Why Popular Anti-Virus Apps 'Don't Work'
Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow up to another article detailing the sad state of anti-virus software currently on the market.
AV software, and even most firewall software which goes beyond port control, simply prevents the user from using the whole of the internet, but rarely stops the internet using them. This is just one reason why.
Still, an interesting point it raises, and a good example to give to non-believers if you ever have to give the "Nothing is perfectly secure" speech to a client.
Because you can - or because you should?
Nothing to see here, move along please.
Faster! Faster! Faster would be better!
1. Firefox with popup blocker
2. Firewall software
3. Sit behind router
4. Use AV software
5. Don't click on anything that pops up without reading it!
http://religiousfreaks.com/
I don't use Norton not because I feel it's poor at catching/preventing viruses, but for the level of intrusion that comes with it. The Norton name, and especially Norton Ghost, are just a headache waiting to happen for anyone who installs it. I very happily use Firefox 1.5 and the latest version of Nod32. Additionally, I don't open e-mails that promise a glimpse into Paris Hilton's private area. -ACA
So what's Kaspersky doing that's making it so much better? Or was the study paid for by Kaspersky? It sounds suspiciously like FUD to me.
My blog
But the disease .
perpetually dwelling in the -1 pits
Uttering logically derived and empirically supported truths to the disciples of the orthodox establishment.
I currently run the free edition of Avast! as my real-time virus scanner, and ClamAV as a second layer of protection on Windows XP. I recently got infected with an AOL IM worm, which neither program could root out or detect...ended up having to get a free specialty program, AIMfix, to get the crap off my computer.
Windows XP, Windows Defender, Windows Firewall, or Avast! should be able to prevent the worm from installing itself...Heck, my Ubuntu installation wouldn't let me install some stupid .inf type file without the correct permissions...
that was supposed to link to www.ubuntu.com/download/
perpetually dwelling in the -1 pits
Ummmmm...
Aw crap. Sorry, forgot which planet I was on again.
Please move along.
If anti-virus software on Windows is bad, anti-virus software on the Mac is doubly so. And you don't even need it (on the Mac), except that some of us work in IT and the end-users refuse to believe the tech support staff and instead choose to believe the hyped-up newspaper reports about viruses being a problem on the Mac (sorry, no, they aren't). So, we have to have a "solution" present on their computers to make them feel "safe". Except the major A/V makers' products on the Mac side don't even do the job of appearing to work. A prime example is McAfee Virex and its virus definition update functionality. It gives an error message even when it works correctly (but of course an end-user is going to be put off by the error message and call tech support). Do you feel safe when your anti-virus software can't even report the status of virus definition updates correctly?
The whole concept of recognizing known viruses was fundamentally flawed. It had a good run, but that was because virus writers were mostly trying to get attention, not steal. Now that viruses are an ongoing criminal enterprise, the old dumb tactics won't work.
We're going to have to give up on recognition and put more effort into partitioning. We need setups where each web page renders in its own jail, and it doesn't matter if the browser is insecure - when the page closes, a program exits and any corrupted info goes away.
Of course, this will break Active-X, toolbars, downloads, etc. Then again, on business systems, you want those things broken.
Once the browser is locked down like that, you need a "guard" program. When you want to move a file out of a browser's jail, it has to go through a program that "sanitizes" it. Often, a translation to a well-documented format that doesn't contain execution capability will do the job. Converting incoming .doc files to Open Document XML format, for example.
It's quite possible to completely solve this problem.
Antivirus software, by its very nature, is always one step behind virus authors. Antivirus software (or anything that relies on a blacklist, for that matter) can only defend against threats that the antivirus vendor knows about and has added a signature for in the product's definitions. So until virus authors start e-mailing their viruses directly to antivirus companies, there will always be a percentage of people that get pwned by a new virus, even if their virus protection is up to date.
Require all users to run as a limited user as per Principle of Least Privilege. This is the key. I once had a computer lab for inner city youth with no AV software at all, just limited user accounts and a simple router. Once we could afford Symantec AV Corporate (I work for a non profit) and ran the scans, no viruses. If anyplace was bound to get one, that would have been it.
Say it with me people: Default Deny. Say it louder now so that Microsoft can hear it. Operating systems need to by default deny the right to execute. This whole "let anything run unless it looks like a virus" crap is not working. Oh, and Microsoft, that doesn't mean make a pop-up so that someone can click "Yeah run it already." Every program shipped with the OS gets to run, every program you add to the list gets to run, maybe every program on a white list maintained by a person or company you trust gets to run, and that's it. Now before you all freak out and start talking about Linux and how you can already do this, let me remind you that "everyone switch to Linux" is not a valid solution because it's not going to happen anytime soon. Sure it works on a case by case basis, but I still need to go in to work and be able to keep 30 or 40 computers safe and clean that are going to run on Windows because that's what our software will run on. So Microsoft, do you let anyone into every room in every building you own unless security sees them on a list, or do you determine who can go where and then keep everyone else out? Why is it that we are forced to use security that anyone can see hasn't worked in the past and has no hope of working in the future?
I routinely get files [or browse for files] on random homebrew sites where "smart" people try and sneak a virus in there.
AV isn't supposed to make your computer stupid-proof. If you download and run every single application you can find no AV in the world will help.
If you happen to stumble on a 4 week old virus that either got bot-mailed to you or stored in a public archive they're a godsend. Especially since most AVs scan archives, so before you even open it you're good.
Tom
Someday, I'll have a real sig.
Think about it for a moment. What is the intent of anti-virus software ("anti" + "virus")? Isn't it to stop apps that you don't want running on your computer? Apps that were written by the "bad guys"?
So, the reason that anti-virus software sucks is because the "bad guys" are writing BETTER "viruses" that can bypass the anti-virus programmers' software.
And the reason for that is that anti-virus software is REACTIVE.
A proactive system would patch the holes that are being exploited.
A reactive system issues patches to remove all the specific threats encountered so far.
That approach will ALWAYS result in the "good guys" being behind the "bad guys". Like DUH!!!
If you want the OS to protect you by denying you access make an admin and a non-admin account. Use the non-admin account for normal use, switch to the admin account if you need to install something.
Indeed. None of these "brand new AV product problems" is new at all. Every real professional has known for over 10 years that anti-virus software is based on flawed assumptions and the fundamental principles behind them are plain broken.
You have to distinguish what they do against lame mindless amateurs and random automated attacks versus targeted attacks. Using those scenarios as a backdrop you will very fast realize that it's easier mostly to fix the problems (the security problems) and not the symptoms.
What does an antivirus do? It scans files and memory for known patterns in order to erase some bits. If 10 different viruses exploit the same flaw in 10 different ways, an antivirus requires 10 signatures to recognize them all (heuristics *are* signatures). Why don't antivirus vendors focus on providing workarounds for the actual Windows security flaws instead?
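Two of the posts above make the same point from different angles: a blacklist can only catch what the vendor has already added a signature for, and a heuristic is just a signature with a preprocessing step in front of it. The following is an added example, not code from the thread or from any AV product, that shows both in a few dozen lines: a toy byte-signature scanner, the "test it against the scanner before release" loop the article describes, and what happens when the author can also run the defender's heuristic. The signatures, the single-byte XOR "packer" and the sample bytes are all constructed for the demonstration.

```python
"""Added example: a toy byte-signature scanner plus the 'test against the scanner
before release' loop.  Signatures and samples are constructed; nothing is real malware."""
import re

# Constructed signatures: the literal byte patterns our toy "AV" looks for.
SIGNATURES = {
    "Toy.Downloader": rb"GET /payload\.exe",
    "Toy.Persist":    rb"CurrentVersion\\Run",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest 'packer' an author might use to change the bytes."""
    return bytes(b ^ key for b in data)


def scan(sample: bytes, heuristics: bool = False) -> list:
    """Return the sorted names of every signature found in the sample.

    With heuristics=True the scanner also tries every single-byte XOR key before
    matching, a crude stand-in for an unpacking heuristic.  Note that this is
    still a signature: the same pattern, with a decoding step in front of it."""
    hits = {name for name, pat in SIGNATURES.items() if re.search(pat, sample)}
    if heuristics:
        for key in range(1, 256):
            decoded = xor_bytes(sample, key)
            hits |= {name for name, pat in SIGNATURES.items() if re.search(pat, decoded)}
    return sorted(hits)


def attacker_release_loop(payload: bytes, heuristics: bool = False):
    """Mimic the author's pre-release testing: re-encode the payload until the
    scanner the author has access to reports it clean.

    Returns (variant, key) for the first clean variant, or None if every
    single-byte key is still caught (the author has to change technique)."""
    for key in range(1, 256):
        # "STUB:" stands in for the small decoder that would unpack at run time.
        variant = b"STUB:" + xor_bytes(payload, key)
        if not scan(variant, heuristics=heuristics):
            return variant, key
    return None


if __name__ == "__main__":
    sample = b"GET /payload.exe HTTP/1.0\r\n"          # constructed "malicious" content
    print("original:", scan(sample))                   # ['Toy.Downloader']
    released = attacker_release_loop(sample)
    print("re-encoded:", scan(released[0]))            # []
    print("with heuristic:", scan(released[0], True))  # ['Toy.Downloader']
    print("author tests against the heuristic too:", attacker_release_loop(sample, True))  # None
```

The last line is the whole argument in one call: as soon as the author can run the same heuristic the defender runs, the loop finds nothing that passes and the author moves to a different encoding, which the scanner will not recognise until someone adds it. Whatever the defender ships, the attacker tests against.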
Aren't most of the viruses and worms that are out there just variants of other viruses? It seems like most of the time that I hear about a "new" terrible virus, it's really a slightly modified version of one that's been around for awhile, and usually if you're up to date on your antivirus and security patches the new virus won't do anything anyway. And let's not forget that there are still plenty of old viruses on non-secured machines that an antivirus application will protect you from.
I can see their point where people developing a new virus are concerned, but as the lifecycle of a virus is often longer than the time it takes to update the signatures, I think that they are overstating their case by saying that the AV apps "don't work."
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
...by testing their code on the most popular anti-virus software before release.
It's a sad state of affairs that worms, trojans and viruses are probably more tested before release than the anti-virus software.
It's exactly the same with spam. SpamAssassin is a great tool for ensuring that your unsolicited commercial e-mail doesn't get flagged as spam.
Once malicious code enters the "perimeter", so to speak, AV software is a rather weak stopgap measure. Software design flaws that result in holes can seldom be fixed by adding more surface area; it only becomes a matter of time before the attacker figures out the next step. The AV software companies know that most of their customers have no idea how computer security works. Antivirus provides some shallow peace of mind for Joe Average. It is not a very serious security measure and it should not be relied on as such.
I'm sure other posters will provide the real answers to security, like limited user access, a good firewall, not running untrusted code, and using a web browser that isn't garbage.
I went for 3 years using just these precautions, but used no antivirus whatsoever. I never became infected by a single thing. I only recently grabbed ClamWin, a port of ClamAV, for my Windoze box because I wanted to scan a program I got via P2P.
Both these articles read like they were written by an idiot. They do not make the distinction between the detection of known viruses, and the detection of unknown viruses via heuristics. And if you start calling heuristics a signature, you are going to confuse the heck out of everyone. Don't mix terminology.
Honestly, I do not know anyone who believes that an AV program is going to protect them from unknown viruses! The whole point of AV software is to give you protection from viruses as they are discovered. I mean everyone knows that if they do not update their virus signatures on a constant basis (several times a day on my mail servers), they may as well not be running virus protection at all. OK. Maybe some people are dunces about this, but honestly, even my 81 year old grandmother knows that she has to keep her AV current, or she's unprotected.
I mean, for crying out loud, what are these signature updates for? For catching known viruses. Mega duh!
I am sorry that people are simple-minded, bug-hunting, tree-following apes.
Symantec software is even worse than you said, in my experience.
You didn't mention the bugginess.
Default deny subject to whose override authority? Remember: we are talking about a problem at home here. At work, things are already default deny, subject to my authority (or other members of our computer group). You don't get admin/root so you run only what's installed. Solaris or Windows, doesn't matter.
Ok, but what about at home? You are the admin there. Who looks over your shoulder and determines if something is safe? You can set the OS to default deny running things by running it as a non-administrative account, or by getting something like KPF that intercepts execution and asks you, but in either case it doesn't do anything if you give it permission. Doesn't matter what the hoops you have to jump through are; when you give it permission to escalate privilege and run, you are screwed if you didn't check it out beforehand.
I mean you can have a nice, secure Fedora box and I can send you a binary called destroy_system. If you decide to run it, Fedora automatically asks you for root. If you give it that, it does as it says. There's no way for them to defend you from yourself, without going to something like TCPA where some party other than yourself gets to decide what can and cannot be run on your system.
I think some UNIX people put WAAAAAY too much faith in UNIX's privilege escalation model, as though somehow if the OS asks for a password instead of just a yes/no box people will suddenly stop and think. No, sorry, they won't. They'll view it as just another hoop to jump through. They won't read it, they won't consider the implications, they'll just learn "give it the password and it goes away" and will start doing just that.
In the hands of an educated user, running deprivileged helps because it makes sure something doesn't automatically launch that you aren't aware of. However in the hands of a clueless user, who is the real problem here, that doesn't cut it. You need something like a virus/spyware scanner that maintains a list of "bad" things and disallows those. Even then, some of them will override it because it'll block the installation of something they want.
Almost sounds like an endorsement for Security through Obscurity. To some extent it works for Mac and Linux. If either of those become predominant, you can rest assured that far more virus writers would target them.
Table-ized A.I.
I do follow basic common-geek-sense, but so far F-Secure hasn't failed me. Completely anecdotal, mind you...
.: Max Romantschuk
Safer link to Systrace
...because there's hardly any virus out there. The virus days are gone. The Internet is clean of virii now.
Maybe that's why anti-spyware programs are so popular nowadays. That's also why Firefox is popular. And firewalls too.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
That's why: there is too much eye-candy!
I gave up a long time ago on NAV because it had a heavy interface -- fancy background, fade in/out, and all the other stuff that don't really contribute to its operation, especially for an application whose GUI you don't really pop or see very often.
Simple buttons and windows are enough, coupled with a good proper operation within a restricted account -- i.e. good communication with the service that runs in the background.
That is why I like the free AVG option.
They work, as soon as you remove the false prefix.
Not so. There is a lot that can be done as I will explain.
That is correct. But it is inaccurate as, in most cases, the user is NOT AWARE that s/he is running software or installing software.
Which is one of the reasons that Linux is so resistant to the "viruses" (viruses, worms and trojans) that are out there. The OS protects the OS files from non-root users.
There, the problem is solved for all users except those who will willingly and knowingly install the "virus" themselves.
TFA claims that AV software doesn't work because malware writers test their code on the most popular anti-virus software before release. All that really means is that they make sure that the AV programs can't already spot it. Once their malware's out in the wild, it will get spotted, analyzed, and the definitions rapidly updated to deal with it. All TFA actually says is that no AV software is going to spot/remove a new piece of malware on the first day. No fooling.
Good, inexpensive web hosting
For home users, I tell them the following:
1) You're not a company that gets thousands of virus-laden emails a day. You don't need to pay for Norton or McAfee. A 98-99% detection rate is perfectly adequate for a home user.
2) Install AVG or Avast AV. They're free, they update automatically, they're light on resources and they work.
3) Install Spybot Search and Destroy, SpywareBlaster, Ad-Aware and Windows Defender.
4) Install a software firewall like Kerio or just use Windows XP's firewall. If you install Kerio, use V2.1.5 because it's non-intrusive. The later versions are too picky and get in your face.
5) Stop using IE and use Firefox.
6) Lately, since trojans are on the upswing, I say install A-Squared anti-trojan which is free with manual updates.
7) Don't click on popups. Don't even click on the "No" button - click the window close button.
8) Don't install anything offered you by a Web site unless the site is a general freeware or shareware site that explicitly states it checks for spyware and adware.
9) Keep up with Windows updates and updates for the malware detector software.
10) Run a scan once a week or if you see any popups at all.
I've used these rules on Windows 98, 2000 and XP for four years with virtually NO spyware getting through - and that's with porn site visits and whatever else the Web can throw at me.
The single most important rule is number 5 - use Firefox. With no ActiveX, the stuff can't get in unless you have an OS vulnerability or you deliberately install it in response to a prompt you don't understand.
Finally, if they really want to be secure, switch to Mac or Linux.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
MOD PARENT DOWN. Bad Link.
Official Clam Anti-Virus for Windows link: ClamWin. ClamWin is free and excellent, but slower at scanning than commercial products, in my experience.
I'd just be happy if they wouldn't turn up so many false positives.
Linux isn't a silver bullet. A virus can still install itself in user space, and from there it can:
* Delete files
* Read confidential files from that one user (a typical computer might only have 1 or 2 users)
* Send out spam
* Install a keylogger
* Read the user's contact list and forward itself to all users on that list.
* Install itself to start up with user privileges when the computer boots (by modifying the user's configuration files)
* Pretty much anything...
However, having separate users does limit the damage and it makes it a lot easier to clean up since no executable files are affected, root should be safe, and the system should still be stable and consistent once the virus is removed. (This is not true if the virus has gained root privileges, and really you should assume that it has, if you really want to be safe).
Much of the security of Linux comes from:
* The peer review process.
* The speed that the most serious holes are patched and the ease of applying these patches on most distributions.
* Vulnerable services are not usually open to attack after a default install.
* 'Biodiversity' - an attack against a specific application will not affect all users.
* New install media with latest bug fixes issued regularly and easy to obtain.
* A large amount of software is available from the distribution repository so you don't need to download and run installers from third-party web pages.
* Smaller market share gives attackers less incentive to attack.
I'm not saying that ALL software for Linux is secure, and that ALL distributions respond promptly to security vulnerabilities, but it is possible to be reasonably secure if you choose the right vendor and don't be stupid by installing random screensavers from dodgy websites.
I'll probably be modded down for this...
I recently downloaded a crack for something on my machine (yeah, I know, not the best idea). After downloading, I scanned it with AVG, which didn't find anything wrong with it. I ran the program, and nothing happened. I started getting nervous. I did a system scan with AVG--nothing. I went online and did a scan with PandaScan--nothing. I went over to BitDefender--nothing. I then went over to TrendMicro's site--HouseCall found a keylogger. Now, how come three AV apps didn't find this thing and only one did? At this point I'm really tempted to shell out to TrendMicro for PC-Cillin. Anybody have any thoughts on this?
It's a sign that people need to start focusing on the real problem - releasing operating systems with security holes in the first place. All antivirus companies have ever done is cover the problem up, anyone who thinks they are a permanent fix to anything are giving them waaaaay too much credit.
The best you can say about the AV industry is that we finally found out, more or less, that the AV companies themselves aren't behind the malware.
I wish I was a sleazy ruthless person. I could make millions off this idea: check your HKLM/Software/Microsoft/Windows/CurrentVersion/Run registry keys. Know what should be in there. 90% of the time you can detect when a virus or spyware is installed by looking there for things that don't belong.
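The idea above, "know what should be in the Run key and flag what doesn't belong", is a baseline comparison, and it is easy to write down. The following is an added example, not the poster's code or any product's: it parses the text that `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` produces (on a real system that file is UTF-16, so open it with `encoding="utf-16"`), diffs the entries against a baseline, and additionally flags autostarts whose executable lives in a user-writable directory. The export text, the baseline and the "svchost" entry are constructed for the demonstration; the list of user-writable directories is an assumption you would tune for your own machines.

```python
"""Added example: audit the Run/RunOnce keys from a .reg export against a baseline.
The export text and baseline are constructed; real input comes from e.g.
    reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg
"""
import re

# Key paths we care about (compared case-insensitively against the end of the path).
RUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
)
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# Assumption: directories an ordinary user can write to.  An autostart living
# here is not automatically bad, but it is the first thing to look at.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: command_line}} for Run/RunOnce keys only.
    Handles REG_SZ lines and the .reg escapes (doubled backslash, escaped quote);
    REG_EXPAND_SZ values exported as hex(2):... are skipped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path if path.lower().endswith(RUN_KEY_SUFFIXES) else None
            if current is not None:
                entries.setdefault(current, {})
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            # Un-escape: "\\" -> "\" and '\"' -> '"' in one pass.
            entries[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("value"))
    return entries


def image_path(command_line: str) -> str:
    """Executable part of an autostart command line (quoted path or first token)."""
    c = command_line.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split(" ")[0]


def audit_run_keys(export_text: str, baseline: dict) -> list:
    """Compare every Run/RunOnce entry with the baseline; return (key, name, reason) findings."""
    findings = []
    for key, values in parse_reg_export(export_text).items():
        for name, cmd in values.items():
            expected = baseline.get(key, {}).get(name)
            if expected is None:
                findings.append((key, name, "not in baseline"))
            elif expected != cmd:
                findings.append((key, name, "command line changed"))
            if any(d in image_path(cmd).lower() for d in USER_WRITABLE):
                findings.append((key, name, "runs from a user-writable directory"))
    return findings


# Constructed sample export: two entries that belong and one that does not.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
'''
BASELINE = {
    RUN_KEY: {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
    }
}

if __name__ == "__main__":
    for key, name, reason in audit_run_keys(SAMPLE_EXPORT, BASELINE):
        print(f"{name!r} in {key}: {reason}")
```

The same check belongs on HKCU's Run key and, on 64-bit Windows, on the Wow6432Node copy; the parser picks them up as long as they are in the export, because it matches on the path suffix rather than the hive. The baseline is the part that takes work: it has to be taken from a machine you trust, not from the one you are investigating.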
There are two kinds of viruses, really: good ones and bad ones. The bad ones are easy to erase - your AV will do it for you. It's the good ones, written by experts and people who know the software industry like the back of their hands, that are troublesome. None of your lame anti-virus software apps, like AVG or, if you're stupid enough to pay for it, Norton, will get rid of them. However, chances are, if it's a good enough virus, you're not the only one in the world who has it. Chances are, millions upon millions of people like you have not only gotten it, but also defeated it. And they're helpful folks. They've posted their solutions on the internet, step by step. So, all in all, use Google to rid yourself of your problem. (If you believe a process like example.exe keeps starting on your system, just type that into Google, select a few keywords like "virus" or "help", and you're set.) PS. They say that if you're stupid enough to get a virus, you deserve it. I say, if you're stupid enough to PAY for AV software, you deserve the virus.
Then look at the 'news' source.
He'll post any shit just to get Australia mentioned on Slashdot...and he does.
>virus writers are motivated by doing what they love and not having to put up with PHB
Malware is a business now, aimed at building botnets to rent to spammers and extortionists.
Now that money is turning the wheels, it seems fair to expect that all the diseases of commercial software development will now afflict malware writing.
http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html
Application shortcuts were replaced by a script that copied configuration files into a jail (implemented as a restricted account), did a Run As to start the application under the restricted account, and hooked the standard file open dialogs to copy files that the user asked for into the jail. Far from complete, but it was fascinating how much they did with how little (no kernel changes, for example).
>a well-documented format that doesn't contain execution capability
The program that reads that well-documented format might have a vulnerability which the theoretically non-executable file could exploit. That's happened in real life, with JPEG and PNG.
Worse, the line between executables and data isn't as sharp as we usually think it is. After all, an executable is nothing but data for the CPU's decoder. We *hope* that $WORDPROCESSOR doesn't do anything except display documents in response to the instructions in a document file, but there's one well known word processor whose behavior is as unpredictable as a cat's.
The link is to Microsoft, but they're far from originating the concept. The first mention I know of is: Jerry H. Saltzer and Mike D. Schroeder, The protection of information in computer systems, Proceedings of the IEEE, vol. 63 (no. 9), pp. 1278-1308, Sept 1975.
One of the easiest ways to protect yourself on Windows is to not run as Admin. Only log into admin when you want to install new software, or when you want to update Windows, etc. In my opinion this is way more effective than any AV software (although I would recommend AV anyway). I would say that 50% (at least) of the nasty things that happen to Windows machines are caused by the fact that people tend to run as Admin by default.
People would never dream of running as root all the time on their Linux machine, yet those same people often run as an admin in Windows XP.
>Operating systems need to by default deny the right to execute.
At what granularity? You need to give /bin/sh permission to execute. But as soon as you do, foo.sh becomes an executable file in effect, even though it's just a text file without a shell to run it.
It's easy to tell that /bin/sh is an interpreter, so maybe you could have a whitelist of files it's allowed to open. Could you do that with Firefox? It has a Javascript interpreter. How do you identify what .js files it's allowed to execute? By site, like Noscript does? Doesn't protect against compromised trusted sites, maybe not even against advertising. By file name? A new file could get slipped in under the same name. By hash? That would work, except for the nuisance of having gmail stop working every time Google made a change.
Maybe you could sandbox all interpreters that aren't meant to be command shells.
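The granularity problem in the reply above is concrete enough to code. The following is an added example, not from the thread or from any existing product: a default-deny policy check that allows a binary only if its SHA-256 is on a list, and, when the binary is a known interpreter, requires the script argument to be on the list too, refusing `-c`/`-e` style inline code that has no file to hash. The fake "interpreter", the two scripts and the allowlist are constructed in a temporary directory so the example runs offline and never executes anything; which flags count as inline-code flags is an assumption.

```python
"""Added example: hash-based execution allowlist that treats an interpreter's
script argument as the real executable.  Everything here is constructed; no
file is ever actually run."""
import hashlib
import os
import tempfile

# Assumption: flags that make an interpreter run code that is not in any file we could hash.
INLINE_CODE_FLAGS = {"-c", "-e"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_invocation(argv, allowlist, interpreters):
    """Return (allowed, reason) for argv under a default-deny, hash-based policy.

    allowlist:    {sha256_hex: label} of files permitted to execute
    interpreters: set of binaries whose first non-flag argument is the program
                  that really runs, so that argument must be on the list as well."""
    exe = argv[0]
    if sha256_file(exe) not in allowlist:
        return False, f"{os.path.basename(exe)}: binary not in allowlist"
    if exe not in interpreters:
        return True, "binary allowed"
    # The binary is an interpreter, so the "executable" is really its argument.
    if any(a in INLINE_CODE_FLAGS for a in argv[1:]):
        return False, "inline code has no file to hash"
    script = next((a for a in argv[1:] if not a.startswith("-")), None)
    if script is None:
        return False, "interpreter without a script (stdin/interactive) not allowed"
    if not os.path.isfile(script) or sha256_file(script) not in allowlist:
        return False, f"{os.path.basename(script)}: script not in allowlist"
    return True, "interpreter and script allowed"


def demo() -> dict:
    """Build a constructed setup and return the policy decision for four cases."""
    with tempfile.TemporaryDirectory() as d:
        def put(name, content):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            return p
        sh = put("sh", b"#!fake interpreter, never executed\n")
        good = put("foo.sh", b"echo hello\n")
        evil = put("evil.sh", b"echo this script was never approved\n")
        allow = {sha256_file(sh): "sh", sha256_file(good): "foo.sh"}
        interp = {sh}
        return {
            "approved_script":   check_invocation([sh, good], allow, interp)[0],
            "unapproved_script": check_invocation([sh, evil], allow, interp)[0],
            "unapproved_binary": check_invocation([evil], allow, interp)[0],
            "inline_code":       check_invocation([sh, "-c", "echo hi"], allow, interp)[0],
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:18} {'ALLOW' if allowed else 'DENY'}")
```

The check covers exactly the two holes the reply names, an allowed shell running an unlisted script and inline code, and nothing more: a listed script that reads its next instructions from a file, or a browser's JavaScript engine, are interpreters one level further down, and the hash list has to grow (and be re-approved after every upstream change, the gmail problem) to keep up with them.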
I use prevx1 on windows and it kills trojans that my antivirus doesn't touch (not just mine, other people I know use it too).
My windows machine runs loads of stuff to keep it safe (grisoft avg, zonealarm and prevx1).
My linux machine runs iptables and only has ssh open (rsa key protected), and I've never had a single intrusion or trojan/virus problem.
I'm very careful with Windows to keep it safe, but I'm constantly finding trojans and spyware on other people's machines. It's very frustrating. I install prevx1 on every machine I encounter that's infected, and it keeps them clean.
Scientists discover that polio vaccines don't work against other diseases. Details at 11.
Seriously, this isn't news. This was obvious from the time where any signature updates were ever required, or when viruses, scumware, etc. included code to disable/corrupt/uninstall/otherwise cripple antivirus and antispyware software. They're merely admitting it now.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Case in point, Internet Explorer. Which Microsoft has previously claimed was part of the OS.
Most AV apps pop up a warning whenever they detect a virus. They like to remind you that they're doing their job.
More than once, Symantec AV has told me that it's detected and neutralized a Web page with the WMF vulnerability. I guess that's interesting to know, even though my system was fully patched so I wouldn't have been vulnerable anyway. It's also told me that my PC was being probed by hacking scripts, though (again) I was already protected through patches and not having the necessary ports open.
The real question is, how do any of us know that we're not already infected by a super-devious rootkit that no AV apps recognize?
So; what they're really saying is that, statistically speaking, security through obscurity is more effective.
Now, that kind of irony I find downright amusing.
-=Geoskd
I wish I had a good sig, but all the good ones are copyrighted
He always has been and always will be. His articles are practically marketing material for Kaspersky labs. First of all, write an article stating the obvious and then back it up with some arbitrary figures without displaying any real results.
For your reference (I made sure to use the Google cache so you can see the highlighting):
Hmmmm...what sole vendor was interviewed for this article?
I wonder who the focus of this article is...
My goodness! Another article from Munir which focuses on Kaspersky. Who would have guessed?
Which company did Munir get a virus analyst from to comment on this article?
Now that is some quality, unbiased reporting for you. Don't believe Munir's BS, it's a load of crap.
Default Permit and List Bad Only are the two dumbest ideas of 'security' ever implemented. Here's an idea: buy software that blocks apps that you do not specifically permit. Bam, instant virus/spyware protection.
So far McAfee is the only product I can find certified to run on Windows Server 2003 (64-bit). I would love to use something else, so please--someone tell me if I have missed something. I have heard and read anecdotal evidence that other smaller apps do work, but to cover myself it needs to be explicitly listed as a supported OS.
If truth be told, I think it's silly to have to run anti-virus software on a machine that nobody ever logs into and that is 2 firewalls away from the Internet, with no Internet access in or out--but such is life when we have credit card companies telling us how to secure our servers.
Of course the AV tools don't block viruses with unknown signatures. To do that you need either
a)Crystal ball
or
b) An Intrusion Detection System, which is not easy on windows.
Malicious activity is not easy to spot on windows because of crappy monolithic OS design that makes distinctions unclear, and the only thing the AV people can do is be on alert for new viruses, emulate them, produce signatures and update you as necessary. They cannot protect you from a non-generic malicious piece of code if it hasn't yet been written.
So if you want to know why AV tools fail, here's a hint: they run on wind.. nah. My karma matters more than my conscience.
Ummm , no.
I do agree it's better than the retail box, but it's by no means 'lightning fast'.
---- Booth was a patriot ----
Shut off your computer and disconnect all parts from each other.
If Aussies are like Yanks it's because we are the same kind of people, and Australia _is_ a lot like the USA, only better in most ways. Why would us becoming part of the USA be such a bad thing anyway? We may as well be, since we're so alike, and if Yanks are too stupid to see we should be part of their country then it's _their_ loss, not ours. I welcome being formally part of the USA or else at least having our own president. I'm really sick of people making us out to be a small country when we're one of the three or five most important in the world now.
Anti-virus software only exists to prevent people from having to learn about malware. It is a purchase of knowledge. If even 20% of viruses are blocked with it, that is worth the price to some people, because they don't know how to avoid it any other way. Browsing and interactive techniques need to be encouraged before anyone could attack anti-virus software...
Whats that? a new implementation of daemons?
Why does the enterprise edition have such a smaller footprint than the home edition?
Bah! I'm sure if I unplugged a server and threw it into an active volcano it could be considered secure. It may be inaccessible, but I guarantee nobody is going to steal your data or plant a virus.
We're using McAfee VirusScan 8.0. If by "small footprint" you mean installation coincides with a sudden, lasting rash of virtual memory errors on 2 GHz desktop machines with 512 MB of RAM, sure. Not to mention the fact that it's pretty much useless against spyware, which is a bigger resource problem for us than viruses, and even trojans are often requiring manual intervention to remove. It's no worse than Trend was, I'll grant you, but it's not so good you should be giving it free advertising. One of my home machines with AVG, Windows Firewall, and SpywareBlaster has historically been more secure (read: never compromised) than my work laptop, which has been compromised at least twice from behind our corporate firewall... and I'm not even in sales. Though it does seem to have a pretty decent boot time.
I was always fascinated with rock 'n' roll, or girls, or something like that when I was a kid. - Gary Sinise
I've seen my fair share of viruses, and also my fair share of antivirus programs, but I've never seen an off-the-shelf product work as well. I use AVG Free, and as far as I know I have had next to no trouble with viruses. It is small in terms of memory and downloads, but it seems to work a lot better than anything else I've tried.
:P
But I think there may be more to it. I think if you know your fair share about computers you know what to stay away from. I know that any site on the internet offering warez and serials is a sure thing to stay away from. Also, if you just don't look up porn you have a very good chance of not getting a virus.
They focus on reminding the user they are there instead of encouraging better habits. Why are the corporate clients better than retail versions? A corporate client is sold to an institution that already recognizes the need for security. The retail version has to sell itself one by one to idiots, and I do mean IDIOTS, who will not perceive value if the application does not nag them about something every 12 seconds. I'm currently wasting my life as a technician at CompUSA (hey, it's the same money as McDonald's without smelling like grain-enhanced beef byproducts) and I've lost count of the number of people who bring computers in with viruses who say "Oh I had Norton for a while but it never did anything so I didn't get it again." The result? Norton retail version won't let you sneeze without nagging you about something. Funny thing too, I get almost as many units in with Norton issues as I do with viruses. Plus there's a huge number that come in with viruses who say "Oh it can't be a virus. I have Norton." Never mind they surf to every porn site they can find, answer every spam, and play at every poker site they ever heard of. I tell people that antivirus is like kevlar: it makes for a good shield, but when's the last time you saw a cop jump to get in front of a bullet? But they're idiots. They do what they do, get infected, do nothing about it till it shuts off their Internet altogether, then blame the manufacturer or CompUSA, and no matter what you tell them, they refuse to accept any responsibility whatsoever. And so it begins all over again.
As currently written, all anti-virus software will fail. The simple reason is that anti-virus depends on a signature or a synthesis of actions to identify what is "bad" and what is "good". Last time I looked, using a moral imperative in programming wasn't a system call. Like spam, viruses are not a technical problem; they are a human problem.
The chief problem is that anti-virus is a defensive posture. Sooner or later, any defense will fail, if only because it becomes outmoded and/or outflanked. Defend only the walls and you leave yourself open for an air attack. You see the quandary here: it is impossible to know all the various ways to mount an attack and defend against all of them.
You can do what many companies have started to do: prohibit executables in AD policy that are not specifically allowed. This protects (mostly, somewhat) corporate America, but doesn't protect the home user that doesn't have an Active Directory server, and likely wouldn't put up with that kind of restriction anyway.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
every application that runs on your computer should have its own address space and it should not be allowed to cross into other applications' address spaces, however this is not the case in MS Windows OS.
I guess we may want to rethink what a computer actually is.
I guess it should be possible to write (or use existing) virtualization software and run each application in its own virtual computer, give each application its own 'harddrive' without access to the rest of the disk, and most importantly make sure that the application cannot cross its VM's boundaries. Obviously each application that is not the OS itself should run as a user and not as an administrator, but in a VM it shouldn't even matter that much.
To share data between applications that really need sharing, it should be possible to open 'network' connections.
In case Intel or some other chip manufacturer comes up with multi-core processors (real multi-core, something like 10-1000 cores per CPU), each application could also run in its own real processor space. A CPU could be rated something like: 100 simultaneous processes, and actually really run 100 simultaneous processes without time-slicing. Wouldn't that be a day? To accommodate memory per process, there could also be another independent administrator process running, that would detect real-time memory requests and manage memory accordingly (it could prepare memory ahead of time to avoid bottlenecking).
It also should be possible to run an image of the OS per process (but this should be optional, depending on the tasks at hand). Of course a CPU like that would also be great for parallelizing threads in processes (if there are resources).
In a computer like that, with each program only being able to affect its own computer space (CPU, RAM, disk space, network), it should be possible to detect unwanted behaviour that could be caused by a virus. Attempts at 'networking' to the administration process, attempts at gaining unauthorized disk space, attempts at 'networking' with any other processes in the computer can be intercepted. In case a virus (or a poorly written piece of software) behaves suspiciously or deadlocks or crashes or whatever, the rest of the machine should be protected and unaffected. The misbehaving process can be killed by the administration process and restarted or scanned and repaired etc.
I don't think the future of the home computers is in bigger gigahertz numbers, it is at parallelizing, virtualizing, making the software more stable and less dangerous for everyone.
You can't handle the truth.
I never have used it. All it ever did was slow down my machine, and warn me with lockups. It got removed immediately. My whole computing life, I haven't used them. I've never gotten viruses either.
I do have a firewall, though.
So does this mean that I'm better off using an AV that isn't widely used? Is this one case where security through obscurity is actually valid?
Security by obscurity is still one of the best ways to keep yourself secure. Whether it be Macintoshes, or just leaving your house's spare key in a really good hiding spot, obscurity is one of the oldest security features around.
Obviously, what you need is an obscure anti-virus app that's also really protective (as in, put your spare key in a safe and hide it).
Of course, the problem with that is that if an antivirus product works well, it doesn't stay obscure for long.
Man, I'm really stating the obvious here. I'm done now.
Comparing the learning curve between Linux and Windows, despite great steps having been made, is still a pain in the bottom. I use Linux with a special compiler to run molpro (roughly said, a quantum calculation package) and molcas. It took me a FREAKING long time to get it right, and I can't imagine your average people taking the time to do it. And here lies the problem: the "you learnt windows so you can learn windows" is BUNK because of that. You can't compare the user friendliness and ease of learning of Windows with Linux. Sure, some distros get it better than others, but this is still far away from the general public. So in a way yes, Windows in some way is so much easier to use that you could as well say people were born knowing how to use it (or nearly). Naturally you can call shenanigans and speak about security issues, patching, and whatnot, but Windows is years ahead in usability issues. Call me back when the learning curve of Linux is down to the one of Windows...
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
25k is a lot of RAM. No one should need more than 8k. You can't FILL 16k with meaningful code!
The Gentoo package manager is one example of a way to get around nVidia and Google Earth operating this way: since all packages are essentially shell scripts intended to compile software from source, there are actively maintained packages for nVidia and Google Earth.
The reason most distros can't do this is that it becomes a legal issue -- can you legally unpack from the binary installer, then repack as an rpm or deb, and distribute it from the repository? But with Gentoo, even if they aren't allowed to distribute the binary from mirrors, they can always place it under management after you download it manually. This is nice, because the package also includes checksums for all its source files.
What this means is, even most of the times you would download random software from the Internet, you still check it against a repository checksum.
It really amazes me that other "modern" OSes have never done this. It's not as if it's a foreign concept. Windows Update is a package manager, it just happens to only work for Windows. MSI is also a package manager, but I believe it relies on the app to provide its own uninstall. On OS X, it's even worse -- most mpkg packages do not have uninstallers, and everything else is completely un-managed. The open-source community has started a library which apps can use to update themselves, but even if it were 100% supported, it's still nowhere near as powerful as real package management, complete with uninstall and dependency handling.
Don't thank God, thank a doctor!
...or how Microsoft can beat them to it.
Can someone explain to me (I am not a programmer) if Microsoft has it in their easy to reach power to allow users to do the following, if they choose:
1a. Blacklist any executable the user desires from running, no exceptions.
1b. And make this very easy by simply right-clicking on a process and selecting "Don't allow to relaunch".
2. And break down all the SVCHOST.EXE programs into their individual component processes so when a virus adds itself under svchost.exe, that virus is seen as a separate process.
2a. Stop writing the Windows program to name several processes the same damned name (i.e. SVCHOST.EXE).
Joe
"Artificial Intelligence usually beats real stupidity."
You're right about one thing, Vista won't make a difference -- at least, being able to run apps as a normal user won't do much right out of the box.
The big thing missing on non-Linux OSes is decent package management. And not for lack of technical skill -- Windows has Windows Update, OS X has Software Update. Software Update is especially slick, but the essential problem is, they don't work for anyone else's software, and they generally only do updates, not fresh installations.
OS X is the only OS I've regularly used (other than Linux) for work over the past year. Just last week, I discovered that the company I work for only has FTP access to their website -- very, very stupid, but it's not at all likely that I can change it. But anyway, I got sick of trying to do a recursive upload from the commandline FTP client, so I thought I'd get a graphical one. Searched the Internet, downloaded Cyberduck.
On Linux, what would I have done? Assuming there was a Linux version of Cyberduck, I'd have done "emerge cyberduck", or maybe "apt-get install cyberduck". This does two things -- it automatically gets dependencies, which means cyberduck can be properly programmed to have dependencies (instead of trying to cram them all into the one downloadable executable/image) -- and it also verifies a signature of the downloaded file against the public key of the distro maintainers, which was on the install CD I downloaded. This means I was vulnerable to a man-in-the-middle attack exactly once -- when I downloaded the CD image. Assuming the CD image is good, I can be sure that the Gentoo or Ubuntu guys have at least done a quick check to make sure a given package is not spyware, incredibly old (abandonware), or a security hazard. It also means there's an incredibly low chance that it's been changed since it was on someone's CVS server by anyone except the distro maintainers, since even if said distro maintainers don't check gpg signatures by upstream maintainers, each update is vulnerable to that MITM attack exactly once -- when downloaded by the maintainer -- if it's safe that one time, it's completely safe for all the distro users installing stuff or updating.
It's also a nice tool for keeping a system secure. Since it's usually not the OS itself that lets the software in, you want all of your software to be up to date with the latest patches. A package manager makes it happen -- you just tell it to update, and it grabs all updates, to every installed program. I believe I've got some 22 custom-installed programs on my Mac, but it's probably more than that -- can you imagine the torture of trying to check the website of each and every one of them? Some are self-updating, but how do I make sure they've all at least checked for an update recently? It'd be a day's work for what I see as a daily habit on other Linuxes: "emerge sync && emerge -uDN world" on Gentoo, "apt-get update && apt-get upgrade" on Ubuntu/Debian. Ubuntu even checks automatically -- but in one place, with one program, instead of 22 different programs.
Don't thank God, thank a doctor!
Any opinions about Sophos? I have had good luck with it over the years.
Their home page: http://www.sophos.com/
It's surprising that no one wrote about PixV Preempt as an alternative to antivirus software. It tries to fix the causes instead of the symptoms.
{{.sig}}
Microsoft has been as guilty as anybody in the past. Are they "clueless noobs" or does the problem lie elsewhere?
I've been writing Windows apps for years and I'm still not aware of any official, guaranteed-to-work way of finding out where I'm supposed to write the user's data files. It just isn't part of the API. There's a function "GetModuleFileName()" to find out where the program lives but no equivalent to tell me where data files should go. I guess that's why writing to the program folder is so popular.
ObLinux: In *nix it's easy - every user has had a clearly defined home directory since version 1.0.
No sig today...
Does anybody know if rootkits can be detected if I reboot Windows in "safe mode"?
No sig today...
The biggest problem I have found with my friends and family is simply letting the software work. They shut down the scanner because 9 out of 10 use Norton and it always starts scanning in the middle of something, and it hogs so many resources that you can't ignore it. I have convinced a few to switch to AVG, which can run on a modern system (and some vintage too) without robbing them of the power they need to run IE, but most just want me to shut off Norton and leave them be. I never answer the phone when those people call (no prizes for guessing why).
I work in a small computer shop. We generally get 3 kinds of customer.
The first is just buying parts or tedious service. They know about computers/viruses and all that and keep themselves safe.
The second are porn addicts; they do all sorts of shifty things and come in every few weeks to have us purge their computer of viruses/malware.
The third (and most common) are the morons. They buy and install Norton AV, keep the subscription updated and all that, but they never actually update the definitions or run a scan. Half of the time they've inadvertently turned off the auto scan or real-time protection.
People just don't understand things like this. The best way to fix this is to make users pass a test on basic computer use/safety before they are given the ability to do anything beyond text-only email and document/spreadsheet editing.
xterm is a user-mode program. A user-mode virus can take over xterm. It will know anything that you type in that terminal, including a sudo password. Once it has that, the virus can do what it wants.
Windows NT does not have this problem, at least as of 6.0: you always type your password in a program that runs as root ("LocalSystem"). Vista's default of not having admin access when logged on as admin is actually going to be a good feature. It'll also encourage developers to require admin to run their word processor.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
You're so wrong.
People can do a lot of cross platform stuff with a few lines of perl (or other popular scripting languages) and the standard built-in modules.
A LOT is possible. The last I checked, perl is included on most Linux distros, *BSDs and OSX.
Just not many will bother yet.
It's trivial for a trojan horse perl script to have _zero_ malicious code at the start, but download the payload later from a google search (e.g. eval "$foo"; ). There could even be plausible deniability, just reuse crap code out there in your trojan and exploit it later.
If the AV people have difficulty detecting current silly viruses, I doubt they'll have much of a chance vs perl/other script stuff.
A malware writer can easily write a completely new one everyday - these are rapid development languages after all. Tons of people already do perl golf and obfuscated code for fun.
But for now Linux and Mac desktop users are fairly safe, because most aren't as stupid/ignorant AND there just aren't enough of them.
The targets of mass malware attackers are the weak/stupid/ignorant ones.
Once you have the same sort of people who will run as root/Administrator _AND_ actually enter passwords to decrypt encrypted zipfiles _AND_ run them, getting them to run a little perl script as root is nothing.
"Install new screensaver just do this:"
perl Makefile.PL
Anyway, a real way to reduce this spyware/malware stuff is for the authorities to start using those existing anti-hacking laws on the culprits. After all, if money is involved the trail is easier to follow. I mean, who is paying whom to force computers to show those stinking ads, or tamper with them to send spam?
If the cops etc are jailing "hackers" who copy source code etc, it's funny how they have difficulty getting the malware/spyware people who tamper with hundreds of thousands of computers or more.
> every application that runs on your computer should have its own address space and it should not be allowed to cross into other applications' address spaces, however this is not the case in MS Windows OS.
Nor is it in Linux. A root program or program of the same user can manipulate another process - this is known as "ptrace". It's basically the same as Windows in that respect.
In fact, in Windows NT, the process creation system relies on cross-process memory writing. When a program runs another program, it actually does memory injection into the new process. The NT kernel isn't really aware of things like the user mode stack, the environment, and the command line *. The parent process actually allocates new memory into the new process as the stack, copies its own environment into the new process through injection, and creates the initial thread.
* I just mean that the kernel doesn't manage the user-mode stack. The kernel creates a structure in user memory called the Process Environment Block that points to the environment, but it's not filled in by the kernel.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
I have never run AV in the 12 years I've had computers at home - it just seems like too much hassle. And because there's obviously money to be made in conning people into thinking that it'll solve all their problems, I mistrust AV companies immensely.
I'm probably an idiot, but AFAIK I've only been infected twice in 12 years. Each time I simply re-installed.
"And the meaning of words; when they cease to function; when will it start worrying you?"
As for myself, I used to use Symantec's antivirus software both at home and at work, but a year ago decided it just wasn't worth it. The program was the most obscene resource hog I've ever had the displeasure to use, and in the 7+ years of using the program it never once protected me from getting a virus. The same can be said for a lot of other AV offerings, and yet you still see some idiots suggesting you run 2-4 different AV applications just to "be sure you're safe".
I used to like Norton and have used Systemworks for several years. However I won't anymore once the PC I'm using now dies. Though it's set up to inform me, I never get alerts from it when Windows or software crashes. Norton AV also causes errors and Windows forces it to quit. Now, I haven't had any viri, but then again I'm careful about what I install; I won't open or preview any email unless I know who it came from, or attachments unless I know what it is, and I'll scan it first. Heck, I don't even use my email client, Eudora, once a week. My ISP offers web-based email and it offers a filter that only allows messages from those who are in your address book into the inbox folder. Everything else is either put into a "suspicious" folder or, if the message has previously been declared spam, it's automatically deleted.
Falcon
Should there be a Law?
FYI molcas and molpro are just software; whether they run under Windows is irrelevant. What is relevant is that to use those packages I need normal day-to-day administration of that machine (network config from time to time 'cause uni admins like to change stuff, and in case of power dropping in the middle of a calculation, because I am too cheapo to buy a special supply, well, having to mount and have fun repairing everything costs me more time than the same power down on a neighbouring machine which is Windows). And what I use is Suse, which is not bad as I can get a lot of support at the University from other fellows.
My experience is only relevant as an anecdote. You might have another, better experience. All I know is that NO ONE I know from the average people without too much knowledge of PCs would have gone through learning it. Try hunting for a howto because some networking config is not going through as needed. Fun. Fun. Fun. I can only thank deeply all those who helped me.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Except that the rate of new virus / worm variant production is now so high that purely reactive, signature-based detection isn't very good even with daily updates. There ARE distinctive general virus / worm behaviours which heuristic engines can pick up on: delta offset grabbers, self-decrypting / polymorphic code, modification of key Windows binaries and system files, port scanning, dropping another exe and chain executing it, binding ports, starting SMTP spam engines, injection into other processes' address space e.g. IE's, the creation of suspicious "startup" methods (too many to list), breaking into ring 0, trying to hide the process, use of non-standard / undocumented APIs, directly calling absolute addresses in kernel32.dll etc etc.
Many mainstream AVs' heuristics are not very good. As a newbie coder I found it fairly easy to make an EXE appender that McAfee's resident 'Vshield' completely ignored, even though an exe writing to a directory full of other exes is clearly suspicious behaviour, and the situation was much the same with Norton unless you turned up the heuristic paranoia level to the point where it generated false positives. All it took was tweaking the delta offset grabber and a couple of other simple tricks. I was unable to get anything past AVG however, which is partly why I still use / recommend it (it also helps that it's free, of course).
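The behaviour list in the comment above lends itself to a small scoring engine. This is an added example, not code from the thread or from any AV product: it replays a constructed process-monitor trace and flags processes that show the behaviours named there, including the "exe writing to a directory full of other exes" case. The event format, weights, thresholds and every name and address in the trace are assumptions made for the demonstration.

```python
"""Behaviour-based heuristic scoring over a constructed process-monitor trace.

Added example for this thread; it is not code from any AV product. It scores a
few of the behaviours listed in the comment (an EXE writing into a directory
of other EXEs, cross-process memory writes, binding/using SMTP, adding a
startup entry, port scanning). The event format and every value in EVENTS
are constructed for the demonstration.
"""
from collections import defaultdict

# Constructed trace: (process image, action, target), roughly what a process
# monitor would emit. Paths, names and addresses are all made up.
EVENTS = [
    ("setup.exe",   "write_file",    r"C:\Program Files\Tool\tool.exe"),   # installer, one exe
    ("setup.exe",   "write_file",    r"C:\Program Files\Tool\readme.txt"),
    ("photo.exe",   "write_file",    r"C:\Games\chess.exe"),               # appender: patching
    ("photo.exe",   "write_file",    r"C:\Games\tetris.exe"),              # sibling executables
    ("photo.exe",   "write_file",    r"C:\Games\solitaire.exe"),
    ("photo.exe",   "reg_set",       r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\photo"),
    ("mailer.exe",  "bind_port",     "25"),                                 # SMTP engine
    ("mailer.exe",  "connect",       "10.0.0.5:25"),
    ("mailer.exe",  "connect",       "10.0.0.6:25"),
    ("mailer.exe",  "connect",       "10.0.0.7:25"),
    ("mailer.exe",  "connect",       "10.0.0.8:25"),
    ("mailer.exe",  "connect",       "10.0.0.9:25"),
    ("dropper.exe", "write_process", "iexplore.exe"),                       # injection into IE
    ("scan.exe",    "connect",       "10.0.0.1:21"),                        # one host, many ports
    ("scan.exe",    "connect",       "10.0.0.1:22"),
    ("scan.exe",    "connect",       "10.0.0.1:23"),
    ("scan.exe",    "connect",       "10.0.0.1:25"),
    ("scan.exe",    "connect",       "10.0.0.1:80"),
    ("scan.exe",    "connect",       "10.0.0.1:443"),
    ("word.exe",    "write_file",    r"C:\Users\me\Documents\letter.doc"), # benign
]

# Weights are illustrative; a real engine tunes these against false-positive data.
WEIGHTS = {
    "EXE_APPEND": 40,       # wrote to >= 2 executables that are not its own image
    "PROCESS_INJECT": 50,   # wrote into another process's address space
    "STARTUP_PERSIST": 20,  # created a Run-key startup entry
    "SMTP_LISTEN": 30,      # bound TCP/25
    "SMTP_FANOUT": 30,      # outbound port-25 connections to >= 5 distinct hosts
    "PORT_SCAN": 40,        # >= 6 distinct ports contacted on one host
}


def score_process(proc, events):
    """Return (score, sorted rule names) for one process's (action, target) events."""
    rules = set()
    exe_writes = set()                   # distinct .exe paths written, excluding self
    hosts_by_port = defaultdict(set)     # port -> hosts contacted
    ports_by_host = defaultdict(set)     # host -> ports contacted
    for action, target in events:
        low = target.lower()
        if action == "write_file" and low.endswith(".exe"):
            if low.rsplit("\\", 1)[-1] != proc.lower():
                exe_writes.add(low)
        elif action == "write_process":
            rules.add("PROCESS_INJECT")
        elif action == "reg_set" and "\\run\\" in low:
            rules.add("STARTUP_PERSIST")
        elif action == "bind_port" and target == "25":
            rules.add("SMTP_LISTEN")
        elif action == "connect":
            host, port = target.rsplit(":", 1)
            hosts_by_port[port].add(host)
            ports_by_host[host].add(port)
    if len(exe_writes) >= 2:
        rules.add("EXE_APPEND")
    if len(hosts_by_port["25"]) >= 5:
        rules.add("SMTP_FANOUT")
    if any(len(ports) >= 6 for ports in ports_by_host.values()):
        rules.add("PORT_SCAN")
    return sum(WEIGHTS[r] for r in rules), sorted(rules)


def analyse(events=EVENTS, threshold=40):
    """Group events by process; return {process: (score, rules)} for scores >= threshold."""
    by_proc = defaultdict(list)
    for proc, action, target in events:
        by_proc[proc].append((action, target))
    flagged = {}
    for proc, evs in by_proc.items():
        score, rules = score_process(proc, evs)
        if score >= threshold:
            flagged[proc] = (score, rules)
    return flagged


if __name__ == "__main__":
    for proc, (score, rules) in analyse().items():
        print(f"{proc:12} score={score:3}  {', '.join(rules)}")
```

Note that the installer writing a single executable it owns is not flagged, which is the false-positive trade-off the commenter describes when turning up Norton's "paranoia level".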
I was a strong supporter of the Symantec stuff. IT admin and programmer, paranoid about adware and spyware and spam crap. Kept up to date, subscriptions current, the works. The POP3 email scanner used to nail all kinds of nasties. Several per day. :)
Then, all of a sudden, the nasties stopped. They stopped for a long time. But I was complacent, never bothered to run any other checks. I was a PC God, I knew it all. Had never been hit. Until I moved house, to an area where high speed internet access wasn't available, and I had to switch back to dialup. Everything was grindingly slow, I blamed the dialup, until I noticed after a couple of days that the 'send data' light on my modem was permanently on, regardless of what I was doing. Suspicious, I did a full system scan (with Norton Antivirus), it came up empty. On a whim, I loaded up ad-aware (which I hadn't touched in several months) and did a full scan. It went bananas! Turned out I'd managed to pick up a keyboard logger and some sort of other spyware goodness (fsck knows how, I browse with firefox, maybe my gf did it without realising). Couldn't get rid of it all though. So I promptly tossed out the symantec stuff, installed AVG free, and I've been clean ever since.
Lesson learned. Complacency is as bad as having no protection.
Oh, and my gf has her own VM now, if she needs to use the net.
remember to loot and pillage before you burn!
"The problem is, I think, rather that we have spent 20 years telling users they don't have to understand computing to use computers, and placed colorful metaphors between the users and the screens. We succeeded, and now the malware is exploiting the places where the metaphors break down. And those metaphors are everywhere: the C array which we treat as an input buffer; the bits on a line we treat as a well-behaved full-duplex connection between two programs; the little icons that tell people 'click me and you'll see I'm a ZIP file which opens neatly in WinZip' ..."
And this was the drastic step it took to *finally* grind computers from "something for nerds" to "Oh, well, I guess I have to use one of those myself".
I'm sure the cadre of users in force in 1990 proportionally knew much more, and despite the low level of malware, would have fared much better.
We achieved our sales objective of giving the otherwise-nonusers a computer, so by the logic of the sales mentality, "later is now", the time to use some of 2003's sales money to work on anti-malware.
In a splendid world, I'd like to see some of that money making Linux ready for a NewDecade Rollout for these same users by 2010, but unfortunately, that sales money is stuck cross-platform with Micro$oft. Oops.
--TaoPhoenix
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
>... you find the hidden folder full of child pornography you've been serving up for the last year.
You lost all credibility when you pulled out the "think of the children" line. Apart from anti-virus software marketing, child pornography has nothing to do with viruses. Show me one virus which has ever served up child pornography to the Internet.
Well not quite foolproof but I remember reading an article that claimed to be an interview with one of the original AV software creators. I apologise in advance for getting the specifics messed up.
Basically he said the first incarnation was like a whitelist of processes that were allowed to run. I guess that when you installed myFavProg.exe you had to add it to the list somehow. He claimed that this made the computer nigh impossible to pwn. The problem was they couldn't find a business model that would allow them to make enough money off of it so they created what became one of the big AV apps and adopted the subscription model for virus signature updates; Evil bastards. I wonder if their original concept is still workable?
Me lost me cookie at the disco.
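The whitelist concept in the comment above, the "prohibit executables not specifically allowed" AD policy mentioned earlier in the thread, and the repository-checksum point are all the same check: a default-deny list of known-good executables identified by content hash. Added example, not the original AV creator's product or any project's code; the manifest format, file names and file contents are constructed for the demonstration.

```python
"""Hash-based executable allowlist check (added example, not from the thread).

Combines the points raised in the thread: only explicitly allowed executables
may run, and a file is checked against a trusted checksum rather than its name.
The manifest, file names and contents are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed allowlist: file name -> SHA-256 of the approved build.
# In a real deployment the manifest itself would be signed and kept read-only,
# otherwise whoever can edit it can approve anything.
ALLOWLIST = {
    "editor.exe": hashlib.sha256(b"approved editor build 1.2").hexdigest(),
    "browser.exe": hashlib.sha256(b"approved browser build 4.0").hexdigest(),
}


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(path, allowlist=ALLOWLIST):
    """Classify one executable against the manifest.

    'allowed'  : name is listed and the content hash matches the approved build
    'modified' : name is listed but the bytes differ (patched, appended, other version)
    'unlisted' : name is not in the manifest at all (refused under default-deny)
    """
    expected = allowlist.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    actual = sha256_file(path)
    # Constant-time comparison is a habit worth keeping even for public hashes.
    return "allowed" if hmac.compare_digest(actual, expected) else "modified"


def audit_directory(directory, allowlist=ALLOWLIST, suffixes=(".exe",)):
    """Return {file name: verdict} for every executable in a directory.

    Anything that is not 'allowed' is something a default-deny policy would
    refuse to launch; 'modified' is the interesting case for an infected host.
    """
    results = {}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file() and entry.suffix.lower() in suffixes:
            results[entry.name] = classify(str(entry), allowlist)
    return results


def demo():
    """Build a constructed directory with three executables and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "editor.exe").write_bytes(b"approved editor build 1.2")
        # Same name as an approved program, different bytes: an appended/patched binary.
        (Path(tmp) / "browser.exe").write_bytes(b"approved browser build 4.0" + b"\x90" * 16)
        # Never approved at all: the "install new screensaver" download.
        (Path(tmp) / "screensaver.exe").write_bytes(b"unknown download")
        return audit_directory(tmp)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

This is also why the commenter's "business model" worry is real: the manifest has to be maintained whenever software legitimately changes, which is the work a signature subscription sells in the opposite direction.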
Sad truth number one: major vendor antivirus software will only stop about 20% of the new viruses from getting at your system. This is not acceptable in a business environment where companies are paying big money for this protection. Sad truth number two: most home users are so lame that they run out-of-date, or expired, or no antivirus software, and thus will pass on via email and documents viruses and worms that are old, and would be caught by even the "big three" antivirus products. If you can't run Linux or a Mac, antivirus products are a fact of life in the corporate environment, and yes, their price can be justified, even if they miss 8 out of 10 of the new stuff.
vi +
I cancelled the insurance on my home. One year later other than saving $550 I have not had a single problem. I wasn't robbed, it didn't burn down, and no hurricanes, floods, or earthquakes hit me either...
Last time I checked, flood protection didn't cause your taps to leak, your lightbulbs to burn out, and your cable to cut in and out... in the PC realm bad antivirus software can do a lot of things along those lines.
Insurance has a specific purpose which is different from an antivirus. In fact, the parent's description of using a backup instead is closer to 'insurance' than an anti-virus program, replacing stuff if the worst happens. Yes, you can run an antivirus program, and if you're not paying attention and being careful you still might find yourself in the dumps (which is why for big corps, sometimes incremental backups are best), but ofttimes the price of running many antivirus programs is just as much a loss of productivity. I know from experience, as our last corporate AV program tended on some machines to cause program or outright system crashes (not to mention slowness and resource consumption)... which is much of what antivirus programs are intended to prevent.