Why Popular Anti-Virus Apps 'Don't Work'
Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow-up to another article detailing the sad state of anti-virus software currently on the market.
AV software, and even most firewall software that goes beyond port control, simply prevents the user from using the whole of the internet, but rarely stops the internet from using them. This is just one reason why.
Still, it raises an interesting point, and a good example to give to non-believers if you ever have to give the "Nothing is perfectly secure" speech to a client.
Because you can - or because you should?
Nothing to see here, move along please.
Faster! Faster! Faster would be better!
1. Firefox with popup blocker
2. Firewall software
3. Sit behind router
4. Use AV software
5. Don't click on anything that pops up without reading it!
http://religiousfreaks.com/Ummmmm...
Aw crap. Sorry, forgot which planet I was on again.
Please move along.
Say it with me, people: Default Deny. Say it louder now so that Microsoft can hear it. Operating systems need to deny the right to execute by default. This whole "let anything run unless it looks like a virus" crap is not working. Oh, and Microsoft, that doesn't mean make a pop-up so that someone can click "Yeah, run it already." Every program shipped with the OS gets to run, every program you add to the list gets to run, maybe every program on a whitelist maintained by a person or company you trust gets to run, and that's it. Now before you all freak out and start talking about Linux and how you can already do this, let me remind you that "everyone switch to Linux" is not a valid solution because it's not going to happen anytime soon. Sure, it works on a case-by-case basis, but I still need to go in to work and be able to keep 30 or 40 computers safe and clean that are going to run on Windows, because that's what our software will run on. So, Microsoft, do you let anyone into every room in every building you own unless security sees them on a list, or do you determine who can go where and then keep everyone else out? Why is it that we are forced to use security that anyone can see hasn't worked in the past and has no hope of working in the future?
I routinely get files [or browse for files] on random homebrew sites where "smart" people try and sneak a virus in there.
AV isn't supposed to make your computer stupid-proof. If you download and run every single application you can find no AV in the world will help.
If you happen to stumble on a 4-week-old virus that either got bot-mailed to you or stored in a public archive, they're a godsend. Especially since most AVs scan archives, so before you even open it you're good.
Tom
Someday, I'll have a real sig.
Think about it for a moment. What is the intent of anti-virus software ("anti" + "virus")? Isn't it to stop apps that you don't want running on your computer? Apps that were written by the "bad guys"?
So, the reason that anti-virus software sucks is because the "bad guys" are writing BETTER "viruses" that can bypass the anti-virus programmers' software.
And the reason for that is that anti-virus software is REACTIVE.
A proactive system would patch the holes that are being exploited.
A reactive system issues patches to remove all the specific threats encountered so far.
That approach will ALWAYS result in the "good guys" being behind the "bad guys". Like DUH!!!
Indeed. None of these "brand new AV product problems" is new. Every real professional has known for over 10 years that anti-virus software is based on flawed assumptions and the fundamental principles behind it are plain broken.
You have to distinguish what they do against lame, mindless amateurs and random automated attacks versus targeted attacks. Using those scenarios as a backdrop, you will very quickly realize that it's mostly easier to fix the problems (the security problems) and not the symptoms.
You mean this?
...by testing their code on the most popular anti-virus software before release.
It's a sad state of affairs that worms, trojans and viruses are probably more tested before release than the anti-virus software.
IMHO, the problem comes down to how security works on PCs: it's based on the user, not the app. This is true on Linux as well as Windows. An application runs under the security context of what the user can get to. Applications ought to run under their own security accounts, and when they try to write somewhere they have not been authorized to write before, the user ought to get warned. If the application makes an outbound Internet connection or starts listening on a port without prior authorization, the user ought to get warned. It might seem a hassle to have a couple of hundred security accounts on the PC, but it is far less of a hassle than invasive anti-viral software, especially crap like Norton and McAfee.
Yes, I know Linux is more secure than Windows; I'm a happy Ubuntu user. I sudo whenever I do anything administrative (install apps, install devices, etc.). But there is nothing stopping a hostile application from going out and nuking every file that my non-admin account has access to.
> Why don't antivirus vendors focus on providing workarounds for the actual Windows security flaws instead?
Because viruses aren't using any security flaws.
Default deny subject to whose override authority? Remember: we are talking about a problem at home here. At work, things are already default deny, subject to my authority (or other members of our computer group). You don't get admin/root, so you run only what's installed. Solaris or Windows, doesn't matter.
Ok, but what about at home? You are the admin there. Who looks over your shoulder and determines if something is safe? You can set the OS to default deny running things by running it as a non-administrative account, or by getting something like KPF that intercepts execution and asks you, but in either case it doesn't do anything if you give it permission. Doesn't matter what the hoops you have to jump through are; when you give it permission to escalate privilege and run, you are screwed if you didn't check it out beforehand.
I mean you can have a nice, secure Fedora box and I can send you a binary called destroy_system. If you decide to run it, Fedora automatically asks you for root. If you give it that, it does as it says. There's no way for them to defend you from yourself, without going to something like TCPA where some party other than yourself gets to decide what can and cannot be run on your system.
I think some UNIX people put WAAAAAY too much faith in UNIX's privilege escalation model, as though somehow if the OS asks for a password instead of just a yes/no box people will suddenly stop and think. No, sorry, they won't. They'll view it as just another hoop to jump through. They won't read it, they won't consider the implications, they'll just learn "give it the password and it goes away" and will start doing just that.
In the hands of an educated user, running deprivileged helps because it makes sure something doesn't automatically launch that you aren't aware of. However, in the hands of a clueless user, who is the real problem here, that doesn't cut it. You need something like a virus/spyware scanner that maintains a list of "bad" things and disallows those. Even then, some of them will override it because it'll block the installation of something they want.
That's why: there is too much eye-candy!
I gave up a long time ago on NAV because it had a heavy interface -- fancy background, fade in/out, and all the other stuff that don't really contribute to its operation, especially for an application whose GUI you don't really pop or see very often.
Simple buttons and windows are enough, coupled with a good proper operation within a restricted account -- i.e. good communication with the service that runs in the background.
That is why I like the free AVG option.
One of the easiest ways to protect yourself on Windows is to not run as Admin. Only log into admin when you want to install new software, or when you want to update Windows, etc. In my opinion this is way more effective than any AV software (although I would recommend AV anyway). I would say that 50% (at least) of the nasty things that happen to Windows machines are caused by the fact that people tend to run as Admin by default.
People would never dream of running as root all the time on their Linux machine, yet those same people often run as an admin in Windows XP.
Scientists discover that polio vaccines don't work against other diseases. Details at 11.
Seriously, this isn't news. This was obvious from the time where any signature updates were ever required, or when viruses, scumware, etc. included code to disable/corrupt/uninstall/otherwise cripple antivirus and antispyware software. They're merely admitting it now.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Definitions for Windows viruses, so your Mac can say "virus detected!!" and give you the warm fuzzies that Symantec (or whoever) are protecting you from a (currently) non-existent threat, so you continue to put up the cash...
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Most end-user Linux installs have one user who admins the machine with sudo. Anyone with any skill who writes a Linux virus would simply make his code wait for the user to sudo, then install the rootkit.
The one reason viruses aren't a problem in Linux: fewer gullible users.
The one reason worms aren't a problem in Linux: the small number of diverse builds.
User separation has very little to do with it.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
As currently written, all anti-virus software will fail. The simple reason is that anti-virus depends on a signature or a synthesis of actions to identify what is "bad" and what is "good". Last time I looked, using a moral imperative in programming wasn't a system call. Like spam, viruses are not a technical problem; they are a human problem.
The chief problem is that anti-virus is a defensive posture. Sooner or later, any defense will fail, if only because it becomes outmoded and/or outflanked. Defend only the walls, and you leave yourself open for an air attack. You see the quandary here: it is impossible to know all the various ways to mount an attack and defend against all of them.
You can do what many companies have started to do: prohibit executables in AD policy that are not specifically allowed. This protects (mostly, somewhat) corporate America, but doesn't protect the home user that doesn't have an Active Directory server, and likely wouldn't put up with that kind of restriction anyway.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
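As an added example (not code from the thread or from any product it names), this is what the "default deny" execution policy called for earlier in the thread, and the "prohibit executables not specifically allowed" AD policy in the post above, looks like on a modern Windows host using the AppLocker module. It assumes an elevated PowerShell session, that the rule collections' EnforcementMode can be set directly on the policy object (otherwise set it in the exported XML), and the illustrative user path and file name below.

```powershell
# Added example, not the thread's own: default-deny execution via an AppLocker allowlist.
# Assumes the AppLocker module, an elevated session, and the illustrative paths below.
Import-Module AppLocker

# 1. Inventory the executables that are supposed to run: whatever the OS and
#    sanctioned installers placed under these directories.
$known = @()
foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    $known += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Turn the inventory into allow rules: publisher rules for signed files, hash
#    rules for the rest. Once the Exe rule collection is enforced, anything that
#    matches no rule is denied, which is the "default deny" the posts ask for.
$policy = $known | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Allowed' -Optimize

# 3. Dry run: an unknown file in a user's Downloads folder (illustrative path and
#    name) should come back as DeniedByDefault because it matches no allow rule.
Test-AppLockerPolicy -PolicyObject $policy -User Everyone `
    -Path 'C:\Users\alice\Downloads\destroy_system.exe' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Roll out in audit mode first so would-be blocks are only logged (event 8003
#    in the Microsoft-Windows-AppLocker "EXE and DLL" log); switch the mode to
#    'Enabled' once the log shows nothing legitimate being caught.
foreach ($rc in $policy.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }
Set-AppLockerPolicy -PolicyObject $policy   # local policy; add -Ldap to write a GPO instead
Start-Service AppIDSvc                        # AppLocker enforces nothing unless this service runs
```

Audit mode is the step most deployments skip; the 8003 events are what tell you which line-of-business tools the allowlist missed before users start being blocked.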
So does this mean that I'm better off using an AV that isn't widely used? Is this one case where security through obscurity is actually valid?
Security by obscurity is still one of the best ways to keep yourself secure. Whether it be Macintoshes, or just leaving your house's spare key in a really good hiding spot, obscurity is one of the oldest security features around.
Obviously, what you need is an obscure anti-virus app that's also really protective (as in put your spare key in a safe and hide it).
Of course, the problem with that is that if an anti-virus product works well, it doesn't stay obscure for long.
Man, I'm really stating the obvious here. I'm done now.
..or how Microsoft can beat them to it.
Can someone explain to me (I am not a programmer) if Microsoft has it in their easy-to-reach power to allow users to do the following, if they choose:
1a. Blacklist any executable the user desires from running, no exceptions.
1b. And make this very easy by simply right-clicking on a process and selecting "Don't allow to relaunch".
2. And break down all the SVCHOST.EXE programs into their individual component processes so when a virus adds itself under svchost.exe, that virus is seen as a separate process.
2a. Stop writing the Windows program to name several processes the same damned name (i.e. SVCHOST.EXE).
Joe
"Artificial Intelligence usually beats real stupidity."