Slashdot Mirror


Why Popular Anti-Virus Apps 'Don't Work'

Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow up to another article detailing the sad state of anti-virus software currently on the market.


  1. No S**t by Instine · · Score: 5, Insightful

    AV software, and even most firewall software which goes beyond port control, simply prevents the user from using the whole of the internet, but rarely stops the internet using them. This is just one reason why.

    Still an interesting point it raises, and a good example to give to non-believers if you ever have to give the "Nothing is perfectly secure" speech to a client.

    --
    Because you can - or because you should?
    1. Re:No S**t by nmb3000 · · Score: 5, Informative

      Still an interesting point it raises, and a good example to give to non-believers if you ever have to give the "Nothing is perfectly secure" speech to a client.

      At least people are starting to realize this.

      As for myself, I used to use Symantec's antivirus software both at home and at work, but a year ago decided it just wasn't worth it. The program was the most obscene resource hog I've ever had the displeasure to use, and in the 7+ years of using the program it never once protected me from getting a virus. The same can be said for a lot of other AV offerings, and yet you still see some idiots suggesting you run 2-4 different AV applications just to "be sure you're safe".

      Once people realize that the single best and most effective method of protecting themselves is common sense, they will be a lot better off. If you don't download from untrusted sources, don't click banners, don't install just any (activeX|extensions), and keep your machine patched, you'll be fine (YMMV of course).

      The problem is that while people can buy Symantec's latest breakthrough in keeping your processor occupied, they cannot buy common sense.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    2. Re:No S**t by Instine · · Score: 2, Insightful

      And what crappy firewall do you use?

      Good question. I use XP's SP2 with Advanced Security Tech, plus Router, on my every day machine. I'll not publicise the security I use on more critical machines (eccentricity plus obfuscation is THE only way to minimise security breaches in my opinion). But no AV. I don't open untrustworthy apps, and as TFA goes some way to explain, AV software doesn't work. However I dev and support web apps that must circumvent 'intrusions' made by Norton.

      One such feature is their referrer blocking. This seems to serve no purpose, and is simple to work around. Without the work-around, my software, and many other web apps and sites out there are broken by this "security measure". It took me precisely 1 hour to work around this issue, and I'm not that fast a coder.

      Am I some kind of evil, ninja hacker trying to phish people's personal details? No, I'm a developer trying to make web based accessibility software.

      So what DO I suggest? Have a quick and easy backup and recovery system. And use it. Oh, and don't think Norton does anything practical to help your system security. It simply stops you from using many honest, trustworthy sites and services, while marginally improving your chances against old, 'orthodox' malware.

      --
      Because you can - or because you should?
    3. Re:No S**t by tokenhillbilly · · Score: 4, Interesting

      I did the same thing almost the same time ago. I had 5 computers in my home running Symantec AV. The subscriptions kept expiring on a seemingly continuous rotation. Looking at the logs, none of them had detected a single virus in over a year. I finally decided to develop a system of backing up any critical files on a regular basis and a procedure for reloading my systems if they were affected by any malware that came along. I removed all protection from my systems and waited for the worst.

      It's a year later and, other than my systems running almost twice as fast and having a lot fewer weird hangups and crashes, I have not had a single problem.

    4. Re:No S**t by Schemat1c · · Score: 5, Funny

      Maybe you would have gotten more viruses if you hadn't been using it. You'll never know since you had it running the whole time.

      That's the same logic that keeps me from throwing away my anti-vampire rock. Ever since I've had it I haven't seen a single vampire so that proves it must work.

      --

      "Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
    5. Re:No S**t by secolactico · · Score: 2, Insightful

      The program was the most obscene resource hog I've ever had the displeasure to use

      Sadly, Symantec and most popular anti-virus apps now want to do *everything*. They install a firewall, anti-spam, anti-phishing, web content blocker, etc. And usually, turning off these features simply means they won't actively filter/block but will still be residing in memory.

      All I want is an antivirus that doesn't try to do everything for me. I've been a user of Panda Software for a while, but I won't be renewing my subscription for this reason.

      --
      No sig
    6. Re:No S**t by kz45 · · Score: 4, Interesting

      "The program was the most obscene resource hog I've ever had the displeasure to use"

      The home editions are a resource hog. The enterprise edition (at least of mcafee) has a very small footprint and is lightning fast. Mcafee should consider using the same build on their home editions.

    7. Re:No S**t by iminplaya · · Score: 2, Interesting

      Mcafee should consider using the same build on their home editions.

      What? And kill their sales of the enterprise edition? You won't get far in today's corporate world.

      --
      What?
    8. Re:No S**t by vux984 · · Score: 4, Interesting

      It's a year later and, other than my systems running almost twice as fast and having a lot fewer weird hangups and crashes, I have not had a single problem.

      I cancelled the insurance on my home. One year later other than saving $550 I have not had a single problem. I wasn't robbed, it didn't burn down, and no hurricanes, floods, or earthquakes hit me either...

      Just because the "worst" didn't happen, doesn't mean it won't.

      Plus what is the "worst"? It's ill-defined. In my opinion it's *not* a virus/spyware that pops up 400 popups and makes your computer an unusable steaming turd. It's the virus that installs a rootkit and remote control software, and adds your PC to a zombie spam network, and/or sets it up as "free ftp space" for child porn. All this after scanning your PC for passwords, financial records (the save files from tax software, credit card information, etc etc...), and installs a keylogger. And then it runs like this for 6 months without you knowing about it.

      Then you get a low disc space warning and that's when you find the hidden folder full of child pornography you've been serving up for the last year.

      I'm not saying Norton's software is better than garbage. I too think it's overrated, overpriced crap. But sadly, installing nothing and doing regular backups is far less protection than you might think.

      I recall one virus in particular that periodically would randomly pick a file and rewrite a few dozen bytes in it in some random place. In theory it could run for months without getting detected. Gradually your documents would become corrupt, or applications would start having issues until finally it would hit something critical and your pc would fail. Restoring from backups was worthless because this thing had been damaging files for ages, and your backups were full of damaged files.

      For what it's worth, I tend to agree that "real-time" protection is overrated; 0-day exploits and so on will continue to get through, but frequent full system scans with the latest definitions are a good idea.

    9. Re:No S**t by NixLuver · · Score: 3, Insightful

      From TFA:

      '"The most popular brands of antivirus on the market... have an 80 percent miss rate... So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in," said Ingram.'

      Your argument is specious. Your conclusion may not be completely so ( that's an individual min-max: Is the effort, expense, and general PITA compensation for my 20% risk reduction ), but I'm more inclined to believe it's an IT-type "No one ever got fired for recommending an antivirus application be installed" rather than any real value-add position. I work for a major technology corporation that shall remain nameless; the corporate desktop image is crippled by some of this AV software that 'does not work' ( per TFA ), costs large quantities of dollars, and does not 'catch' viruses or trojans. To be fair, it might, but the email system in and out of the network scans all attachments and kills anything remotely resembling an executable ( including important Visio diagrams and Word documents). All web traffic is redirected through a transparent proxy that crashes IE (although it just irritates firefox) by forcing authentication for any URL it deems 'questionable'. And the desktop AV software has missed every challenge it's been faced with.

      As a Unix Systems Engineer, I just sit at my Solaris, Linux, and OSX machines and shake my head in sympathy for my less fortunate brethren, and (mostly) resist the desire to invoke the ancient Dilbert line... "Here's a nickel, kid; go get yourself a better computer."

    10. Re:No S**t by vux984 · · Score: 2, Insightful

      Your argument is specious.

      I'd say that depends largely on which virus scanner you end up choosing.
      Kaspersky was noted as having a 90% hit rate, for example.

    11. Re:No S**t by donaldm · · Score: 2, Interesting

      A few years ago my eldest son was curious on how Computer viruses worked so he asked me. I thought about it for a few minutes and remembering the pathetic script-kiddy viruses I had seen, I demoed a virus concept (about 5 minutes) using a simple Korn script. What surprised me was how easy it was to write and just for fun I thought "how do I make my script morph". The answer was so simple and obvious (maybe I should patent it since any stupid or obvious patent appears to be getting through).

      What I was able to do (within 15 minutes) was write a simple script that would change its signature identification every time it was run, making identification almost impossible. The same concept I used in a simple Korn script could easily be applied to a binary application, granted this is more complex in the writing but not difficult, and I am amazed that we don't see more morphing viruses.

      People need to realise that a computer is fairly sophisticated and to use it properly you have to have some knowledge of computing, especially basic security. They should not just blindly rely on the so-called latest virus protection software, which always seems to "close the gate after the horse has bolted". I won't hold my breath on this since the main PC operating system is in itself inherently insecure.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    12. Re:No S**t by vux984 · · Score: 3, Insightful

      If his PCs bugger up he wastes maybe an hour or two recovering the system from a complete backup and goes about his business,...

      Not necessarily.

      With the right kind of malware afflicting his system, he won't be spending 1-2 hours recovering from a complete backup. He'll have to either reinstall from scratch or revert to a very old backup image and then scavenge his backup(s) for usable files and documents, and even may have to give up on several files and recreate them from scratch. He could lose weeks or much more. Is it unlikely? Hell yeah. But then... so is my house burning down.

      "Good" Malware doesn't bring your system down hard right away, so that you can simply restore it from a recent clean image. It corrupts data over time so your backups are corrupt too. And then restoring it is a *much* bigger hassle, and depending on your backup strategy you might have lost stuff too.

      I'm not saying AV will necessarily save you, but it might give you an earlier warning than you might otherwise have had. The right backup strategy will save your data, but those strategies tend to be tedious, cumbersome, and complex, especially for home users. And restoring will still be a PITA. Fortunately most malware just wants to annoy you with advertising, or use your computer to launch further attacks on someone else.

      But there are virii that are designed to maliciously cause damage to the systems they are on, or steal your identity/ or harvest 'valuable' data from your PC. Backups won't help much against these kinds of malware. In the former, the backups are themselves likely to be corrupt, and in the latter the real damage cannot simply be undone by restoring from backups -- that won't get your 'stolen' data back.

    13. Re:No S**t by SnowZero · · Score: 4, Funny

      If your house burns down you physically have to buy / restore the current one with hard earned cash.

      Are you saying you don't make regular backups of your house? Man, you are really tempting fate.

    14. Re:No S**t by vux984 · · Score: 2, Interesting

      If you could just stick to some guidelines strictly, you will be safe against any virus, not just old and new ones. And yes, for free (as in beer) too.

      In other words ... "If you could just stop being a fallible human being indefinitely..."

      In other words, you are right, but the conditions you require are unattainable so it's not a terribly useful solution.

    15. Re:No S**t by Phisbut · · Score: 2, Interesting
      I'd say that depends largely on which virus scanner you end up choosing.

      Kaspersky was noted as having a 90% hit rate, for example.

      It also depends on which virus scanner you're actually allowed to choose from. Kaspersky might have a 90% hit rate, and we know it's good... but at the office, we had to go with McAfee (which is also a terrible resource hog) and were not even allowed to evaluate Kaspersky... because... well... you know... Russians are evil... they could be spying through their software...

      Sadly, I'm not making this up.

      I'm happy though, I am fortunate enough to be working on a Linux box. However, I pity my coworkers that have to endure Windows and McAfee.

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
  2. Did I miss something? by ColdWetDog · · Score: 3, Insightful
    Or are both of these articles the same thing? And not much of anything, either. Two paragraph blurbs on the sad state of AV software.

    Nothing to see here, move along please.

    --
    Faster! Faster! Faster would be better!
    1. Re:Did I miss something? by ConceptJunkie · · Score: 3, Informative

      They are standard Web articles: Two paragraph summaries.

      At the rate things are going, article writers won't even bother with the body of the story any more, it will just be a title and ads.

      --
      You are in a maze of twisty little passages, all alike.
  3. Just follow a few basic steps... by gasmonso · · Score: 4, Insightful

    1. Firefox with popup blocker

    2. Firewall software

    3. Sit behind router

    4. Use AV software

    5. Don't click on anything that pops up without reading it!

    http://religiousfreaks.com/
    1. Re:Just follow a few basic steps... by Anonymous Coward · · Score: 2, Funny

      I clicked on your religious link, and my pc reboots ev

    2. Re:Just follow a few basic steps... by Mr.+Freeman · · Score: 2, Insightful

      I agree that windows is insecure. But it isn't exactly practical for a lot of people to switch to another OS. I hate windows, but I'm pretty much forced to use it because I have no idea how to run Linux well, and apple doesn't run any of the applications I use often.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    3. Re:Just follow a few basic steps... by Gnavpot · · Score: 5, Informative
      1. Firefox with popup blocker

      2. Firewall software

      3. Sit behind router

      4. Use AV software

      5. Don't click on anything that pops up without reading it!
      You ignore the three most important:

      Remove administrative privileges from your everyday account.

      Keep your software and OS updated.

      Do not run software with a bad security record.
    4. Re:Just follow a few basic steps... by arodland · · Score: 3, Insightful

      You can't run Linux because you're not experienced in using it... but you were born knowing how to use Windows? Or what?

    5. Re:Just follow a few basic steps... by Anonymous Coward · · Score: 2, Insightful

      6. Post the same link in every post you make on slashdot.

      7. ???

      8. Profit!!!

      Mods, I don't care what you do to me, but someone has to stop this guy.

    6. Re:Just follow a few basic steps... by Ctrl-Z · · Score: 4, Funny

      Also: Don't connect your computer to the Internet.

      --
      www.timcoleman.com is a total waste of your time. Never go there.
    7. Re:Just follow a few basic steps... by NihilEst · · Score: 3, Insightful
      Another poster got it, too. You had to learn to use windoze, you can learn to use Linux, too. Or *BSD, or Mac OS. Anything other than windoze. Necessity makes it practical.

      When you use windoze, you're using the most targeted OS on the Earth ... you're lumping yourself in with a vast crowd of people who know absolutely nothing and suspect even less. Putting one of these machines on the 'Net is an invitation to be robbed -- literally; in many, many ways -- not to mention being held hostage by MS and whatever it decides to implement for DRM and other issues yet to be named.

      No AV package/author is going to be able to stay even one step ahead of the black hats out there, who are getting more criminal as time goes on. You don't have to actively do anything other than visit a website to be infected/ripped off any more. The black hats have gotten very, very sophisticated. There's money available for the taking, and you're hanging it out there as long as you run windoze and store any kind of personal data on it.

      I've heard all the excuses; none of them wash. Either you're intelligent enough to own, administer, and operate a computer; or you're not. If you have that level of intelligence, you are certainly capable of learning and retaining enough knowledge to run something else. So it takes an investment of time and effort ... okay, live with it.

      Use windoze at your own risk.

      --
      Founding member: He-Man Windoze Hater Club
    8. Re:Just follow a few basic steps... by jlarocco · · Score: 2, Insightful
      I agree that windows is insecure. But it isn't exactly practical for a lot of people to switch to another OS. I hate windows, but I'm pretty much forced to use it because I have no idea how to run Linux well, and apple doesn't run any of the applications I use often.

      Oh, you poor thing. I have an idea which may help you: Stop bitching.

      If you hate Windows so much, take some fucking initiative and learn something else. What the hell are you waiting for? Someone to volunteer to teach you? For Linux to become a Windows clone? Guess what? It's not gonna happen. Ever.

      If you hate Windows, but still use it, it's your own fault. Stop crying to everyone on Slashdot that you're too stupid too learn.

    9. Re:Just follow a few basic steps... by isorox · · Score: 2, Insightful

      Most people I know haven't got a clue what a file is. They aren't computer literate, they can load a few programs (word processor, browser, email), and that's about it.

      It took YEARS for me to get somewhat computer literate (using linux). Not everyone fancies spending hundreds of hours re-learning it all.

      I've tried windows XP (and 2K) several times, but I hate using something I don't understand, or don't understand enough to configure to run properly and such... Every time I've tried it, I've had problems, I couldn't even find the command line, had to download cygwin. All I could find (after about 2 hours) was an expanded run command "Command Prompt".

      Files were stored seemingly randomly, and I wasn't sure where my files were for some programs, I couldn't find apache's htdocs without doing a search. The version of windows search I had seemed to have a bug, instead of taking half a second like 'locate htdocs' does, it took forever.

      Of course, I had to figure out that installing apache wasn't enough - gotta install the service too or something, wtf is this computer management thing?

      My PDA wouldn't work, I plugged it in (just works (TM) under linux), but windows said "Found new hardware, insert driver disk". WTF is a driver disk? My PDA's a few years old, and it's a standard usb networking device. Fixing it seemed overly complex, I couldn't find a driver on the "list all drivers" option. Had to spend donkeys years finding and installing essential programs, and it turns out with windows I can't just click on a program and have it automatically download and install (I hoped "add remove programs" in control panel would do that, it seems to simply be "remove (some) programs" though). I have to visit a website, click through dozens of popups, download a zip file, extract that, run a setup program, install that, then get around to configuring the program. I looked for something like ".putty" to see where it stored connections, so I could move to another machine easily, but no sign of that.

      I'm also told I need something called "Anti Virus"? WTF is that? If my computer sneezes I'll know about it, but I doubt that it can get a cold (my PC runs >50C). Coupled with having to find alternatives for the programs I take for granted (cygwin helps a lot, but not for everything), and I find that programs that are available don't have the same support.

      USB flash drive had to have drivers installed and a reboot (a reboot? I've plugged in a simple USB storage device, not a new freakin' OS) too.

      Yes, there is always an answer, a fix, or whatever. And the OS is ubiquitous and all. But, you gotta figure it all out, and even though ppl here like to say their grandma runs windows and finds it easy, IT'S NOT. I was completely fucking lost. Want to understand where files are (I hear some configuration settings are stored in a single binary file with a lousy editor)? Sure! Just read some website that's 100 pages of adverts. There's no nice simple help system like "man" to find out how to do something easily.

      I'm sorry, but I'd rather download a linux net-install disk at dinner, and put it on that night, rather than having to leave the house, go 20 miles to some shop, spend $CAD 400 on a version of windows, come back and then faff around installing, registering and activating it?

      I'm still toying with windows at work, but for my home desktop? Not a chance.

      If someone was learning from scratch one OS or the other, perhaps windows could be a better choice, but there's some of us that have already invested more time than we care learning to use an OS and associated apps, and I'm just not going to relearn it all. When I had a problem with linux I'd fire off an email to my local LUG and get a few nice courteous replies within an hour or two. I haven't found a windows user group though.

      Windows isn't for everyone I guess.

  4. I don't use Norton.. by ACAx1985 · · Score: 2, Interesting

    I don't use Norton not because I feel it's poor at catching/preventing viruses, but for the level of intrusion that comes with it. The Norton name, and especially Norton Ghost, are just a headache waiting to happen for anyone who installs it. I very happily use Firefox 1.5 and the latest version of Nod32. Additionally, I don't open e-mails that promise a glimpse into Paris Hilton's private area. -ACA

    1. Re:I don't use Norton.. by Anonymous Coward · · Score: 5, Funny

      Additionally, I don't open e-mails that promise a glimpse into Paris Hilton's private area.

      Hm. You can call that area on Paris Hilton a lot of things, but "private" isn't one of them.

  5. Kaspersky? by morgan_greywolf · · Score: 2, Interesting
    FTFA:

    One vendor Ingram did mention was Russian outfit Kaspersky, which in the same tests managed to block around 90 percent of new malware.


    So what's Kaspersky doing that's making it so much better? Or was the study paid for by Kaspersky? It sounds suspiciously like FUD to me.

    1. Re:Kaspersky? by WombatDeath · · Score: 3, Informative

      The article suggests not that it's doing anything better, but that since it has only 0.8% of the market the malware authors don't bother to work around it.

  6. Dedication to QA by Distinguished+Hero · · Score: 4, Funny
    testing their code on the most popular anti-virus software before release.
    Now that's good quality assurance. Many programmers have much to learn in this regard, though I suppose virus writers are motivated by doing what they love and not having to put up with PHBs, which are two amenities a lot of programmers have to do without. :)
    --
    Uttering logically derived and empirically supported truths to the disciples of the orthodox establishment.
  7. Re:you are not supposed to cure the symptoms by antifoidulus · · Score: 2, Funny

    So..... the disease is slashdot then?

  8. Why is... by twmf · · Score: 2, Insightful
    ...the endless repetition of the obvious considered news?

    Ummmmm...

    Aw crap. Sorry, forgot which planet I was on again.

    Please move along.

  9. Signature-based recognition was doomed by Animats · · Score: 5, Interesting

    The whole concept of recognizing known viruses was fundamentally flawed. It had a good run, but that was because virus writers were mostly trying to get attention, not steal. Now that viruses are an ongoing criminal enterprise, the old dumb tactics won't work.

    We're going to have to give up on recognition and put more effort into partitioning. We need setups where each web page renders in its own jail, and it doesn't matter if the browser is insecure - when the page closes, a program exits and any corrupted info goes away.

    Of course, this will break Active-X, toolbars, downloads, etc. Then again, on business systems, you want those things broken.

    Once the browser is locked down like that, you need a "guard" program. When you want to move a file out of a browser's jail, it has to go through a program that "sanitizes" it. Often, a translation to a well-documented format that doesn't contain execution capability will do the job. Converting incoming .doc files to Open Document XML format, for example.

    It's quite possible to completely solve this problem.

    1. Re:Signature-based recognition was doomed by Carcass666 · · Score: 2, Insightful

      IMHO, the problem comes down to how security works on PC's - it's based on the user, not the app. This is true on Linux as well as Windows. An application runs under the security context of what the user can get to. Applications ought to run under their own security accounts, and when they try to write somewhere they have not been authorized to write before, the user ought to get warned. If the application makes an outbound Internet connection or starts listening on a port without prior authorization, the user ought to get warned. It might seem a hassle to have a couple of hundred security accounts on the PC, but it is far less of a hassle than invasive anti-viral software, especially crap like Norton and McAfee.

      Yes, I know Linux is more secure than Windows, I'm a happy Ubuntu user. I SUDO whenever I do anything administrative (install apps, install devices, etc.) But there is nothing stopping a hostile application from going out and nuking every file that my non-admin account has access to.

    2. Re:Signature-based recognition was doomed by narfbot · · Score: 2, Informative

      The whole concept of recognizing known viruses was fundamentally flawed. It had a good run,

      More than ten years ago, before windows 95, and most people were using DOS and DOS virus scanners, I had someone (comparable to a modern day script-kiddie) from my high school ask me to scan a disk to see if the viruses he had on there were detected. Even then he knew if the popular virus scanners of the day couldn't detect them, that he could potentially use them. It was then I realized that virus scanners were a joke and never have used those crappy bloated active scanners since. I don't think any virus scanners ever had a good run because the average kid back in the day knew they could be fooled.

  10. What I do by shawn443 · · Score: 4, Informative

    Require all users to run as a limited user as per Principle of Least Privilege. This is the key. I once had a computer lab for inner city youth with no AV software at all, just limited user accounts and a simple router. Once we could afford Symantec AV Corporate (I work for a non profit) and ran the scans, no viruses. If anyplace was bound to get one, that would have been it.

    1. Re:What I do by wildman6801 · · Score: 2, Interesting

      The problem with this approach in Windows XP is most programs will not work properly as a limited user. This is because most programs were designed for Windows 9x not NT. The programs that were designed originally for NT will run this way. What Microsoft should do with the new release of Windows Vista is set up a user account on the system as a limited user. For Microsoft certification they must be able to function as a limited user! This would fix a lot of problems with malware and viruses!

      --
      A site cowboyneal will like http://www.freewebs.com/atpa/
  11. Default Deny by lapagecp · · Score: 4, Insightful

    Say it with me people: Default Deny. Say it louder now so that Microsoft can hear it. Operating systems need to by default deny the right to execute. This whole let anything run unless it looks like a virus crap is not working. Oh and Microsoft, that doesn't mean make a pop up so that someone can click "Yeah run it already." Every program shipped with the OS gets to run, every program you add to the list gets to run, maybe every program on a white list maintained by a person or company you trust gets to run, and that's it. Now before you all freak out and start talking about linux and how you can already do this, let me remind you that "everyone switch to linux" is not a valid solution because it's not going to happen anytime soon. Sure it works on a case by case basis but I still need to go in to work and be able to keep 30 or 40 computers safe and clean that are going to run on windows because that's what our software will run on. So Microsoft, do you let anyone into every room in every building you own unless security sees them on a list, or do you determine who can go where and then keep everyone else out? Why is it that we are forced to use security that anyone can see hasn't worked in the past and has no hope of working in the future?
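The two threads above make one combined point: donaldm's morphing script shows why a deny-list signature (a hash or byte pattern of a sample the vendor has already seen) is defeated by trivial rewrites, and lapagecp's default-deny argument is that an allow list is unaffected by such rewrites because anything unknown is simply not run. The following is an added example written for this page, not code from any commenter, the ZDNet article or an AV product. The "malware" is a constructed, harmless shell script; `mutate_comment`, `mutate_code`, `normalize` and the two policy tables are assumed names for illustration. Nothing is executed; the script is only hashed.

```python
# Added example (not from the thread): a deny-list signature versus a
# default-deny allow list, exercised against a harmless script that
# rewrites itself. Nothing here is executed; scripts are only hashed.
import hashlib
import re
import secrets

# Constructed stand-in for a script virus: its behaviour is the echo line,
# the comment line is the part a morphing loop rewrites on every run.
ORIGINAL = b"#!/bin/sh\n# id: 0000\necho 'pwned'\n"
# Constructed stand-in for a program the administrator has approved.
APPROVED = b"#!/bin/sh\necho 'hello'\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mutate_comment(script: bytes) -> bytes:
    """Morph 1: replace a comment with a random token. Same behaviour, new bytes."""
    token = b"# id: " + secrets.token_hex(4).encode()
    return re.sub(rb"# id: [0-9a-f]+", token, script, count=1)


def mutate_code(script: bytes) -> bytes:
    """Morph 2: express the same action through a wrapper function, so even a
    signature taken over comment-stripped code no longer matches."""
    return script.replace(b"echo 'pwned'", b"say(){ echo \"$@\"; }\nsay 'pwned'")


def normalize(script: bytes) -> bytes:
    """Drop comment lines and surrounding whitespace before hashing."""
    lines = [ln.strip() for ln in script.splitlines()]
    return b"\n".join(ln for ln in lines if ln and not ln.startswith(b"# "))


# Deny lists as an AV vendor would ship them: hashes of samples already seen,
# once over raw bytes and once over normalized code.
EXACT_DENY = {sha256(ORIGINAL)}
NORMALIZED_DENY = {sha256(normalize(ORIGINAL))}
# Allow list as lapagecp proposes: only what shipped with the OS or what the
# administrator added may run; everything else is denied by default.
ALLOW = {sha256(APPROVED)}


def exact_denylist_blocks(script: bytes) -> bool:
    return sha256(script) in EXACT_DENY


def normalized_denylist_blocks(script: bytes) -> bool:
    return sha256(normalize(script)) in NORMALIZED_DENY


def allowlist_permits(script: bytes) -> bool:
    return sha256(script) in ALLOW


def run_scenario() -> dict:
    """For each variant, report whether each policy stops it."""
    variants = {
        "original": ORIGINAL,
        "comment_morph": mutate_comment(ORIGINAL),
        "code_morph": mutate_code(mutate_comment(ORIGINAL)),
        "approved": APPROVED,
    }
    return {
        name: {
            "exact_deny_blocks": exact_denylist_blocks(s),
            "normalized_deny_blocks": normalized_denylist_blocks(s),
            "allowlist_blocks": not allowlist_permits(s),
        }
        for name, s in variants.items()
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:14s} {result}")
```

Running it shows the arms race in miniature: the exact-hash deny list only catches the unmodified sample, the normalized deny list survives the comment rewrite but not the code rewrite, and the allow list blocks every variant, including the original, without ever having seen it. The allow list's cost is the one lapagecp accepts: an unknown but legitimate program is blocked too until someone adds it. The caveat is that an allow list keyed on file hashes only holds if the approved programs do not themselves execute arbitrary input, so an approved interpreter or macro-capable application is where the policy leaks.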

    1. Re:Default Deny by hackstraw · · Score: 2, Interesting

      Operating systems need to by default deny the right to execute.

      Hmm. Like Linux/UNIX that does not store executable permissions on email attachments w/o user intervention? Like OS X's behavior to ask the user the first time they run a file associated with an app? Like viruses are a Microsoft problem, and not a feature of other OSes?

      I can't ever seem to type the last question here on /. without getting slammed, but when are people going to give up the drama and just use an OS that suits their wants and needs or shut the fuck up and deal with viruses, crashes, lagging development and features, horrible UI, and all that.

      No, there are no battered OS user shelters like battered wife shelters. No, there is not MA (Microsoft Anonymous), but today in 2006, OSes are almost a dime a dozen like microwaves and everything else. I've been MS free for quite some time, but I'm in the process of taking over a PC at work that has 2000 on it and it had mysterious popups, firefox would not work with the HP print server I was playing with (java issue or something). The admin of the box said that you still basically have to log in as Administrator to do anything. Just for fun, I clicked on the adaware icon, and it found 70-80 or so things on it. In order to get TCP/IP printing to work, you had to configure a local printer to look like a networked printer or something bassackwards like that.

      I mean, this was my first MS OS adventure in over 5 years, and within a couple of hours I was reminded of why I simply do not go there. Aside from the specific issues I mentioned, sure I was able to click on crap and view the web and read email, but how tough is that to do on any computer today?

  12. AV stuff serves its purpose by tomstdenis · · Score: 3, Insightful

    I routinely get files [or browse for files] on random homebrew sites where "smart" people try and sneak a virus in there.

    AV isn't supposed to make your computer stupid-proof. If you download and run every single application you can find no AV in the world will help.

    If you happen to stumble on a 4 week old virus that either got bot-mailed to you or stored in a public archive, they're a godsend. Especially since most AVs scan archives, so before you even open it you're good.

    Tom

    --
    Someday, I'll have a real sig.
  13. And they are both wrong. by khasim · · Score: 5, Insightful

    Think about it for a moment. What is the intent of anti-virus software ("anti" + "virus")? Isn't it to stop apps that you don't want running on your computer? Apps that were written by the "bad guys"?

    So, the reason that anti-virus software sucks is because the "bad guys" are writing BETTER "viruses" that can bypass the anti-virus programmers' software.

    And the reason for that is that anti-virus software is REACTIVE.

    A proactive system would patch the holes that are being exploited.

    A reactive system issues patches to remove all the specific threats encountered so far.

    That approach will ALWAYS result in the "good guys" being behind the "bad guys". Like DUH!!!

    1. Re:And they are both wrong. by CashCarSTAR · · Score: 3, Insightful

      The biggest hole existing right now is the user. Any thought otherwise is simply whistling in the wind.

      Once a user runs software, if that software is malicious, that computer is compromised. Period.

    2. Re:And they are both wrong. by stevey · · Score: 4, Informative
      A proactive system would patch the holes that are being exploited.

      The problem here is that viruses don't typically exploit any hole. They are simply programs that run with the privileges of the user who executes them.

      A typical (old school) virus would do three things:

      • When executed find files that can be written to - pick one at random.
      • Update that program to append itself to the end of it. Patch the header so that execution starts at the newly appended code.
      • Work out where the currently infected program should have started execution from - jump to it.

      There are only two things you can do to protect against this, in general:

      • Don't run infected programs.
      • Don't allow the current user to modify binary files.

      In Windows it is the second issue which allows viruses to spread - typically the local user would have write access to the system binaries, so eventually Notepad.exe would get infected, etc. Under Linux/Unix root generally is the only person who can write to system binaries, so a typical user can't infect them.

      However Linux viruses do exist, and are trivial to write. The reason they don't spread is partly because users are used to getting their binaries from trusted sources, partly because they download things from source, and partly because most users don't run with the ability to modify system files. (Sure you might be able to infect ~/bin - but there isn't a big gain)

      Windows is getting better at allowing non-Administrators to work properly, so sooner or later the ability of joe-random-desktop user to modify system binaries will disappear and at that point viruses will stop. Still there will be worms, trojans, and all the other nasties left!

      I've gone on a bit much, but I wanted to drive the point home: Viruses do not exploit security holes. (In general)
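
The two defences the post lists (the user cannot modify binaries, and a modified binary gets noticed) can be checked mechanically. This is an added example, not code from the thread: a small integrity baseline plus permission audit over a constructed temporary directory of fake binaries, where a file that only grew is the tell-tale of the appender pattern described above.

```python
"""Added example: file-integrity baseline and permission audit for a directory
of binaries.  Everything here (directory, file names, contents) is constructed
in a temporary directory; nothing touches real system binaries."""
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bindir):
    """Record (size, digest) for every regular file in bindir."""
    baseline = {}
    for name in sorted(os.listdir(bindir)):
        path = os.path.join(bindir, name)
        if os.path.isfile(path):
            baseline[name] = (os.path.getsize(path), file_digest(path))
    return baseline


def compare_to_baseline(bindir, baseline):
    """Return {name: reason} for files that differ from the baseline.

    A file whose digest changed but whose size only grew matches the classic
    appender: original bytes intact, new code added at the end (the header
    patch changes bytes in place, so the digest catches that too)."""
    findings = {}
    current = build_baseline(bindir)
    for name, (size, digest) in baseline.items():
        if name not in current:
            findings[name] = "missing"
            continue
        cur_size, cur_digest = current[name]
        if cur_digest == digest:
            continue
        if cur_size > size:
            findings[name] = f"grew by {cur_size - size} bytes (appended code?)"
        else:
            findings[name] = "content changed"
    for name in current:
        if name not in baseline:
            findings[name] = "new file"
    return findings


def writable_by_others(bindir):
    """Names of files that group or world can write: the permission that
    lets an unprivileged user's infected process reach a shared binary."""
    bad = []
    for name in sorted(os.listdir(bindir)):
        mode = os.stat(os.path.join(bindir, name)).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(name)
    return bad


def demo():
    """Construct a fake 'system binaries' directory, take a baseline, then
    simulate both failure modes and return what the audit reports."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in ("notepad.exe", "calc.exe"):
            path = os.path.join(bindir, name)
            with open(path, "wb") as f:
                f.write(b"MZ" + b"\x00" * 62 + b"original code")  # constructed
            os.chmod(path, 0o755)
        baseline = build_baseline(bindir)
        # Failure mode 1: 16 bytes get appended to notepad.exe.
        with open(os.path.join(bindir, "notepad.exe"), "ab") as f:
            f.write(b"X" * 16)
        # Failure mode 2: calc.exe becomes world-writable.
        os.chmod(os.path.join(bindir, "calc.exe"), 0o777)
        return compare_to_baseline(bindir, baseline), writable_by_others(bindir)


if __name__ == "__main__":
    changed, writable = demo()
    for name, reason in changed.items():
        print(f"MODIFIED {name}: {reason}")
    for name in writable:
        print(f"WRITABLE BY NON-OWNER {name}")
```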

  14. Antiviruses are flawed by design by chrysalis · · Score: 3, Interesting

    What does an antivirus do? It scans files and memory for known patterns in order to erase some bits. If 10 different viruses exploit the same flaw in 10 different ways, an antivirus requires 10 signatures to recognize them all (heuristics *are* signatures). Why don't antivirus vendors focus on providing workarounds for the actual Windows security flaws instead?

    1. Re:Antiviruses are flawed by design by mobby_6kl · · Score: 2, Insightful

      > Why don't antivirus vendors focus on providing workarounds for the actual Windows security flaws instead?

      Because viruses aren't using any security flaws.

  15. But... by aardvarkjoe · · Score: 5, Interesting

    Aren't most of the viruses and worms that are out there just variants of other viruses? It seems like most of the time that I hear about a "new" terrible virus, it's really a slightly modified version of one that's been around for awhile, and usually if you're up to date on your antivirus and security patches the new virus won't do anything anyway. And let's not forget that there are still plenty of old viruses on non-secured machines that an antivirus application will protect you from.

    I can see their point where people developing a new virus are concerned, but as the lifecycle of a virus is often longer than the time it takes to update the signatures, I think that they are overstating their case by saying that the AV apps "don't work."

    --
    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    1. Re:But... by TubeSteak · · Score: 2, Informative
      Aren't most of the viruses and worms that are out there just variants of other viruses? It seems like most of the time that I hear about a "new" terrible virus, it's really a slightly modified version of one that's been around for awhile
      All true, but your conclusion was false.

      The codebase between variants can easily be changed to the point where heuristics & previous def files will not recognize it.

      It's worse with an (encrypted) polymorphic virus, because those are hard enough for the anti-virus guys to decode the morphing bits without various blackhats tweaking the virus/morph/encryption code and re-releasing the virus.
      --
      [Fuck Beta]
      o0t!
  16. The Black Hats are winning... by __aaclcg7560 · · Score: 3, Insightful

    ...by testing their code on the most popular anti-virus software before release.

    It's a sad state of affairs that worms, trojans and viruses are probably more tested before release than the anti-virus software.

  17. I know this, you should know this by Null+Nihils · · Score: 3, Interesting

    Once malicious code enters the "perimeter", so to speak, AV software is a rather weak stopgap measure. Software design flaws that result in holes can seldom be fixed by adding more surface area; it only becomes a matter of time before the attacker figures out the next step. The AV software companies know that most of their customers have no idea how computer security works. Antivirus provides some shallow peace of mind for Joe Average. It is not a very serious security measure and it should not be relied on as such.

    I'm sure other posters will provide the real answers to security, like limited user access, a good firewall, not running untrusted code, and using a web browser that isn't garbage.

    I went for 3 years using just these precautions, but used no antivirus whatsoever. I never became infected by a single thing. I only recently grabbed ClamWin, a port of ClamAV, for my Windoze box because I wanted to scan a program I got via P2P.

  18. Re:Anti-virus Programs Aren't Up to Snuff by Apraxhren · · Score: 4, Informative
    XP is a huge pain to use without admin rights due to braindead apps
    I'm not sure if that is all that true anymore, at least. Granted I don't run a vast amount of software, but in my experience it seems more recent software tends to be non-brain-dead, at least in the gaming industry. Gaming was once one of the worst offenders (nearly everything used to write to the Program Files dir), but now all the ones I have had experience with write to the user space. Every other program I run allows a choice of where to save data, so they work perfectly as well. However, like I said, I don't have every software title at my disposal and really it could just be luck in the programs I run. Aaron Margosis does an excellent job of providing all the information needed to run as non-admin on his blog: http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
  19. What do these guys think signatures are, anyway? by Teilo · · Score: 5, Interesting

    Both these articles read like they were written by an idiot. They do not make the distinction between the detection of known viruses, and the detection of unknown viruses via heuristics. And if you start calling heuristics a signature, you are going to confuse the heck out of everyone. Don't mix terminology.

    Honestly, I do not know anyone who believes that an AV program is going to protect them from unknown viruses! The whole point of AV software is to give you protection from viruses as they are discovered. I mean everyone knows that if they do not update their virus signatures on a constant basis (several times a day on my mail servers), they may as well not be running virus protection at all. OK. Maybe some people are dunces about this, but honestly, even my 81 year old grandmother knows that she has to keep her AV current, or she's unprotected.

    I mean, for crying out loud, what are these signature updates for? For catching known viruses. Mega duh!

    --
    Mir tut es leid, Menschen daß Einfältigfehlersuchenbaumfolgendenaffen sind.
  20. In my experience, Symantec software is worse... by Futurepower(R) · · Score: 4, Informative

    Symantec software is even worse than you said, in my experience.

    You didn't mention the bugginess.

  21. Ummm ok by Sycraft-fu · · Score: 2, Insightful

    Default deny subject to whose override authority? Remember: We are talking about a problem at home here. At work, things are already default deny, subject to my authority (or other members of our computer group). You don't get admin/root, so you run only what's installed. Solaris or Windows, doesn't matter.

    Ok, but what about at home? You are the admin there. Who looks over your shoulder and determines if something is safe? You can set the OS to default deny running things by running it as a non-administrative account, or by getting something like KPF that intercepts execution and asks you, but in either case it doesn't do anything if you give it permission. Doesn't matter what the hoops you have to jump through are, when you give it permission to escalate privilege and run, you are screwed if you didn't check it out beforehand.

    I mean you can have a nice, secure Fedora box and I can send you a binary called destroy_system. If you decide to run it, Fedora automatically asks you for root. If you give it that, it does as it says. There's no way for them to defend you from yourself, without going to something like TCPA where some party other than yourself gets to decide what can and cannot be run on your system.

    I think some UNIX people put WAAAAAY too much faith in UNIX's privilege escalation model, as though somehow if the OS asks for a password instead of just a yes/no box people will suddenly stop and think. No, sorry, they won't. They'll view it as just another hoop to jump through. They won't read it, they won't consider the implications, they'll just learn "give it the password and it goes away" and will start doing just that.

    In the hands of an educated user, running deprivileged helps because it makes sure something doesn't automatically launch that you aren't aware of. However in the hands of a clueless user, who is the real problem here, that doesn't cut it. You need something like a virus/spyware scanner that maintains a list of "bad" things and disallows those. Even then, some of them will override it because it'll block the installation of something they want.

  22. Safer link to Systrace by Futurepower(R) · · Score: 2, Informative

    Safer link to Systrace

  23. Eye-Candy by Anonymous Coward · · Score: 3, Insightful

    That's why: there is too much eye-candy!

    I gave up a long time ago on NAV because it had a heavy interface -- fancy background, fade in/out, and all the other stuff that doesn't really contribute to its operation, especially for an application whose GUI you don't really pop or see very often.

    Simple buttons and windows are enough, coupled with a good proper operation within a restricted account -- i.e. good communication with the service that runs in the background.

    That is why I like the free AVG option.

    1. Re:Eye-Candy by sco08y · · Score: 2, Funny

      That's why: there is too much eye-candy!

      That reminds me of when I wanted to bring my iBook into a library to use their network connection.

      The woman said, "you have to have AV software installed to use our network connection."

      So I fired up Xcode, put together a dialog with a big SCAN button and a progress bar that slowly filled up.

      It still said "MyApplication" in the menu bar...

  24. I Tell My Clients the Following by Master+of+Transhuman · · Score: 4, Informative

    For home users, I tell them the following:

    1) You're not a company that gets thousands of virus-laden emails a day. You don't need to pay for Norton or McAfee. A 98-99% detection rate is perfectly adequate for a home user.

    2) Install AVG or Avast AV. They're free, they update automatically, they're light on resources and they work.

    3) Install Spybot Search and Destroy, SpywareBlaster, Ad-Aware and Windows Defender.

    4) Install a software firewall like Kerio or just use Windows XP's firewall. If you install Kerio, use V2.1.5 because it's non-intrusive. The later versions are too picky and get in your face.

    5) Stop using IE and use Firefox.

    6) Lately, since trojans are on the upswing, I say install A-Squared anti-trojan which is free with manual updates.

    7) Don't click on popups. Don't even click on the "No" button - click the window close button.

    8) Don't install anything offered you by a Web site unless the site is a general freeware or shareware site that explicitly states it checks for spyware and adware.

    9) Keep up with Windows updates and updates for the malware detector software.

    10) Run a scan once a week or if you see any popups at all.

    I've used these rules on Windows 98, 2000 and XP for four years with virtually NO spyware getting through - and that's with porn site visits and whatever else the Web can throw at me.

    The single most important rule is number 5 - use Firefox. With no ActiveX, the stuff can't get in unless you have an OS vulnerability or you deliberately install it in response to a prompt you don't understand.

    Finally, if they really want to be secure, switch to Mac or Linux.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  25. MOD PARENT DOWN. Bad Link. by Futurepower(R) · · Score: 3, Informative

    MOD PARENT DOWN. Bad Link.

    Official Clam Anti-Virus for Windows link: ClamWin. ClamWin is free and excellent, but slower at scanning than commercial products, in my experience.

  26. Linux is not a silver bullet. by MarkByers · · Score: 4, Informative

    Linux isn't a silver bullet. A virus can still install itself in user space, and from there it can:

      * Delete files
      * Read confidential files from that one user (a typical computer might only have 1 or 2 users)
      * Send out spam
      * Install a keylogger
      * Read the user's contact list and forward itself to all users on that list.
      * Install itself to start up with user privileges when the computer boots (by modifying the user's configuration files)
      * Pretty much anything...

    However having separate users does limit the damage, and it makes it a lot easier to clean up since no executable files are affected, root should be safe, and the system should still be stable and consistent once the virus is removed. (This is not true if the virus has gained root privileges, and really you should assume that it has, if you really want to be safe).

    Much of the security of Linux comes from:

      * The peer review process.
      * The speed that the most serious holes are patched and the ease of applying these patches on most distributions.
      * Vulnerable services are not usually open to attack after a default install.
      * 'Biodiversity' - an attack against a specific application will not affect all users.
      * New install media with latest bug fixes issued regularly and easy to obtain.
      * Large amounts of software are available from the distribution repository, so you don't need to download and run installers from third-party web pages.
      * Smaller market share gives attackers less incentive to attack.

    I'm not saying that ALL software for Linux is secure, and that ALL distributions respond promptly to security vulnerabilities, but it is possible to be reasonably secure if you choose the right vendor and don't be stupid by installing random screensavers from dodgy websites.

    --
    I'll probably be modded down for this...
    1. Re:Linux is not a silver bullet. by Kremmy · · Score: 2, Informative

      I'd go one step further and say that you really meant:
      * Install itself to start up with user privileges when the user logs in after a reboot (by modifying the user's configuration files)
      Also, cron jobs would make it so the user doesn't have to log in.

    2. Re:Linux is not a silver bullet. by zcat_NZ · · Score: 2, Interesting

      Until recently I think Linux has been cruising along on obscurity to some extent. A virus is only a program like any other, and trying to claim that Linux is magically able to discriminate between 'good' programs and 'bad' programs is completely silly.

      The real strength is the 'package' model of modern distributions. When you want to install a program under Linux, the proper way is via synaptic or apt-get or whatever package tool your distribution uses.

      Downloading a binary installer from some random website is NOT the way to install Linux software and I really wish companies like nVidia (for the nvidia drivers) and Google (Google earth for linux) would stop even packaging them!

      On the other side, imagine if Google were to expand their 'google pack' installer to include the many thousands of OSS and freely redistributable programs available. It would become possible to use Windows like a package-based distribution, installing all new software only from signed and tested google packages. That would be very much like having apt-for-windows. I think this would help make Windows a lot more secure.

      --
      455fe10422ca29c4933f95052b792ab2
    3. Re:Linux is not a silver bullet. by Lord+Ender · · Score: 3, Insightful

      Most end-user Linux installs have one user who admins the machine with sudo. Anyone with any skill who writes a Linux virus would simply make his code wait for the user to sudo, then install the rootkit.

      The one reason viruses aren't a problem in linux: fewer gullible users.
      The one reason worms aren't a problem in linux: the small number of diverse builds.

      User separation has very little to do with it.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  27. Harder than it sounds by Beryllium+Sphere(tm) · · Score: 2, Interesting

    >a well-documented format that doesn't contain execution capability

    The program that reads that well-documented format might have a vulnerability which the theoretically non-executable file could exploit. That's happened in real life, with JPEG and PNG.

    Worse, the line between executables and data isn't as sharp as we usually think it is. After all, an executable is nothing but data for the CPU's decoder. We *hope* that $WORDPROCESSOR doesn't do anything except display documents in response to the instructions in a document file, but there's one well known word processor whose behavior is as unpredictable as a cat's.

  28. Don't Run As Admin! by RexRhino · · Score: 2, Insightful

    One of the easiest ways to protect yourself on Windows is to not run as Admin. Only log into admin when you want to install new software, or when you want to update Windows, etc. In my opinion this is way more effective than any AV software (although I would recommend AV anyway). I would say that 50% (at least) of the nasty things that happen to Windows machines are caused by the fact that people tend to run as Admin by default.

    People would never dream of running as root all the time on their Linux machine, yet those same people often run as an admin in Windows XP.

    1. Re:Don't Run As Admin! by smash · · Score: 2, Interesting
      The difference is that Linux is usable by a power user without logging in as root, via use of SUDO (or SU) to do what you need to do when you need to do it.

      Windows is getting better in that respect (run-as), but it's still not exactly functional in my experience.

      Half the games out there need to run as administrator - and if you're going to suggest I go through and figure out how to set them up not to, then that defeats the purpose of using windows because it's "easy to use"...

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  29. In a related story. . . by kimvette · · Score: 2, Insightful

    Scientists discover that polio vaccines don't work against other diseases. Details at 11.

    Seriously, this isn't news. This was obvious from the time when any signature updates were ever required, or when viruses, scumware, etc. included code to disable/corrupt/uninstall/otherwise cripple antivirus and antispyware software. They're merely admitting it now.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  30. The AV app would tell him by cyberformer · · Score: 5, Interesting

    Most AV apps pop up a warning whenever they detect a virus. They like to remind you that they're doing their job.

    More than once, Symantec AV has told me that it's detected and neutralized a Web page with the WMF vulnerability. I guess that's interesting to know, even though my system was fully patched so I wouldn't have been vulnerable anyway. It's also told me that my PC was being probed by hacking scripts, though (again) I was already protected through patches and not having the necessary ports open.

    The real question is, how do any of us know that we're not already infected by a super-devious rootkit that no AV apps recognize?

    1. Re:The AV app would tell him by cswiger2005 · · Score: 3, Informative
      The real question is, how do any of us know that we're not already infected by a super-devious rootkit that no AV apps recognize?

      This is an excellent question. Mostly, you notice a well-hidden rootkit by using tcpdump on some other machine to sniff all of the traffic from the suspect machine [1], and then concentrate on stuff that's not local to your subnet.

      If you don't have a user on the machine running a chat program, seeing traffic to or from the IRC port, 6667, tends to be a very common sign that the machine is giving or receiving orders as part of a botnet. Forcing the machine to do all web access via a proxy and then checking the proxy logs after a day or two also tends to be revealing.

      [1]: This should be done where both machines are connected on the same hub, or perhaps using the "monitor" or "span" port that newer intelligent switches have for diagnostic testing.

      --
      "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
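
The triage the reply describes (sniff from a second machine, ignore what stays on the subnet, look for IRC on 6667 from a host with no chat user) can be scripted over the capture. This is an added example, not code from the thread: it parses a few constructed tcpdump-style lines (RFC 5737 documentation addresses, an assumed local subnet of 192.168.1.0/24) and reports off-subnet flows, remote IRC peers and a per-destination tally.

```python
"""Added example: first-pass triage of tcpdump output for the signs described
in the reply above.  The capture text is constructed for illustration."""
import ipaddress
import re
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet
IRC_PORT = 6667

# Matches the "IP src.sport > dst.dport:" part of a tcpdump line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")

# Constructed capture: one DNS lookup on the subnet, an IRC session to an
# outside host, one web connection, and some local SMB chatter.
CAPTURE = """\
12:00:01.000001 IP 192.168.1.20.51234 > 192.168.1.1.53: 1234+ A? example.com. (29)
12:00:01.200000 IP 192.168.1.20.51235 > 198.51.100.7.6667: Flags [S], seq 1, win 65535, length 0
12:00:01.300000 IP 198.51.100.7.6667 > 192.168.1.20.51235: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000000 IP 192.168.1.20.51236 > 203.0.113.9.80: Flags [S], seq 3, win 65535, length 0
12:00:03.000000 IP 192.168.1.20.51235 > 198.51.100.7.6667: Flags [P.], seq 2:60, ack 2, win 65535, length 58
12:00:04.000000 IP 192.168.1.30.445 > 192.168.1.20.49200: Flags [P.], seq 1:100, ack 1, win 65535, length 99
"""


def parse_capture(text):
    """Return (src, sport, dst, dport) tuples; non-IP lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flows.append((ipaddress.ip_address(m["src"]), int(m["sport"]),
                      ipaddress.ip_address(m["dst"]), int(m["dport"])))
    return flows


def off_subnet(flows, local_net=LOCAL_NET):
    """Packets with at least one endpoint outside the local subnet; the
    purely local traffic is what the reply says to ignore."""
    return [f for f in flows if not (f[0] in local_net and f[2] in local_net)]


def irc_suspects(flows, local_net=LOCAL_NET, irc_port=IRC_PORT):
    """Map each local host talking to a remote IRC port to its remote peers,
    in either direction of the conversation."""
    suspects = {}
    for src, sport, dst, dport in flows:
        if src in local_net and dst not in local_net and dport == irc_port:
            suspects.setdefault(str(src), set()).add(str(dst))
        elif dst in local_net and src not in local_net and sport == irc_port:
            suspects.setdefault(str(dst), set()).add(str(src))
    return suspects


def remote_destinations(flows, local_net=LOCAL_NET):
    """Packet count per (remote host, port) sent from the local side: the
    list a defender reads through after a day of capture."""
    tally = Counter()
    for src, sport, dst, dport in flows:
        if src in local_net and dst not in local_net:
            tally[(str(dst), dport)] += 1
    return tally


def triage(text=CAPTURE):
    flows = parse_capture(text)
    return {
        "flows": len(flows),
        "off_subnet": len(off_subnet(flows)),
        "irc": irc_suspects(flows),
        "remote": remote_destinations(flows),
    }


if __name__ == "__main__":
    report = triage()
    print(f"{report['flows']} packets, {report['off_subnet']} leave the subnet")
    for host, peers in report["irc"].items():
        print(f"IRC from {host} to {sorted(peers)} (chat user on this box?)")
    for (host, port), n in report["remote"].most_common():
        print(f"{n:3d} packets -> {host}:{port}")
```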
  31. Munir is a mole. by lantastik · · Score: 3, Interesting

    He always has been and always will be. His articles are practically marketing material for Kaspersky labs. First of all, write an article stating the obvious and then back it up with some arbitrary figures without displaying any real results.

    For your reference (I made sure to use the Google cache so you can see the highlighting):
    Hmmmm...what sole vendor was interviewed for this article?
    I wonder who the focus of this article is...
    My goodness! Another article from Munir which focuses on Kaspersky. Who would have guessed?
    Which company did Munir get a virus analyst from to comment on this article?

    Now that is some quality, unbiased reporting for you. Don't believe Munir's BS, it's a load of crap.

  32. Re:Mac AV Software by smash · · Score: 2, Insightful

    Definitions for Windows viruses, so your mac can say "virus detected!!" and give you the warm fuzzies that symantec (or whoever) are protecting you from a (currently) non-existent threat, so you continue to put up the cash...

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  33. In my experience, any paid software is worse... by ThePengwin · · Score: 3, Interesting

    I've seen my fair share of viruses, and also my fair share of antivirus programs, but I've never seen an off-the-shelf product work as well. I use AVG Free, and as far as I know I have had next to no trouble with viruses. It is small in terms of memory and downloads but it seems to work a lot better than anything else I've tried.

    But I think there may be more to it. I think if you know your fair share about computers you know what to stay away from. I know that any site on the internet offering warez and serials is a sure thing to stay away from. Also if you just don't look up porn you have a very good chance of not getting a virus. :P

  34. Why current anti-virus will fail by buss_error · · Score: 2, Insightful
    Speaking only for a Windows world....

    As currently written, all anti-virus software will fail. The simple reason is that anti-virus depends on a signature or a synthesis of actions to identify what is "bad" and what is "good". Last time I looked, using a moral imperative in programming wasn't a system call. Like spam, viruses are not a technical problem, it is a human problem.

    The chief problem is that anti-virus is a defensive posture. Sooner or later, any defense will fail, if only because it becomes outmoded and/or outflanked. Defend only the walls, you leave yourself open for an air attack. You see the quandary here: It is impossible to know all the various ways to mount an attack and defend against all of them.

    You can do what many companies have started to do: Prohibit executables in AD policy that are not specifically allowed. This protects (mostly, somewhat) corporate America, but doesn't protect the home user that doesn't have an Active Directory server, and likely wouldn't put up with that kind of restriction anyway.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  35. virtualization + detection by roman_mir · · Score: 4, Interesting

    every application that runs on your computer should have its own address space and it should not be allowed to cross into other applications' address spaces, however this is not the case in MS Windows OS.

    I guess we may want to rethink what a computer actually is.

    I guess it should be possible to write (or use existing) virtualization software and run each application in its own virtual computer, give each application its own 'harddrive' without access to the rest of the disk, and most importantly make sure that the application cannot cross its VM's boundaries. Obviously each application that is not the OS itself should run as a user and not as an administrator, but in a VM it shouldn't even matter that much.

    To share data between applications that really need sharing, it should be possible to open 'network' connections.

    In case Intel or some other chip manufacturer comes up with multi-core processors (real multi-core, something like 10-1000 cores per CPU,) each application could also run in its own real processor space. A CPU could be rated something like: 100 simultaneous processes, and actually really run 100 simultaneous processes without time-slicing. Wouldn't that be a day? To accommodate memory per process, there could also be another independent administrator process running, that would detect real time memory requests and manage memory accordingly (it could prepare memory ahead of time to avoid bottlenecking.)

    It also should be possible to run an image of the OS per process (but this should be optional, depending on the tasks at hand.) Of-course a CPU like that would also be great for parallelizing threads in processes (if there are resources.)

    In a computer like that, with each program only being able to affect its own computer space (CPU, RAM, disk space, network,) it should be possible to detect unwanted behaviour that could be caused by a virus. Attempts at 'networking' to the administration process, attempts at gaining unauthorized disk space, attempts at 'networking' with any other processes in the computer can be intercepted. In case a virus (or a poorly written piece of software) behaves suspiciously or deadlocks or crashes or whatever, the rest of the machine should be protected and unaffected. The misbehaving process can be killed by the administration process and restarted or scanned and repaired etc.

    I don't think the future of the home computers is in bigger gigahertz numbers, it is at parallelizing, virtualizing, making the software more stable and less dangerous for everyone.

  36. Security through Obscurity by Mantrid42 · · Score: 3, Insightful

    So does this mean that I'm better off using an AV that isn't widely used? Is this one case where security through obscurity is actually valid?

  37. obscurity by akhomerun · · Score: 2, Insightful

    security by obscurity is still one of the best ways to keep yourself secure. whether it be macintoshes, or just leaving your house's spare key in a really good hiding spot, obscurity is one of the oldest security features around.

    obviously, what you need is an obscure anti virus app that's also really protective (as in put your spare key in a safe and hide it).

    of course the problem with that is that if an antivirus product works well, it doesn't stay obscure for long.

    man i'm really stating the obvious here. i'm done now.

  38. How AV *can* work by OhioJoe · · Score: 2, Insightful

    ..or how Microsoft can beat them to it.

    Can someone explain to me (I am not a programmer) if Microsoft has it in their easy to reach power to allow users to do the following, if they choose:

    1a. Blacklist any executable the user desires from running, no exceptions.

    1b. And make this very easy by simply right-clicking on a process and selecting "Don't allow to relaunch".

    2. And break down all the SVHOST.EXE programs into their individual component processes so when a virus adds itself under the svhost.exe, that virus is seen as a separate process.

    2a. Stop writing the Windows program to name several processes the same damned name (i.e. SVHOSTS.EXE)

    Joe

    --
    "Artificial Intelligence usually beats real stupidity."
  39. Re:What is Anti Virus? by chawly · · Score: 2, Informative

    Having a firewall probably helps. Being very lucky also.

    --
    How many beans make five, anyhow ? ... Charles Walmsley