Slashdot Mirror
Why Popular Anti-Virus Apps 'Don't Work'
Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow up to another article detailing the sad state of anti-virus software currently on the market.
AV software, and even most firewall software, which goes beyond port control simply prevents the user using the whole of the internet, but rarely stops the internet using them. This is just one reason why.
Still an interesting point it raises, and a good example to give to none believers if you ever have to give the "Nothing is perfectly secure" speach to a client.
Because you can - or because you should?
Nothing to see here, move along please.
Faster! Faster! Faster would be better!
1. Firefox with popup blocker
2. Firewall software
3. Sit behind router
4. Use AV software
5. Don't click on anything that pops up without read it!
http://religiousfreaks.com/Uttering logically derived and empirically supported truths to the disciples of the orthodox establishment.
Additionally, I don't open e-mails that promise a glimpse into Paris Hilton's private area.
Hm. You can call that area on Paris Hilton a lot of things, but "private" isn't one them.
The article suggests not that it's doing anything better, but that since it has only 0.8% of the market the malware authors don't bother to work around it.
The whole concept of recognizing known viruses was fundamentally flawed. It had a good run, but that was because virus writers were mostly trying to get attention, not steal. Now that viruses are an ongoing criminal enterprise, the old dumb tactics won't work.
We're going to have to give up on recognition and put more effort into partitioning. We need setups where each web page renders in its own jail, and it doesn't matter if the browser is insecure - when the page closes, a program exits and any corrupted info goes away.
Of course, this will break Active-X, toolbars, downloads, etc. Then again, on business systems, you want those things broken.
Once the browser is locked down like that, you need a "guard" program. When you want to move a file out of a browser's jail, it has to go through a program that "sanitizes" it. Often, a translation to a well-documented format that doesn't contain execution capability will do the job. Converting incoming .doc files to Open Document XML format, for example.
It's quite possible to completely solve this problem.
Require all users to run as a limited user as per Principle of Least Privilege. This is the key. I once had a computer lab for inner city youth with no AV software at all, just limited user accounts and a simple router. Once we could afford Symantec AV Corporate (I work for a non profit) and ran the scans, no viruses. If anyplace was bound to get one, that would have been it.
Say it with me people Default Deny, Say it louder now so that Microsoft can here it. Operating systems need to by default deny the right to execute. This whole let anything run unless it looks like a virus crap is not working. Oh and Microsoft that doesn't mean make a pop up so that someone can click "Yeah run it already." Every program shipped with the OS gets to run, every program you add to the list gets to run, maybe every program on a white list maintained by a person or company you trust gets to run, and thats it. Now before you all freak out and starting talking about linux and how you can already do this let you remind you that, everyone switch to linux, is not a valid solutions because its not going to happen anytime soon. Sure it works on a case by case basis but I still need to go in to work and be able to keep 30 or 40 computers safe and clean that are going to run on windows because thats what our software will run on. So Microsoft do you let anyone into every room in every building you own unless security sees them on a list or do you determine who can go where and then keep everyone one else out? Why is it that we are forced to use security that anyone can see hasn't worked in the past and has no hope of work in the future?
I routinely get files [or browse for files] on random homebrew sites where "smart" people try and sneak a virus in there.
AV isn't supposed to make your computer stupid-proof. If you download and run every single application you can find no AV in the world will help.
If you happen to stumble on a 4 week old virus that either got bot-mailed to you or stored in a public archive they're a godsend. Specially since most AVs scan archives so before you even open it you're good.
Tom
Someday, I'll have a real sig.
Think about it for a moment. What is the intent of anti-virus software ("anti" + "virus")? Isn't it to stop apps that you don't want running on your computer? Apps that were written by the "bad guys"?
So, the reason that anti-virus software sucks is because the "bad guys" are writing BETTER "viruses" that can bypass the anti-virus programmers' software.
And the reason for that is that anti-virus software is REACTIVE.
A proactive system would patch the holes that are being exploited.
A reactive system issues patches to remove all the specific threats encountered so far.
That approach will ALWAYS result in the "good guys" being behind the "bad guys". Like DUH!!!
What does an antivirus? It scans files and memory for known patterns in order to erase some bits. If 10 different viruses exploit the same flaw in 10 different ways, an antivirus requires 10 signatures to recognize them all (heuristics *are* signatures). Why don't antivirus vendors focus on providing workarounds for the actual Windows security flaws instead?
{{.sig}}
Aren't most of the viruses and worms that are out there just variants of other viruses? It seems like most of the time that I hear about a "new" terrible virus, it's really a slightly modified version of one that's been around for awhile, and usually if you're up to date on your antivirus and security patches the new virus won't do anything anyway. And let's not forget that there are still plenty of old viruses on non-secured machines that an antivirus application will protect you from.
I can see their point where people developing a new virus are concerned, but as the lifecycle of a virus is often longer than the time it takes to update the signatures, I think that they are overstating their case by saying that the AV apps "don't work."
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
...by testing their code on the most popular anti-virus software before release.
It's a sad state of affairs that worms, trojans and viruses are probably more tested before release than the anti-virus software.
Once malicious code enters the "perimeter", so to speak, AV software is a rather weak stopgap measure. Software design flaws that result in holes can seldom be fixed by adding more surface area, it only becomes a matter of time before the attacker figures out the next step. The AV software companies know that most of their customers have no idea how computer security works. Antivirus provides some shallow peace of mind for Joe Average. It is not a very serious security measure and it should not be relied on as thus.
I'm sure other posters will provide the real answers to security, like limited user access, a good firewall, not running intrusted code, and using a web browser that isn't garbage.
I went for 3 years using just these precautions, but used no antivirus whatsoever. I never become infected by a single thing. I only recently grabbed ClamWin, a port of ClamAV, for my Windoze box because I wanted to scan a program I got via P2P.
Both these articles read like they were written by an idiot. They do not make the distinction between the detection of known viruses, and the detection of unknown viruses via heuristics. And if you start calling heuristics a signature, you are going to confuse the heck out of everyone. Don't mix terminology.
Honestly, I do not know anyone who believes that an AV program is going to protect them from unknown viruses! The whole point of AV software is to give you protection from viruses as they are discovered. I mean everyone knows that if they do not update their virus signatures on a constant basis (several times a day on my mail servers), they may as well not be running virus protection at all. OK. Maybe some people are dunces about this, but honestly, even my 81 year old grandmother knows that she has to keep her AV current, or she's unprotected.
I mean, for crying out loud, what are these signure updates for? For catching known viruses. Mega duh!
Mir tut es leid, Menschen daß Einfältigfehlersuchenbaumfolgendenaffen sind.
Symantec software is even worse than you said, in my experience.
You didn't mention the bugginess.
That's why: there is too much eye-candy!
I gave up a long time ago on NAV because it had a heavy interface -- fancy background, fade in/out, and all the other stuff that don't really contribute to its operation, especially for an application whose GUI you don't really pop or see very often.
Simple buttons and windows are enough, coupled with a good proper operation within a restricted account -- i.e. good communication with the service that runs in the background.
That is why I like the free AVG option.
For home users, I tell them the following:
1) You're not a company that gets thousands of virus-laden emails a day. You don't need to pay for Norton or McAfee. A 98-99% detection rate is perfectly adequate for a home user.
2) Install AVG or Avast AV. They're free, they update automatically, they're light on resources and they work.
3) Install Spybot Search and Destroy, SpywareBlaster, Ad-Aware and Windows Defender.
4) Install a software firewall like Kerio or just use Windows XP's firewall. If you install Kerio, use V2.1.5 because it's non-intrusive. The later versions are too picky and get in your face.
5) Stop using IE and use Firefox.
6) Lately, since trojans are on the upswing, I say install A-Squared anti-trojan which is free with manual updates.
7) Don't click on popups. Don't even click on the "No" button - click the window close button.
8) Don't install anything offered you by a Web site unless the site is a general freeware or shareware site that explicitly states it checks for spyware and adware.
9) Keep up with Windows updates and updates for the malware detector software.
10) Run a scan once a week or if you see any popups at all.
I've used these rules on Windows 98, 2000 and XP for four years with virtually NO spyware getting through - and that's with porn site visits and whatever else the Web can throw at me.
The single most important rule is number 5 - use Firefox. With no ActiveX, the stuff can't get in unless you have an OS vulnerability or you deliberate install it in response to a prompt you don't understand.
Finally, if they really want to be secure, switch to Mac or Linux.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
MOD PARENT DOWN. Bad Link.
Official Clam Anti-Virus for Windows link: ClamWin. ClamWin is free and excellent, but slower at scanning than commercial products, in my experience.
Linux isn't a silver bullet. A virus can still install itself in user space, and from there it can:
* Delete files
* Read confidential files from that one user (a typical computer might only have 1 or 2 users)
* Send out spam
* Install a keylogger
* Read the users contact list and forward itself to all users on that list.
* Install itself to start up with user priveleges when the computer boots (by modifying the users configuration files)
* Pretty much anything...
However having separate users does limit the damage and it makes it a lot easier to clean up since no executable files are affected, root should be safe, and the system should still be stable and consistent once the virus is removed. (This is not true if the virus has gained root priveleges, and really you should assume that it has, if you really want to be safe).
Much of the security of Linux comes from:
* The peer review process.
* The speed that the most serious holes are patched and the ease of applying these patches on most distribution.
* Vulnerable services are not usually open to attack after a default install.
* 'Biodiversity' - an attack against a specific application will not affect all users.
* New install media with latest bug fixes issued regularly and easy to obtain.
* Large amounts of software is available from the distribution repository so you don't need to download and run installers from third-party web pages.
* Smaller market share gives attackers less incentive to attack.
I'm not saying that ALL software for Linux is secure, and that ALL distributions respond promptly to security vulnerabilities, but it is possible to be reasonably secure if you choose the right vendor and don't be stupid by installing random screensavers from dodgy websites.
I'll probably be modded down for this...
Most AV apps pop up a warning whenever they detect a virus. They like to remind you that they're doing their job.
More than once, Symantec AV has told me that it's detected and neytralized a Web page with the WMF vulnerability. I guess that's interesting to know, even though my system was fully patched so I wouldn't have been vulnerable anyway. It's also told me that my PC was being probed by hacking scripts, though (again) I was already protected through patches and not having the necessary ports open.
The real question is, how do any of us know that we're not already infected by a super-devious rootkit that no AV apps recognize?
He always has been and always will be. His articles are practically marketing material for Kaspersky labs. First of all, write an article stating the obvious and then back it up with some arbitrary figures without displaying any real results.
For your reference (I made sure to use the Google cache so you can see the highlighting):
Hmmmm...what sole vendor was interviewed for this article?
I wonder who the focus of this article is...
My goodness! Another article from Munir which focuses on Kaspersky. Who would have guessed?
Which company did Munir get a virus analyst from to comment on this article?
Now that is some quality, unbiased reporting for you. Don't believe Munir's BS, it's a load of crap.
Ive seen my fair share of viruses, and also my fair share of antivirus programs, but ive never seen a off the shelf product work as well. i use AVGfree, and as far as i know i have had next to no trouble with viruses. It is small in terms of memory and downloads but it seems to work a lot better than anything else ive tried.
:P
But i think there may be more to it. I think if you know your fair share about computers you know what to stay away from. I know that any site on the internet offering wares and serials is a sure thing to stay away from. Also if you just dont look up porn you have a very good chance of not getting a virus.
every application that runs on your computer should have its own address space and it should not be allowed to cross into other applications' address spaces, however this is not the case in MS Windows OS.
I gues we may want to rethink what a computer actually is.
I guess it should be possible to write (or use existing) virtualization software and run each application in its own virtual computer, give each application its own 'harddrive' without access to the rest of the disk, and most importantly make sure that the application cannot cross its VMs boundaries. Obviously each application that is not the OS itself should have run as a user and not as an administrator, but in a VM it shouldn't even matter that much.
To share data between applications that really need sharing, it should be possible to open 'network' connections.
In case when Intel or some other chip manufacturer will come up with multi-core processors (real multi-core, something like 10-1000 cores per CPU,) each application could also run in its own real processor space. A CPU could be rated something like: 100 simultaneous processes, and actually really run 100 simultaneous processes without time-slicing. Wouldn't that be a day? To accomodate memory per process, there could also be another independent administrator process runing, that would detect real time memory requests and manage memory accordingly (it could prepare memory ahead of time to avoid bottlenecking.)
It also should be possible to run an image of the OS per process (but this should be optional, depending on the tasks at hand.) Of-course a CPU like that would also be great for parallelizing threads in processes (if there are resources.)
In a computer like that, with each program only being able to affect its own computer space (CPU, RAM, disk space, network,) it should be possible to detect unwanted behaviour that could be caused by a virus. Attempts at 'networking' to the administration process, attempts at gaining unauthorized disk space, attempts at 'networking' with any other processes in the computer can be intercepted. In case when a virus (or a poorly written piece of software) behaves suspiciously or deadlocks or crashes or whatever, the rest of the machine should be protected and unaffected. The misbehaving process can be killed by the administration process and restarted or scanned and repared etc.
I don't think the future of the home computers is in bigger gigahertz numbers, it is at parallelizing, virtualizing, making the software more stable and less dangerous for everyone.
You can't handle the truth.
So does this mean that I'm better off using an AV that isn't widely used? Is this one case where security through obscurity is actually valid?