Slashdot Mirror


Why Popular Anti-Virus Apps 'Don't Work'

Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow-up to another article detailing the sad state of anti-virus software currently on the market.

10 of 375 comments

  1. No S**t by Instine · Score: 5, Insightful

    AV software, and even most firewall software, which goes beyond port control, simply prevents the user from using the whole of the internet, but rarely stops the internet using them. This is just one reason why.

    Still an interesting point it raises, and a good example to give to non-believers if you ever have to give the "Nothing is perfectly secure" speech to a client.

    --
    Because you can - or because you should?
    1. Re:No S**t by nmb3000 · Score: 5, Informative

      Still an interesting point it raises, and a good example to give to non-believers if you ever have to give the "Nothing is perfectly secure" speech to a client.

      At least people are starting to realize this.

      As for myself, I used to use Symantec's antivirus software both at home and at work, but a year ago decided it just wasn't worth it. The program was the most obscene resource hog I've ever had the displeasure to use, and in the 7+ years of using the program it never once protected me from getting a virus. The same can be said for a lot of other AV offerings, and yet you still see some idiots suggesting you run 2-4 different AV applications just to "be sure you're safe".

      Once people realize that the single best and most effective method of protecting themselves is common sense, they will be a lot better off. If you don't download from untrusted sources, don't click banners, don't install just any (activeX|extensions), and keep your machine patched, you'll be fine (YMMV of course).

      The problem is that while people can buy Symantec's latest breakthrough in keeping your processor occupied, they cannot buy common sense.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    2. Re:No S**t by Schemat1c · Score: 5, Funny

      Maybe you would have gotten more viruses if you hadn't been using it. You'll never know since you had it running the whole time.

      That's the same logic that keeps me from throwing away my anti-vampire rock. Ever since I've had it I haven't seen a single vampire so that proves it must work.

      --
      "Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
  2. Re:I don't use Norton.. by Anonymous Coward · Score: 5, Funny

    Additionally, I don't open e-mails that promise a glimpse into Paris Hilton's private area.

    Hm. You can call that area on Paris Hilton a lot of things, but "private" isn't one of them.

  3. Signature-based recognition was doomed by Animats · Score: 5, Interesting

    The whole concept of recognizing known viruses was fundamentally flawed. It had a good run, but that was because virus writers were mostly trying to get attention, not steal. Now that viruses are an ongoing criminal enterprise, the old dumb tactics won't work.

    We're going to have to give up on recognition and put more effort into partitioning. We need setups where each web page renders in its own jail, and it doesn't matter if the browser is insecure - when the page closes, a program exits and any corrupted info goes away.

    Of course, this will break Active-X, toolbars, downloads, etc. Then again, on business systems, you want those things broken.

    Once the browser is locked down like that, you need a "guard" program. When you want to move a file out of a browser's jail, it has to go through a program that "sanitizes" it. Often, a translation to a well-documented format that doesn't contain execution capability will do the job. Converting incoming .doc files to Open Document XML format, for example.

    It's quite possible to completely solve this problem.
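
As an added illustration of the "guard" Animats describes (not code from the post or from any product), a small Python policy check that decides whether a file may leave a browser jail unchanged, must first be translated to a non-executable format, or is refused; the decision is made on the file's content, not on the name the web page gave it. The `guard_decision` function, the magic-byte tables and the sample files are all constructed here.

```python
import os

# Content that is never released from the jail, whatever the file name claims.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"\xca\xfe\xba\xbe")
# Documented formats with no execution capability: may pass unchanged when the
# content matches the extension.
PASSTHROUGH_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".odt": b"PK\x03\x04"}
ODT_MIMETYPE = b"mimetypeapplication/vnd.oasis.opendocument.text"
# Formats that may leave only after translation to a safe format
# (the .doc -> Open Document conversion Animats mentions). OLE2 magic bytes.
CONVERT_MAGIC = {".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"}


def guard_decision(filename: str, data: bytes) -> str:
    """Return "pass", "convert" or "reject" for a file leaving the jail."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(EXECUTABLE_MAGIC):
        return "reject"  # executable content, regardless of extension
    if ext == ".txt":
        try:
            data.decode("utf-8")
            return "pass"
        except UnicodeDecodeError:
            return "reject"
    if ext in PASSTHROUGH_MAGIC and data.startswith(PASSTHROUGH_MAGIC[ext]):
        # ODF is a zip whose first entry is an uncompressed mimetype marker.
        if ext == ".odt" and ODT_MIMETYPE not in data[:128]:
            return "reject"
        return "pass"
    if ext in CONVERT_MAGIC and data.startswith(CONVERT_MAGIC[ext]):
        return "convert"
    return "reject"  # unknown format or name/content mismatch


# Constructed sample files (magic bytes plus filler), not real downloads.
SAMPLES = {
    "notes.txt": b"Meeting notes, plain text.\n",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    "invoice.doc": b"MZ\x90\x00" + b"\x00" * 16,  # PE executable named as a document
    "memo.odt": b"PK\x03\x04" + b"\x00" * 26 + ODT_MIMETYPE,
    "setup.txt": b"#!/bin/sh\necho hello\n",  # script disguised as a text file
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} -> {guard_decision(name, blob)}")
```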

  4. And they are both wrong. by khasim · Score: 5, Insightful

    Think about it for a moment. What is the intent of anti-virus software ("anti" + "virus")? Isn't it to stop apps that you don't want running on your computer? Apps that were written by the "bad guys"?

    So, the reason that anti-virus software sucks is because the "bad guys" are writing BETTER "viruses" that can bypass the anti-virus programmers' software.

    And the reason for that is that anti-virus software is REACTIVE.

    A proactive system would patch the holes that are being exploited.

    A reactive system issues patches to remove all the specific threats encountered so far.

    That approach will ALWAYS result in the "good guys" being behind the "bad guys". Like DUH!!!

  5. But... by aardvarkjoe · Score: 5, Interesting

    Aren't most of the viruses and worms that are out there just variants of other viruses? It seems like most of the time that I hear about a "new" terrible virus, it's really a slightly modified version of one that's been around for a while, and usually if you're up to date on your antivirus and security patches the new virus won't do anything anyway. And let's not forget that there are still plenty of old viruses on non-secured machines that an antivirus application will protect you from.

    I can see their point where people developing a new virus are concerned, but as the lifecycle of a virus is often longer than the time it takes to update the signatures, I think that they are overstating their case by saying that the AV apps "don't work."

    --
    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  6. What do these guys think signatures are, anyway? by Teilo · Score: 5, Interesting

    Both these articles read like they were written by an idiot. They do not make the distinction between the detection of known viruses, and the detection of unknown viruses via heuristics. And if you start calling heuristics a signature, you are going to confuse the heck out of everyone. Don't mix terminology.

    Honestly, I do not know anyone who believes that an AV program is going to protect them from unknown viruses! The whole point of AV software is to give you protection from viruses as they are discovered. I mean everyone knows that if they do not update their virus signatures on a constant basis (several times a day on my mail servers), they may as well not be running virus protection at all. OK. Maybe some people are dunces about this, but honestly, even my 81-year-old grandmother knows that she has to keep her AV current, or she's unprotected.

    I mean, for crying out loud, what are these signature updates for? For catching known viruses. Mega duh!

    --
    I am sorry that humans are simple-minded bug-hunting tree-following apes.
  7. Re:Just follow a few basic steps... by Gnavpot · Score: 5, Informative

    1. Firefox with popup blocker

    2. Firewall software

    3. Sit behind router

    4. Use AV software

    5. Don't click on anything that pops up without reading it!

    You ignore the three most important:

    Remove administrative privileges from your everyday account.

    Keep your software and OS updated.

    Do not run software with a bad security record.
  8. The AV app would tell him by cyberformer · Score: 5, Interesting

    Most AV apps pop up a warning whenever they detect a virus. They like to remind you that they're doing their job.

    More than once, Symantec AV has told me that it's detected and neutralized a Web page with the WMF vulnerability. I guess that's interesting to know, even though my system was fully patched so I wouldn't have been vulnerable anyway. It's also told me that my PC was being probed by hacking scripts, though (again) I was already protected through patches and not having the necessary ports open.

    The real question is, how do any of us know that we're not already infected by a super-devious rootkit that no AV apps recognize?