AV Software Isn't Dead, But It's Not Healthy
dasButcher writes "Is a conventional signature-based antivirus technology dead? Trend Micro CEO Eva Chen says no, but more is needed. Her answer: reputational analysis. Not a bad idea, but many have tried and failed to make this type of approach work. We've seen it all before: RBLs, integrity grading, etc. What will make this different? If we're not careful, Trend Micro might give us all a bad Web reputation."
...it's just pining for the fjords.
I sure am not a big security expert, so forgive my n00bish words here.
I don't remember where, but at some point I read somebody, probably a sysadmin, saying that if you really want security, what you need to do is disable all the things you do not need: not allow everything by default and then pick the things you do not want, but go the other way around, make the default to not allow anything, and then enable the things you need.
I guess this is one of the reasons I like Gentoo so much: I know everything that is installed on the system, and I can remove it if I don't like it.
I don't like to install all kinds of things that I do not know what they are or whether I can trust them. The more things I have installed, the more vulnerabilities I also have.
One of my friends once ran a version of Windows XP from which he had pretty much scraped everything that didn't need to be there. I think he was a lot more secure than he would have been had he filled his computer with all kinds of AV and anti-malware programs; some of them seem to cause more problems than they solve anyhow.
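The "default deny, then enable what you need" rule above can be applied mechanically to network listeners. The following is an added example (not code from the thread or from any of the posters): it parses the output of `ss -H -tlnp` and flags every listening socket that is not on an explicit allowlist. The `ss` output, the allowlist entries and the process names are all constructed for the example.

```python
"""Default-deny audit of listening services.

Added example; the `ss -H -tlnp` sample below is constructed, not captured
from a real host.  Policy: a listener is acceptable only if its (process,
port) pair is on the allowlist, optionally restricted to loopback binds.
Everything else is a candidate for removal.
"""
import re

# Constructed sample shaped like `ss -H -tlnp` output (assumption about the
# exact column layout; verify against your own ss version before relying on it).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=905,fd=7))
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=600,fd=4))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1200,fd=19))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1300,fd=6))
"""

# Allowlist entries: (process name, port, loopback_only).  Hypothetical policy.
ALLOWED = {
    ("sshd", 22, False),
    ("nginx", 80, False),
    ("mysqld", 3306, True),   # database may listen, but only on loopback
}

LOOPBACK_ADDRS = ("127.0.0.1", "[::1]")

# Captures local address, local port and the first process name in users:(...)
_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(ss_output):
    """Return [(process, port, address, is_loopback), ...] from ss output."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue          # non-matching lines (headers, UDP, etc.) are skipped
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        listeners.append((proc, port, addr, addr in LOOPBACK_ADDRS))
    return listeners


def audit(ss_output, allowed=ALLOWED):
    """Default deny: every listener must be explicitly allowed."""
    findings = []
    for proc, port, addr, loopback in parse_listeners(ss_output):
        if (proc, port, False) in allowed:
            continue                      # allowed on any interface
        if (proc, port, True) in allowed:
            if loopback:
                continue                  # allowed, and correctly bound to loopback
            findings.append(f"{proc}:{port} on {addr}: allowed only on loopback")
            continue
        findings.append(f"{proc}:{port} on {addr}: not on allowlist, disable or allowlist it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print(finding)
```

Run on a real box with `ss -H -tlnp | python3 audit.py` after changing the script to read stdin; the point is that the allowlist is the whole policy, so anything unexpected (here `cupsd` and `rpcbind`) shows up without anyone having to know in advance what to look for.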
We need a new word to deal with this technology:
Webutation: the reputation an entity has, stemming from its web presence.
Support NYCountryLawyer RIAA vs People
Maybe computers will never be as intelligent as humans.
For sure they won't ever become so stupid. [VR-1988]
#1. There is no security without physical security.
... rather long. Follow along for a moment.
#2. Run only what you absolutely need.
#3. Run it with the minimum rights possible.
The reason that Trend Micro's "new" approach will fail is:
a. Vulnerability is found and exploit is written.
b. Exploit needs to be distributed.
c. Exploit is distributed via a quick spam flood - they have no protection against this.
d. Exploit is posted on a web site - how do the bad people drive traffic to that site?
e. They use a compromised site. They hide the exploit in a directory that robots.txt says not to scan. Either Trend Micro violated robots.txt or it cannot find the exploit.
f. So Trend Micro will have to violate robots.txt, and that behaviour should be noticeable. So the bad guys would hide that file from anything that looks like a web crawler that doesn't respect robots.txt.
And we're back at the beginning.
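Steps d. through f. above describe a cloaking loop: a polite reputation crawler never retrieves a path under a `Disallow:` entry, and a crawler that ignores robots.txt can be recognised and fed a clean page. The script below is an added example (not from the thread or from Trend Micro) that simulates the three clients against one constructed site using Python's `urllib.robotparser`. The robots.txt, the paths, the user-agent strings and the "bad" page body are all constructed placeholders; the bad page is an inert stand-in, not an exploit.

```python
"""Simulation of the crawler-vs-cloaked-site argument from the post above.

Added example.  Three clients request the same path on a constructed site:
  - a reputation crawler that honours robots.txt,
  - the same crawler configured to ignore robots.txt,
  - an ordinary victim's browser.
The site hides its payload under a Disallow'd directory and additionally
cloaks: anything that looks like a crawler gets the benign page.
"""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for the simulated site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
"""

# Constructed page bodies.  BAD is a harmless placeholder marking the
# response a victim would get; it does nothing.
BENIGN = "<html><body>nothing to see</body></html>"
BAD = "<html><body><!-- constructed stand-in for a malicious page --></body></html>"

# Hypothetical heuristic the simulated site uses to spot crawlers by UA.
CRAWLER_UA_MARKERS = ("bot", "crawler", "spider", "scanner")


def load_robots(text):
    """Parse robots.txt text into a RobotFileParser (no network access)."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def looks_like_crawler(user_agent):
    return any(marker in user_agent.lower() for marker in CRAWLER_UA_MARKERS)


def site_response(path, user_agent):
    """Server side of the simulated compromised site: cloaked delivery."""
    if path.startswith("/private/") and not looks_like_crawler(user_agent):
        return BAD
    return BENIGN


def fetch(path, user_agent, robots, honours_robots):
    """Client side.  A polite crawler checks robots.txt before fetching;
    a path it may not fetch is never retrieved and so never scanned."""
    if honours_robots and not robots.can_fetch(user_agent, path):
        return None
    return site_response(path, user_agent)


def run_scenario(path="/private/update.html"):
    robots = load_robots(ROBOTS_TXT)
    return {
        "polite_crawler": fetch(path, "ReputationBot/1.0", robots, True),
        "rude_crawler": fetch(path, "ReputationBot/1.0", robots, False),
        "browser": fetch(path, "Mozilla/5.0 (Windows NT 5.1)", robots, False),
    }


if __name__ == "__main__":
    for client, body in run_scenario().items():
        print(f"{client:15s} -> {body!r}")
```

The outcome is the one the post predicts: the polite crawler gets nothing, the rude crawler gets the benign page because its user agent gives it away, and only the browser sees the bad page. Defeating the cloak means crawling with browser-like user agents and behaviour, which is exactly the "noticeable" violation of robots.txt the post anticipates.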
Funnily enough, I just wrote about this:
http://slashdot.org/~Alioth/journal/167405 - includes a link to a major study of a piece of malware which went undetected by the AV companies for months.
Or just go to http://www.secureworks.com/research/threats/gozi/ if you don't want to read my crap.
I've personally witnessed two malware infections where the malware arrived up to a week before the AV companies had updated their definitions.
Oolite: Elite-like game. For Mac, Linux and Windows
At a certain point, networking requires trust in order to realise its potential benefits. Open source wouldn't work if everyone had to read every line of source code before running a program, so various organizations and projects develop trust and reputations. We know Debian, Fedora, Gentoo, etc. are OK and can proceed to use them with minimal trouble. A brand new Linux distribution must climb that hill, in addition to providing sufficient incentive for people to find out if it can be trusted. That's tough.
The anonymous nature of the web is what allows things like virus writers to succeed: if they couldn't hide, they wouldn't assume the responsibility for what they're doing (well, OK, a few nut cases would, but the same is true in real life). However, forcing unique identities on people opens up a host of other problems, some of them more serious than the ones we have today.
So we must operate in the twilight world of making networks which cannot be successfully attacked by bad actors. There are a wide variety of intermediate solutions, like today's anti-spam techniques, Wikipedia's system and even Slashdot's own moderation system. But none are perfect and none can be perfect; the problem is not solvable in general. Open source actually helps this in one major way: the community controls that operate in the real world to keep human social systems functional also operate (to some degree) in small-scale projects. There the individual traits of interested parties become known over time, and recognition and trust can be built up based on more than just a name or email address. It is not perfectly robust, but then no system to date has been.
Virus problems will continue as long as there are people wanting to write viruses, as they are simply an electronic version of spray painting walls, defacing monuments, or other useless and harmful activities that have persisted since the beginnings of civilization. We must rely on community, the most robust tools we can devise, and (finally) building our own web of trust based on things we have found to work. These issues are fundamental to the human condition and (like all social problems) cannot be resolved by technology. The fact that spam emails can be identified at all, for example, is really just an indication of the lack of skill of spam writers. Likewise, someone really wanting to distribute a virus can just make a freeware program that actually does something real and useful long enough to build a reputation, and then, when it is widely distributed, trashes every system it is installed on. There are always ways to attack a target, if enough effort is put into the planning. The trick is to be fault tolerant and recover quickly. In specific cases better security can be achieved (classified information, etc.), but for the general case it will always come down to dealing with the consequences of antisocial behavior as it happens.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
... otherwise there would be no syphilis in the world.
Seriously, there is a pretty direct analogy between (digital epidemiology, computer viruses) and (real epidemiology, real germs). If there were a simple answer to the digital problem, it's a good bet that some population or other would have adopted the analogous strategy to the real epidemiology problem.
STDs offer a good analogy for digital viruses with a Trojan-style (no snickers, please) strategy. In both cases sharing of {data|fluids} yields immediate benefit at some risk. In both cases, populations have adopted reputational strategies to avoid spreading/contracting viruses. In neither case do those strategies work.
Even with near-perfect "antivirus software" (the antibiotic penicillin), the old monsters of syphilis and gonorrhea still remain on the planet, and penicillin-resistant strains have even evolved. One problem is that reputations are hard to establish and not necessarily accurate; another is that most humans tend to discount future risks in favor of immediate benefits.
Interestingly, the reason that the traditional venereal diseases are treated with penicillin injections (and not an oral course) is that, statistically, patients are unlikely to finish the oral course -- a properly completed oral course of penicillin is as effective as the traditional three injections. There is perhaps a lesson to be learned there about how effective corporate data-hygiene strategies are likely to be.
"Ever since I told family and friends who needed computer support I won't fix windows and gave them the option of buying a mac or switching to Linux, I'm having much more fun on my days off."
Walking my family through command line installs of libraries and helping them chmod permissions so they can access the files they saved. I love the fact that all my dumbshit relatives are now running Linux; I mean, who needs time off on weekends anyway!!! Now when my mom wants to install a new printer, instead of just plugging it in, we get a 3-hour-long session fighting with generic Gimp drivers, and it still won't print 100% correctly. And my parents were really stoked that the thousands of dollars they had spent on Windows software was now mostly worthless! Yep, if there is one thing Grandma really loves digging into, it's compiling her own Linux kernel; she really just can't get enough of it! All in all, I'd say that an OS designed for geeks who really love tinkering with their systems is working out terrific for the average computer-illiterate masses...
"But this one goes to 11!"