Slashdot Mirror


Anti-Virus Effectiveness Down from Last Year

juct sends us Heise Security's summary of an article detailing the abilities of 17 current anti-virus solutions. German computer magazine c't has found that, compared to last year, the virus scanners are having a more difficult time recognizing malware. Quoting Heise: "For real protection, however, in view of the flood of new malware, the way these programs cope with new and completely unfamiliar attacks is more important. And that's where almost all of the products performed significantly worse than just a year ago. The typical recognition rates of their heuristics fell from approximately 40-50 per cent in the last test - at the beginning of 2007 - to a pitiful 20-30 per cent."

12 of 201 comments

  1. My expectations are not that high... by RuBLed · · Score: 4, Informative

    I always assume an antivirus is only as good as its current signatures. Heuristics are good but nowadays, I could literally count with my fingers the number of times it did the job. The best defense is still knowing what you are running with or without an antivirus. Most of the annoyances I see are done by the local script / virus kiddies; their work rarely makes it outside the country, so the signatures against those are not a priority. (Although what I hate is that most of these local scripts/virii are just copycats of popular ones, yet popular AVs rarely detect them...)

  2. Re:yeah, but.. by _merlin · · Score: 5, Informative

    Considering how few viruses run on Linux, it's not as big a deal for Linux users. However, Linux machines that deliver content to Windows users (mail servers, usenet servers, bulletin boards, etc.) are a useful application for Linux virus scanners that detect viruses for other platforms. And the big names do function in this role: Kaspersky and AVG both have products for doing just this. And there's the free ClamAV as well, of course. The Linux versions of the big name products are probably no more or less effective than the Windows versions.

  3. Re:Virus? by Barny · · Score: 3, Informative

    Yeah, now that world + dog uses a NAT router for their broadband and the lack of Kazaa, viruses and worms are a dying breed. We swapped them for intrusive spyware and identity theft-ware that is much harder to get rid of and, thanks to the wonders of social engineering, much harder to stop joe-sixpack from getting :/

    --
    ...
    /me sighs
  4. read Ranum on enumerating badness .. by rs232 · · Score: 3, Informative

    Why are we still talking about this in late 2007? What have the supreme innovators been doing the past decade? Ranum laid out the solution here:

    "if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved the following problems":

    * Spyware
    * Viruses
    * Remote Control Trojans
    * Exploits that involve executing pre-installed code that you don't use regularly

    --
    davecb5620@gmail.com
    1. Re:read Ranum on enumerating badness .. by QuantumG · · Score: 3, Informative

      Meh, people can, so you'll be leaving your big fat paw prints on it if you try. See, that's the cool bit. I can say "on line 2105 of blah.c in package foo version 4.321 I found that some fucker had tried to put in a backdoor.. can you guys check your revision control to see where this came from?" and there's this public audit trail. If I managed to find something in a binary that isn't in the source I can easily find out who made the package and where they got the binaries from. That's what security is.. it's people and accountability.

      --
      How we know is more important than what we know.
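An added illustration of the "enumerate goodness" idea from comment 4 (example code written for this page, not code from the thread or from Ranum): snapshot the hashes of every executable you actually want, then flag anything new or changed. The directory layout, file contents and the set of interpreter names are constructed assumptions; on a real box you would point `build_allowlist` at `/usr/bin` and friends and keep the manifest somewhere the user cannot write.

```python
"""Hash-based execution allowlist: record the "pieces of Goodness" and
flag anything else. Added example, not code from the thread or from
Ranum; the tree below is constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import stat
import tempfile
from pathlib import Path

# Interpreters on an allowlist quietly re-open the door: any script they
# are handed runs, allowlisted or not. Assumed set; extend as needed.
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    # Mode bits rather than os.access(): the answer should not depend on
    # whether the temp directory happens to sit on a noexec mount.
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return path.is_file() and bool(path.stat().st_mode & exec_bits)


def build_allowlist(root: Path) -> dict[str, str]:
    """Map each executable under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if is_executable(p)
    }


def audit(root: Path, allow: dict[str, str]) -> dict[str, list[str]]:
    """Diff the executables present now against the recorded allowlist."""
    current = build_allowlist(root)
    both = allow.keys() & current.keys()
    return {
        "unknown": sorted(set(current) - set(allow)),   # dropped since the snapshot
        "modified": sorted(k for k in both if allow[k] != current[k]),
        "missing": sorted(set(allow) - set(current)),
    }


def interpreter_caveat(allow: dict[str, str]) -> list[str]:
    """Allowlisted interpreters that will happily run non-allowlisted scripts."""
    return sorted(name for name in allow if Path(name).name in INTERPRETERS)


def write_exe(path: Path, body: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(body)
    path.chmod(0o755)


def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, then 'infect' it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_exe(root / "bin" / "ls", b"#!/bin/sh\necho ls\n")
        write_exe(root / "bin" / "python3", b"#!/bin/sh\necho python\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")  # data, not exec
        allow = build_allowlist(root)

        # Two things a dropper typically does: add a binary, trojan an existing one.
        write_exe(root / "bin" / "screensaver", b"#!/bin/sh\necho shiny\n")
        write_exe(root / "bin" / "ls", b"#!/bin/sh\necho ls-but-trojaned\n")

        return {"report": audit(root, allow),
                "interpreter_caveat": interpreter_caveat(allow)}


if __name__ == "__main__":
    print(demo())
```

The report names the dropped `bin/screensaver` as unknown and the trojaned `bin/ls` as modified; the caveat list is the part Ranum's 30-item list glosses over: if `python3` is one of the 30, every script it reads is effectively allowlisted too, which is why real allowlisting products also constrain what interpreters may open.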
  5. Re:where are all the Linux server exploits .. by keesh · · Score: 2, Informative

    Normal users on a Unix system have more than enough privileges to send out a million emails a day.

  6. Re:where are all the Linux server exploits .. by FireFury03 · · Score: 4, Informative

    If that were true, where are all the Linux server exploits being actively used in the wild?

    Linux server exploits _are_ being actively used in the wild. If you don't keep your server patched up then you stand a pretty good chance of being rootkitted. However, Linux distros tend to be pretty hot on security updates, meaning that a fully up to date system has very few known security holes. I suspect there are also more "idiot" server admins in charge of Windows servers than Linux servers (that is not to say that Windows admins are idiots, I just suspect there is a higher proportion of clued up admins in the Linux world).

    However, the server world is very different from the desktop world - in the server world you can be relatively trustful that the admin won't go and install some random shiny new screensaver, etc. whereas on the desktop most people are not (and do not have access to) qualified admins.

    A Linux desktop logged in as standard user is safe from the numpties and is still usable. The dangers of screensavers wouldn't even apply here; even if a user managed to run some malware script it would most probably be confined to the users home dir, the core system would remain immune.

    There are a couple of important points here though:

    1. Your average home user does _not_ have a dedicated sysadmin. When they want to install a package they (generally) need to become root to do it - that means that the numpties are equally capable of installing screensavers^Wmalware under Linux as they are under Windows. The thing the privilege separation gets you is that you can't _accidentally_ install something as root (e.g. via an exploit in your browser / mail client / whatever).

    2. Even without root, a user still usually has plenty of permissions to do some evil things. They can't do some particularly bad things like SYN floods but they can still send out millions of emails and compromise other hosts.

    3. Is the protection of the "core system" actually that important when you have a single user machine and so all the important data is owned by that user? The only thing this really gets you is the knowledge that your system binaries are probably safe (so you can trust that ps, netstat, etc are giving you accurate results rather than hiding the malware that is running).

    There may be some merit in mounting all the filesystems the normal user can write to as "noexec" so that malware can't just install itself and run as the normal user. But this may place too much of a limit on usability and most distros certainly don't do this by default today.
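A worked version of the noexec suggestion just above (added example, not code from the thread): read a mount table in `/proc/mounts` format, report which user-writable mount points lack `noexec` (and the companion `nosuid`/`nodev`), and produce the hardened fstab line. The mount table and the list of user-writable paths are constructed assumptions; on a live system pass `Path('/proc/mounts').read_text()` instead.

```python
"""Audit user-writable mount points for noexec/nosuid/nodev and emit
the hardened fstab line. Added example, not from the thread; the mount
table is constructed in /proc/mounts format and /etc/fstab is not touched.
"""
from __future__ import annotations

# Constructed sample: /var/tmp has no mount of its own, so it sits on /
# and inherits the root filesystem's (unhardened) options.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Places an unprivileged user can write; assumed list for a typical desktop.
USER_WRITABLE = ("/home", "/tmp", "/var/tmp", "/dev/shm")
WANTED = ("noexec", "nosuid", "nodev")


def parse_mounts(text: str) -> dict[str, dict]:
    """Fields: device mountpoint fstype options dump pass.
    Later lines win, matching how a mount over an existing point shadows it."""
    mounts: dict[str, dict] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mnt, fstype, opts = parts[:4]
        mounts[mnt] = {"dev": dev, "fstype": fstype, "opts": set(opts.split(","))}
    return mounts


def mount_for(path: str, mounts: dict[str, dict]) -> str:
    """Longest mount point that is a prefix of path (what the kernel resolves to)."""
    best = "/"
    for mnt in mounts:
        if mnt == "/":
            continue
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if len(mnt) > len(best):
                best = mnt
    return best


def missing_hardening(mounts: dict[str, dict]) -> dict[str, list[str]]:
    """user-writable path -> options its mount lacks (empty dict: all hardened)."""
    result: dict[str, list[str]] = {}
    for path in USER_WRITABLE:
        mnt = mount_for(path, mounts)
        if mnt not in mounts:
            continue
        lacking = [o for o in WANTED if o not in mounts[mnt]["opts"]]
        if lacking:
            result[path] = lacking
    return result


def hardened_fstab_line(device: str, mountpoint: str, fstype: str,
                        opts: str = "defaults") -> str:
    """Weak fstab options in, hardened line out: appends whichever of WANTED are missing."""
    options = opts.split(",")
    options += [o for o in WANTED if o not in options]
    return f"{device}\t{mountpoint}\t{fstype}\t{','.join(options)}\t0\t2"


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for path, lacking in missing_hardening(table).items():
        print(f"{path}: missing {','.join(lacking)}")
    print(hardened_fstab_line("/dev/sda2", "/home", "ext4"))
```

On the sample table `/home` and `/var/tmp` lack all three options and `/tmp` lacks only `noexec`. The caveat the comment hints at still applies: `noexec` stops `./dropper` but not `sh dropper.sh` or `python3 dropper.py`, because there the interpreter, not the kernel, opens the file; and it breaks the user's own `~/bin`, which is the usability cost that keeps distros from shipping it by default.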

  7. Re:Useless by ledow · · Score: 3, Informative

    The trouble with antivirus is that the doorman is actually sitting upstairs with a note on the front door that says "Report to the doorman upstairs, please." By the time AV spots a virus it's usually already far too late and the first thing that any virus does is to turn off AV, usually in such a way that the user doesn't notice (the equivalent of swapping your doorman for a clone).

    AV is good only as a system check. It is no good as a frontline defence. It can't spot viruses until they are either already in memory or sitting on your disk. Some of the time it will spot them before they get executed but most of the time not. When I used to use Windows at home (I only use it on school networks now, I work as a tech in schools) the one way to "tell" that you had something dodgy going on was when Zonealarm went ape. Even the integrated Zonealarm Security Suite, AVG etc. didn't detect the stuff that I was testing. But when something starts asking for Internet access out-of-turn, you know something's wrong. And when your AV is less use than a freeware firewall that bothered to ask you, you know it's a waste of time.

    AV-scanning-proxies : excellent idea
    AV scans of networks: good idea
    AV scans of home machines: pointless and doesn't tell you what you can't find out in ten seconds of using the machine as an IT professional.
    AV "real-time scanners": Well, yes, if you must, have CPU to spare and ignorant users using the machine. Otherwise, they're pointless.

  8. Re:The kind of targets by gzipped_tar · · Score: 3, Informative

    Surely the weakest part is between the chair and the keyboard.

    A search on Secunia tells a story of an old Linux virus (or rather, a piece of malware). The virus comes from a phishing mail in C source code. Unless the luser has root privilege and is nuts, nothing could happen at all.

    Consider that one day M$ is dead and every luser in every corner of the world runs a Linux desktop. Then the luser happily runs su and make install, without even a single glance at the source code.

    --
    Colorless green Cthulhu waits dreaming furiously.
  9. yes it can by Anonymous Coward · · Score: 2, Informative

    man cron; man at

  10. Re:AV's??? by Opportunist · · Score: 3, Informative

    He's right. He's just right.

    True story:

    A customer calls. Quite irate person, yelling and screaming at our poor techie, telling him in no uncertain terms that he finally uninstalled our piece of junk and installed $competitor_software, because our piece of electron crap kept popping up and nagging him with some "virus found" junk and cutting into his productivity while $competitor_software doesn't.

    So. Now question for 500: What the heck do you tell him?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Viruses are a 'stupid user' issue by SCHecklerX · · Score: 3, Informative

    You can't hope to really fix bad behavior with technology. This is why instead of giving dad a false sense of security with cpu/disk thrashing AV software, I took the time to show him the nastiness that can go on, especially with email attachments, and downloading and running software he doesn't know anything about. I also set him up with firefox with the adblock plus extension. On his own (even though I didn't feel it was necessary), he manually runs adware detecting software to make sure nothing has been slipping by. Three years, and he has yet to be infected with anything (manual AV scan with latest signatures when I was there the other day confirms).

    Tools and their uses:
    - Firewalls: block stuff you shouldn't be listening for anyway, also help to mitigate against attacks against stuff you do listen for.
    - Service Lockdown (difficult on windoze, see "Firewalls" above): You can't exploit something that's not there
    - Proper configuration of what you do need listening: default stuff on that linksys router, for example
    - Patches: Deal with worms (not viruses)
    - AV software: tries to correct user stupidity. Not exactly a winning battle, as can be seen by the existence of this article.
    - IDS: Never for an end user. How are they to know how to tune it, and what the messages mean, etc?

    My experience has been that AV software gets in the way, causes system instability, and provides a false sense of security. None of this provides a significant benefit for a user who already practices good hygiene on their computer.