Anti-Virus Effectiveness Down from Last Year

juct sends us Heise Security's summary of an article detailing the abilities of 17 current anti-virus solutions. German computer magazine c't has found that, compared to last year, the virus scanners are having a more difficult time recognizing malware. Quoting Heise: "For real protection, however, in view of the flood of new malware, the way these programs cope with new and completely unfamiliar attacks is more important. And that's where almost all of the products performed significantly worse than just a year ago. The typical recognition rates of their heuristics fell from approximately 40-50 per cent in the last test - at the beginning of 2007 - to a pitiful 20-30 per cent."

yeah, but..

[xubu_caapn]

do they run on Linux?

after the ffact

[wizardforce]

I think the real problem with malware is that by the time an antivirus/antispyware program is needed IT IS TOO LATE. you have already been infected, antivirus software is for after the fact, cleaning up the files that were installed or warning you of their presence in a file atatchment etc.. The real defense here is preventing this from happening in the first place. That is, educating users not to click haphazerdly at anything that they feel like and that is a heck of a challenge. most users do not understand what can happen and many likely do not really care, they just want their new screensaver or whatever to work [bundled with spyware of course] and when their bad habits finally catch up with them when their computer slows to a virtual crawl, they go out and buy a new one thinking computers decay over time or something.

Re:after the ffact

[Sloppy]

If people would start making an effort to use common sense in web surfing, would the need for an anti-virus disappear? Or is more practical to run an imperfect, bogged-down piece of security software (that really doesn't work too well, judging by my survey of people's computers) so that people can surf without thinking?

Both approaches are wrong. The best approach is for network client applications (web browsers, email readers, and maybe even removable media filesystem mounters) to make usage not dangerous. Clicking a link or viewing a page, should never(*) run external code; it shouldn't even ask the user "would you like to infect your system?" Just don't execute stuff that came from outside. And downloading a file (or mounting removable media) should never cause the newly acquired file(s) to have executable permission. Executing foreign code should always result from an active step, where the administrator goes out of his way to allow execution/infiltration.

This is the normal state of affairs on some operating systems, and it's the biggest (by far) reason that Malware is uncommon on Unix-like systems.

(*) The only exception to the above, should be with code that is run in very weak environments where dangerous capabilities are not available. This means stuff should run either very restrictive sandboxes (e.g. run binaries as a "nobody" who has very little I/O permission -- certainly not filesystem access beyond perhaps some ramdisk that is dedicated to that process), or arguably in contexts where the code doesn't have much expressive power to begin with (e.g. javascript in a web browser).

And even these exceptions are hard to get right, so they should be approached with extreme caution. For example, web browsers should probably disable Javascript by default, and only have controls to explicitly enable it, on a website-by-website basis. Current versions of Firefox get this wrong and that's a shame, because I know that years ago, I saw some Mozilla derivatives that got it right.

running multiple antiviruses

[improfane]

No one company has the resources to be aware of every virus. The standard advice is to run more than one.

In Windows, if you wanna run more than one, you can only have the real time protection of a single anti-virus enabled or you get conflicts.

Meaning you rely on the on-demand protection of every other anti-virus and have to manually run them regularly OR set up schedules. What kind of user will do that?

Consider Application and Device White-listing

Increasingly I'm recommending Application White-listing as a way to lift oneself out of the never-ending struggle against viruses and malware. Now there are several companies offering solutions to the problem (personal favorite is Trinamo). It wont suit every company or user since it requires an IT security function with some power and an understanding user community, but white-listing is more and more becoming an accepted method for dealing with some of ITs unsolved problems.

AG

Antivirus is just bandaid.

[miffo.swe]

The real problem is that its possible to just click on random stuff from mail, on the web and in IM clients and it gets installed. Because its such a big source of malware it shouldnt be done at all really. Many malware uses defects in browsers and OS and Antivirus is not a solution at all to those problems. Its not even bandaid then.

What i would like to see is Microsoft shipping a Windows version thats fairly secure out of the box. Then and only then Antivirus becomes something useful as a second added security layer. As it is now when it is the only security layer it doesnt work. Shipping Antivirus with Windows as Microsoft does is not a good solution but rather a recognition that they are not capable of delivering a fairly secure OS at all.

If users gets infected a lot by clicking the wrong things the sane thing would be to disable that function or atleast make it more safe. Like demand for example that a site that installs software is trusted by a third party.

where are all the Linux server exploits ..

[rs232]

"The reason that Linux is largely unaffected is that it is not very widely used .. If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away"

If that were true, where are all the Linux server exploits being actively being used it the wild. A Linux desktop logged in as standard user is safe from the numpties and is still usable. The dangers of screensavers wouldn't even apply here; even if a user managed to run some malware script it would most probably be confined to the users home dir, the core system would remain immune.

Re:yeah, but.. (Score:5, Interesting)

Re:where are all the Linux server exploits ..

[jimicus]

Oh, there's plenty of Linux server exploits. Most depend on specific applications (eg. bind, sendmail), misconfigurations or both.

The other thing you have to look out for is web applications - which of course tend to be exploitable regardless of what OS is running the website. These are notorious for providing holes. If you're lucky, all that happens is your website is replaced with a single page which says "pwn3d! l053rz!".

If you're unlucky, you get to announce to the world that you've lost the credit card details of 20,000 people.

(This, by the way, is not drastically different from the current state of security in Windows Server. A careless administrator is probably the biggest security hole known to IT).

Re:where are all the Linux server exploits ..

[Knuckles]

Well, they should have backups. I mean really, it's the same as the hd dying or something.

Re:where are all the Linux server exploits ..

[Dr_Barnowl]

I don't think so.. on my MythTV box, I always run as root ; but the only time I log into it is to do sysadmin, so that's reasonable. It doesn't have a desktop environment, just a single application (MythTV) that runs on a bare X server.

It got up my nose slightly when I installed Ubuntu on my desktop and I needed to supply a password to perform admin tasks, and type "sudo" before admin commands in a terminal, but on the whole, it achieves the desired effect ; it makes you actually consider what you are doing before doing it.

I *do* habitually run Windows as Admin, because if you are a developer it's a pain in the arse not to. But I don't pick up malware of any kind because I don't download software from untrusted sources, use IE, or open unknown email attachments. Once in a while I install anti-malware and run it. And scan it from the Linux instance on the same box as well.

Will Linux newbie users infect their systems with huge amounts of malware? Well, I don't think so.

  * As people noted, there isn't a huge amount of desktop malware around NOW because the Windows target is so much bigger.
  * The vast majority of software installed on desktop distributions of Linux is done using a package manager. Any package manager worth it's salt will be operating out of a reputable source, with checksum verification.
  * The vast majority of software that the average user uses has an equivalent in the official package repositories.

On the other hand, nothing is foolproof and there an awful lot of fools out there, like my sister in law who infected her machine with 427 nasties by believing things she saw in IE.

The kind of targets

[_merlin]

I disagree. I think the reason there are fewer pieces of malware floating around for Linux is because of the kind of roles Linux machines typically serve in. Most Linux machines are servers or enterprise workstations. In the case of a server, there will be a system administrator who is responsible for configuring the server, locking it down, and keeping it up. Chances are, they'll notice malware pretty quickly, and do something about it. Enterprise workstations aren't an attractive target, either: they're usually either a shared machine that's locked down hard, and under the eye of a sysadmin, or they're the pet of a tech-savvy user who wants his box in top condition so s/he can get stuff done.

Malware is all about money these days, whether it's herding bots so you can sell spamming services, or getting paid to DDoS someone's competitor, sniffing credit card numbers to buy stuff, or sniffing personal details for identity theft. Remember that your attack isn't 100% reliable, so you want as many potential targets as possible, and you want to attack weak targets so as to get the highest possible success rate. All so you can make as much money as possible, of course.

And what's the best target? Home Windows PCs, of course. No vigilant sysadmin monitoring the system; average Joe user doesn't grasp the concept of locking his box down, let alone have the m4d skillz to do it; Joe doesn't install patches regularly because he sees the downloads and restarts as nothing more than an annoyance; Joe doesn't really understand his computer, so he doesn't know how to look for the telltale signs of malware; Joe doesn't understand that he has to keep his virus scanner's definitions up to date, and turned off the annoying prompts; Joe doesn't understand a firewall, so he just clicks "Allow" to get rid of the warning message; the list goes on forever...

Now that MacOSX is becoming more popular, we're seeing a bit of malware for it, too. Example, that thing that claimed to be a video codec, but was really a DNS redirector. Now this one is a very good example of how malware authors target uninformed users: in the standard OSX installer program, there is an option to show the files that will be installed; if you or I (as /. geeks) looked at the files that this "codec" was installing, we would see that it couldn't be a real codec at all, and we could cancel the install; but an uninformed user won't know to look at file listings, and won't know what looks right, and what doesn't. It wasn't a failing of the OS: it was a valid installer package that prompted for authorisation to run; it was all about users who don't know how to administer a system.

Until Linux is popular in the hands of inexperienced, non-tech-savvy home users (as opposed to enterprise), it won't be an attractive target for malware authors, and we won't see its security put to the test. When it does become popular, I expect we will see Linux malware, and I expect it will be like OSX malware, in that it relies on failings of the user, rather than the system itself.

For the record, I use OSX and Solaris at home, and develop for whatever I'm paid to develop for at work (which was, until recently, Windows, Linux, Solaris and OSX - looks like it will be just Solaris soon).

Useless

[Jessta]

Antivirus has always been useless. It's not proper security.
Imagine having a door man that has a list of everyone you hate and everyone on that list is not allowed in your house. An enemy is prevented access but a stranger can still walk away with your TV. Wouldn't it be better to give the door man a list of all your friends instead.

Blacklisting is a really bad way to prevent unwanted activity. Whitelisting is much better.

Of course effectiveness is falling...

[A+Pressbutton]

And it will fall still further.
Time was a virus would either just pop up an annoying message or delete random data or reformat your PC. Effectively viruses and virus writers were hunters and once they had got the target they had no further interest.

Virus writers have now become 'civilised' farmers. They now get paid for their efforts.
The writers have a tame herd (of infected PCs). They will spend their time trying to make sure the AV software will not interfere (to them these things are the infection). They spend their time tending their herd and catching 'wild' examples - other peoples virii (?) so they cross-breed.

One consquence of this (if correct) is that viruses may well start to remove other infections, and generally tune up your PC. After all, if your PC is working just fine, why would you bother keeping the AV scanner up to date?

Re:There are just too many false positives

[Opportunist]

Sorry, but it's not easy for AVG to take care of that. There are billions of programs out there, many using calls and features the average malware will use, too. Self modification, installation of drivers, calling drivers in more than just a little strange ways, debugger and tracer detection routines and so on.

In short, copy protection mechanisms share a fair lot of features with malware. It is often not easy to discriminate between them.

Now, it's likely that AVG didn't have access to NWN2 to ensure their routine won't find it. If anything, I'd complain about a program behaving like a trojan, not about an AV tool finding something they didn't know about.

Re:The Real Reason

[Opportunist]

Windows is an insecure piece of crap. Ok. So far, so good. But the real reason why it is the main target for malware is simply that it is the most used system.

Malware has turned into a business. It's no longer the 16 year old pimple-face that wants to prove he has the longest virtual dick. It's biz. Malware is being written in almost normal looking "companies", cranking out quite professional software, complete with versions, updates, CVS systems and other things you'd expect in a "normal" software company. Because it simply IS a normal software company, with the goal to make money from their software.

Their main reason why they target Windows isn't its inherent insecurity. It's simply that this is the main system used in the world. It would be not a bit different if the 90% market share system would be Linux or MacOS.

Now, I can already hear "but it's harder to infect a Linux machine". Bullcrap! To infect a fully patched Windows system is about as hard, at least if the user isn't a complete tool. And with a user that has the computer ability of a slightly moldy slice of toast, it does not matter how secure the machine itself may be. It will probably take a bit more social engineering, but people are stupid enough to click on everything, allow everything and hand any kind of crapware their root password when you promise them some nude pics, some crack for a piece of software or some make-money-fast software.

The reason why it doesn't happen is simply that it doesn't pay to go to those lengths. A Linux system run by a user who can't tell a floppy disk from a USB stick is still such a tiny, insignificant minority that it's simply not worth developing for him.

Re:smitFraud

That's because you are providing a cure. Your boss wants you to provide a treatment.