Slashdot Mirror
Testing Free English Anti-Malware On Non-English Threats
An anonymous reader writes "Brazilian technology news site O Globo posted an interesting comparison on how free anti-malware behaves against non-English threats (Google translation of Portuguese original). By using a database of over 3000 samples from Brazil's Security Incident Contact Center, the numbers are quite different from all US anti-malware reviews. While Avira achieved the best score, 78%, Microsoft Security Essentials stopped less than 14%. This can be a headache for some large multinational corporations, whose IT departments deploy US anti-malware on the entire network, but have network segments outside US with many 'unknown' threats roaming around. I wonder what the results would be in other countries."
So it can be as simple as getting your malware translated into another language?
paid solutions?
It isn't really news that AV products rely fairly heavily on canned signatures and that heuristic detection of evil lags behind evil by a fair margin.
What does surprise me, though, about these results, is that they suggest a fairly high level of geographic discrimination in the customization and targeting of malware. My (naive) expectation would have been that, aside from trivial stuff like trying to get the language of your spam/phishing/social engineering emails correct, the market for good exploits, well-crafted viruses, and so forth would be a fairly global one. Also, given that some malware attempts to propagate itself, rather than being delivered by a bugged website or other external mechanism, I would expect a fair amount of "splash" from malware spreading to any vulnerable hosts it can find, not bothering with any sort of geolocation, or from expats who live in country A, but still visit websites from home country B.
I would have expected a much more homogeneous(from the perspective of the mechanics of the exploit mechanism, evasion techniques, and payload) worldwide population of malware.
A free program that uninstalls your OS is a virus, not a security program.
You are hilarious though, don't let anyone tell you otherwise.
This only proves what people have been saying since day 1: fighting malware via blacklisting is a losing battle.
Eventually some company will come up with a business plan which is the opposite: if you are interested to run an application, you can pay them to do a security review on it. If the company worked on a "we do the review once $X dollars have been raised" basis, popular applications would be reviewed for small change per user, and niche applications would be expensive to have reviewed.
Unfortunately, that's also a losing battle because of the noncomputablity of the stopping problem, but it's less so --- developers who want their application to be reviewed quickly would supply source code to the reviewing company and the developers would have an interest to have the code be as "clean"-looking as possible, raising the bar for slipping in "underhanded" side effects (and hopefully making malware with complex behavior difficult to pass muster).
Acne soaked, snort-laughing virgins from 2002 called -- they want their joke back.
fixed that for you
Actually no it isn't, but nice try.
A virus needs some sort of self-replicating mechanism - if it simply disabled the host OS then it would basically kill itself. I'd categorize it as malware if it didn't announce that it was going to trash my OS, but it's no more than that.
In my experience it's pretty easy to spot malware when English menu options and stuff start appearing on a non-English Windows installation, such as "Open" or "Open folder to view files" for thumbdrives while the rest of the options show up in the local language, sometimes malware can even bork the system because of it (like in the olden days of Windows 9x when installing IE in a different language caused all sorts of havoc in the OS)
Even with such a blatant language mismatch most users simply won't notice anything wrong with their systems until it bites them really hard.
There's a bigger security threat, the one sitting in front of the computer.
O Globo is one of the biggest newspapers on the country. But it is not a technology news site as the summary implies. Although yes, this was posted on the tech area of the site, it is hardly the focus of the newspaper.
Regarding the testing itself. This is just a report on a test made by an external firm (www. clavis.com.br) which was commissioned by the site. The test focused on the quality of free antivirus only. With implications that the issue lies in the fact that they are free, not that all antivirus are plagued by these issues (I will let you decide on what was the exactly aim of the article). Besides that, the test is devoid of crucial information. The database they used is a great one, the CAIS is maintained by our best scientific network, RNP (site in English: http://www.rnp.br/en/), so I trust the info there. But nowhere does it say that the threats are in Portuguese.
They used a list of 3.269 threats among virus, trojan horses, spywares, keyloggers, and etc. We don't know how many of each. Before the article they praise pay security suites, because they are a suite and not an antivirus only. There is no data on these threats, nor how many of each type, how old each one was, nor how they have threats which are not on the known list of each antivirus. Much less the language of the code.
Let me repeat it: NOTHING on the test implies that antivirus have a problem with non-English threats. It only said that those antivirus had that percentage of correct matches on either Heuristics or non-threads. But we don't know the exactly content of the database or the code used to test it. Much less the quality of the test.
Again: Language was not a part of the test!!!
--- "When you gotta do something wrong. You gotta do it right. (Fighter)"
Right, because a multinational is going to be using a basic security product with no management features like Microsoft Security Essentials.
I believe Secunia is calling this one antifoidulous.pebkac.2011A.
Actually the installer for OS/2 (warp iirc) would do a virus scan before installing and would come up with the messge
"windows found, remove: (y/y)?"
so someone at IBM shares your sense of humor... or maybe it was you?
Andy Warhol got it right / Everybody gets the limelight
Andy Warhol got it wrong / Fifteen minutes is too long.
Devil's advocate here:
I beg to differ, especially with Windows 7. Windows has its issues, but its security features are on par with everyone else.
The problem oftentimes is with the third party developers which don't allow the OS to enforce DEP, much less ASLR. Heck, Microsoft was accused of acting like a tyrant because they decided to force programs to have a separate user/admin priv model, just like every other mainstream OS out there.
Of course, Windows has problems, but saying it is fundamentally insecure isn't accurate.
I can't read the article: blocked by company policy.
But I would like to know whether they tested with Comodo in the "auto sandbox" setting. Since the virus would run sandboxed, it should not matter what the language was.
I am thinking of switching from MSSE to Comodo, and if they tested it and it failed then Comodo would not be an option for me.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
It seems that at least in my assessment that Microsoft will have to come with some way of changing their operating system completely and then adding an application support layer to the new one for the old applications the way OSX did. This would be a very large undertaking and an extremely difficult one. The application support layer would have to be sand-boxed and would still represent a security challenge. I feel like computing is going to a more distributed utility type service model in the near future which would be enabled by faster more secure fiber-optic communications. I suspect that apple has this in mind with its new datacenter(s). If this is the case Windows may become quickly overtaken as Apple leverages open technologies, those already in OSX and ones already being developed for it. I think that OSX is headed for an iMakeover. Hint: the termination and or possible re-purposing for internal use of of the xServe line. And the interesting coincidence that the price of OSX server is the same as a machine installed with it (the Mac Mini Server) which is fast enough but not front end heavy leaving windows to to poorly copy it yet again. Maybe some day Apple will just acquire Microsoft and deal with the mess for them. They will probably be able to afford it at some point but I doubt is something that a company like Apple would take on. ;-) I want to be PERFECTLY clear that I am ONLY speculating here but this future seems inevitable if not highly plausible. Label me as a "troll" if you want.
What if it saves all your data to the cloud (best encryption), uninstalls your broken OS, installs a better OS, ports all your settings and themes over (as close as possible, given proprietary format angst) and then presents you with a better deal overall?
What sort of definition would one give to that sort of virus, Vir.Benev.BashScript? ;-)
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
Security "features" of a typical desktop OS is not what makes it secure -- it's what annoys the user while pretending to make the computer less vulnerable. UAC and antivirus are "security features", and so are Window Firewall, ACLs, etc.
What makes OS secure is secure design and lack of vulnerabilities, Windows has none of that and never will.
Contrary to the popular belief, there indeed is no God.
.... are a HUGE number of threats....
Posted AC due to incredibly old and lame joke.
Nevertheless, why should Soviet Russia be the only one to get it's own meme?
Heck, Microsoft was accused of acting like a tyrant because they decided to force programs to have a separate user/admin priv model, just like every other mainstream OS out there.>
They started that back in about '95. By Vista, they'd given up asking nicely. It was as bad as the MS-DOS tricks that continued until XP came out.
Spamming /. with fashion accessories. Mod parent funny and then visit the link.
Silence
Do you speak English?
Silence
(This time with Hand gestures and really loud) Do YOOOOOO SPEEEAAAAAAAKKKKK Englissshhhh?
Thanks to the Internet, there is no reason that malware written in one place cannot easily spread across the world...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Delve deeper under the hood...
Networking protocols that can be authenticated using password hash instead of having to crack the password...
Weak encryption for user passwords...
Network services running by default that are difficult to turn off (so most people firewall them - a kludge at best)...
Unnecessarily complex (ie poorly designed) network services, microsoft-ds on port 445 provides access not only to file/printer sharing but all manner of features such as accessing the registry remotely, manipulating services etc. If you want to open up one piece of functionality, you are left opening up huge amounts of functionality you do not necessarily want exposed.
Layers upon layers of backwards compatibility cruft, many functions have multiple versions which are selected at compile time depending on which sdk version you use, lots of cruft is present for compatibility with win9x which had no concept of security whatsoever.
No centralised update system, you can only update ms stuff centrally, third party apps are left out in the cold.
Even tho there is a centralised update system for ms apps, it is broken - find a largeish network running wsus, verify that wsus thinks every machine is up to date, now go and manually check the file versions installed on those machines against the versions contained within patches (the ms security advisory page contains such lists), or use an automated tool like nessus to do this for you... You will find that on any moderately sized network, wsus fails to update a handful of machines despite claiming that it has.
Software installed by default that is difficult/impossible to remove, even if you don't need such software or choose to replace it with an alternative.
Client side security in many areas which is trivially bypassed, eg command prompt restrictions or certificate export restrictions, access to view certain dirs is restricted in the gui but can be bypassed in the command prompt etc. (the worst part here is not that these trivial things can be bypassed, its that they give people a false sense of security).
Depends on file extensions, and yet hides them by default.
Needs lots of third party software, eg av software, software to restrict access to usb devices, software to restrict execution of arbitrary binaries etc etc... Then also needs third party software to update the third party software!
anti-malware, about as much use as selling rocks ...
The O Globo article doesn't mention language issues but only free AV quality.
Moreover, in Brazil we have much Banker malwares, that are malwares specialized in faking home banking web pages and stole user passwords.
Not exactly the same thing, but I've been getting a lot of spam in Greek for some reason -- and I have no idea how to filter it out (I could just capture any message with a common Greek word, but it's... gibberish to me). It's clearly spam, and probably all from the same sender, because the formatting is always similar, though of course the links vary.
Agreed. There are "features" which constitute little more than security theater, like the annoying firewalls of times past.
However, there are true security features that operating systems must have.
UAC can be debated. In reality, UAC is a good thing, although how MS got a patent on a "graphical sudo" is beyond me.
There are features that are needed, and not theater though. A couple:
1: Filesystem encryption, either file by file like AIX's EFS, Window's EFS, EncFS/FUSE, raw image level like TrueCrypt, LUKS, encrypted disk images on OS X [1], or even hardware level encryption like on IronKeys, IBM disk arrays like the DS5100s and up, or encrypted drive controllers. This is the court of last resort if a blackhat gets physical access to a machine and decides to pull media, be it tapes from a silo, or drives out of a RAID enclosure.
2: ASLR, DEP, and other memory protection. By making sure that data is not executable with a NX bit, this protects the OS against a lot of buffer overflow attacks. Combine this with a malicious program not knowing where the stack is using ASLR, and this slams the door on a whole type of attacks.
3: Limited application context. This is called different on different operating systems, but essentially it means an application does not have the full privs of the user it is running under. This can be done via policies (SELinux, AppArmor), jail(), or Microsoft's low priv functionality (how IE7 and IE8 are run under). It can even be done by a third party program like SandboxIE [2]. This is a definite security feature because it limits the damage malware can do if it gets the ability to execute in the context of a browser add-on or a browser (which is one of the most common infection vectors these days.)
4: Ability to deny access after "x" amount of bad password guesses. This is important to prevent brute forcing of either local access (via a hardware device that guesses passwords), or from remote.
5: Ability to check for unauthorized modifications to the operating system. AIDE/Samhain/TripWire are good tools for that, but I'm sure there are always ways to get around those. The only real way to detect modifications even with rootkits present is to boot the OS from other media, check the hashes of the programs on the system against a known good list, and discard false positives.
6: The ability to have audit logs sent to another machine. Having this ability may mean the difference between an investigation of a breach being unable to commence versus being able to backtrack to the next link in the chain.
So, I agree -- there are security theater "features", but general use operating systems have to have true security features to deal with today's attack vectors as well.
[1]: IronKeys in my experience are the only game in town when it comes to on-board hardware encryption for USB flash drives. They are expensive, but worth it, assuming the machine its used on is not compromised.
[2]: SandboxIE may not be perfect, but it definitely goes a long way for helping priv isolation. It also is easier to use than keeping your web browser in a separate VM.
No centralised update system, you can only update ms stuff centrally, third party apps are left out in the cold.
no, in an enterprise setting you can setup your own WSUS server and you can push msi centrally. And you can create your own msi to update application like firefox.
Most of your arguments are outdated; you are resorting to FUD just like ms did between 1998-2008
Jehovah be praised, Oracle was not selected
please mod me down I suffer from ADD today, I did not read the part about nessus and WSUS....
Jehovah be praised, Oracle was not selected
With implications that the issue lies in the fact that they are free, not that all antivirus are plagued by these issues (I will let you decide on what was the exactly aim of the article).
Yup.
It's strongly tuned to make reader buy commercial antivirus.
For a start, it only mentions popular commercial antiviruses which happen to have a free version. /. entry and mentionned elsewhere in this discussion), has better chance to get covered.
It does not mention the freesoftware ClamAV, for example, which could have been a nice addition. Specially because ClamAV accepts lots of community input in its database. So malware more frequent in some less marketed countries (like suggested by the
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
UAC can be debated. In reality, UAC is a good thing, although how MS got a patent on a "graphical sudo" is beyond me.
It may be a "good thing" for Microsoft, considering what a disaster it was before and what a slightly lesser disaster it is with that. In reality, when security is concerned, "if you have to ask, the answer is no". Please note that Linux desktops mostly moved from sudo to PolicyKit, and use password prompts not to verify if potentially security-breaking operation is started by an authorized user but to check if the user really wants to perform an administrative operation, so he won't just press OK. I expect that cached permissions in sudo will be completely disabled after that transition will be complete.
1: Filesystem encryption,
This is only justified for non-removable media when user has to deal with attacker having access to hardware AND attacker is interested in reading or altering data instead of destroying it, AND computer is always off when attacker can access it. Never in my life I was in a situation when I could benefit from this, or seen someone who can. With removable media it is somewhat justified because it's shipped and carried in all kinds of potentially hostile environments.
[1]: IronKeys in my experience are the only game in town when it comes to on-board hardware encryption for USB flash drives. They are expensive, but worth it, assuming the machine its used on is not compromised.
There is no way in Hell I will trust unknown implementation of unknown encryption algorithm on a media type known to move data around its physical addresses.
2: ASLR, DEP, and other memory protection.
Useful, but only marginally because almost everything that was exploitable is still exploitable with a more convoluted exploit.
3: Limited application context.
This is a part of design. Windows has such a hard time using it (cutting IE away from the rest of the system that you mentioned being the only feasible, and extremely inconvenient for the user who has to download files, example).
4: Ability to deny access after "x" amount of bad password guesses. This is important to prevent brute forcing of either local access (via a hardware device that guesses passwords), or from remote.
Absolutely worthless for any purposes other than being an easy DoS target. "Locking out" of this kind needs an override to restore access after it happens, and access to such override is protected by... another password!
5: Ability to check for unauthorized modifications to the operating system.
This can not be possibly a part of the system because it has to be performed in a known-unmodified environment outside of the system. Otherwise it's no better than antivirus.
The only real way to detect modifications even with rootkits present is to boot the OS from other media, check the hashes of the programs on the system against a known good list, and discard false positives.
The only real way to detect modifications is to boot from a read-only media. There is no requirement for OS being the same as OS being booted -- in fact, it's better to keep checker the Hell away from the image that is normally booted, lest the user will be tempted to run it from there.
6: The ability to have audit logs sent to another machine. Having this ability may mean the difference between an investigation of a breach being unable to commence versus being able to backtrack to the next link in the chain.
The existence of such logging is a part of design -- to be in any way effective it has to be used by everything worth being monitored, OR it has to log every system call.
Contrary to the popular belief, there indeed is no God.
Yes, windows is fundamentally insecure.
WPAD, UPNP, and Shatter attacks. End of story. Microsoft happily releases patch after patch to hide the most apparent symptoms, but the disease continues merrily along.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant