Testing Free English Anti-Malware On Non-English Threats
An anonymous reader writes "Brazilian technology news site O Globo posted an interesting comparison on how free anti-malware behaves against non-English threats (Google translation of Portuguese original). By using a database of over 3000 samples from Brazil's Security Incident Contact Center, the numbers are quite different from all US anti-malware reviews. While Avira achieved the best score, 78%, Microsoft Security Essentials stopped less than 14%. This can be a headache for some large multinational corporations, whose IT departments deploy US anti-malware on the entire network, but have network segments outside US with many 'unknown' threats roaming around. I wonder what the results would be in other countries."
So it can be as simple as getting your malware translated into another language?
paid solutions?
It isn't really news that AV products rely fairly heavily on canned signatures and that heuristic detection of evil lags behind evil by a fair margin.
What does surprise me, though, about these results, is that they suggest a fairly high level of geographic discrimination in the customization and targeting of malware. My (naive) expectation would have been that, aside from trivial stuff like trying to get the language of your spam/phishing/social engineering emails correct, the market for good exploits, well-crafted viruses, and so forth would be a fairly global one. Also, given that some malware attempts to propagate itself, rather than being delivered by a bugged website or other external mechanism, I would expect a fair amount of "splash" from malware spreading to any vulnerable hosts it can find, not bothering with any sort of geolocation, or from expats who live in country A, but still visit websites from home country B.
I would have expected a much more homogeneous (from the perspective of the mechanics of the exploit mechanism, evasion techniques, and payload) worldwide population of malware.
A free program that uninstalls your OS is a virus, not a security program.
You are hilarious though, don't let anyone tell you otherwise.
This only proves what people have been saying since day 1: fighting malware via blacklisting is a losing battle.
Eventually some company will come up with a business plan which is the opposite: if you are interested in running an application, you can pay them to do a security review on it. If the company worked on a "we do the review once $X dollars have been raised" basis, popular applications would be reviewed for small change per user, and niche applications would be expensive to have reviewed.
Unfortunately, that's also a losing battle because of the noncomputability of the stopping problem, but it's less so --- developers who want their application to be reviewed quickly would supply source code to the reviewing company, and the developers would have an interest in having the code look as "clean" as possible, raising the bar for slipping in "underhanded" side effects (and hopefully making malware with complex behavior difficult to pass muster).
Actually no it isn't, but nice try.
A virus needs some sort of self-replicating mechanism - if it simply disabled the host OS then it would basically kill itself. I'd categorize it as malware if it didn't announce that it was going to trash my OS, but it's no more than that.
In my experience it's pretty easy to spot malware when English menu options and stuff start appearing on a non-English Windows installation, such as "Open" or "Open folder to view files" for thumbdrives while the rest of the options show up in the local language. Sometimes malware can even bork the system because of it (like in the olden days of Windows 9x, when installing IE in a different language caused all sorts of havoc in the OS).
Even with such a blatant language mismatch most users simply won't notice anything wrong with their systems until it bites them really hard.
O Globo is one of the biggest newspapers in the country. But it is not a technology news site as the summary implies. Although yes, this was posted in the tech area of the site, it is hardly the focus of the newspaper.
Regarding the testing itself: this is just a report on a test made by an external firm (www.clavis.com.br) which was commissioned by the site. The test focused on the quality of free antivirus only, with the implication that the issue lies in the fact that they are free, not that all antivirus are plagued by these issues (I will let you decide what exactly the aim of the article was). Besides that, the test is devoid of crucial information. The database they used is a great one; the CAIS is maintained by our best scientific network, RNP (site in English: http://www.rnp.br/en/), so I trust the info there. But nowhere does it say that the threats are in Portuguese.
They used a list of 3,269 threats among viruses, trojan horses, spyware, keyloggers, etc. We don't know how many of each. Before the article they praise paid security suites, because they are a suite and not an antivirus only. There is no data on these threats, nor how many of each type, how old each one was, nor how many threats are not on the known list of each antivirus. Much less the language of the code.
Let me repeat it: NOTHING in the test implies that antivirus have a problem with non-English threats. It only said that those antiviruses had that percentage of correct matches on either heuristics or non-threats. But we don't know the exact content of the database or the code used to test it. Much less the quality of the test.
Again: Language was not a part of the test!!!
--- "When you gotta do something wrong. You gotta do it right. (Fighter)"
I believe Secunia is calling this one antifoidulous.pebkac.2011A.
Actually the installer for OS/2 (Warp, iirc) would do a virus scan before installing and would come up with the message
"windows found, remove: (y/y)?"
so someone at IBM shares your sense of humor... or maybe it was you?
Andy Warhol got it right / Everybody gets the limelight
Andy Warhol got it wrong / Fifteen minutes is too long.
I don't see any multinational company doing this because of what you said (no ability to manage/audit workstations), plus the EULA would be violated as MSE is for personal/home use and defines it.
This is what Forefront is for. Forefront is essentially MSE, but it has enterprise-level features, and MS advertised a few years ago that it can deter zombie invasions. Just the fact that the undead won't be attacking the workplace alone makes Microsoft's offering worth getting on an enterprise level.
MSSE and Forefront Endpoint Protection are the same base engine and since MS is giving it away to companies with an enterprise agreement you can bet companies are at least considering it.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Devil's advocate here:
I beg to differ, especially with Windows 7. Windows has its issues, but its security features are on par with everyone else.
The problem oftentimes is with the third party developers which don't allow the OS to enforce DEP, much less ASLR. Heck, Microsoft was accused of acting like a tyrant because they decided to force programs to have a separate user/admin priv model, just like every other mainstream OS out there.
Of course, Windows has problems, but saying it is fundamentally insecure isn't accurate.
I can't read the article: blocked by company policy.
But I would like to know whether they tested with Comodo in the "auto sandbox" setting. Since the virus would run sandboxed, it should not matter what the language was.
I am thinking of switching from MSSE to Comodo, and if they tested it and it failed then Comodo would not be an option for me.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
What if it saves all your data to the cloud (best encryption), uninstalls your broken OS, installs a better OS, ports all your settings and themes over (as close as possible, given proprietary format angst) and then presents you with a better deal overall?
What sort of definition would one give to that sort of virus, Vir.Benev.BashScript? ;-)
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
Security "features" of a typical desktop OS are not what makes it secure -- they are what annoys the user while pretending to make the computer less vulnerable. UAC and antivirus are "security features", and so are Windows Firewall, ACLs, etc.
What makes an OS secure is secure design and a lack of vulnerabilities; Windows has none of that and never will.
Contrary to the popular belief, there indeed is no God.
Heck, Microsoft was accused of acting like a tyrant because they decided to force programs to have a separate user/admin priv model, just like every other mainstream OS out there.
They started that back in about '95. By Vista, they'd given up asking nicely. It was as bad as the MS-DOS tricks that continued until XP came out.
Spamming /. with fashion accessories. Mod parent funny and then visit the link.
Thanks to the Internet, there is no reason that malware written in one place cannot easily spread across the world...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
anti-malware, about as much use as selling rocks ...
Not exactly the same thing, but I've been getting a lot of spam in Greek for some reason -- and I have no idea how to filter it out (I could just capture any message with a common Greek word, but it's... gibberish to me). It's clearly spam, and probably all from the same sender, because the formatting is always similar, though of course the links vary.
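A filter along the lines the poster describes, as an added example (not code from the post): it strips URLs (the links vary, the prose does not), counts letters by Unicode script, and flags a message only when Greek letters dominate what remains, so an English mail quoting one Greek word is not caught. The sample messages are constructed.

```python
import re
import unicodedata
from collections import Counter

# Constructed sample messages (subject and body joined); not real mail.
SAMPLE_MESSAGES = {
    "greek_spam": "Προσφορά! Κερδίστε χρήματα τώρα http://example.invalid/offer",
    "english_mail": "Meeting moved to 3pm, see attached agenda.",
    "mixed_quote": 'Quoting my colleague: "Καλημέρα" means good morning.',
}

URL_RE = re.compile(r"https?://\S+")


def script_histogram(text):
    """Count letters per Unicode script, taken from the first word of each
    character's Unicode name (e.g. 'GREEK SMALL LETTER ALPHA' -> 'GREEK').
    URLs are removed first; digits and punctuation are ignored."""
    counts = Counter()
    for ch in URL_RE.sub(" ", text):
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        counts[name.split(" ", 1)[0] if name else "UNKNOWN"] += 1
    return counts


def dominant_script(text):
    """Return (script, share) for the most frequent script, or ('NONE', 0.0)."""
    hist = script_histogram(text)
    total = sum(hist.values())
    if total == 0:
        return ("NONE", 0.0)
    script, n = hist.most_common(1)[0]
    return (script, n / total)


def is_greek_heavy(text, threshold=0.6):
    """True when Greek letters make up at least `threshold` of all letters.
    A threshold below 1.0 tolerates a few Latin words (product names, etc.)
    while a single quoted Greek word in an English mail stays well below it."""
    script, share = dominant_script(text)
    return script == "GREEK" and share >= threshold


def classify(messages, threshold=0.6):
    """Map each message id to a flag, as a mail filter rule would."""
    return {mid: is_greek_heavy(body, threshold) for mid, body in messages.items()}


if __name__ == "__main__":
    for mid, flagged in classify(SAMPLE_MESSAGES).items():
        print(f"{mid}: {'flag as Greek-script spam' if flagged else 'keep'}")
```

The same histogram works for any script the poster cannot read; only the `== "GREEK"` comparison is specific to this case.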
Agreed. There are "features" which constitute little more than security theater, like the annoying firewalls of times past.
However, there are true security features that operating systems must have.
UAC can be debated. In reality, UAC is a good thing, although how MS got a patent on a "graphical sudo" is beyond me.
There are features that are needed, and not theater though. A couple:
1: Filesystem encryption, either file by file like AIX's EFS, Windows' EFS, EncFS/FUSE, raw image level like TrueCrypt, LUKS, encrypted disk images on OS X [1], or even hardware level encryption like on IronKeys, IBM disk arrays like the DS5100s and up, or encrypted drive controllers. This is the court of last resort if a blackhat gets physical access to a machine and decides to pull media, be it tapes from a silo, or drives out of a RAID enclosure.
2: ASLR, DEP, and other memory protection. By making sure that data is not executable with a NX bit, this protects the OS against a lot of buffer overflow attacks. Combine this with a malicious program not knowing where the stack is using ASLR, and this slams the door on a whole type of attacks.
3: Limited application context. This is called different things on different operating systems, but essentially it means an application does not have the full privs of the user it is running under. This can be done via policies (SELinux, AppArmor), jail(), or Microsoft's low priv functionality (which IE7 and IE8 run under). It can even be done by a third party program like SandboxIE [2]. This is a definite security feature because it limits the damage malware can do if it gets the ability to execute in the context of a browser add-on or a browser (which is one of the most common infection vectors these days).
4: Ability to deny access after "x" amount of bad password guesses. This is important to prevent brute forcing of either local access (via a hardware device that guesses passwords), or from remote.
5: Ability to check for unauthorized modifications to the operating system. AIDE/Samhain/TripWire are good tools for that, but I'm sure there are always ways to get around those. The only real way to detect modifications even with rootkits present is to boot the OS from other media, check the hashes of the programs on the system against a known good list, and discard false positives.
6: The ability to have audit logs sent to another machine. Having this ability may mean the difference between an investigation of a breach being unable to commence versus being able to backtrack to the next link in the chain.
So, I agree -- there are security theater "features", but general use operating systems have to have true security features to deal with today's attack vectors as well.
[1]: IronKeys in my experience are the only game in town when it comes to on-board hardware encryption for USB flash drives. They are expensive, but worth it, assuming the machine it's used on is not compromised.
[2]: SandboxIE may not be perfect, but it definitely goes a long way for helping priv isolation. It also is easier to use than keeping your web browser in a separate VM.
No centralised update system, you can only update ms stuff centrally, third party apps are left out in the cold.
no, in an enterprise setting you can setup your own WSUS server and you can push msi centrally. And you can create your own msi to update application like firefox.
Most of your arguments are outdated; you are resorting to FUD just like MS did between 1998 and 2008.
Jehovah be praised, Oracle was not selected
please mod me down I suffer from ADD today, I did not read the part about nessus and WSUS....
Jehovah be praised, Oracle was not selected
With implications that the issue lies in the fact that they are free, not that all antivirus are plagued by these issues (I will let you decide on what was the exactly aim of the article).
Yup.
It's strongly tuned to make reader buy commercial antivirus.
For a start, it only mentions popular commercial antiviruses which happen to have a free version.
It does not mention the free software ClamAV, for example, which could have been a nice addition, especially because ClamAV accepts lots of community input in its database. So malware more frequent in some less marketed countries (like suggested by the /. entry and mentioned elsewhere in this discussion) has a better chance of getting covered.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
UAC can be debated. In reality, UAC is a good thing, although how MS got a patent on a "graphical sudo" is beyond me.
It may be a "good thing" for Microsoft, considering what a disaster it was before and what a slightly lesser disaster it is with that. In reality, when security is concerned, "if you have to ask, the answer is no". Please note that Linux desktops mostly moved from sudo to PolicyKit, and use password prompts not to verify whether a potentially security-breaking operation is started by an authorized user but to check whether the user really wants to perform an administrative operation, so he won't just press OK. I expect that cached permissions in sudo will be completely disabled after that transition is complete.
1: Filesystem encryption,
This is only justified for non-removable media when the user has to deal with an attacker having access to the hardware AND the attacker is interested in reading or altering data instead of destroying it, AND the computer is always off when the attacker can access it. Never in my life have I been in a situation where I could benefit from this, or seen someone who could. With removable media it is somewhat justified because it's shipped and carried in all kinds of potentially hostile environments.
[1]: IronKeys in my experience are the only game in town when it comes to on-board hardware encryption for USB flash drives. They are expensive, but worth it, assuming the machine its used on is not compromised.
There is no way in Hell I will trust an unknown implementation of an unknown encryption algorithm on a media type known to move data around its physical addresses.
2: ASLR, DEP, and other memory protection.
Useful, but only marginally because almost everything that was exploitable is still exploitable with a more convoluted exploit.
3: Limited application context.
This is a part of design. Windows has such a hard time using it (cutting IE away from the rest of the system, which you mentioned, being the only feasible example, and an extremely inconvenient one for the user who has to download files).
4: Ability to deny access after "x" amount of bad password guesses. This is important to prevent brute forcing of either local access (via a hardware device that guesses passwords), or from remote.
Absolutely worthless for any purposes other than being an easy DoS target. "Locking out" of this kind needs an override to restore access after it happens, and access to such override is protected by... another password!
5: Ability to check for unauthorized modifications to the operating system.
This cannot possibly be a part of the system because it has to be performed in a known-unmodified environment outside of the system. Otherwise it's no better than antivirus.
The only real way to detect modifications even with rootkits present is to boot the OS from other media, check the hashes of the programs on the system against a known good list, and discard false positives.
The only real way to detect modifications is to boot from read-only media. There is no requirement for that OS to be the same as the OS normally booted -- in fact, it's better to keep the checker the Hell away from the image that is normally booted, lest the user be tempted to run it from there.
6: The ability to have audit logs sent to another machine. Having this ability may mean the difference between an investigation of a breach being unable to commence versus being able to backtrack to the next link in the chain.
The existence of such logging is a part of design -- to be in any way effective it has to be used by everything worth being monitored, OR it has to log every system call.
Contrary to the popular belief, there indeed is no God.
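The offline check that item 5 above and this reply both describe, as an added example that is not code from either poster: a known-good hash manifest is taken while the system is clean and kept on separate read-only media, then the suspect image is mounted from another boot and compared against it, with an ignore list for paths that legitimately change (the `var/log/` prefix is an assumption for illustration). The directory tree is constructed in a temporary directory so the block runs stand-alone.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    # Hash in chunks so large binaries need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """{relative_path: sha256} for every regular file under root. Take it while
    the system is known-good and store it on read-only media, not on the image."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def verify(root, manifest, ignore_prefixes=("var/log/",)):
    """Compare the suspect image mounted at root (from a separate boot) with
    the known-good manifest; paths under ignore_prefixes are expected to
    change (logs, caches) and are dropped as false positives."""
    current = build_manifest(root)
    keep = lambda p: not p.startswith(ignore_prefixes)
    return {
        "modified": sorted(p for p in manifest if keep(p)
                           and p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if keep(p) and p not in current),
        "added": sorted(p for p in current if keep(p) and p not in manifest),
    }

def demo():
    """Constructed tree: snapshot it clean, alter it, verify. Returns the report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode="wb"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, mode) as f:
                f.write(data)
        write("bin/ps", b"ps-binary")
        write("bin/ls", b"ls-binary")
        write("var/log/syslog", b"boot ok\n")
        manifest = build_manifest(root)  # known-good snapshot
        # Simulated unauthorized changes: binary replaced, file added, log grew.
        write("bin/ps", b"replaced-ps")
        write("bin/dropper", b"unexpected")
        write("var/log/syslog", b"more lines\n", "ab")
        return verify(root, manifest)
```

Mount the suspect filesystem read-only before pointing `verify` at it, so the check itself leaves no trace on the image.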
Yes, Windows is fundamentally insecure.
WPAD, UPNP, and Shatter attacks. End of story. Microsoft happily releases patch after patch to hide the most apparent symptoms, but the disease continues merrily along.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant