Antivirus Software Performs Poorly Against New Threats
Hugh Pickens writes "Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). 'The bad guys are always trying to be a step ahead,' says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. 'And it doesn't take a lot to be a step ahead.' Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its 'signature' — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. 'The traditional signature-based method of detecting malware is not keeping up,' says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. 'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"
who would have thought?
As the bad guys are always ahead! It's trivial!
The antivirus company can only react to new virus technologies. So the time to react is the measurement we need first; only later do we need the accuracy.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
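The "time to reaction" metric the comment above asks for can be computed directly from a sample timeline. The script below is an added example, not code from the thread or from any vendor: given a first-sighting date per sample and the date each product's signatures first caught it, it reports the day-zero detection rate (the figure the summary's study quotes) alongside the median lag in days and the number of samples still missed. All records and product names are constructed placeholders.

```powershell
# Added example: per-product reaction time from a constructed sample timeline.
# Each record is one malware sample: when it was first seen, and the date each
# product first detected it ($null = never detected in the observation window).
$samples = @(
    @{ Id = 's1'; FirstSeen = '2012-11-01'; Detected = @{ ProductA = '2012-11-03'; ProductB = '2012-11-01' } },
    @{ Id = 's2'; FirstSeen = '2012-11-05'; Detected = @{ ProductA = '2012-11-20'; ProductB = $null } },
    @{ Id = 's3'; FirstSeen = '2012-11-10'; Detected = @{ ProductA = $null;         ProductB = '2012-11-25' } },
    @{ Id = 's4'; FirstSeen = '2012-11-12'; Detected = @{ ProductA = '2012-11-12'; ProductB = '2012-11-19' } }
)

function Get-ReactionStats {
    param([array]$Samples)

    # Collect every product name that appears in any record.
    $products = $Samples | ForEach-Object { $_.Detected.Keys } | Sort-Object -Unique

    foreach ($p in $products) {
        $lags = @(); $dayZero = 0; $missed = 0
        foreach ($s in $Samples) {
            $first = [datetime]$s.FirstSeen
            $det   = $s.Detected[$p]
            if (-not $det) { $missed++; continue }          # never caught
            $lag = ([datetime]$det - $first).Days            # days until a signature existed
            if ($lag -eq 0) { $dayZero++ }                   # caught on first sighting
            $lags += $lag
        }
        # Lower median of the observed lags; $null when nothing was ever detected.
        $sorted = @($lags | Sort-Object)
        $median = if ($sorted.Count) { $sorted[[math]::Floor(($sorted.Count - 1) / 2)] } else { $null }

        [pscustomobject]@{
            Product       = $p
            DayZeroRate   = [math]::Round($dayZero / $Samples.Count, 2)  # "initial detection rate"
            MedianLagDays = $median
            StillMissed   = $missed
        }
    }
}

Get-ReactionStats -Samples $samples | Format-Table -AutoSize
```

With the constructed data, ProductA reaches day-zero detection on one of four samples and has a median lag of 2 days; ProductB also catches one at day zero but its median lag is 7 days. The point of separating the two numbers is exactly the comment's: a product with a low day-zero rate but a short median lag protects users sooner than one that eventually detects everything but takes weeks to do it.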
We should just outlaw malware. Then we wouldn't have to worry about it anymore! >_>
In about 15 years I've seen (and fixed) about ten infections, all on computers from friends or colleagues. All those infections were with known viruses or rootkits. You might say that new viruses go unnoticed, but even if they have infected a computer, shouldn't an antivirus scanner detect it later? Yeah I know it "should", but will it? I never see anything about them. Anyway, how often do all these new viruses actually have an impact?
The real "Libtards" are the Libertarians!
Malwarebytes isn't much different than other anti-virus products... as far as I'm aware, it uses pretty much the same methods to detect and remove. Also, the free version is only much use once the system is already infected (at least that was the case last time I checked) - you have to pay for any sort of real-time monitoring.
The article mentions whitelist technology as the next step beyond conventional signature-based blacklist systems. But that's what I used three years ago, with RegRun. As soon as an executable is run that it doesn't recognize, RegRun pops up an alert asking you if it's legitimate. Of course, this is useful only for the technologically savvy.
But now instead of that, I employ the ultimate in virus recovery (albeit not virus control). Using the multi-boot software BootIt Bare Metal (like a commercial version of GRUB, GParted, and other utilities rolled into one), I keep a clean OS on a separate partition that I can copy over the main partition at any time. Of course, I keep data on fileservers instead of my local hard drive.
While this is a classic arms race (i.e. each has an incentive to stay one step ahead), I would argue that there is asymmetry in the incentives of the attackers (malware writers) and the defenders (anti-virus and computer security software writers). I believe the long-term outcome of this is that the window of exposure for popular platforms will continue to grow, despite advances in patching hosts, general user education, availability of firewalls, etc.
An illustration of the basic asymmetry is this:
A lone coder in an impoverished country has a lot more to gain by writing a single virus/piece of malware than does an anti-virus company to write detection for that single virus. Think: bread for your family vs. one more item crossed off in a list of tens (if not hundreds) of thousands.
Additionally, the virus only has to be active for a short time to make the labour worth it. Write a new one every month, by the time it gets to the a/v companies, cash is in the bank.
Multiply this by the number of coders that are out of work, in countries that have other things to worry about, and the increasing availability of tools and education for the job.
It is a losing battle, long term.
Heuristics are HARD, and if you spend 3 months developing a virus you test it against the major players to see if it actually does anything.
New viruses are designed to get past the current antiviruses. The only thing that an AV should guarantee is a minimal number of days until they have an update that will protect users.
Troll is not a replacement for I disagree.
I like to think of myself as being pretty good when it comes to security and AV protection. I've been using computers since the C64 era and I remember when Michelangelo was making waves, long before rootkits. I even wrote a small DOS virus in assembler myself (never released it, just as a study). I don't run crap downloaded from torrent sites and all my software is licensed. I keep a Windows XP inside a VM for stuff I'm not sure about.
Last month I got infected. I got sloppy and I just ran something from an unknown origin (not a crack or some crapware, a legitimate installer). Some alarm bells sounded right away in my brain (the installer should have been signed and I got a warning that Windows Security had been disabled). I spent the next 5 days running AV tests on the drive. I used Live CDs from Kaspersky and MS to boot clean. I pulled out the drive and scanned it on a clean computer. I ran separate AV and rootkit finders. They all said the system was clean but I still didn't feel right. Finally, I ran Malwarebytes Anti-Rootkit and it found it! No false positive, it really was a trojan svchost.exe. Needless to say I nuked everything from orbit: repartitioned and reformatted the drive, installed everything fresh and restored my files from backup. I even changed all the passwords.
Anyway, I guess the next scientific breakthrough is just around the corner...
... if everyone stopped using McAfee and Norton, we wouldn't be in such problems. I switched to MSE when it got released, and haven't gotten a virus since, including those fake anti-virus/security ones.
The question is, how well do these products protect their users? This study doesn't really help in that regard. Sure, we can dig up samples that the product doesn't detect. This is inevitable as pretty much everyone acknowledges.
A couple thoughts though. Looking at the PDF, they are deliberately going after obscure and experimental samples of malware. Fair enough, this was the purpose of the study. If they wanted to establish that AV products won't detect obscure and experimental malware samples, so far so good. But how likely is it that any normal user is going to encounter one of these? Probably very unlikely.
The AV vendors have to prioritize their time, so they will focus more on malware that a user is likely to encounter, so as to provide better protection.
Yes, the underlying point is still valid. Any automated detection technology is going to lag behind, that's a problem we will have to live with. Even products from Imperva will suffer from this, malware authors will simply run their samples through VirusTotal and all the other tools and keep tweaking until they have an approach that evades the detection.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
It will require a whole new Internet to keep bad guys out. One Internet with all the lockdown measures in place, and one with all the free rein and dangers that come with it. I'm thinking this will all be done by companies like Google and Microsoft. They will probably have some options in the search engine to enable this.
-- By all means let's be open-minded, but not so open-minded that our brains drop out.
It's not like this has only started happening. Does anyone seriously give any weight to the advertisements for things like NOD32 and others, where they claim "so and so reports that they have never missed a virus in the wild in the last ten years"?
Does not work for PEBKAC.
Every end has half a stick.
The real dirty secret is that the antivirus companies are in cahoots with government and Big Content companies like Sony to prevent the detection of malware beneficial to their creators.
We could finally start putting security before convenience, unnecessary bloat and crap, and making a quick buck.
i.e. Adobe Reader, Java, Flash Player, Internet Explorer (with its unholy deep system integration), unnecessary background services, even if they are meant for updating the programs (Firefox, Adobe: thanks, I am sure this will become a new attack vector).
That doesn't really stop the virus once it's already infected a host, and it does nothing until people actually apply the patch.
Hardly the "Best" way.
What about Comodo's Defender? You can set it up to automatically sandbox any suspicious programs (unsigned, for example) and any suspicious behaviours will be denied and reported. Certainly it is not a silver bullet, but I have had good experience with it after it detected malware hidden in my input method program (which wasn't detected by MSE). The developer site was breached and a modified version was uploaded; Comodo alerted me that the program was trying to access the internet.
Seems like we had a story about this same shit a month ago. It is still basically just scare mongering.
Yes, virus scanners are not good at brand new threats. A threat must be identified, and an update sent out before it can be blocked. Virus scanners are not magic AI boxes that can evaluate code for its intent, nor is there an "evil bit" that is set in bad code.
However, it turns out not to matter since viruses spread like, well, viruses, and virus scanners are inoculation. It is a herd immunity thing. New threats aren't on any systems, they are put up in various places to try and infect systems. They start slowly spreading. They get identified and an update sent out, and their spread is limited as potential hosts are inoculated.
Virus scanners are NOT perfect, but then no defense is. Geeks need to stop living in this fantasy land where there is perfect security. There's not. Ever. There is only layers of defense, defense in depth, to try and keep threats out and eternal vigilance.
Virus scanners are a valuable tool to help strengthen a defense. For most people they'll catch most of the threats they are likely to encounter, and that is not nothing.
Back in 1997 I wrote a resident COM/EXE DOS infector which couldn't be detected by F-Prot or TBAV (remember those?), despite the infector not being encrypted, much less polymorphic.
I learned two valuable lessons back then:
1) If you're going to write an infector, make sure you write the cleaner first.
2) You are your own best AV on the PC. If you know what you're doing, the AV does nothing helpful, and if you get infected, it'll be by something that AV cannot detect.
We have a human analogy as a starting point. If I wanted to keep something, human or otherwise, free of infection I would stick it in a hermetically sealed container. Personally, I think (and I am most certainly not a security expert) the problem we have is that users are, by and large, allowed too much freedom by default. They can wander, like horny 16 year olds, the boudoirs and dark alleys of the internet without any form of protection whatsoever. The iPhone is a nice example of a locked down system where there are very few, if any, threats. Why can't we have the default machine something like the iPhone, with options to free things up a bit for those who know what they are doing? My guess is that a lot of users are increasingly in the "I just want it to work" category and wouldn't even notice a significant loss of privileges. Unless it affected their access to pet tap zoo, or whatever it is called.
Would like to see how Prevx stacks up at early detection of unknowns.
You seem to regard science as some kind of dodge... or hustle.
Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses.
Why do I get the sense that I've known this all along, and that I have in fact heard this same thing over a decade ago? Oh yeah--because I have, and things don't just magically change.
Software can't just catch 100% of everything that it was not designed to detect in the first place. How is this news? Same shit, different year (or would that more appropriately be decade?).
Not a security expert? But isn't antivirus software supposed to protect against known viruses and not against new zero-day exploits? Firewalls, proper user rights, application hardening, recovery systems, monitoring, etc. As much as I hate to say it, the OS does play a part in guiding human behavior.
I run a local computer repair shop, and I can corroborate this story- modern AV does jack.
I haven't seen any really malicious malware in a while, but I see ransomware and scareware ones quite often, and every time the computer has up to date AV on it.
What's more, a lot of the time I've seen the virus in question several times, meaning it's been around for at least a fortnight, and still the AV guys haven't picked up on it.
I can appreciate that a socially engineered drive-by exploit attack is difficult to defend against; when the customer asks me how to stop it happening again, it's a tough question to answer. But this doesn't change the fact that IMHO, all anti-virus is a waste of time and money at the moment.
I install MSE on customer laptops because I have to put SOMETHING there, but I have little faith that it will protect them.
Now I'm not fear-mongering here, I'm just being matter-of-fact. Three years ago when I stopped re-selling AVG, my account manager said 'Oh sorry to hear that, can I ask why?'
I said; 'Because it doesn't work. I am removing trojans and rootkits from computers every day, and many of them are running AVG, which has completely failed to save them.'
Make your anti-virus software work, and make it protect users from drive-by attacks on bad facebook links (without intrusive toolbars and link checkers please), and I will sell you hundreds of copies in my little shop alone.
This is why I use Sandboxie on the Windows PCs I use. Great little tool, and I bought a license some time ago after testing the free version for a few years.
Only problem is that it's no use for regular users. You need to know what you're doing.
BufferZone Pro might just be the right alternative but I've not tested it much.
The top AV vendors have been using methods beyond signatures (white listing, behavior monitoring) for a while now.
You can't fix a human behavior problem by throwing more technology at it. Depending on AV for prevention of computer malware is like telling someone to slice themselves up with razor blades then jump into raw sewage. We have antibiotics, after all.
Have gnu, will travel.
If you need antivirus software, you're doing it wrong.
Help stamp out iliturcy.
The wiring job behind the AV CTO is quite embarrassing... what's going on there?
https://www.nytimes.com/images/2013/01/01/technology/01security-web/01security-web-articleLarge.jpg
Have a squat over at the hobo house.
Do NOT anthropomorphize computer viruses! They HATE that.
As it renders the virus useless.
No it doesn't. Viruses take advantage of a vulnerability to infect a system. Once it is on the system it doesn't use the vulnerability anymore.
Obligatory car analogy: You got a nail through a tire on your car. To take care of it you just don't drive on the road with nails on it where you got the first one. This doesn't fix it as the nail is still there making the tire deflate.
IMO, this is all to be expected, and hints at the true, underlying problem. The entire concept of anti-virus software developed under false pretenses.
If you read Wired magazine's lengthy story on John McAfee, for example, you learn that the guy was little more than a scammer, ever since his college years. He started out giving away "free" magazine subscriptions that he lied and told people they won, and then convinced them to pay him a "shipping and handling" charge to receive them.
He only got the idea to form his anti-virus company after reading a few news stories about the successful spreading of the first virus programs (which were really developed as an experiment to see how far they'd replicate -- not to do any damage to systems). He thought it was really scary stuff (which he claims is largely because he was beat as a child by his dad, and the idea of a computer virus suddenly attacking a machine for no known/good reason was similar in his mind).
His company only became really financially successful after he fear-mongered to the media at every turn, trumping up relatively small virus infections as "liable to wipe out entire corporations!" and so forth. (Remember, in the beginning, McAfee actually gave his product away for free, knowing home users would start recommending and/or installing the product where they worked too, and the real money was in getting companies to pay for licensing.) Obviously, others saw the flow of money and wanted a piece of that action, so they, too, started anti-virus or "computer security" companies with similar strategies.
Don't get me wrong. I'm sure there really are people in the computer security or anti-virus business with good intentions. Some people out there really DO think they've "built a better mousetrap" and aren't just trying to sell a bill of goods for easy money. But at best, this stuff is a rapidly moving target. In fact, the traditional virus is hardly even a problem anymore, since most malicious software writers have moved on to malware as more effective for their purposes. (Why try to make complicated code that secretly attaches to valid files and replicates itself at every turn when you can just trick a clueless user into voluntarily downloading and running your destructive application instead?)
Over the years, I've watched companies spend huge money on dedicated appliances that purported to be "advanced firewalls" and "intrusion prevention systems" and the like -- only to become pretty much obsolete when a new "security" company popped up and offered up a replacement solution that was more clever and relevant to the latest variations of threats. Meanwhile, how much money was REALLY saved by having any of this? That's the beauty of the scam, of course... there's no way to quantify it. You can make up all sorts of pretend statistics!
There are ways of mitigating that. Windows has typically been abysmal in this respect but even other operating systems could go a long way to improve things.
...and the antivirus marketers have been telling us they've been adding behavioral detection for years, too.
How's that working out for anybody?
No sig today...
Who would have thought, since the bad guys can test their malware against the most up-to-date popular AV software to ensure that the malware does not get detected.
The problem with every antivirus I have ever used in my computer business, not just Norton and McAfee, is that virus is too narrowly defined. Most miss spyware and all miss scamware, which they cannot tell from legitimate competing products and shakedowns like the FBI scam. Malwarebytes or Spybot while running in safe mode are the best bet for scamware and shakedowns.
The Uncoveror: It's the real news.
Running an anti-virus does not provide 100% protection, it does however provide infinite times as much protection as not running one.
Every major anti-virus company works with the NSA or similar intelligence agencies. All significant recent viruses have been crafted by state agencies, or under contract from these agencies.
Modern mass produced software, including so-called open-source from the larger projects, MUST be assumed to be compromised, and seriously so. Back-doors are planted for the use of the police, military and spy agencies. If awareness of these back-doors becomes too widespread in the greater community, 'patches' are released. The patches themselves may introduce new vectors of attack, but it is usually easier to build multiple holes in the software in the first place.
Every well-informed computer user knows that security comes from a raft of good hygiene practices, never from trusting an all-in-one solution like an always-running anti-virus program. If the state is really after you online (most unlikely, but it happens), the only sensible approach is to use much less common software for everything.
Running a modern Windows system, and ensuring that there are no low level hidden processes logging and transmitting your details is insanely hard and time consuming. Running even the best anti-trojan/anti-virus scan will NOT alert you to code currently in use by the security agencies. Finding this form of intrusion by hand is purposely complicated by 'legitimate' code (from Microsoft, Google and others) that is continuously transmitting encoded information even when their applications are seemingly inactive (but running, obviously).
>No it doesn't. Viruses take advantage of a vulnerability to infect a system. Once it is on the system it doesn't use the vulnerability anymore.
That is almost always true, but not 100%. A very few use methods that do not persist over a reboot to avoid off-line detection. Fixing the vulnerability does remove the virus in these cases.
It also uses file name/path blacklisting, something it seems most major AVs do not.
Vulnerabilities are not just the OS anymore.
This means browsers, java, flash, and PDFs, and sometimes even Office!
Create a standard user account for day to day computing, set up your less techy friends the same way, and explain that. Uninstall Java and disable Java scripting in IE in the Internet zone, and disable the add-on for it if you must use Java, like myself. This will let them use the crappy insecure garbage at work in the Intranet zone yet still protect them on the WWW.
Do not use Adobe PDF. Use Foxit or Sumatra (Foxit is my preference). Use Adblock and the very latest Flash that auto-updates, or better yet use Chrome. Chrome is sandboxed and takes care of that for you! Disable the Office document cache in IE 9 if you use it.
DO NOT USE OUTDATED BROWSERS! No I am not just referring to IE 6,7,and 8. I am looking at the user reading this on Firefox 3.6 which has 40 EXPLOITS right now and will never be patched! IE 8 is at least patched but still not a wise choice in this day and age.
IT managers? Get off your ass and tell the beancounters it is a liability to keep their ancient web apps! If you have confidential data your business can be sued, and it is a virus writer goldmine where they can steal all sorts of stuff like SSNs and credit card numbers. Put the cost up there and ask them if it is worth it. Same with Firefox 3.6. It is time to move on.
Stop using XP! ... Read my section above with browsers and IT managers. Same applies to obsolete operating systems.
Do all the above and you have a very secure setup. Nothing is ever safe, but that and an AV software package will limit the number of holes a virus can infect. Fewer vulnerabilities = fewer infections.
http://saveie6.com/
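The checklist in the post above (standard account, no Java, Java disabled in IE's Internet zone, no obsolete Windows) can be audited from a PowerShell prompt. The script below is an added example and is not from the thread or from any vendor; it is read-only and changes nothing. It assumes PowerShell 3 or later for Get-CimInstance, uses the documented IE zone registry layout (zone 3 is the Internet zone, value 1C00 is "Java permissions", 0 meaning disabled), and treats anything older than NT 6.1 (Windows 7) as obsolete, which is an assumption matching the post's "stop using XP".

```powershell
# Added example: read-only audit of a Windows machine against the hardening
# checklist from the post. Reports only; remediation is left to the admin.

function Test-StandardUser {
    # True when the current token is NOT in the local Administrators role.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    -not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InstalledJava {
    # Scan the Uninstall keys in both registry views for Java runtimes
    # (display names look like "Java 7 Update 9" or "Java(TM) 6 Update 31").
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java(\s|\()' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-InternetZoneJavaPermission {
    # Zone 3 = Internet zone; value 1C00 = "Java permissions".
    # 0 = Disable Java; 0x10000 / 0x20000 / 0x30000 = high / medium / low safety.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $v = (Get-ItemProperty -Path $zone -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
    if ($null -eq $v) { return 'not set (zone default applies)' }
    if ($v -eq 0)     { return 'disabled' }
    '0x{0:X} (Java enabled)' -f $v
}

function Test-ObsoleteWindows {
    # Assumption: anything below NT 6.1 (Windows 7) is obsolete for this check.
    # XP reports 5.1, Vista 6.0.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [version]$os.Version -lt [version]'6.1'
}

# Report; a "False" on the first line or any Java hits are the items to fix.
"Standard (non-admin) account : $(Test-StandardUser)"
"Java runtimes installed       : $(@(Get-InstalledJava).Count)"
"IE Internet-zone Java perms   : $(Get-InternetZoneJavaPermission)"
"Obsolete Windows (pre-Win7)   : $(Test-ObsoleteWindows)"
```

Run it as the everyday user, not from an elevated prompt, or the first line will report on the wrong token. The browser-version items in the post (Firefox 3.6, IE 6-8) are deliberately left out here because their install paths and version strings vary too much to check reliably from the registry alone.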
>> How is this news? This has been the case for years!
It's news to the AV makers ...
>> ...and the antivirus marketers have been telling us they've been adding behavioral detection for years, too.
> How's that working out for anybody?
It means the clients can sign up for certification and compliance ...
AccountKiller
> We should just outlaw malware. Then we wouldn't have to worry about it anymore!
Make virus-writing a felony punishable by the death penalty ..
AccountKiller
'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"
Run your OS off a read-only USB device
"Australian company Cybersource says it's currently talking to two domestic banks about providing Linux-based bootable CDs to consumers to ensure Internet banking security". link
"Accessing online banking from your home PC is unsafe, says CIO of CNL Bank", link link
AccountKiller
After you found the bugger unknown to all the AV persons in the world... you send it to all of them, right? I deal with a lot of client PCs and some are horribly infected. Sometimes a boot from USB gives me the boot sector viruses, sometimes other things, but whenever the uncanny feeling you describe creeps up it might be right... something new... I had one of these things on a PC that performed just bad enough to dig deeper, and found something that had to be it. Put it through an online multi-engine virus scanner. Only two virus scanners thought it might perhaps be a virus. Sent it to Microsoft: took them half a day to classify it as in need of in-depth research. Took many days to be released and detected as a code obfuscator. Oh, and I nuked it from orbit; who knows where or what it was hiding, or what other nasty siblings...
http://www.tot-ltd.org/API/
Back in 1992 I wrote a report called "Virus Detection Alternatives", already describing all this "new" knowledge (problems with signature scanning, polymorphic viruses, heuristic scanning, etc.). :-)
The main conclusion at the time (of DOS 5.0 (!)) was that the security of the operating system had to be improved.
Get a copy of the report at http://ftp.sac.sk/pub/sac/text/virusdet.zip
(printed to text using WP5.1