Slashdot Mirror

← Back to Stories (view on slashdot.org)

Antivirus Software Performs Poorly Against New Threats

Posted by Soulskill on from the also-can't-hold-its-own-against-the-protoss dept.

Hugh Pickens writes "Nicole Perlroth reports in the NY Times that the antivirus industry has a dirty little secret: antivirus products are not very good at stopping new viruses. Researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab and found that the initial detection rate was less than 5 percent (PDF). 'The bad guys are always trying to be a step ahead,' says Matthew D. Howard, who previously set up the security strategy at Cisco Systems. 'And it doesn't take a lot to be a step ahead.' Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its 'signature' — unique signs in its code — before they can write a program that removes it. That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years. 'The traditional signature-based method of detecting malware is not keeping up,' says Phil Hochmuth. Now the thinking goes that if it is no longer possible to block everything that is bad, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached. 'The bad guys are getting worse,' says Howard. 'Antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.'"

46 of 183 comments (clear)

  1. so its like the human immune system? by alen · · Score: 4, Interesting

    who would have thought?

    1. Re:so its like the human immune system? by spottedkangaroo · · Score: 2

      It's much much worse than that... A human virus has to get really lucky and accidentally evolve features necessary to bind to our receptor sites. Virus authors, on the other hand, can use virustotal.com to see who can detect their stuff and evolve as necessary to avoid detection.

      --
      Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
    2. Re:so its like the human immune system? by mcgrew · · Score: 5, Informative

      Virus authors, on the other hand, can use virustotal.com to see who can detect their stuff and evolve as necessary to avoid detection.

      Virus writers make their viruses evolve? Creationism, anyone? Computer viruses don't evolve, they are engineered/programmed. And viruses that attack animals (including humans) don't have to evolve features necessary to bind to our receptor sites, those features have already evolved. What they do is mutate so that the animal's immune system doesn't recognize it as a threat.

      The animal immune system is nothing whatever like computer antivirus, and animal viruses are nothing like computer viruses. You guys are anthropomorphising WAY too much here.

      --
      Free Martian Whores!
    3. Re:so its like the human immune system? by GrumpySteen · · Score: 4, Informative

      Virus writers make their viruses evolve?

      In a sense, yes. Viruses have been created which "evolve" by changing their code around in order to prevent signature based detection. Viruses that do that are referred to as polymorphic viruses.

      Polymorphic viruses are doing basically the same thing as a biological species that evolves into a different coloring that helps it hide from predators. The ones that don't evolve better camouflage get eaten by predators/cleaned by virus scanners. The ones that do evolve better camouflage spread.

    4. Re:so its like the human immune system? by Joce640k · · Score: 2, Interesting

      Nope. Computer viruses are intelligent design, not evolution.

      --
      No sig today...
    5. Re:so its like the human immune system? by Joce640k · · Score: 2

      Mutation is a bad word here, it's got too many science-fiction-comic meanings.

      Try "corruption" instead. Does random corruption of code seem like a good way to generate anything useful? Did hard disk corruption ever improve a computer program? How about a stick of bad RAM? Did that ever make your operating system run better?

      --
      No sig today...
    6. Re:so its like the human immune system? by AlphaWolf_HK · · Score: 2

      If you want to get technical, a bio-hazardous virus (it's not an animal in any sense at all - debatable that it is even what you'd consider living matter) splices its RNA payload into a cell, which reprograms it to transcript more viruses and fewer organelles (destroying the cell in the process,) which then spread to inject their RNA into other cells ad infinitum.

      A computer virus splices its code payload into another executable program that it finds, causing the program to do repeat the process in addition to its normal function.

      Fundamentally similar in that they are just blindly reprogramming their host.

      Today what most people refer to as a virus doesn't really do that anymore though - modifying binary code nowadays is often a very easy way to be discovered without even having anti-virus software, because there's no telling if the software you are modifying includes its own integrity checks, which is commonly done to prevent cheating in video games, piracy, or a number of other things. Crackers get around this because they know exactly what they are targeting, but hitting software blindly like a virus needs to do is a no-no.

      Instead people call what is actually a trojan or a worm a virus, much like most people tend to confuse the difference between a virus or a bacterium.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
  2. It's a matter of time, stupid! by aglider · · Score: 3, Insightful

    As the bad guys are always ahead! It's trivial!
    The antivirus company can only react to new virus technologies. So the time to reaction is the actual measurement we need first. Only later we need the accuracy.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:It's a matter of time, stupid! by bondsbw · · Score: 2

      I'm not sure what "comprehensive solution" is being called for. Antivirus is an undecidable problem; the best we can ever do is check for what we know to date, and add some guesswork for finding future malware. But we will never have a perfect antivirus program.

      The better solution has proven to be OS security locks. Like it or not, the walled-garden approach implemented by Apple in iOS--and more recently by Microsoft--has made it much more difficult for malware to actually do anything harmful to your data and device. (Then again, it has also made it much more difficult for goodware to actually do anything useful with your data and device.)

      Even a good set of file permissions like in Linux, or in Windows Vista and 7, have been nearly as effective at blocking malware as what the antivirus industry has produced (and by that statement, I include the fact that many antivirus programs make the computer so unusable that people turn parts of them off). Of course, permissions tend to leave vulnerable anyone who is susceptible to social engineering.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    2. Re:It's a matter of time, stupid! by ByOhTek · · Score: 2

      I thought I've seen some pattern detection stuff in AVs before, that was supposed to try to detect suspicious activity.

      Problem is, there are a lot of legitimate things that look suspicious. Writing a predictive scanner is an even more difficult task than getting the base OS secure without losing too much performance, usability, or user friendliness.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    3. Re:It's a matter of time, stupid! by TheLink · · Score: 4, Insightful

      Solving the AV problem is harder than solving the "Halting Problem", since you aren't given the full source and inputs. Sandboxing and similar is the better approach.

      In many cases if you do things right (esp on servers), AV software is more likely to cause problems than viruses. Every now and then you hear of an AV software with a system crippling false positive or other big problem. So if you are sandboxing stuff, and not regularly adding 3rd party software to a server or browsing with it, installing AV software on servers is more likely to cause problems than it'll ever solve.

      --
    4. Re:It's a matter of time, stupid! by Zero__Kelvin · · Score: 2

      "At best you could say someone who deeply understands operating system vulnerabilities and works hard to find and fix security issues."

      You are confusing the tern secure and the phrase 100% in-penetrable. A bank vault is secure. A shoe box is not. Neither is 100% in-penetrable.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Law by SJHillman · · Score: 2

    We should just outlaw malware. Then we wouldn't have to worry about it anymore! >_>

    1. Re:Law by dkleinsc · · Score: 2

      We don't need a law, we just need to have wider adoption of RFC 3514, "The Security Flag in the IPv4 Header".

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    2. Re:Law by Blackeneth · · Score: 2

      Put a sign on your computer declaring it a "Virus Free Zone"

      --
      -- Knowledge is power. -- Francis Bacon
  4. What's the impact of those new viruses? by rvw · · Score: 4, Interesting

    In about 15 years I've seen (and fixed) about ten infections, all on computers from friends or colleagues. All those infections were with known viruses or rootkits. You might say that new viruses go unnoticed, but even if they have infected a computer, shouldn't an antivirus scanner detect it later? Yeah I know it "should", but will it? I never see anything about them. Anyway, how often do all these new viruses actually have an impact?

    1. Re:What's the impact of those new viruses? by SJHillman · · Score: 4, Insightful

      The "best" malware are the ones designed to be undetectable for years. Some even go so far as to play the role of an anti-virus to keep other infections out of its host. Given that most users don't bother to make sure their AV product is up to date (if working at all), it's no surprise these infections are never detected because they're actually making the computer run better (from the user's perspective) just so they can continue their own agenda undisturbed. The most advanced malware is more akin to a semi-benign parasite than a biological virus or bacteria.

    2. Re:What's the impact of those new viruses? by iMouse · · Score: 3, Insightful

      I'm still finding systems with infected MBRs and hidden partitions loaded with TDSS.tdl4. How old is this rootkit now?

      I think these AV companies need to figure out how to properly clean/repair a system that has already been compromised before trying to play the cat and mouse game with the malware developers. I find AV software far more useful if a late detection can be removed/repaired rather than have it sit on my system for years undetected.

    3. Re:What's the impact of those new viruses? by KitFox · · Score: 2

      Boot away from the hard drive (Linux live CD for example). Replace the MBR with a known-good copy. Check that the primary partition of the drive is Active, not the dinky space area. The TDL4 stuff primarily hits the MBR to bootstrap a malign active partition that it boots from. Wiping the MBR alone leaves the partition active but unable to boot. Wiping the partition alone leaves the MBR corrupted and unable to boot.

      --

      @Whee

  5. Film at 11... by whoever57 · · Score: 5, Interesting
    Seriously, how many people here at /. are not already aware how poorly anti-virus software works? This "study" is just a "slashvertisement". From TFA

    Imperva, which sponsored the antivirus study, has a horse in this race. Its Web application and data security software are part of a wave of products that look at security in a new way.

    --
    The real "Libtards" are the Libertarians!
  6. Whitelist is old news by michaelmalak · · Score: 4, Interesting

    The article mentions whitelist technology as the next step beyond conventional signature-based blacklist systems. But that's what I used three years ago, with RegRun. As soon as an executable is run that it doesn't recognize, RegRun pops up an alert asking you if it's legitimate. Of course, this is useful only for the technologically savvy.

    But now instead of that, I employ the ultimate in virus recovery (albeit not virus control). Using the multi-boot software BootIt Bare Metal (like a commercial version of GRUB, GParted, and other utilities rolled into one), I keep a clean OS on a separate partition that I can copy over the main partition at any time. Of course, I keep data on fileservers instead of my local hard drive.

    1. Re:Whitelist is old news by SJHillman · · Score: 4, Funny

      "Of course, this is useful only for the technologically savvy."

      That's the one huge, gaping security hole in most modern OSes... the user. Damn hard to patch too, although I have had some success with a crowbar.

    2. Re:Whitelist is old news by mcgrew · · Score: 2

      It depends on what you call "data". You can hide a virus in a text file, but that virus will be harmless, as there's no way to execute it. But a Word file isn't just data, since you can insert a macro. IMO whoever thought of putting embedded macros in word processing documents was brain-dead stupid; a word processing document should NOT be able to infect a system. Even a spreadsheet should not be able to infect; there should be two files in a spreadsheet with macros, the data and the macros, just like a database has data (uninfectable) and code (which can BE infection).

      Your MP3s are safe from viruses, your WMAs are not. WMA's DRM-friendliness make it a virus vector, while MP3s are safe. Anything subject to DRM can and most likely is infected or is an infection itself. On'y the ignorant use WiMP and WMA, they beg to have your system pwned.

      --
      Free Martian Whores!
    3. Re:Whitelist is old news by PlusFiveTroll · · Score: 3, Informative

      Bzzt, wrong. MP3s have been the vectors for exploits too.

      >Your MP3s are safe from viruses

      http://www.exploit-db.com/exploits/14309/
      http://www.gnucitizen.org/blog/backdooring-mp3-files/
      http://www.theregister.co.uk/2002/04/29/winamps_malicious_mp3_vuln/

      Any interpreter can be used to run an exploit if the interpreter has a flaw. The seemingly huge number of flaws in interpreters shows that it is either hard or people that write software make a lot of mistakes.

    4. Re:Whitelist is old news by Anonymous Coward · · Score: 2, Interesting

      I swear I saw a buffer-overrun attack (/ jailbreak) on an mp3 player using a maliciously malformed ID3 tag. Even "data" can be a vector for an attack as soon as it's read by a vulnerable application.

    5. Re:Whitelist is old news by KitFox · · Score: 2

      Way behind the times. Webroot took over the light factor by a huge margin (sub-MB total installer size anybody?). Instead of trying to make a spot heuristic decision about unknowns to figure if they are viruses or force them to run in a VM and not have any access to system resources (let's break legitimate stuff), or have access that is monitored and cut off, but the damage done is still there, it journals changes made by the unknown thing and if it's determined to be a problem, rolls it all back. If it's good, it just tosses out the journal. Upside: Light. Really. Downside: You can be "infected" for an average of ten minutes before it catches, neuters, and then guts the infection. Upside to the downside: The unknown is not given access to sensitive things (screenshots, keylogging, etc) while it's unknown. Downside to the upside to the downside: It can still get sensitive information from gullible users. Upside to the downside to the... Meh...: When something is detected in one place, it's detected globally within seconds.

      So yeah, not perfect, but sucks less.

      --

      @Whee

    6. Re:Whitelist is old news by tilante · · Score: 2

      An ID3 tag attack was the method used initially to jailbreak the Kindle Touch:

      http://yifan.lu/2011/12/10/kindle-touch-5-0-jailbreakroot-and-ssh/

      For those who don't want to actually read the article, the interface for the Touch was largely created with HTML5 apps, using Javascript. Digging into things, the jailbreak designer found that a Javascript function had been put in on the system to allow arbitrary command lines to be passed to the underlying Linux-based OS. However, when being used as a web browser, the Touch's interface code protected that function, and wouldn't allow it to be called.

      So, he started looking for other apps that had been created that way, that might not be protecting that function. One of them was an MP3 player. He tried putting HTML in an ID3 tag, and found that the HTML was processed and displayed. He then tried putting Javascript in the tag, and found that it was executed... and the function wasn't protected when called from there, so he was then able to run arbitrary shell commands as root on the system. This allowed the creation of an MP3 file that could be loaded onto a Touch and used to jailbreak it.

  7. Industry Incentives by Anonymous Coward · · Score: 4, Interesting

    While this is a classic arms-race (i.e. each has incentive to stay one step ahead) - I would argue that there is asymmetry in the incentives in the attackers (malware writers), and defenders (anti-virus, and computer security software writers). I believe the long-term outcome of this is that the window of exposure for popular platforms will continue to grow, despite advances in: patching hosts, general user education, availability of firewalls, etc

    An illustration of the basic asymmetry is this:

    A lone coder in an impoverished country has a lot more to gain by writing a single virus/piece of malware than does an anti-virus company to write detection for that single virus. Think: bread for your family vs. one more item crossed off in a list of tens (if not hundreds) of thousands.

    Additionally, the virus only has to be active for a short time to make the labour worth it. Write a new one every month, by the time it gets to the a/v companies, cash is in the bank.

    Multiply this by the number of coders that are out of work, in countries that have other things to worry about, and the increasing availability of tools and education for the job.

    It is a losing battle, long term.

  8. Cautionary tale by Anonymous Coward · · Score: 3, Interesting

    I like to think of myself as being pretty good when it comes to security and AV protection. I've been using computers since the C64 era and I remember when Michelangelo was making waves, long before rootkits. I even wrote a small DOS virus in assember myself (never released it, just as a study). I don't run crap downloaded from torrent sites and all my software is licensed. I keep a Windows XP inside a VM for stuff I'm not sure about.

    Last month I got infected. I got sloppy and I just run something from an unknown origin (not a crack or some crapware, a legitimate installer). Some alarm bells sounded right away in my brain (the installer should have been signed and I got a warning that Windows Security has been disabled). I spent the next 5 days running AV tests on the drive. I used Live CDs from Kaspersky and MS to boot clean. I pulled out the drive and scanned it on a clean computer. I run separate AV and Rootkit finders. They all said the system is clean but I still didn't feel right. Finally, I run Malwarebytes Anti-Rootkit and it found it! No false positive, it really was a trojan svchost.exe. Needless to say I nuked everything from orbit - repartitioned and reformatted the drive, installed everything fresh and restored my files from backup. I even changed all the passwords.

    1. Re:Cautionary tale by SScorpio · · Score: 3, Interesting

      He had an uneasy feeling and confirmed it. It's possible there was more to the infection that wasn't found. The only safe way to recover from a virus is a nuke from orbit and restore from backups.

    2. Re:Cautionary tale by jawtheshark · · Score: 2

      Yes, that's why you nuke from orbit immediately when you have an uneasy feeling, without wasting so much time.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  9. This is asking the wrong questions by jbmartin6 · · Score: 3, Insightful

    The question is, how well do these products protect their users? This study doesn't really help in that regard. Sure, we can dig up samples that the product doesn't detect. This is inevitable as pretty much everyone acknowledges.

    A couple thoughts though. Looking at the PDF, they are deliberately going after obscure and experimental samples of malware. Fair enough, this was the purpose of the study. If they wanted to establish that AV products won't detect obscure and experimental malware samples, so far so good. But how likely is it that any normal user is going to encounter one of these? Probably very unlikely.

    The AV vendors have to prioritize their time, so they will focus more on malware that a user is likely to encounter, so as to provide better protection.

    Yes, the underlying point is still valid. Any automated detection technology is going to lag behind, that's a problem we will have to live with. Even products from Imperva will suffer from this, malware authors will simply run their samples through VirusTotal and all the other tools and keep tweaking until they have an approach that evades the detection.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  10. Re:The best way to stop a virus by CSMoran · · Score: 2

    Does not work for PEBKAC.

    --
    Every end has half a stick.
  11. Comodo malware protector? by Clarious · · Score: 2

    What about Comodo's Defender? You can set it up to automatically sandbox any suspicious programs (unsigned for example) and any suspicious behaviours will be denied and reported. Certainly it is not a silver bullet but I have had good experience with it after it detected a malware hidden in my input method program (which wasn't detected by MSE). The developer site was breached and a modified version was uploaded, comodo alerts me that the program was trying to access the internet.

  12. This shit again? by Sycraft-fu · · Score: 2

    Seems like we had a story about this same shit a month ago. It is still basically just scare mongering.

    Yes, virus scanners are not good at brand new threats. A threat must be identified, and an update sent out before it can be blocked. Virus scanners are not magic AI boxes that can evaluate code for its intent, nor is there an "evil bit" that is set in bad code.

    However, it turns out not to matter since viruses spread like, well, viruses, and virus scanners are inoculation. It is a herd immunity thing. New threats aren't on any systems, they are put up in various places to try and infect systems. They start slowly spreading. They get identified and an update sent out, and their spread is limited as potential hosts are inoculated.

    Virus scanners are NOT perfect, but then no defense is. Geeks need to stop living in this fantasy land where there is perfect security. There's not. Ever. There is only layers of defense, defense in depth, to try and keep threats out and eternal vigilance.

    Virus scanners are a valuable tool to help strengthen a defense. For most people they'll catch most of the threats they are likly to encounter and that is not nothing.

  13. No shit by A+Friendly+Troll · · Score: 3, Insightful

    Back in 1997 I wrote a resident com/exe DOS infector, which couldn't be detected by F-Prot nor TBAV (remember those?), despite the infector not being encrypted, much less polymorphic.

    I learned two valuable lessons back then:

    1) If you're going to write an infector, make sure you write the cleaner first.

    2) You are your own best AV on the PC. If you know what you're doing, the AV does nothing helpful, and if you get infected, it'll be by something that AV cannot detect.

  14. Re:Well, maybe... by grahamm · · Score: 2

    Part of the problem is that products that start off good and have a good reputation often lose their edge but people continue using them. I remember when Norton Utilities (or it competitor PC Tools from Central Point) was almost essential for 'power' users, and when McAfeee was amonst the best anti-virus toolkits.

  15. Bigger problem than imagined. by grahamlord86 · · Score: 4, Insightful

    I run a local computer repair shop, and I can corroborate this story- modern AV does jack.

    I haven't seen any really malicious malware in a while, but I see ransomware and scareware ones quite often, and every time the computer has up to date AV on it.
    What's more, a lot of the time I've seen the virus in question several times, meaning it's been around for at least a fortnight, and still the AV guys haven't picked up on it.
    I can appreciate that a social engineered drive-by exploit attack is difficult to defend from, when the customer asks me how to stop it happening again, it's a tough question to answer- but this doesn't change the fact that IMHO, all anti-virus is a waste of time and money at the moment.
    I install MSE on customer laptops because I have to put SOMETHING there, but I have little faith that it will protect them.

    Now I'm not fear-mongering here, I'm just being matter-of-fact. Three years ago when I stopped re-selling AVG, my account manager said 'Oh sorry to hear that, can I ask why?'
    I said; 'Because it doesn't work. I am removing trojans and rootkits from computers every day, and many of them are running AVG, which has completely failed to save them.'

    Make your anti-virus software work, and make it protect users from drive-by attacks on bad facebook links (without intrusive toolbars and link checkers please), and I will sell you hundreds of copies in my little shop alone.

    1. Re:Bigger problem than imagined. by 0123456 · · Score: 3, Insightful

      Um, the viruses you see infecting systems will, pretty much by definition, be the ones that get past the AV software. You won't be asked to remove a virus that the AV software on the machine will catch, because the AV software will catch it.

    2. Re:Bigger problem than imagined. by grahamlord86 · · Score: 2

      That's true, but-

      A: My point about a virus that's been in the wild for at least two or more weeks is still not covered stands. AV corps bang on about research and monitoring so much, why are they so slow to keep up, especially when a lot of modern viruses are relatively easy to remove?

      B: AV loves to harp on about how well it's protecting you, yet you never see positive virus removals in the logs. By your suggestion, I should be seeing disinfections and removals in the AV logs on most computers. The only time I get a hit on AV is on a system that's already infected, and the AV is quite unable to remove it.

  16. Add sandboxing... by JamesTRexx · · Score: 2

    This is why I use Sandboxie on the Windws PC's I use. Great little tool and I bought a license some time ago after testing the free version for a few years.

    Only problem is that it's no use for regular users. You need to know what you're doing.
    BufferZone Pro might just be the right alternative but I've not tested it much.

    --
    home
  17. Time to... by PPH · · Score: 3, Funny

    ... bring John McAfee out of retirement and put him to work on the problem.

    --
    Have gnu, will travel.
  18. Do NOT anthropomorphize Computer viruses by codewarren · · Score: 4, Funny

    Do NOT anthropomorphize computer viruses! They HATE that.

  19. Anti-Virus - scamming people since day 1.... by King_TJ · · Score: 3, Interesting

    IMO, this is all to be expected, and hints at the true, underlying problem. The entire concept of anti-virus software developed under false pretenses.

    If you read Wired magazine's lengthy story on John McAfee, for example, you learn that the guy was little more than a scammer, ever since his college years. He started out giving away "free" magazine subscriptions that he lied and told people they won, and then convinced them to pay him a "shipping and handling" charge to receive them.

    He only got the idea to form his anti-virus company after reading a few news stories about the successful spreading of the first virus programs (which were really developed as an experiment to see how far they'd replicate -- not to do any damage to systems). He thought it was really scary stuff (which he claims is largely because he was beat as a child by his dad, and the idea of a computer virus suddenly attacking a machine for no known/good reason was similar in his mind).

    His company only become really financially successful after he fear-mongered to the media at every turn, trumping up relatively small virus infections as "liable to wipe out entire corporations!" and so forth. (Remember, in the beginning, McAfee actually gave his product away for free - knowing home users would start recommending and/or installing the product where they worked too, and the real money was in getting companies to pay for licensing.) Obviously, others saw the flow of money and wanted a piece of that action, so they, too, started anti-virus or "computer security" companies with similar strategies.

    Don't get me wrong. I'm sure there really are people in the computer security or anti-virus business with good intentions. Some people out there really DO think they've "built a better mousetrap" and aren't just trying to sell a bill of goods for easy money. But at best, this stuff is a rapidly moving target. In fact, the traditional virus is hardly even a problem anymore, since most malicious software writers have moved on to malware as more effective for their purposes. (Why try to make complicated code that secretly attaches to valid files and replicates itself at every turn when you can just trick a clueless user into voluntarily downloading and running your destructive application instead?)

    Over the years, I've watched companies spend huge money on dedicated appliances that purported to be "advanced firewalls" and "intrusion prevention systems" and the like -- only to become pretty much obsolete when a new "security" company popped up and offered up a replacement solution that was more clever and relevant to the latest variations of threats. Meanwhile, how much money was REALLY saved by having any of this? That's the beauty of the scam, of course... there's no way to quantify it. You can make up all sorts of pretend statistics!

  20. Re:So... by grantspassalan · · Score: 3, Informative

    This is exactly what Apple has done with gatekeeper in their current OSX. Users can choose 3 levels of software protection. The strictest is only to run software from the Apple store which all has a code signature key. After that level comes a restriction to run only software from trusted developers that have been issued a signature key by Apple. The final level is no restriction at all, were all software including Trojans and viruses are allowed. The default is the middle level. All iDevices from Apple are restricted to the highest level, namely only software from the Apple Store is allowed. This is a restriction which some techies consider severe, but ordinary users are perfectly happy with Apple's walled garden. This approach of Apple for security seems to work better than all A/V software combined. There have been no viruses or Trojans for iDevices.

    --
    A sufficiently advanced simulation is indistinguishable from reality.
  21. Missing from your story by bitflusher · · Score: 2

    After you found the bugger unknown to all the AV persons in the world....you send it to all of them right? I deal with a lot of client pc's and some are horribly infected. Sometimes a boot from usb gives me the bootsector virusses sometimes other things but whenever the uncanny feeling you discrive creeps up it might be right... something new... I had one of these things on a pc that performed just bad enough to digg deeper, found something that had to be it. Put it through an online many virus scanner. Only two virus scanners thought it might perhaps be a virus. Send it to microsoft: took them half a day to classify it as in need for in depth rearch. Took many days to be released and detected as a code obfruscator. Oh and I nuked it from orbit, who knows where or what it was hiding other nasty siblings...