Anti-Virus Is Dead (But Still Makes Money) Says Symantec
judgecorp (778838) writes "Symantec says anti-virus is dead but the company — the world's largest IT security firm — still makes 40 percent of its revenue there. AV now lets through around 55 percent of attacks, the company's senior vice president of information security told the Wall Street Journal. Meanwhile, other security firms including FireEye, RedSocks and Imperva are casting doubt on AV, suggesting a focus on data loss prevention might be better."
"AV now lets through around 55 percent of attacks" What happened? What's the big game changer from the 95% detections of just a few years ago?
They learned they can sell multiple product lines that do nothing.
Sure they want to sell you something in addition to "anti-virus" software with a fresh new name. But host-based security software isn't going away.
It has become so easy to make a virus, that creators abandon old virus methods before anti-virus companies even find out that they existed. Unless they come up with new ways to predict the attacks, they will never keep up.
When the back door was made of cloth and paper, there wasn't much sense in trying to fool the user guarding the front gate. Now that we've locked that down with a steel door and a proper deadbolt, it's a lot easier to try to sneak past the guard--and it's a lot harder to upgrade a guard than it is to upgrade a door.
I think we're entering a period where forensics and an effective legal apparatus are going to become the primary means of defense.
Part of the problem may be the closed source nature of AV itself. I have always wondered if the closed source AV vendors are basically reinventing the wheel and needlessly wasting resources on finding viruses that have already been found by other companies, and that maybe there should be a central virus database that all of the companies would contribute to instead. The model of each company having to independently find viruses is inefficient and leads to much slower progress on eliminating them. It is wasted time and effort reinventing the wheel, and as well it actually worsens things for users because things do not work as well as they could.
Does anyone here have a recommendation for the best AV software?
What about ClamAV? Is this as good as the closed source AV products?
In the article, Redsocks makes the claim that between January and March, the detection rate for something (their own software? Symantec's?) was between 64 and 73 percent. How does this add up to letting through 55% of attacks? Honestly, this sounds more like people waking up and realizing that Norton is badly-coded bloatware, and are uninstalling it and not buying it.
Sounds about right. I've had at least 3 viruses that have circumvented Norton -- but caught by Bitcoin Vigil (a honeypot-based approach to catching malware). I guess it's a combination of outdated signatures, novel attacks, and antivirus needing to limit its false positives.
I think they're only talking about their own software. In the last quarter's test at AV-Test, Avast (which is free) detected 100% of known samples and 98% of unknown virus samples. I never figured out how they obtained over 100 "unknown" samples of malware without reporting it to antivirus companies but I think it was an ongoing zero day, detect them as they're released type of thing.
"...are casting doubt on AV, suggesting a focus on data loss prevention might be better"
Oh yes, prevent your data from being deleted or Cryptolocker-ed while you're a spam-sending robot with all your credit card numbers and login passwords being recorded by a rootkit. Great strategy.
Of all the problems that my relatives have called upon me to fix on their machines AV might be the number one complaint. They buy a machine from some big box store (against my recommendation) and the AV becomes more and more threatening as to the dire situation their machine is in and how only a subscription to their product will solve the problem.
Then to make it worse the AV infests the machine like a spreading cancer. The browsers work funny, the startup is longer, the thing periodically pigs out on the internet. But it might be the popups that are the worst. We have all see the public jumbotron/Kiosk with a big AV popup front and center.
Personally I blame AV bloatware for being one of the downfalls of the PC industry. People were buying their shiny new machines hoping that all their problems would go away and poof their new machine is effectively just as crappy as their old machine with these incomprehensible popups and threats.
My only happiness in this situation is that the AV products haven't managed to get much traction in the mobile device industry.
The key thing to keep in mind is that when you buy a basic PC from a manufacturer that they don't make much if any profit from the machine. It is the kickbacks they get from the crap AV, crap game, and crap music services that come as trialware. So if the AV industry has a business model based upon fooling people, kickbacks, and annoying people; then they can't die too soon.
The horrible thing is that some products like NOD32 were awesome and didn't play those MBA games.
My fear is that some neophyte will read this and believe he doesn't need an anti-virus application anymore because they don't work. While AV applications are not my favorite thing to spend money on, they do have their place for less-than-savvy users who may be surfing or downloading from areas that may not be safe.
I wouldn't use a Symantec product if it was an extinguisher and I was on fire.
Nobody even vaguely familiar with PC support over the last 20 years can possibly fail to be acquainted with what was (is?) the most complicated, agonizing, and laborious process that was removing a Symantec/Norton antivirus "product" from a computer.
Seriously, with a newer machine, just re-installing the OS was far quicker, easier, and less likely to leave you with later issues.
As an AV product, it was not terribly successful in most neutral tests I saw.
If you didn't uninstall it, it was a resource hog, bringing even powerful machines to their proverbial knees when scanning. If you were foolish enough to install the 'suite' of security applications, it would involve literally dozens of services installed obscurely across your system. Removing it was very much like (or worse than) trying to get rid of some of the most tenacious malware I've ever encountered.
Truly, the 'cure' in this case was nearly worse than the disease. They *owned* the PC security market in the early days...why do you think its competitors have been so widely successful?
No amount of Virus protection can prevent Stupidity.
oh wait, Symantec does!
Or whenever AV apps turned from something that protected your Windows machine from malware into scareware that slowed down the OS more than a virus.
In the last 5 years the only hits I ever got with McAfee or Kaspersky were for legit files (heuristic fumbling in the dark) or the EICAR file.
I use Virtualbox VMs (and a different OS than the host, the more obscure the better) to do all my web surfing and routinely delete then replace the pristine VM; the important stuff (banking, whatnot) gets done on the host and that's all that I do on the host.
No rootkits, "virus", or malware in 5 years (that I can detect of course).
At first it was a hassle, but now I have it polished down to "slim mode" and no expansion on the one bar that shows on the host.
To sum up, anti-virus is essentially worthless for me, as is any "malware" detection app because they have never had a hit.
In Soviet Russia, McAfee sets you on fire!
I can't believe anyone in the industry hasn't already realized that AV is kind of like the police: they don't really prevent crime, but are there to investigate crime after the fact. For the last 10 years at least, it has been my experience, that none of the really stealthy and dangerous viruses are ever detected by AV. It's good at catching the "script kiddie" sort of stuff, but ineffective at finding anything really dangerous, until it's too late. I don't own any Windows machines any longer, but if I did, I wouldn't even bother with installing AV. All it does is slow down your system. The best AV tool is your brain.
It's now crapware, sorry but Symantec should now be thoroughly flogged in public for turning a once great, working, AV product into a piece of shit. I can't say much about the other vendors in the AV space, well I can for a few and I don't really trust any of them right now because they all miss shit and have lousy customer support.
Good anti-virus still has high detection rates. AV-Comparatives puts most virus scanners above 90% detection in their March real world protection test. The better ones are in the 98%+ range. http://www.av-comparatives.org...
Of course Symantec isn't on that list... perhaps there's a reason :).
I suspect the key to the 55% number is the word 'attacks' i.e. not viruses, worms etc but using OS holes and other such exploits.
that all AV software like this is reactive. Once the malware is out in the wild, it needs to get reported and analyzed and then added to the database. But the people who write the malware use every trick they can think of to evade the detection heuristics.
Don't get me wrong - I am not arguing that one ought not use AV at all, but that AV by itself doesn't provide you with the level of protection that many people might assume that they have.
I bet some geniuses do think well done is done well. But where do you go to order something and they ask you, "would you like a cup of our crappiest water?" or likewise. Would you like the engine cap fully tightened? How about only half-filled brake light fluid...
Your detractors have 0 vs your points on hosts. Only unjustifiable minusmods to try hide your post. They clearly can't disprove your points validly.
BOOM. Wish I had mod points!
Yeah, an experienced professional welder with a plasma arc in his shop is not as dangerous as some random guy waving one around on the street.
You could argue, though, that since Apple and Microsoft are purposefully marketing to less educated and skillful users, their systems should be required to be more highly engineered for safety. We do require airbags and dual-circuit master cylinders in cars, for example, even though an expert driver in a superbly maintained vehicle will rarely need them.
You obviously have no experience with these products in at least the last five years. Yes, there was a time they earned a bad reputation, but the current versions are easily uninstalled and are much lighter on resources. In fact, for many users (not the typical Slashdot user), modern AV (incl Symantec AV) can actually increase felt computer performance due to scheduled background maintenance tasks (defrag, for example). Still, like all software, AV products do consume resources and can have a noticeable performance hit, especially on marginal hardware to start with.
Malware constitutes the following:
[Injection Method] + [Exploit] + [Persistence or Self-Removal Configuration] + [Payload]
You can jumble around solutions to create a virus.
AV companies have to figure out both signature based and heuristic detection methods as they can't just MD5 and ban files. Malware writers can build files that defy algorithmic description; that self-jumble every time they are copied.
Most viruses can emulate user activities sufficiently that antivirus cannot stop them.
E.G. Cryptolocker. Users have rights to use windows cryptographic processes to encrypt files.
Thus the focus has gone straight to controlling user activities and user data securely. Assume the user is a criminal, what can they do, what can I do to stop them?
Assume the end user will get hijacked; what can they do? Compartmentalize them and their job so the damage done is minimal. E.G. Publishing every application via Citrix Remote applications and setting the interface with the OS on some of them so you cannot copy specific fields in forms. E.G. Websense.
Assume multiple end users will get compromised, Log every attack so each attack becomes a one-trick-pony. E.G. Most Firewalls and their monitoring features.
Assume the end user will take off with their files; encrypt them and setup a system by which the keys are kept locally. E.G. Microsoft RMS or "Next Gen" Firewalls.
This is a big shift in paradigm for security and for Sarbox organizations where compliance objectives trump everything else. It's also a fantastic way to completely decimate an organization, because you limit the ability of organic growth to fudge over incompetent management.
For your Ma' and Pa' business, things have stayed business as usual. And really, there's a whole new set of skills and features big enterprises are expecting out of IT that they will not be able to find in the field or in current certification paths.
In Windows XP you can use task scheduler to have the defragmenter automatically run, in Vista onwards, scheduling a defrag is as simple as clicking a checkbox. I would rather just use the OS's utilities than have redundant bloat.
I suspect he was referring to enterprise attacks rather than AV attacks on individuals.
You obviously have no experience with these products in at least the last five years. Yes, there was a time they earned a bad reputation, but the current versions are easily uninstalled and are much lighter on resources.
Not according to people I know who used them recently. For a few different family members in the past few years (who live far enough away that I can't troubleshoot their computer), I recommended installing antivirus to fix symptoms that obviously seemed to be some sort of malware. Yes, they found malware and viruses, and that often fixed some weird behavior. But inevitably it also tended to slow down their computers until they were basically unusable. Two of these family members ended up switching to tablets and just giving up on their laptops... and that's after I tried to recommend some tweaks to settings to stop the incessant background crap.
In fact, for many users (not the typical Slashdot user), modern AV (incl Symantec AV) can actually increase felt computer performance due to scheduled background maintenance tasks (defrag, for example).
What the heck are you talking about? My copy of Norton Utilities (came with AV package) I got in 1995 or 1996 something had automatic defrag operations (and all sorts of other "maintenance" it could do in the background) -- and it was PRECISELY all those background processes and tasks that slowed my system to a halt, leading me to dump the OS and reinstall everything without Norton.
I tried again maybe 10 years ago, and the same crap happened. The only usable AV that doesn't completely slow down your system is usually one tweaked so it doesn't perform any "background maintenance" nonsense.
Still, like all software, AV products do consume resources and can have a noticeable performance hit, especially on marginal hardware to start with.
Yeah, and that's the whole problem. AV products need to be designed for MARGINAL HARDWARE. That's probably their primary audience -- people who buy cheap underpowered systems that have crap "trial versions" of AV on them to try to convince people to buy, and people with older systems who have realized that "weird stuff is happening" and decide to try to purchase AV. If the AV companies can't make their stuff work reasonably well on older or underpowered machines, who the heck do they think they are going to sell to?
In the email world there are 'reputation' providers that will give an IP address a score (e.g. from 0 to 100). On many domains if your 'reputation' is too low, the email bounces. However we are heading towards an IPv6 world where ip-reputation is too hard (too many addresses). So you need another way to base your reputation on (e.g. your domain name or email address).
Who is providing the content and are they trusted (you better prove you are trustworthy). Just another option.
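An added example, not code from the original thread, of the reputation idea described in the post above and of the IPv6 problem it raises: instead of scoring every address (useless when one allocation holds 2**64 of them), the score is kept per /64 block and per sending domain, and a message is accepted only when both clear a threshold. The observations, addresses (documentation ranges), domain names and the smoothing formula are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample observations for this example: (source address, sending domain, was_spam).
# Addresses are from documentation ranges and the domains are made up.
OBSERVATIONS = [
    ("2001:db8:1:2::10", "good-mail.example", False),
    ("2001:db8:1:2::11", "good-mail.example", False),
    ("2001:db8:1:2::12", "good-mail.example", False),
    ("2001:db8:bad:1::1", "junk.example", True),
    ("2001:db8:bad:1::2", "junk.example", True),
    ("2001:db8:bad:1::3", "junk.example", True),
    ("2001:db8:bad:1::4", "junk.example", False),
    ("198.51.100.7", "mixed.example", True),
    ("198.51.100.7", "mixed.example", False),
]

NEUTRAL = 50.0  # score assumed for a key that has never been observed


def reputation_key(addr: str) -> str:
    """Map an address to the unit reputation is kept on.

    IPv4: the single host. IPv6: the covering /64, because one allocation holds
    2**64 addresses and a sender rotating through them would never accumulate
    a score if we keyed on the exact address.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 64 if ip.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def build_scores(observations):
    """Return (network_scores, domain_scores), each {key: score in 0..100}.

    score = 100 * (ham + 1) / (total + 2), i.e. Laplace smoothing so that a
    single observation cannot push a key straight to 0 or 100.
    """
    counts = {"net": defaultdict(lambda: [0, 0]), "dom": defaultdict(lambda: [0, 0])}
    for addr, domain, was_spam in observations:
        for kind, key in (("net", reputation_key(addr)), ("dom", domain.lower())):
            counts[kind][key][0] += 0 if was_spam else 1  # ham count
            counts[kind][key][1] += 1                     # total count

    def finish(c):
        return {k: 100.0 * (ham + 1) / (total + 2) for k, (ham, total) in c.items()}

    return finish(counts["net"]), finish(counts["dom"])


def should_accept(addr, domain, net_scores, dom_scores, threshold=50.0):
    """Accept only if both the network block and the domain clear the threshold.

    A never-seen IPv6 host inside a block that has been spamming inherits the
    block's score, which is the whole point of keying on the /64.
    """
    net = net_scores.get(reputation_key(addr), NEUTRAL)
    dom = dom_scores.get(domain.lower(), NEUTRAL)
    return min(net, dom) >= threshold


if __name__ == "__main__":
    nets, doms = build_scores(OBSERVATIONS)
    for addr, dom in [("2001:db8:1:2::ff", "good-mail.example"),
                      ("2001:db8:bad:1::99", "junk.example"),
                      ("2001:db8:ffff::1", "never-seen.example")]:
        print(addr, dom, "accept" if should_accept(addr, dom, nets, doms) else "reject")
```

Taking the minimum of the two scores is the conservative choice: a good domain sending from a block that has been spamming is still held back, and the unseen-key default of 50 means a brand-new sender is neither trusted nor blocked until it builds a history.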
All antivirus software is ultimately based on the notion of a blacklist. That has failed. Whitelists however... that is lists of known good applications are more reasonable. Yes, they require users to know the difference and not just white list any nonsense. But white lists are much better at dealing with zero day attacks etc.
This is what anti virus should be... white lists.
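An added example, not part of the post above, of what a whitelist (allowlist) check looks like in practice: approval is keyed on the SHA-256 of the file's content rather than on its path or name, so a swapped-in binary at a trusted path is denied, and anything never approved, including a zero-day sample, is denied by default. The "binaries" here are constructed byte strings standing in for real executables; the class and its method names are this example's own.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for approved binaries. A real deployment would hash the
# actual executables; these byte strings exist only for the example.
APPROVED = {
    "editor.exe": b"MZ\x90\x00 constructed stand-in for the approved editor build",
    "browser.exe": b"MZ\x90\x00 constructed stand-in for the approved browser build",
}


class Allowlist:
    """Execution allowlist keyed by content hash, not by path or filename."""

    def __init__(self, approved: dict):
        self._by_hash = {sha256_hex(data): name for name, data in approved.items()}

    def approve(self, name: str, data: bytes) -> None:
        """Admin action: add a new or updated build. Every update has to be
        re-approved, which is the maintenance cost of this model."""
        self._by_hash[sha256_hex(data)] = name

    def verdict(self, data: bytes):
        """('allow', approved name) or ('deny', sha256). Unknown means deny:
        a never-seen sample gets no grace period, unlike with a blacklist."""
        h = sha256_hex(data)
        if h in self._by_hash:
            return ("allow", self._by_hash[h])
        return ("deny", h)

    def verdict_for_file(self, path: Path):
        """Hash what is on disk right now; the name the file carries is ignored."""
        return self.verdict(path.read_bytes())


if __name__ == "__main__":
    import tempfile

    al = Allowlist(APPROVED)
    with tempfile.TemporaryDirectory() as d:
        genuine = Path(d, "editor.exe")
        genuine.write_bytes(APPROVED["editor.exe"])
        # Same filename, different content: what a path- or name-based list would wave through.
        swapped = Path(d, "sub", "editor.exe")
        swapped.parent.mkdir()
        swapped.write_bytes(APPROVED["editor.exe"] + b"\x00tampered")
        for p in (genuine, swapped):
            print(p, al.verdict_for_file(p))
```

The trade-off the post mentions shows up in approve(): every legitimate update changes the hash, so someone has to keep the list current or users will be blocked from running patched software.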
The problem is a majority of the stuff that gets on the computer are not viruses at all. Sure they are crappy, annoying, and screw the computer over and hog all the resources, but they are legal "products" being shilled to the internet surfer constantly, telling them their computer is slow and this and that, and they just need to install "blah blah blah registry cleaner" to make it better. But then you install it, and all it does is scan and tell you you need to pay money to actually fix anything (not that it would help, since it is the thing actually slowing the computer down by starting up and scanning constantly now). The user generally does not know how to remove a program, if the uninstaller works at all. Some of these come bundled with other "helpful" trial programs and shopping "helpers" and "savers" that work hard to show you ads all the time of all the deals you could be getting. All of this stuff is legal and installed by the user.
I found a cure for Cancer . . . but it's only effective against 55% of the cancers out there, so it hardly seems worth immunizing the public since it's not 100% effective.
As long as the overhead of trapping/blocking the 55% of computer virus attacks is unobtrusive to me . . . Thanks, I'll gladly take what protection I can get.
As much as I dislike the company I have to say Antiviruses can't protect users from being stupid.
First off, most of the commercial ones like Norton, are barely better than the viruses they claim to protect you from. Except they are more bloated, you pay for them, and usually come pre-installed on your system if you buy retail. Many of the "free" (usually pay for upgrade) options are actually much better. My two favorite are MSE and Spybot. However even they have limitations now. From experience MOST baddies, are not really the viruses of old, but rather adware of some creed. Anyone who has gotten one of these and removed it can tell you about the painful process of trying to go through the complex process to get rid of some of these insidious things. Having a 2nd computer or smart phone is handy in trying to do this so you can take the affected system offline so it doesn't automatically re-infect itself halfway through the process. In many cases it is just easier to wipe the slate clean and install clean again. AV is going to have a very hard time automating some of those complex processes to remove the agent. Hell a good chunk of the malware you are going to get is likely produced with the specific purpose of selling AV software in the first place. Having some AV is a good idea, but it is only a very small piece of the puzzle. Firewalls are more critical. Even more so than that is being critical about what you run, visit or install on your machine. Knowing if you go to a sketchy site you are running a risk. Have install disks. Have a decent backup. That is the world we live in now. I know what the hell I am doing, but every now and again even I get owned. Many of them aren't really infecting your system, so much as vulnerable software, particularly browsers. The last one I had, was easily removed from the "system", but it continued to completely own Chrome, which you would have to go into and manually change all the settings back, or re-install a clean version of Chrome with default settings.
So anyway to summarize, it just isn't all that useful anymore, but like anything you can sell it to people who don't know any better.
In case you hadn't noticed, Credit Card companies secure your credit card using techniques very similar to A/V vendors' products. They do heuristic scanning of transactions, looking for consumer spending patterns and throwing red flags when they change significantly. You can wax poetic all you want about "smart cards" but the system is big enough that we'll probably *never* be without similar methods for protecting your bank account
I've had some experience with managed Symantec Enterprise Protection in recent years (>2012) and it takes very low resources (I have it running on several high-end computational workstations with no impact to calculation speed pre- and post-installation). Further, it (seems) to remove without any issues. I'm not saying it is the best AV solution, and the manageability is a little obfuscated, but in general, many of the disparaging statements you bring up are inconsistent with my general experience.
Not even close, unless you also think that the majority of people who suffer in silence all fret over the same life issue.
Apathy has at least a dozen different root causes at the level of kingdom and phyla. Some people dislike how their computer turns into a vat of sticky molasses right after the anti-virus software gets installed. They didn't know you need twice as much bare metal to eke out a tolerable user experience once the protective condom—prosthetic cylinder—is superglued onto the pink skin under the hood. When you find a male user whose entire panoply of defences are on the floor (or around his ankles), one suspects the anti-virus software was interfering with a cherished late-night hobby.
The entire anti-virus program was misconceived to begin with. It's not ultimately impossible to write secure code, but it will remain impossible until we've exhausted every other dodge.
Note that by "secure" I don't mean "flawless". A better proxy is that once a flaw is discovered, it takes far longer to work up a successful exploit than it does to fix the problem and test the patch, assuming both lines of development hear the same gun.
I've been reading security threads for at least two decades. There's always someone who pipes up with the view that because the travelling salesman problem is NP-complete, you might as well plan your route by flipping coins. This is the strange and not-so-wonderful archaea kingdom of the apathy tree. Brain the size of a planet, and all these people can manage is to cop a snivel. These people have their edge enhancement (aka paranoia) dialed up so far, the entire universe looks like a chessboard in the movie Tron. I'm guessing that the evolution of intelligent life is also NP-complete, yet somehow it happened. Hard to notice this if your giant brain perceives itself as living on planet Tron.
At the end of the day secure code has no hope of survival in a winner-take-all market with a short little span of attention (winner take all, until it's all siphoned away by a Chinese triad). It probably boils down to prisoner's dilemma—until there's a sea change, and secure code gets the girl.
The answer lies in a systems theory analysis of human mating-instinct time horizons. This is a different difficulty class than NP-complete, founded on the technique of proof by partial induction: well, we're still here.
It constantly irritates me when I see people installing all sorts of junk simply because they can't be bothered to READ what's on the screen, right in front of them. Thanks to the proliferation of "free" software for Windows (as opposed to true freeware), the installation programs often ask you if you'd like to ALSO install one of several other questionable toolbars, add-ons or other utilities, with an "opt in" default for each prompt. Really, there's no secret here.... It tells you right on the screen what it wants to install, and you simply de-select a check-mark to skip it. But people blow right through those prompts, clicking as fast as they can find the button, and then wonder where the "Super Cool MegaSearch" toolbar came from that keeps popping up ad banners while they surf the web.
Software cannot currently exist in or directly access Layer 8.
Our governments are addressing this and within the decade 'AV Firms' will once again have full access to all IO and static data within layer 8 of the OSI model.
I have been reliably informed that these measures will reduce crime and increase community compliance and by bringing calm to all who have the Thought Process Modification (TPM) chip installed.
The simple fact is the most basic crypter can defeat 99% of the antivirus that are on the market and the 1% that does catch something that is crypted just gets lucky. Until the app has spread around enough for the antivirus databases to learn the hash of the file in question, only then it gets flagged and nearly all antivirus programs catch it instantly. This is obviously a download and run scenario not a drive by attack (crypted files). Either way you look at it you can expect to get owned with a clever 0-day or crypted app. So watch what you torrent ;)
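An added example, not code from the thread, illustrating both the reactive-signature point made earlier in the thread and the crypter point in the post above. A toy "crypter" (XOR with a fresh random keystream, key shipped in front; real ones ship a decryptor stub instead) makes every build of the same harmless stand-in blob byte-different, so an exact-hash signature never fires again, while a crude entropy heuristic still does. The sample, the hash list and the 7.2 bits/byte threshold are constructed for the example.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed stand-in for a sample the vendor already has a signature for.
# It is repetitive on purpose so its entropy is low, as real code and data tend to be.
KNOWN_SAMPLE = b"harmless stand-in for a known sample; " * 80
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def crypt(payload: bytes) -> bytes:
    """Toy crypter: XOR the payload with a fresh random keystream and ship the
    key in front of it. Every build differs in every byte, so neither a hash nor
    a byte pattern lifted from one build matches the next."""
    key = os.urandom(len(payload))
    return key + bytes(p ^ k for p, k in zip(payload, key))


def decrypt(blob: bytes) -> bytes:
    """Reverse crypt(): first half is the key, second half the XORed payload."""
    half = len(blob) // 2
    key, body = blob[:half], blob[half:]
    return bytes(b ^ k for b, k in zip(body, key))


def hash_blacklisted(data: bytes) -> bool:
    """Signature check in its crudest form: exact hash match against known samples."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution; uniform random bytes approach 8.0,
    text and machine code sit well below."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def heuristic_flag(data: bytes, threshold: float = 7.2) -> bool:
    """The kind of heuristic that still sees a crypted build: content that is
    near-uniform random is encrypted, compressed, or packed."""
    return entropy_bits_per_byte(data) >= threshold


if __name__ == "__main__":
    build_a, build_b = crypt(KNOWN_SAMPLE), crypt(KNOWN_SAMPLE)
    print("original hash hit:", hash_blacklisted(KNOWN_SAMPLE))
    print("crypted hash hit:", hash_blacklisted(build_a), hash_blacklisted(build_b))
    print("two builds identical:", build_a == build_b)
    print("entropy original / crypted: %.2f / %.2f"
          % (entropy_bits_per_byte(KNOWN_SAMPLE), entropy_bits_per_byte(build_a)))
    print("heuristic flags crypted build:", heuristic_flag(build_a))
```

The catch with the heuristic is the false-positive trade-off mentioned earlier in the thread: legitimate compressed archives, installers and encrypted containers look exactly the same to an entropy test, which is why vendors cannot simply turn it up and why the crypted build is flagged as "suspicious" rather than "known bad".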
Hi, I'm another 'anonymous coward' (actually APK but pretending to be anonymous) writing in support of APK, because nobody will ever know that it's me.
I'm so damn clever!!
Eventually Norton AV began to take less resources and I think became easier to uninstall, but I am not sure about the detection rate.
Hi fuckwad, allow me to help you out here: nobody cares what you have to say, whether it's accurate or not, so stop annoying everyone by posting your shit over and over again.
No, we're not going to argue the usefulness of the hosts file with you, because we don't care and because nobody wants to talk to you.
You must have noticed by now, right? Nope! Still ignorant as ever, APK. You're too self-absorbed to notice anything outside your own little world. Better idea would be to post the hosts stuff again, maybe THIS TIME people will like you?
Oh, good one - let's have it again! Nobody noticed it the first time, right?
Now they've broken login, good job.
Time to leave /. if they can't even get the basics right.
1. Disable autorun.
2. Install adblocker.
3. Install EMET.
4. Install the security updates people.
5. Stop opening every freaking email attachment.
Congrats. Your odds of being infected with anything are stupid low. And you did it without even installing an AV yet.
The censorship is a turn-off, and while it's good to have some kind of app testing, kicking apps out due to their content, or because they can run DOS apps, SNES ROMs and so on...
Heheheh, use SAR Tool much? I remember those days. Pretty bad when they have to have a special removal tool to get the software off your machine.
Plus you have to wonder what back doors were created to allow it to be possible in the first place (since other software should not be able to remove your AV).
Brake lights are usually electrical rather than hydraulic
I have an idea guys, let's draw attention to how useless our product is and see how many suckers still buy it! Purchase antivirus software from Symantec, the world's leader in software that lures you into a false sense of security. Get it now for only $50 and you can enjoy a few more months of 50% less viruses, after that - meh, who knows!
Self-encrypting and polymorphic malware has been detectable for over 20 years.