Ask Slashdot: How Dead Is Antivirus, Exactly?

Safensoft writes: Symantec recently made a loud statement that antivirus is dead and that they don't really consider it to be a source of profit. Some companies said the same afterwards; some other suggested that Symantec just wants a bit of free media attention. The press is full of data on antivirus efficiency being quite low. A notable example would be the Zeus banking Trojan, and how only 40% of its versions can be stopped by antivirus software. The arms race between malware authors and security companies is unlikely to stop.

On the other hand, experts' opinions of antivirus software have been low for a while, so it's hardly surprising. It's not a panacea. The only question that remains is: how exactly should antivirus operate in modern security solutions? Should it be one of the key parts of a protection solution, or it should be reduced to only stopping the easiest and most well-known threats?

Threats aren't the only issue — there are also performance concerns. Processors get better, and interaction with hard drives becomes faster, but at the same time antivirus solutions require more and more of that power. Real-time file scanning, constant updates and regular checks on the whole system only mean one thing – as long as antivirus is thorough, productivity while using a computer goes down severely. This situation is not going to change, ever, so we have to deal with it. But how, exactly? Is a massive migration of everything, from workstations to automatic control systems in industry, even possible? Is using whitelisting protection on Windows-based machines is the answer? Or we should all just sit and hope for Microsoft to give us a new Windows with good integrated protection? Are there any other ways to deal with it?

Never mind the quantity, feel the quality

[Badger+Nadgers]

"only 40% of its versions can be stopped by antivirus software" Take a general case. What proportion of crime is stopped by the police?

Re:Never mind the quantity, feel the quality

[Luckyo]

I always log on as admin on my home machine. The only time I ever got a virus on a machine was back in 1990s, where I got hit by a floppy virus that did nothing except propagate itself.

I also got owned once when I reinstalled XP on network that was completely open to the internet and forgot to unplug the PC during the installation. That installation got owned before I installed firewall in a very obvious way - it started throwing porn ad popups everywhere. I nuked the drive with format c: and reinstalled after about 20 minutes with PC unplugged.

But I haven't gotten owned once because I run as a full admin. It's more risky, sure, but it's far more comfortable to use. And security is always a trade off between risk and comfort, and safety and discomfort. And if you're smart enough at using your PC, using it as an admin, and installing from other sources is quite safe nowadays.

You may accept the discomfort that comes with your degree of safety. Many of us don't. And many of us are in fact smart enough not to get owned even at our lower safety level.

Incentive Bug Finding

What are virus writers looking to get out of writing malware? Money? Fame? Absolute Power?? Well neither of the last two are ever going to happen.

We should incentivize the reporting of bugs... Getting recognition as being a prolific bug finder, and fixer in a positive light would be a start. Also being paid is another avenue. Optional fame, and a steady reliable source of money would be very appealing to most people.

Am I just being naive?

Re:Incentive Bug Finding

[Opportunist]

Money. Simple as that.

I've been on the "other side" of the security business for a bit over a decade now. I'm not really earning pocket change, but it's by some margin dwarfed by what the criminal side of our business makes.

Malware is profitable. If you really want to fight malware, you first have to make it unprofitable. As long as it is possible to profit from spam and botnets, it's not going to stop. And since the source of spam and botnets is in countries you can't really reach, while the targets are "here", I guess it's time to start punishing those who are unable or unwilling to keep their computers secure.

Yes, that means punishing the victim. Whereas the victim here is a facilitator for the culprit. It's like leaving your car unlocked and open on the main road and someone using it for a bank heist. I don't know about yours, in my country, if that's your car you're due for facilitating a crime.

Sandboxing

[OpenSourced]

I'd say security in the future will converge on three lines:

a) Sandboxed browsers/apps: Different browsers for mail access, general browsing and sensitive browsing (banking, using credit card, etc). All browsers revert to base state after closing, or allowing just a limited set of changes (bookmarks, cookies). The browsers are possibly stored in a USB stick with a physical write protection switch for part of the storage.

b) Trust structure: The OS will only execute programs with a certain signature, based in a chain of trust. You can choose who to trust or not.

c) Closed devices: (See Apple iPhone and iPad, but with paranoid-mode).

Well implemented, these strategies can reduce the malware threat, and they are implementable with current technology. I really don't see the anti-virus surviving much. It's an after-the-fact tech that was born as a patch for systems unprepared for a new threat. The playing board is now set and the structure of the systems must change to reflect that.

Stockholm syndrome

[Torp]

Let's translate the OP's question:
I have this insecure by design environment, while there are more secure by design environments available (yeah, probably not completely secure, but much more secure than what I'm using now). I'd like to patch my grossly insecure environment to get at least an illusion of security instead of considering the alternatives.

Re:Switch to linux / OsX.

[Opportunist]

Mostly 'cause it's not profitable. Too small a market. Same reason why business software is rare for Linux (desktop, at least): No market.

As for "but it's more secure because you don't need root for every shit": The current big thing, cryptolocker, would work just as well on Linux. It needs no special privileges, all it needs is to run as the current user to encrypt all of the current user's documents and hold them for ransom.

I don't want to start the flamewar of whether Linux is more secure than Windows. Mostly because it does not matter jack. Linux could be the most insecure OS on the planet and still Windows would get the bigger share of malware. Simply because it is the bigger market.

Re: End state and private capitalism.

[DaMattster]

In an ideal world we would be a bunch of smurfs helping each other out when needed. However, this would simply be utopian. This lifestyle might work for small communities of 5-25 people where everyone is dependent upon each other for friendship, socialization, and survival.

Re:Switch to linux / OsX.

Which will last exactly as long as it isn't profitable to make a virus for it.

If everyone swapped to a certain distro of Linux, I'd be willing to bet you'd have major problems within a week.

This old Trope again; completely belied by the facts that:

• MacOS which was not so popular was one of the major virus problem OSs
• OSX, which is much more popular, gets almost no viruses whilst
• Google default Android which is much more popular than Windows get's practically no viruses whilst
• Chinese Android clones, which have a smaller market than mainline Android Get lots and
• iOS whicuh is more popular than that, gets practically none

There are several major things;

• does the OS run "default secure" like Ubuntu, RedHat, Android and iOS where only verified software is installed and there won't be servers running on a normal user install. - if yes you tend to be okay - if no, ike Windows and Chinese Android, you tend to lose
• does the vendor keep backdoors into the system like Windows Update and ActiveX or do they treat security flaws as bugs and fix them no matter what - like most BSD and Linux variants
• does the vendor blame the victim - like UAC or do they just block stupidity and, for example, require the admin to do command line security disabling for special cases - like Red Hat Enterprise Linux and OpenBSD

Each of these are deisgn differences and the problems come down to commercial choices by Microsoft to increase their profit at risk their own user's safety. Microsoft invented the executable email attachment making email spreading viruses, previously thought of as just a joke, a reality. Note, that these are not technical problems. The Windows NT kernel, a design copied from VMS, is a perfectly fine base for security. What is needed to get rid of viruses is to start to see competing companies who actually care about their users and not just the lockin and immediate profit they can extract from those users.

Re:Dead as a profit source for Symantec, well, ...

[swb]

I have a small client that hasn't run anything more than Microsoft Security Essentials for three years, mainly because they don't want to spend the money.

So far, I've only had to rebuild about 3 PCs in that time frame due to infection. They also got hit by crytolocker but at a weird time where it just made sense to reload the share directories from a recent backup because there hadn't been any changes to worry about between infection and last backup.

The controller feels that this is more or less an acceptable trade-off over time -- my labor cost to rebuild the PCs vs. the ongoing cost of AV.

Re:Dead as a profit source for Symantec, well, ...

[Cyberdyne]

The controller feels that this is more or less an acceptable trade-off over time -- my labor cost to rebuild the PCs vs. the ongoing cost of AV.

They are probably right there - of those 3 rebuilds, how many do you think would have been prevented by paying more for any given AV product? Thinking back, I can remember several PCs needing recovery work because of the AV system in use (good old McAfee pulled down an update which declared a piece of Windows XP itself to be malware and need deletion - leaving a machine you couldn't log in to until that file was reinstalled), and probably two nasty infections for me to clean, which got in despite McAfee being present with fairly paranoid settings.

Re:No, you don't need AV, even on Windows

[kesuki]

sounds like we've got an Id ten T error.

thing is, i've seen $100 a fix computer security professionals unable to remove a virus.

i removed the administrator privileges from said user and the malware couldn't reinstall itself. funny thing about windows is that making a new user account prevents many reinfection scenarios, yet a $100 a fix professional tries to fix it with tools that wont install properly because a malware is reinstalling every boot up.

they infected the keyboard controller on the laptop somehow too, so i used a new $10 usb keyboard to fix that because i didn't want to replace the whole keyboard, and made it so that the id ten t user would have to enter a password to install a program, and would have to use a password to remove the anti virus which i wrote down and didn't give to them. they also though youtube movie links were 'purchasing' movies so i did what i could and washed my hands of the situation.