Ask Slashdot: How Dead Is Antivirus, Exactly?
Safensoft writes: Symantec recently made a loud statement that antivirus is dead and that they don't really consider it to be a source of profit. Some companies said the same afterwards; others suggested that Symantec just wants a bit of free media attention. The press is full of data on antivirus efficiency being quite low. A notable example would be the Zeus banking Trojan, and how only 40% of its versions can be stopped by antivirus software. The arms race between malware authors and security companies is unlikely to stop.
On the other hand, experts' opinions of antivirus software have been low for a while, so it's hardly surprising. It's not a panacea. The only question that remains is: how exactly should antivirus operate in modern security solutions? Should it be one of the key parts of a protection solution, or should it be reduced to only stopping the easiest and most well-known threats?
Threats aren't the only issue — there are also performance concerns. Processors get better, and interaction with hard drives becomes faster, but at the same time antivirus solutions require more and more of that power. Real-time file scanning, constant updates and regular checks on the whole system only mean one thing – as long as antivirus is thorough, productivity while using a computer goes down severely. This situation is not going to change, ever, so we have to deal with it. But how, exactly? Is a massive migration of everything, from workstations to automatic control systems in industry, even possible? Is using whitelisting protection on Windows-based machines the answer? Or should we all just sit and hope for Microsoft to give us a new Windows with good integrated protection? Are there any other ways to deal with it?
"only 40% of its versions can be stopped by antivirus software" Take a general case. What proportion of crime is stopped by the police?
I'd say security in the future will converge on three lines:
a) Sandboxed browsers/apps: Different browsers for mail access, general browsing and sensitive browsing (banking, using credit card, etc). All browsers revert to base state after closing, or allow just a limited set of changes (bookmarks, cookies). The browsers are possibly stored in a USB stick with a physical write protection switch for part of the storage.
b) Trust structure: The OS will only execute programs with a certain signature, based on a chain of trust. You can choose who to trust or not.
c) Closed devices: (See Apple iPhone and iPad, but with paranoid-mode).
Well implemented, these strategies can reduce the malware threat, and they are implementable with current technology. I really don't see the anti-virus surviving much. It's an after-the-fact tech that was born as a patch for systems unprepared for a new threat. The playing board is now set and the structure of the systems must change to reflect that.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
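An added illustration of the "trust structure" in point (b) above, written for this discussion and not code from the commenter or from any real operating system: a root key endorses publisher keys, each publisher signs the SHA-256 of its releases, and the loader's policy checks the user's own trust choice, the root endorsement and the binary signature, in that order, before anything runs. Publisher names, keys and program bytes are constructed; Go's standard crypto/ed25519 stands in for whatever signature scheme a real platform would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PublisherCert binds a publisher name to its signing key; RootSig is a root
// key's signature over that binding (a deliberately minimal certificate).
type PublisherCert struct {
	Name    string
	PubKey  ed25519.PublicKey
	RootSig []byte
}

// ProgramSig is the publisher's signature over the SHA-256 of a binary.
type ProgramSig struct {
	Publisher string
	Sig       []byte
}

// Policy is what the loader consults before running anything: the roots it
// ships with and the publishers this user has chosen to trust.
type Policy struct {
	Roots             []ed25519.PublicKey
	TrustedPublishers map[string]bool
}

func certBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// IssuePublisherCert is the root endorsing a publisher key.
func IssuePublisherCert(rootPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) PublisherCert {
	return PublisherCert{Name: name, PubKey: pub, RootSig: ed25519.Sign(rootPriv, certBytes(name, pub))}
}

// SignProgram is the publisher signing a release.
func SignProgram(priv ed25519.PrivateKey, publisher string, program []byte) ProgramSig {
	h := sha256.Sum256(program)
	return ProgramSig{Publisher: publisher, Sig: ed25519.Sign(priv, h[:])}
}

// MayExecute walks the chain: user trust, then root endorsement of the
// publisher certificate, then the signature over the binary itself.
func (p Policy) MayExecute(program []byte, sig ProgramSig, cert PublisherCert) error {
	if cert.Name != sig.Publisher || !p.TrustedPublishers[cert.Name] {
		return errors.New("publisher not trusted by this user")
	}
	endorsed := false
	for _, root := range p.Roots {
		endorsed = endorsed || ed25519.Verify(root, certBytes(cert.Name, cert.PubKey), cert.RootSig)
	}
	if !endorsed {
		return errors.New("publisher certificate not endorsed by any trusted root")
	}
	h := sha256.Sum256(program)
	if !ed25519.Verify(cert.PubKey, h[:], sig.Sig) {
		return errors.New("binary signature invalid: modified after signing or forged")
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenarios builds a constructed root, two publishers and a rogue root and
// returns the verdict for each case; a nil error means "allowed to run".
func RunScenarios() map[string]error {
	rootPub, rootPriv := mustKey()
	_, roguePriv := mustKey()
	goodPub, goodPriv := mustKey()
	otherPub, otherPriv := mustKey()
	good := IssuePublisherCert(rootPriv, "Example Software Ltd", goodPub)   // constructed publisher name
	other := IssuePublisherCert(rootPriv, "Other Vendor", otherPub)         // endorsed, but never trusted by the user
	rogue := IssuePublisherCert(roguePriv, "Example Software Ltd", goodPub) // same name, endorsed by an unknown root
	policy := Policy{
		Roots:             []ed25519.PublicKey{rootPub},
		TrustedPublishers: map[string]bool{"Example Software Ltd": true},
	}
	program := []byte("constructed program bytes, release 1.0")
	tampered := append(append([]byte{}, program...), " + injected code"...)
	goodSig := SignProgram(goodPriv, "Example Software Ltd", program)
	otherSig := SignProgram(otherPriv, "Other Vendor", program)
	return map[string]error{
		"signed by trusted publisher":        policy.MayExecute(program, goodSig, good),
		"binary modified after signing":      policy.MayExecute(tampered, goodSig, good),
		"publisher endorsed but not trusted": policy.MayExecute(program, otherSig, other),
		"certificate from unknown root":      policy.MayExecute(program, goodSig, rogue),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-36s -> %v\n", name, err) // nil means the loader would allow it
	}
}
```

The order of the checks is the point: the user's trust list is consulted first, so a vendor the root has endorsed still cannot run until this user opts in, and a certificate that merely reuses a trusted name fails because no shipped root signed it. What this model does not solve is a signed-but-malicious program, which is exactly the residual risk the later comments about profit and market share describe.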
Let's translate the OP's question:
I have this insecure by design environment, while there are more secure by design environments available (yeah, probably not completely secure, but much more secure than what I'm using now). I'd like to patch my grossly insecure environment to get at least an illusion of security instead of considering the alternatives.
I apologize for the lack of a signature.
Money. Simple as that.
I've been on the "other side" of the security business for a bit over a decade now. I'm not really earning pocket change, but it's by some margin dwarfed by what the criminal side of our business makes.
Malware is profitable. If you really want to fight malware, you first have to make it unprofitable. As long as it is possible to profit from spam and botnets, it's not going to stop. And since the source of spam and botnets is in countries you can't really reach, while the targets are "here", I guess it's time to start punishing those who are unable or unwilling to keep their computers secure.
Yes, that means punishing the victim. Whereas the victim here is a facilitator for the culprit. It's like leaving your car unlocked and open on the main road and someone using it for a bank heist. I don't know about yours, but in my country, if that's your car you're due for facilitating a crime.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Mostly 'cause it's not profitable. Too small a market. Same reason why business software is rare for Linux (desktop, at least): No market.
As for "but it's more secure because you don't need root for every shit": The current big thing, cryptolocker, would work just as well on Linux. It needs no special privileges, all it needs is to run as the current user to encrypt all of the current user's documents and hold them for ransom.
I don't want to start the flamewar of whether Linux is more secure than Windows. Mostly because it does not matter jack. Linux could be the most insecure OS on the planet and still Windows would get the bigger share of malware. Simply because it is the bigger market.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
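A defender-side counterpart to that observation, added here as an illustrative example and not code from any commenter or product: because a cryptolocker-style process needs no special privileges, a control that does not depend on signatures can instead watch what any user-level process does to the user's documents. The detector below scores written data by Shannon entropy and flags a process that rewrites several distinct files with ciphertext-like content inside a short window. The event format, thresholds, paths and the fake "ciphertext" are all constructed for the example; a real deployment would feed it from a file-system filter driver or audit log.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
	"sort"
	"strings"
)

// WriteEvent is one file write as a file-system filter or audit log would
// report it: relative time in seconds, writing process, path and the bytes.
type WriteEvent struct {
	T    float64
	PID  int
	Path string
	Data []byte
}

// Entropy returns the Shannon entropy of b in bits per byte (maximum 8.0).
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Detector flags a process that overwrites at least MinFiles distinct files
// with ciphertext-like data (entropy >= Threshold) inside WindowSeconds.
type Detector struct {
	Threshold     float64
	WindowSeconds float64
	MinFiles      int
}

func (d Detector) Suspicious(events []WriteEvent) []int {
	type hit struct {
		t    float64
		path string
	}
	byPID := map[int][]hit{}
	for _, e := range events {
		if Entropy(e.Data) >= d.Threshold {
			byPID[e.PID] = append(byPID[e.PID], hit{e.T, e.Path})
		}
	}
	var flagged []int
	for pid, hits := range byPID {
		sort.Slice(hits, func(i, j int) bool { return hits[i].t < hits[j].t })
		for i := range hits { // sliding window opening at each high-entropy write
			distinct := map[string]bool{}
			for j := i; j < len(hits) && hits[j].t-hits[i].t <= d.WindowSeconds; j++ {
				distinct[hits[j].path] = true
			}
			if len(distinct) >= d.MinFiles {
				flagged = append(flagged, pid)
				break
			}
		}
	}
	sort.Ints(flagged)
	return flagged
}

// ciphertextLike deterministically produces n bytes with near-maximal entropy
// (a constructed stand-in for encrypted file contents; nothing is encrypted).
func ciphertextLike(seed string, n int) []byte {
	out := make([]byte, 0, n+32)
	for i := 0; len(out) < n; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s:%d", seed, i)))
		out = append(out, h[:]...)
	}
	return out[:n]
}

// SampleEvents is a constructed log: a word processor saving text, a backup
// tool writing one archive, and a process rewriting eight documents in 1.4 s.
func SampleEvents() []WriteEvent {
	text := []byte(strings.Repeat("Quarterly report draft, figures to be confirmed. ", 40))
	ev := []WriteEvent{
		{T: 0.0, PID: 1200, Path: `C:\Users\alice\Documents\report.docx`, Data: text},
		{T: 6.0, PID: 3000, Path: `D:\backup\documents.zip`, Data: ciphertextLike("zip", 4096)},
	}
	for i := 0; i < 8; i++ {
		ev = append(ev, WriteEvent{T: 10.0 + 0.2*float64(i), PID: 4410,
			Path: fmt.Sprintf(`C:\Users\alice\Documents\file%d.xlsx`, i), Data: ciphertextLike("enc", 2048)})
	}
	return ev
}

func main() {
	d := Detector{Threshold: 7.5, WindowSeconds: 5, MinFiles: 5}
	fmt.Println("suspicious PIDs:", d.Suspicious(SampleEvents())) // [4410]
}
```

The backup archive is just as high-entropy as the rewritten spreadsheets, but it is a single file, so counting distinct paths per window is what separates bulk rewriting from one legitimate archive write. Compression and encryption tools that do touch many files at once are the expected false positives, which is why a behavioural rule like this is normally paired with an allowlist of known processes rather than used on its own.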
In an ideal world we would be a bunch of smurfs helping each other out when needed. However, this would simply be utopian. This lifestyle might work for small communities of 5-25 people where everyone is dependent upon each other for friendship, socialization, and survival.
I have a small client that hasn't run anything more than Microsoft Security Essentials for three years, mainly because they don't want to spend the money.
So far, I've only had to rebuild about 3 PCs in that time frame due to infection. They also got hit by cryptolocker but at a weird time where it just made sense to reload the share directories from a recent backup because there hadn't been any changes to worry about between infection and last backup.
The controller feels that this is more or less an acceptable trade-off over time -- my labor cost to rebuild the PCs vs. the ongoing cost of AV.
They are probably right there - of those 3 rebuilds, how many do you think would have been prevented by paying more for any given AV product? Thinking back, I can remember several PCs needing recovery work because of the AV system in use (good old McAfee pulled down an update which declared a piece of Windows XP itself to be malware and need deletion - leaving a machine you couldn't log in to until that file was reinstalled), and probably two nasty infections for me to clean, which got in despite McAfee being present with fairly paranoid settings.