Slashdot Mirror


Antivirus Software Could Make Your Company More Vulnerable (csoonline.com)

itwbennett writes: Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications. And evidence suggests that attacks against antivirus products are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims. Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status 'sold.'

74 comments

  1. Not quite AV, but close by Anonymous Coward · · Score: 0

    There's a well documented case of a successful automated attack on a personal firewall product - Witty worm, 12 years ago.

    1. Re:Not quite AV, but close by ls671 · · Score: 4, Insightful

      Every piece of software is a potential security hole. AVs, firewalls, encryption layers like SSL or whatnot constitute no exceptions.

      --
      Everything I write is lies, read between the lines.
    2. Re:Not quite AV, but close by Bert64 · · Score: 3, Insightful

      Exactly, which is why things should be kept simple - the less code you have running the less you have to keep track of.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Not quite AV, but close by Dutch Gun · · Score: 3, Informative

      I'll half agree with you... I think I know what you're getting at, but I think it's worth clarifying a bit. After all, it's not like any arbitrary code on a machine is vulnerable to random attacks from the internet.

      Rather than talking about simplicity - because let's face it, that will never happen - we need to focus on minimizing and hardening the attack surface. For instance, if my personal machine sits behind a router, arbitrary incoming traffic from the internet is blocked. Anything that isn't blocked then has to make it past my personal machine's built-in firewall, which would tend to reject most anything else. Thus, it's likely that 99.999 percent of the code on my machine (any modern OS is *horribly* complex by nature) is completely immune to random internet-based attacks, at least ignoring user actions like launching an infected program or script.

      A good example of minimizing attack surface is Amazon's recent release of a very tiny TLS library called s2n. With only 6000 lines of code, it's *much* easier to vet and declare secure than the feature rich but dangerously bloated OpenSSL library, which may put servers at risk with features they never used. Even the name (signal to noise) indicates the intent, which is to keep the library tiny and focused. We're discovering that there's a danger to letting code grow infinitely large and complex, and not deprecating it, because even if those old features work, they still may contain security issues. I'd be extremely surprised if s2n had any serious security flaws in its implementation simply due to its small size - there's just not as much that can go wrong there.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Not quite AV, but close by Desty · · Score: 1

      completely immune to random internet-based attacks, at least ignoring user actions like launching an infected program or script

      Or using a web browser to view a news article on Forbes triggering popunders with malware exploits, or looking at a page which happens to contain a PNG file designed to exploit a buffer overflow in the PNG parsing library, or running AV software which scans a ZIP file that happens to be crafted to exploit a vulnerability in the archive extraction library. Or really installing any software, ever.

      If there are two things we could do to mitigate the damage caused by these exploits, it's:
      1: Stop using C and C++ to write programs. People are still shooting themselves (and all users of their software) in the foot by accidentally introducing stack-smashing vulnerabilities and the like into their code in 2016, and that's embarrassing and unnecessary.
      2: Figure out how to automatically use virtualisation containers like Docker to isolate every user program into a separate virtual environment that prevents them from accidentally destroying the system. Without the user needing to even know anything about it...

    5. Re:Not quite AV, but close by Zaelath · · Score: 1

      While your desktop is likely pretty well protected against worms by default (ignoring the fact it's probably punching holes in the firewall with UPnP) it's /entirely/ irrelevant to the attack under discussion.

      This is a privilege escalation attack on people who are doing the 'right thing' and not running all their web browsers as admin. i.e. corporate/government networks that tend to enforce AV and have moved on from the Windows 98 model. Access from the internet side is not required.

      It's like you're saying HIV isn't a problem because you use condoms with any casual sex partners, but we've gone ahead and infected your spouse to get to you.

    6. Re:Not quite AV, but close by Dutch Gun · · Score: 1

      Yep, I didn't mean to imply otherwise. I was specifically responding to the parent's notion that "simplicity" is what's needed, but my argument is that's somewhat impractical given the size of modern software, so you need to focus more on the software that's exposed to potential attacks. And obviously, as this article points out, that includes our AV software.

      It's the reason many of us were upset with Mozilla for adding that stupid "Pocket" feature - that product is likely to have security holes, and the more code you add to a web browser (which Desty rightly pointed out is generally a much bigger attack surface), the more likely it is for there to be a crack in the existing code to exploit.

      I didn't mean to sound like I was blaming users - there are plenty of times users/admins do absolutely nothing wrong, like an exploit just from looking at a web page with a fully patched browser, or even just previewing an e-mail with a malicious payload. It's sort of depressing that we're still at this stage in computer security.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    7. Re:Not quite AV, but close by pnutjam · · Score: 1

      So, what I'm hearing is that huge pig AVs are bad (McAfee). They also open an attack vector because they are obfuscated to protect themselves from end users. This makes it more difficult for people to notice problems, and I see a clear pattern of users blaming slowness and odd behavior on the AV without any ability to really verify this.

    8. Re:Not quite AV, but close by david_thornley · · Score: 1

      Go ahead and use Modern C++. Properly used (and by that I mean doing things that can be easily checked by a code reviewer), it's a lot safer than C or older C++.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. Seen it often by dwywit · · Score: 1

    on domestic computers. AVG in particular just seems to let malware through - advertising scams, mostly, although once it was ransomware.

    It's particularly annoying that I can't deactivate them to run other scanners to remove the crap they've allowed in. Anti-malware should NOT install and run under the SYSTEM account.

    --
    They sentenced me to twenty years of boredom
    1. Re:Seen it often by Anonymous Coward · · Score: 0

      Use avast only with file system checking. Use Firefox with ABP and Noscript (with all whitelist, default XSS def on), Thunderbird as mailer, and you won't catch any viruses ever.

  3. Many of these are ASLR related FAILURES of devs by Anonymous Coward · · Score: 1

    If I've read correctly (and tell me if I'm wrong, no doubt), most of these latest vulns in the AV apps themselves were related to a faulty or missing implementation of ASLR memory randomization and as such allow overflow and direct injection attacks into memory. All the major companies report it as a closed bug.

    Is there some other APT type attack going on that isn't mentioned in the original disclosures?

  4. cost and benifit by fermion · · Score: 4, Insightful

    I don't know if it is possible to have MS Windows running on the internet without antivirus software. So the question is not which AV software has vulnerabilities, as all software has this issue, but which provides significantly more protection than risk. Or if there is a better way to protect MS Windows machines than AV software.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    1. Re:cost and benifit by gilgongo · · Score: 4, Insightful

      If it's any help (and if you're referring to desktop Windows computers behind standard domestic NAT-ed router/firewalls), then with the exception of WSE since it came out (WinVista?), I've *never* run anti-virus on any Windows installation in our 4-person home in over 20 years.

      About once a year I boot each machine from something like Trinity Rescue Disk and run a sweep using two or three different anti-virus packages. This might come up with perhaps one or two low-risk infections (usually Java), but that's it.

      I assume therefore that if the people using the machines are not in the habit of visiting certain types of website, and aren't inclined to open attachments they're not expecting, then all will be well.

      --
      "And the meaning of words; when they cease to function; when will it start worrying you?"
    2. Re:cost and benifit by Frosty Piss · · Score: 4, Interesting

      I ran XP and later Win7 with nothing more than Microsoft Security Essentials, and never had an infection. Ran CCleaner and Malwarebytes regularly and never found a thing.

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:cost and benifit by Anonymous Coward · · Score: 0

      About once a year I boot each machine from something like Trinity Rescue Disk and run a sweep using two or three different anti-virus packages. This might come up with perhaps one or two low-risk infections (usually Java), but that's it.

      Your experience is about the same as I had one year while running full featured commercial anti-virus with everything updated. Sometimes those harmful java packages can be found in the browser cache only after months of signature updates. Had I had the java run-time installed and enabled, it would have probably been a bad day.

    4. Re:cost and benifit by phantomfive · · Score: 1, Interesting

      The problem with AV software is, it will only catch threats that are already known (and usually for vulnerabilities that are already patched).

      Think about it: if you were writing malware, wouldn't you test to make sure it could get past the major antivirus packages? That's just due diligence. If your QA didn't do that, you would fire them.

      And if that weren't bad enough, some of the Antiviruses are worse user experience than actually getting a virus......

      --
      "First they came for the slanderers and i said nothing."
    5. Re:cost and benifit by mark-t · · Score: 0

      Sure it's possible.... in practice, the vectors for infection when one is behind a strict enough firewall (external to windows, not the built-in windows firewall) are restricted to either social engineering or else less educated users downloading and running software from locations that a more educated user would probably realize was dubious anyways. The only antivirus you need at that point is a user that knows how to not get infected while using the 'net, and perhaps a periodic manual scan or two every few months to make sure that nothing really did sneak past the primary lines of defense.

    6. Re:cost and benifit by Anonymous Coward · · Score: 0

      Hosts file. Noscript. Selective browsing. No Java.

      But that's teaching people how to fish rather than a product you can just sell as a cure-all.

    7. Re:cost and benifit by DarkOx · · Score: 3, Insightful

      Yes, it's possible if you don't do stupid things and don't foul up Windows security. The vast majority of liabilities/vulnerabilities on modern Windows desktops arise directly from PBCAK (Person between chair and keyboard). I personally use a mixture of Slackware and OSX at home, but I do security work and I can tell you if you are following the rules below on Windows 8 and later it's very unlikely anyone is going to pop your box.

      [Stuff that comes out of box if you don't f**k it up]
      0) Have a strong password.
      1) Leave UAC enabled.
      2) Leave the windows firewall on and with recommended settings, even if you are behind NAT and or some other hardware firewall.
      3) Install updates promptly.
      4) Don't run things from sources you don't trust.
      4a) If you really must run stuff from untrusted sources, have a separate user account to download and execute that stuff with that you do not use to handle any information you don't want public, and for goodness sake don't let it elevate.
      5) Do not install Flash.
      6) Do not install the Java browser plugins.

      [Mostly painless things you can do to really harden windows boxen]
      7) Install EMET.
      8) Install KB2871997 and disable wdigest.

      [annoying but still a good practice]
      9) Log off (not just lock) your desktop when not in use. Optionally suspend or hibernate the system, instead.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
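      The list above is a checklist, and most of it can be audited from the machine itself. The script below is an added example written for this mirror, not something posted in the thread or shipped by any of the vendors mentioned. It is a read-only audit for Windows 8.1 / Windows 10 with PowerShell 4 or later, run from an elevated prompt; it assumes the documented registry locations for UAC (EnableLUA, ConsentPromptBehaviorAdmin under Policies\System) and for WDigest (UseLogonCredential), that the EMET installer registers a service named EMET_Service, that Flash and Java show up in the Uninstall keys under their usual DisplayName prefixes, and a 45-day staleness threshold for updates that is an arbitrary choice. Items 0, 4 and 9 are behaviour, not settings, so they are not checked.

```powershell
# Added example: audit the hardening items in the list above. Read-only.
# Assumptions (not from the thread): registry paths below are the documented
# locations for these settings; "EMET_Service" is the service EMET registers;
# 45 days is an arbitrary "updates are stale" threshold.

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
}
$osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version

# 1) UAC. EnableLUA=0 turns UAC off entirely; ConsentPromptBehaviorAdmin=0 means
#    "elevate without prompting", which makes UAC a no-op for admin accounts.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Result 'UAC enabled (EnableLUA=1)' ($pol.EnableLUA -eq 1) "EnableLUA=$($pol.EnableLUA)"
Add-Result 'UAC prompts admins (ConsentPromptBehaviorAdmin<>0)' `
    ($pol.ConsentPromptBehaviorAdmin -ne 0) "ConsentPromptBehaviorAdmin=$($pol.ConsentPromptBehaviorAdmin)"

# 2) Windows Firewall on for every profile, inbound default Block, even behind NAT.
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    Add-Result "Firewall profile $($p.Name)" $ok "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# 3) Updates: newest hotfix with a recorded install date must be recent.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$stale = (-not $latest) -or (((Get-Date) - $latest.InstalledOn).Days -gt 45)
Add-Result 'Updates installed within 45 days' (-not $stale) "Latest: $($latest.HotFixID) on $($latest.InstalledOn)"

# 5/6) Flash and Java: look for their uninstall entries (both registry views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             ForEach-Object { $_.DisplayName } | Where-Object { $_ }
$flash = @($installed -match 'Adobe Flash Player')
$java  = @($installed -match '^Java\b')
Add-Result 'No Adobe Flash Player' ($flash.Count -eq 0) ($flash -join ', ')
Add-Result 'No Java runtime'       ($java.Count -eq 0)  ($java -join ', ')

# 7) EMET: present if its service is registered.
$emet = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
Add-Result 'EMET installed' ($null -ne $emet) $(if ($emet) { "Status=$($emet.Status)" } else { 'service not found' })

# 8) KB2871997 is only needed before 8.1 (later versions ship the behaviour).
#    WDigest: UseLogonCredential must be 0 so plaintext credentials are not kept
#    in LSASS. On 8.1+ a missing value means disabled; on 7/8 it must be set to 0.
if ($osVersion -lt [Version]'6.3') {
    $kb = Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue
    Add-Result 'KB2871997 installed' ($null -ne $kb) $(if ($kb) { "Installed $($kb.InstalledOn)" } else { 'not found' })
}
$wd  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
$val = $wd.UseLogonCredential
$wdOk = ($val -eq 0) -or (($null -eq $val) -and ($osVersion -ge [Version]'6.3'))
Add-Result 'WDigest UseLogonCredential disabled' $wdOk "UseLogonCredential=$(if ($null -eq $val) { '<absent>' } else { $val })"

$results | Format-Table -AutoSize
```

The script reports and does not change anything; the point is to see which of the "comes out of the box" items have quietly been turned off, which in practice is usually UAC prompting (ConsentPromptBehaviorAdmin) or a firewall profile disabled by some installer.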
    8. Re:cost and benifit by Anonymous Coward · · Score: 0

      Not so true, in fact some generate false positives because of various techniques used to infer a risky file.

      Some are better than others, hence high or low false positives.

      Maybe that was the way in the original v1 days, but not any more.

    9. Re:cost and benifit by whoever57 · · Score: 2

      PEBCAK (Problem exists between chair and keyboard).

      FTFY.

      --
      The real "Libtards" are the Libertarians!
    10. Re:cost and benifit by jetkust · · Score: 0

      I can confirm that it is possible. Are you an AV salesman?

    11. Re:cost and benifit by Marillion · · Score: 2

      Passive AV software is about eliminating malware AFTER it has taken root on a system. Active AV injects itself into critical checkpoints. Microsoft, to their credit, has taken proactive steps to close the exploits that malware have used to enter a system. Steps like including Flash player updates with Windows updates. Is it perfect? Of course not. But it's gone a long way to the point of making AV software the "low hanging fruit" of attack surfaces.
      I'll also echo what many have said - WSE and SPI firewalls (Stateful Packet Inspection, which is the prerequisite of NAT, is what actually protects you) have been the only thing I've been using for years.

      --
      This is a boring sig
    12. Re:cost and benifit by phantomfive · · Score: 1

      Not so true, in fact some generate false positives because of various techniques used to infer a risky file.

      Which part of what I said do you consider not true? That Antivirus fails a lot of times? Here's a citation for you, with a quote:

      no single AV vendor can detect most malware most of the time.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:cost and benifit by fred911 · · Score: 1

      Absolutely. I too have never run any virus package on any of my machines starting from the days of Win 3 and winsock. I have never had an infected machine. I scan every six months and receive the same results.

      For button pushing users I support, the only packages I would trust were the packages distributed by Kaspersky or Panda. Everything else I've ever seen is excellent in the overuse of your funds and resources.

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    14. Re:cost and benifit by sublayer · · Score: 1

      3)Install updates promptly.

      4)Don't run things from sources you don't trust.

      Those two are mutually exclusive for Windows 7 users. I no longer trust Microsoft updates, thanks to the spyware that is Windows 10.

    15. Re:cost and benifit by DarkOx · · Score: 2, Informative

      Seriously, if windows needs a 'security' kludge like UAC to stay secure, then it's not really secure at all.

      That is seriously ignorant. What UAC is really under the hood is very similar to having two accounts. One privileged and one less so. The shell has some smarts in it to spot when things that are likely to need escalation such as programs named setup.exe are called and asks, when the user is privileged. It's also a little more convenient for the user because the environment etc is shared, and depending on the registry settings they may not need to type their password, and because the OS takes special steps to ensure programs cannot send events to UAC windows it is still somewhat tamper proof.

      You could very correctly compare this to a Linux system where your user account is a member of the wheel group and wheel is allowed to run any command via sudo. The difference is UAC without a password can still be an effective security control while sudo without a password can't (the malware can just try and invoke it). So either sudo has to require password entry (annoying) or its only protecting the system from things like accidents like you thought the working directory was /home/myself/documents turns out wrong window and you are in /bin for whatever reason (still valuable).

      Is the old advice of having an account that is not a local administrator and a separate account that is to use for things that need that, and then running them either via runas or via logout / login to the other account, still better? Probably, but years of practice has shown us users won't as a general rule do that. Which is why the UNIX and like world has sudo and Windows now has UAC.

      The alternative is everyone runs around running everything privileged all the time. Which years of practice has shown us means malware gets to do whatever it wants.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
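      The "two accounts under the hood" description above can be seen directly from the token a process runs with. The following is an added example for this mirror, not code from the thread: it inspects the current PowerShell process's token and reports whether the user is an elevated administrator, an administrator running on the filtered token UAC hands out by default, or a standard user. It relies on documented behaviour (WindowsPrincipal.IsInRole consulting the current token, and whoami /groups showing "Group used for deny only" on the filtered Administrators SID S-1-5-32-544); the function name Get-UacTokenState and the Role labels are this example's own.

```powershell
# Added example: show the split token UAC gives an administrator.
# Run once from a normal prompt and once from "Run as administrator" to see
# the same user report a different Elevated value.

function Get-UacTokenState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminSid  = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

    # IsInRole checks the token this process holds. Under UAC an admin's
    # filtered token carries S-1-5-32-544 marked "use for deny only", so the
    # group counts for access-denied checks but not for granting access, and
    # IsInRole returns $false until the process is elevated.
    $elevated = $principal.IsInRole($adminSid)

    # whoami /groups exposes that deny-only attribute, which distinguishes
    # "administrator, not elevated" from "not an administrator at all".
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object SID -eq $adminSid.Value
    $denyOnly = [bool]($adminRow -and ($adminRow.Attributes -match 'deny only'))

    $role = if ($elevated)     { 'elevated administrator (full token)' }
            elseif ($denyOnly) { 'administrator on filtered token (UAC has not been consulted)' }
            else               { 'standard user' }

    [pscustomobject]@{
        User          = $id.Name
        Elevated      = $elevated
        AdminDenyOnly = $denyOnly
        Role          = $role
    }
}

$state = Get-UacTokenState
$state | Format-List

# Elevation is an explicit step: a new process started with the RunAs verb.
# This is the same path the shell takes for setup.exe; the consent prompt is
# drawn on the secure desktop, which is why a program cannot simply send
# click events to it the way malware could drive a password-less sudo.
if (-not $state.Elevated -and $state.AdminDenyOnly) {
    Start-Process powershell.exe -Verb RunAs -ArgumentList '-NoExit', '-Command',
        'whoami /groups /fo list | findstr /i "S-1-5-32-544 Attributes"'
}
```

The comparison to sudo in the post holds at this level: a member of wheel has the same group membership before and after sudo, and the password prompt is the only gate; an administrator under UAC has two different tokens, and the less privileged one is what every process gets unless the consent prompt is answered.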
    16. Re:cost and benifit by Anonymous Coward · · Score: 0

      It's very possible. You just need to stop going out of your way to execute viruses, like running IE, going to a shady site, clicking on all the fake download buttons and then running the executable it downloaded to your PC (making sure to leave "hide extensions" enabled so you can't tell for sure).

      We've had 0 viruses in a decade in this house (including teens). As for work, in all of 2015, we had a couple cases of browser popup problems and that's it.

    17. Re: cost and benifit by Billly Gates · · Score: 1

      As someone who used to support these users with infections I can tell you almost every one of them had Norton, an expired AV package, or no AV at all whatsoever.

      So I highly disagree. Though most had XP, and 7 is much more secure by default. AV software and ad blocking make a HUGE difference.

      Though today I now think ad blocking add ons are the best security on the planet! Ads are how malware gets on and being a sophisticated Slashdot user you do what most don't.

      FYI nod32 found a Trojan on Slashdot a few years ago. Just saying

    18. Re: cost and benifit by Billly Gates · · Score: 1

      False.

      Most Trojans get on by ads from 3rd party networks visiting a website.

    19. Re:cost and benifit by SwashbucklingCowboy · · Score: 2, Funny

      "and never had an infection"

      That you know of.

    20. Re:cost and benifit by Anonymous Coward · · Score: 0

      I ran XP and later Win7 with nothing more than Microsoft Security Essentials, and never had an infection. Ran CCleaner and Malwarebytes regularly and never found a thing.

      So you ran antivirus software on your workstation? Cool, relevant story, bro.

    21. Re: cost and benifit by Anonymous Coward · · Score: 0

      To buttress your point, /. published this today: http://yro.slashdot.org/story/...

    22. Re:cost and benifit by sabt-pestnu · · Score: 2

      I was, at one time, tasked to incorporate CCleaner as a 'plugin' to an app I was working on.

      AFAIK, CCleaner does absolutely no virus checking. The version I was working on would 'clean up' your registry, temp directory, and a couple other spots, but not check for viruses per se.

      And having looked through what it purports to do in the way of registry element deletion, I would be exceptionally cautious about letting it run free. Some of the bits it wanted to clean up as unused were not unused/useless on the system I was running it on. Not saying it did not find stuff that actually WAS useless, just that I saw it register some false positives.

      YMMV.

    23. Re:cost and benifit by Anonymous Coward · · Score: 0

      CCleaner is not a virus checker whatsoever, but it does delete temp files that may be used by shitty malware.

    24. Re: cost and benifit by Anonymous Coward · · Score: 0

      DON'T USE THE H***S WORD! You-know-who will be along here now to bot-post his 2000 line ravings with random bold bits about how his software has been *proven* to cure cancer and make you rich while outperforming every anti virus package ever written.

    25. Re:cost and benifit by Anonymous Coward · · Score: 0

      I simply run any Windows installation I have inside of VirtualBox. I have done this for many years (back then with VMWare and VMWare player as soon as we had that). At the end of the day I either store its state as a snapshot or I revert to last day's snapshot. Depending on whether I installed something trusted during the day.

      Works fine without a virus scanner.

    26. Re:cost and benifit by KGIII · · Score: 1

      I did so, for quite some time actually, just to prove that it could be done. I still functioned - pretty much like normal, and had no known malware compromises. I had no resident AV but would scan once in while (with multiple non-resident apps like AVG and MBAM) and was fine. Don't download things from bad places, use a firewall, get thee behind a NAT, do not allow scripting to run as a general rule, and use least privilege practices.

      This is possible to do with Windows, albeit a bit tedious to set up and practice at first, but whitelisting approaches help as do general safe hex methods. I'm not, currently, much of a Windows user but I imagine I could do the same again with just some trivial research. I do not, of course, recommend this - this was simply a bit of mental masturbation in cause and results. As an AV is not always effective - it's also good to be alert for symptoms that indicate that you might have an infection.

      It was effective and lasted until I switched back to using a Unix-like operating system. I still practice many of those same practices and I still don't use an AV application. The difference now is that I don't really need to scan every week or so. I do still keep an eye out for behaviors that might indicate there is a problem. As I've multiple systems, I will sometimes let Wireshark sit and check for outbound (or inbound) traffic that might indicate the system is doing something that I did not give it permission to do.

      Basically, good security starts in the chair and the chair is best armed with someone that understands what it is that the system should be doing. Security is a process, not an application. It's also about accepting and mitigating risks because all actions are, by their very nature, risky. You need to accept a certain level of risks and decide if taking those risks is worth the benefit of achieving those goals. When you run without an AV on Windows, you learn to really think about the actions you take.

      The only safe computer is one that you can't turn on. Now, that's a crazy definition of safe. Once you get past that, you determine which levels of risks you'll take based on how valuable you see the reward. To use a fairly recent example, I do not value the content at Forbes enough to accept the risks of allowing them to execute code on my system. I do not accept the risks based on the reward. I'm okay with that choice, if I wasn't then I'd change my practices.

      That said, it's a very individual thing. What is important to you is probably different than what is important to me. What risks you take is also up to you. What risks you're willing to take to accomplish something is also very different than what I'm willing to risk. There are probably things that I value more than you and thus I'll probably accept more risks. What I use for a layered defense is likely very different than what you use. What you'll accept is very different than what I'd accept and I'd suspect your defense to be different than mine.

      Hopefully you, and others, have put the effort in and decided what risks you'll accept and how you'll manage those risks. It's pragmatic and realistic. The greatest asset one can have is understanding - even if basic. "What can happen if I do this? How can I avoid doing that? Is it worth it for me to do that when I know that this might be the outcome? How can I lower the risks to make doing this safer?" Questions along those lines are how one needs to think if they're going to use a computer but they're much more important to ask (and answer) if you're going to do it with an AV.

      And no, I didn't switch (back?) to Linux because of security issues. I switched because my brain was turning into mush and I was not learning anything new. I'm not suggesting that anyone do anything in specific - other than asking them to think about risks and rewards and to accept that security should begin with the ass in the seat and not with a piece of software. I am also not suggesting that a Windows user operate their system without resident, updated, quality anti-malware protection. It's possible but not easy. It gets easier as you go along. Using a whitelist approach and being sure to back those settings up is a good idea.

      --
      "So long and thanks for all the fish."
    27. Re:cost and benifit by bloodhawk · · Score: 1

      Seriously, if windows needs a 'security' kludge like UAC to stay secure, then it's not really secure at all. The whole point of OS security is to be able to run stuff that is 'untrusted' with a reasonable expectation that it won't totally compromise the system.

      You are completely and utterly ignorant. UAC is just process elevation or a separate account and is pretty much how all OSes handle this. The simple rule on security is if you allow someone else's code to run on your machine then it is no longer your machine. Remote vulnerabilities are reasonably common, but there is ALWAYS a little shit ton of local escalation vulnerabilities available to just about every OS and system level apps. If you can't find one for your chosen OS then chances are you aren't looking in the right place.

    28. Re:cost and benifit by bmo · · Score: 1

      I assume therefore that if the people using the machines are not in the habit of visiting certain types of website,

      Which type of website would that be?

      Years ago, when Investor Village was still young, they had a problem with an advertiser serving up malware.

      Just the other day, Forbes was caught serving up malware in their ads after telling people to whitelist them.

      Various other web pages not affiliated with what you might call the "seedy underbelly" of the Internet have been caught serving up malware in their ads.

      So tell me, which "certain type of website" might I avoid?

      If it's any help

      No, your statement here is not of any help.

      --
      BMO

    29. Re:cost and benifit by nanoflower · · Score: 1

      I have had Antivirus packages installed for years but usually have it turned off and only turn it on to check a download that I'm particularly worried about. Running Noscript and Adblock seems to be enough to stop most viruses and malware so that the only ones that make it to my system are those that I download. Those are found when I check the download with an A/V. I think this would be true for most people so long as they are smart enough to not click on random links or trust all the spam they get in email. That brings up another thing that helps is that I use Gmail and the spam blocker they have in place works very well. I can only think of a couple of emails over the years that were incorrectly marked as spam.

    30. Re: cost and benifit by Anonymous Coward · · Score: 0

      Another excellent post. Thanks Dave.

    31. Re:cost and benifit by Anonymous Coward · · Score: 0

      OS security is to be able to run stuff that is 'untrusted' with a reasonable expectation that it won't totally compromise the system.

      The basics of the OS security is only available with the Enterprise version, won't work with all of the peripherals and motherboards, and it is only meant for protecting the domain certificates at this point. Sorry, infected users.

    32. Re:cost and benifit by Anonymous Coward · · Score: 0

      What a load of utter shit. If you don't understand security please don't try to comment on it.

    33. Re:cost and benifit by Anonymous Coward · · Score: 0

      Do you enjoy it when your drivers fuck with your kernel? It's a matter of taste, of course.

    34. Re: cost and benifit by ChickPea · · Score: 1

      Re: PEBCAK - prefer the more easily pronounced PICNIC: Problem In Chair Not In Computer.

    35. Re:cost and benifit by Frosty Piss · · Score: 1

      Have a nice day, but please don't come again. Idiot.

      --
      If you want news from today, you have to come back tomorrow.
  5. I'll Be Damned by Anonymous Coward · · Score: 0

    Symantec is not on the list. Lucky surprised me.

    1. Re:I'll Be Damned by houstonbofh · · Score: 1

      Symantec is not on the list. Lucky surprised me.

      Must have been filtered by their antivirus...

  6. I Don't Think You Understand by Anonymous Coward · · Score: 1

    I don't think you understand. What you've seen is a failure to detect a particular virus. But the story is talking about vulnerabilities in the antivirus software itself. So, AVG gets exploited and is then used to grant administrative access to a Windows system, something that would not have been possible if it wasn't for the weakness in the AVG agent and the fact that it runs with system level privileges.

    My suspicion is that, if you were affected by such a virus, you would never know it.

  7. Learned helplessness by Anonymous Coward · · Score: 4, Interesting

    The main vector for malware is people doing what computers tell them to do. Users have become so accustomed to oversight and "someone else" taking care of their computers that they feel they do need to "update their media player program", "install a codec" and "download this antivirus to remove the trojan horse" when their computer tells them to. That's what the pros do, right? Update and install something and then everything works. And Windows has a "security center" which lambasts the users with red exclamation marks until they download an antivirus, and now that website has found something and offers a free antivirus software. Phew, close one.

    Microsoft, Google, Apple, etc. need to stop their programs from telling people how to keep their computers safe. If you know how, then just do it. If you don't know, then what's the point in warning the users: They certainly won't know what to do. Either way, shut up about it. When the computer tells them it has a virus, then users must know that the message is not from someone who looks over them, but probably from someone who wants them to do something that they shouldn't do. "Install this" should instinctively sound exactly as dangerous as installing software off the internet is.

    1. Re:Learned helplessness by Anonymous Coward · · Score: 0

      I remember catching my parents often from this very sin. It's an ingrained approach to a complex system exhibited by non-expert users and those who had less media critique during their basic education. Then again, the elderly and those greedy for results are probably the easiest target groups for the street hustlers and con-artists. Constantly running AI interfaces to systems administration are needed as the systems become more complicated and "unsecurable" by mere mortals, if only to disable the unnecessary subsystems and interfaces for the particular use case.

    2. Re:Learned helplessness by Bert64 · · Score: 1

      The problem here is that traditional desktop systems are designed for people who understand what they're doing...

      Someone with no experience cannot be trusted to download software from the web and install it. If you search for any piece of software on virtually any search engine you will see many, many sources to get the software from, many of which will be unofficial if not downright malicious.

      The same problem does not happen to typical users of iOS, Android or ChromeOS because these systems don't expect users to install software from arbitrary sources and usually don't even allow that by default. If you know enough to jailbreak, root or switch to developer mode then you should also know enough to not fall for malware scams.

      Repos, app stores, walled gardens etc. are the answer for the majority of users; a general purpose unlocked OS is a geek's toy and shouldn't have been put in the hands of random people.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. And Performance by cdxta · · Score: 1

    Not to mention the CPU and memory performance hit you take. Every antivirus tool probably has a missive database of every known virus, even from 20 years ago it's checking every file against (with any hope a file hash binary search). Norton's virus definition grew from like 25MB in 2008 to 220MB in 2013.

    I routinely pause my antivirus when copying tons of files around or when installing known-to-be-good stuff. As soon as I pause the scanner everything speeds up. Even if you have a quad core, every file has to be inspected by a scanner before the system or disk gets the files.

    1. Re:And Performance by climb_no_fear · · Score: 1

      > Every antivirus tool probably has a missive database of every known virus, even from 20 years ago it's checking every file against (with any hope a file hash binary search).

      Could you please replete that?

    2. Re:And Performance by DarkOx · · Score: 1

      > Every antivirus tool probably has a missive database of every known virus, even from 20 years ago it's checking every file against (with any hope a file hash binary search). Norton's virus definition grew from like 25MB in 2008 to 220MB in 2013

      Don't count on that. I have personally seen some very old EOL systems NT4 and W2K boxes get infected with very old malicious software.

      People keep some of these systems in service, and the AV packages often still support them, but here's the rub: to keep those definition files reasonably sized, Symantec and friends actually drop old definitions for things that depend on vulns not present in more recent platforms. So don't count on your old Win2K box not suddenly getting CodeRed all over again, even with NAV running and updated.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  9. The Mafia by MakersDirector · · Score: 0, Funny

    I have advised everyone to remove virus protection from their system for years, for pretty simple reasons:

    Every piece of software you introduce to your system creates vulnerabilities.

    Pretty easy, right? But there's more to it than that.

    AV protection has predictable distribution networks which, like Microsoft's update mechanisms, create a single point of entry for hackers seeking a large audience. Zero day vulnerabilities are introduced after they've been exploited at least once, and these networks provide an easy and predictable distribution network to leverage for these and find 'selected target hosts'.

    Not convinced? But wait, there's more. These companies hire a great deal of hackers to begin with whose key job is to not 'find' vulnerabilities - but to create them - and then deliver the fixes for the very things they create through their networks.

    In a general sense, I ask people who pay AV companies money: Aren't you tired of paying protection money to these companies who are the ones introducing the very elements you're being protected against?

    Whether it's AV protection, or it's insurance in any form (which I am not a fan of) - these industries in many cases create the very problems they protect us from. Now insurers have notably gotten better and fairer about this and work with the public to mitigate the risks because of backlash to the industry.

    But developers of AV protection have not.

    I mean. Why do you think one of the biggest suppliers of 'AV protection' comes from a country where the mafia's alive and well and runs much of the country? (Kaspersky and Russia).

    I'm an advocate of removing AV protection and haven't had it in years.

    And I would highly advise anyone who has an IT person near them as a friend or family member do the same. And when you actually do catch a random virus, rather than paying $240 for a full year of protection you've paid for your programmer friend to come over and have a homemade steak and a beer with you.

    Which do you prefer?

    I can tell you what the IT guys prefer. Home cooking.

  10. Bad title. by Fencepost · · Score: 2

    Introducing any new software onto a system has the potential to add increased attack vectors. In the case of antivirus software exploits may be easier to get to the right place because the software by definition is looking at all the traffic coming in, but you could just as easily look for vulnerabilities in network card driver stacks for widely-used network and wireless cards.

    At least with antivirus they're likely already getting updates regularly; the same can't be said for hardware drivers on a huge percentage of systems.

    --
    fencepost
    just a little off
    1. Re:Bad title. by jader3rd · · Score: 1

      > At least with antivirus they're likely already getting updates regularly

      Why do you think that? Won't most people try to run with their original, old version of the antivirus and hope that the package definitions keep getting updated?

    2. Re:Bad title. by Fencepost · · Score: 1

      Many (most?) antivirus packages check for program updates along with definition updates and will warn if there's an update available. Hardware driver updates on the other hand are the kind of thing that almost never get installed unless you know you have a problem and go looking for a solution.

      And as far as going without antivirus, it's a question of which is more of a concern - the things that may target the antivirus, or the things that may target the other parts of the system (browsers, maybe Flash still, maybe old Java, maybe Office vulnerabilities, etc.).

      --
      fencepost
      just a little off
  11. ESET broken is huge! by Anonymous Coward · · Score: 0

    It's one of the few decent per-app firewalls to stop things connecting out with your private data, usage reports, etc.

    1. Re: ESET broken is huge! by Billly+Gates · · Score: 1

      I left ESET for Kaspersky. Reason is I thought I had a bad ass, motherboard, and SATA cables. Constant disk corruption occurred.

      When doing an SFC caused a BSOD at the NTFS driver I figured it was the AV software. I was right.

  12. some detect novel malware, in two ways by raymorris · · Score: 1

    I'm not GP, but you asked what part of your post is not true. This part:

    > The problem with AV software is, it will only catch threats that are already known

    That's true of SOME AV software. Other types use heuristics similar to spam filters to detect LIKELY threats (code that has been obfuscated in ways bad guys use, executables with names like *.com or *.jpg.exe, etc). Another type sometimes actually runs the code in a vm and looks for any changes to registry entries or files outside of the designated installation destination.

    The third type is the most heavy-duty both in terms of effectiveness and resource usage, though in at least one case (FireEye) the malware was able to escape the sandbox, turning the malware scanner into a major vulnerability.

    1. Re:some detect novel malware, in two ways by phantomfive · · Score: 1

      Those things are all easily overcome by malware writers by testing against existing antivirus. If the Antivirus detects it, then keep changing the malware until the Antivirus doesn't detect it.

      --
      "First they came for the slanderers and i said nothing."
  13. Not Really by SwashbucklingCowboy · · Score: 1

    It's quite certain that AV software flaws have been attacked by bad guys, but that hardly means that your company is *more* vulnerable with the software than without it. Any sufficiently complex software has vulnerabilities.

  14. Layers of options by AHuxley · · Score: 1

    If it's vital, use a typewriter, secure limited amounts of paper files and hold face-to-face meetings in a secure room with only trusted staff. Works well during policy creation. Use the internet to push out a final policy statement, not to create policy over years or weeks via junk encryption.
    Learn about good quality encryption so that years of plain text data are not just sitting on fast internet-facing servers.
    As for AV brands: the global reach and trust means they are getting reports back of bespoke 5 eye crafted code in the wild.
    AV brands have the ability to understand every user's network and create complex reports in near realtime.
    Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet (02.16.15)
    http://www.wired.com/2015/02/k...
    That is the real issue. The tame crypto academics and consumer OS designers are the way in. AV brands that can understand and get a wide range of reports are starting to see what was and is being done to wide open export grade OS's and hardware.
    The other issue is the numbers of contractors and brands selling one-time, unknown, not-yet-found access tools to govs/mil.
    Well staffed AV brands are slowly understanding how to better protect wide open junk consumer OS's and then tell the world.
    Gov-funded malware is having less of a free open window for access, from years down to months, or is being patched or discovered in use.

    --
    Domestic spying is now "Benign Information Gathering"
  15. unfortunately... by buddyglass · · Score: 1

    My company operates in a regulated industry (finance). We're forced to have AV software installed (including on Macs) in order to comply with the regs.

  16. That IS a problem for type A, partially for B, not by raymorris · · Score: 1

    > Those things are all easily overcome by malware writers by testing against existing antivirus. If the Antivirus detects it, then keep changing the malware until the Antivirus doesn't detect it.

    Those are called crypters and you're right, those are currently a significant problem for type-A, signature-based AV. However, signature-based is still useful. Consider all the Nigerian Prince scams and similar that you see. Most are immediately recognizable due to the grammar, etc. It would be absolutely trivial for the bad guys to defeat "grammar detection", but most don't bother. Similarly, while signature-based AV (and standard door locks) are easily defeated, they are still useful.

    Heuristics-based (type 2) can't be so readily overcome by changing the malware. A type 2 detection engine scores on factors such as:
    Runs automatically at boot. (+2 points)
    Fake file extension like kittens.jpg.exe (+3 points)
    Alters system files (+2 points)

    To change the software to avoid triggering this better type of engine, the bad guys have to make it -not- run automatically, not have a misleading name, and not alter the system. Keep going down that path and it's no longer malware, so a high-quality type 2 is a great thing to have. Further development in this area is worthwhile.

    Then we have type 3, which runs the software on a test machine and sees if any damage is done. Type 3 looks directly at the EFFECTS, at what the software DOES. If it reads private files, it's rejected. If it automatically changes any existing files (cryptolocker) it's rejected, etc. "Change the malware until it's not detected" means "change it to no longer do anything bad", on a well-constructed type 3 system.
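
A toy version of the type 2 scoring engine sketched in this comment, fed by the kind of sandbox observations comment 12 describes (deceptive names like kittens.jpg.exe, autostart, writes outside the install directory). This is an added example, not code from any AV product or from the comment authors; the point values are the comment's, while the record fields, extension lists, threshold and sample records are constructed for illustration.

```python
# Added example: toy "type 2" heuristic scorer with the comment's point values.
# Field names, threshold, extension lists and the sample records are constructed.
from dataclasses import dataclass, field

EXECUTABLE_EXTS = {"exe", "com", "scr", "bat", "cmd", "vbs"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "txt"}
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
SUSPICIOUS_THRESHOLD = 4  # constructed: a total at or above this is flagged


@dataclass
class Observation:
    """What a sandbox run (type 3 style) reported about one sample."""
    filename: str
    runs_at_boot: bool
    files_written: list = field(default_factory=list)
    install_dir: str = "c:\\program files\\sample\\"


def has_fake_extension(filename: str) -> bool:
    """kittens.jpg.exe: a decoy document/image extension hiding a real executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXECUTABLE_EXTS


def alters_system_files(obs: Observation) -> bool:
    """Any write into a system location outside the sample's own install directory."""
    inst = obs.install_dir.lower()
    return any(p.lower().startswith(SYSTEM_PREFIXES) and not p.lower().startswith(inst)
               for p in obs.files_written)


def score(obs: Observation) -> int:
    """Sum the heuristic points for one observation."""
    total = 0
    if obs.runs_at_boot:
        total += 2  # runs automatically at boot (+2)
    if has_fake_extension(obs.filename):
        total += 3  # fake file extension like kittens.jpg.exe (+3)
    if alters_system_files(obs):
        total += 2  # alters system files (+2)
    return total


def verdict(obs: Observation) -> str:
    return "suspicious" if score(obs) >= SUSPICIOUS_THRESHOLD else "clean"


if __name__ == "__main__":
    samples = [  # constructed records, not real telemetry
        Observation("kittens.jpg.exe", True, ["c:\\windows\\system32\\drivers\\etc\\hosts"]),
        Observation("setup.exe", False, ["c:\\program files\\sample\\app.dll"]),
        Observation("report.pdf.scr", False),
    ]
    for s in samples:
        print(f"{s.filename:18} score={score(s)} -> {verdict(s)}")
```

Note how the third record scores 3 and stays below the threshold: a single indicator is not enough on its own, which is exactly why an evader has to strip several behaviours at once, as the comment argues.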

  17. Re:That IS a problem for type A, partially for B, by phantomfive · · Score: 1

    > Further development in this area is worthwhile.

    Indeed.

    --
    "First they came for the slanderers and i said nothing."
  18. I don't want to live on this planet anymore by Anonymous Coward · · Score: 0

    - Security software that can open systems to hackers.
    - Governments that propose security backdoors in the name of security.
    - Malware that targets other malware with the stated aim of making people safer.
    - Anti-flatulence medication that can cause flatulence (just go with it, you know what I mean).

    I don't want to live on this planet anymore!

  19. Is AntiVirus dead? by iq145 · · Score: 1