Tavis Ormandy Criticizes Meaningless Antivirus Excellence Awards (softpedia.com)
An anonymous reader writes: A Google security expert (Tavis Ormandy) has become annoyed with antivirus products receiving awards a week after he finds huge security holes in their software. He's talking about Comodo, which received an "excellence" award from Verizon after the researcher discovered 4 security issues in the past four months and is in the process of submitting a fifth. His criticism of Comodo and Verizon's silly awards is also validated by the fact that during the past year he discovered security flaws in numerous antivirus and security products such as Avast, Malwarebytes, Trend Micro, AVG, FireEye, Kaspersky, and ESET.
were for the holes.
Many antivirus products started as small, useful tools which genuinely helped detect and neutralize viruses, at least in the '90s and early 2000s. For some reason which I can only compare to gluttony for more "features" and attention, most have grown into bloatware with flashing popups, nagging screens and award stickers collected like flair, which are supposed to validate their usefulness but are meaningless. When friends ask me to set up a newly purchased laptop, one of the first things I do is remove all that antivirus crap and educate them on PC hygiene.
Some of these awards are being paid for, FYI
We've been there before. (17 seconds clip and it's NOT Rick Astley)
bickerdyke
The article points out that Tavis Ormandy is at a disadvantage in doing a security evaluation of the AV products since he doesn't have access to any of the source code. It seems like AV badly needs to be an open source community effort so the best of the security community has a chance to modify the product.
When Cisco took over SourceFire, they also acquired the Immunet anti-virus software, which in turn leverages the ClamAV database. But two years ago, they stopped updating it. At this point, it seems clear that Immunet AV is abandonware. If Cisco were to release the source code, it could help jump-start a community open source AV and possibly help improve the Cisco brand name among the security community.
switching to an Operating System that is not the target of virus writers, or at least less of a target
Linux is your best bet for a general purpose operating system
Politics is Treachery, Religion is Brainwashing
I laugh at how AV is always touted as catching stuff. In fact it's designed to make users think it's catching important stuff. In fact what you see it catching is normally benign stuff such as months- or years-old malware that has long since been patched by software or operating systems. It's like putting down a mouse trap to catch dead mice. The zero-day exploits come and go, and the effectiveness of any security suite comes into question. This is why many have resorted to other features like file cleanup, disk management, checking for outdated software, and privacy and password protection. It's because antivirus protection is a joke these days. Sure, install as much of it as you want, and let your PC slowly creep to a halt while it scans your drive in a methodical way in order to give you that false sense of security.
That's the computer security industry for you. Too busy selling "haxx0r-pr00f" bullcrap to notice the ointment they're selling is in fact stinky crap and therefore does indeed stink. This includes the likes of softpedia, who keep on telling the "haxx0r" narrative designed ultimately exactly to sell the bullcrap that introduces at least as many holes as it purports to protect against abuse.
Did I just call the entire computer security industry a scam? Why yes, I did. Tell me I'm wrong please, and try and add a believable argument. I haven't seen anybody even try in a long time, n'mind succeed.
Every security software package has, by definition, at least one security flaw. Making a lot of noise about finding security flaws in security software is also meaningless. Just do what you can to see the flaw remedied, and leave it at that.
Well you know, it is Verizon handing out the rewards.
It's much easier to be skeptical after realizing that.
Have you ever fallen asleep at the keybhanusdiog?
I should think not! They paid good money for that award!
Perhaps said Google employee should focus on Google, which tends to be clueless about a lot of things. If you install a private CA cert, your Android phone will then start lying to you, claiming "This network may be monitored by an unknown party" (or similar). Nope. I know who they are, I deliberately installed the cert, and your incorrect message only makes me tend to ignore any warnings you give in the future. OTOH, it also comes pre-loaded with a shitload of enabled CA certs, most of which I likely have no use for, and which Google expects me to simply accept as trustworthy. WTF is "Government Root Certification Authority"? Certainly sounds like someone I wouldn't want to trust. Anyone remember DigiNotar?
"National Security is the chief cause of national insecurity." - Celine's First Law
I get that lots of people make bad shit with security holes in it. What I don't get is that the people paying him (i.e. Google) are one of those groups making a lot of shit with security holes, so why is he spending so much time researching other people's problems instead of fixing the shit Google got wrong? Those in glass houses shouldn't be throwing stones. Is this really just negative PR campaigning by Google?
One A/V product pokes around my network trying to find my router and determine whether or not I have it configured properly? Give me a break. Focus on the reason I purchased the product, and stop surveying my network. If the router settings have changed, then the A/V product failed in its core goal. Why not focus more effort on preventing malware from getting on my PC and less effort on trying to clean up what happens when they fail in that task?
It is most definitely not a replacement for common sense. Anti-virus should be a backup for those stupid moments where you accidentally forget to test an unknown executable in a sandbox/virtual machine before running it.
Common sense and a sandboxed browser are far more effective solutions than any anti-virus product on the market.
If you guys had to recommend a solid setup for anti-virus or anti-malware, what would you go with?
Antivirus was most useful in the days prior to it needing to be always running. TSRs started down the path towards bloat and instability, but prior to that it was quite helpful to be able to pop in a read-only floppy with antivirus and run a scan on your local drives.
Once they started running as TSRs (background programs), they became a constant hog of system resources, oft-times worse than the viruses themselves. The internet furthered this in many ways because, previously, viruses generally spread through physical transfer.
In the "good ol' days", you got a virus by either running an infected file or, once MBR virii came around, by inserting infected media into your PC. Those viruses were like blood/fluid-borne viruses in the human world, oft-times nasty, but you wouldn't get computer herpes without touching somebody else's infected junk. Sure there were networks, but infection usually stemmed from somebody running a trojan and having write access to files on a shared drive.
Nowadays, modern viruses are like an airborne version of Ebola. You don't need to download anything or insert anything. Visiting a legit site with a bad advertisement is enough to get you, or sometimes even just being online with a machine that has an unpatched vulnerability. That leads to constantly running A/V that is basically trying to scan the memory of active software, trying to catch viruses before they can dig in. That's fine for older viruses, but new ones the AV still misses entirely, and unlike the days of physical transfer a new virus can go from the creator's PC to thousands of victims within seconds of being written.
At this point, your AV is a flu shot. It works on some known infections and possibly close variations, but many people who have it still get sick from new stuff.
An AC posted in reference to AV software once being nimble and useful before mutating into the crapware we see today. This is of course true. Things have escalated to such a level of what-the-fuck that I have been wondering if some AV companies are not covertly writing virus and malware software themselves, concurrent with the patch, so that once they manage to get the virus/malware propagating out of the dark web, they can demonstrate how quickly they are able to update their software and better "protect" their customers. This would at least mitigate all the times AV companies get blindsided, resulting in countless millions of infections. I was going to include an explanation as to why that is not as crazy as it sounds, but reading my own words it doesn't sound crazy at all.
Of course no AV company could ever keep a lid on that, but we already know we are talking about management making less than brilliant decisions about their software. I would not be the least bit surprised to see that as a Slashdot headline after someone squeals.
Brought to you by Carl's Junior.
switching to an Operating System that is not the target of virus writers, or at least less of a target
Linux is your best bet for a general purpose operating system.
You don't choose an operating system because it is free of risks.
You choose it because it supports the programs and services you want and need to run on the hardware you find attractive and affordable. You choose it because it is a comfortable fit for your level of interest and involvement. Not everyone enjoys spending time under the hood.
It's telling that the only flavor of Linux to achieve mass-market status is the malware-ridden Android platform.
An "award" is totally arbitrary and meaningless anyway; anyone can provide an award, for anything, based on any criteria, and doesn't even have to disclose the criteria on which the award is based.
The problem is that people think any of these awards have any value whatsoever, so vendors will take steps to acquire them and use them in marketing material.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
What else is there? Remember: you don't have to outrun the bear, you just have to outrun the other guy(s). And Ubuntu rather easily outruns the other guys.
Saying Linux sucks for mainstream users is totally fine. You're right: it does suck for mainstream users. Alas, Windows sucks even more for mainstream users: you have to be an expert in order to use it safely. And then MacOS is ok, but if you do anything non-mainstream, even if you are otherwise 95% mainstream, then it lags behind both of those other two.
What else might you be talking about? ReactOS?(!?!) Haiku?
Face it, if your computer-averse mom needs a computer, you're probably going to get her Linux, just so you don't have to constantly spend all your time supporting her drama-of-the-day. Linux is fire-and-forget.
Antivirus is borderline useless these days.
Application whitelisting, generally by publisher certificate, is the only way to lock things down meaningfully. Use hash-based exceptions for unsigned apps. Too bad all the tools are priced for enterprise.
SELinux is good, but it takes a lot of work to get it into shape if you are doing anything that lacks an out-of-the-box config.
Behavior-based anomaly detection is the next big thing. But the last I checked, it takes forever to establish your baselines, and false positives are the norm. Too many false positives is like crying wolf. People stop checking the alerts, admins create exceptions with little or no justification, or sometimes there are just too many to investigate individually.
But almost all of these alternatives are better than bloated crapware that only protects you against the oldest and least sophisticated threats. Most malware is spread over half the planet before there is a signature for it.
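The publisher-certificate allowlist with hash-based exceptions described in this post, as an added illustration (not code from the post or from any of the products named in the thread). The policy engine is simplified: it assumes the OS has already verified the code signature and hands the engine the certificate subject plus a verified/not-verified flag. The publisher name, the "in-house tool" bytes and the file paths are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    """A file as an allowlisting engine sees it (constructed sample data).

    publisher is the subject of the code-signing certificate the OS verified,
    or None for an unsigned binary; signature_valid records whether that
    verification actually succeeded (False = tampered, expired or revoked).
    """
    path: str
    content: bytes
    publisher: Optional[str] = None
    signature_valid: bool = False


class AllowlistPolicy:
    """Default-deny: publisher rules first, then per-file hash exceptions."""

    def __init__(self, trusted_publishers: Iterable[str], hash_exceptions: Dict[str, str]):
        self.trusted_publishers = set(trusted_publishers)
        # sha256 hex digest -> label of the unsigned tool the exception covers
        self.hash_exceptions = dict(hash_exceptions)

    @staticmethod
    def sha256(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def evaluate(self, exe: Executable) -> Tuple[bool, str]:
        """Return (allowed, reason); the reason is what ends up in the audit log."""
        # 1. Signed by a trusted publisher: allowed whatever the bytes are, so
        #    vendor updates keep running without a policy change.
        if exe.publisher is not None and exe.signature_valid and exe.publisher in self.trusted_publishers:
            return True, f"publisher rule: {exe.publisher}"
        # 2. Exact-hash exception: the only route for an unsigned binary.
        digest = self.sha256(exe.content)
        if digest in self.hash_exceptions:
            return True, f"hash exception: {self.hash_exceptions[digest]}"
        # 3. Everything else is denied, with a reason the admin can act on.
        if exe.publisher is not None and not exe.signature_valid:
            return False, "signature present but does not verify"
        if exe.publisher is not None:
            return False, f"publisher not trusted: {exe.publisher}"
        return False, "unsigned and no hash exception"


# Constructed sample: a hypothetical trusted publisher and a hypothetical
# unsigned in-house tool in two versions; none of these are real binaries or certs.
TRUSTED_PUBLISHER = "CN=Example Corp Software Signing"
INHOUSE_TOOL_V1 = b"MZ-pretend-bytes inhouse-tool 1.0"
INHOUSE_TOOL_V2 = b"MZ-pretend-bytes inhouse-tool 1.1"

POLICY = AllowlistPolicy(
    trusted_publishers=[TRUSTED_PUBLISHER],
    hash_exceptions={AllowlistPolicy.sha256(INHOUSE_TOOL_V1): "inhouse-tool 1.0"},
)

SAMPLE_FILES = [
    Executable("vendor/app-build7.exe", b"signed vendor build 7", TRUSTED_PUBLISHER, True),
    Executable("vendor/app-build8.exe", b"signed vendor build 8", TRUSTED_PUBLISHER, True),
    Executable("downloads/free-game.exe", b"whatever", "CN=Some Other Publisher", True),
    Executable("downloads/patched-app.exe", b"modified vendor build", TRUSTED_PUBLISHER, False),
    Executable("tools/inhouse-tool-1.0.exe", INHOUSE_TOOL_V1),
    Executable("tools/inhouse-tool-1.1.exe", INHOUSE_TOOL_V2),
]


def run_policy(files=SAMPLE_FILES, policy=POLICY) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every sample file; returns {path: (allowed, reason)}."""
    return {exe.path: policy.evaluate(exe) for exe in files}


if __name__ == "__main__":
    for path, (allowed, reason) in run_policy().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path:28} {reason}")
```

Note what the two rule types buy you: the vendor's next build is allowed without touching the policy, while the in-house tool's 1.1 build is denied until someone adds its hash, and a vendor binary whose signature no longer verifies is denied even though the publisher is trusted.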
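The baseline and false-positive problem the post raises about behaviour-based anomaly detection, as an added worked example (not from the post, and not any product's algorithm). It uses the simplest possible detector, a per-time-bucket z-score against a learned mean and spread, on constructed connection counts, and shows two things: a low threshold fires on an ordinary busy day, and a baseline built from too few days fires on everything even at a sane threshold.

```python
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

# Constructed sample: outbound connection counts from one workstation, one
# number per 6-hour bucket (night, morning, afternoon, evening) per day.
# Not real telemetry.
BASELINE_DAYS: List[List[int]] = [
    [2, 20, 22, 8],
    [3, 22, 20, 9],
    [2, 21, 23, 8],
    [4, 19, 21, 10],
    [4, 18, 24, 10],
]
NORMAL_DAY = [5, 23, 25, 11]   # busier than usual, but legitimate
ATTACK_DAY = [40, 21, 22, 9]   # beaconing at night, everything else ordinary

# A baseline of two nearly identical days has a spread of zero; without a floor
# every later deviation divides by zero and becomes an alert.
STD_FLOOR = 0.5


def build_baseline(days: Sequence[Sequence[int]]) -> List[Tuple[float, float]]:
    """Per-bucket (mean, stdev) learned from the baseline days."""
    return [(mean(bucket), max(pstdev(bucket), STD_FLOOR)) for bucket in zip(*days)]


def score(baseline: Sequence[Tuple[float, float]], observed: Sequence[int],
          threshold: float) -> Dict[int, float]:
    """Return {bucket_index: z_score} for every bucket above the threshold."""
    alerts: Dict[int, float] = {}
    for i, (count, (mu, sigma)) in enumerate(zip(observed, baseline)):
        z = (count - mu) / sigma
        if z > threshold:
            alerts[i] = round(z, 2)
    return alerts


def false_positive_count(threshold: float, baseline_days=BASELINE_DAYS,
                         normal_day=NORMAL_DAY) -> int:
    """How many buckets of a known-good day the detector would flag."""
    return len(score(build_baseline(baseline_days), normal_day, threshold))


if __name__ == "__main__":
    base = build_baseline(BASELINE_DAYS)
    for t in (2.0, 3.0):
        print(f"threshold {t}: normal day -> {score(base, NORMAL_DAY, t)}, "
              f"attack day -> {score(base, ATTACK_DAY, t)}")
    short = build_baseline([BASELINE_DAYS[0], BASELINE_DAYS[2]])
    print("2-day baseline, threshold 3.0, normal day ->", score(short, NORMAL_DAY, 3.0))
```

At threshold 2 the five-day baseline flags all four buckets of the normal day (the crying-wolf case); at threshold 3 it flags nothing on the normal day and still catches the night-time spike. With only two baseline days, the same threshold 3 flags all four normal buckets, which is the "takes forever to establish your baselines" cost in numbers.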
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
I see that neither McAfee or APK Hosts File are on the list of bad antivirus, so by exclusion, they must be the winners!
Thanks, Captain Obvious. Keep providing that insight.
Sincerely,
The Choir
Antivirus relevancy is rapidly decreasing...
Considering that Windows 10 includes Windows Defender, now enhanced with Security Essentials (anti-spyware / antivirus), free and built into the OS. Not to mention that the real "protection" for the file system "internals" is the Windows MRT.exe, another built-in tool that Microsoft upgrades monthly and which quietly runs invisibly in the background each time you boot the box.
These are largely all anyone really needs, as far as Windows "protection" is concerned.
The real toolkit required is knowledge of the Microsoft SFC (System File Checker), as the SFC is how you can find out which files are corrupted by malware and need to be replaced. That is the secret sauce ingredient of any good system clean-up recipe.
SFC: https://support.microsoft.com/...
Also, in the largest number of cases the users are typically led to unwittingly "choose" to install malware on their system.
Either due to technical ineptitude or a total lack of awareness of their own online behaviours.
This is even when A.V.s tell them not to install something.
The other real trouble with A.V.s is that the largest hole in the security equation is web browsers' bidirectional interactions with server-side scripts. Meaning sites average around 10 to 25 scripts, pulling everything from profiling data and advertising or marketing propaganda to direct control of user system functionality, and even driving video games within the web browser. Some exotic new malware (and spyware) now exploits these extensively.
This is significant since most modern exploits are web-browser-centric. This is the real weak point, where user behaviours are socially engineered into functional obfuscated exploits, typically via embedded scripts mingled with adverts and privacy-busting data gathering by businesses.
The safe route for Joe Average is Linux, with Firefox configured with NoScript: not ad blockers, but an actual "extensive" script management system that provides full visibility and granular control to the user. This will then elevate their awareness to the point where visibility grants administrative access over one's own privacy and security.
The only remaining issue is what can be cleanly embedded within PHP and kept obfuscated to the users while permitting access to remote processing on visiting machines...
As for the real security issues facing us, I don't think I ever wrote a better explanation than the one here:
https://hermes-computers.ca/ar...
Verizon promotes a security product to its customers, gets a kickback per sale. Security product gets an "award" from Verizon to promote their brand with.
Bought, paid for, utterly garbage.
Pretty much any "award" from a major corporation is nothing more than a marketing agreement. My ISP has variously promoted Norton, McAfee, AVG and at least one other. Never installed any of them due to known problems at the time the ISP began promoting them. Not even when they offered it free for a year, 'cause I don't need nagware desperately trying to do nothing more than get me to give it money.
APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...
* Less power/cpu/ram+ IO use vs. local DNS servers + addons w/ less security issues vs. DNS + routers. Less complex vs firewalls (needing layered filtering drivers - hosts don't + firewalls block less used IP addresses, hosts block more used host-domain names) complementing 'em. Antivirus = reactive. Hosts = far more proactive, blocking infection BEFORE you get it. Gets its data from 10 reputable security community sites.
APK
P.S. - Hosts get you more speed (hardcodes + adblocks) & faster vs. addons, security (vs. bad sites/dns security issues), reliability (vs. downed/poisoned dns), & anonymity (dns requestlogs/trackers) vs. other "so-called -solutions'" w/ what you natively have. Unlike Adblock/UBlock/Ghostery, hosts != blockable by ClarityRay/BlockIQ... apk
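What a hosts-file block actually does at lookup time, as an added example (this is not the APK Hosts File Engine's code or data). It parses a small constructed hosts file, answers name lookups the way a stub resolver consults the file (exact name, case-insensitive, first matching line wins), and makes the main caveat visible: there are no wildcards, so a name that is not listed verbatim is not blocked, even if its parent domain is.

```python
from typing import Dict, Optional

# Constructed sample hosts file: loopback entries, comments, several names on
# one line, mixed case, a duplicate and a malformed line. All names are made up.
SAMPLE_HOSTS = """\
# header comment, ignored
127.0.0.1       localhost
::1             localhost ip6-localhost
# --- blocklist section (constructed names) ---
0.0.0.0 ads.example.net tracker.example.org   # two names on one line
0.0.0.0 Metrics.Example.COM                   # hostnames are case-insensitive
127.0.0.1 ads.example.net                     # duplicate: the first line above wins
bare-name-without-address.example             # malformed: no address field
"""

# Addresses a blocklist points names at so that the connection goes nowhere.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOOPBACK_NAMES = {"localhost", "ip6-localhost"}   # legitimately map to loopback


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address}; keeps the first mapping for each name."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                        # address with no names, or names with no address
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def lookup(table: Dict[str, str], name: str) -> Optional[str]:
    """Exact-name lookup, as a resolver does it; None means 'not in the file'."""
    return table.get(name.strip().rstrip(".").lower())


def is_blocked(table: Dict[str, str], name: str) -> bool:
    """True when the hosts file steers this exact name to a black-hole address."""
    key = name.strip().rstrip(".").lower()
    if key in LOOPBACK_NAMES:
        return False
    address = table.get(key)
    return address is not None and address in BLACKHOLE_ADDRESSES


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "www.ads.example.net", "metrics.example.com", "localhost"):
        print(f"{name:24} -> {lookup(table, name) or 'not listed':10} blocked={is_blocked(table, name)}")
```

The `www.ads.example.net` lookup returns nothing and is therefore not blocked, which is the practical limit of hosts-file blocking compared with DNS-level or browser-level blockers that can match whole domains: every hostname variant has to be listed explicitly.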