Tavis Ormandy Criticizes Meaningless Antivirus Excellence Awards (softpedia.com)

An anonymous reader writes: A Google security expert (Tavis Ormandy) has become annoyed with antivirus products receiving awards a week after he finds huge security holes in their software. He's talking about Comodo who received an "excellence" award from Verizon, after the researcher discovered 4 security issues in the past four months, and is in the process of submitting a fifth. His criticism of Comodo and Verizon's silly awards is also validated by the fact that during the past year, he discovered security flaws in numerous antivirus and security software such as Avast, Malwarebytes, Trend Micro, AVG, FireEye, Kaspersky, and ESET.


  1. The awards by invictusvoyd · · Score: 1

    were for the holes.

  2. Bloatware by Anonymous Coward · · Score: 4, Interesting

    Many antivirus products started as small, useful tools which genuinely helped detect and neutralize viruses, at least still in the 90s and early 2000s. For some reason which I can only compare to gluttony for more "features" and attention, most have grown to bloatware with flashing popups, nagging screens and award stickers collected like flairs which are supposed to validate their usefulness, but are meaningless. When friends ask me to set up a newly purchased laptop, one of the first things to do is remove all that antivirus crap and educate them on PC hygiene.

    1. Re:Bloatware by rudy_wayne · · Score: 4, Informative

      Most AV programs have not only become bloatware, adding more and more useless "features", but they have actually become malware themselves.

      For example:

      The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users install AVG antivirus, is vulnerable to trivial XSS (cross-site scripting) attacks.

      "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that AVG can bypass the Chrome Store malware checks, which specifically tries to stop abuse of the Chrome Extension API."

    2. Re:Bloatware by idbeholda · · Score: 1

      No real surprise in all of this, tbh. ~15 years of writing AV stuff got me absolutely nowhere, and I got burned out, hence pulling the plug. I've said this many times, but there needs to be a centralized database that vendors pull their info from. The next step is seeing which AV vendor can write the most efficient detection algorithm. The only thing I brought to the table with my project was a bare minimum standard of efficiency. The result was this:

      1 Dependency installer
      No further "installation" needed
      Comprehensive databases (Whitelist, blacklist, port list, API calls, filenames/sizes (forensic blacklist/whitelist), default install paths - ~400 million unique matches)
      Fast data access times (only limited by hardware and internet latency 0/0000-F/FFFF hash database format @ avg 220 bytes per file, 17GB overall)
      Small frontend with low overhead (5MB package size, ~2MB overhead)

      http://www.softpedia.com/get/A...
      And sauce - https://www.planet-source-code...
      This particular industry is indeed a popularity contest. At this juncture, I can at least prove I know what I'm talking about.

    3. Re:Bloatware by castionsosa · · Score: 1

      The conventional antivirus has become all but useless to deal with the latest zero-day threats. At best, an AV program is useful for scanning a download for a potential Trojan... but even with that, one is better off just using VirusTotal if the executable is small, or using the MD5/SHA hash if the file is bigger.

      I'd like to see an AV program actually do something useful:

      1: Filter by IP address. This is especially useful with third party malvertising which is a large infection vector.
      2: Set kill bits and disable site cookies, similar to SpywareBlaster's functionality.
      3: Scan via executable signatures and look for unsigned stuff that isn't whitelisted by the user.
      4: Boot from Windows PE so Bitlocker can be unlocked, scan the machine offline.
      5: Have the ability to run on the hypervisor level, so VMs can be checked for RAM-resident stuff and suspended/rolled back.
      6: Have the option to act as a "file firewall" (turned off by default, so a user doesn't get used to blindly clicking 'allow' as with the earlier ZoneAlarm type software), so software that isn't normally set to access a certain filetype (for example a game grabbing Word documents in the user's Documents directory) would prompt the user with the details of what is being done (reading, overwriting, etc.). This would act as pushback against ransomware.
      7: Offer more than just AV functionality. Having the program also be able to function as a client so a user can have a backup server that "pulls" documents as further protection from ransomware would be nice.
      8: Money is important, but perhaps do like some programs, allow manual updates, and charge for automatic updates/automated scanning, cutting the annoying dialogs to as low as possible. For minimizing impact on servers, signed binary diffs for the signature files can't hurt. Having enterprise versions with no expiration of signatures can't hurt.
      9: Offer enterprise functionality, such as pulling signatures from a local server, audit logs, and other items to help organizations with compliance. This should be available in every version, not just "enterprise" versions.
      10: Focus on being out of the way... software that is designed to be made part of a WIM install image where it is installed and forgotten about... until there is a meaningful alert.
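Item 6 above (a "file firewall" that prompts when a program touches file types it normally has no business with) is a detection policy, so here is a small worked version of it. This is an added example, not code from any poster or product: the process-to-extension baseline, the event records and the burst threshold are all constructed for illustration. It raises one prompt per unexpected (process, file type) pair rather than one per file, and escalates only when a single process performs several destructive operations on unexpected file types, which is the ransomware pattern the comment is worried about.

```python
"""Toy 'file firewall' decision logic (constructed example).

Flags processes that touch file types they are not normally associated
with, de-duplicates prompts per (process, extension) pair to limit alert
noise, and escalates bursts of destructive operations from one process.
"""
from collections import defaultdict
from dataclasses import dataclass

# Baseline of which extensions each process is expected to touch.
# Constructed for the example; a real product would learn or ship this.
EXPECTED = {
    "WINWORD.EXE": {".docx", ".doc", ".dotx"},
    "excel.exe": {".xlsx", ".xls"},
    "game.exe": {".sav", ".cfg", ".pak"},
}

DESTRUCTIVE = {"overwrite", "rename", "delete"}


@dataclass(frozen=True)
class FileEvent:
    process: str
    operation: str   # "read", "write", "overwrite", "rename", "delete"
    path: str


def extension(path: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def is_unexpected(event: FileEvent) -> bool:
    """True when the process has no baseline or the extension is outside it."""
    allowed = EXPECTED.get(event.process)
    if allowed is None:
        return True
    return extension(event.path) not in allowed


def evaluate(events, burst_threshold=3):
    """Return (prompts, escalations).

    prompts: {(process, extension): first operation seen}, one entry per
             pair so the user is asked once, not once per file.
    escalations: processes whose unexpected destructive operations reached
             burst_threshold, sorted by name.
    """
    prompts = {}
    destructive_count = defaultdict(int)
    for ev in events:
        if not is_unexpected(ev):
            continue
        prompts.setdefault((ev.process, extension(ev.path)), ev.operation)
        if ev.operation in DESTRUCTIVE:
            destructive_count[ev.process] += 1
    escalations = sorted(p for p, n in destructive_count.items() if n >= burst_threshold)
    return prompts, escalations


# Constructed event stream: normal activity, then a game binary reading and
# then overwriting/renaming documents it has no baseline for.
SAMPLE_EVENTS = [
    FileEvent("WINWORD.EXE", "read", r"C:\Users\alice\Documents\budget.docx"),
    FileEvent("game.exe", "write", r"C:\Users\alice\Saved Games\slot1.sav"),
    FileEvent("game.exe", "read", r"C:\Users\alice\Documents\budget.docx"),
    FileEvent("game.exe", "overwrite", r"C:\Users\alice\Documents\budget.docx"),
    FileEvent("game.exe", "overwrite", r"C:\Users\alice\Documents\cv.docx"),
    FileEvent("game.exe", "rename", r"C:\Users\alice\Documents\cv.docx.locked"),
]

if __name__ == "__main__":
    prompts, escalations = evaluate(SAMPLE_EVENTS)
    for (proc, ext), op in prompts.items():
        print(f"PROMPT   {proc} first tried to {op} a {ext} file")
    for proc in escalations:
        print(f"ESCALATE {proc}: burst of destructive writes to unexpected file types")
```

Raising the threshold trades sensitivity for quiet, which is the tension Bert64 raises in the reply about alerts being too frequent or too insensitive; the point of keying prompts on (process, extension) is that a user sees one question, not one per encrypted document.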

    4. Re:Bloatware by Bert64 · · Score: 1

      Welcome to capitalism...
      You can't keep selling the same product, you have to offer perceived "improvements" or people won't upgrade, and under the hood improvements are not visible to users so won't compel them to buy more - only highly visible and flashy features will make clueless users think they're getting value for money.

      Another thing to consider, is should users have to be educated about hygiene and learn how to deal with such things? For the vast majority of users that is wishful thinking, and they'd be much better off with a device that is managed by someone else.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:Bloatware by Bert64 · · Score: 1

      1, this is what a firewall does...
      3, OSX does this by default - although signed binaries is not a perfect solution
      5, I scripted something similar for a linux kvm based hypervisor setup, it mounts each of the vm disk images readonly and scans them... you can also scan your backups in this way which gives your backup server something to do during the day when it's not actually making backups.
      6, selinux/apparmor policies do this - access to unexpected locations is logged and/or denied, the problem with windows is that the filesystem is more messy and users often store files in ridiculous locations.
      7, if the server can pull backups then it can take whatever it wants from your machine at any time, push backups aren't necessarily a problem if done correctly - ie retention should be controlled by the server and the client should not be able to overwrite or remove old backups.
      10, it's too hard to define "meaningful"... if you alert too frequently users get annoyed and ignore or disable the alerts, if the alerts are too insensitive then it's easier for malware to avoid attracting attention... it also depends highly on the skill level of whoever receives the alerts.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
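Point 7 above is a design rule: push backups are safe against ransomware only if the server, not the client, owns retention, so that a compromised client can add versions but never overwrite or remove what is already stored. The following is an added example of that rule in Python, not code from Bert64 or any backup product; the file contents and the server API are constructed for illustration.

```python
"""Push-style backup receiver where the server owns retention (constructed).

The only operation a client may request is 'put', which appends a new
version. Overwrite and delete are not client operations at all, and
pruning old versions runs server-side on the server's own schedule.
"""
import hashlib
import itertools


class RetentionViolation(Exception):
    """Raised when a client asks for something only the server may do."""


class BackupServer:
    def __init__(self, keep_versions=3):
        self.keep_versions = keep_versions
        self._seq = itertools.count(1)          # monotonic version counter
        self._store = {}                        # name -> [(seq, sha256, blob)], oldest first

    def handle(self, op, name, blob=None):
        """Client-facing entry point: 'put' is the whole client protocol."""
        if op != "put":
            raise RetentionViolation(f"operation {op!r} is not permitted for clients")
        return self.put(name, blob)

    def put(self, name, blob):
        """Append a new version. Unchanged content is deduplicated, never overwritten."""
        digest = hashlib.sha256(blob).hexdigest()
        versions = self._store.setdefault(name, [])
        if versions and versions[-1][1] == digest:
            return digest
        versions.append((next(self._seq), digest, blob))
        return digest

    def prune(self):
        """Server-side retention only: drop the oldest versions beyond the limit."""
        removed = 0
        for versions in self._store.values():
            while len(versions) > self.keep_versions:
                versions.pop(0)
                removed += 1
        return removed

    def versions(self, name):
        return [digest for _, digest, _ in self._store.get(name, [])]

    def restore(self, name, index=-1):
        """Return a stored version; index 0 is the oldest retained copy."""
        return self._store[name][index][2]


# Constructed file contents: a clean document, then what a ransomware-hit
# client would push after encrypting it in place.
CLEAN = b"Q3 report: revenue up 4%"
ENCRYPTED = b"\x8f\x13\xa0\x7c\xde\x01\x55\x92 (ciphertext, constructed)"


def scenario():
    """Client pushes clean data, gets hit, pushes garbage, then tries to delete."""
    server = BackupServer(keep_versions=3)
    server.handle("put", "report.docx", CLEAN)
    server.handle("put", "report.docx", CLEAN)        # unchanged: deduplicated
    server.handle("put", "report.docx", ENCRYPTED)    # stored as a new version
    refused = False
    try:
        server.handle("delete", "report.docx")        # what the attacker wants
    except RetentionViolation:
        refused = True
    return server, refused


if __name__ == "__main__":
    srv, refused = scenario()
    print("delete refused:", refused)
    print("oldest retained copy:", srv.restore("report.docx", 0))
```

The retention window (`keep_versions`) and the prune schedule are the server operator's call; the client's credentials cannot shorten either, which is exactly the property the comment asks for.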
    6. Re:Bloatware by Coren22 · · Score: 1

      Since Windows 7, Microsoft has included Windows Defender in the installation package. Windows Defender was a #1 virus scanner that MS bought out. Do you really need to disable Defender and install another virus scanner?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    7. Re:Bloatware by cbhacking · · Score: 2

      Technically, Windows Defender in Win7 was built from Giant AntiSpyware and only provided anti-spyware/anti-adware protection; it doesn't have detection for things like worms and other sorts of malware. For that you need the (free, but optional download) Microsoft Security Essentials. However, starting with Win8, Defender (the built-in thing) includes the MSE scanning engine and signatures.

      The obvious difference between Win7 and Win8 in this regard is that when Win7 came out, MS was still under some anti-trust restrictions against bundling software that competed with commercial offerings (and anti-virus would definitely count). Those restrictions expired before Win8 was released, so they could bundle the full scanner instead of requiring that people go seek it out on their own.

      --
      There's no place I could be, since I've found Serenity...
  3. Excellent Award! by bickerdyke · · Score: 1

    We've been there before. (17 seconds clip and it's NOT Rick Astley)

    --
    bickerdyke
  4. And The Best AntiVirus is.... by FudRucker · · Score: 4, Insightful

    switching to an Operating System that is not the target of virus writers, or at least less of a target

    Linux is your best bet for a general purpose operating system

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:And The Best AntiVirus is.... by Anonymous Coward · · Score: 1

      Linux is your best bet for a general purpose operating system

      Oh, you're killing me. Do you do live stand up too, or just hilarious Slashdot posts? Linux is a geek's operating system. It is your best general purpose operating system only if your purposes aren't mainstream and general. Is Linux a good OS? Of course - it certainly is. Best for general purposes? Haha, that's a good one.

    2. Re:And The Best AntiVirus is.... by KGIII · · Score: 1

      I don't know about all that... As the phrase in use here is general purpose then I can say that I am content to use Linux for my computing needs - all of them. I'm not a gamer so I don't care about that. However, the term is general purpose and not gaming purpose so I'm thinking it doesn't much matter.

      Note: I did not say that it has or should have (or even will have) mainstream acceptance. I'm okay with that. I don't really care if there's a year of the Linux Desktop. Hell, I don't even actually care what operating system you (or anyone else) uses just so long as you made informed consent to use it and made the choice you wanted to make without duress.

      --
      "So long and thanks for all the fish."
    3. Re:And The Best AntiVirus is.... by MightyDrunken · · Score: 1

      Therefore GNU Hurd. In fact if you want to get malware you have to write it yourself.

    4. Re:And The Best AntiVirus is.... by Bert64 · · Score: 1

      Which is why we need diversity, a variety of different systems being used with interoperable data files between them... If no single system has more than 30% market share then malware writing will become far less profitable.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:And The Best AntiVirus is.... by Bert64 · · Score: 1

      All the big operating systems are aimed at geeks, the average user is not really capable of managing a complex general purpose computer system and that's the whole reason why such problems as malware are so prevalent.

      But there's also the fact that very few people actually need a general purpose system, most people do a small subset of things so devices built to do these things are a far better choice for most people. Think games consoles, chromebooks, tv sets, phones, routers etc... And a lot of these special-purpose devices are running linux underneath, just that the user doesn't ever have to deal with the underlying system.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:And The Best AntiVirus is.... by TheDarkMaster · · Score: 1

      Grow Linux desktop usage above 10% and it WILL be a target for script kiddies with viruses.

      --
      Religion: The greatest weapon of mass destruction of all time
  5. Verizon by wkwilley2 · · Score: 1

    Well you know, it is Verizon handing out the rewards.

    It's much easier to be skeptical after realizing that.

    --
    Have you ever fallen asleep at the keybhanusdiog?
  6. "Meaningless"? by jargonburn · · Score: 1

    I should think not! They paid good money for that award!

  7. Meanwhile, closer to home... by msauve · · Score: 1

    Perhaps said Google employee should focus on Google, which tends to be clueless about a lot of things. If you install a private CA cert, your Android phone will then start lying to you, claiming "This network may be monitored by an unknown party." (or similar). Nope. I know who they are, I deliberately installed the cert, and your incorrect message only makes me tend to ignore any warnings you give in the future. OTOH, it also comes pre-loaded with a shitload of enabled CA Certs, most of which I likely have no use for, and which Google expects me to simply accept as trustworthy. WTF is "Government Root Certification Authority?" Certainly sounds like someone I wouldn't want to trust. Anyone remember Diginotar?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  8. Re:Nekkid emperor is still nekkid by GrumpySteen · · Score: 1

    Did I just call the entire computer security industry a scam? Why yes, I did. Tell me I'm wrong please, and try and add a believable argument.

    Okay. You're wrong.

    You've painted the entire computer security industry as being nothing more than virus scanning software. For an example of just how wrong this is, you need to look no further than the summary; "the researcher discovered 4 security issues in the past four months, and is in the process of submitting a fifth." Security researchers who find flaws, the programmers who implement encryption algorithms to keep your data safe, the manufacturers of firewalls that help protect everyone's systems... the group of people you've dismissed as virus scanner scammers would be enough to fill a large city.

    Let me illustrate what you're suggesting in a different way. Do a search for "internet of things exploit" and "internet of things security." You'll get tens of thousands of results. Read a few. You'll find that, to borrow a line from Ars Technica, "Internet of Things" security is hilariously broken and getting worse. If the entire computer security industry was nothing but a scam, that is what all computer security would look like.

  9. Re:Nekkid emperor is still nekkid by Anonymous Coward · · Score: 3, Informative

    He may be inarticulate, but he's not wrong.

    The entire "computer security industry" is little more than scammers selling nothing but snake oil, i.e., security products which themselves are full of exploitable vulnerabilities and in many cases are very close to being malware.

  10. Who watches the watchers? by QuietLagoon · · Score: 1

    The A/V companies made the significant strategic error of starting a race to add more and more features to their products, resulting in insecure bloatware that is tasked with monitoring our PCs for malware.

    One A/V product pokes around my network trying to find my router and determine whether or not I have it configured properly? Give me a break. Focus on the reason I purchased the product, and stop surveying my network. If the router settings have changed, then the A/V product failed in its core goal. Why not focus more effort on preventing malware from getting on my PC and less effort on trying to clean up what happens when they fail in that task?

    1. Re:Who watches the watchers? by AHuxley · · Score: 1

      The AV product just looks for the standard factory set admin password and suggests a change as malware has been found using the default hardware password lists.

      --
      Domestic spying is now "Benign Information Gathering"
  11. background bloat by phorm · · Score: 1

    Antivirus was most useful in the days prior to it needing to be always running. TSR's started down the path towards bloat and instability, but prior to that it was quite helpful to be able to pop in a read-only floppy with antivirus and run a scan on your local drives.

    Once they started running as TSR's (background programs), they became a constant hog of system resources oft-times worse than the viruses themselves. The internet furthered this in many ways because - previously - viruses generally spread through physical transfer.

    In the "good ol' days", you got a virus by either running an infected file or, once MBR virii came around, by inserting infected media into your PC. Those viruses were like blood/fluid-borne viruses in the human world, oft-times nasty, but you wouldn't get computer-herpes without touching somebody else's infected junk. Sure there were networks, but infection usually stemmed from somebody running a trojan and having write access to files on a shared drive.

    Nowadays, modern viruses are like an airborne version of ebola. You don't need to download anything, or insert anything. Visiting a legit site with a bad advertisement is enough to get you, or sometimes even just being online with a machine that has an unpatched vulnerability. That leads to constantly-running A/V that is basically trying to scan the memory of active software, trying to catch viruses before they can dig in. That's fine for older viruses, but new ones the AV still misses entirely, and unlike the days of physical transfer a new virus can go from the creator's PC to thousands of victims within seconds of being written.
    At this point, your AV is a flu shot. It works on some known infections and possibly close variations, but many people who have it still get sick from new stuff.

  12. Shady Industry by wjcofkc · · Score: 1

    An AC posted in reference to AV software once being nimble and useful before mutating into the crapware we see today. This is of course true. Things have escalated to such a level of what the fuck, I have been wondering if some AV companies are not covertly writing virus and malware software themselves, concurrent with the patch so that once they manage to get the virus\malware propagating out of the dark web, they can demonstrate how quickly they are able to update their software and better "protect" their customers. This would at least mitigate all the times AV companies get blindsided resulting in countless millions of infections. I was going to include an explanation as to why that is not as crazy as it sounds, but reading my own words it doesn't sound crazy at all.

    Of course no AV company could ever keep a lid on that, but we already know we are talking about management making less than brilliant decisions about their software. I would not be the least bit surprised to see that as a Slashdot headline after someone squeals.

    --
    Brought to you by Carl's Junior.
  13. Re:Nekkid emperor is still nekkid by shawn2772 · · Score: 1

    He may be inarticulate, but he's not wrong.

    The entire "computer security industry" is little more than scammers selling nothing but snake oil, i.e., security products which themselves are full of exploitable vulnerabilities and in many cases are very close to being malware.

    This argument is why terms need to be defined. You and the GPP are defining "computer security industry" as the set of people and companies that build and sell security products. Even with that definition, the accusation of snake oil is overly broad; there are a few security products which are actually useful. The GP is defining "computer security industry" as the set of people and companies that work on and around computer security, including security researchers that find vulnerabilities, and engineers that fix them and design and build secure systems.

    The computer security industry includes a lot of crap, but it also includes a lot of good people and organizations doing good work. Tavis Ormandy is a part of that industry.

  14. Meaningless awards by Bert64 · · Score: 1

    An "award" is totally arbitrary and meaningless anyway, anyone can provide an award, for anything, based on any criteria and don't have to even disclose the criteria on which the award is based.
    The problem is that people think any of these awards have any value whatsoever, so vendors will take steps to acquire them and use them in marketing material.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Meaningless awards by ripvlan · · Score: 1

      Yes - thank you. For example - did Verizon feel that the winner responded to issues in a timely fashion? Was this company somehow ahead of the others in either securing systems or repairing issues quickly?

      Nobody has perfect AV/firewall software. Do some companies do a better job at doing their best? Do they fix the underlying problem or issue lots of hot-fixes?

      It's a beauty contest. Next Verizon will announce that product as being the Select Vendor or it's already in use within their cloud. And - Hey! - it has also garnered awards >_

  15. Re:Nekkid emperor is still nekkid by Bert64 · · Score: 1

    No it's just that the scammers selling snake oil are noisier, have bigger marketing budgets and are more trusted by those who don't know any better...

    There are plenty of competent people out there, doing research, finding and fixing security holes, trying to write secure code themselves and trying to improve the coding and general security practices of others. The problem is that setting things up securely or building secure code requires a high level of (expensive and rare) skills, whereas trusting the snake oil salesman and buying his product does not.

    To someone who doesn't understand the technical details, buying a product that claims to magically solve all your problems costs much less than employing people to actually address them.
    Plus, being horrendously insecure doesn't necessarily mean you will suffer a high-profile breach; most organizations have gaping security holes but are either lucky and don't get hacked, or do get hacked but never find out about it. It only becomes a problem if a high-profile breach occurs and goes public.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  16. Re:Nekkid emperor is still nekkid by Sloppy · · Score: 1

    Did I just call the entire computer security industry a scam? Why yes, I did. Tell me I'm wrong please, and try and add a believable argument.

    Maybe you're right, but I still can't figure out how these guys are scamming us. They sure look innocent.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  17. Almost Anything Else is Better by EndlessNameless · · Score: 1

    Antivirus is borderline useless these days.

    Application whitelisting, generally by publisher certificate, is the only way to lock things down meaningfully. Use hash-based exceptions for unsigned apps. Too bad all the tools are priced for enterprise.

    SELinux is good, but it takes a lot of work to get it into shape if you are doing anything that lacks an out-of-the-box config.

    Behavior-based anomaly detection is the next big thing. But the last I checked, it takes forever to establish your baselines, and false positives are the norm. Too many false positives is like crying wolf. People stop checking the alerts, admins create exceptions with little or no justification, or sometimes there are just too many to investigate individually.

    But almost all of these alternatives are better than bloated crapware that only protects you against the oldest and least sophisticated threats. Most malware is spread over half the planet before there is a signature for it.

    --
    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    1. Re:Almost Anything Else is Better by DigiShaman · · Score: 1

      Application whitelisting, generally by publisher certificate, is the only way to lock things down meaningfully. Use hash-based exceptions for unsigned apps.

      Agreed 100%.

      Too bad all the tools are priced for enterprise.

      It's already in OSX. I've had to grant the exception for one app, but it's rare.

      Allow apps downloaded from:
      -Mac App Store
      -Mac App Store and Identified developers (what I keep mine set to)
      -Anywhere

      --
      Life is not for the lazy.
    2. Re:Almost Anything Else is Better by cbhacking · · Score: 1

      AppLocker, in recent Windows versions (and building on Software Restriction Policies, dating back to XP), provides similar controls. It's actually a lot more fine-grained than that, though it can be made to act much like how you describe.

      --
      There's no place I could be, since I've found Serenity...
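EndlessNameless's recipe (allow by publisher certificate, carve out hash-based exceptions for unsigned apps, deny the rest) and cbhacking's pointer to AppLocker describe the same decision procedure. Below is an added example of that procedure in Python; it is not code from either poster nor from AppLocker or Gatekeeper. The trusted publisher string, the file contents and the signature metadata are constructed, and signature validity is taken as an input the platform loader has already verified, so the example shows the policy logic only.

```python
"""Application allow-listing decision (constructed example).

Order of evaluation, as in publisher-first allow-listing:
  1. valid signature from a trusted publisher      -> allow
  2. exact SHA-256 match in the exception list     -> allow (unsigned apps)
  3. anything else                                 -> deny
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed publisher subject; a real policy would carry the real CN/O.
TRUSTED_PUBLISHER = "O=Example Corp, L=Redmond, S=Washington, C=US"
TRUSTED_PUBLISHERS = {TRUSTED_PUBLISHER}


@dataclass
class Binary:
    path: str
    content: bytes
    signer: Optional[str]          # signer subject, or None if unsigned
    signature_valid: bool = False  # result of the platform's signature check


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(binary, trusted=TRUSTED_PUBLISHERS, exceptions=None):
    """Return (verdict, reason) for one binary under the allow-list policy."""
    exceptions = exceptions if exceptions is not None else HASH_EXCEPTIONS
    if binary.signer is not None and binary.signature_valid and binary.signer in trusted:
        return "allow", "publisher"
    if sha256(binary.content) in exceptions:
        return "allow", "hash-exception"
    return "deny", "no matching rule"


# Constructed unsigned in-house tool; only build 1 has a hash exception.
TOOL_V1 = b"unsigned internal reporting tool, build 1"
TOOL_V2 = b"unsigned internal reporting tool, build 2"
HASH_EXCEPTIONS = {sha256(TOOL_V1): "internal reporting tool 1.0"}

# Constructed inventory covering each branch of the policy.
SAMPLES = [
    Binary(r"C:\Program Files\Example\app.exe", b"vendor app", TRUSTED_PUBLISHER, True),
    Binary(r"C:\Users\alice\Downloads\game.exe", b"other vendor", "O=Unknown Games Ltd, C=GB", True),
    Binary(r"C:\Tools\report.exe", TOOL_V1, None),
    Binary(r"C:\Tools\report.exe", TOOL_V2, None),          # updated build: hash no longer matches
    Binary(r"C:\Temp\app.exe", b"vendor app (tampered)", TRUSTED_PUBLISHER, False),
]


def evaluate_all(samples=SAMPLES):
    """Apply the policy to every sample; returns [(path, verdict, reason)]."""
    return [(b.path, *decide(b)) for b in samples]


if __name__ == "__main__":
    for path, verdict, reason in evaluate_all():
        print(f"{verdict:5}  {reason:16}  {path}")
```

The fourth sample is the operational cost of hash exceptions that the comment hints at: every rebuild of an unsigned tool changes its hash, so the exception has to be re-issued, whereas a publisher rule survives updates as long as the vendor keeps signing with the same identity. The fifth sample shows why the signature check must be a real verification result rather than the mere presence of a signer name.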
  18. Re:Awards? by ole_timer · · Score: 1

    ALL the awards are paid for, how do you think ICSA Labs survives?

    --
    nothing to see here - move along
  19. Re:Over Hyped and improper focus... by campuscodi · · Score: 1

    Nobody is arguing with you after that response.

  20. Re:Nekkid emperor is still nekkid by TheDarkMaster · · Score: 1

    And the security people who know what they are doing cost more to hire than the H1B's

    --
    Religion: The greatest weapon of mass destruction of all time