Slashdot Mirror
How Good is Antivirus Software at Protecting Itself? (tomsguide.com)
An anonymous reader writes: Earlier this week, AV-TEST evaluated 19 security suites and found that only three of them seemed to be well protected from savvy potential hackers. First, some context about the tests: The first test measured how well each program uses address space layout randomization (ASLR) and data execution prevention (DEP). Briefly, ASLR randomizes a computer's memory allocation, making it harder for an attacker to target a particular process in a program; DEP is a Windows protocol that designates some memory as non-executable space (other operating systems do this under different names), making it harder (or impossible) for unauthorized programs to run in that space. The second test measured whether the AV programs digitally signed their software-update files. Signing is a way of determining a file's origin and authenticity; unsigned files could be more easily substituted with malicious ones. The final test was the simplest, and determined whether an AV manufacturers delivered its software updates via the encrypted HTTPS web protocol. Lack of encryption makes it easy for an attacker to stage a man-in-the-middle attack by intercepting the data transmission, altering the data and then sending the data back on its way. Of the 19 programs tested, only three succeeded on all counts: Bitdefender Internet Security 2017, ESET Internet Security 10 and Kaspersky Internet Security 17.0. It's difficult to rank the rest of the programs, as each one succeeded and failed to varying degrees.
I use Windows Defender Antivirus. It's helping to protect my Win 10 pc even now.
What operating system is being tested?
That's a pretty big omission IMHO, although it probably doesn't perform as good as the top 3, that's still a glaring omission.
Forcing DEP on is trivial. No major program for Windows fails with DEP enabled. What "advanced development practices" are you imagining?
Came here to say this same thing.
None of those things matter at all if you've already got a process running on the system and are looking for ways to shut down the AV.
>> Updates should be signed in the first place
Agree but...
>> once done there is no further benefit to https encryption
HTTPS will keep a client from pulling updates from the wrong server. If I had a client that installed ANY properly signed update, I might intercept HTTP requests to install signed patch 1.4.8 and return signed patch 1.1.1 (a downgrade to a version with a known vulnerability) instead of the requested file.
If your clients are smart enough to check the signature (including expected hash) of each patch, then you're in better shape...unless the attacker intercepts the HTTP connection used to communicate expected hashes and changes the expected hash to on that makes his bad patch seem legit.
Long story short, I think there's still a role for HTTPS even when you're checking for patch signatures.
That's (a small) part of why I don't employ them.
Next question?
True Dat!
I tried installing Skype for Business but no matter what I try it won't run.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Focusing on anti virus, firewalls, what ever is useless. The problem is the base OS. Windows is flawed, been flawed and will continue to be flawed.
Except it doesn't protect you from Microsoft viruses
Advanced development practices often result in having to turn it off?
What the heck are you doing to your code that you can't mark a some memory as read-only before you load data into and work with it?
APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Selfchecks vs. alteration in every proc inlined (fast vs. function call overheads) & there's 100's of them (would take a SERIOUS 'custom hack job')!
If altered by 1 byte (by traditional .exe jump table/tail end attach viruses OR crackers using disassemblers/hexeditors) it shuts down + alters users & suggests reinstall (portable too)
Data's pristine refreshed as rebuild hosts & protects hosts above/beyond Windows SFP/WFP via a hi-res timer applying read-only (nothing usermode busts thru).
P.S. -> Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
As long as the update can be verified with a signed hash that's thought to be secure (e.g. not SHA-1) then there is no significant advantage to using HTTPS. It's doesn't hurt to distribute it over HTTPS but there's no reason it has to be delivered over HTTPS. The contents are public record in that anyone with a copy of the AV program has access and general updates don't need repudiation. This is the system that most linux distros use (you know, the sha and gpg hashes right after the download links that most people ignore)
AV vendors also shouldn't rely solely on HTTPS for that matter, there have been a number of successful MITM attacks against SSL and TLS over the past few years and if the AV vendor is putting all their faith in HTTPS to insure the integrity of their updates then they could have been compromised and probably could be again going forward.
It does matter... if every windows user switched to {pick an operating system} overnight it wouldn't be long before it would be a cat and mouse game of who can find an exploit first the people patching or the people writing malicious software. It doesn't matter how secure you think it is when there is money to be made and the os with the most installs has it people will find a way. Android is quickly turning into swiss cheese just like windows.
That's strange. That is the solution that is in the box for the foreseable future.
Is updated the same way the rest of the OS is updated... Say what you want about forced updates and restarts, but if you do not trust the update mechanism (signeage of files + Method of delivery) of the OS itself, no ammount of 3rd party AV will do you any good.
I wonder how it stacks up on ASLR and DEP... but anyhow, I usae a Mac with BootCamp, so no big dealio
*** Suerte a todos y Feliz dia!
Any operating systems written in Ada? (Of course, all the libraries and applications would have to be written in B&D languages, too.)
"I don't know, therefore Aliens" Wafflebox1
I might intercept HTTP requests to install signed patch 1.4.8 and return signed patch 1.1.1 (a downgrade to a version with a known vulnerability) instead of the requested file.
This sounds insanely stupid.
Most patch and definition files include dates and/or versions, which are part of the signed files. You cannot simply send a version 1.1 patch rebadged as 1.4 to a 1.2 client and expect it to install. Changing the version invalidates the signature.
Long story short, I think there's still a role for HTTPS even when you're checking for patch signatures.
There is no discernible benefit unless the developer/vendor is a total moron. Digital signatures ensure the contents have no been tampered with---and that is from the date the files are signed until the present, not just while they are being transferred.
Maybe they get some bonus points if they use HTTPS, but they straight up fail if they do not digitally sign all updates.
The original article was written by some numbskull who obviously never worked a day in information security.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
GCC's nested functions put trampolines on the stack. Other things put trampolines on the heap. Forcing DEP on breaks stuff.
Question: Why does Microsoft keep rewriting their software and perpetually adding vulnerabilities instead of perfecting code?
Answer: Money.
Solution: Don't use Microsoft products.
Anons need not reply. Questions end with a question mark.
Anything that includes runtime code generation, including delegates, which includes inner functions.
There is no perfect anti-virus program. The only thing that comes close is using a sandbox and you religiously do all of your online stuff in that sandbox. You preferably use a sandbox with a golden recovery point or use a program like Deep Freeze which resets your session upon reboot or uncontrolled power down. I prefer just using Virtualbox and an OS that run within it. You can recover your golden setpoint within 10 seconds (no joke). This protection scheme alone will not protect against keyloggers though. :)
HTTPS will keep a client from pulling updates from the wrong server.
Assuming of course that your HTTPS client properly validates the server's HTTPS certificate. This includes not only checking that the subject name of the certificate matches the DNS name you are connecting to, but also needs to include validating the cryptographic chain up to a well known trusted root Certificate Authority, and examining Certificate Revocation Lists to ensure that the CRL is current and doesn't contain a record indicating that the certificate has been revoked. Many systems do not fully ensure a valid HTTPS session, in specific many do not do CRL checking as it takes time.
While ensuring that the update has been properly signed reduces the likelihood that HTTPS has been unknowingly compromised, you still have to make sure that the signature process of the signed update is cryptographically valid as well.
If you are already compromised, all bets are off as you cannot be assured that your list of trusted CAs (which are the base of HTTPS security), whatever you are basing the signing of your updates on, and the very code that is validating everything is still doing its job.
>> many do not do CRL checking
True - that's an ongoing blind spot in the security community. Those of us who work with long-lived and signed "web authentication tokens" are currently dealing with similar issues: once they are out in the wild, a lot of "performance-optimized" (highly scalable due to no central check-in/bottleneck) servers will continue to accept tokens that should have been revoked hours or days ago. (The tokens are accepted because they were signed by a trusted source and no check for revocation is done.)
... but rating them on their use of ASLR is worse than the problem:
https://forums.grsecurity.net/...
Find someone who's done some real security analysis, don't see if they bought the snake oil.
Replay attack
No shit. Do you know why Firefox and chrome are such memory hogs? Because they run with address sanitizer. That's a piece of shit from google that increases memory consumption 4 times
An old version of Comodo firewall has treated me well through the years - even alerting me when Charter.com back doored my system.
I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell
his hosts program is actually pretty good by xenotransplant
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg
I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon
take a look at the APK hosts file engine by SuperKendall
APK is kinda right. I've tried his hosts file generating software. It works by bmo
I like your host file system by Karmashock
I find your hosts file admirable by vel-ex-tech
* My code's liked + recommended & hosted by Malwarebytes' hpHosts!
APK
P.S.=> See subject: You're obviously projecting your own mental issues onto me - I'm not autistic & let's see YOU get the above for your non-existent code, ok? apk
See subject & AV signatures = more reactive (have to suck a threat in 1st) hosts block threat sources before it can get to you in the 1st place (thus, hosts = more proactive).
* As the saying goes? "Touche"... & of course, YOU ARE WELCOME TO DO A BETTER ONE THAN I HAVE YOURSELF (where's yours? It's not).
APK
P.S.=> AV Heuristics recently had Webroot go completely nuts on Windows in fact http://www.theregister.co.uk/2017/04/25/webroot_windows_wipeout/ so I can produce SOLID verifiable, concrete, undeniable PROOF - can you? Not that I see - mere "speculation" is what you have... apk
Personally I don't buy paid security and haven't for several years. The protection is not significantly better than free options and while you should use the best free option if your a general users who may not be able to understand threats or avoid them yourself. Many security experts have come out long ago and said security apps are basically worthless paid or free. They are marginally effective and a informed user can almost always do a better job by simply being a educated users.
For more information, click on This Google Doc that explains how.
-- Tigger warning: This post may contain tiggers! --
Tavis Ormandy's torn up every AV (full of coding vulnerabilities, biggest is writing in C/C++ null terminated strings (buffer overflows))
AV uses more moving parts complexity (room for exploit) - hosts = 1 "moving part" part of IP stack (tcpip.sys resolver in Windows) proven since 1968. No filter driver overhead too. Native protection vs. "Bolt on 'MoAr'" stupidity.
AV eats more resources & CPU it SLOWS YOU - hosts by way of comparison speed you up 2 ways (blocking ads & scripts, 1 of the biggest infectors there is) & hardcoded fav sites you spend most time @ (stopping DNS level tracking + resolution turn-around time - 2 for the price of 1 bonus & lighten DNS server load (goes down a lot & even the CHINESE have done "imitation = sincerest form of flattery" MY WAY via supercharge the 'hosts' file to save users plagued by DNS outages on that very note http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ )
APK
I knew BitDefender were on to something good.
They offer a free version and even the full version has near-negligible impact on performance.
And it was one of only three that passed all tests.
Kriston
WARNING! DO NOT READ!
Windows Defender has detected a potential threat in this post: "APK Authenticity Check Failed->No P.S. line"
Sigh. They can accomplish the same by just knocking over the connection. Replaying the current patch is just a noop and replaying an older one won't do anything.
Yes the concept of DEP, having a separate memory space for instructions and not allowing execution outside if it. IBM mainframes had it in the 1960s. Simple and useful idea.
Until Microsoft and Apple ignored it for decades.
Protecting Windows from viruses is pointless. There are so many attack vectors as to make it impossible to defend.
For instance: the registry, not disabling the executable bit on downloads, IE/Edge integration, vulnerable programs with elevated privileges, the ability to run with admin rights, useless services leaving ports open, etc.
The architectures of Mac(UNIX) and Linux, are much better in this respect, with many hacks caused by weak passwords or social engineering techniques. Often the hack affects only one account and not the entire system. Not that NIX is perfect, but Windows feels like it was made by Fisher-Price (no offense to FP intended) by comparison.
HTTPS will keep a client from pulling updates from the wrong server.
No it doesn't. You put too much faith in HTTPS.
The default HTTPS providers on most operating systems only verify that the provided origin server certificate chain has been signed by a known trusted root and that the valid-from and valid-to dates are current. CRL checks are off by default because they require extra network traffic (which generally occurs over HTTP - go figure).
The above behaviours are required for man-in-the-middle re-encrypting proxy appliances, like those from Blue Coat Systems, Inc., to work correctly in corporate environments.
Any additional checks are up to individual applications, such as confirming that the trusted root is one that you expected (not BCSI), or that the origin certificate thumbprint is what you expected, etc.
MITM attacks still runs pass Bitdefender
See subject: If the "best ya got" is calling me names (that aren't true about me & I suspect you're actually projecting)? You fail.
APK
P.S.=> I can't put it any simpler than that & I actually THANK you for doing it! apk
See subject: I couldn't even add the fact hosts prevents security issues in DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + prevents botnet infesting infiltrators "asking for orders" from their C&C servers (effectively paralyzing them).
* I would've added that - but our "gracious host" here also further TRIES to restrict me to only 5 posts a day too - "Gosh, I wonder why?" (not - ad money is why, hosts block those (they infect/track/slow you))
APK
P.S.=> I'd suspect he tracks my browser by signature & tries keeping my post length REALLY low (& I know he tracks the direct download link to my program on Start64.com & won't let me post it here (or anyone else either I suspect)) - I already have him quoted as tracking my "patterns" etc. so, it's no mystery (not working though, lol)... apk
First time I've seen a Windows 10 system get infected. Naturally it was the fault of the end user who downloaded a text translation toolbar that installed a search redirect into every browser on the system, then opened a backdoor for the actual virus to install which disabled UAC and Defender. The only mistake the virus made was that by disabling UAC the Edge browser was unable to open (go figure). It was just our dumb luck that the user was using Edge and came over to complain about it not working. Clean up was easy compared to infections I've dealt with in the past but it was surprising to see a virus so easily disable UAC.
No security feature of an OS or 3rd party can help protect a stupid user. First, create standard user accounts for all users and only one admin account to modify system settings in your Win10. A standard user cannot disable UAC.
Fuck you by Anonymous Coward
See subject: As you see, I have no problem getting around it & as Obi-Wan Kenobi said to Darth Vader? "You can't win Darth - If you strike me down I shall become more powerful than you can possibly imagine..." & I think Whipslash/Logan Abbott knows that (he saw what happened when I posted on "AlmostALLAdsBlocked"'s website & when they DELETED that post, I just tossed it RIGHT back in their face in their inability to disprove 17 points of superiority hosts files have over their easily detected & blocked, bloated, inefficient & ineffectual CRIPPLED BY DEFAULT 'souled-out' to advertisers browser addon - it only worked in MY favor!).
APK
P.S.=> TOR? No, lol - I have a FAR better & faster method than that to blow past the "puny barriers" put in my way here, but thanks anyways - it IS the thought that counts... apk
See subject: Bet you're disappointed, right? What's the matter - you don't like EATING YOUR WORDS? Yes... LMAO!
* Take your own advice!
APK
P.S.=> You're a loony psycho stalker - no questions asked, you UNIDENTIFIABLE anomymous worm... apk
Windows exempts certain cd-copy drm from DEP.