How Good is Antivirus Software at Protecting Itself?

An anonymous reader writes: Earlier this week, AV-TEST evaluated 19 security suites and found that only three of them seemed to be well protected from savvy potential hackers. First, some context about the tests: The first test measured how well each program uses address space layout randomization (ASLR) and data execution prevention (DEP). Briefly, ASLR randomizes a computer's memory allocation, making it harder for an attacker to target a particular process in a program; DEP is a Windows protocol that designates some memory as non-executable space (other operating systems do this under different names), making it harder (or impossible) for unauthorized programs to run in that space. The second test measured whether the AV programs digitally signed their software-update files. Signing is a way of determining a file's origin and authenticity; unsigned files could be more easily substituted with malicious ones. The final test was the simplest, and determined whether an AV manufacturers delivered its software updates via the encrypted HTTPS web protocol. Lack of encryption makes it easy for an attacker to stage a man-in-the-middle attack by intercepting the data transmission, altering the data and then sending the data back on its way. Of the 19 programs tested, only three succeeded on all counts: Bitdefender Internet Security 2017, ESET Internet Security 10 and Kaspersky Internet Security 17.0. It's difficult to rank the rest of the programs, as each one succeeded and failed to varying degrees.

Meaningless

DEP is rather useless. Advanced development practices often result in having to turn it off.

ASLR is only a mild advantage, and none at all against processes already on the same computer.

There is no need at all to download updates over https. Updates should be signed in the first place to defend against stuff like superfish, and once done there is no further benefit to https encryption.

Re:Meaningless

Forcing DEP on is trivial. No major program for Windows fails with DEP enabled. What "advanced development practices" are you imagining?

Re:Meaningless

[Wulf2k]

Came here to say this same thing.

None of those things matter at all if you've already got a process running on the system and are looking for ways to shut down the AV.

Re:Meaningless

[xxxJonBoyxxx]

>> Updates should be signed in the first place

Agree but...

>> once done there is no further benefit to https encryption

HTTPS will keep a client from pulling updates from the wrong server. If I had a client that installed ANY properly signed update, I might intercept HTTP requests to install signed patch 1.4.8 and return signed patch 1.1.1 (a downgrade to a version with a known vulnerability) instead of the requested file.

If your clients are smart enough to check the signature (including expected hash) of each patch, then you're in better shape...unless the attacker intercepts the HTTP connection used to communicate expected hashes and changes the expected hash to on that makes his bad patch seem legit.

Long story short, I think there's still a role for HTTPS even when you're checking for patch signatures.

Re:Meaningless

Advanced development practices often result in having to turn it off?

What the heck are you doing to your code that you can't mark a some memory as read-only before you load data into and work with it?

Re:Meaningless

The ideal is both. The request for the update is done over HTTPS to ensure tamper resistance during the download. Then, checking should not just check that the patch is signed, but that it can be applied to the current code, and is greater than what is currently available. Of course, a downgrade mechanism should be possible, but it would require manual intervention to have happen.

As for AV programs, I use a Mac, where there is no need for AV.

Re:Meaningless

[EndlessNameless]

I might intercept HTTP requests to install signed patch 1.4.8 and return signed patch 1.1.1 (a downgrade to a version with a known vulnerability) instead of the requested file.

This sounds insanely stupid.

Most patch and definition files include dates and/or versions, which are part of the signed files. You cannot simply send a version 1.1 patch rebadged as 1.4 to a 1.2 client and expect it to install. Changing the version invalidates the signature.

Long story short, I think there's still a role for HTTPS even when you're checking for patch signatures.

There is no discernible benefit unless the developer/vendor is a total moron. Digital signatures ensure the contents have no been tampered with---and that is from the date the files are signed until the present, not just while they are being transferred.

Maybe they get some bonus points if they use HTTPS, but they straight up fail if they do not digitally sign all updates.

The original article was written by some numbskull who obviously never worked a day in information security.

Re:Meaningless

GCC's nested functions put trampolines on the stack. Other things put trampolines on the heap. Forcing DEP on breaks stuff.

Re:Meaningless

Anything that includes runtime code generation, including delegates, which includes inner functions.

Re:Meaningless

[Nkwe]

HTTPS will keep a client from pulling updates from the wrong server.

Assuming of course that your HTTPS client properly validates the server's HTTPS certificate. This includes not only checking that the subject name of the certificate matches the DNS name you are connecting to, but also needs to include validating the cryptographic chain up to a well known trusted root Certificate Authority, and examining Certificate Revocation Lists to ensure that the CRL is current and doesn't contain a record indicating that the certificate has been revoked. Many systems do not fully ensure a valid HTTPS session, in specific many do not do CRL checking as it takes time.

While ensuring that the update has been properly signed reduces the likelihood that HTTPS has been unknowingly compromised, you still have to make sure that the signature process of the signed update is cryptographically valid as well.

If you are already compromised, all bets are off as you cannot be assured that your list of trusted CAs (which are the base of HTTPS security), whatever you are basing the signing of your updates on, and the very code that is validating everything is still doing its job.

Re:Meaningless

[xxxJonBoyxxx]

>> many do not do CRL checking

True - that's an ongoing blind spot in the security community. Those of us who work with long-lived and signed "web authentication tokens" are currently dealing with similar issues: once they are out in the wild, a lot of "performance-optimized" (highly scalable due to no central check-in/bottleneck) servers will continue to accept tokens that should have been revoked hours or days ago. (The tokens are accepted because they were signed by a trusted source and no check for revocation is done.)

Re:Meaningless

On Windows? What are you smoking. No one is using GCC for windows development. What kind of bubble do you live in?

Re:Meaningless

Replay attack

Re: Meaningless

No shit. Do you know why Firefox and chrome are such memory hogs? Because they run with address sanitizer. That's a piece of shit from google that increases memory consumption 4 times

Re:Meaningless

Sigh. They can accomplish the same by just knocking over the connection. Replaying the current patch is just a noop and replaying an older one won't do anything.

Re:Meaningless

[scdeimos]

HTTPS will keep a client from pulling updates from the wrong server.

No it doesn't. You put too much faith in HTTPS.

The default HTTPS providers on most operating systems only verify that the provided origin server certificate chain has been signed by a known trusted root and that the valid-from and valid-to dates are current. CRL checks are off by default because they require extra network traffic (which generally occurs over HTTP - go figure).

The above behaviours are required for man-in-the-middle re-encrypting proxy appliances, like those from Blue Coat Systems, Inc., to work correctly in corporate environments.

Any additional checks are up to individual applications, such as confirming that the trusted root is one that you expected (not BCSI), or that the origin certificate thumbprint is what you expected, etc.

Re:Meaningless

Windows exempts certain cd-copy drm from DEP.

Nothing to worry about here

I use Windows Defender Antivirus. It's helping to protect my Win 10 pc even now.

What operating system?

What operating system is being tested?

Re:What operating system?

The one that supports viruses.

Re:What operating system?

Thanks for narrowing that down to every platform in existence.

You are a useless wank stain.

Re:What operating system?

How would you propose to write a virus for a system that uses file permissions, such as UNIX?
The executable files are non-user-writable, and located in a non-user-writable directory.
How is a program run by a user going to change those files?
No change to executable files = no virus.

Re:What operating system?

[Wulf2k]

Craft an HTML file to exploit a javascript vulnerability that will make your perfectly valid browser executable execute arbitrary code, perhaps?

No change to executable files = virus.

Re:What operating system?

For most home users (and more businesses that anyone would like to admit) that don't use backups, malware and ransomware don't need to touch system files to be effective.
They only need to snoop for your passwords, encrypt your data files for ransom, etc which cab be just as vulnerable on Linux as any other OS.

Do any consumer friendly distributions perform regular snapshots with easy restore of files/folders/etc out of the box?

Re:What operating system?

So where's the virus part? A virus spreads from one executable file to another.
Or have we returned to the mid-'80s practice of calling ALL malware "viruses"?

Re:What operating system?

Who said anything about malware and ransomware? The subject was viruses.

Re:What operating system?

Windows has file permission since NT, moron.

Re:What operating system?

[arglebargle_xiv]

Any of them. Far too much security software is secure by executive fiat rather than practice. AV software is full of vulns due to the ton of file formats it has to be able to parse, firewalls have hardcoded default passwords and backdoors, IDSes have buffer overflows, etc. It is the way of things.

Re: What operating system?

Find an exploit in a suid binary and elevate privileges? Happens all the time...

They didn't evaluate Microsoft?

That's a pretty big omission IMHO, although it probably doesn't perform as good as the top 3, that's still a glaring omission.

Linux Mint

Best anti-virus ever. My system has yet to be infected by a Windows virus.

Re:Linux Mint

[ArhcAngel]

True Dat!
I tried installing Skype for Business but no matter what I try it won't run.

Re:Linux Mint

[pr0fessor]

It does matter... if every windows user switched to {pick an operating system} overnight it wouldn't be long before it would be a cat and mouse game of who can find an exploit first the people patching or the people writing malicious software. It doesn't matter how secure you think it is when there is money to be made and the os with the most installs has it people will find a way. Android is quickly turning into swiss cheese just like windows.

Re:Linux Mint

[Nutria]

Any operating systems written in Ada? (Of course, all the libraries and applications would have to be written in B&D languages, too.)

Absolutely terrible.

[Matheus]

That's (a small) part of why I don't employ them.

Next question?

Re:Absolutely terrible.

Being able to RECOVER from infection (wipe system/disk, reload or swith to clean backup system/disk) quickly is more important that virus protection unless someone has intentionally singled you out and actively attacking you.

Re:Absolutely terrible.

[GuB-42]

You have to know you are infected before you recover.
With ramsomware or adware, it is obvious. But if you are part of a botnet, the attacker will go to great lengths to make sure you don't notice the infection.

It's windows, that the base problem.

Focusing on anti virus, firewalls, what ever is useless. The problem is the base OS. Windows is flawed, been flawed and will continue to be flawed.

Virus called Microsoft

Except it doesn't protect you from Microsoft viruses

I protect mine thus... apk

APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

Selfchecks vs. alteration in every proc inlined (fast vs. function call overheads) & there's 100's of them (would take a SERIOUS 'custom hack job')!

If altered by 1 byte (by traditional .exe jump table/tail end attach viruses OR crackers using disassemblers/hexeditors) it shuts down + alters users & suggests reinstall (portable too)

Data's pristine refreshed as rebuild hosts & protects hosts above/beyond Windows SFP/WFP via a hi-res timer applying read-only (nothing usermode busts thru).

P.S. -> Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

Re:I protect mine thus... apk

Oh look, it's the autistic turd again.

Re: I protect mine thus... apk

Says the aspie.

Re:I protect mine thus... apk

Listing every single site in an hosts file only counts as reactive protection. As with regular anti-virus, it doesn't protect against new threats that you haven't had time to review.

AV updates don't need HTTPS.

As long as the update can be verified with a signed hash that's thought to be secure (e.g. not SHA-1) then there is no significant advantage to using HTTPS. It's doesn't hurt to distribute it over HTTPS but there's no reason it has to be delivered over HTTPS. The contents are public record in that anyone with a copy of the AV program has access and general updates don't need repudiation. This is the system that most linux distros use (you know, the sha and gpg hashes right after the download links that most people ignore)

AV vendors also shouldn't rely solely on HTTPS for that matter, there have been a number of successful MITM attacks against SSL and TLS over the past few years and if the AV vendor is putting all their faith in HTTPS to insure the integrity of their updates then they could have been compromised and probably could be again going forward.

Windows Defender is NOT included in the test

[williamyf]

That's strange. That is the solution that is in the box for the foreseable future.

Is updated the same way the rest of the OS is updated... Say what you want about forced updates and restarts, but if you do not trust the update mechanism (signeage of files + Method of delivery) of the OS itself, no ammount of 3rd party AV will do you any good.

I wonder how it stacks up on ASLR and DEP... but anyhow, I usae a Mac with BootCamp, so no big dealio

More importantly...

[Gravis+Zero]

Question: Why does Microsoft keep rewriting their software and perpetually adding vulnerabilities instead of perfecting code?
Answer: Money.

Solution: Don't use Microsoft products.

Re:More importantly...

[GuB-42]

Yes, money.
But this is not exclusive to Microsoft. Perfecting code doesn't sell, you need something new, and with new features come new bugs.
It is also applicable to free software. Free software mostly done by developers working for for-profit companies, and in most case their priority is not to perfect the code but rather adapt the software to their business model. A typical example is adding drivers for their products in the linux kernel.
And it even applies to nonprofits, just look at Mozilla.

The solution: None that I can think of. And unless people are ready to pay for it, it will stay that way.

The dirty little secret.

[lkroll4565]

There is no perfect anti-virus program. The only thing that comes close is using a sandbox and you religiously do all of your online stuff in that sandbox. You preferably use a sandbox with a golden recovery point or use a program like Deep Freeze which resets your session upon reboot or uncontrolled power down. I prefer just using Virtualbox and an OS that run within it. You can recover your golden setpoint within 10 seconds (no joke). This protection scheme alone will not protect against keyloggers though. :)

I'm no fan of anti-virus software...

[Balial]

... but rating them on their use of ASLR is worse than the problem:

https://forums.grsecurity.net/...

Find someone who's done some real security analysis, don't see if they bought the snake oil.

I don't use an anti-virus program

An old version of Comodo firewall has treated me well through the years - even alerting me when Charter.com back doored my system.

Re:I don't use an anti-virus program

I used comodo firewall up to version 2.4 on Win XP, before it tried to be an antivirus and other crap

Re:I don't use an anti-virus program

I used comodo firewall up to version 2.4 on Win XP, before it tried to be an antivirus and other crap

My version is 5.X is just before they went the Geek thing full bore. It's not a full fledge AV or if so non of the overhead if not in it's data base it will shoot it out to be scanned (this can be blocked).

trax3001bbs

Re:I don't use an anti-virus program

An old version of Comodo firewall has treated me well through the years - even alerting me when Charter.com back doored my system.

That's just not a good Anonymous Coward post (yet I can't get to a story logged in).
This is Charters entry into my system http://i64.tinypic.com/15x55t.jpg

-trax3001bbs

I do pretty well by our /. peers & more though

I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

his hosts program is actually pretty good by xenotransplant

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

take a look at the APK hosts file engine by SuperKendall

APK is kinda right. I've tried his hosts file generating software. It works by bmo

I like your host file system by Karmashock

I find your hosts file admirable by vel-ex-tech

* My code's liked + recommended & hosted by Malwarebytes' hpHosts!

APK

P.S.=> See subject: You're obviously projecting your own mental issues onto me - I'm not autistic & let's see YOU get the above for your non-existent code, ok? apk

AV Heuristic produce false positves like mad

See subject & AV signatures = more reactive (have to suck a threat in 1st) hosts block threat sources before it can get to you in the 1st place (thus, hosts = more proactive).

* As the saying goes? "Touche"... & of course, YOU ARE WELCOME TO DO A BETTER ONE THAN I HAVE YOURSELF (where's yours? It's not).

APK

P.S.=> AV Heuristics recently had Webroot go completely nuts on Windows in fact http://www.theregister.co.uk/2017/04/25/webroot_windows_wipeout/ so I can produce SOLID verifiable, concrete, undeniable PROOF - can you? Not that I see - mere "speculation" is what you have... apk

Don't bother with paid security

Personally I don't buy paid security and haven't for several years. The protection is not significantly better than free options and while you should use the best free option if your a general users who may not be able to understand threats or avoid them yourself. Many security experts have come out long ago and said security apps are basically worthless paid or free. They are marginally effective and a informed user can almost always do a better job by simply being a educated users.

AV is very good at this

[WillAffleckUW]

For more information, click on This Google Doc that explains how.

Re:AV is very good at this

I knew what you did there. Should be modded as funny.

Antivirus slows you & eats more resources

Tavis Ormandy's torn up every AV (full of coding vulnerabilities, biggest is writing in C/C++ null terminated strings (buffer overflows))

AV uses more moving parts complexity (room for exploit) - hosts = 1 "moving part" part of IP stack (tcpip.sys resolver in Windows) proven since 1968. No filter driver overhead too. Native protection vs. "Bolt on 'MoAr'" stupidity.

AV eats more resources & CPU it SLOWS YOU - hosts by way of comparison speed you up 2 ways (blocking ads & scripts, 1 of the biggest infectors there is) & hardcoded fav sites you spend most time @ (stopping DNS level tracking + resolution turn-around time - 2 for the price of 1 bonus & lighten DNS server load (goes down a lot & even the CHINESE have done "imitation = sincerest form of flattery" MY WAY via supercharge the 'hosts' file to save users plagued by DNS outages on that very note http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ )

APK

I knew BitDefender were on to something good

[kriston]

I knew BitDefender were on to something good.

They offer a free version and even the full version has near-negligible impact on performance.

And it was one of only three that passed all tests.

Improperly formatted APK post detected!

WARNING! DO NOT READ!

Windows Defender has detected a potential threat in this post: "APK Authenticity Check Failed->No P.S. line"

The concept of DEP

Yes the concept of DEP, having a separate memory space for instructions and not allowing execution outside if it. IBM mainframes had it in the 1960s. Simple and useful idea.

Until Microsoft and Apple ignored it for decades.

Pointless to Defend a Flawed Architechture

Protecting Windows from viruses is pointless. There are so many attack vectors as to make it impossible to defend.

For instance: the registry, not disabling the executable bit on downloads, IE/Edge integration, vulnerable programs with elevated privileges, the ability to run with admin rights, useless services leaving ports open, etc.

The architectures of Mac(UNIX) and Linux, are much better in this respect, with many hacks caused by weak passwords or social engineering techniques. Often the hack affects only one account and not the entire system. Not that NIX is perfect, but Windows feels like it was made by Fisher-Price (no offense to FP intended) by comparison.

Re:Pointless to Defend a Flawed Architechture

For instance: the registry, not disabling the executable bit on downloads, IE/Edge integration, vulnerable programs with elevated privileges, the ability to run with admin rights, useless services leaving ports open, etc.

.
I am typing this on my XP Pro machine and all of that can be removed by configuring any NT family OS's.

the registry: it is just similar to *.conf files on your Unix machines, but the registry have granular ACL where you can control the access and modification on some settings.
disable executable bit on downloads: set that by white-listing all my executables, yes even the archaic XP have this feature. All new executables downloaded or copied into my machine won't execute.
IE/Edge integration: how about systemD integration into your Linux distro? I can disable IE by not including all IE executable and dlls in my whitelist.
vuln programs with elevated priv: I have seen userland applications, and kernel modules in *BSD and Linux having vulnerabilities too.
ability to run with admin rights: same with all OS.
useless services leaving ports open: same with most Linux and BSD distros. I have seen the irritating Intel Management Engine ports (IME) being left open by Linux and BSDs too, same with windows. I can disable most services in windows to close those opened ports.

lol's Bitdefender passes the tests

MITM attacks still runs pass Bitdefender

Calling me names != effective you know

See subject: If the "best ya got" is calling me names (that aren't true about me & I suspect you're actually projecting)? You fail.

APK

P.S.=> I can't put it any simpler than that & I actually THANK you for doing it! apk

My post length's restricted... apk

See subject: I couldn't even add the fact hosts prevents security issues in DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + prevents botnet infesting infiltrators "asking for orders" from their C&C servers (effectively paralyzing them).

* I would've added that - but our "gracious host" here also further TRIES to restrict me to only 5 posts a day too - "Gosh, I wonder why?" (not - ad money is why, hosts block those (they infect/track/slow you))

APK

P.S.=> I'd suspect he tracks my browser by signature & tries keeping my post length REALLY low (& I know he tracks the direct download link to my program on Start64.com & won't let me post it here (or anyone else either I suspect)) - I already have him quoted as tracking my "patterns" etc. so, it's no mystery (not working though, lol)... apk

Re:My post length's restricted... apk

Post using TOR. Problem solved.

Just had to deal with a Windows 10 virus yesterday

First time I've seen a Windows 10 system get infected. Naturally it was the fault of the end user who downloaded a text translation toolbar that installed a search redirect into every browser on the system, then opened a backdoor for the actual virus to install which disabled UAC and Defender. The only mistake the virus made was that by disabling UAC the Edge browser was unable to open (go figure). It was just our dumb luck that the user was using Edge and came over to complain about it not working. Clean up was easy compared to infections I've dealt with in the past but it was surprising to see a virus so easily disable UAC.

Re:Just had to deal with a Windows 10 virus yester

No security feature of an OS or 3rd party can help protect a stupid user. First, create standard user accounts for all users and only one admin account to modify system settings in your Win10. A standard user cannot disable UAC.

Re:I do pretty well by our /. peers & more tho

Fuck you by Anonymous Coward

What problem?

See subject: As you see, I have no problem getting around it & as Obi-Wan Kenobi said to Darth Vader? "You can't win Darth - If you strike me down I shall become more powerful than you can possibly imagine..." & I think Whipslash/Logan Abbott knows that (he saw what happened when I posted on "AlmostALLAdsBlocked"'s website & when they DELETED that post, I just tossed it RIGHT back in their face in their inability to disprove 17 points of superiority hosts files have over their easily detected & blocked, bloated, inefficient & ineffectual CRIPPLED BY DEFAULT 'souled-out' to advertisers browser addon - it only worked in MY favor!).

APK

P.S.=> TOR? No, lol - I have a FAR better & faster method than that to blow past the "puny barriers" put in my way here, but thanks anyways - it IS the thought that counts... apk

No thanks - not interested... apk

See subject: Bet you're disappointed, right? What's the matter - you don't like EATING YOUR WORDS? Yes... LMAO!

* Take your own advice!

APK

P.S.=> You're a loony psycho stalker - no questions asked, you UNIDENTIFIABLE anomymous worm... apk