Why Popular Anti-Virus Apps 'Don't Work'

Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow-up to another article detailing the sad state of anti-virus software currently on the market.
  • No S**t (Score:5, Insightful)

    by Instine ( 963303 ) on Saturday July 22, 2006 @03:35PM (#15763740)
    AV software, and even most firewall software which goes beyond port control, simply prevents the user from using the whole of the internet, but rarely stops the internet using them. This is just one reason why.

    Still, it raises an interesting point, and a good example to give to non-believers if you ever have to give the "Nothing is perfectly secure" speech to a client.
  • by ColdWetDog ( 752185 ) on Saturday July 22, 2006 @03:35PM (#15763741) Homepage
    Or are both of these articles the same thing? And not much of anything, either. Two paragraph blurbs on the sad state of AV software.

    Nothing to see here, move along please.

  • by gasmonso ( 929871 ) on Saturday July 22, 2006 @03:36PM (#15763745) Homepage

    1. Firefox with popup blocker

    2. Firewall software

    3. Sit behind router

    4. Use AV software

    5. Don't click on anything that pops up without reading it!

    http://religiousfreaks.com/ [religiousfreaks.com]
  • Why is... (Score:2, Insightful)

    by twmf ( 990382 ) on Saturday July 22, 2006 @03:48PM (#15763784)
    ...the endless repetition of the obvious considered news?

    Ummmmm...

    Aw crap. Sorry, forgot which planet I was on again.

    Please move along.

  • by Anonymous Coward on Saturday July 22, 2006 @03:52PM (#15763792)
    You forgot step 6. Don't run Windows.
  • by Anonymous Coward on Saturday July 22, 2006 @03:52PM (#15763795)
    good list, but I would add;

    6. Don't use Windows

    7. Don't install something that you do not know (to within a reasonable degree of certainty) to be trustworthy
  • Default Deny (Score:4, Insightful)

    by lapagecp ( 914156 ) on Saturday July 22, 2006 @03:55PM (#15763803)
    Say it with me, people: Default Deny. Say it louder now so that Microsoft can hear it. Operating systems need to deny the right to execute by default. This whole "let anything run unless it looks like a virus" crap is not working. Oh, and Microsoft, that doesn't mean make a pop-up so that someone can click "Yeah, run it already." Every program shipped with the OS gets to run, every program you add to the list gets to run, maybe every program on a whitelist maintained by a person or company you trust gets to run, and that's it. Now before you all freak out and start talking about Linux and how you can already do this, let me remind you that "everyone switch to Linux" is not a valid solution because it's not going to happen anytime soon. Sure it works on a case by case basis, but I still need to go in to work and be able to keep 30 or 40 computers safe and clean that are going to run on Windows because that's what our software will run on. So Microsoft, do you let anyone into every room in every building you own unless security sees them on a list, or do you determine who can go where and then keep everyone else out? Why is it that we are forced to use security that anyone can see hasn't worked in the past and has no hope of working in the future?
  • by tomstdenis ( 446163 ) on Saturday July 22, 2006 @03:56PM (#15763805) Homepage
    I routinely get files [or browse for files] on random homebrew sites where "smart" people try and sneak a virus in there.

    AV isn't supposed to make your computer stupid-proof. If you download and run every single application you can find no AV in the world will help.

    If you happen to stumble on a 4 week old virus that either got bot-mailed to you or stored in a public archive, they're a godsend. Especially since most AVs scan archives, so before you even open it you're good.

    Tom
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday July 22, 2006 @03:56PM (#15763806)
    Think about it for a moment. What is the intent of anti-virus software ("anti" + "virus")? Isn't it to stop apps that you don't want running on your computer? Apps that were written by the "bad guys"?

    So, the reason that anti-virus software sucks is because the "bad guys" are writing BETTER "viruses" that can bypass the anti-virus programmers' software.

    And the reason for that is that anti-virus software is REACTIVE.

    A proactive system would patch the holes that are being exploited.

    A reactive system issues patches to remove all the specific threats encountered so far.

    That approach will ALWAYS result in the "good guys" being behind the "bad guys". Like DUH!!!
  • by Anonymous Coward on Saturday July 22, 2006 @03:57PM (#15763808)
    Indeed. None of these "brand new AV product problems" are new. Every real professional has known for over 10 years that anti-virus software is based on flawed assumptions and the fundamental principles behind them are plain broken.

    You have to distinguish what they do against lame, mindless amateurs and random automated attacks versus targeted attacks. Using those scenarios as a backdrop you will very fast realize that it's mostly easier to fix the problems (the security problems) and not the symptoms.
  • by Anonymous Coward on Saturday July 22, 2006 @03:58PM (#15763812)
    You mean this [joomeara.info]?
  • by __aaclcg7560 ( 824291 ) on Saturday July 22, 2006 @04:06PM (#15763829)
    ...by testing their code on the most popular anti-virus software before release.

    It's a sad state of affairs that worms, trojans and viruses are probably more tested before release than the anti-virus software.
  • by Carcass666 ( 539381 ) on Saturday July 22, 2006 @04:10PM (#15763837)

    IMHO, the problem comes down to how security works on PCs - it's based on the user, not the app. This is true on Linux as well as Windows. An application runs under the security context of what the user can get to. Applications ought to run under their own security accounts, and when they try to write somewhere they have not been authorized to write before, the user ought to get warned. If the application makes an outbound Internet connection or starts listening on a port without prior authorization, the user ought to get warned. It might seem a hassle to have a couple of hundred security accounts on the PC, but it is far less of a hassle than invasive anti-viral software, especially crap like Norton and McAfee.

    Yes, I know Linux is more secure than Windows; I'm a happy Ubuntu user. I sudo whenever I do anything administrative (install apps, install devices, etc.). But there is nothing stopping a hostile application from going out and nuking every file that my non-admin account has access to.

  • by CashCarSTAR ( 548853 ) on Saturday July 22, 2006 @04:20PM (#15763863)
    The biggest hole existing right now is the user. Any thought otherwise is simply whistling in the wind.

    Once a user runs software, if that software is malicious, that computer is compromised. Period.
  • by mobby_6kl ( 668092 ) on Saturday July 22, 2006 @04:21PM (#15763864)
    > Why don't antivirus vendors focus on providing workarounds for the actual Windows security flaws instead?

    Because viruses aren't using any security flaws.
  • by Mr. Freeman ( 933986 ) on Saturday July 22, 2006 @04:33PM (#15763887)
    I agree that windows is insecure. But it isn't exactly practical for a lot of people to switch to another OS. I hate windows, but I'm pretty much forced to use it because I have no idea how to run Linux well, and apple doesn't run any of the applications I use often.
  • Ummm ok (Score:3, Insightful)

    by Sycraft-fu ( 314770 ) on Saturday July 22, 2006 @04:33PM (#15763888)
    Default deny subject to whose override authority? Remember: we are talking about a problem at home here. At work, things are already default deny, subject to my authority (or other members of our computer group). You don't get admin/root, so you run only what's installed. Solaris or Windows, doesn't matter.

    Ok, but what about at home? You are the admin there. Who looks over your shoulder and determines if something is safe? You can set the OS to default deny running things by running it as a non-administrative account, or by getting something like KPF that intercepts execution and asks you, but in either case it doesn't do anything if you give it permission. Doesn't matter what the hoops you have to jump through are; when you give it permission to escalate privilege and run, you are screwed if you didn't check it out beforehand.

    I mean, you can have a nice, secure Fedora box and I can send you a binary called destroy_system. If you decide to run it, Fedora automatically asks you for root. If you give it that, it does as it says. There's no way for them to defend you from yourself without going to something like TCPA, where some party other than yourself gets to decide what can and cannot be run on your system.

    I think some UNIX people put WAAAAAY too much faith in UNIX's privilege escalation model, as though somehow if the OS asks for a password instead of just a yes/no box people will suddenly stop and think. No, sorry, they won't. They'll view it as just another hoop to jump through. They won't read it, they won't consider the implications, they'll just learn "give it the password and it goes away" and will start doing just that.

    In the hands of an educated user, running deprivileged helps because it makes sure something doesn't automatically launch that you aren't aware of. However, in the hands of a clueless user, who is the real problem here, that doesn't cut it. You need something like a virus/spyware scanner that maintains a list of "bad" things and disallows those. Even then, some of them will override it because it'll block the installation of something they want.
  • Re:No S**t (Score:2, Insightful)

    by Instine ( 963303 ) on Saturday July 22, 2006 @04:35PM (#15763891)
    And what crappy firewall do you use?

    Good question. I use XP's SP2 with Advanced Security Tech, plus Router, on my everyday machine. I'll not publicise the security I use on more critical machines (eccentricity plus obfuscation is THE only way to minimise security breaches in my opinion). But no AV. I don't open untrustworthy apps, and as TFA goes some way to explain, AV software doesn't work. However, I dev and support web apps that must circumvent 'intrusions' made by Norton.

    One such feature is their referrer blocking. This seems to serve no purpose, and is simple to work around. Without the work-around, my software, and many other web apps and sites out there, are broken by this "security measure". It took me precisely 1 hour to work around this issue, and I'm not that fast a coder.

    Am I some kind of evil ninja hacker trying to phish people's personal details? No, I'm a developer trying to make web based accessibility software.

    So what DO I suggest? Have a quick and easy backup and recovery system. And use it. Oh, and don't think Norton does anything practical to help your system security. It simply stops you from using many honest, trustworthy sites and services, while marginally improving your chances against old, 'orthodox' malware.
  • Eye-Candy (Score:3, Insightful)

    by Anonymous Coward on Saturday July 22, 2006 @04:43PM (#15763918)
    That's why: there is too much eye-candy!

    I gave up a long time ago on NAV because it had a heavy interface -- fancy background, fade in/out, and all the other stuff that don't really contribute to its operation, especially for an application whose GUI you don't really pop or see very often.

    Simple buttons and windows are enough, coupled with a good proper operation within a restricted account -- i.e. good communication with the service that runs in the background.

    That is why I like the free AVG option.
  • by arodland ( 127775 ) on Saturday July 22, 2006 @04:58PM (#15763970)
    You can't run Linux because you're not experienced in using it... but you were born knowing how to use Windows? Or what?
  • by Anonymous Coward on Saturday July 22, 2006 @05:08PM (#15764005)
    6. Post the same link in every post you make on slashdot.

    7. ???

    8. Profit!!!

    Mods, I don't care what you do to me, but someone has to stop this guy.
  • Re:No S**t (Score:3, Insightful)

    by secolactico ( 519805 ) on Saturday July 22, 2006 @05:44PM (#15764107) Journal
    The program was the most obscene resource hog I've ever had the displeasure to use

    Sadly, Symantec and most popular anti-virus apps now want to do *everything*. They install a firewall, anti-spam, anti-phishing, web content blocker, etc. And usually, turning off these features simply means they won't actively filter/block but will still be residing in memory.

    All I want is an antivirus that doesn't try to do everything for me. I've been a user of Panda Software for a while, but I won't be renewing my subscription for this reason.
  • by NihilEst ( 976138 ) on Saturday July 22, 2006 @05:57PM (#15764138)
    Another poster got it, too. You had to learn to use windoze, you can learn to use Linux, too. Or *BSD, or Mac OS. Anything other than windoze. Necessity makes it practical.

    When you use windoze, you're using the most targeted OS on the Earth ... you're lumping yourself in with a vast crowd of people who know absolutely nothing and suspect even less. Putting one of these machines on the 'Net is an invitation to be robbed -- literally; in many, many ways -- not to mention being held hostage by MS and whatever it decides to implement for DRM and other issues yet to be named.

    No AV package/author is going to be able to stay even one step ahead of the black hats out there, who are getting more criminal as time goes on. You don't have to actively do anything other than visit a website to be infected/ripped off any more. The black hats have gotten very, very sophisticated. There's money available for the taking, and you're hanging it out there as long as you run windoze and store any kind of personal data on it.

    I've heard all the excuses; none of them wash. Either you're intelligent enough to own, administer, and operate a computer; or you're not. If you have that level of intelligence, you are certainly capable of learning and retaining enough knowledge to run something else. So it takes an investment of time and effort ... okay, live with it.

    Use windoze at your own risk.

  • by RexRhino ( 769423 ) on Saturday July 22, 2006 @06:07PM (#15764163)
    One of the easiest ways to protect yourself on Windows is to not run as Admin. Only log into admin when you want to install new software, or when you want to update Windows, etc. In my opinion this is way more effective than any AV software (although I would recommend AV anyway). I would say that 50% (at least) of the nasty things that happen to Windows machines are caused by the fact that people tend to run as Admin by default.

    People would never dream of running as root all the time on their Linux machine, yet those same people often run as an admin in Windows XP.
  • by kimvette ( 919543 ) on Saturday July 22, 2006 @06:25PM (#15764215) Homepage Journal
    Scientists discover that polio vaccines don't work against other diseases. Details at 11.

    Seriously, this isn't news. This was obvious from the time where any signature updates were ever required, or when viruses, scumware, etc. included code to disable/corrupt/uninstall/otherwise cripple antivirus and antispyware software. They're merely admitting it now.
  • by jlarocco ( 851450 ) on Saturday July 22, 2006 @06:48PM (#15764291) Homepage
    I agree that windows is insecure. But it isn't exactly practical for a lot of people to switch to another OS. I hate windows, but I'm pretty much forced to use it because I have no idea how to run Linux well, and apple doesn't run any of the applications I use often.

    Oh, you poor thing. I have an idea which may help you: Stop bitching.

    If you hate Windows so much, take some fucking initiative and learn something else. What the hell are you waiting for? Someone to volunteer to teach you? For Linux to become a Windows clone? Guess what? It's not gonna happen. Ever.

    If you hate Windows, but still use it, it's your own fault. Stop crying to everyone on Slashdot that you're too stupid too learn.

  • Re:Mac AV Software (Score:3, Insightful)

    by smash ( 1351 ) on Saturday July 22, 2006 @07:28PM (#15764394) Homepage Journal
    Definitions for Windows viruses, so your Mac can say "virus detected!!" and give you the warm fuzzies that Symantec (or whoever) are protecting you from a (currently) non-existent threat, so you continue to put up the cash...
  • Re:No S**t (Score:3, Insightful)

  • by NixLuver ( 693391 ) on Saturday July 22, 2006 @08:10PM (#15764472) Homepage Journal
    From TFA:

    '"The most popular brands of antivirus on the market... have an 80 percent miss rate... So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in," said Ingram.'

    Your argument is specious. Your conclusion may not be completely so (that's an individual min-max: is the effort, expense, and general PITA compensation for my 20% risk reduction?), but I'm more inclined to believe it's an IT-type "No one ever got fired for recommending an antivirus application be installed" rather than any real value-add position. I work for a major technology corporation that shall remain nameless; the corporate desktop image is crippled by some of this AV software that 'does not work' (per TFA), costs large quantities of dollars, and does not 'catch' viruses or trojans. To be fair, it might, but the email system in and out of the network scans all attachments and kills anything remotely resembling an executable (including important Visio diagrams and Word documents). All web traffic is redirected through a transparent proxy that crashes IE (although it just irritates Firefox) by forcing authentication for any URL it deems 'questionable'. And the desktop AV software has missed every challenge it's been faced with.

    As a Unix Systems Engineer, I just sit at my Solaris, Linux, and OSX machines and shake my head in sympathy for my less fortunate brethren, and (mostly) resist the desire to invoke the ancient Dilbert line... "Here's a nickel, kid; go get yourself a better computer."

  • Re:No S**t (Score:3, Insightful)

    by vux984 ( 928602 ) on Saturday July 22, 2006 @08:37PM (#15764525)
    Your argument is specious.

    I'd say that depends largely on which virus scanner you end up choosing.
    Kaspersky was noted as having a 90% hit rate, for example.
  • by Lord Ender ( 156273 ) on Saturday July 22, 2006 @08:55PM (#15764564) Homepage
    Most end-user Linux installs have one user who admins the machine with sudo. Anyone with any skill who writes a Linux virus would simply make his code wait for the user to sudo, then install the rootkit.

    The one reason viruses aren't a problem in linux: fewer gullible users.
    The one reason worms aren't a problem in linux: the small number of diverse builds.

    User separation has very little to do with it.
  • Re:No S**t (Score:3, Insightful)

    by vux984 ( 928602 ) on Saturday July 22, 2006 @09:44PM (#15764648)
    If his PCs bugger up he wastes maybe an hour or two recovering the system from a complete backup and goes about his business,...

    Not necessarily.

    With the right kind of malware afflicting his system, he won't be spending 1-2 hours recovering from a complete backup. He'll have to either reinstall from scratch or revert to a very old backup image and then scavenge his backup(s) for usable files and documents, and even may have to give up on several files and recreate them from scratch. He could lose weeks or much more. Is it unlikely? Hell yeah. But then... so is my house burning down.

    "Good" Malware doesn't bring your system down hard right away, so that you can simply restore it from a recent clean image. It corrupts data over time so your backups are corrupt too. And then restoring it is a *much* bigger hassle, and depending on your backup strategy you might have lost stuff too.

    I'm not saying AV will necessarily save you, but it might give you an earlier warning than you might otherwise have had. The right backup strategy will save your data, but those strategies tend to be tedious, cumbersome, and complex, especially for home users. And restoring will still be a PITA. Fortunately most malware just wants to annoy you with advertising, or use your computer to launch further attacks on someone else.

    But there are virii that are designed to maliciously cause damage to the systems they are on, or steal your identity or harvest 'valuable' data from your PC. Backups won't help much against these kinds of malware. In the former, the backups are themselves likely to be corrupt, and in the latter the real damage cannot simply be undone by restoring from backups -- that won't get your 'stolen' data back.

  • by buss_error ( 142273 ) on Saturday July 22, 2006 @10:17PM (#15764729) Homepage Journal
    Speaking only for a Windows world....

    As currently written, all anti-virus software will fail. The simple reason is that anti-virus depends on a signature or a synthesis of actions to identify what is "bad" and what is "good". Last time I looked, using a moral imperative in programming wasn't a system call. Like spam, viruses are not a technical problem; they are a human problem.

    The chief problem is that anti-virus is a defensive posture. Sooner or later, any defense will fail, if only because it becomes outmoded and/or outflanked. Defend only the walls, and you leave yourself open for an air attack. You see the quandary here: it is impossible to know all the various ways to mount an attack and defend against all of them.

    You can do what many companies have started to do: prohibit executables in AD policy that are not specifically allowed. This protects (mostly, somewhat) corporate America, but doesn't protect the home user that doesn't have an Active Directory server, and likely wouldn't put up with that kind of restriction anyway.
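The "default deny" argument made earlier in the thread and the AD "prohibit executables not specifically allowed" approach above are the same policy. The following is an added example, not code from any comment on this page, that models that policy next to the reactive signature blacklist the article criticises, on constructed fake "executables" (the byte strings, names and marker values are invented for the demo):

```python
"""Default-deny execution control versus a reactive signature blacklist.

Added example, not code from any comment on this page: it models the two
policies argued over in the thread (run anything unless it looks like a
known virus, versus run nothing that was not explicitly approved) on a
handful of constructed fake "executables".
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for PE images; the bytes are made up for the demo.
SAMPLES: dict[str, bytes] = {
    "notepad.exe":    b"MZ OS-shipped editor, unchanged since install",
    "payroll.exe":    b"MZ line-of-business app, approved by IT",
    "payroll_v2.exe": b"MZ line-of-business app, vendor update not yet approved",
    "dropper_a.exe":  b"MZ marker-7f31 sample already analysed by the AV vendor",
    "dropper_b.exe":  b"MZ marker-7f32 variant first seen after the signature shipped",
}


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass
class SignatureBlacklist:
    """Reactive model: everything runs unless it matches a known-bad pattern."""
    signatures: list[bytes] = field(default_factory=list)

    def decide(self, image: bytes) -> str:
        return "deny" if any(sig in image for sig in self.signatures) else "allow"


@dataclass
class HashAllowlist:
    """Default-deny model: nothing runs unless its hash was approved beforehand."""
    approved: set[str] = field(default_factory=set)
    denied_launches: list[str] = field(default_factory=list)  # audit trail

    def approve(self, image: bytes) -> None:
        self.approved.add(sha256_hex(image))

    def decide(self, image: bytes) -> str:
        digest = sha256_hex(image)
        if digest in self.approved:
            return "allow"
        # A denied launch is itself a detection signal worth logging.
        self.denied_launches.append(digest)
        return "deny"


def build_policies() -> tuple[SignatureBlacklist, HashAllowlist]:
    # The blacklist only knows the one sample that has already been analysed.
    blacklist = SignatureBlacklist(signatures=[b"marker-7f31"])
    # The allowlist holds what shipped with the OS plus what IT approved.
    allowlist = HashAllowlist()
    allowlist.approve(SAMPLES["notepad.exe"])
    allowlist.approve(SAMPLES["payroll.exe"])
    return blacklist, allowlist


def evaluate(policy, samples: dict[str, bytes] = SAMPLES) -> dict[str, str]:
    """Run every sample through one policy and collect its verdicts."""
    return {name: policy.decide(image) for name, image in samples.items()}


if __name__ == "__main__":
    blacklist, allowlist = build_policies()
    bl, al = evaluate(blacklist), evaluate(allowlist)
    for name in SAMPLES:
        print(f"{name:15} blacklist={bl[name]:5} allowlist={al[name]}")
```

The unseen variant passes the blacklist but not the allowlist; the price, visible in `payroll_v2.exe`, is that every legitimate update also stays denied until someone approves it, which is the administrative burden the thread's home-user objections are about.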

  • by Mantrid42 ( 972953 ) on Saturday July 22, 2006 @11:34PM (#15764866)
    So does this mean that I'm better off using an AV that isn't widely used? Is this one case where security through obscurity is actually valid?
  • obscurity (Score:3, Insightful)

    by akhomerun ( 893103 ) on Sunday July 23, 2006 @12:55AM (#15765019)
    security by obscurity is still one of the best ways to keep yourself secure. whether it be macintoshes, or just leaving your house's spare key in a really good hiding spot, obscurity is one of the oldest security features around.

    obviously, what you need is an obscure anti virus app that's also really protective (as in put your spare key in a safe and hide it).

    of course problem with that is that if an antivirus product works well, it doesn't stay obscure for long.

    man i'm really stating the obvious here. i'm done now.
  • How AV *can* work (Score:2, Insightful)

    by OhioJoe ( 178138 ) on Sunday July 23, 2006 @03:55AM (#15765260)
    ..or how Microsoft can beat them to it.

    Can someone explain to me (I am not a programmer) if Microsoft has it in their easy to reach power to allow users to do the following, if they choose:

    1a. Blacklist any executable the user desires from running, no exceptions.

    1b. And make this very easy by simply right-clicking on a process and selecting "Don't allow to relaunch".

    2. And break down all the SVHOST.EXE programs into their individual component processes so when a virus adds itself under the svhost.exe, that virus is seen as a separate process.

    2a. Stop writing the Windows program to name several processes the same damned name (i.e. SVHOSTS.EXE)

    Joe

  • by isorox ( 205688 ) on Sunday July 23, 2006 @09:55AM (#15765758) Homepage Journal
    Most people I know haven't got a clue what a file is. They aren't computer literate; they can load a few programs (word processor, browser, email), and that's about it.

    It took YEARS for me to get somewhat computer literate (using linux). Not everyone fancies spending hundreds of hours re-learning it all.

    I've tried windows XP (and 2K) several times, but I hate using something I don't understand, or don't understand enough to configure to run properly and such... Every time I've tried it, I've had problems, I couldn't even find the command line, had to download cygwin. All I could find (after about 2 hours) was an expanded run command "Command Prompt".

    Files were stored seemingly randomly, and I wasn't sure where my files were for some programs, I couldn't find apache's htdocs without doing a search. The version of windows search I had seemed to have a bug, instead of taking half a second like 'locate htdocs' does, it took forever.

    Of course, I had to figure out that installing apache wasn't enough - gotta install the service too or something, wtf is this computer management thing?

    My PDA wouldn't work. I plugged it in (just works (TM) under Linux), but Windows said "Found new hardware, insert driver disk". WTF is a driver disk? My PDA's a few years old, and it's a standard USB networking device. Fixing it seemed overly complex; I couldn't find a driver on the "list all drivers" option. Had to spend donkey's years finding and installing essential programs, and it turns out with Windows I can't just click on a program and have it automatically download and install (I hoped "add remove programs" in control panel would do that; it seems to simply be "remove (some) programs" though). I have to visit a website, click through dozens of popups, download a zip file, extract that, run a setup program, install that, then get around to configuring the program. I looked for something like ".putty" to see where it stored connections, so I could move to another machine easily, but no sign of that.

    I'm also told I need something called "Anti Virus"? WTF is that? If my computer sneezes I'll know about it, but I doubt that it can get a cold (my PC runs >50C). Coupled with having to find alternatives for the programs I take for granted (cygwin helps a lot, but not for everything), and I find that programs that are available don't have the same support.

    USB flash drive had to have drivers installed and a reboot (a reboot? I've plugged in a simple USB storage device, not a new freakin' OS) too.

    Yes, there is always an answer, a fix, or whatever. And the OS is ubiquitous and all. But you gotta figure it all out, and even though ppl here like to say their grandma runs Windows and finds it easy, IT'S NOT. I was completely fucking lost. Want to understand where files are (I hear some configuration settings are stored in a single binary file with a lousy editor)? Sure! Just read some website that's 100 pages of adverts. There's no nice simple help system like "man" to find out how to do something easily.

    I'm sorry, but I'd rather download a Linux net-install disk at dinner and put it on that night, rather than having to leave the house, go 20 miles to some shop, spend $CAD 400 [microwarehouse.co.uk] on a version of Windows, come back and then faff around installing, registering and activating it.

    I'm still toying with windows at work, but for my home desktop? Not a chance.

    If someone was learning one OS or the other from scratch, perhaps Windows could be a better choice, but there are some of us that have already invested more time than we care learning to use an OS and associated apps, and I just am not going to relearn it all. When I had a problem with Linux I'd fire off an email to my local LUG and get a few nice courteous replies within an hour or two. I haven't found a Windows user group though.

    Windows isn't for everyone I guess.
