Why Popular Anti-Virus Apps 'Don't Work' 375

Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow up to another article detailing the sad state of anti-virus software currently on the market.
  • I don't use Norton.. (Score:2, Interesting)

    by ACAx1985 ( 989265 ) on Saturday July 22, 2006 @03:38PM (#15763754) Homepage
    I don't use Norton not because I feel it's poor at catching/preventing viruses, but for the level of intrusion that comes with it. The Norton name, and especially Norton Ghost, are just a headache waiting to happen for anyone who installs it. I very happily use Firefox 1.5 and the latest version of Nod32. Additionally, I don't open e-mails that promise a glimpse into Paris Hilton's private area. -ACA
  • Kaspersky? (Score:2, Interesting)

    by morgan_greywolf ( 835522 ) on Saturday July 22, 2006 @03:39PM (#15763757) Homepage Journal
    FTFA:

    One vendor Ingram did mention was Russian outfit Kaspersky, which in the same tests managed to block around 90 percent of new malware.


    So what's Kaspersky doing that's making it so much better? Or was the study paid for by Kaspersky? It sounds suspiciously like FUD to me.

  • by Animats ( 122034 ) on Saturday July 22, 2006 @03:53PM (#15763796) Homepage

    The whole concept of recognizing known viruses was fundamentally flawed. It had a good run, but that was because virus writers were mostly trying to get attention, not steal. Now that viruses are an ongoing criminal enterprise, the old dumb tactics won't work.

    We're going to have to give up on recognition and put more effort into partitioning. We need setups where each web page renders in its own jail, and it doesn't matter if the browser is insecure - when the page closes, a program exits and any corrupted info goes away.

    Of course, this will break Active-X, toolbars, downloads, etc. Then again, on business systems, you want those things broken.

    Once the browser is locked down like that, you need a "guard" program. When you want to move a file out of a browser's jail, it has to go through a program that "sanitizes" it. Often, a translation to a well-documented format that doesn't contain execution capability will do the job. Converting incoming .doc files to Open Document XML format, for example.

    It's quite possible to completely solve this problem.

  • by chrysalis ( 50680 ) on Saturday July 22, 2006 @03:59PM (#15763813) Homepage
    What does an antivirus do? It scans files and memory for known patterns in order to erase some bits. If 10 different viruses exploit the same flaw in 10 different ways, an antivirus requires 10 signatures to recognize them all (heuristics *are* signatures). Why don't antivirus vendors focus on providing workarounds for the actual Windows security flaws instead?
  • But... (Score:5, Interesting)

    by aardvarkjoe ( 156801 ) on Saturday July 22, 2006 @04:06PM (#15763824)

    Aren't most of the viruses and worms that are out there just variants of other viruses? It seems like most of the time that I hear about a "new" terrible virus, it's really a slightly modified version of one that's been around for a while, and usually if you're up to date on your antivirus and security patches the new virus won't do anything anyway. And let's not forget that there are still plenty of old viruses on non-secured machines that an antivirus application will protect you from.

    I can see their point where people developing a new virus are concerned, but as the lifecycle of a virus is often longer than the time it takes to update the signatures, I think that they are overstating their case by saying that the AV apps "don't work."

  • by Null Nihils ( 965047 ) on Saturday July 22, 2006 @04:09PM (#15763835) Journal
    Once malicious code enters the "perimeter", so to speak, AV software is a rather weak stopgap measure. Software design flaws that result in holes can seldom be fixed by adding more surface area; it only becomes a matter of time before the attacker figures out the next step. The AV software companies know that most of their customers have no idea how computer security works. Antivirus provides some shallow peace of mind for Joe Average. It is not a very serious security measure and it should not be relied on as such.

    I'm sure other posters will provide the real answers to security, like limited user access, a good firewall, not running untrusted code, and using a web browser that isn't garbage.

    I went for 3 years using just these precautions, but used no antivirus whatsoever. I never became infected by a single thing. I only recently grabbed ClamWin [clamwin.com], a port of ClamAV, for my Windoze box because I wanted to scan a program I got via P2P.
  • by Teilo ( 91279 ) on Saturday July 22, 2006 @04:24PM (#15763872) Homepage
    Both these articles read like they were written by an idiot. They do not make the distinction between the detection of known viruses, and the detection of unknown viruses via heuristics. And if you start calling heuristics a signature, you are going to confuse the heck out of everyone. Don't mix terminology.

    Honestly, I do not know anyone who believes that an AV program is going to protect them from unknown viruses! The whole point of AV software is to give you protection from viruses as they are discovered. I mean everyone knows that if they do not update their virus signatures on a constant basis (several times a day on my mail servers), they may as well not be running virus protection at all. OK. Maybe some people are dunces about this, but honestly, even my 81 year old grandmother knows that she has to keep her AV current, or she's unprotected.

    I mean, for crying out loud, what are these signature updates for? For catching known viruses. Mega duh!
  • Re:Default Deny (Score:3, Interesting)

    by hackstraw ( 262471 ) * on Saturday July 22, 2006 @04:31PM (#15763882)
    Operating systems need to by default deny the right to execute.

    Hmm. Like Linux/UNIX that does not store executable permissions on email attachments w/o user intervention? Like OS X's behavior to ask the user the first time they run an associated file with an app for the first time? Like viruses are a Microsoft problem, and not a feature of other OSes?

    I can't ever seem to type the last question here on /. without getting slammed, but when are people going to give up the drama and just use an OS that suits their wants and needs or shut the fuck up and deal with viruses, crashes, lagging development and features, horrible UI, and all that.

    No, there are no battered OS user shelters like battered wife shelters. No, there is not MA (Microsoft Anonymous), but today in 2006, OSes are almost a dime a dozen like microwaves and everything else. I've been MS free for quite some time, but I'm in the process of taking over a PC at work that has 2000 on it and it had mysterious popups, firefox would not work with the HP print server I was playing with (java issue or something). The admin of the box said that you still basically have to log in as Administrator to do anything. Just for fun, I clicked on the adaware icon, and it found 70-80 or so things on it. In order to get TCP/IP printing to work, you had to configure a local printer to look like a networked printer or something bassackwards like that.

    I mean, this was my first MS OS adventure in over 5 years, and within a couple of hours I was reminded of why I simply do not go there. Aside from the specific issues I mentioned, sure I was able to click on crap and view the web and read email, but how tough is that to do on any computer today?

  • Re:No S**t (Score:4, Interesting)

    by tokenhillbilly ( 311564 ) on Saturday July 22, 2006 @04:51PM (#15763945)
    I did the same thing almost the same time ago. I had 5 computers in my home running Symantec AV. The subscriptions kept expiring on a seemingly continuous rotation. Looking at the logs, none of them had detected a single virus in over a year. I finally decided to develop a system of backing up any critical files on a regular basis and a procedure for reloading my systems if they were affected by any malware that came along. I removed all protection from my systems and waited for the worst.

    It's a year later and, other than my systems running almost twice as fast and having a lot fewer weird hangups and crashes, I have not had a single problem.
  • by the_claps ( 990396 ) on Saturday July 22, 2006 @05:30PM (#15764077)
    There are two kinds of viruses, really; good ones, and bad ones. The bad ones are easy to erase - your AV will do it for you. It's the good ones, written by experts and people who know the software industry like the back of their hands, that are troublesome. None of your lame anti-virus software apps, like AVG or, if you're stupid enough to pay for it, Norton, will get rid of them. However, chances are, if it's a good enough virus, you're not the only one in the world who has it. Chances are, millions upon millions of people like you have not only gotten it, but also defeated it. And, they're helpful folks. They've posted their solutions on the internet, step by step. So, all in all, use Google to rid yourself of your problem. (If you believe a process like example.exe keeps starting on your system, just type that into Google, select a few keywords like "virus" or "help", and you're set.) PS. They say that if you're stupid enough to get a virus, you deserve it. I say, if you're stupid enough to PAY for AV software, you deserve the virus.
  • Re:No S**t (Score:4, Interesting)

    by kz45 ( 175825 ) <kz45@blob.com> on Saturday July 22, 2006 @05:51PM (#15764118)
    "The program was the most obscene resource hogs I've ever had the displeasure to use"

    The home editions are a resource hog. The enterprise edition (at least of McAfee) has a very small footprint and is lightning fast. McAfee should consider using the same build on their home editions.
  • by Beryllium Sphere(tm) ( 193358 ) on Saturday July 22, 2006 @06:01PM (#15764148) Journal
    >a well-documented format that doesn't contain execution capability

    The program that reads that well-documented format might have a vulnerability which the theoretically non-executable file could exploit. That's happened in real life, with JPEG and PNG.

    Worse, the line between executables and data isn't as sharp as we usually think it is. After all, an executable is nothing but data for the CPU's decoder. We *hope* that $WORDPROCESSOR doesn't do anything except display documents in response to the instructions in a document file, but there's one well known word processor whose behavior is as unpredictable as a cat's.
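    The parser that reads the "safe" format is exactly where the guard program from the parent post has to be strict: it must check every declared length against the real file before trusting a byte. As an added example that is not from the thread or from any of the products mentioned, here is a small Python validator for PNG (the format named above) that rejects a file whose chunk header lies about its size; the chunk allowlist and the dimension cap are assumed policy for this example:

```python
import struct
import zlib
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumed policy for this example: only these chunk types may cross the boundary.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}
MAX_DIMENSION = 8192  # assumed cap; bounds the width*height allocation downstream


def validate_png(data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every declared length is checked against the
    real file size before any byte is trusted; nothing is inferred or repaired."""
    if not data.startswith(PNG_SIGNATURE):
        return False, "bad PNG signature"
    pos = len(PNG_SIGNATURE)
    seen_ihdr = False
    while pos < len(data):
        if len(data) - pos < 12:  # 4 length + 4 type + 4 CRC is the minimum chunk
            return False, "truncated chunk header"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:  # PNG spec limit on a chunk length
            return False, f"chunk {ctype!r} length exceeds spec limit"
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):  # header claims more bytes than exist
            return False, f"chunk {ctype!r} claims {length} bytes past end of file"
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) != crc:
            return False, f"chunk {ctype!r} CRC mismatch"
        if ctype not in ALLOWED_CHUNKS:
            return False, f"chunk {ctype!r} not on allowlist"
        if ctype == b"IHDR":
            if seen_ihdr or length != 13:
                return False, "duplicate or malformed IHDR"
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                return False, f"dimensions {width}x{height} outside policy"
            seen_ihdr = True
        elif not seen_ihdr:
            return False, f"chunk {ctype!r} before IHDR"
        if ctype == b"IEND":
            if body_end + 4 != len(data):
                return False, "trailing bytes after IEND"
            return True, "ok"
        pos = body_end + 4
    return False, "missing IEND"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build a correctly framed chunk (used only to construct sample input)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_sample_png() -> bytes:
    """Constructed 1x1 8-bit greyscale PNG: one filter byte plus one pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_bad_length_png() -> bytes:
    """Same constructed file with the IDAT length field rewritten to 256 MiB:
    legal per spec, but far beyond the real file, so a reader that trusts the
    header over-reads. A strict guard must reject it rather than 'fix' it."""
    good = make_sample_png()
    length_field = good.index(b"IDAT") - 4
    return good[:length_field] + struct.pack(">I", 0x10000000) + good[length_field + 4:]


if __name__ == "__main__":
    print(validate_png(make_sample_png()))      # (True, 'ok')
    print(validate_png(make_bad_length_png()))  # rejected: declared length past end of file
```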
  • Re:What I do (Score:2, Interesting)

    by wildman6801 ( 763038 ) on Saturday July 22, 2006 @06:26PM (#15764217)
    The problem with this approach in Windows XP is most programs will not work properly as a limited user. This is because most programs were designed for Windows 9x, not NT. The programs that were designed originally for NT will run this way. What Microsoft should do with the new release of Windows Vista is set up a user account on the system as a limited user. For Microsoft certification they must be able to function as a limited user! This would fix a lot of problems with malware and viruses!
  • by cyberformer ( 257332 ) on Saturday July 22, 2006 @06:32PM (#15764237)
    Most AV apps pop up a warning whenever they detect a virus. They like to remind you that they're doing their job.

    More than once, Symantec AV has told me that it's detected and neutralized a Web page with the WMF vulnerability. I guess that's interesting to know, even though my system was fully patched so I wouldn't have been vulnerable anyway. It's also told me that my PC was being probed by hacking scripts, though (again) I was already protected through patches and not having the necessary ports open.

    The real question is, how do any of us know that we're not already infected by a super-devious rootkit that no AV apps recognize?
  • Munir is a mole. (Score:3, Interesting)

    by lantastik ( 877247 ) on Saturday July 22, 2006 @06:39PM (#15764255)
    He always has been and always will be. His articles are practically marketing material for Kaspersky labs. First of all, write an article stating the obvious and then back it up with some arbitrary figures without displaying any real results.

    For your reference (I made sure to use the Google cache so you can see the highlighting):
    Hmmmm...what sole vendor was interviewed for this article?
    I wonder who the focus of this article is...
    My goodness! Another article from Munir which focuses on Kaspersky. Who would have guessed?
    Which company did Munir get a virus analyst from to comment on this article?

    Now that is some quality, unbiased reporting for you. Don't believe Munir's BS, it's a load of crap.
  • Re:No S**t (Score:2, Interesting)

    by iminplaya ( 723125 ) on Saturday July 22, 2006 @06:50PM (#15764302) Journal
    Mcafee should consider using the same build on their home editions.

    What? And kill their sales of the enterprise edition? You won't get far in today's corporate world.
  • by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Saturday July 22, 2006 @06:52PM (#15764306) Homepage
    Until recently I think Linux has been cruising along to some extent on obscurity. A virus is only a program like any other, and trying to claim that Linux is magically able to discriminate between 'good' programs and 'bad' programs is completely silly.

    The real strength is the 'package' model of modern distributions. When you want to install a program under Linux, the proper way is via synaptic or apt-get or whatever package tool your distribution uses.

    Downloading a binary installer from some random website is NOT the way to install Linux software and I really wish companies like nVidia (for the nvidia drivers) and Google (Google earth for linux) would stop even packaging them!

    On the other side, imagine if Google were to expand their 'google pack' installer to include the many thousands of OSS and freely redistributable programs available. It would become possible to use Windows like a package-based distribution, installing all new software only from signed and tested google packages. That would be very much like having apt-for-windows. I think this would help make Windows a lot more secure.

  • by smash ( 1351 ) on Saturday July 22, 2006 @06:58PM (#15764319) Homepage Journal
    The difference is, that Linux is usable by a power user without logging in as root, via use of SUDO (or SU) to do what you need to do when you need to do it.

    Windows is getting better in that respect (run-as), but it's still not exactly functional in my experience.

    Half the games out there need to run as administrator - and if you're going to suggest I go through and figure out how to set them up not to, then that defeats the purpose of using windows because it's "easy to use"...

  • Re:No S**t (Score:5, Interesting)

    by vux984 ( 928602 ) on Saturday July 22, 2006 @07:29PM (#15764395)
    It's a year later and, other than my systems running almost twice as fast and having a lot fewer weird hangups and crashes, I have not had a single problem.

    I cancelled the insurance on my home. One year later other than saving $550 I have not had a single problem. I wasn't robbed, it didn't burn down, and no hurricanes, floods, or earthquakes hit me either...

    Just because the "worst" didn't happen, doesn't mean it won't.

    Plus what is the "worst"? It's ill-defined. In my opinion it's *not* a virus/spyware that pops up 400 popups and makes your computer an unusable steaming turd. It's the virus that installs a rootkit and remote control software, and adds your PC to a zombie spam network, and/or sets it up as "free ftp space" for child porn. All this after scanning your PC for passwords, financial records (the save files from tax software, credit card information, etc etc...), and installs a keylogger. And then it runs like this for 6 months without you knowing about it.

    Then you get a low disc space warning and that's when you find the hidden folder full of child pornography you've been serving up for the last year.

    I'm not saying Norton's software is better than garbage. I too think it's overrated, overpriced crap. But sadly, installing nothing and doing regular backups is far less protection than you might think.

    I recall one virus in particular that periodically would randomly pick a file and rewrite a few dozen bytes in it in some random place. In theory it could run for months without getting detected. Gradually your documents would become corrupt, or applications would start having issues until finally it would hit something critical and your PC would fail. Restoring from backups was worthless because this thing had been damaging files for ages, and your backups were full of damaged files.

    For what it's worth, I tend to agree that "real-time" protection is overrated, 0-day exploits and so on will continue to get through, but frequent full system scans with the latest definitions are a good idea.
  • Re:No S**t (Score:2, Interesting)

    by donaldm ( 919619 ) on Saturday July 22, 2006 @08:42PM (#15764534)
    A few years ago my eldest son was curious about how computer viruses worked so he asked me. I thought about it for a few minutes and, remembering the pathetic script-kiddy viruses I had seen, I demoed a virus concept (about 5 minutes) using a simple Korn script. What surprised me was how easy it was to write and just for fun I thought "how do I make my script morph". The answer was so simple and obvious (maybe I should patent it since any stupid or obvious patent appears to be getting through).

    What I was able to do (within 15 minutes) was write a simple script that would change its signature identification every time it was run, making identification almost impossible. The same concept I used in a simple Korn script could easily be applied to a binary application; granted this is more complex in the writing but not difficult, and I am amazed that we don't see more morphing viruses.

    People need to realise that a computer is fairly sophisticated and to use it properly you have to have some knowledge of computing, especially basic security. They should not just blindly rely on the so-called latest virus protection software, which always seems to "close the gate after the horse has bolted". I won't hold my breath on this since the main PC operating system is in itself inherently insecure.
  • by ThePengwin ( 934031 ) on Saturday July 22, 2006 @09:54PM (#15764678) Homepage
    I've seen my fair share of viruses, and also my fair share of antivirus programs, but I've never seen an off-the-shelf product work as well. I use AVG Free, and as far as I know I have had next to no trouble with viruses. It is small in terms of memory and downloads but it seems to work a lot better than anything else I've tried.

    But I think there may be more to it. I think if you know your fair share about computers you know what to stay away from. I know that any site on the internet offering warez and serials is a sure thing to stay away from. Also if you just don't look up porn you have a very good chance of not getting a virus. :P
  • by roman_mir ( 125474 ) on Saturday July 22, 2006 @10:23PM (#15764746) Homepage Journal
    every application that runs on your computer should have its own address space and it should not be allowed to cross into other applications' address spaces, however this is not the case in MS Windows OS.

    I guess we may want to rethink what a computer actually is.

    I guess it should be possible to write (or use existing) virtualization software and run each application in its own virtual computer, give each application its own 'harddrive' without access to the rest of the disk, and most importantly make sure that the application cannot cross its VM's boundaries. Obviously each application that is not the OS itself should run as a user and not as an administrator, but in a VM it shouldn't even matter that much.

    To share data between applications that really need sharing, it should be possible to open 'network' connections.

    In case Intel or some other chip manufacturer comes up with multi-core processors (real multi-core, something like 10-1000 cores per CPU,) each application could also run in its own real processor space. A CPU could be rated something like: 100 simultaneous processes, and actually really run 100 simultaneous processes without time-slicing. Wouldn't that be a day? To accommodate memory per process, there could also be another independent administrator process running, that would detect real-time memory requests and manage memory accordingly (it could prepare memory ahead of time to avoid bottlenecking.)

    It also should be possible to run an image of the OS per process (but this should be optional, depending on the tasks at hand.) Of course a CPU like that would also be great for parallelizing threads in processes (if there are resources.)

    In a computer like that, with each program only being able to affect its own computer space (CPU, RAM, disk space, network,) it should be possible to detect unwanted behaviour that could be caused by a virus. Attempts at 'networking' to the administration process, attempts at gaining unauthorized disk space, attempts at 'networking' with any other processes in the computer can be intercepted. In case a virus (or a poorly written piece of software) behaves suspiciously or deadlocks or crashes or whatever, the rest of the machine should be protected and unaffected. The misbehaving process can be killed by the administration process and restarted or scanned and repaired etc.

    I don't think the future of the home computers is in bigger gigahertz numbers, it is at parallelizing, virtualizing, making the software more stable and less dangerous for everyone.
  • Re:No S**t (Score:2, Interesting)

    by vux984 ( 928602 ) on Sunday July 23, 2006 @02:18AM (#15765137)
    If you could just stick to some guidelines strictly, you will be safe against any virus, not just old and new ones. And yes, for free (as in beer) too.

    In other words ... "If you could just stop being a fallible human being indefinitely..."

    In other words, you are right, but the conditions you require are unattainable so it's not a terribly useful solution.
  • Re:No S**t (Score:3, Interesting)

    by Phisbut ( 761268 ) on Sunday July 23, 2006 @02:30AM (#15765160)
    I'd say that depends largely on which virus scanner you end up choosing.

    Kaspersky was noted as having a 90% hit rate, for example.

    It also depends on which virus scanner you're actually allowed to choose from. Kaspersky might have a 90% hit rate, and we know it's good... but at the office, we had to go with McAfee (which is also a terrible resource hog) and were not even allowed to evaluate Kaspersky... because... well... you know... Russians are evil... they could be spying through their software...

    Sadly, I'm not making this up.

    I'm happy though, I am fortunate enough to be working on a Linux box. However, I pity my coworkers that have to endure Windows and McAfee.
