Slashdot Log In
Why Popular Anti-Virus Apps 'Don't Work'
Posted by
ScuttleMonkey
on Sat Jul 22, 2006 02:29 PM
from the build-a-better-mousetrap dept.
from the build-a-better-mousetrap dept.
Avantare writes "ZDNet Australia has a writeup about why AV apps don't work. The reason given is because the malware authors are writing code that will get around the signatures of the application by testing their code on the most popular anti-virus software before release." This comes as a follow up to another article detailing the sad state of anti-virus software currently on the market.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
No S**t (Score:5, Insightful)
Still an interesting point it raises, and a good example to give to none believers if you ever have to give the "Nothing is perfectly secure" speach to a client.
Re:No S**t (Score:5, Informative)
At least people are starting to realize this.
As for myself, I used to use Symantec's antivirus software both at home and at work, but a year ago decided it just wasn't worth it. The program was the most obscene resource hogs I've ever had the displeasure to use, and in the 7+ years of using the program it never once protected me from getting a virus. The same can be said for a lot of other AV offerings, and yet you still see some idiots suggesting you run 2-4 different AV applications just to "be sure you're safe".
Once people realize that the single best and most effective method of protecting themselves is common sense, they will be a lot better off. If you don't download from untrusted sources, don't click banners, don't install just any (activeX|extensions), and keep your machine patched, you'll be fine (YMMV of course).
The problem is that while people can buy Symantec's latest breakthrough in keeping your processor occupied, they cannot buy common sense.
Parent
In my experience, Symantec software is worse... (Score:5, Informative)
You didn't mention the bugginess.
Parent
Re:No S**t (Score:4, Interesting)
It's a year later and, other than my systems running almost twice as fast and having a lot fewer weird hangups and crashes, I have not had a single problem.
Parent
Re:No S**t (Score:5, Interesting)
I cancelled the insurance on my home. One year later other than saving $550 I have not had a single problem. I wasn't robbed, it didn't burn down, and no hurricanes, floods, or earthquakes hit me either...
Just because the "worst" didn't happen, doesn't mean it won't.
Plus what is the "worst"? Its ill-defined. In my opinion its *not* a virus/spyware that pops up 400 popups and makes your computer an unusable steaming turd. Its the virus that installs a rootkit and remote control software, and adds your PC to a zombie spam network, and/or sets it up as "free ftp space" for child porn. All this after scanning your PC for passwords, financial records (the save files from tax software, credit card information, etc etc...), and installs a keylogger. And then it runs like this for 6 months without you knowing about it.
Then you get a low disc space warning and that's when you find the hidden folder full of child pornography you've been serving up for the last year.
I'm not saying Norton's software is better than garbage. I too think its over rated, over priced crap. But sadly, installing nothing and doing regular backups is far less protection than you might think.
I recall one virus in particular that periodically would randomly pick a file and rewrite a few dozen bytes in it in some random place. In theory it could run for months without getting detected. Gradually your doucments would become corrupt, or applications would start having issues until finally it would hit something critical and your pc would fail. Restoring from backups was worthless because this thing had been damaging files for ages, and your backups were full of damaged files.
For what its worth, I tend to agree that "real-time" protection is over-rated, 0-day exploits and so one will continue to get through, but frequent full system scans with the latest definitions are a good idea.
Parent
Re:No S**t (Score:5, Funny)
Are you saying you don't make regular backups of your house? Man, you are really tempting fate.
Parent
Re:No S**t (Score:3, Insightful)
Sadly, Symantec and most popular anti-virus apps now want to do *everything*. They install a firewall, anti-spam, anti-phishing, web content blocker, etc. And usually, turning off these features simply mean they won't actively filter/block but will still be residing in memory.
All I want is an antivirus that doesn't try to do everything for me. I've been a user of Panda Software for a while, but I won't be renewing my subsc
Re:No S**t (Score:4, Interesting)
The home editions are a resource hog. The enterprise edition (at least of mcafee) has a very small footprint and is lightning fast. Mcafee should consider using the same build on their home editions.
Parent
Re:No S**t (Score:5, Funny)
That's the same logic that keeps me from throwing away my anti-vampire rock. Ever since I've had it I haven't seen a single vampire so that proves it must work.
Parent
The AV app would tell him (Score:5, Interesting)
More than once, Symantec AV has told me that it's detected and neytralized a Web page with the WMF vulnerability. I guess that's interesting to know, even though my system was fully patched so I wouldn't have been vulnerable anyway. It's also told me that my PC was being probed by hacking scripts, though (again) I was already protected through patches and not having the necessary ports open.
The real question is, how do any of us know that we're not already infected by a super-devious rootkit that no AV apps recognize?
Parent
Re:The AV app would tell him (Score:4, Informative)
This is an excellent question. Mostly, you notice a well-hidden rootkit by using tcpdump on some other machine to sniff all of the traffic from the suspect machine [1], and then concentrate on stuff that's not local to your subnet.
If you don't have a user on the machine running a chat program, seeing traffic to or from the IRC port, 6667, tends to be a very common sign that the machine is giving or receiving orders as part of a botnet. Forcing the machine to do all web access via a proxy and then checking the proxy logs after a day or two also tends to be revealing.
[1]: This should be done where both machines are connected on the same hub, or perhaps using the "monitor" or "span" port that newer intelligent switches have for diagnostic testing.
Parent
Did I miss something? (Score:4, Insightful)
Nothing to see here, move along please.
And they are both wrong. (Score:5, Insightful)
So, the reason that anti-virus software sucks is because the "bad guys" are writing BETTER "viruses" that can bypass the anti-virus programmers' software.
And the reason for that is that anti-virus software is REACTIVE.
A proactive system would patch the holes that are being exploited.
A reactive system issues patches to remove all the specific threats encountered so far.
That approach will ALWAYS result in the "good guys" being behind the "bad guys". Like DUH!!!
Parent
Re:And they are both wrong. (Score:4, Insightful)
Once a user runs software, if that software is malicious, that computer is compromised. Period.
Parent
Linux is not a silver bullet. (Score:5, Informative)
* Delete files
* Read confidential files from that one user (a typical computer might only have 1 or 2 users)
* Send out spam
* Install a keylogger
* Read the users contact list and forward itself to all users on that list.
* Install itself to start up with user priveleges when the computer boots (by modifying the users configuration files)
* Pretty much anything...
However having separate users does limit the damage and it makes it a lot easier to clean up since no executable files are affected, root should be safe, and the system should still be stable and consistent once the virus is removed. (This is not true if the virus has gained root priveleges, and really you should assume that it has, if you really want to be safe).
Much of the security of Linux comes from:
* The peer review process.
* The speed that the most serious holes are patched and the ease of applying these patches on most distribution.
* Vulnerable services are not usually open to attack after a default install.
* 'Biodiversity' - an attack against a specific application will not affect all users.
* New install media with latest bug fixes issued regularly and easy to obtain.
* Large amounts of software is available from the distribution repository so you don't need to download and run installers from third-party web pages.
* Smaller market share gives attackers less incentive to attack.
I'm not saying that ALL software for Linux is secure, and that ALL distributions respond promptly to security vulnerabilities, but it is possible to be reasonably secure if you choose the right vendor and don't be stupid by installing random screensavers from dodgy websites.
Parent
Re:Linux is not a silver bullet. (Score:4, Insightful)
The one reason viruses aren't a problem in linux: fewer gullible users.
The one reason worms aren't a problem in linux: the small number of diverse builds.
User seperation has very little to do with it.
Parent
Re:And they are both wrong. (Score:4, Informative)
The problem here is that virus don't typically exploit any hole. They are simply programs that run with the privileges of the user who executes them.
A typical (old school) virus would do three things:
There are only two things you can do to protect against this, in general:
In Windows it is the second issue which allows viruses to spread - typically the local user would have write access to the system binaries, so eventually Notepad.exe would get infected, etc. Under Linux/Unix root generally is the only person who can write to system binaries, so a typical user can't infect them.
However Linux viruses do exist, and are trivial to write. The reason they don't spread is partly because users are used to getting their binaries from trusted sources, partly because they download things from source, and partly because most users don't run with the ability to modify system files. (Sure you might be able to infect ~/bin - but there isn't a big gain)
Windows is getting better at allowing non-Administrators to work properly, so sooner or later the ability of joe-random-desktop user to modify system binaries will disapear and at that point viruss will stop. Still there will be worms, trojans, and all the other nasties left!
I've gone on a bit much, but I wanted to drive the point home : Viruses do not exploit security holes. (In general)
Parent
Re:Did I miss something? (Score:4, Informative)
At the rate things are going, article writers won't even bother with the body of the story any more, it will just be a title and ads.
Parent
Just follow a few basic steps... (Score:4, Insightful)
1. Firefox with popup blocker
2. Firewall software
3. Sit behind router
4. Use AV software
5. Don't click on anything that pops up without read it!
http://religiousfreaks.com/ [religiousfreaks.com]Re:Just follow a few basic steps... (Score:5, Informative)
Remove administrative priviledges from your everyday account.
Keep your software and OS updated.
Do not run software with a bad security record.
Parent
Re:Just follow a few basic steps... (Score:5, Funny)
Parent
Re:Just follow a few basic steps... (Score:3, Insightful)
Re:Just follow a few basic steps... (Score:4, Insightful)
Parent
Re:Just follow a few basic steps... (Score:3, Insightful)
When you use windoze, you're using the most targeted OS on the Earth ... you're lumping yourself in with a vast crowd of people who know absolutely nothing and suspect even less. Putting one of these machines on the 'Net is an invitation to be robbed -- literally; in many, many ways -- not to mention being held hostage by MS and whatever
Dedication to QA (Score:5, Funny)
Signature-based recognition was doomed (Score:5, Interesting)
The whole concept of recognizing known viruses was fundamentally flawed. It had a good run, but that was because virus writers were mostly trying to get attention, not steal. Now that viruses are an ongoing criminal enterprise, the old dumb tactics won't work.
We're going to have to give up on recognition and put more effort into partitioning. We need setups where each web page renders in its own jail, and it doesn't matter if the browser is insecure - when the page closes, a program exits and any corrupted info goes away.
Of course, this will break Active-X, toolbars, downloads, etc. Then again, on business systems, you want those things broken.
Once the browser is locked down like that, you need a "guard" program. When you want to move a file out of a browser's jail, it has to go through a program that "sanitizes" it. Often, a translation to a well-documented format that doesn't contain execution capability will do the job. Converting incoming .doc files to Open Document XML format, for example.
It's quite possible to completely solve this problem.
Re:Signature-based recognition was doomed (Score:3, Insightful)
IMHO, the problem comes down to how security works on PC's - it's based on the user, not the app. This is true on Linux as well as Windows. An application runs under the security context of what the user can get to. Applications ought to run under their own security accounts, and when they try to write somewhere they have not been authorized to write before, the user ought to get warned. If the application makes an outbound Internet connection or starts listening on a port without prior authorization,
Safer link to Systrace (Score:3, Informative)
Re:Signature-based recognition was doomed (Score:3, Informative)
More than ten years ago, before windows 95, and most people were using DOS and DOS virus scanners, I had someone (comparable to a modern day script-kiddie) from my high school ask me to scan a disk to see if the viruses he had on there were detected. Even then he knew if the popular virus scanners of the day couldn't detect them, that he could potentially use them. It was then I realized that virus scanners were a jok
Harder than it sounds (Score:3, Interesting)
The program that reads that well-documented format might have a vulnerability which the theoretically non-executable file could exploit. That's happened in real life, with JPEG and PNG.
Worse, the line between executables and data isn't as sharp as we usually think it is. After all, an executable is nothing but data for the CPU's decoder. We *hope* that $WORDPROCESSOR doesn't do anything except display documents in response to the instruct
What I do (Score:4, Informative)
Default Deny (Score:4, Insightful)
Re:Default Deny (Score:3, Interesting)
Hmm. Like Linux/UNIX that does not store executable permissions on email attachments w/o user intervention? Like OS X's behavior to ask the user the first time they run an associated file with an app for the first time? Like viruses are a Microsoft problem, and not a feature of other OSes?
I can't ever seem to type the last question here on
Ummm ok (Score:3, Insightful)
Ok but what aobut at home? You are the admin there. Who looks over your shoulder and determines if something is safe? You can set the OS to default deny running things by running it as a non-administrative a
AV stuff serves it purpose (Score:4, Insightful)
AV isn't supposed to make your computer stupid-proof. If you download and run every single application you can find no AV in the world will help.
If you happen to stumble on a 4 week old virus that either got bot-mailed to you or stored in a public archive they're a godsend. Specially since most AVs scan archives so before you even open it you're good.
Tom
Antiviruses are flawed by design (Score:4, Interesting)
Re:Antiviruses are flawed by design (Score:3, Insightful)
Because viruses aren't using any security flaws.
But... (Score:5, Interesting)
Aren't most of the viruses and worms that are out there just variants of other viruses? It seems like most of the time that I hear about a "new" terrible virus, it's really a slightly modified version of one that's been around for awhile, and usually if you're up to date on your antivirus and security patches the new virus won't do anything anyway. And let's not forget that there are still plenty of old viruses on non-secured machines that an antivirus application will protect you from.
I can see their point where people developing a new virus are concerned, but as the lifecycle of a virus is often longer than the time it takes to update the signatures, I think that they are overstating their case by saying that the AV apps "don't work."
Re:But... (Score:3, Informative)
All true, but your conclusion was false.
The codebase between variants can easily be changed to the point where heuristics & previous def files will not recognize it.
It's worse with a (encrypted) polymorphic virus, because those are hard enough for the anti-virus guys to
The Black Hats are winning... (Score:4, Insightful)
It's a sad state of affairs that worms, trojans and viruses are probably more tested before release than the anti-virus software.
I know this, you should know this (Score:3, Interesting)
I'm sure other posters will provide the real answers to security, like limited user access, a good firewall, not running intrusted code, and using a web browser that isn't garbage.
I went for 3 years using just these precautions, but used no antivirus whatsoever. I never become infected by a single thing. I only recently grabbed ClamWin [clamwin.com], a port of ClamAV, for my Windoze box because I wanted to scan a program I got via P2P.
What do these guys think signatures are, anyway? (Score:5, Interesting)
Honestly, I do not know anyone who believes that an AV program is going to protect them from unknown viruses! The whole point of AV software is to give you protection from viruses as they are discovered. I mean everyone knows that if they do not update their virus signatures on a constant basis (several times a day on my mail servers), they may as well not be running virus protection at all. OK. Maybe some people are dunces about this, but honestly, even my 81 year old grandmother knows that she has to keep her AV current, or she's unprotected.
I mean, for crying out loud, what are these signure updates for? For catching known viruses. Mega duh!
Eye-Candy (Score:3, Insightful)
I gave up a long time ago on NAV because it had a heavy interface -- fancy background, fade in/out, and all the other stuff that don't really contribute to its operation, especially for an application whose GUI you don't really pop or see very often.
Simple buttons and windows are enough, coupled with a good proper operation within a restricted account -- i.e. good communication with the service that runs in the background.
That is why I like the free AVG option.
I Tell My Clients the Following (Score:5, Informative)
1) You're not a company that gets thousands of virus-laden emails a day. You don't need to pay for Norton or McAfee. A 98-99% detection rate is perfectly adequate for a home user.
2) Install AVG or Avast AV. They're free, they update automatically, they're light on resources and they work.
3) Install Spybot Search and Destroy, SpywareBlaster, Ad-Aware and Windows Defender.
4) Install a software firewall like Kerio or just use Windows XP's firewall. If you install Kerio, use V2.1.5 because it's non-intrusive. The later versions are too picky and get in your face.
5) Stop using IE and use Firefox.
6) Lately, since trojans are on the upswing, I say install A-Squared anti-trojan which is free with manual updates.
7) Don't click on popups. Don't even click on the "No" button - click the window close button.
8) Don't install anything offered you by a Web site unless the site is a general freeware or shareware site that explicitly states it checks for spyware and adware.
9) Keep up with Windows updates and updates for the malware detector software.
10) Run a scan once a week or if you see any popups at all.
I've used these rules on Windows 98, 2000 and XP for four years with virtually NO spyware getting through - and that's with porn site visits and whatever else the Web can throw at me.
The single most important rule is number 5 - use Firefox. With no ActiveX, the stuff can't get in unless you have an OS vulnerability or you deliberate install it in response to a prompt you don't understand.
Finally, if they really want to be secure, switch to Mac or Linux.
virtualization + detection (Score:5, Interesting)
I gues we may want to rethink what a computer actually is.
I guess it should be possible to write (or use existing) virtualization software and run each application in its own virtual computer, give each application its own 'harddrive' without access to the rest of the disk, and most importantly make sure that the application cannot cross its VMs boundaries. Obviously each application that is not the OS itself should have run as a user and not as an administrator, but in a VM it shouldn't even matter that much.
To share data between applications that really need sharing, it should be possible to open 'network' connections.
In case when Intel or some other chip manufacturer will come up with multi-core processors (real multi-core, something like 10-1000 cores per CPU,) each application could also run in its own real processor space. A CPU could be rated something like: 100 simultaneous processes, and actually really run 100 simultaneous processes without time-slicing. Wouldn't that be a day? To accomodate memory per process, there could also be another independent administrator process runing, that would detect real time memory requests and manage memory accordingly (it could prepare memory ahead of time to avoid bottlenecking.)
It also should be possible to run an image of the OS per process (but this should be optional, depending on the tasks at hand.) Of-course a CPU like that would also be great for parallelizing threads in processes (if there are resources.)
In a computer like that, with each program only being able to affect its own computer space (CPU, RAM, disk space, network,) it should be possible to detect unwanted behaviour that could be caused by a virus. Attempts at 'networking' to the administration process, attempts at gaining unauthorized disk space, attempts at 'networking' with any other processes in the computer can be intercepted. In case when a virus (or a poorly written piece of software) behaves suspiciously or deadlocks or crashes or whatever, the rest of the machine should be protected and unaffected. The misbehaving process can be killed by the administration process and restarted or scanned and repared etc.
I don't think the future of the home computers is in bigger gigahertz numbers, it is at parallelizing, virtualizing, making the software more stable and less dangerous for everyone.
Re:I don't use Norton.. (Score:5, Funny)
Hm. You can call that area on Paris Hilton a lot of things, but "private" isn't one them.
Parent
Re:you are not supposed to cure the symptoms (Score:3, Funny)
Re:Kaspersky? (Score:3, Informative)
Re:Anti-virus Programs Aren't Up to Snuff (Score:4, Informative)
Parent
MOD PARENT DOWN. Bad Link. (Score:4, Informative)
Official Clam Anti-Virus for Windows link: ClamWin [clamwin.com]. ClamWin is free and excellent, but slower at scanning than commercial products, in my experience.
Parent