Anti-Virus Effectiveness Down from Last Year
juct sends us Heise Security's summary of an article detailing the abilities of 17 current anti-virus solutions. German computer magazine c't has found that, compared to last year, the virus scanners are having a more difficult time recognizing malware. Quoting Heise:
"For real protection, however, in view of the flood of new malware, the way these programs cope with new and completely unfamiliar attacks is more important. And that's where almost all of the products performed significantly worse than just a year ago. The typical recognition rates of their heuristics fell from approximately 40-50 per cent in the last test - at the beginning of 2007 - to a pitiful 20-30 per cent."
yeah, but.. (Score:2, Insightful)
Re:yeah, but.. (Score:5, Informative)
Re:yeah, but.. (Score:5, Interesting)
Pro Linux, as I am, I still do not feel that we can afford to be complacent about the malware issue. The reason that Linux is largely unaffected is that it is not very widely used, especially by the sort of numpties that get tempted by exciting new screensavers bearing trojans.
If/when we succeed in bringing Linux to the masses, this layer of protection will be torn away. I hope and believe that Linux is more secure by design and the same is probably true of many of the apps that are popular in Linux distros - you won't find ActiveX cheerfully opening the door to anyone. However nobody should be ignoring malware with the excuse that Linux is immune.
where are all the Linux server exploits .. (Score:4, Insightful)
If that were true, where are all the Linux server exploits being actively used in the wild? A Linux desktop logged in as standard user is safe from the numpties and is still usable. The dangers of screensavers wouldn't even apply here; even if a user managed to run some malware script it would most probably be confined to the user's home dir, the core system would remain immune.
Re:yeah, but.. (Score:5, Interesting)
Re: (Score:3, Informative)
Re: (Score:2)
If the user doesn't log in, then the malware cannot run.
yes it can (Score:2, Informative)
Re:where are all the Linux server exploits .. (Score:4, Insightful)
The other thing you have to look out for is web applications - which of course tend to be exploitable regardless of what OS is running the website. These are notorious for providing holes. If you're lucky, all that happens is your website is replaced with a single page which says "pwn3d! l053rz!".
If you're unlucky, you get to announce to the world that you've lost the credit card details of 20,000 people.
(This, by the way, is not drastically different from the current state of security in Windows Server. A careless administrator is probably the biggest security hole known to IT).
Re:where are all the Linux server exploits .. (Score:5, Informative)
Linux server exploits _are_ being actively used in the wild. If you don't keep your server patched up then you stand a pretty good chance of being rootkitted. However, Linux distros tend to be pretty hot on security updates, meaning that a fully up to date system has very few known security holes. I suspect there are also more "idiot" server admins in charge of Windows servers than Linux servers (that is not to say that Windows admins are idiots, I just suspect there is a higher proportion of clued up admins in the Linux world).
However, the server world is very different from the desktop world - in the server world you can be relatively trustful that the admin won't go and install some random shiny new screensaver, etc. whereas on the desktop most people are not (and do not have access to) qualified admins.
A Linux desktop logged in as standard user is safe from the numpties and is still usable. The dangers of screensavers wouldn't even apply here; even if a user managed to run some malware script it would most probably be confined to the user's home dir, the core system would remain immune.
There are a couple of important points here though:
1. Your average home user does _not_ have a dedicated sysadmin. When they want to install a package they (generally) need to become root to do it - that means that the numpties are equally capable of installing screensavers^Wmalware under Linux as they are under Windows. The thing the privilege separation gets you is that you can't _accidentally_ install something as root (e.g. via an exploit in your browser / mail client / whatever).
2. Even without root, a user still usually has plenty of permissions to do some evil things. They can't do some particularly bad things like SYN floods but they can still send out millions of emails and compromise other hosts.
3. Is the protection of the "core system" actually that important when you have a single user machine and so all the important data is owned by that user? The only thing this really gets you is the knowledge that your system binaries are probably safe (so you can trust that ps, netstat, etc are giving you accurate results rather than hiding the malware that is running).
There may be some merit in mounting all the filesystems the normal user can write to as "noexec" so that malware can't just install itself and run as the normal user. But this may place too much of a limit on usability and most distros certainly don't do this by default today.
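The noexec idea in the post above can be checked rather than guessed at. The following is an added example, not code from the thread: it parses text in /proc/mounts format and lists the user-writable filesystems that are mounted read-write without noexec. The sample mount table and the list of user-writable prefixes are constructed assumptions for a typical desktop; on a real system you would feed it the contents of /proc/mounts.

```python
"""Audit mount options: which user-writable filesystems still allow direct execution?

Added example (not from the thread). Input is constructed text in /proc/mounts
format; on a live system you would read /proc/mounts instead.
"""

# Constructed sample, one mount per line: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /home ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /var/tmp ext3 rw,nosuid,nodev 0 0
/dev/sdb1 /media/usb\\040key vfat rw,nosuid,nodev,noexec,uid=1000 0 0
"""

# Places an unprivileged user can normally write to (assumption: a typical desktop layout)
USER_WRITABLE_PREFIXES = ("/home", "/tmp", "/var/tmp", "/media", "/dev/shm")


def parse_mounts(text):
    """Return a list of (mountpoint, fstype, options_set) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _device, mountpoint, fstype, options = fields[:4]
        mountpoint = mountpoint.replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        entries.append((mountpoint, fstype, set(options.split(","))))
    return entries


def is_user_writable(mountpoint):
    """True if the mount point is, or lies under, one of the user-writable prefixes."""
    return any(mountpoint == p or mountpoint.startswith(p + "/")
               for p in USER_WRITABLE_PREFIXES)


def find_exec_writable_mounts(text):
    """Mount points that are user-writable, mounted read-write, and lack noexec."""
    findings = []
    for mountpoint, _fstype, opts in parse_mounts(text):
        if not is_user_writable(mountpoint):
            continue
        if "ro" in opts or "noexec" in opts:
            continue  # read-only or already noexec: nothing to report
        findings.append(mountpoint)
    return findings


if __name__ == "__main__":
    for mp in find_exec_writable_mounts(SAMPLE_MOUNTS):
        print("writable by users and executable:", mp)
```

On the constructed table this reports /home and /var/tmp; /tmp and the USB key are already noexec, and / is not user-writable so it is not reported even though it is executable. Treat noexec as one layer only: it stops a downloaded binary from being run directly from that filesystem, but a script handed to an interpreter that is already installed on the system still runs.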
Re:where are all the Linux server exploits .. (Score:5, Interesting)
On my default, fully security patched Mandriva workstation:
- I have full read write execute permission to my home directory.
- I can run wget to download anything, and put it as an executable anywhere in my home directory.
- I can use perl, awk, whois, grep, sed, whatever, to craft some pretty nasty scripts.
- I can use telnet and I could write an expect script to send spam with telnet.
- Or, I could just download a precrafted elf binary to run as a mini-mail server in my home directory.
- It's not too hard to imagine that I could pop something in
- I could fire off a fork bomb that will crash the system instantly.
It does not take too much imagination to figure out some suitably bad stuff that you could do as any old user.
Of course, hiding yourself on the system and ensuring your survival could be difficult. It would be easy to find all the nasty services running as said user, since top, ps, etc.. would not have been compromised.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
You've really got no excuse for not doing backups; it's going to cost you a heck of a lot more to recover that data if you don't have the backup.
Re:where are all the Linux server exploits .. (Score:4, Insightful)
It got up my nose slightly when I installed Ubuntu on my desktop and I needed to supply a password to perform admin tasks, and type "sudo" before admin commands in a terminal, but on the whole, it achieves the desired effect; it makes you actually consider what you are doing before doing it.
I *do* habitually run Windows as Admin, because if you are a developer it's a pain in the arse not to. But I don't pick up malware of any kind because I don't download software from untrusted sources, use IE, or open unknown email attachments. Once in a while I install anti-malware and run it. And scan it from the Linux instance on the same box as well.
Will Linux newbie users infect their systems with huge amounts of malware? Well, I don't think so.
* As people noted, there isn't a huge amount of desktop malware around NOW because the Windows target is so much bigger.
* The vast majority of software installed on desktop distributions of Linux is done using a package manager. Any package manager worth its salt will be operating out of a reputable source, with checksum verification.
* The vast majority of software that the average user uses has an equivalent in the official package repositories.
On the other hand, nothing is foolproof and there are an awful lot of fools out there, like my sister in law who infected her machine with 427 nasties by believing things she saw in IE.
The kind of targets (Score:5, Insightful)
Malware is all about money these days, whether it's herding bots so you can sell spamming services, or getting paid to DDoS someone's competitor, sniffing credit card numbers to buy stuff, or sniffing personal details for identity theft. Remember that your attack isn't 100% reliable, so you want as many potential targets as possible, and you want to attack weak targets so as to get the highest possible success rate. All so you can make as much money as possible, of course.
And what's the best target? Home Windows PCs, of course. No vigilant sysadmin monitoring the system; average Joe user doesn't grasp the concept of locking his box down, let alone have the m4d skillz to do it; Joe doesn't install patches regularly because he sees the downloads and restarts as nothing more than an annoyance; Joe doesn't really understand his computer, so he doesn't know how to look for the telltale signs of malware; Joe doesn't understand that he has to keep his virus scanner's definitions up to date, and turned off the annoying prompts; Joe doesn't understand a firewall, so he just clicks "Allow" to get rid of the warning message; the list goes on forever...
Now that MacOSX is becoming more popular, we're seeing a bit of malware for it, too. Example, that thing that claimed to be a video codec, but was really a DNS redirector. Now this one is a very good example of how malware authors target uninformed users: in the standard OSX installer program, there is an option to show the files that will be installed; if you or I (as
Until Linux is popular in the hands of inexperienced, non-tech-savvy home users (as opposed to enterprise), it won't be an attractive target for malware authors, and we won't see its security put to the test. When it does become popular, I expect we will see Linux malware, and I expect it will be like OSX malware, in that it relies on failings of the user, rather than the system itself.
For the record, I use OSX and Solaris at home, and develop for whatever I'm paid to develop for at work (which was, until recently, Windows, Linux, Solaris and OSX - looks like it will be just Solaris soon).
Re: (Score:2)
Most users, will give the password if prompted. We mitigate these user failings here by not letting them know the administrator password. Then if they want to install something that asks for this, they are stuck. This works poorly for Windows because there are still many legit programs that will not work unless the user has admin rights over the whole system.
Mac users have no real reason to know the system password for e
Re: (Score:3, Informative)
Surely the weakest part is between the chair and the keyboard.
A search on secunia [secunia.com] tells a story of an old Linux virus (or rather, a piece of malware). The virus comes from a phishing mail in C sourcecode. Unless the luser has root privilege and is nuts, nothing could happen at all.
Consider one day M$ is dead and every luser in the corner of the world runs a Linux desktop. Then the luser happily su and make install, without even a single glance at the sourcecode.
Re: (Score:2)
smitFraud (Score:5, Interesting)
I've had a lot of people bring me PCs infected with smitFraud that the big AVs have not even recognised or been able to properly remove; they have been pretty angry that the $90 or so they paid for a complete Internet Security product was not able to protect them.
It causes Windows to pretty much choke and die as it just consumes so many resources and provides so much irritation, but major products like Trend or Symantec have not been able to successfully protect against or remove them; I have had to use custom written tools that you get off the net for free. They really dropped the ball with that one.
Re: (Score:2)
Re:smitFraud (Score:4, Interesting)
I usually tell customers this, and tell them they have two choices:
1 we can try SmitFraudFix and who knows, it might be lucky, but if they have to bring it back in a month we will charge them again.
2 we can backup all their data, format, reinstall and remove any executable files from their backup.
The second always works, have never had a re-infection (well, have, but that is usually thanks to someone surfing porn regularly, proven to the customer by showing them the browse history) with it.
Best protection for it, Firefox + NoScript, which I tell the customer and offer to install for no extra cost of course
Only problem is, my boss kinda hates me, we don't get the same people bringing their machines in every 2 months anymore needing a software clean done
Re: (Score:2)
The diagnosis is quick and obvious, the machine literally screams at you that it's infected. The disinfection tools are readily available, quick and effective. All things considered it's relatively painless to disinfect one of these machines.
But I'm really surprised that commercial antivirus software isn't picking
after the fact (Score:4, Insightful)
Re: (Score:2)
Yes.
``That is, educating users not to click haphazardly at anything that they feel like''
No [ranum.com].
Because, as you yourself point out,
``and that is a heck of a challenge. most users do not understand what can happen and many likely do not really care''
Re: (Score:2)
Now, if the OS takes good care of security, a lot of things that can actually be a security risk or a feature won't be possible anymore. Certain tools require you to be able to tap into another process's memory or network traffic to be useful. Also, plugins and the like (the dreaded BHO security hole in IE, which is actually meant as a
Re: (Score:3, Interesting)
There's this not-too-recent development in Antivirus programs where they actually scan executables before and as you execute them, preventing the infection.
Of course it's not perfect, but it's probably the reason most peop
Re: (Score:2)
The problem is that you have to know a virus to detect it. Welcome to the arms race! That's why heuristics have been the way to go for a while now, because that way you can at least flag something as suspicious if you don't know it. But
Re: (Score:2)
Re: (Score:2)
While it makes sense to scan everything, not only PE32/64 executables (ya know, exploits and macros), it does NOT make sense to spend an evening scanning your correspondence. It is actually fairly easy to detect an exploit (they have to be done in very, very specific ways to work, obviously), and macro malware doesn't
Re: (Score:2)
Generally speaking, the antivirus that we sell and install is a preventative measure. Sure, educating users is the best way to go...but even then you've got mistakes and mis-clicks. And some folks just don't learn. Goo
Re: (Score:2)
yes, eventually this is true but malware does a fine job of speeding up the process by a good 10 fold or more. winboxes will work for a pretty long time if they are not constantly installing and uninstalling software- the old compaq still has win95 on it and works fine- it just wasn't constantly burdened by a bunch of garbage accumulating over time. if a winbox like that is taken care of it
Re: (Score:2)
I'm not saying that it can't happen, but it most definitely is not inevitable.
Re: (Score:2)
Re: (Score:2)
I don't even want to give MS the blame here. When you load your machine with drivers that hog more system resources tha
Re: (Score:3, Insightful)
Both approaches are wrong. The best approach is for network client applications (web browsers, email readers, and maybe even removable media filesystem mounters) to make usage not dangerou
My expectations are not that high... (Score:5, Informative)
Re: (Score:3, Interesting)
I work for an AV company. Our focus lies on "local threats". Not necessarily the local scriptkiddy community, more the phishing and ID fraud thing.
For about a year now, those things have been "localized". I'm not joking when I say that, depending on the country you're in, you get different versions of a certain trojan, targeting exactly YOUR banks, YOUR finance services, YOUR online stores. They actually go to the lengths of recreating the loc
Re: (Score:2)
running multiple antiviruses (Score:4, Insightful)
In Windows, if you wanna run more than one, you can only have the real time protection of a single anti-virus enabled or you get conflicts.
Meaning you rely on the on-demand protection of every other anti-virus and have to manually run them regularly OR set up schedules. What kind of user will do that?
Re: (Score:2)
Re: (Score:3, Funny)
You should look on the bright side: Since everybody has to buy high-end hardware, it also becomes much cheaper for people who need it for more interesting stuff.
(I would for instance very much like to see the next main-stream OS requiring 16 cores or more to run a simple email client on a desktop machine...)
Re: (Score:2)
User friendliness is the worst idea since the mouse.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What the hell it's doing even hooking into it is beyond me.. it's just feature creep.. it should be checking opened files only.
Standard advice? Ouch. (Score:2)
Re: (Score:2)
I think it's more because a "mildly irritating" virus will be removed, leaving the host to get infected again. An "extremely vicious" virus will take out the host and whatever replaces it will be better protected. Enough of this goes on and the number of available hosts drops s
Re: (Score:2)
In a P2P virus network there's no reason the virus couldn't update itself with new plugins for exploiting new vulnerabilities allowing it to spread yet further. If the virus could also update anti-anti-virus techniques it could potentially be very hard to wipe out whilst still fulfilling the same purposes as e
Just don't do it... (Score:4, Interesting)
Re: (Score:2)
It doesn't work in an office full of people, and it doesn't work with the average
Re: (Score:2)
Re: (Score:2)
You might not need an AV tool. You don't click every stupid button, open every attachment labeled "important info from your bank" or "last reminder", but you'd be amazed how many do.
Re: (Score:2)
FREE ENTERPRISE-GRADE ANTIVIRUS SCAN
1.) go to Trend Micro's download page [trendmicro.com]
2.) lower right side, click "Damage Cleanup Engine", and download sysclean.com:
"If you are not a Trend Micro customer please download the following file.
Sysclean Package 3.2MB
MD5 checksum: 4cb85b5a3c097fcb494dceed216b8d9e"
3.) go back to the download page, lower right side, click "Trend Micro pattern files"
4.) download the latest official or controlled (beta) virus defs.
5.) stick these on a usb key, reboot in safe mode, copy to t
Re: (Score:2)
That works fine for cautious and educated users... But it relies on the user not being stupid,
Virus? (Score:2)
Re:Virus? (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Antivirus is just bandaid. (Score:2, Insightful)
What I would like to see is Microsoft shipping a Windows version that's fairly secure out of the box. Then and only then Antivirus becomes something useful as a second added sec
read Ranum on enumerating badness .. (Score:4, Informative)
"if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved [ranum.com] the following problems":
* Spyware
* Viruses
* Remote Control Trojans
* Exploits that involve executing pre-installed code that you don't use regularly
Re: (Score:2)
Re: (Score:2)
In theory it works, but it's not practically employable. Most mainstream distros install binary packages. Even if source packages are available, did you check each and every changed line after each and every security update? Simple answer: Either you don't or your software's very outdated and thus probably vulnerable.
Even given the benefit of the doubt (imagining you've got a whole team of peop
Re:read Ranum on enumerating badness .. (Score:4, Informative)
solution for real protection .. (Score:2)
Yes, I know what you're going to say, there aren't any Linux viruses because there aren't many Linux desktops out there. But where are all the server exploits out there being actively used in the wild. I'm talking about commercial servers being hacked not some msging board
Re: (Score:2)
The trade in zero-day exploits is alive and well.. the only difference between today and 10 years ago is that the sale of zero-day exploits has become slightly more legitimized. i.e., the "good guys" will now buy a zero-day exploit off anyone selling, not just the "bad guys".
But getting back to the topic, you don't need exploits to write a virus. What you need is an infection vector, the use
Re: (Score:2)
Can I have some real world examples, not some home box, but commercial servers being hacked and customer records stolen, like the TJ Maxx [bbc.co.uk] case
Re: (Score:2)
Re: (Score:2)
In other words no, you can't produce any real world examples, dude
Re: (Score:2)
* An execution white- or blacklist can be created with hashes or executable file names. Obviously don't use the latter possibility.
Re: (Score:2)
It happens all the time. Usually through unpatched software, or misconfigured apache servers. The security team responsible for the DMZ network and firewall rules usually has no power over the guys who administer and program the syste
Heuristics in "easily defeated" shock (Score:2)
Good luck convincing your boss that AV software is snake-oil
Re: (Score:2)
Could you first of all please inform us what has been whitelisted? Aside from copy protection mechanisms (which should be classified malware, but guess what: PEOPLE WANT TO BE ABLE TO PLAY THEIR GAMES!), I'm not aware of any whitelisting taking place. At least in the more reputable companies in the biz.
Second, yes, with networking it's easy to distribute malware quickly. But the other way around is true too, AV vendors get new samples much m
Re: (Score:2)
Yes, I understand that attempts at education aren't working either. Most people are screwed either way. I deal with it by not supporting anybody who won't take the time and effort to learn how to properl
Re: (Score:2)
If they could only trash their own machine, then I'd find me another (most likely better paying) job, maybe as a security guy with one of our online casinos. You trashed your computer due to your own stupidity? Good! Means you're off the net and, hell, let Darwin be right, who's not fit to live will die, who's too stupid for a computer doesn't deserve one.
T
There are just too many false positives (Score:3, Interesting)
Sure, it is partly because of the inane copy protection, but AVG should make some tests before issuing such crap.
Luckily the 'infected exe' is recoverable, and after disabling the resident shield it will run. But then, why do you have AV in the first place?
Re: (Score:3, Insightful)
In short, copy protection mechanisms share a fair lot of features with malware. It is often not easy to discriminate between them.
Now, it's likely that AVG didn't have access to NWN2 to ensure their r
Last year was better? (Score:2)
Re: (Score:2)
Re: (Score:2)
Useless (Score:4, Insightful)
Imagine having a doorman that has a list of everyone you hate, and everyone on that list is not allowed in your house. An enemy is prevented access but a stranger can still walk away with your TV. Wouldn't it be better to give the doorman a list of all your friends instead?
Blacklisting is a really bad way to prevent unwanted activity. Whitelisting is much better.
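The "list of friends" policy in this post, Ranum's "track the 30 pieces of Goodness" list further up, the earlier remark that a hash-based allowlist is the only sensible kind (file names being the option to avoid), and the point that an intact system makes ps and netstat trustworthy all come down to the same check. The following is an added example, not code from the thread or from Ranum: it builds an allowlist keyed by SHA-256 of trusted binaries and then classifies files on a "live" system as allowed, modified (familiar name, different bytes) or unknown, next to the name-only policy for comparison. The "binaries" are constructed stand-in files written to a temporary directory so it runs offline.

```python
"""Allowlist of executables by content hash, versus by file name.

Added example (not the thread's or Ranum's code). The "binaries" are small
constructed files written to a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(trusted_paths):
    """The 'list of friends': file name -> SHA-256 of the build you trust."""
    return {os.path.basename(p): sha256_file(p) for p in trusted_paths}


def classify(manifest, path):
    """'allowed' if the content hash is trusted, 'modified' if only the name is known, else 'unknown'."""
    name = os.path.basename(path)
    digest = sha256_file(path)
    if digest in manifest.values():
        return "allowed"
    if name in manifest:
        return "modified"  # same name as a trusted binary, different bytes
    return "unknown"


def allowed_by_name_only(manifest, path):
    """The weak policy the thread warns against: trust whatever has a familiar name."""
    return os.path.basename(path) in manifest


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: trusted ps/netstat, then a live system where netstat was swapped out."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")
        live = os.path.join(tmp, "live")
        os.makedirs(good)
        os.makedirs(live)
        # stand-ins for the real binaries (constructed content, not real executables)
        _write(os.path.join(good, "ps"), b"trusted ps build 1")
        _write(os.path.join(good, "netstat"), b"trusted netstat build 1")
        manifest = build_manifest([os.path.join(good, n) for n in ("ps", "netstat")])

        _write(os.path.join(live, "ps"), b"trusted ps build 1")            # intact
        _write(os.path.join(live, "netstat"), b"something else entirely")   # replaced
        _write(os.path.join(live, "screensaver"), b"shiny new download")    # never vetted

        for name in ("ps", "netstat", "screensaver"):
            path = os.path.join(live, name)
            results[name] = (classify(manifest, path), allowed_by_name_only(manifest, path))
    return results


if __name__ == "__main__":
    for name, (by_hash, by_name) in demo().items():
        print(f"{name:12s} hash policy: {by_hash:9s} name-only policy: {'allow' if by_name else 'deny'}")
```

The name-only policy waves the replaced netstat through, which is exactly why the thread says not to use file names; the hash policy reports it as modified, and the screensaver nobody vetted is unknown rather than silently permitted. Keep the manifest itself somewhere the checked system cannot rewrite, otherwise whatever replaced netstat can update the list too.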
Re:Useless (Score:4, Informative)
AV is good only as a system check. It is no good as a frontline defence. It can't spot viruses until they are either already in memory or sitting on your disk. Some of the time it will spot them before they get executed but most of the time not. When I used to use Windows at home (I only use it on school networks now, I work as a tech in schools) the one way to "tell" that you had something dodgy going on was when Zonealarm went ape. Even the integrated Zonealarm Security Suite, AVG etc. didn't detect the stuff that I was testing. But when something starts asking for Internet access out-of-turn, you know something's wrong. And when your AV is less use than a freeware firewall that bothered to ask you, you know it's a waste of time.
AV-scanning proxies: excellent idea
AV scans of networks: good idea
AV scans of home machines: pointless and doesn't tell you what you can't find out in ten seconds of using the machine as an IT professional.
AV "real-time scanners": Well, yes, if you must, have CPU to spare and ignorant users using the machine. Otherwise, they're pointless.
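The "something starts asking for Internet access out-of-turn" signal from the post above can be reviewed from a log rather than from pop-ups. The following is an added example, not code from the thread or from any firewall vendor: it parses constructed personal-firewall style log lines, compares each outbound connection against a baseline of which desktop programs talk to which ports, and also counts outbound SMTP destinations per process, since the thread's concern is infected desktops pumping out mail. The log format, the baseline and the port-25 rule are all my assumptions.

```python
"""Egress review: flag outbound connections from processes outside the desktop's baseline.

Added example (not the thread's code). The log format and the baseline are constructed
stand-ins for what a personal firewall records; the port-25 rule is an assumption chosen
because the thread's concern is infected desktops sending spam.
"""
import re
from collections import defaultdict

# Constructed firewall log: timestamp action process src -> dst:port proto
SAMPLE_LOG = """\
2008-02-10 21:03:11 ALLOW firefox.exe 192.168.1.5:49152 -> 66.102.9.99:80 TCP
2008-02-10 21:03:15 ALLOW thunderbird.exe 192.168.1.5:49153 -> 10.0.0.2:993 TCP
2008-02-10 21:04:02 ASK updater.exe 192.168.1.5:49160 -> 203.0.113.7:25 TCP
2008-02-10 21:04:03 ASK updater.exe 192.168.1.5:49161 -> 203.0.113.8:25 TCP
2008-02-10 21:04:05 ASK cool_screensaver.scr 192.168.1.5:49170 -> 198.51.100.20:8080 TCP
2008-02-10 21:05:00 ALLOW firefox.exe 192.168.1.5:49171 -> 66.102.9.99:443 TCP
"""

# Baseline: process -> destination ports it is expected to use (assumption for this desktop)
BASELINE = {
    "firefox.exe": {80, 443},
    "thunderbird.exe": {110, 143, 587, 993, 995},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proc>\S+) (?P<src>\S+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def analyze(text, baseline=BASELINE, smtp_host_limit=2):
    """Return (timestamp, process, reason) alerts for connections that deserve a look."""
    alerts = []
    smtp_targets = defaultdict(set)
    for ev in parse_log(text):
        proc, port = ev["proc"], ev["port"]
        if proc not in baseline:
            alerts.append((ev["ts"], proc, "process not in baseline"))
        elif port not in baseline[proc]:
            alerts.append((ev["ts"], proc, f"unexpected destination port {port}"))
        if port == 25:
            smtp_targets[proc].add(ev["dst"])
    # A desktop that starts talking SMTP to several mail hosts is the spam-bot pattern
    for proc, hosts in smtp_targets.items():
        if len(hosts) >= smtp_host_limit:
            alerts.append(("-", proc, f"outbound SMTP to {len(hosts)} distinct hosts"))
    return alerts


if __name__ == "__main__":
    for ts, proc, reason in analyze(SAMPLE_LOG):
        print(f"{ts:20s} {proc:22s} {reason}")
```

On the constructed log the two browser lines and the mail client are silent, updater.exe is reported three times (twice for not being in the baseline, once for the SMTP fan-out) and the screensaver once. The baseline is the part that needs care: it should come from a period you are confident the machine was clean, and it goes stale with every software update, which is the "puke, scream and pop up" behaviour the reply below describes.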
Re: (Score:2)
A firewall only cares about programs that try to create connections to the outside world. And even though it doesn't really seem that way, those programs are a tiny minority of the things running in your machine. Still, if you ever used some firewall software, you'll quickly notice that as soon as some part of your OS gets updated, it starts to puke, scream and pop up every few secon
AV software causes more problems than it solves (Score:3, Interesting)
This isn't the biggest problem though. AV software is actively harmful. Aside from dramatically slowing down EVERYTHING, it can flat out break stuff. Norton in particular is notorious for screwing things up, to the point that if someone asks me about a problem with their computer now, my first answer is always "uninstall Norton."
Running the gamut from games being intolerably slow to programs crashing to drivers inexplicably failing to install (even after turning Norton off), to date "uninstall Norton" has never failed to fix the problem.
(Really, Norton and the virus makers themselves aren't much different, in that both of them prey on the computer illiterate.)
Re: (Score:3, Interesting)
It's a bit like saying webcams crash your system because you had one from Logitech (whose driver actually does just that). Or like saying OSs suck because you've seen what Vista is like.
There are decent AV companies about who do take care that the footprint they leave in the system is small, and that their drivers (which have to be quite invasive, unfortunately) don't ruin
Of course effectiveness is falling... (Score:3, Insightful)
Time was a virus would either just pop up an annoying message or delete random data or reformat your PC. Effectively viruses and virus writers were hunters and once they had got the target they had no further interest.
Virus writers have now become 'civilised' farmers. They now get paid for their efforts.
The writers have a tame herd (of infected PCs). They will spend their time trying to make sure the AV software will not interfere (to them these things are the infection). They spend their time tending their herd and catching 'wild' examples - other people's virii (?) so they cross-breed.
One consequence of this (if correct) is that viruses may well start to remove other infections, and generally tune up your PC. After all, if your PC is working just fine, why would you bother keeping the AV scanner up to date?
Re: (Score:2)
I like it.
There is a better strategy (Score:2)
No single virus for all these years.
and if you do really need something try
http://www.virustotal.com/en/indexx.html [virustotal.com]
Viruses are a 'stupid user' issue (Score:4, Informative)
Tools and their uses:
- Firewalls: block stuff you shouldn't be listening for anyway, also help to mitigate against attacks against stuff you do listen for.
- Service Lockdown (difficult on windoze, see "Firewalls" above): You can't exploit something that's not there
- Proper configuration of what you do need listening: default stuff on that linksys router, for example
- Patches: Deal with worms (not viruses)
- AV software: tries to correct user stupidity. Not exactly a winning battle, as can be seen by the existence of this article.
- IDS: Never for an end user. How are they to know how to tune it, and what the messages mean, etc?
My experience has been that AV software gets in the way, causes system instability, and provides a false sense of security. None of this provides a significant benefit for a user who already practices good hygiene on their computer.
Why the drugs don't work anymore (Score:4, Interesting)
The malware-antimalware war ain't a static one. Both sides are engaging in a quite impressive arms race. They start creating morphing trojans, we create ways to detect them, they create global trojan floods, we employ detection networks to catch them, they switch from mail distribution to infected webpages, we start sending out spiders, they start using targeted spam, we create fake personalities to be "interesting" for them, they
It's just the same with the detection and elimination routines. They use certain API calls, we start listening to those calls carefully, they switch the calls, we follow, they start using executable packers, we develop exec unpackers, we discover that malware PE headers have a certain format, they change the format and create "filler" sections to look normal...
It's just a chapter in that arms race. Give us 2 months and we're back on par.
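One round of the packer arms race described above can be shown in a few lines. The following is an added example, not code from the thread or from any AV vendor: it measures Shannon entropy per section of a constructed "executable" (no real PE file is parsed), flags sections whose entropy is near that of compressed or encrypted data, and shows why measuring the whole file instead is easily diluted by the "filler" sections the post mentions. The section contents and the 7.0 bits/byte threshold are my assumptions.

```python
"""Per-section entropy as a packer heuristic, and why whole-file entropy is easy to dilute.

Added example (not the thread's or any vendor's code). The sections are constructed byte
strings standing in for PE sections; no real executable is parsed.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated value, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n, seed=b"constructed seed"):
    """Deterministic high-entropy bytes, standing in for a packer's compressed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


PACKED_THRESHOLD = 7.0  # bits/byte; assumption, tune against your own sample set

# Constructed sections: (name, raw bytes)
SECTIONS = [
    (".text", bytes(range(16)) * 256),        # code stand-in, exactly 4.0 bits/byte
    (".data", b"Hello, world\x00" * 300),    # strings and tables, low entropy
    (".packed", pseudo_random_bytes(4096)),   # packer output, close to 8 bits/byte
    (".filler", b"\x00" * 16384),             # padding added to look ordinary
]


def flag_packed_sections(sections, threshold=PACKED_THRESHOLD):
    """Names of sections whose entropy reaches the threshold."""
    return [name for name, data in sections if shannon_entropy(data) >= threshold]


def whole_file_entropy(sections):
    """Entropy over all sections concatenated: the measure a filler section defeats."""
    return shannon_entropy(b"".join(data for _, data in sections))


if __name__ == "__main__":
    for name, data in SECTIONS:
        print(f"{name:8s} {len(data):6d} bytes  {shannon_entropy(data):.2f} bits/byte")
    print("whole file:", round(whole_file_entropy(SECTIONS), 2))
    print("flagged:", flag_packed_sections(SECTIONS))
```

Per section, only .packed crosses the threshold; over the whole file the 16 KB of zero filler drags the average well below it, so a scanner that looks at the file as a single blob sees nothing unusual. Entropy is a heuristic, not a verdict: legitimately compressed resources and the copy-protection wrappers complained about elsewhere in this thread score just as high, which is the false-positive side of the same trade-off.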
Skewed (Score:2, Interesting)
Re: (Score:3, Funny)
That's 'cause you got arrogant and didn't properly firewall your hand before connecting it to the net.
welcome to the modern ages ... (Score:2)
Re: (Score:2)
Re:AV's??? (Score:4, Informative)
True story:
A customer call. Quite irate person, yelling and screaming at our poor techie, telling him in no uncertain terms that he finally uninstalled our piece of junk and installed $competitor_software, because our piece of electron crap kept popping up and nagging him with some "virus found" junk and cutting into his productivity while $competitor_software doesn't.
So. Now question for 500: What the heck do you tell him?
Re: (Score:2)
Mostly because the heuristics in his tool really sucked to begin with.
Re: (Score:2)
Re: (Score:3, Insightful)
Malware has turned into a business. It's no longer the 16 year old pimple-face that wants to prove he has the longest virtual dick. It's biz. Malware is being written in almost normal looking "companies", cranking out quite professional software, complete with versions, updates, CVS systems and other things you'd expect in a "normal" software company.