Security

The End of Signature-Based Antivirus Software?

nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability related attacks. The test results were announced by the author to the focus-virus discussion list. What's really impressive, besides the huge difference between response times among antivirus companies, is that two products succeeded in proactively detecting all 6 attacks without any signature update."
  • by Anonymous Coward on Thursday August 25, 2005 @03:52PM (#13400572)
    The product scores (only the trolls need more karma). Or you can try page 4.

    BitDefender 6/6
    Fortinet 6/6
    Nod32 5/6
    eSafe 3/6
    F-Prot 3/6
    Panda 3/6
    QuickHeal 3/6
    McAfee 2/6
    Norman 2/6
    AntiVir 1/6
    ClamAV 1/6
    Proventia-VPS 3/6
    Panda TruPrevent 6/6

  • by Thunderstruck ( 210399 ) on Thursday August 25, 2005 @03:56PM (#13400610)
    I think, based on my personal experience, that Hotmail is already moving away from virus definitions to a more general measure of "traits." In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "." (dot) in it.

    I base this on the fact that, after exporting a document from StarOffice 7 directly to a .pdf file, and using a filename with two "dots," I sent this document to a Hotmail user, who wrote me back that Hotmail had declared the file to contain an incurable virus. Reasonably sure that my Xandros linux box had no virii on it, I renamed the file something more Microsoft friendly. The file was received with no problems.

    So there you have it, any file with a suspicious name must contain a virus. Easy, reliable detection.

  • Re:well (Score:5, Informative)

    by the_mighty_$ ( 726261 ) on Thursday August 25, 2005 @03:57PM (#13400621)

    It just means that they already had the signature.

    No, it means that the AV program was using "proactive virus protection."

    That simply means that the AV program monitors the behavior of programs and makes sure they don't violate security policy. If they do, the AV software assumes it is a virus.
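
The "proactive" monitoring described in the comment above can be illustrated with a small behaviour-policy evaluator. This is an added example, not code from any antivirus product or from the AV-TEST report: the rule names, weights, threshold and the process trace are all constructed for the illustration, and the registry and directory prefixes are only used as string patterns.

```python
"""Behaviour-policy monitor over a constructed process trace (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Locations a normal user program has no business writing executables to, or
# autorun keys it should not be setting. Used purely as string prefixes here.
SYSTEM_DIRS = ("c:\\windows\\",)
AUTORUN_KEYS = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
)
FANOUT_LIMIT = 10     # distinct hosts one process may contact before it looks like scanning
BLOCK_THRESHOLD = 3   # accumulated weight at which the monitor would stop the process


@dataclass
class Event:
    pid: int
    op: str       # file_write | reg_set | net_connect | proc_inject
    target: str   # path, registry value, host:port or target pid


@dataclass
class Verdict:
    score: int = 0
    rules: set = field(default_factory=set)

    @property
    def verdict(self) -> str:
        return "blocked" if self.score >= BLOCK_THRESHOLD else "allowed"


# Policy rules: (weight, predicate over a single event). Weights are invented.
RULES = {
    "writes_executable_to_system_dir": (3, lambda e: e.op == "file_write"
        and e.target.lower().startswith(SYSTEM_DIRS)
        and e.target.lower().endswith((".exe", ".dll", ".sys"))),
    "sets_autorun_key": (2, lambda e: e.op == "reg_set"
        and e.target.lower().startswith(AUTORUN_KEYS)),
    "injects_into_other_process": (3, lambda e: e.op == "proc_inject"),
}


def evaluate(events):
    """Score every process in the trace; returns {pid: Verdict}."""
    verdicts = defaultdict(Verdict)
    hosts = defaultdict(set)
    for e in events:
        v = verdicts[e.pid]
        for name, (weight, match) in RULES.items():
            if match(e) and name not in v.rules:   # count each rule once per process
                v.rules.add(name)
                v.score += weight
        # Stateful rule: a process fanning out to many distinct hosts looks like a worm scanning.
        if e.op == "net_connect":
            hosts[e.pid].add(e.target.rsplit(":", 1)[0])
            if len(hosts[e.pid]) >= FANOUT_LIMIT and "contacts_many_hosts" not in v.rules:
                v.rules.add("contacts_many_hosts")
                v.score += 2
    return dict(verdicts)


# Constructed trace: pid 4242 behaves like a network worm, pid 1337 like a text editor.
SAMPLE_TRACE = [
    Event(4242, "file_write", r"C:\Windows\System32\wbem\svchost32.exe"),
    Event(4242, "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
    *[Event(4242, "net_connect", f"10.0.{i}.1:445") for i in range(12)],
    Event(1337, "file_write", r"C:\Users\bob\Documents\notes.txt"),
    Event(1337, "net_connect", "updates.example.net:443"),
]

if __name__ == "__main__":
    for pid, v in evaluate(SAMPLE_TRACE).items():
        print(pid, v.verdict, v.score, sorted(v.rules))
```

The point of the design is that no byte pattern from the worm is needed: the verdict comes entirely from what the process does. The same property is what produces the false positives discussed further down the thread, since a legitimate installer also writes executables to the system directory and registers an autorun entry.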

  • by Tx ( 96709 ) on Thursday August 25, 2005 @04:02PM (#13400679) Journal
    ...using heuristic detection rules that generate a high number of false positives as well, if scanned files are simply runtime-compressed.

    Thanks, but I prefer not to throw the baby out with the bathwater.
  • by Rude Turnip ( 49495 ) <valuation@@@gmail...com> on Thursday August 25, 2005 @04:05PM (#13400703)
    "I didn't understand, because PDFs should not have viruses, right?"

    Getting a virus by opening an email was just a myth until Microsoft made it a reality. Adobe is doing the same with PDF now, by introducing a bunch of javascript/multimedia BS that can be integrated in PDFs.

  • by zlogic ( 892404 ) on Thursday August 25, 2005 @04:12PM (#13400762)
    Just follow the simple rules:
    1) Never install stuff from the browser (like ActiveX etc.)
    2) Never open email attachments that are executable (most mailers warn about it)
    3) Never download software from third-party sites, only from the vendor's site
    4) Scan all suspicious files with an online scanner (or send them through a virus-protected mailbox)
    5) Configure your firewall properly (close all ports you don't need)
    If you follow these rules you aren't likely to get any infection at all. I didn't have ANY anti-virus software when I had Windows and didn't get ANY infection in about ten years.
    Antivirus software on the other hand requires constant updates, slows down PCs (I can determine if an antivirus is running without pressing Ctrl-Alt-Del or looking at the taskbar) and eats your money. What's more, if a virus is new and the user doesn't have the latest updates, he can be easily infected. The only users of antivirus software should be Windows users with relatively no computer experience. This way, the antivirus will probably protect evil from happening when a user doesn't understand what's happening to his PC.
    Oh, and some (but not all) antivirus programs are simply a waste of time and money. This applies to most mobile device software. I remember a Norton Antivirus For PalmOS which had an impressive database of FOUR variations of ONE virus. That's all. And yet it cost something like $30 and required a yearly subscription in order to receive updates.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Thursday August 25, 2005 @04:24PM (#13400888)

    very non-technical idiot in the other offices opened up multiple copies of those e-mails anyway.

    You're confusing idiocy, with reasonable expectations. I expect that my e-mail program will read e-mail. I expect that when I open an e-mail it will display the text, included images, and, if I request it, it will display remote images. My e-mail client does that, and so did my last 3 or 4 e-mail clients over the last 10 years. What I do not, and should not expect, is for my e-mail program to run a virus, install anything, run random scripts, connect to remote servers, touch any of my files, write to my hard drive, or run any sort of executable. If it does that, it is broken. If it does that all the time, it is fundamentally broken and needs to be replaced, and the vendor blacklisted.

    You complain about how stupid the non-technical users are, but you should not have to be technical or an expert to read e-mail. You should just open your messages and be able to read without fear. If you are one of those rare few people who need to have executables e-mailed to you, fine, but you should have to turn that feature on manually and your e-mail program should say, "hey this e-mail has an executable in it, do you want to install or run it? (Note this may be a worm or virus!)" I mean how hard is that already? Viruses should not run when you preview a mail, nor when you open a mail, nor when you double click on an attachment. They should run when you double click on them and then confirm that you know the contained item is a program that might be a virus.

    If all e-mail programs did that (pretty much all but MS ones do now) would there still be viruses? Sure, but there would be a lot fewer and they would spread more slowly. And there is no reason why the number could not be further reduced by running new apps with restricted privileges, requiring you to not only agree to run a strange and untrusted program but to explicitly grant it access to the internet and/or your personal files and/or your operating system files. Sure there are people who would agree to even that, but those few people cannot be helped. The problem is more a technical one right now than an end user education one. Give them the right tools and then if they still screw up you can complain justly. End users of e-mail should not have to be experts.

  • by qray ( 805206 ) on Thursday August 25, 2005 @04:27PM (#13400924)
    Stupid user + Stupid software companies = compromised security.

    I can easily lock my Windows machine down as tight as Linux. The problem is that half the software won't install in such a restricted account, and even if it does, it's likely to fall down later on.

    Linux/UNIX users are used to avoiding running as root. Most Windows users never give it a thought, and those that do often give up when the software won't install or won't run under a restricted account.

    I guess Microsoft could create a default user account at install time. But then I'm sure they'd get a ton of support calls from clueless users complaining that their favorite software doesn't run under Windows.

    --
    Ogdrip froptor nogro docor
  • Re:well (Score:3, Informative)

    by globalar ( 669767 ) on Thursday August 25, 2005 @04:32PM (#13400960) Homepage
    Testing virus definitions is somewhat straightforward. Aside from variations (which can still be detected in many cases), you're just looking for a pattern that you already have.

    A policy approach is practically an AI problem. We can describe it in terms of patterns, but it should be very easy to find a loophole in the logic (or too many false positives). Most importantly, the problem frequently begs for intrinsic knowledge of a system - but the whole goal is to find a general solution to specific problems (hence "policy").

    In true /. tradition, let me give a shoddy example. Consider the crime of murder. There are many ways to kill someone. If we want to detect this crime, we need to analyze one of two perspectives: the ability of a human to survive or the functions required for life (alternatively the presence of death). Looking for death and looking for a life-taking action are not too difficult (with exceptions). But the in-between, fuzzy areas where the subject might be dead but could be alive are very difficult.

    We also have to identify the cause of the crime. Not to mention since this action is automated, we need a way to double check our data and ensure it hasn't been tampered with.

    Frankly, signature matching is what I pay for in an AV client. The vast bulk of threats are known and preventable. Until I know more about the policy logic of a client, I cannot afford to bank on it.
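
The contrast drawn in the comment above between signature matching and a policy or heuristic approach, together with the earlier remark that heuristics fire on runtime-compressed files, can be shown side by side. This is an added example, not code from any scanner: the signature pattern, the entropy threshold and the sample files are all constructed, and the "packed" sample is simply the benign text run through zlib.

```python
"""Signature matching beside an entropy heuristic, on constructed samples (added example)."""
import math
import random
import zlib
from collections import Counter

# Constructed "signature database": exact byte patterns taken from known samples.
# The pattern is invented for this example and is not a real malware signature.
SIGNATURES = {
    "Example.Worm.A": b"MZ\x90\x00\x03\x00CONSTRUCTED-WORM-TAG-7f3a",
}

ENTROPY_THRESHOLD = 7.0  # bits per byte; close to 8.0 means compressed or encrypted content


def signature_scan(data: bytes):
    """Return the name of the first signature whose pattern occurs in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_scan(data: bytes) -> bool:
    """Crude 'packed executable' heuristic: flag anything whose bytes look near-random."""
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scan(data: bytes) -> dict:
    return {"signature": signature_scan(data), "packed_heuristic": heuristic_scan(data)}


def _fake_document(seed: int, words: int = 8000) -> bytes:
    """Deterministic pseudo-text standing in for a benign document."""
    rng = random.Random(seed)
    vocab = ["virus", "signature", "policy", "heuristic", "update", "scan",
             "worm", "patch", "vendor", "response", "time", "detect"]
    return " ".join(rng.choice(vocab) for _ in range(words)).encode()


# --- constructed samples ---
KNOWN_SAMPLE = SIGNATURES["Example.Worm.A"] + _fake_document(seed=2)   # exactly what the signature was written for
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"7f3a", b"7f3b")                 # one byte changed
PACKED_KNOWN = zlib.compress(KNOWN_SAMPLE, 9)                            # same sample, runtime-compressed
PLAIN_DOC = _fake_document(seed=1)                                       # benign text
PACKED_DOC = zlib.compress(PLAIN_DOC, 9)                                 # benign text, runtime-compressed

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("packed known", PACKED_KNOWN), ("plain doc", PLAIN_DOC),
                          ("packed doc", PACKED_DOC)]:
        print(f"{label:13s} entropy={shannon_entropy(sample):.2f} {scan(sample)}")
```

The two failure modes the thread is arguing about both appear in the output: the signature misses the one-byte variant and the packed copy of the very sample it was written for, while the heuristic catches the packed copy but also flags the packed benign document. A real product layers the two so that the heuristic only raises the cost of the signature miss rather than replacing it.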
  • by why-is-it ( 318134 ) on Thursday August 25, 2005 @04:37PM (#13401027) Homepage Journal
    You truly don't know anything about "Unix", do you?

    He might. I am wondering just how much you know about it though...

    From what I have read, many (but not all) trojans, viruses and spyware can operate just fine in the user space, without needing to be root. It all depends on what the vx'er wanted to achieve. Sure, if they want to 0wn j00, they want root access. But you would not need root access to:

    • install a TCP-based application in $HOME/bin and phone home
    • participate in a DDOS attack against a specific host
    • send spam via sendmail (user-mode)

    There are lots of malevolent things that could be done without being root. Fortunately, the vx'ers want the most bang for the buck and target windows users.

    The pp's point was entirely valid. It has just as much to do with user education as it does with securing your boxen.

  • by freeweed ( 309734 ) on Thursday August 25, 2005 @05:13PM (#13401413)
    Sure, users can cause problems on every platform.

    However, what this article is about is worms. Specifically, "flash" worms that spread faster than AV vendors can respond with signature updates. Worms don't spread through user interaction, they spread through vulnerabilities in the OS/application suite, and they spread FAST. Most places were hit with Zobot hours before users had much if anything to do with it, and in some cases days before virus signatures were out.

    even if everyone in the world used Linux, the hackers would still write viruses to exploit the same vulnerabilities

    Nice try, but no Linux distribution that I'm aware of has its hardware discovery service bound to the network interface, by default. And very few Linux distros (if any these days) are shipped with *any* listening services by default. A worm like this, or Code Red, or Nimda, or Slammer, or Blaster, or Sasser simply isn't possible. If it was, believe me, you'd have seen it - there's a whole buttload of Linux servers out there in the wild, and believe me, worm authors would love that prize.

    But sure, keep spreading the "nothing is 100% secure, therefore everything is equally insecure" myth. I need a chuckle from time to time.
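
Both the "close all ports you don't need" rule earlier in the thread and the claim above about distributions shipping without listening services come down to the same check: which sockets on the box are in LISTEN state, and which of those are bound to something other than loopback. The script below is an added example, not from any distribution or product. It parses the `/proc/net/tcp` table format; the sample table it runs on is constructed, not captured from a real host, and the function names are this example's own.

```shell
#!/bin/sh
# Audit listening TCP sockets from a /proc/net/tcp-format table (added example).

# Hex-to-decimal in portable awk, so no gawk-only strtonum() is needed.
AWK_HEX='function hex(h,  i, n) { n = 0
  for (i = 1; i <= length(h); i++)
    n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
  return n }'

# list_listeners FILE: print ip:port for every socket whose state column is 0A (LISTEN).
list_listeners() {
  awk "$AWK_HEX"'
  NR > 1 && $4 == "0A" {
    split($2, a, ":"); ip = a[1]; port = a[2]
    # the kernel prints the IPv4 address as little-endian hex, so the octets are reversed
    printf "%d.%d.%d.%d:%d\n", hex(substr(ip, 7, 2)), hex(substr(ip, 5, 2)),
                                hex(substr(ip, 3, 2)), hex(substr(ip, 1, 2)), hex(port)
  }' "$1"
}

# exposed_listeners FILE: listeners not bound to loopback, i.e. reachable from the network.
exposed_listeners() {
  list_listeners "$1" | grep -v '^127\.' || true
}

# Constructed sample: sshd on all interfaces, cupsd on loopback only, one established connection.
SAMPLE_TABLE="${TMPDIR:-/tmp}/sample_net_tcp.$$"
cat > "$SAMPLE_TABLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:B2F4 5E1B2C3D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
EOF

echo "all listeners:";     list_listeners "$SAMPLE_TABLE"      # 0.0.0.0:22 and 127.0.0.1:631
echo "exposed listeners:"; exposed_listeners "$SAMPLE_TABLE"   # 0.0.0.0:22 only
# On a live host: list_listeners /proc/net/tcp   (IPv6 sockets are in /proc/net/tcp6)
```

Anything that shows up under "exposed listeners" is the attack surface a network worm of the kind discussed here needs; the defensive follow-up is to stop the service, bind it to loopback, or filter the port at the host firewall.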
  • Re:well (Score:3, Informative)

    by jim_v2000 ( 818799 ) on Thursday August 25, 2005 @05:16PM (#13401435)
    That simply means that the AV program monitors the behavior of programs and makes sure they don't violate security policy. If they do, the AV software assumes it is a virus

    Unfortunately, according to TFA, the programs that did the best "proactive" virus detection also tend to catch a lot of false positives.

    Kinda like shooting squirrels with cruise missiles. Effective....yes. But was it worth taking out the tree/yard/half a house the squirrel was next to?
  • Why not Grisoft AVG? (Score:3, Informative)

    by Jherek Carnelian ( 831679 ) on Thursday August 25, 2005 @05:59PM (#13401811)
    I don't recognize about half of those anti-virus products, but I do not see my personal favorite - AVG from Grisoft [grisoft.com]. It is free for personal use and you get access to the same timely updates as the paying corporate customers. So you don't have to worry about your virus definition subscription expiring or not working because your laptop is no longer on the campus network so can't get the site-license for the updates.
  • by Tetravus ( 79831 ) on Thursday August 25, 2005 @06:17PM (#13402009) Homepage
    clerical error in parent
