Security

The End of Signature-Based Antivirus Software?

nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability related attacks. The test results were announced by the author to the focus-virus discussion list. What's really impressive, besides the huge difference between response times among antivirus companies, is that two products succeeded in proactively detecting all 6 attacks without any signature update. "
  • Sandbox (Score:5, Interesting)

    by hrieke ( 126185 ) on Thursday August 25, 2005 @03:53PM (#13400576) Homepage
    A thought, and perhaps a better mind can say why this would or would not work.
    Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then pass the IO requests directly to the system.
    So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, then the AV would nip it in the bud.
  • by Anonymous Coward on Thursday August 25, 2005 @04:03PM (#13400688)

    In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "."

    <conspiracy>

    Interesting, as a significant number of linux apps are distributed in the form APPNAME.V.R.S.tar.gz.

    </conspiracy>

  • Heuristics (Score:5, Interesting)

    by Cally ( 10873 ) on Thursday August 25, 2005 @04:05PM (#13400711) Homepage
    Most of the major AV programs have incorporated some sort of heuristics capability for years now. The problem with these (and the reason they're not usually turned on by default) is that they tend to false positive all over the place. So the corollary to these test results is: how many false positives did these products generate using the same config?

    Disclaimer: I worked for a household-name antivirus sw firm in the past and now work for one that filters network-based viruses as a network service.
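Added illustration of the false-positive point above (not code from any poster or AV product): a toy behaviour scorer run over constructed sandbox traces. The event names, weights, threshold and traces are all assumptions invented for this example.

```python
"""Toy behaviour-based scoring over sandbox event traces, to show why a
heuristic that catches a worm also flags some legitimate software.
Event names, weights, threshold and traces are invented for this example."""
from dataclasses import dataclass, field

# Assumed weights per behaviour class (not taken from any product).
WEIGHTS = {
    "copy_self_to_system_dir": 3,
    "write_run_key": 2,         # autostart persistence
    "listen_socket": 2,         # opens a listening port
    "outbound_smb_scan": 4,     # many connections to tcp/445 across a subnet
    "disable_av_service": 5,
    "write_program_files": 1,
    "create_shortcut": 0,       # ordinary installer behaviour, weight 0
}
THRESHOLD = 6


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)

    @property
    def malicious(self):
        return self.score >= THRESHOLD


def score_trace(events):
    """Score one run: each distinct suspicious behaviour counts once."""
    hits = sorted({e for e in events if WEIGHTS.get(e, 0) > 0})
    return Verdict(sum(WEIGHTS[e] for e in hits), hits)


def evaluate(labelled_traces):
    """labelled_traces: list of (name, is_malware, events).
    Returns (detection_rate, false_positive_rate) for the current weights."""
    tp = fn = fp = tn = 0
    for _, is_malware, events in labelled_traces:
        flagged = score_trace(events).malicious
        if is_malware:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    return tp / max(tp + fn, 1), fp / max(fp + tn, 1)


# Constructed traces (not captured from real samples).
SAMPLES = [
    ("worm", True, ["copy_self_to_system_dir", "write_run_key", "listen_socket",
                    "outbound_smb_scan", "outbound_smb_scan"]),
    ("office_installer", False, ["write_program_files", "create_shortcut",
                                 "write_run_key"]),
    # Legitimate remote-administration agent: installs itself into the system
    # directory, autostarts and listens. Behaviourally it looks like the worm.
    ("remote_admin_agent", False, ["copy_self_to_system_dir", "write_run_key",
                                   "listen_socket"]),
]

if __name__ == "__main__":
    for name, _, events in SAMPLES:
        v = score_trace(events)
        print(f"{name:20s} score={v.score:2d} malicious={v.malicious} hits={v.hits}")
    print("detection_rate, false_positive_rate =", evaluate(SAMPLES))
```

The remote-administration agent is the false positive: with these weights the only ways to clear it are to raise the threshold (and miss a worm that does less) or to add context the behaviour trace does not carry, such as a code-signing check or a list of known admin tools. That trade-off is why the comment above asks for the false-positive count alongside the detection figures.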

  • Not any time soon. (Score:3, Interesting)

    by Telastyn ( 206146 ) on Thursday August 25, 2005 @04:09PM (#13400739)
    This sort of technology isn't new. Intrusion Detection systems have used it for 5 years or so, though their targets are better tailored to the setup. Anyways, most of those systems needed to be modified to include signatures.

    Why? Because the systems couldn't be guaranteed to win 'bake off' tests versus their signature based competitors. Competitors that often only had signatures for the often ancient and arcane vulnerabilities used in the tests.

    Such shiny statistics are like catnip for executives it seems.

    Anyways, this sort of setup is wonderful in that not only does it detect new attacks, it's also usually an order of magnitude faster than the signature scanners.
  • by Carrot007 ( 37198 ) on Thursday August 25, 2005 @04:11PM (#13400753)
    > What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

    Which stone are you hiding under?

    Putting free stuff on gets them nothing, where as something people may pay for in the future will.

    The company will give them incentives, maybe pay them a small amount to bundle, give them concessions on other software to bundle, etc.

    Furthermore, yes I use AVG free edition on my Windows boxes; however, I can see why it doesn't get bundled.
  • Re:Sandbox (Score:4, Interesting)

    by Quirk ( 36086 ) on Thursday August 25, 2005 @04:15PM (#13400799) Homepage Journal
    Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then pass the IO requests directly to the system.

    I apologise in advance for not having a link or a reference. I did a quick read on a paper from SANS [sans.org], wherein they commented on an exploit referred to as "the red pill". IIRC the gist of the exploit is that it tests for the memory segment it is run in. A VM sandbox runs in a higher memory segment. If the exploit tests and finds itself being run in a higher memory segment it becomes dormant; if, OTOH, it tests and finds it's being run in a lower memory area it releases its payload.

    Sorry I can't link to the pdf. I have the file but haven't the time to search for it at the moment.

    cheers

  • by rufusdufus ( 450462 ) on Thursday August 25, 2005 @04:24PM (#13400880)
    The real story here is that new malware are not normally caught by antivirus programs until they are discovered and updated in the patch file. What percentage of malware have never been discovered before? How many of those are on your computer right now?

    Nobody knows.

    The only trustworthy solution to malware is a read-only system: the system and application partitions must not be modifiable without rigorous user-initiated discipline including disconnecting from the network and rebooting to a known-clean state.

    This sounds crazy, but it is practicable. It requires some technology and some resetting of expectations. One way to think of it is how game systems like the PS/2 operate: you boot the system and save the data to removable media. There are no PS/2 viruses.

    What I do today is re-dump my system partition image every couple of days. The image is highly compressed and the dump is actually faster than a virus scan. Now my system partition is perfectly organized. Whenever I want to install some new software, I disconnect from the internet, re-dump, install the new software, and then re-image. Keeps the hard drive nice and organized. I put data files on removable media. It's remarkable how well this system works; and it's great to have peace of mind that my system is not growing crufty over time.
  • by Anonymous Coward on Thursday August 25, 2005 @04:26PM (#13400906)
    Wouldn't it be safer to switch from blacklists to whitelists? i.e. Only known safe applications are permitted to run. If some shiny-new-app isn't added to your current A/V whitelist for 48 hours, all that means is you can't run the program for a while. That's an inconvenience. If shiny-new-malware isn't added to an A/V blacklist for 48 hours, major damage can ensue. I'd prefer the former, personally.

    Users don't add new apps to their computers that often, and corporations would welcome the chance to ensure only approved and paid-for programs can run on their systems.

    When you uploaded free software to a reputable FTP site, getting a suitable signature so that people could download it and use it would become a routine part of the upload procedure, and certainly one that the sort of geeks who use those services can handle.

    It's true that a comprehensive whitelist database would be a big file, but why does that matter? No-one runs /every/ piece of software; so the whitelist for the stuff that one particular person uses should be of a manageable size, shouldn't it?

    If you use whitelists, the only time code needs to be checked is when new executable code files arrive on a system; given a competent gatekeeper program, all pre-existing stuff will be known-approved and won't need to be checked. That would provide a significant speed-up too.

    Is this feasible? Where's the downside?
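Added illustration of the whitelist proposal above (not code from any poster or product): a content-hash allowlist gatekeeper. The manifest layout, the HMAC protecting the manifest, and the placeholder key are this example's own choices, and the files it checks are constructed in a temporary directory.

```python
"""Content-hash application allowlist: an executable may run only if the hash of
its bytes appears in an integrity-protected manifest. Manifest format, HMAC
protection and the placeholder key below are assumptions of this example."""
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST_KEY = b"example-manifest-key"   # placeholder; not how a real key is stored


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, key=MANIFEST_KEY):
    """Record content hashes of approved executables and MAC the record, so
    something that can write the manifest file cannot simply list itself."""
    entries = {os.path.basename(p): sha256_file(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def load_allowed_hashes(manifest, key=MANIFEST_KEY):
    """Verify the MAC before trusting a single entry."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise ValueError("manifest MAC mismatch: tampered or wrong key")
    return set(manifest["entries"].values())


def may_execute(path, allowed_hashes):
    """Gatekeeper decision keyed on content, not file name: renaming malware to
    an approved name changes nothing, and patching one byte of an approved
    binary revokes its approval."""
    return sha256_file(path) in allowed_hashes


def demo():
    """Build an allowlist from two 'approved' files, then test new arrivals."""
    with tempfile.TemporaryDirectory() as d:
        def put(name, data):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            return p

        approved = [put("editor.exe", b"APPROVED EDITOR v1.0"),
                    put("browser.exe", b"APPROVED BROWSER v2.3")]
        manifest = build_manifest(approved)
        allowed = load_allowed_hashes(manifest)

        results = {
            # same bytes under another name: still approved
            "approved_copy": may_execute(put("copy.exe", b"APPROVED EDITOR v1.0"), allowed),
            # approved name, different bytes (overwrites editor.exe on disk): blocked
            "renamed_malware": may_execute(put("editor.exe", b"NEW MALWARE"), allowed),
            # approved binary with a few bytes appended: blocked
            "trojaned_editor": may_execute(
                put("editor2.exe", b"APPROVED EDITOR v1.0 + backdoor"), allowed),
        }
        # Attacker with write access to the manifest adds their own hash.
        manifest["entries"]["evil.exe"] = hashlib.sha256(b"NEW MALWARE").hexdigest()
        try:
            load_allowed_hashes(manifest)
            results["tampered_manifest_rejected"] = False
        except ValueError:
            results["tampered_manifest_rejected"] = True
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v}")
```

Two limits a practitioner would add to the poster's "where's the downside" question: an allowlist only governs what is loaded from disk, so an approved but vulnerable program exploited in memory, or an approved interpreter fed a hostile script, runs with the allowlist's blessing; and the manifest itself (and the key that protects it) becomes the thing attackers go after, which is why this example MACs it.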
  • by wumpus188 ( 657540 ) on Thursday August 25, 2005 @04:26PM (#13400922)
    Aren't they writing polymorphous viruses these days? They were pretty common back in DOS era... pretty hard for AV to catch coz there is *no* signature.
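Added illustration of the polymorphism point above (not code from any poster or AV engine): a toy sample format in which the body is re-encoded with a fresh key per generation, showing where a body signature fails and where a scanner can still look. The stub marker, the layout and the inert text payload are invented for this example; nothing here is real malware.

```python
"""Why a byte signature over the virus body fails once the body is re-encoded
per infection, and the two places a scanner can still look: the decoder stub
(kept constant here) and the body after emulating the decoder.
Sample layout, stub marker and payload are invented; the payload is inert text."""
import os

MAGIC = b"STUB"                 # stands in for the decoder's code bytes (assumed)
BODY = b"TOY-PAYLOAD: open port 4444; copy self to system dir"   # constructed, inert
BODY_SIG = b"open port 4444"    # what a signature written against one sample keys on
STUB_SIG = MAGIC                # a signature written against the decoder instead


def xor(data, key):
    return bytes(b ^ key for b in data)


def make_generation(key=None):
    """Produce one 'infection': constant stub, fresh 1-byte key, re-encoded body.
    Layout: MAGIC | key | body length (2 bytes, big endian) | encoded body."""
    if key is None:
        key = os.urandom(1)[0] or 1   # a zero key would leave the body in clear
    assert 1 <= key <= 255
    return MAGIC + bytes([key]) + len(BODY).to_bytes(2, "big") + xor(BODY, key)


def scan_raw(sample, sig):
    """Naive signature scan over the bytes as stored on disk."""
    return sig in sample


def emulate_and_scan(sample, sig):
    """What an emulating scanner does: run the decoder's logic on the sample to
    recover the body, then apply the body signature to the decoded bytes."""
    if not sample.startswith(MAGIC):
        return False
    key = sample[len(MAGIC)]
    n = int.from_bytes(sample[len(MAGIC) + 1:len(MAGIC) + 3], "big")
    decoded = xor(sample[len(MAGIC) + 3:len(MAGIC) + 3 + n], key)
    return sig in decoded


def compare(keys=(0x41, 0x9C)):
    """Per-generation results for fixed keys, so the demo is deterministic."""
    results = []
    for k in keys:
        s = make_generation(k)
        results.append({
            "key": k,
            "body_sig_raw": scan_raw(s, BODY_SIG),              # False: body differs per generation
            "stub_sig_raw": scan_raw(s, STUB_SIG),              # True: decoder is constant here
            "body_sig_emulated": emulate_and_scan(s, BODY_SIG),  # True: body recovered first
        })
    return results


if __name__ == "__main__":
    for r in compare():
        print(r)
```

The caveat the thread's later comments touch on: a real polymorphic engine varies the decoder as well (register choice, junk instructions, instruction substitution), so the stub signature breaks too, which is what drove scanners toward emulation and behaviour monitoring rather than more byte patterns.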
  • by Anonymous Coward on Thursday August 25, 2005 @04:27PM (#13400925)
    Simply put, it is relatively trivial for a virus writer to have the virus determine whether it is running inside a virtual environment/sandbox. This is a known problem in the AV world - shortly after the first attempts to create this sort of sandbox the virus writers demonstrated this capability in the wild.

    A good discussion of this is the somewhat famous Halting Problem:
    http://en.wikipedia.org/wiki/Halting_problem [wikipedia.org]

    My favourite use of this was a book by Greg Bear (Legacy/Eon, I believe) where the protagonists capture an alien, and then clone its mind in a computer simulated world in order to question it. However, the alien knows how to determine that it is in a virtual environment, and the virtual alien commits mental suicide (somehow). Great book, mind blowing hard sci fi.

    Regardless - sandbox technology only catches the really dumb viruses, which are pretty easy to catch anyways. You can pretty much count on any viruses taking advantage of new advances in other viruses pretty quickly - whether it be host file rewrites, building botnets, disabling AV functionality, keylogging, auto-upgrades, encrypted command and control channels, etc.

    And yes, I do work for an AV company.
  • by johnnyb ( 4816 ) <jonathan@bartlettpublishing.com> on Thursday August 25, 2005 @05:17PM (#13401445) Homepage
    "Users need fine grained control, good default settings, and a good user interface that lets them know what it is they are doing."

    No, users need to know what the heck they are doing. The problem with Windows is that it was selling people the idea that you could do complex tasks with a computer without actually knowing what you are doing. That idea is plain false. You either have to have tasks which are simple in reality, or have tasks that are complex in reality. That doesn't mean that they have to be hard-to-use, but that it recognizes the complexity of the task which is being handled.

    "I haven't seen all three of those yet, anywhere but it is very possible."

    While a minority of what you are saying is possible, this assumes that someone can in theory (and in practice):

    (a) predict all of the needed options. The fact that you know of an option or two that everyone needs does not mean that all needed options are known.

    (b) with all of the options produced by (a), make it in such a way that a user can perform their task easily.

    (c) make users understand both the consequences of the individual options listed in (a) and the consequences of combinations of these options.

    Here's some better solutions from the "keep-it-simple" table:

    1. Make Word documents unscriptable even in theory
    2. Only allow applications launched from email to be opened by certain, trusted programs, and not the shell. Even further, you could have it so that executable files cannot simply be dragged into the system, but they must be run through some sort of "verifier/installer" first.


    You may say that your business cases require #1 to not be the case. But what I'm saying is that you are using Microsoft Word for something that you shouldn't be using it for. If you need your Word document to be an application program, then write a frickin application program! If you _really_ need customizations done to Word, then the way they are loaded on needs to be as different from loading "normal" files as the east is from the west. It's the muddle that we are getting ourselves into where Microsoft Word is our development platform, and somehow we wonder why it's unsafe to even open a text document.

    These are my two basic rules:

    1) If a process needs to be simple, it must ACTUALLY be simple.

    2) If a process needs to be complex, it must be UNDERSTOOD by its users, and its complexity must not be hidden (it can be moved out-of-the-way of normal processes, etc., but it should not be hidden).

    You can be simple, or you can be complex, but to be complex-while-pretending-to-be-simple-but-only-for-certain-cases-where-it-really-works-but-is-always-insufficient-for-real-world-work won't cut it.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Thursday August 25, 2005 @05:40PM (#13401660)

    predict all of the needed options. The fact that you know of an option or two that everyone needs does not mean that all needed options are known.

    You're mistaken. There is no reason to predict all possible options. You need merely provide a few easy-to-understand template ACLs and let the programs request additional resources. If Windows did this, two things would happen very quickly. First, developers would write programs to match up with the templates to minimize user support costs. Second, users would become suspicious of programs that requested access to things they do not understand. Basically: access to the internet, user files (not created by this program), system files (not created by this program), and peripherals. Applications could be simply internet or not internet and it would be a big step forward. So you get a program in the mail. Your mail program should tell you, "hey, this is a program, not a file." If you run it anyway it should say, "hey, this is reading your personal files." If the user says OK to that it should say, "hey, this is modifying your operating system," and if the user says OK to that it should say, "hey, this wants to connect to the internet." Finally, it should say, "hey, this wants to use your webcam." All of these things are pretty understandable, even to a novice user. If most of their applications (legitimate ones) behave properly and don't access their personal files or their OS or the internet or their webcam, they will then be suspicious of programs that do access those resources, unless of course they are expecting the program to use their webcam and the internet.

    That is not pretending to be any simpler than it is, but it is telling the user in plain english what is going on and giving them the option to allow it or stop it. Right now, unless they are an expert, they are not given any of these options, are not warned when applications do suspicious things, and are shown endless OK/Cancel dialogue boxes, or even just OK boxes, with no other options. The problem is that functionality is missing and the good UI design is missing. Add those two elements in and not only will education be greatly simplified, but in some cases it will be wholly unnecessary because the UI is self documenting.

    Now I agree Word has no business accessing the internet or running executables and e-mail should, by default, never allow a user to open an executable. That still does not stop trojans or do anything about viruses that do find a chink somewhere. The key is letting users know what is going on, doing the right thing by default if they don't know, and explaining it to them. Do that and legitimate developers will fall in line or suffer for it and trojans and viruses will be largely mitigated.

  • by OneByteOff ( 817710 ) on Thursday August 25, 2005 @06:14PM (#13401984)
    Maybe Windowsupdate will provide an option to "Update and install automatically" like A/V does with signatures. Most end users ignore the globe in the taskbar anyway, so no matter the visual indicator they won't install the updates. It's pathetic that A/V is tasked with saving us because we are too lazy to patch....
  • by Anonymous Coward on Thursday August 25, 2005 @07:51PM (#13402735)
    I don't run Windows under my admin account and I don't run Linux under root.

    I don't run linux under root. I do run Windows under an admin account.

    Many of my Windows programs won't run without admin privs. Most especially, my children's educational games won't run without admin. So I finally gave up and made them admin. At that point I surrendered everything.
  • Re:Sandbox (Score:3, Interesting)

    by Geoffreyerffoeg ( 729040 ) on Thursday August 25, 2005 @09:27PM (#13403273)
    it tests for the memory segment it is run in

    How does it find that out honestly? It's running in a sandbox.

    Unless it's running in a really crappy sandbox. The point of this protection mechanism is to dupe the virus into running normally....
