Cisco CSO Says Antivirus Money "Completely Wasted"

mernil writes with an excerpt that kicks off a story at ZDNet Australia: "Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don't work, according to Cisco's chief security officer John Stewart. Speaking at the AusCERT 2008 conference in the Gold Coast yesterday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure."
  • by Bullfish ( 858648 ) on Thursday May 22, 2008 @11:19AM (#23505786)
    Most free anti-virus apps available are free for personal/non-profit use only. If you want to deploy them on a commercial network I believe you have to pay for almost all of them.
  • by Anonymous Coward on Thursday May 22, 2008 @11:22AM (#23505836)
    no, and no
  • Disagree (Score:5, Informative)

    by Dop ( 123 ) on Thursday May 22, 2008 @11:23AM (#23505848)
    Correct, patching your systems isn't going to protect you against state-of-the-art malware. What patching does is protect you against script kiddies running exploits that are 6 months old. The majority of the successful attacks I've seen are against old vulnerabilities, not new ones.

    Additionally, patching isn't just about security. It's about fixing software bugs that could cost you time/money later.

  • Duh! (Score:3, Informative)

    by mlwmohawk ( 801821 ) on Thursday May 22, 2008 @11:38AM (#23506140)
    Sorry, but it is beyond laughable that this is news. Anti-virus software is like prayer. It lets you think you're doing something.

    Anti-virus software is by its very nature a "post damage" measure, like closing the barn door after the horses leave. Or fixing the roof after the house is wrecked from rain.

    The *only* way to prevent viruses is to understand that your computer only does what it is told and you need to control who gets to tell it what to do.

    Windows, and we are talking about Windows here, is designed to allow foreign agents to control your system without your consent. Microsoft has so many holes in its system beyond just stack overflow exploits, but protocols and APIs designed to make it "easier" for applications to do things "for you," and are we surprised that it is exploited?
  • by Dak RIT ( 556128 ) on Thursday May 22, 2008 @11:38AM (#23506142) Homepage

    I generally agree with your sentiment, although I feel compelled to correct one of your points...

    The previous Slashdot article didn't say 66% of all PCs, it said 66% of all PCs (over $1000) sold in retail. That's still impressive for Apple and shows a lot of growth potential as it expands its retail presence, but it's a very different market than 66% of all PCs.

  • by QuantumPete ( 1247776 ) on Thursday May 22, 2008 @11:41AM (#23506220) Journal
    Exactly. There would be a lot *more* malware out there if it weren't for basic security measures. Just because houses get broken into, doesn't mean that you're wasting your money on front doors.
  • Viable alternative. (Score:5, Informative)

    by rindeee ( 530084 ) on Thursday May 22, 2008 @11:47AM (#23506328)
    I have two Windows computers that I use. They are rarely used (Govt issue). In addition I have 3 Macs, two Sun boxes (Solaris 9 & 10 respectively) and a number of Linux boxes. I run Symantec on the two Windows machines (comes pre-installed) but it has never caught anything. This is not because there was nothing to catch, but rather because I have very high security at the demarcation point of my network at home. I run a router with PacketProtector (a great OSS project...if you've not tried it out, you should) which runs ClamAV, Inline SNORT, DG, TinyProxy, etc. etc. etc. which pretty much stops everything in its tracks. I wouldn't call it ready for prime time as there are still some bugs, but implementing the same packages on an old PC would be simplistic. My point is that it's relatively easy to stop darn near everything at the entry point to the Network rather than waiting for it to make itself known on one of the PCs. Catching it on the host should be the last resort, not the first line of defense. Hopefully projects such as OpenWRT, PacketProtector and IPCop will make it easier for the average user to make this a reality. There is certainly a need for more effective anomaly based analysis and filtering vs. signature based, but there seems to be a lot of progress in that direction by SourceFire and others. Of course it would be nice if MS would stop producing virtual petri dishes, but in the meantime....
  • Re:Cure the viri (Score:1, Informative)

    by jeiler ( 1106393 ) <go.bugger.off@gma[ ]com ['il.' in gap]> on Thursday May 22, 2008 @11:50AM (#23506380) Journal

    * http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html [sophos.com]
    * http://www.sophos.com/pressoffice/news/articles/2007/11/mac-osx-trojan.html [sophos.com]
    * http://www.sophos.com/pressoffice/news/articles/2006/02/macpoll.html [sophos.com]

    "Mac users cannot keep thinking that they are invulnerable to these threats." -- Graham Cluley

    Gonna make any other jackass statements?

  • by jedidiah ( 1196 ) on Thursday May 22, 2008 @11:52AM (#23506412) Homepage
    When you consider the fact that the Microsoft OS du jour is force-fed to everyone through the OEM channel it is.
  • Re:Agreed (Score:5, Informative)

    by Fast Thick Pants ( 1081517 ) <fastthickpants@gmail. c o m> on Thursday May 22, 2008 @12:08PM (#23506668)
    AFAIK, the only free AV products whose license permits business use are:
    • Comodo [comodo.com] - Still in beta, lots of false positives. Configuration is all in local text files, so some level of remote management is possible, but they certainly don't provide the tools for it.
    • PC Tools [pctools.com] - Requires interaction from the user to do updates, so not a contender.
    • ClamAV [clamav.net] is free of course, but does not provide a scan-on-access monitor. More suitable for mail servers than workstations.
    • Winpooch [sourceforge.net] - uses the ClamAV engine for on-access scanning, project seems dead, never tried it.
    • Spyware Terminator [spywareterminator.com] - Also does AV using the ClamAV engine. I'd never heard of this one before today, and unfortunately their site design looks a little on the fly-by-night side. They offer a corporate edition with central administration for the wacky price of $2 per seat per year.
    Please add to/subtract from/comment on these if you know something!
  • by egomaniac ( 105476 ) on Thursday May 22, 2008 @12:31PM (#23506994) Homepage
    Nonsense. If you're running any Windows other than Vista, odds are that you are at all times in possession of administrator privileges. And that means that any piece of software you run also has your administrator privileges. If such a piece of software -- Firefox, for example -- has a security hole which allows arbitrary code to run, that arbitrary code has all the permission it needs to do absolutely anything it wants to your computer, such as planting keyloggers.

    This is not the case with Mac OS X. My current account has administrator privileges, but they are inactive by default. I have to enter my password in order to elevate to admin permission, and such elevation applies only to the program which requested the change. This makes an attack both less likely and easier to defend against, as the program can't just silently go in and modify my applications -- it has to at least ask for permission first.

    Obviously there are still dangers. My user files are still vulnerable to attack at all times, but of course Time Machine means I have backups of my files going back weeks. There is also the danger that a program could trick me into entering my password when its true intentions are nefarious, thereby getting the required permission to trash my computer. The only way to defend against that is to be very careful about when and where I enter my admin password, but that's true of any OS.
  • Re:Agreed (Score:5, Informative)

    by Fast Thick Pants ( 1081517 ) <fastthickpants@gmail. c o m> on Thursday May 22, 2008 @12:32PM (#23507018)
    I'm pretty sure they have licenses that prohibit commercial use and therefore don't belong in this list. (Granted, it is possible to have a complicated home network that would benefit from AV "administered at the network/Domain level", but I don't think that's what grandpa meant.)
  • Re:Agreed (Score:1, Informative)

    by Warll ( 1211492 ) on Thursday May 22, 2008 @12:34PM (#23507046) Homepage
    Those are only free for home use.
  • Re:Agreed (Score:2, Informative)

    by billcopc ( 196330 ) <vrillco@yahoo.com> on Thursday May 22, 2008 @12:50PM (#23507316) Homepage
    It sounds goofy, but try a virtual firewall... e.g. Smoothwall in VMware. Even with the VM layer, it's still far more conservative (and reliable) than any Windows-based firewall junk. Mine runs with only 16 MB of RAM allocated, and it's completely non-intrusive.
