McAfee Artemis Claims Protection Online, On-the-Fly 107
Seems like McAfee has created a new Internet-based service to provide active protection on the fly when a PC gets hit by malicious computer code. "[Artemis] is a lot faster than traditional methodologies and it closes the gap between when a piece of malware is written, discovered, analyzed and protected against ... Artemis is available at no charge as part of McAfee VirusScan Enterprise or McAfee Total Protection Service for small and medium-sized businesses. Artemis is also available for McAfee's consumer products, where the functionality is called Active Protection."
This is why you read the fine print... (Score:5, Informative)
TFA basically states that anything behaving "suspiciously" on your PC will be automatically back to McAfee for analysis. There's no mention at all of possible privacy risks.
Sheezus.
Artemis is available at no ADDITIONAL charge (Score:5, Informative)
"Artemis is available at no charge as part of McAfee VirusScan Enterprise or McAfee Total Protection Service for small and medium-sized businesses."
I guess enterprise editions don't come at no charge.
I guess this is the new "cool thing" (Score:5, Informative)
F-Secure Deepguard: http://www.f-secure.com/deepguard [f-secure.com]
Threatfire: http://www.threatfire.com/ [threatfire.com] (recently acquired by Symantec... so they are in the game now)
DriveSentry: http://www.drivesentry.com/ [drivesentry.com]
Prevx: http://www.prevx.com/ [prevx.com]
Re:This is why you read the fine print... (Score:5, Informative)
I've actually spoken with McAfee about this at length. If a suspicious file is found (not going into what is deemed suspicious out of professional courtesy) a fingerprint (hash) of the file is sent back to McAfee to see if it matches a known malware sample. If it matches, then the file is deleted or quarantined, or whatever the default behavior is. This only takes place if the malware doesn't trigger one of the other protection pieces in place.
There are settings in both the corp and home editions that let you decided if you want to send samples back to McAfee or just turn the feature off. It's a surprisingly cool thing to come out of one of the big players.
Re:ugh. (Score:5, Informative)
What could go wrong?
Re:Antivirus software is bullshit (Score:4, Informative)
You think you can educate the user(s) to remember to always hold down shift when inserting a CD/DVD? Yeah, good luck with that.
Re:This is why you read the fine print... (Score:1, Informative)
If only a hash is sent back to McAfee it seems like it would be trivial to code a virus (or other malware) that will go unnoticed. All you would need to do is add a few extra bytes in the file and fill them with random data when the machine is infected. Because the hash depends on this random data it is not likely to match another hash from the same virus on a different machine, so the virus will go unnoticed.
Re:Antivirus software is bullshit (Score:3, Informative)
That's wrong, not informative. Any modern Windows OS (XP SP2, Vista) pops up a box asking what you want to do when you insert the disk (which includes the option "Run the program"). It will not, however, automatically run anything.
Re:Flawed methodology (Score:2, Informative)
Running as root would be just as stupid (something Ubuntu does not have one do by default but I believe Mac does?)
What Macs and newer Linux distros, Ubuntu included, do is make the first user created on the system a "computer administrator". Only such a "computer administrator" can install software outside the home directory or change system settings and all such activities are password prompted. Unless that password is supplied for administrative actions, these users have no more privilege than regular users.
It isn't perfect. A nasty could run in the background as that user and silently sniff for that password but such attacks aren't common. It is fairly common practice to mitigate that on Linux systems by forbidding software to execute from the home directories. That would be possible on OS X as well but doesn't seem to be a very common practice.
gone in 60 seconds (Score:3, Informative)
Really can they do that? Code Red (admittedly a worm not a virus) took what, 8 minutes, to do most of its propagation. I don't think they can do anything useful in terms of speedy. Getting out the defs a few days faster protects me from 20% more viruses. That's about meaningless. Unless you're going to knock it down a few orders, you're not helping the situation very much.
Re:This is why you read the fine print... (Score:5, Informative)
You're reinventing the wheel here. Viruses that did that were common back in the early 90s.
First, the more stupid AV programs would use a hash. The virus writers countered that simply by including an infection counter. The counter would increase with every infection, modifying the hash.
Then the less gifted AV program writers would hash just certain parts. The virus writers countered that by having the first instruction of the virus be a jump to where the virus was, and the actual virus block being moved at random within a bigger block whenever a new infection occurred.
So then the AV writers scanned for identifiers without looking at the location. The answer from the virus writers was to insert NOP statements at random inside the code, and shuffle these around at every new infection.
Incidentally, my own antivirus program (VScan) would in its deepest mode disassemble the code and emulate the actions of it without executing it, to see whether the result of the code would perform certain actions which only OS routines and viruses would ever do. This foiled some attempts at stealth, like adding numbers to generate an offset, or mutating the registers being used, and also allowed for finding new viruses that used the same techniques but not the same code as older viruses.
Then came XOR'ing the virus, then self-extracting compression, then actual encryption -- and the race is still on.