Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Businesses Software The Almighty Buck Windows

Anti-Virus Is Dead (But Still Makes Money) Says Symantec 254

judgecorp (778838) writes "Symantec says anti-virus is dead but the company — the world's largest IT security firm — still makes 40 percent of its revenue there. AV now lets through around 55 percent of attacks, the company's senior vice president of information security told the Wall Street Journal. Meanwhile, other security firms including FireEye, RedSocks and Imperva are casting doubt on AV, suggesting a focus on data loss prevention might be better."
This discussion has been archived. No new comments can be posted.

Anti-Virus Is Dead (But Still Makes Money) Says Symantec

Comments Filter:
  • by Anonymous Coward on Tuesday May 06, 2014 @09:53AM (#46928735)

    "AV now lets through around 55 percent of attacks" What happened? What's the big game changer from the 95% detections of just a few years ago?

    • by Anonymous Coward on Tuesday May 06, 2014 @09:57AM (#46928785)
      Because marketing is more effective than a quality product.
      • Because AV's business model is only helped by more computers swimming in viruses.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Between the ages of 13 and 16, I made about $50,000 selling a bogus antivirus program that I wrote (didn't really do anything, looked cool though).

    • by Xicor ( 2738029 ) on Tuesday May 06, 2014 @09:59AM (#46928807)
      they dont update the virus signatures anymore, because ppl who use symantec antivirus dont have any clue wtf they are doing. it is kindof like going to a steak restaurant and ordering your steak well done. the restaurant has lower quality meat for those people because it is cheaper and they cant tell the difference.
      • by Kjella ( 173770 )

        Ignorance or preference? I assume those who order it well done have tried medium and didn't like it. Maybe they don't really like it at all, if you go to s sushi restaurant they usually have something for kids, people with allergies and others who got dragged into a sushi place. If they're happy, the restaurant is happy then I don't really care if a chef's heart breaks by turning a juicy steak into leather.

        • by Xicor ( 2738029 ) on Tuesday May 06, 2014 @11:26AM (#46929869)
          yes, but when you can cut costs and not have any issues, a lot of places will do it. theres no point in spending 20$ on a prime steak if the person eating it cant tell the difference between a shoe and a steak.
          • by AthanasiusKircher ( 1333179 ) on Tuesday May 06, 2014 @12:35PM (#46930905)

            yes, but when you can cut costs and not have any issues, a lot of places will do it.

            I'd like to see reliable evidence of this. I've heard this crap ever since Anthony Bourdain included it in some rant in one of his books about people who liked meat cooked more than medium-rare. Perhaps he was known to serve crappy food to those people, but I'd be really interested to know how widespread the practice is.

            Because if you search around on some cooking forums, you'll see other actual chefs chime in and say they do NOT do this. Actual chefs will tell you that they tend to have thinner cuts available for people who like well-done, so as not to delay the entire order while cooking one steak longer. (If they don't have this, they'll generally offer to butterfly the cut.) But actually serving people crappier meat? Not so much that I've heard, outside of Tony's confessions of being a jerk.

            theres no point in spending 20$ on a prime steak if the person eating it cant tell the difference between a shoe and a steak.

            "Prime" ratings refer to marbling, not necessarily quality of taste. So, if you pay more for "prime," you're paying for more fat. That fat won't disappear completely if the steak is cooked well done: in fact, more of it will often soften, because temperatures about 130 F (temp for medium-rare) allow faster break-down of a lot of fat. Case in point: taste a low-quality fatty cut cooked fast on a hot grill (often lots of gristle) vs. similar meat from the same part of the cow cooked to a much higher temperature longer as a pot roast... all that fat will be melt-in-your-mouth tender. A well-done steak, done properly, can be somewhere in between.

            For the record, I generally order my steaks medium rare, and I agree that that maximizes certain aspects (particularly juiciness and tenderness).

            But for those who like well-done, they often get extra browning flavors from the Maillard reaction and caramelization, and the extra fat break-down can do good things for the fat (though making the muscle tougher). If the steak is heated slowly before grilling or finished in the oven at a very low temperature, it can also be quite juicy (contrary to popular belief). Cooking a steak well-done that tastes good is also an art, and probably even more finicky that cooking one medium-rare.

            Anyhow, sorry, but if you are actually able to tell a prime-grade steak at medium-rare, you should also be able to tell one at well-done. If you can't, you probably don't know as much about steaks as you think you do. Different people like different things, but that doesn't excuse insulting them or serving them crappier food.

            • As a lover of well done steaks, thank you for saving me the trouble of replying. Most places that I've ordered well done steaks at will do exactly what you say, and it seems to work out ok. I've only had one restaurant give me trouble about it, so I will never eat there again. I swear, steak snobs like Xicor (or Anthony Bourdain) are worse than wine snobs sometimes.

            • by cHALiTO ( 101461 )

              I agree.
              If your steak feels like a shoe when it's well done, then it's not well done, it's burnt. That or the meat is crappy to begin with, and you'll notice whether it's raw, well cooked or whatever.
              Here in Argentina many people tend to ask for well done steaks, and if the meat is decent, you can pretty much cut it with a spoon. Its quality also depends on the amount of fat vs amount of actual meat, and other stuff (nerves, for example). Tenderness also depends on the type (cut) of meat.. but I hear our cu

              • by Xicor ( 2738029 )
                it doesnt really matter how you cook a steak... if it is well done, it will be leather(well done is 155+ degrees) this is well above the temperature at which a steak is best served.
                • by cHALiTO ( 101461 )

                  (well done is 155+ degrees)

                  155+ degrees for 1 second doesn't make a steak well done. And lower temperatures over a long time can turn a steak into leather as well.
                  Cooking a steak isn't just applying heat to it. Some people like it crispy on the outside but 'saignant' on the inside, so you use higher temperatures over a relatively short time. Others like it "well done" (though maybe we use the term differently here) overall, so less heat over a relatively longer time, and you get it well cooked inside and ou

        • My mother-in-law always orders her steak medium but wants there to be no pink visible inside. We always correct her order to well-done immediately after she orders because she returns any steak with pink visible because like many people with red meat, she doesn't understand the difference between 'not cooked' and 'still pink'.

      • Of course they update the signatures. A lot of threats target things that AV running on a PC can't catch is all. How is PC AV going to help your Android device?
    • by manu144x ( 3377615 ) on Tuesday May 06, 2014 @10:01AM (#46928823)
      One answer could be because now threats are mostly targeted at the biggest weakness: humans. Phishing, scams, and all that are much more profitable and incredibly hard to detect programmatically. Legit websites are hacked daily and injected phishing sites and then removed fast.

      They all rely pretty much on human stupidity and ignorance, and that is very hard to stop...
      • by Anubis IV ( 1279820 ) on Tuesday May 06, 2014 @10:19AM (#46929069)

        Bingo. Back when automated worms were the biggest threat we faced, programmatic tools were very effective. Likewise when viruses needed to be passed manually from user to user via infected files, AV could do a lot to stop it. Meanwhile, trojans weren't too effective, since software was still being distributed via physical media, so people were distrustful of downloadable executables. Nowadays though? Users are enticed to install trojans on their computers, which is now a perfectly normal thing to do, since that's the simplest vector most of the time, unaware that what they are doing is harmful.

        As the saying goes, you can't fix stupid.

        Even so, I rather like OS X's current way of combatting trojans, which gives the user three options in the System Preferences: allow anything to run, only run stuff from registered developers, and only run stuff from the Mac App Store. Doing so leaves the control in the user's hands, but allows them to choose the level of protection against executables coming from illegitimate sources that they want. The middle option in particular is a nice one (and used to be the default, though the Mac App Store one may be the default now...not sure), since it's rare that I encounter a legitimate Mac developer who isn't registered, meaning that the warnings about software from unregistered sources are exceedingly rare. Warnings that are rare are exactly the sort of thing we want, since it makes them stand out more and means that users are less likely to become blind to them.

        Quick aside: I'm not suggesting anything about the relative worths of the various platforms, nor am I suggesting this feature is unique to OS X (e.g. I know Microsoft has dabbled with registered developer security features in the past). I'm merely citing a feature I think manages to nail a nice middle-ground between providing warnings without rendering users blind to them, while still leaving folks like us with the ability to install whatever the hell we want.

        • by mlts ( 1038732 ) on Tuesday May 06, 2014 @10:46AM (#46929405)

          One of the biggest infection vector these days are holes in Web browsers or add-ons. I don't see worms and viruses a common threat these days. It is mainly something from a website or even worse, an ad server. By using adblock, noScript (or the "click to play" functionality in Chrome), and SpywareBlaster's black list, this has kept my machines clean where the AV program is mainly for scanning a download (and even then, for small downloads, VirusTotal does the job better.)

          IMHO, an AV maker should take a page from that book and start blocking URLs and bad sites. Some ad company allowing malware to get posted through their server? Block it by IP and/or URL.

          So far, this has done a good enough job for protection. I mainly browse the Web in a VM, and when I take the VM offline and scan the disks with a decent AV program, the scans turn out clean.

          This doesn't mean AV is useless. Not using it is similar to leaving the key in the ignition when running into a gas station. However, it would be nice if AV programs could build in functionality similar to AdBlock and block not just by IP, but by URL.

          • Depends how often the user downloads and installs something like a new program. There are still plenty of sites out there with shady "add-ons" bundled into the program installer. They'll take a legitimate program, which has no adware/malware attached, re-bundle it, and then SEO their way to the top of the search results.

            We also block a few hundred executable scripts attached to spam at the mail gateway each week. So that vector is alive and well.

            For everything else web-related (infected ads being mos
        • by CastrTroy ( 595695 ) on Tuesday May 06, 2014 @10:49AM (#46929441)
          This is similar to the reason that I think the iPad is what most users really want/need. Techies complain about the walled garden, and how that limits what they can do with the hardware. But that's exactly what end users want. They want to be able to install and use software without thinking about all the bad consequences that could come of it.

          Imagine going to a store and buying a toaster. Some toasters would be cheap, but would sometimes catch on fire and burn your house down. Some toasters would be cheap but listen in and record all the conversations going on in your kitchen. Some toasters would be more expensive and actually just toast the bread, without any ill effects. Sure it's the customer's choice which one they buy, and you can tell them to read reviews and be careful, but that's really not a good situation to put the customer in. The customer should have reasonable expectations that the product is safe and isn't trying to be malicious. But when installing software, it's very hard to verify that an unknown program is actually safe or not.
          • by King_TJ ( 85913 ) on Tuesday May 06, 2014 @02:42PM (#46932629) Journal

            It constantly irritates me when I see people installing all sorts of junk simply because they can't be bothered to READ what's on the screen, right in front of them. Thanks to the proliferation of "free" software for Windows (as opposed to true freeware), the installation programs often ask you if you'd like to ALSO install one of several other questionable toolbars, add-ons or other utilities, with an "opt in" default for each prompt. Really, there's no secret here.... It tells you right on the screen what it wants to install, and you simply de-select a check-mark to skip it. But people blow right through those prompts, clicking as fast as they can find the button, and then wonder where the "Super Cool MegaSearch" toolbar came from that keeps popping up ad banners while they surf the web.

        • How is this different from UAC on Windows? I get the app store and I love that concept as it makes publishers liable but for the rest you need some control and UAC is the only control available in MS products.

          At the end of the day you don't want to make users unproductive by removing their flexibility but at the same time they are very unproductive when their system is down or important information leaks from threats and such.

          It's not that people are dumb, it's that they don't have our technical understand

          • How is this different from UAC on Windows?

            Other than that they're aimed at attacking the same problem, the two really aren't alike at all. If I had to summarize the key difference though, I'd say it's that UAC's warnings are based on the action being done, whereas Gatekeeper (the Mac feature I was describing) bases its warnings on the level of trust (or lack thereof) it has in the app's source at the time that you first launch the app.

            Put differently, whether I wrote the app myself, downloaded it from a shady site, or got it on physical disc from a

    • by Tridus ( 79566 )

      Attacks are more sophisticated now, lists of bad things that we've seen before aren't adequate to stop a serious attacker.

    • by Sycraft-fu ( 314770 ) on Tuesday May 06, 2014 @11:18AM (#46929783)

      Good anti-virus still has high detection rates. AV Comparitives puts most virus scanners above 90% detection in their March real world protection test. The better ones are in the 98%+ range. http://www.av-comparatives.org... [av-comparatives.org]

      Of course Symantec isn't on that list... perhaps there's a reason :).

      • by cellocgw ( 617879 ) <cellocgw&gmail,com> on Tuesday May 06, 2014 @11:32AM (#46929937) Journal

        There are statistics and then there are useful statistics. If an AV product is capable of catching 95% of all the viruses ever written, you should
        A) use it
        B) be really worried because you don't know what good it's actually doing.

        Remember, 99% (a made-up stat) of all malware is no longer used at all because it's either blocked by every tool in existence or doesn't do something actually useful, like bringing cash to the distributor of said malware.
        What matters is what percentage of currently active (and dangerous) malware the AV tool can catch, and further, whether the types of malware it can't catch pose a danger to your personal types of computer usage. As a contrived example, all Flash-based malware is irrelevant if you never visit any Flash-enabled web page (and don't run Flash modules locally either).

        • by asavage ( 548758 )
          I remember when Microsoft first came out with their antivirus it seemed to test quite well compared to other antivirus software. Now it comes with windows 8 it seems to have fallen off the chart which makes sense as any virus writer should make sure it works against a default windows 8 install.
      • The stat you're quoting is "how many of the things we're designed to look for do we find" not "how many of the things that cause problems do we find."

        Anti-virus software doesn't work because MOST problems now aren't and don't look like viruses.

    • THEIR AV maybe.

      Yeah, I believe that without a doubt. I'd have guessed more, to be honest, though.

    • Security is a cat-and-mouse game; where the attacker knows everything about the anti-virus. The virus writers can test before releasing their software to make sure Symantec doesn't detect it, so Symantec can never win.

      The question is whether they were really getting a 95% rate, or if they were gaming the numbers
    • by Bacon Bits ( 926911 ) on Tuesday May 06, 2014 @12:09PM (#46930483)

      Viruses used to be targeted at impacting systems. Destroying data. Disabling operations. They were focused on taking your computer down. It was very obvious when you had a virus because your computer was obviously broken. There was no way for a virus creator to make money.

      Viruses today are used to steal information, steal resources (network, CPU, etc.), or open access. To function, they require your computer to be on, fully functional, and connected to the Internet. It's trivial to make money with a botnet, meaning viruses are now funded by major criminal business enterprises.

    • Because some of these companies have discovered that they can sell products that don't work and still make a boatload of money. Declaring AV dead as an excuse to avoid investment in security threat mitigation technology and still sell the product that doesn't work is basically fraud as far as I'm concerned.

      We have switched to Sophos which seems to be doing the job. I'd be very interested in hearing opinions of which AV products aren't dead.
    • Symantec, McAfee, etc really never said this AFAICT, it's people promoting other malware solutions and/or being disingenuous by saying that PC AV won't stop non-PC malware such as embedded and mobile devices get. Well no kidding. Clickbait.
    • by WD ( 96061 )

      When on earth did AV detect 95% of attacks? (hint: never)

    • "AV now lets through around 55 percent of attacks" What happened? What's the big game changer from the 95% detections of just a few years ago?

      The was no change. The 95% claim was BS.

  • by timeOday ( 582209 ) on Tuesday May 06, 2014 @09:56AM (#46928771)
    Sure they want to sell you something in addition to "anti-virus" software with a fresh new name. But host-based security software isn't going away.
  • It has become so easy to make a virus, that creators abandon old virus methods before anti-virus companies even find out that they existed. Unless they come up with new ways to predict the attacks, they will never keep up.
  • Makes sense (Score:4, Insightful)

    by American AC in Paris ( 230456 ) on Tuesday May 06, 2014 @10:03AM (#46928851) Homepage

    When the back door was made of cloth and paper, there wasn't much sense in trying to fool the user guarding the front gate. Now that we've locked that down with a steel door and a proper deadbolt, it's a lot easier to try to sneak past the guard--and it's a lot harder to upgrade a guard than it is to upgrade a door.

    I think we're entering a period where forensics and an effective legal apparatus are going to become the primary means of defense.

    • Re:Makes sense (Score:5, Interesting)

      by Charliemopps ( 1157495 ) on Tuesday May 06, 2014 @10:15AM (#46929015)

      I noticed my idiot bother-in-laws computer was sitting on a wide open wifi connection, no password, no encryption. Then I looked and the computer had no antivirus, UAC, the Firewall, everything was disabled. I pointed all this out to him and he said "I don't get viruses anymore." So I ran a standard on-line anti-virus product and he had hundreds of infections. I doubt he's done anything with it at all.

      The authors of viruses make a profit off your infection by either displaying ads to you, or using your computer to host data or attacks. If they make what they are doing too obvious, you're going to do something about it. So it's in their best interest to make sure you don't notice it. Why fix something that's not bothering you? My brother-in-law has no idea the risks he's taking and likely thinks I'm dumb for bothering him with it. I suspect the majority of the people feel the same way.

      • Shields Down! (Score:4, Interesting)

        by epine ( 68316 ) on Tuesday May 06, 2014 @02:10PM (#46932209)

        I suspect the majority of the people feel the same way.

        Not even close, unless you also think that the majority of people who suffer in silence all fret over the same life issue.

        Apathy has at least a dozen different root causes at the level of kingdom and phyla. Some people dislike how their computer turns into a vat of sticky molasses right after the anti-virus software gets installed. They didn't know you need twice as much bare metal to eke out a tolerable user experience once the protective condom—prosthetic cylinder—is superglued onto the pink skin under the hood. When you find a male user whose entire panoply of defences are on the floor (or around his ankles), one suspects the anti-virus software was interfering with a cherished late-night hobby.

        The entire anti-virus program was misconceived to begin with. It's not ultimately impossible to write secure code, but it will remain impossible until we've exhausted every other dodge.

        You can always count on Americans to do the right thing - after they've tried everything else. — Winston Churchill

        Note that by "secure" I don't mean "flawless". A better proxy is that once a flaw is discovered, it takes far longer to work up a successful exploit than it does to fix the problem and test the patch, assuming both lines of development hear the same gun.

        I've been reading security threads for at least two decades. There's always someone who pipes up with the view that because the travelling salesman problem is NP-complete, you might as well plan your route by flipping coins. This is the strange and not-so-wonderful archaea kingdom of the apathy tree. Brain the size of a planet, and all these people can manage is to cop a snivel. These people have their edge enhancement (aka paranoia) dialed up so far, the entire universe looks like a chessboard in the movie Tron. I'm guessing that the evolution of intelligent life is also NP-complete, yet somehow it happened. Hard to notice this if your giant brain perceives itself as living on planet Tron.

        At the end of the day secure code has no hope of survival in a winner-take-all market with a short little span of attention (winner take all, until it's all siphoned away by a Chinese triad). It probably boils down to prisoner's dilemma—until there's a sea change, and secure code gets the girl.

        The answer lies in a systems theory analysis of human mating-instinct time horizons. This is a different difficulty class than NP-complete, founded on the technique of proof by partial induction: well, we're still here.

    • In the email world there are 'reputation' providers that will give an IP address a score (e.g. from 0 to 100). On many domains if your 'reputation' is too low, the email bounces. However we are heading towards an IPv6 world where ip-reputation is too hard (too many addresses). So you need another way to base your reputation on (e.g. your domain name or email address).

      Who is providing the content and are they trusted (you better prove you are trustworthy). Just another option.
  • by Eravnrekaree ( 467752 ) on Tuesday May 06, 2014 @10:08AM (#46928917)

    Part of the problem may be the closed source nature of AV itself. I have always wondered if the closed source AV vendors are basically reinventing the wheel and needlessly wasting resources on finding viruses that have already been found by other companies, and that maybe there should be a central virus database that all of the companies would contribute to instead. The model of each company having to independantly find viruses is inefficient and leads to much slower progress on eliminating them. It is wasted time and effort reinventing the wheel, and as well it actually worsens things for users because things do not work as well as they could.

    Does anyone here have a recommendation for the best AV software?

    What about ClamAV? Is this as good as the closed source AV products?

    • I use Avast for AV and Bitcoin Vigil for IDS. Both are free and work well together (although, Avast does noticeably lag my computer -- but less so than competitors)
    • >> Does anyone here have a recommendation for the best AV software?

      The built-in Windows AV on modern OS's works OK. (We don't have any machines except test machines older than Windows 7.) I guess I haven't even thought about Symantec or McAfee for the past few years.

      >> What about ClamAV? Is this as good as the closed source AV products?

      IMHO, it's slower and not as thorough. I wouldn't use it on Windows.

    • by Arker ( 91948 ) on Tuesday May 06, 2014 @10:40AM (#46929327) Homepage
      The problem is deeper than that. It goes back decades to the very idea of a scanner vs other methods of security. Scanners are good 'solutions' if you dont really want to solve the problem but rather want to profit from it. They are reactive, they require constant updates (which justifies continuing payments) and will absolutely never do more than partially ameliorate the problem. Scanners only find old threats and it's a very old game to just switch bytes around until the scanner says you are clean.

      A system actually designed for security would instead focus on behavior and abilities, and look more like SELinux than a traditional virus scanner. It wouldnt care if a program was exceeding its authority because it's a virus or because it's damaged or just because it's poorly programmed - it would prevent it from doing damage regardless.

      This is far from impossible, but as an industry we turned away from that road several decades ago, because it's slower, more expensive, and harder to develop for. First to market seems to trump well designed every time. :(
      • by westlake ( 615356 ) on Tuesday May 06, 2014 @12:56PM (#46931195)
        Your typewriter needs a new ribbon.
      • I do agree that making systems secure to begin with is vitally important. This includes making sure the software is not running vulnerable versions to attack. Part of the problem with Windows and some other UIs is that they make it inconvenient, even unnatural for non-tech users to take advantage of the privelege seperation features. Which is why the OS should have a wizard that on first boot puts the user into a non-root account by default. Another is to have app stores for desktop OSs. Another is to prohi

      • In case you hadn't noticed, Credit Card companies secure your credit card using techniques very similar to A/V vendors' products. They do heuristic scanning of transactions, looking for consumer spending patterns and throwing red flags when they change significantly. You can wax poetic all you want about "smart cards" but the system is big enough that we'll probably *never* be without similar methods for protecting your bank account

        • by Arker ( 91948 )
          Latest statistics I found with a quick LMGTFY says just under $12 BILLION last year in cc/dc fraud alone, so it sounds like you just supported my point rather than disagreeing with it.
      • by Burz ( 138833 )

        Security by isolation [qubes-os.org] is one way to solve that problem. With a hypervisor designed for strong security instead of primarily for conveniece as is usually the case, users can safely allocate their tasks and data to different domains. For instance, 'Work' and 'Personal' could be two domains that have network access, whereas 'Vault' would hold the most sensitive info (like certain keys and passwords) and have no networking. An 'Untrusted' domain is used for most of the general web surfing-- reading articles, wa

    • You are absolutely correct, this drives me nuts. An illustration from the corporate end user perspective: it is almost impossible to get any information from any AV vendor about WHY a certain signature was triggered. Given the prevalence of false positives with the latest heuristic and reputation-based detections, this information can be absolutely vital to making the correct decisions. But the best you can usually get is 'it is a trojan' or some other vague crap. They seem to view their signatures as some
      • And the flipside: if I have a known malware sample ignored by the AV, why can't I add its signature to the database myself? Why must I submit it to the vendor first to await their sluggish response?

        You are absolutely correct, this drives me nuts. An illustration from the corporate end user perspective: it is almost impossible to get any information from any AV vendor about WHY a certain signature was triggered. Given the prevalence of false positives with the latest heuristic and reputation-based detections, this information can be absolutely vital to making the correct decisions. But the best you can usually get is 'it is a trojan' or some other vague crap. They seem to view their signatures as some sort of secret sauce that must never be revealed.

    • by CAIMLAS ( 41445 )

      ESET is by far the best I've had the opportunity to use.

      Yeah, it's actually worth paying for: it's unobtrusive where it needs to be and I've not seen anything sneak by. The big things that break other AV doesn't hurt ESET. I make it a pre-requirement for anyone who wants my help on their Windows, and so far... no "I've got a virus" type requests. :)

      • by Quirkz ( 1206400 )

        I've been looking for a replacement AV so I can get rid of Symantec Endpoint Protection at work. I've been looking at Eset, but the initial test had me concerned. Windows popped up every time I changed network, asking me to make choices, and there were a handful of other notifications that I don't want to inflict on users. Maybe once I dig around in the preferences there's ways to silence those things, but it didn't seem ideal out of the box.

  • Sounds about right. I've had at least 3 viruses that have circumvented Norton -- but caught by Bitcoin Vigil (a honey pot based approached to catching malware). I guess it's a combination of outdated signatures, and novel attacks and Antivirus needing to limit its false positives
  • Most AV is malware (Score:5, Interesting)

    by EmperorOfCanada ( 1332175 ) on Tuesday May 06, 2014 @10:14AM (#46929001)
    Of all the problems that my relatives have called upon me to fix on their machines AV might be the number one complaint. They buy a machine from some big box store (against my recommendation) and the AV becomes more and more threatening as to the dire situation their machine is in and how only a subscription to their product will solve the problem.

    Then to make it worse the AV infests the machine like a spreading cancer. The browsers work funny, the startup is longer, the thing periodically pigs out on the internet. But it might be the popups that are the worst. We have all see the public jumbotron/Kiosk with a big AV popup front and center.

    Personally I blame AV bloatware for being one of the downfalls of the PC industry. People were buying their shiny new machines hoping that all their problems would go away and poof their new machine is effectively just as crappy as their old machine with these incomprehensible popups and threats.

    My only happiness in this situation is that the AV products haven't managed to get much traction in the mobile device industry.

    The key thing to keep in mind is that when you buy a basic PC from a manufacturer that they don't make much if any profit from the machine. It is the kickbacks they get from the crap AV, crap game, and crap music services that come as trialware. So if the AV industry has a business model based upon fooling people, kickbacks, and annoying people; then they can't die too soon.

    The horrible thing is that some products like NOD32 were awesome and didn't play those MBA games.
    • by CAIMLAS ( 41445 )

      What do you mean, "were" awesome? NOD32 is still the best game in town. Not sure what you mean by "didn't play those MBA games"...

      • I can't say much about them as I haven't used them in years. My "were" was more my own subjective were. I don't hear much about them but I have never heard anyone in my circle ever complain about them.
      • Sorry for the two replies. But by MBA games I find that many MBA schools teach the wrong half of Game Theory. It seems that most people who leave with an MBA find some metric of success and then beat it to death. Sales are an easy metric and often a good one. But in this case I think that they pushed sales so hard that people began to hate the entire PC experience, let alone the AV experience.

        AVG is a good example. Basically you can instal the free version but if you click on the wrong thing( as probably
    • It's my theory that any OS that is secure enough not to get malware is secure enough to not allow AV software.

      A user shouldn't be able to install software that scans every other file arriving on the computer, and alters or deletes executable files. If they are allowed to, then they will install every item of malware presented to them.

      As illustration I give you iOS. An AV scanner is not technically possible (from anyone other than Apple). 2013 malware threats: zero.
      http://www.forbes.com/sites/go... [forbes.com]

    • I agree completely with the "trial" ware on "new" computers. Personally, I think the first thing to be done when getting such a computer is cleaning out the HD and reinstall the system. That's the only way you can be certain that this pest is gone.

      Aside of that, I can't really agree with the sentiment that antivirus is useless. For most people it does serve a very valuable purpose, if, and only if, it is actually antivirus software and doesn't try to be every- and anything from AV to firewall to content fil

      • I wouldn't say useless but that it has become malware in its own right. A symptom in the past that someone's machine was infested were casino and porn ads relentlessly popping up. Now there are AV ads relentlessly popping up. Even if you have a subscription there are two pop ups. One telling you how smart the software was do detect a cookie or something; and as the end of your subscription comes near the death threats begin.

        Not to mention that some AV software will begin to interfere with the smooth opera
        • Which AV software bugs you with popups that tell you just how cool it is, without the option to simply tell it to STFU? Just so we can avoid it altogether.

  • My fear is that some neophyte will read this and believe he doesn't need an anti-virus application anymore because they don't work. While AV applications are not my favorite thing to spend money on, they do have their place for less-then-savvy users who may be surfing or downloading from areas that may not be safe.

    • by fnj ( 64210 )

      My fear is that some neophyte will read this and believe he doesn't need an anti-virus application anymore because they don't work.

      Funny, my take-away was a little different - that AV is no goddam good for nothing.

  • by argStyopa ( 232550 ) on Tuesday May 06, 2014 @10:28AM (#46929183) Journal

    I wouldn't use a Symantec product if it was an extinguisher and I was on fire.

    Nobody even vaguely familiar with PC support over the last 20 years can possibly fail to be acquainted with what was (is?) the most complicated, agonizing, and laborious process that was removing a Symantec/Norton antivirus "product" from a computer.
    Seriously, with a newer machine, just re-installing the OS was far quicker, easier, and less likely to leave you with later issues.

    As an AV product, it was not terribly successful in most neutral tests I saw.

    If you didn't uninstall it, it was a resource hog, bringing even powerful machines to their proverbial knees when scanning. If you were foolish enough to install the 'suite' of security applications, it would involve literally dozens of services installed obscurely across your system. Removing it was very much like (or worse than) trying to get rid of some of the most tenacious malware I've ever encountered.

    Truly, the 'cure' in this case was nearly worse than the disease. They *owned* the PC security market in the early days...why do you think its competitors have been so widely successful?

    • In Soviet Russia, McAfee sets you on fire!

    • by yuhong ( 1378501 )

      Eventually Norton AV began to take less resources and I think became easier to uninstall, but I am not sure about the detection rate.

  • by Virtucon ( 127420 ) on Tuesday May 06, 2014 @11:08AM (#46929663)

    It's now crapware, sorry but Symantec should now be thoroughly flogged in public for turning a once great, working, AV product into a piece of shit. I can't say much about the other vendors in the AV space, well I can for a few and I don't really trust any of them right now because they all miss shit and have lousy customer support.

    • The worst part is that they ditched the two half-decent products they HAD - PartitionMagic was excellent in its day, and Ghost 2003 was a great tool as well. Symantec discontinued both,leaving Acronis and OSS to eat their lunch in both departments. Alas, the dark side of chasing after subscriptions. ...and, shocker of shockers, they're offering 'cloud storage' now. I'm just waiting for 7-11 to start doing that.

  • by clickclickdrone ( 964164 ) on Tuesday May 06, 2014 @11:23AM (#46929833)
    I suspect the key to the 55% number is the word 'attacks' i.e. not viruses, worms etc but using OS holes and other such exploits.
  • Paradigm Shift. (Score:3, Informative)

    by Anonymous Coward on Tuesday May 06, 2014 @12:23PM (#46930719)

    Malware constitutes the following:
    [Injection Method] + [Exploit] + [Persistence or Self-Removal Configuration] + [Payload]

    You can jumble around solutions to create a virus.

    AV companies have to figure out both signature based and heuristic detection methods as they can't just MD5 and ban files. Malware writers can build files that defy algorithmic description; that self-jumble every time they are copied.

    Most viruses can emulate user activities sufficiently that antivirus cannot stop them.

    E.G. Cryptolocker. Users have rights to use windows cryptographic processes to encrypt files.

    Thus the focus has gone straight to controlling user activities and user data securely. Assume the user is a criminal, what can they do, what can I do to stop them?

    Assume the end user will get hijacked; what can they do? Compartmentalize them and their job so the damage done is minimal. E.G. Publishing every application via Citrix Remote applications and setting the interface with the OS on some of them so you cannot copy specific fields in forms. E.G. Websense.

    Assume multiple end users will get compromised, Log every attack so each attack becomes a one-trick-pony. E.G. Most Firewalls and their monitoring features.

    Assume the end user will take off with their files; encrypt them and setup a system by which the keys are kept locally. E.G. Microsoft RMS or "Next Gen" Firewalls.

    This is a big shift in paradigm for security and for Sarbox organizations where compliance objectives trump everything else. It's also a fantastic way to completely decimate an organization, because you limit the ability of organic growth to fudge over incompetent management.

    For your Ma' and Pa' business, things have stayed business as usual. And really, there's a whole new set of skills and features big enterprises are expecting out of IT that they will not be able to find in the field or in current certification paths.

  • by Karmashock ( 2415832 ) on Tuesday May 06, 2014 @01:21PM (#46931579)

    All antivirus software is ultimately based on the notion of a blacklist. That has failed. Whitelists however... that is lists of known good applications are more reasonable. Yes, they require users to know the difference and not just white list any nonsense. But white lists are much better at dealing with zero day attacks etc.

    This is what anti virus should be... white lists.

  • by DarthVain ( 724186 ) on Tuesday May 06, 2014 @01:39PM (#46931835)

    First off, most of the commercial ones like Norton, are barley better than the viruses they claim to protect you from. Except they are more bloated, you pay for them, and usually come pre-installed on your system if you buy retail. Many of the "free" (usually pay for upgrade) options are actually much better. My two favorite are MSE and Spybot. However even they have limitations now. From experience MOST baddies, are not really the viruses of old, but rather adware of some creed. Anyone who had gotten and removed from some of these can tell you about the painful process of trying to go through the complex process to get rid of some of these insidious things. Having a 2nd computer or smart phone is handy in trying to do this so you can take the affected system offline so it doesn't automatically re-infect itself halfway through the process. In many cases it is just easier to wipe the slate clean and install clean again. AV is going to have a very hard time automating some of those complex processes to remove the agent. Hell a good chunk of the malware you are going to get is likely produced with the specific purpose of selling AV software in the first place. Having some AV is a good idea, but it is only a very small piece of the puzzle. Firewalls are more critical. Even more so than that is being critical about what you run, visit or install on your machine. Knowing if you go to a sketchy site you are running a risk. Have install disks. Have a decent backup. That is the world we live in now. I know what the hell I am doing, but every now and again even I get owned. Many of them aren't really infecting your system, so much as vulnerable software, particularly browsers. The last one I had, was easily removed from the "system", but it continued to completely own Chrome, which you would have to go into and manually change all the settings back, or re-install a clean version of Chrome with default settings.

    So anyway to summarize, it just isn't all that useful anymore, but like anything you can sell it to people who don't know any better.

  • The simple fact is the most basic crypter can defeat 99% of the antivirus that are on the market and the 1% that does catch something that is crypeted just gets lucky. Until the app has spread around enough for the antivirii databases to learn the hash of the file in question, only then it gets flagged and nearly all antivirus programs catch it instantly. This is obviously a download and run scenario not a drive by attack (crypted files). Either way you look at it you can expect to get owned with a clever 0

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...