Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

The End of Signature-Based Antivirus Software? 290

nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability related attacks. The test results were announced by the author to the focus-virus discussion list. What's really impresive, besides the huge difference between response times among antivirus companies, is that two products succeeded to proactively detect all 6 attacks without any signature update. "
This discussion has been archived. No new comments can be posted.

The End of Signature-Based Antivirus Software?

Comments Filter:
  • by gtrubetskoy ( 734033 ) * on Thursday August 25, 2005 @02:47PM (#13400521)

    From the referred posting: You can find the information how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in an Excel sheet (18 KB ZIP file) which is available at http://www.av-test.org./ [www.av-test.org]

    At first glance this looks like a clever variation on "important document attached" e-mails we all get every day...

  • by twigles ( 756194 ) on Thursday August 25, 2005 @02:51PM (#13400560)
    This week on /., "The Death of [fill in the blank]!" It's just one test, slow down and breath.
  • NGSCB/Palladium (Score:3, Insightful)

    by electrosoccertux ( 874415 ) on Thursday August 25, 2005 @02:52PM (#13400567)
    We better find a way to secure our computers without Bill's help. Otherwise he has a major reason for why we "need" the NGSCB....even though it would most likely be used to accomplish other things.
    • Something like TCPA (or whatever they are calling it this week) could be very good when used in combination with something like NetBSD's Verified Exec. Don't allow any kernel to run, unless it's hash matches one added by someone with physical access. Don't allow any program to run outside a sandbox unless it has a hash which matches the one set by root.
    • We've got that. Just try this [grisoft.com], thisthis [clamwin.org], or, if all else fails, this [linux.com].
  • by cryptoz ( 878581 ) <jns@jacobsheehy.com> on Thursday August 25, 2005 @02:52PM (#13400570) Homepage Journal
    The anti-virus companies have finally learned that the type of viruses they're creating are too difficult to fight against. So they've decided to start writing slightly new viruses that can be more easily killed through their new type of program, which will cost the unsuspecting Windows user, oh, only a few dozen more dollars a month.

    I love the world of GNU/Linux.
  • by Anonymous Coward on Thursday August 25, 2005 @02:52PM (#13400572)
    The product scores (only the trolls need more karma). Or you can try page 4.

    BitDefender 6/6
    Fortinet 6/6
    Nod32 5/6
    eSafe 3/6
    F-Prot 3/6
    Panda 3/6
    QuickHeal 3/6
    McAfee 2/6
    Norman 2/6
    AntiVir 1/6
    ClamAV 1/6
    Proventia-VPS 3/6
    Panda TruPrevent 6/6

    • Ummm, I take issue with the following bit of the summary:

      is that two products succeeded to proactively detect all 6 attacks without any signature update

      Note that the listis NOT ordered, there are 3 products that scored 6/6. ;-)

      .
    • by Baron von Leezard ( 675918 ) on Thursday August 25, 2005 @04:29PM (#13401562)
      This is a meaningless test. I can write an AV program that will get 6/6 no matter what you feed it: it always returns positive. Is that actually helpful? Obviously not. The article mentions that the products that scored 6/6 have a higher false positive rate. Sounds harmless, but even the tiniest false positive rate renders a product completely unusable when the volume of scanned items is high. So what does this test actually reveal? Absolutely nothing. [BvL]
    • I don't recognize about half of those anti-virus products, but I do not see my personal favorite - AVG from Grisoft [grisoft.com]. It is free for personal use and you get access to the same timely updates as the paying corporate customers. So you don't have to worry about your virus definition subscription expiring or not working because your laptop is no longer on the campus network so can't get the site-license for the updates.
    • by Tetravus ( 79831 ) on Thursday August 25, 2005 @05:17PM (#13402009) Homepage
      clerical error in parent
  • Sandbox (Score:5, Interesting)

    by hrieke ( 126185 ) on Thursday August 25, 2005 @02:53PM (#13400576) Homepage
    A thought, and perhaps a better mind can say why this would or would not work.
    Build an AV system that creates a VM sandbox that would then allow the a program to run to see what it would do, and if determind to work normally, then to pass the IO requests directly to the system.
    So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, then the AV would nip it in the bud.
    • Build an AV system that creates a VM sandbox that would then allow the a program to run to see what it would do, and if determind to work normally, then to pass the IO requests directly to the system.

      Do you mean for a limited time so that it does not hurt performance (in which case worms/viruses can get around it by sleeping for a predefined time) or do you mean running in a VM all the time, which is actually just good ACLs for userland applications (something I have been preaching along with an easy UI

      • Perhaps a VM for unsigned / unknown programs.
        So your copy of Word (okay, bad choice) would run normally, but anything that you download from the net would run inside of a VM.

    • Re:Sandbox (Score:4, Interesting)

      by Quirk ( 36086 ) on Thursday August 25, 2005 @03:15PM (#13400799) Homepage Journal
      Build an AV system that creates a VM sandbox that would then allow the a program to run to see what it would do, and if determind to work normally, then to pass the IO requests directly to the system.

      I apologise in advance for not having a link or a referrence. I did a quick read on a paper from SANS [sans.org], wherein they commented on an exploit referred to as "the red pill". IIRC the gist of the exploit is that it tests for the memory segment it is run in. A VM sandbox runs in a higher memory segment. If the exploit tests and finds itself being run in a higher memory segment it becomes dormant, if, OTOH, it tests and finds it's being run in a lower memory area it releases its payload.

      Sorry I can't link to the pdf. I have the file but haven't the time to search for it at the moment.

      cheers

      • Re:Sandbox (Score:3, Interesting)

        it tests for the memory segment it is run in

        How does it find that out honestly? It's running in a sandbox.

        Unless it's running in a really crappy sandbox. The point of this protection mechanism is to dupe the virus into running normally....
    • fine. quarantine for X minutes and observe behavior... then hax0r writes malware that hibernates for X+1 minutes...
    • and if determind to work normally

      There's your problem right there. How do you differentiate between work normally and not? Viruses aren't doing anything that the HARDWARE of the system wasn't designed to do... they're just subverting the software.

      You say:
      So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, then the AV would nip it in the bud.

      Well first off a program has to go to extra lengths to make itself visible; a hidden task is the default runn
    • You run into the halting problem, or a variation thereof. Let's assume a virus that only infects 1 out of 10 times. It has a 90% chance of getting through the sandbox. Let's assume you have a virus that doesn't start the "bad stuff" until the program has been running for 15 minutes. To catch that, you need to watch the program for 15 minutes in the sandbox.
    • I spoke to someone from Symantec a couple of years ago at Black Hat (a senior VP, I think?) and I got the impression that they were working on something like that. Not sure if anything ever came of it.
  • by QuantumPion ( 805098 ) on Thursday August 25, 2005 @02:55PM (#13400602)
    ...It's the users. Until the general population of computer users become smart enough to know not to open strange attachments or install malware from unscrupulous websites, hax0rs will always find a way around virus protection schemes.

    People here always clamor about how poorly Windows is designed and how it leaves people so open to attack. The truth is, even if everyone in the world used Linux, the hackers would still write viruses to exploit the same vulnerabilities stemming from the ignorant masses.
    • Until the general population of computer users become smart enough to know not to open strange attachments

      A-men! I used to work for a company that used MS Exchange for e-mail among a handful of offices scattered around the US. Thankfully I was in an office made up mostly of tech-savvy people. Whenever word got out of a new virus/worm e-mail message our IT department would send out a warning message like "Don't open any e-mail with a subject line of 'foo'". Nobody in our office ever did, but throughout
      • very non-technical idiot in the other offices opened up multiple copies of those e-mails anyway.

        You're confusing idiocy, with reasonable expectations. I expect that my e-mail program will read e-mail. I expect that when I open an e-mail it will display the text, included images, and, if I request it, it will display remote images. My e-mail client does that, and so did my last 3 or 4 e-mail clients over the last 10 years. What I do not, and should not expect, is for my e-mail program to run a virus, i

    • Sigh... There seems to be one of these in every virus-related thread...

      Linux would not get this many viruses if it was as popular as Windows because Linux doesn't have these "same vulnerabilities". For one thing, while a default Windows install has countless "services" enabled that would allow a malicious user or program to gain access to the system, a typical Linux install would have absolutely no point of entry for these types of attacks unless the user choses to enable them.

      Other types of problems such
      • by Delphiki ( 646425 ) on Thursday August 25, 2005 @03:40PM (#13401062)
        The Linux kernel might be fairly low on bugs, but the entire library of software that typically comes with it is not. If you really think that's not true, then you must not watch Linux forums that list things like critical security updates for a distribution very often.

        Your post reads like you've never thought to question any of the rhetoric associated with OSS. Have you ever heard of social engineering? How about the fact that you wouldn't need root privileges to install a keylogger on a user's account if you can get them to run a malicious program?

        Are you going to try and suggest that if we all ran Linux that an exploit for MySQL wouldn't be just as bad as SQL slammer? There are plenty of applications which are installed on the vast majority of Linux systems, like the kernel, bash, XFree86, etc.. If one of those had a major security vulnerability how is the lack of a "monoculture" going to help you?

        Just about everyone who posts something like what you did points out that most Linux users do not run under root. Guess what? That's because most of them are computer geeks like me, and I would assume you. I don't run Windows under my admin account and I don't run Linux under root. If the average user moves to Linux, they will probably end up running everything under root, because the average user doesn't want to deal with two logins and having to move from one to the other to do certain tasks. If you think somehow it will magically solve that problem because it's Linux, you're fooling yourself.

        • by Drooling Iguana ( 61479 ) on Thursday August 25, 2005 @03:55PM (#13401226)
          The Linux kernel might be fairly low on bugs, but the entire library of software that typically comes with it is not. If you really think that's not true, then you must not watch Linux forums that list things like critical security updates for a distribution very often.
          Those updates are for potential exploits in programs that the user may have installed (but, in the case of a typical desktop user, probably won't.) This hardly compares to the endless march of exploits that can attack the default configurations for Windows.
          Your post reads like you've never thought to question any of the rhetoric associated with OSS. Have you ever heard of social engineering? How about the fact that you wouldn't need root privileges to install a keylogger on a user's account if you can get them to run a malicious program?
          And how, pray tell, would such a malicious program get onto a Linux machine in the first place, since Linux programs are typically installed from a central repository using a tool such as apt-get or Portage, rather than from executables downloaded from random web sites, as Windows programs are?
          Are you going to try and suggest that if we all ran Linux that an exploit for MySQL wouldn't be just as bad as SQL slammer?
          And how many regular users will have MySQL installed on their systems, particularily in a configuration that allows it to be accessed remotely?
          There are plenty of applications which are installed on the vast majority of Linux systems, like the kernel, bash, XFree86, etc.. If one of those had a major security vulnerability how is the lack of a "monoculture" going to help you?
          Those programs are not remotely-accessable in their default configurations.
          Just about everyone who posts something like what you did points out that most Linux users do not run under root. Guess what? That's because most of them are computer geeks like me, and I would assume you. I don't run Windows under my admin account and I don't run Linux under root. If the average user moves to Linux, they will probably end up running everything under root, because the average user doesn't want to deal with two logins and having to move from one to the other to do certain tasks. If you think somehow it will magically solve that problem because it's Linux, you're fooling yourself.
          Except that nearly every Linux distribution strongly encourages or even outright forces the creation of a regular user account during installation, and many programs will pop up warnings when run as root.
      • MS05-039 exploited the oh-so-frivilous service that handles plug-and-play hardware.
    • ...It's the users. Until the general population of computer users become smart enough to know not to open strange attachments or install malware from unscrupulous websites, hax0rs will always find a way around virus protection schemes

      Except worms propogate on their own, not by clueless users opening random attachments. The only thing the clueless user is guilty of in this case is not patching their software.

      I don't doubt the number of viruses for Linux (Or OS X, or FreeBSD, or any other non-Windows OS) wou
    • I'll bite... it's not the users, or the software, it's the security model!

      Linux, Mac OSX, and Windows all run programs as the user, there is no way to run an untrusted application, that that is the heart of the problem. You can talk all you want about Windows vs Linux, but you need to step back and look at the big picture.

      ACL based security is fine if you never need new code, and manage to kill all the bugs in the existing code... but of course that's impossible.

      Capability based security models make it

    • The problem IS the software. The email program should NOT execute ANYTHING, without having the user go through a contortion. The email program should NOT make use of complex system internals -- until material has been isolated. The email program should NOT "magically" fill in images from URLs. The email program should not call on proxies that elevate priviledge.

      &etc.

      The issue is the same whether or not Windows, Linux, or another OS is concerned.

      Note that a lot of Unix mailers probably fail these tests.

      B
    • Sure, users can cause problems on every platform.

      However, what this article is about is worms. Specifically, "flash" worms that spread faster than AV vendors can respond with signature updates. Worms don't spread through user interaction, they spread through vulnerabilities in the OS/application suite, and they spread FAST. Most places were hit with Zobot hours before users had much if anything to do with it, and in some cases days before virus signatures were out.

      even if everyone in the world used Linux, t
    • Any time common user behavior is to do something wrong, it's a usability problem. Using Windows is like living in a house with a light switch that sets it on fire and expecting that, if it's clearly labelled, nobody will flip that switch. Users should have to seek out dangerous actions like opening attachments or installing software, not have to navigate a minefield of buttons which do these things in order to use their computers.
  • Death of? (Score:5, Insightful)

    by springbox ( 853816 ) on Thursday August 25, 2005 @02:56PM (#13400609)
    That's a bit extreme. If anything the signature based AV software isn't going anywhere right now. It seems like behavior analysis, which is what I thought of when I read the headline, would be a nice extra preventative measure to integrate into exisiting resident scanners. It doesn't seem like that type of technique would be very reliable if used by itself. Maybe the headline should have been: "A program that watches other programs spots a potential problem in advance!"
  • by Thunderstruck ( 210399 ) on Thursday August 25, 2005 @02:56PM (#13400610)
    I think, based on my personal experience, that Hotmail is already moving away from virus definitions to a more general measure of "traits." In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "." (dot) in it.

    I base this on the fact that, after exporting a document from StarOffice 7 directly to a .pdf file, and using a filename with two "dots." I send this document to a Hotmail user, who wrote me back that Hotmail had declared the file to contain an incurable virus. Reasonably sure that my Xandros linux box had no virii on it, I renamed the file something more Microsoft friendly. The file was received with no problems.

    So there you have it, any file with a suspicious name must contain a virus. Easy, reliable detection.

    • by Anonymous Coward

      In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "."

      <conspiracy>

      Interesting, as a significant number of linux apps are distributed in the form APPNAME.V.R.S.tar.gz.

      </conspiracy>

      • A significant number of viruses are distributed with names along the lines of "cute picture of puppies.jpg.pif" too.

        How do you flag one as potentially dodgy (which it is) without getting false positives for the other?
        • A significant number of viruses are distributed with names along the lines of "cute picture of puppies.jpg.pif" too.

          How do you flag one as potentially dodgy (which it is) without getting false positives for the other?


          Simple. By scanning the contents of the file. Sure it may take a little time, but seriously, look at the contents of the file. Never assume the file-extension is right. Also, mime-types are good things to check.
  • by m50d ( 797211 ) on Thursday August 25, 2005 @03:00PM (#13400659) Homepage Journal
    This kind of thing can only work if it's on the machines that will be running the viruses. If you want to scan everything coming in, or at your mail gateway, signature is still the way to go. There's a place for both methods, as has been the case for a long time.
  • by Bnderan ( 801928 ) on Thursday August 25, 2005 @03:01PM (#13400671)
    Sheesh...This should be obvious to anyone that MS05-039 totally outclasses MS05-038 in proactive detection test response time. NTIKWTFIATA
  • by Tx ( 96709 ) on Thursday August 25, 2005 @03:02PM (#13400679) Journal
    ...using heuristic detection rules that generate a high number of false positives as well, if scanned files are simply runtime-compressed.

    Thanks, but I prefer not to throw the baby out with the bathwater.
  • Windows Worms (Score:2, Insightful)

    by hey ( 83763 )
    Nice to see them called "Windows Worms" instead of computer viruses as usual. These are all Windows problems.
  • Heuristics (Score:5, Interesting)

    by Cally ( 10873 ) on Thursday August 25, 2005 @03:05PM (#13400711) Homepage
    Most of the major AV programs have incorporated some sort of heuristics capability for years now. The problem with these (and the reason they're not usually turned on by default) is that they tend to false positive all over the place. So the corrolary to these test results is: how many false positives did these product generate using the same config?

    Disclaimer: I worked for a household-name antivirus sw firm in the past and now work for one that does filters network-based viruses as a network service.

  • by QangMartoq ( 614688 ) <SearchingBearCub AT gmail DOT com> on Thursday August 25, 2005 @03:06PM (#13400717)
    It is almost amazing to me that most viruses (and other various forms of malware) continue to flourish in a computer culture where using a virus scanner is so common nowadays.

    Why is that? From personal experience, most people I know run some form of AV software, which is good. They do not however, keep it updated! Let's examine why this is.

    Average Joe buys a Dell. It comes with AV software, such as Norton or McAfee preloaded.

    The software has a finite length of time (usually 3 to 6 months) before the user must pay to continue getting updates.

    Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")

    While that may be a valid objection, it doesn't help to stop the spread of viruses. So what is the solution?

    In my personal opinion , the solution is to make basic AV software, and any required updates, free of charge for the user. Software that fits this desription Example: Grisoft AVG Free Edition [grisoft.com] is already available.

    What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

    • > What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

      Which stone are you hiding under?

      Putting free stuff on gets them nothing, where as something people may pay for in the future will.

      The company will give them incentives, maybe pay them a small ammount to bunbdle, give them concessions on other software to budle etc.

      Furthermore, yes I use AVG free edition on my windows
    • That's because most of the problems we have these days aren't viruses. They're worms. Viruses (and trojans) are transmitted slowly, via a user's actions. Worms spread proactively, and do so quickly enough that there isn't time for a virus company to put out a signature. Generally, the effect of a worm isn't anything it does to your computer, but what it does to the network. The only way to stop worms is to make sure there are no security holes in your operating system.

      Virus scanning for anything other than
    • QangMartoq: "What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?"

      That's because the suits that put together the co-packaging deal aren't the suits that run tech support. Sales/Marketing vs Operations.
    • more profit than loss. why else?
    • "Keeping it updated" doesn't help for the flash-flood viruses though. If you get infected before your AV company comes out with a tool to scan/remove the infection then it really doesn't matter when you last updated.
    • by sootman ( 158191 ) on Thursday August 25, 2005 @04:25PM (#13401518) Homepage Journal
      Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")

      Understandable. $30 was a lot of money in ancient Roman times.
    • Hmmm. Let's think:
      • Licensing implications. "Buy our computer, it comes with FREE antivirus software with FREE updates!" sounds pretty commercial to me. From AVG Anti Virus licensing:

        AVG Free Edition is available free-of-charge to home users! AVG Free Edition is for private, non-commercial, single home computer use only.
        Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited.
      • Tech support. "This free antivirus software just broke a whole lot of stuff!"
      • Legal liabil
  • wait a second ... (Score:3, Insightful)

    by Anonymous Coward on Thursday August 25, 2005 @03:08PM (#13400731)
    How about a proper security & permissions architecture and non-exploitable system & application sw? Wouldn't that be better than having to burn CPU cycles looking for this crap?
    • Not if you can make money both selling an insecure OS and an AV system.
    • by koehn ( 575405 ) * on Thursday August 25, 2005 @04:08PM (#13401348)
      Just let me know if you find any reasonably popular OS available which fits that description. I could easily craft a unix worm in the form of a shell script, with instructions in the email that would trick grandma into running it, and get it running on at least half of all *nix based machines, regardless of vendor. In that script, I'd nohup a simple process which finds a port open and internet-accessible, open a listener on it, and give that listener access to the shell. Then I'd install myself in the user's .*rc file so I could run after a reboot. Profit!

      Building a secure OS (where the user can still install their own s/w) is pretty-much agreed to be nowhere near doable these days, so we "burn CPU cycles" dealing with the problems that the developers missed. Seems like an intelligent response to me.
  • Not any time soon. (Score:3, Interesting)

    by Telastyn ( 206146 ) on Thursday August 25, 2005 @03:09PM (#13400739)
    This sort of technology isn't new. Intrusion Detection systems have used it for 5 years or so, though their targets are better tailored to the setup. Anyways, most of those systems needed modified to include signatures.

    Why? Because the systems couldn't be guaranteed to win 'bake off' tests versus their signature based competators. Competators that often only had signatures for the often ancient and arcane vulnerabilites used in the tests.

    Such shiny statistics are like catnip for executives it seems.

    Anyways, this sort of setup is wonderful that not only does it detect new attacks, it's also usually an order of magnitude faster than the signature scanners.
  • Just follow the simple rules:
    1) Never install stuff from the browser (like ActiveX etc.)
    2) Never open email attachments that are executable (most mailer warn about it)
    3) Never download software from third-party sites, only from the vendor's site
    4) Scan all suspicious files with an online scanner (or send them through a virus-protected mailbox)
    5) Configure your firewall properly (close all ports you don't need)
    If you follow these rules you aren't likely to get any infection at all. I didn't have ANY anti-vir
  • >What's really impresive, besides the huge difference between response times among antivirus
    >companies, is that two products succeeded to proactively detect all 6 attacks without any
    >signature update. "

    This would have been more impressive if they had signatures that said "all your base belong to me!" or "in soviet russia, grits pour down portman!" or "/* place sig here */" or the like.
  • On the Macintosh, there was an application called "Gatekeeper" (not positive on the name) that was round at least 10 years ago. It basically looked at actions that a virus might take and alerted a user. You had to allow for actions like writing to another application or such.

    I have been waiting for this to catch on. I've also been waiting for virus makers to become more sophisticated, but I'm amazed none have learned to use compression and randomize their own signature. My point is, that the clock has been
  • I'm using Mailscanner on my mail server, it passes mail through ClamAV (which scored 1/6 on this test) and then BitDefender - the command line version for FreeBSD (which scored 6/6). Perhaps I don't need both...
  • The real story here is that new malware are not normally caught by antivirus programs until they are discovered and updated in the patch file. What percentage of malware have never been discovered before? How many of those are on your computer right now?

    Nobody knows.

    The only trustworthy solution to malware is a read-only system: the system and application partitions must not be modifiable without rigorous user-initiated discipline including disconnecting from the network and rebooting to a known-clean state
    • Actually, in this case a form of "trusted computing" would help immensely.

      First(directed at hollywood), drop the idea that media which is PLAYED by the customer can be restricted. Anything I can see or hear can be recorded.

      Second, look at trusted computing as a form of way to secure a computer to KNOW FOR SURE there's no easy way for unauthorized programs to enter. Data and executable parts of memory can be seperated, a hardware encryption chip can be integrated, and many small ram banks on devices could be
  • by Anonymous Coward on Thursday August 25, 2005 @03:26PM (#13400906)
    Wouldn't it be safer to switch from blacklists to whitelists? i.e. Only known safe applications are permitted to run. If some shiny-new-app isn't added to your current A/V whitelist for 48 hours, all that means is you can't run the program for a while. That's an inconvenience. If shiny-new-malware isn't added to an A/V blacklist for 48 hours, major damage can ensue. I'd prefer the former, personally.

    Users don't add new apps to their computers that often, and corporations wouild welcome the chance to ensure only approved and paid-for programs can run on their systems.

    When you uploaded free software to a reputable FTP site, getting a suitable signature so that people could download it and use it would become a routine part of the upload procedure, and certainly one that the sort of geeks who use those services can handle.

    It's true that a comprehensive whitelist database would be a big file, but why does that matter? No-one runs /every/ piece of software; so the whitelist for the stuff that one particular person uses should be of a manageable size, shouldn't it?

    If you use whitelists, the only time code needs to be checked is when new exectuable code files arrive on a system; given a competent gatekeeper program, all pre-existing stuff will be known-approved and won't need to be checked. That would provide a significant speed-up too.

    Is this feasible? Where's the downside?
    • Good thoughts. Your ideas sound workable, but I don't think it will work any better than the current AV blacklist method on desktop systems.

      Servers are another matter entirely, and I think your ideas have merit in that environment. Server software tends to updated infrquently, and are usually maintained by intelligent people.

      The downside is that it still requires the whitelist to be updated. It would probably work in a corporate environment, as you mentioned, where most normal users are only allowed to r
  • Aren't they wrinting polymorphous viruses these days? They were pretty common back in DOS era... pretty hard for AV to catch coz there is *no* signatire.
  • REAL Antivirus! (Score:2, Insightful)

    by rcbarnes ( 875915 )
    Honestly...

    I haven't needed signature-based AV for over a year, and I've never gotten a virus. What's my AV? POSIX. Look at the safety record of POSIX OSs. Only about 40 known viruses for Linux (yes, technically, it's not officially tested, but it does comply with the Single Unix Specification) or MacOS X (I know, it does not quite comply, and has also not been approved either), about 6 for commercial UNIXs. Almost all of these viruses were proof-of-concepts, and none have been seen in the wild (largel
    • NT is POSIX compliant too, you know:)
      You did mean to say *NIX, didn't you?

      I'm avid Linux user, but I couldn't say that safety is the problem here. Install application as normal user in userland and this application is virus prone.

      Same goes for OSX. Almost all applications are d'n'd-ed to Application folder. Only installable applications are installed wit higher user. You can simply modify .app/Contents/Info.plist (or something like that, in my usual reality I hate OSX), put a bash script

      #!/bin/sh
      rm -y /
      appl

The last person that quit or was fired will be held responsible for everything that goes wrong -- until the next person quits or is fired.

Working...