AV Software Isn't Dead, But It's Not Healthy 162
dasButcher writes "Is a conventional signature-based antivirus technology dead? Trend Micro CEO Eva Chen says no, but more is needed. Her answer: reputational analysis. Not a bad idea, but many have tried and failed to make this type of approach work. We've seen it all before: RBLs, integrity grading, etc. What will make this different? If we're not careful, Trend Micro might give us all a bad Web reputation.
"
AV Software Isn't Dead... (Score:5, Funny)
Re:AV Software Isn't Dead... (Score:4, Funny)
Re: (Score:3, Informative)
...it's just pining for the fjords.
it's not pinin'! it's passed on! This software is no more! It has ceased to be! it's expired and gone to meet 'is maker! it's a stiff! Bereft of life, it rests in peace! If you hadn't nailed it to the perch it'd be pushing up the daisies! its metabolic processes are now history! it's off the twig! it's kicked the bucket, it's shuffled off its mortal coil, run down the curtain and joined the bleedin' choir invisibile!! THIS IS AN EX-SOFTWARE PRODUCT!!
(I love the opportunity to make a Monty Python Referenc
The fewer the merrier (Score:5, Insightful)
I don't remember where, but at some point I read somebody, probably a sys-admin, saying that if you really want security then what you need to do is disable all the things you do not need. Not by default to allow everything and then pick the things you do not want, but go the other way around and make the default to not allow anything and then enable the things you need.
I guess this is one of the reasons I like Gentoo so much, I know everything that is installed on the system and I can remove it if I don't like it.
I don't like to install all kinds of things that I do not know what is and do not know if I can trust. The more things I have installed the more vulnerabilities I also have.
One of my friends once ran a version of Windows XP that he had pretty much scraped everything of that didn't need to be there, I think he was a lot more secure than he would have been had he filled his computer with all kinds of AV and anti-malware programs, some of them seem to be causing more problems than they solve anyhow.
The first 3 rules of computer security. (Score:5, Insightful)
#2. Run only what you absolutely need.
#3. Run it with the minimum rights possible.
The reason that Trend Micro's "new" approach will fail is
a. Vulnerability is found and exploit is written.
b. Exploit needs to be distributed.
c. Exploit is distributed via a quick spam flood - they have no protection against this.
d. Exploit is posted on a web site - how do the bad people drive traffic to that site?
e. They use a compromised site. They hide the exploit in a directory that robots.txt says not to scan. Either Trend Micro violated robots.txt or it cannot find the exploit.
f. So Trend Micro will have to violate robots.txt and that behaviour should be noticeable. So the bad guys would hide that file from something that looks like a webcrawler that doesn't respect robots.txt.
And we're back at the beginning.
Re:The first 3 rules of computer security. (Score:4, Funny)
Hire a bodyguard to stand over your ethernet jack, then chase down and beat interlopers with a nightstick? I like the way you think...
Re: (Score:2)
In particular, outware facing software like mail clients and web browsers and feed-readers should automatically run with minimum rights (no matter what the user's rights) AND be sandboxed or virtualized such that malicious entities and hacks have no where to go.
In addition, any files saved across the boundary are automatically scanned and, if possible, validated. You may not know what some unknown virus signature looks like, but you sure as heck ought to know if an Ex
Re: (Score:2)
Already done, thirty-five years ago [computer.org].
Your assumptions are not 100% correct (Score:2)
a. Vulnerability is found and exploit is written.
b. Exploit needs to be distributed.
c. Exploit is distributed via a quick spam flood - they have no protection against this.
Actually, they do. That's part of why the approach is novel.
d. Exploit is posted on a web site - how do the bad people drive traffic to that site?
e. They use a compromised site. They hide the exploit in a directory that robots.txt says no
Impossible with Windoze (Score:2)
So, how did your friend disable all those things???
Re: (Score:2)
That's "security through obscurity" which has been shown to do more than buy you a (very) small amount of time, then fail catastriphically.
Re: (Score:2)
Re: (Score:3, Informative)
Now you might say we'd run into this problem with any operating system. But when using Microsoft developm
Re:The fewer the merrier (Score:4, Informative)
Re: (Score:2)
In the old days, they used to say, "Never install compilers, because if someone cracks your system, then they can use them to generate rootkits, etc." I still here people spouting that line, but the truth is, if they crack your system, they can bring those things in themselves, withou
Re: (Score:2)
here = hear
puppy = tired
Re: (Score:2)
Anyway guess how many times he had to reinstall windows98 during the last 6 years? 0!
Yes if you do not actually do anything but browse the web with firefox and occasionally run excel and word you will be fine even with the old win9x codebase.
Linux at least does not have this issue due to the nasty registry entries.
Re: (Score:2)
it had Win98 on it when I got it back in 2000, I put Win2000 on it, and later XP once SP1 came out... after installing XP the DVD drive died... I use it for browsing, streaming media from my desktop, car diagnostics on track days, as well a
Re:The fewer the merrier (Score:5, Interesting)
I think you are right in this thinking. Windows XP's services that are enabled by default are ludicrous. That's one of the main security problems with XP. What I don't understand is why someone doesn't just allow the computer to start with absolutely no services enabled, and then gradually ramp up to what the computer actually needs, turning services on only as they are needed.
For instance, shutting down a service might make a certain set of USB gadgets might not work. But when you plug the USB device in, Windows itself (or the OS itself) could recognize that the service is needed for the device to function and automatically enable the service. Depending upon how much this costs it could automatically disable the service again if it isn't being utilized by anything else.
Maybe I'm being naive, but that doesn't seem like too much to ask. On really strange services you could prompt for password information in order to ramp up the ability to use them or something. Makes sense to me.
It seems to me that windows has everything enabled by default to be user friendly. But couldn't you do the same thing using this method? Instead of having a bunch of running services running at idle constantly, turn em on when you need em.
Re: (Score:2)
Re:The fewer the merrier (Score:4, Interesting)
Er...? You've disabled IIS. The OS detects an incoming request on port 80. It enables IIS. Attacker leaves behind malware. IIS goes back down.
Other than that, I like your idea. If, for example, when it detected a service was needed, it popped up a nice dialog box saying something like, "Windows has detected an incoming request on port 80. is currently disabled. Enable? [ ] Don't ask this again. [Yes] [No]". And then, here's an important bit, if no response is detected within 30 seconds, assume "No", and continue. And log this in the system log. Maybe even email it to the user so they see it. (The email wouldn't happen for requests that were marked "Don't ask this again".)
I'm pretty sure a similar concept on Linux could apply - even if there's no user interface, just logging what comes in. In fact, I suspect some people have already set up iptables or ipchains or whatever to do exactly that: log all "intrusion" attempts. With a bit of work, I'm sure that some ports could be emailed (say, by default), with some trivial manner of masking ports (analogous to the "Don't ask this again" from above) to not receive notices about that port anymore. Possibly with netmasks - email me if someone comes in on 443 from 192.168.0.0/255.255.255.0, but not anyone else (ignore https requests from the internet completely).
In fact, I'm pretty sure someone has something like this already ... probably on sourceforge by now ;-)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Windows NT was designed for LANs in which a central authority can control all the computers and ask them for information, so the Local Security
Re: (Score:2, Funny)
But boy is it secure, it cant even spawn a tty.
Re: (Score:2)
Just use a bootable CD and chroot into the system and get whatever fails on you fixed.
If it is a hardware failure then that is something totally different and it should not in the first place be blamed on Gentoo (even though compiling can be tough for the HD)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
How do you know whether to like it or not (from a security perspective, that is)?
Can I be the first to say it? (Score:4, Interesting)
Webutation; The reputation an entity has, stemming from its web presence.
Re: (Score:2)
*looks around*
*runs*
Re: (Score:2)
Re: (Score:2)
I suggest the phrase "online reputation" instead.
I'm esick to ideath of words being made up to describe the same old thing only ONLINE ZOMG!!!1!
Re: (Score:2, Funny)
I'm e-sick to iDeath of WRDZ being webhanced to
JAVA!!!
Re: (Score:2)
Trivial answer! (Score:5, Insightful)
Reutational analysis roblematic (Score:2, Interesting)
Oh the stories I could tell as a former emloyee of this comany. Not only the missing "p" problem; there was the time they used a telephone number as a phishing signature (too bad it was the actual phone number of one of the largest banks in the US--and that all that bank's legitimate email to customers was trashed)--that was one big account they lost the next day. Or what about the time tha
I read it the other way around (Score:3, Informative)
PRoblem is the software is not healthy indeed and can screw up a whole system. ITs like their approach to neutralizing a hammer is to encapsulate the whole thing. Every i/o transaction is read and maybe even virtualized.
Does it stop virii? Hell no. I worked help desk at a gaming company which uses the IE sdk for some code on the logon screen. Anyway it wont load if any viruses or keyboard monitoring programs are installing which use the IE sdk. I get many callers saying "WTF. I have norton. What do you mean my system is infected!?". I then clean the system with some cheesy app that is not an antivirus program.
This is why reliance on AV software is dangerous (Score:5, Informative)
http://slashdot.org/~Alioth/journal/167405 [slashdot.org] - includes a link to a major study of a piece of malware which went undetected by the AV companies for months.
Or just go to http://www.secureworks.com/research/threats/gozi/ [secureworks.com] if you don't want to read my crap.
I've personally witnessed two malware infections where the malware arrived up to a week before the AV companies had updated their definitions.
Re:This is why reliance on AV software is dangerou (Score:2, Interesting)
about 6 and 12 hours before the commercial alternatives got signatures for them (3-4 examples, names left out to protect the guilty).
Of course, this doesn't always happen, but it's still an interesting observation.
Botnet (Score:3, Funny)
So help me if they don't honor robots.txt.
You have to trust something (Score:5, Interesting)
The anonymous nature of the web is what allows things like virus writers to succeed - if they couldn't hide, they wouldn't assume the responsibility for what they're doing (well OK a few nut cases would, but the same is true in real life.) However, forcing unique identities on people opens up a host of other problems, some of them more serious than the ones we have today.
So we must operate in the twilight world of making networks which cannot be successfully attacked by bad actors. There are a wide variety of intermediate solutions, like today's anti-spam techniques, wikipedia's system and even slashdot's own moderation system. But none are perfect and none can be perfect - the problem is not solvable in general. Open source actually helps this in one major way - the community controls that operate in the real world to keep human social systems functional also operate (to some degree) in small scale projects. There the individual traits of interested parties become known over time, and recognition and trust can be built up based on more than just a name or email address. It is not perfectly robust, but then no system to date has been.
Virus problems will continue as long as there are people wanting to write viruses, as they are simply an electronic version of spray painting walls, defacing monuments, or other useless and harmful activities that have persisted since the beginnings of civilization. We must rely on community, the most robust tools we can devise, and (finally) building our own web of trust based on things we have found to work. These issues are fundamental to the human condition and (like all social problems) cannot be resolved by technology. The fact that spam emails can be identified at all, for example, is really just an indication of the lack of skill of spam writers. Likewise, someone really wanting to distribute a virus can just make a freeware program that actually does something real and useful long enough to build a reputation, and then when it is widely distributed trashes every system it is installed on. There are always ways to attack a target, if enough effort is put into the planning. The trick is to be fault tolerent and recover quickly. In specific cases better security can be achieved (classified information, etc.) but for the general case it will always come down to dealing with the consequences of antisocial behavior as it happens.
Re: (Score:3, Interesting)
At a certain point, networking requires trust in order to realise it's potential benefits... We must rely on community, the most robust tools we can devise, and (finally) building our own web of trust based on things we have found to work. These issues are fundamental to the human condition and (like all social problems) cannot be resolved by technology.
I agree with most of your comment, at least in principal. I think one of the most important ways the industry needs to jump if it is going to make the malware problem a minor inconvenience or a rarity, is to build tools to harness the intelligence and trust of others, be they communities, formal organizations, or commercial enterprises.
OS's need to start relying upon the amount of trust given to a piece of software or network service and restricting them appropriately based upon that level of trust. Chan
Re: (Score:2)
Re: (Score:2)
Virus problems will continue as long as there are people wanting to write viruses, as they are simply an electronic version of spray painting walls, defacing monuments, or other useless and harmful activities that have persisted since the beginnings of civilization
A nit-pick with an otherwise interesting comment: very few virus writers are doing it for fame and 1337ness points these days. They're here for the money. Anyone capable of writing an effective virus (and who doesn't mind dealing with full-on criminals) can cash in quite successfully.
Re: (Score:2)
Amusingly, the same an be said for graffiti to some degree. More and more graffiti is corporate sponsored advertisements, from Sony or MS or some hip clothing label.
Re: (Score:2)
Fixed it for you.
Wont work (Score:2, Interesting)
The newly released OfficeScan 8.0 will include endpoint security features that will block access to Web sites that have a reputation as sources for malicious activity.
Considering the fact that the infestation could be due to either a worm infection, or could come about by accessing a webserver that is in actuality a compromised botnet drone, how on earth is such a reputation system supposed to be effective?
Most of your issues will not come from the same sites over and over. The only exception to this is crack and warez sites, but we already have similar reputation systems implemented.
Re: (Score:2)
Re: (Score:2)
Why reputation-based approaches suck big time. All it takes is for a user to get pissed off at your software and mark it down on the list for the ball to get rolling.
Having multiple, competing commercial and free sources for information, preferable with a user definable weighing system, solves that problem. Users who have to deal with incorrect information move to more accurate services, or weigh them more heavily. Capitalist competition can work here, unless MS creates the system, then you will locked in to just their data, which will suck.
Same thing applies to spam. I know people who cannot be bothered to unsubscribe from mailing lists. Instead, they just mark it all as spam, not even caring that they signed up for the stuff in the first place!
This is a usability problem, not an inherent problem with reputation based systems. If it was easier for users to unsubscribe
Reputation does not prevent spread of viruses... (Score:5, Insightful)
Seriously, there is a pretty direct analogy between (digital epidemiology, computer viruses) and (real epidemiology, real germs). If there were a simple answer to the digital problem, it's a good bet that some population or other would have adopted the analogous strategy to the real epidemiology problem.
STDs offer a good analogy for digital viruses with a Trojan-style (no snickers, please) strategy. In both cases sharing of {data|fluids} yields immediate benefit at some risk. In both cases, populations have adopted reputational strategies to avoid spreading/contracting viruses. In neither case do those strategies work.
Even with near-perfect "antivirus software" (the antibiotic penicillin), the old monsters of syphilis and gonorrhea still remain on the planet, and penicillin-resistant strains have even evolved. One problem is that reputations are hard to establish and not necessarily accurate; another is that most humans tend to discount future risks in favor of immediate benefits.
Interestingly, the reason that the traditional venereal diseases are treated with penicillin injections (and not an oral course) is that, statistically, patients are unlikely to finish the oral course -- a properly completed oral course of penicillin is as effective as the traditional three injections. There is perhaps a lesson to be learned there about how effective corporate data-hygiene strategies are likely to be.
Re:Reputation does not prevent spread of viruses.. (Score:2)
As you said, the main issue is the "immediate benefits." whereas it is a nice orgasm, or winning the Nigerian lottery or anything else, lots of people do not know the risks, and lots of people do not care about the risks even if they know them.
Re:Reputation does not prevent spread of viruses.. (Score:2)
Re: (Score:2)
with apologies to Freedy Johnston (Score:3, Funny)
(Sung to the tune of "Bad Reputation", by Freedy Johnston)
I know, I've got a bad reputation:
and it isn't just W32/Delbot.
If I could only keep this damn malware
out of my inbox.
I could have had a normal conversation,
if it wasn't for this firewall.
If it deletes zip files with passwords,
then they're worth fuck-all.
Suddenly, my mail gateway is hosed,
malware is being
installed by the truckload,
keeps breaking down.
Can you help me now? Can you help me now?
With apologies to traditional folk singers: (Score:2)
sammy baby put too many syllables
In the lines of the parody lyrics
And when a reader tried to sing them
All he got was frustrated
Re: (Score:2)
Do some crank, try again, and call me back with your results.
This is Crazy Making! (Score:3, Interesting)
Instead of accommodating Microsoft's severely broken security model, now updated with "are you sure you want to do this?" Just flush that windows partition and install your linux distro of choice, or install linux on the PC and give it away, or get a Mac.
No, sysadmins like me won't be doing this at work anytime soon. Ever since I told family and friends who needed computer support I won't fix windows and gave them the option of buying a mac or switching to Linux, I'm having much more fun on my days off.
The extra benefit is I don't have to discover some of the ummm, unusual, tastes-and-preferences in my friends cache.
Re: (Score:2)
Because with mass installations of Linux distros, we'll still be facing the same problems -- just with a different OS. Don't think that Linux has no holes.
The biggest security advantage wrt viruses etc that Linux has now is small market share. If 90 % of the world used Linux, then I'd bet that *Windows* would be effectively (not inherently) more secure than Linux.
I'm sure that Windows is inherently less secure than Linux --
Re: (Score:2)
Re: (Score:2)
AV will always be necessary, and the more it's discussed, the better - particularly when it needs to adapt to changing malware techniques.
Logical Fallacy (Score:2)
Wrong.
Windows security model and the *nix security model is a false analogy. In no way are they comparable.
Instead of making false analogies, why don't you install a Linux distro and discover all of the benefits of running a sensibly designed, though hardly perfect, OS. Yes, you trade anti-virus subscriptions, anti-spyware software and Microsoft treating you like a criminal with their WGA software for some hardware inc
Re: (Score:2)
As much as Linux's security model is better than Windows', the need for AV will never disappear.
Analogy? Where is there an analogy? There is simply a comparison, which is something completely different.
Do they compare equitably? No, as I state in my OP, which you simply ignored.
Does market share, and therefore targeting of malware affect
Re: (Score:2)
Windows security model and the *nix security model is a false analogy. In no way are they comparable.
True enough. From a technology perspective, the Windows security model is superior in pretty much every measurable way.
However, the important point is this: viruses very rarely exploit holes in either the security model or even bugs in the software. The most prominent vector for virus infection is the end user.
So long as people can run arbitrary software on their computers, the "virus problem" will exi
Re: (Score:2)
Because with mass installations of Linux distros, we'll still be facing the same problems -- just with a different OS. Don't think that Linux has no holes. The biggest security advantage wrt viruses etc that Linux has now is small market share. If 90 % of the world used Linux, then I'd bet that *Windows* would be effectively (not inherently) more secure than Linux.
I think you're dead wrong on all points. Sure Linux benefits from having a small market share, but that is not the main factor. The biggest problem with Windows security is that MS has a monopoly on desktop OS's. As such, MS has no real motivation to respond to and solve users' security problems. When a user's Windows box gets infected, they don't look at other options because every computer in the store is running Windows. If somehow the user finds out about Linux, the chances are they still have to buy
Re: (Score:2)
It would matter a great deal because Linux would adapt to solve the problem by adding layers of security and granularity of security and new services and technologies. Signing, certification services and blacklists, MACLs, active scanning, whatever it takes Linux developers would do it because those developers have a direct financial interest in securing the boxes. MS has no such financial incentive.
Your theory does not align with reality.
(If it did we'd still all be using DOS and Windows 3.1, Windows 95
Re:This is Crazy Making! (Score:5, Funny)
Walking my family through command line installs of libraries and helping them chmod permissions so they can access the files they saved. I love the fact that all my dumbshit realtives are now running Linux, I mean who needs time off on weekends anyways!!! Now when my mom wants to install a new printer, insead of just plugging it in, now we get a 3 hour long session fighting with generic Gimp drivers and it still won't print 100% correctly. And my parents were really stoked that the thousands of dollars they had spent on Windows software was now mostly worthless! Yep, if there is one thing Grandma really loves digging into it's compiling her own Linux kernel - she really just can't get enough of it! All and all I'd say that an OS designed for geeks who really love tinkering with their systems is working out terrific for the average computer illiterate masses...
What? Mod Parent Down. (Score:2)
Walking my family through command line installs of libraries
Your printer remarks are equally suspect.
THOUSANDS of dollars on software for the typical email/browser/occasional document machine? Are you serious? If you are, then it's not my fault they overpaid.
Re: (Score:2)
Right. Because Linux is perfect... (Score:2)
Blaming Windows on security problems cart-blanc seems pretty ridiculous (they get credit, but all the credit?). Especially right before jabbing them for improving it a little (it's annoying, but *as* a systems admin I'm sure you know the security/usability trade-off).
Do you think because Linux distro's do things slightly differently that with mainstream adoption they woul
Re: (Score:2)
The security models are _not_ comparable. At all. Yes, Microsoft is trying to emulate unix-ish security model on the surface, below that the whole Microsoft security objects model is a complicated mess that culminates in "Are you sure you want to do this?"
Blaming Windows on security problems cart-blanc seems pretty ridiculous (they get credit, but all the credit?).
While they are running on 98% of all PC's yes, I give them all the credit.
I ce
Simplifiction.. (Score:2)
You can get all pissy with me if you want. My horizons won't be hurt. I work with what you advocate every day. I just don't particularly care for that unrealistly cavalier atti
Re: Example (Score:2)
If it's so great then why can't I just put an unpatched windows box on the internet with a public IP?
It has always been possible to log on as a safe unprivileged user for normal work.
Now that's just nowhere near the truth. I've got a stack of games that don't work in user mode. Intuit applications don't run in user mode. Furthermore, blaming resellers for Microsoft's design failu
Re: (Score:2)
If it's so great then why can't I just put an unpatched windows box on the internet with a public IP?
For the same reason you can't put an unpatched UNIX machine from ~7 years ago on the internet.
Now that's just nowhere near the truth. I've got a stack of games that don't work in user mode. Intuit applications don't run in user mode. Furthermore, blaming resellers for Microsoft's design failures has no basis in reality.
No software developer has had a remotely justifiable excuse for releasing software th
Re: (Score:2)
Blaming Windows on security problems cart-blanc seems pretty ridiculous...
I disagree. Almost all major or widespread security problems are the result of Windows and their domination of the market and the fact that because of their monopoly they have no financial incentive to fix the problem, while they are the only ones in the position to do so.
...but *as* a systems admin I'm sure you know the security/usability trade-off...
As a person with extensive experience in both usability and security, I call BS on this. The idea that usability and security are inherently opposed is tripe. Security is making sure the computer only does what the user wants and not
So you monopoly is the main problem... (Score:2)
You are probably correct to assume there would be a different response to security if it was in the hands of the larger community. But things can get thorny there too. Q&A (which slows down the release cycle). Project forking. Compatibility. Right now Linux i
Re: (Score:2)
But the problem I have here is the simple fact that *this* is the current reality.
There are avenues for change. One is the courts acting to stop MS and fix the market. Another is MS's monopoly eroding as Linux takes the business world and/or OS X grabs a big chunk of the home user market. We shall see.
You are probably correct to assume there would be a different response to security if it was in the hands of the larger community. But things can get thorny there too. Q&A (which slows down the release cycle). Project forking. Compatibility. Right now Linux is good, but it's hard to know what the mainstreaming (if Linux was ready) of Linux would result in. Dumbing down? Certainly. Some concessions to security for convenience? Likely.
I have a lot of faith in the power of greed. If Linux were in use by everyone, it would fork in a hundred directions and companies would be investing in it in order to get their slice of the money people pay for a computer system and accompanying services. The thing is, all the forks a
Re: (Score:2)
But if we moved into the possibility of Linux taking share, why not flip the coin? What do you think Microsoft would do? Wouldn't
Re: (Score:2)
I disagree. Almost all major or widespread security problems are the result of Windows and their domination of the market and the fact that because of their monopoly they have no financial incentive to fix the problem, while they are the only ones in the position to do so.
Almost all the widespread security problems on Windows can be narrowed down to end users doing the wrong thing.
As a person with extensive experience in both usability and security, I call BS on this. The idea that usability and securit
Re: (Score:2)
AV are Dead (Score:2, Informative)
SiteAdvisor (Score:2, Interesting)
Effort going in the wrong places (Score:3, Interesting)
If all the effort spent on security approaches we know won't work, like looking for known attacks, were spent on approaches that can work, like fixing operating systems and applications so external content runs in jails that work, and developing reliable means for sanitizing content, we'd be much further along.
Think about it. Symantec is a billion dollar company selling a product that barely works. Nobody is spending that kind of money making operating systems more secure.
The problem with all this so-called "virus security" is that it's aimed against bulk attacks that are mostly annoyances. It won't detect focused attacks aimed at a business or government site intended to steal serious money or information.
Military security people are trained to make that distinction. Some effort has to be devoted to chasing off kids throwing rocks over the fence, but they're not a real threat. The real threats are subtle, until it's too late. The commercial computer security industry does not get this at all, and doesn't want to.
yes you're dead on (Score:2)
Re: (Score:2)
Screw AV it's dead end. Take all that time and resource and brainpower and focus on making the OS stronger and hackproof.
There are two items to address with your comment. First, only MS can secure the OS and they have little incentive. Lots of commercial companies have a financial interest in solving the malware problem, but they cannot fix the core of the OS as you propose. To solve this, we need to fix the broken, monopolized desktop OS market.
Second, I don't think AV services are a dead end. Rather, I see subscriptions to information feeds about software, both blacklists and whitelists and more advanced variations there
Re: (Score:2)
And in case no one's been noticing, scheduled batch scans of AV or spyware tools no
Re: (Score:2)
No in terms of a client only solution it's a dead end. Any of you are relying whether you recognize it or not on, a desktop firewall, an AV scanner, a spyware scanner, a local router, an ISP that scans 'something' or maybe a corporate LAN with its own perimeter and/or email protection. The fact that you are not egregiously harmed on any one day is indicative of all the other work and horsepower that goes on behind the scenes.
I agree that it is not the only place efforts should be focused, ideally, but neither is it something we should abandon. In future I still suspect there will be honeypots and honeynets and large scale scans, but the main use of AV type services will be when a client runs an executable. After all, that is the only time it can really do any damage. A quick check of just that executable against the blacklists and whitelists and whitelists with accompanying restrictions, certification, and recommendations. Th
Re: (Score:2)
Imagine that I am a user with the admin password and a pressing need to download and install CometWeatherBonziCursorBuddyBug. Please explain to me how the OS can prevent me from infecting it with the virus and/or trojan that came along with the installer.
I get a lot of spam - and by "a lot", I mean a couple of thousand items a day. A small proportion have viruses attached. Some of these viruses are
Re: (Score:2)
The problem is the whole concept of "admin access". What's needed is more mandatory security. Something like this, which is what NSA calls "mandatory security".
Every file, program, etc. has a "security level" and "security compartments", and "integrity level" and "integrity compartments". Information can only flow into (not out of) a security compartment, upward in security level, and downward in integrity level, unless it's passed through a trusted program that "sanitizes" it.
Browsers should be div
Re: (Score:2)
Screw AV it's dead end. Take all that time and resource and brainpower and focus on making the OS stronger and hackproof. Windows has become a titanium armored soldier with seriously bad heart disease. Making the armor stronger isn't going to help anything in the end.
AV isn't there to stop stuff getting past the armor, it's there to stop stuff that has gotten past the armor. It's an integral (and inescapable, assuming you want computers to remain general-purpose machines) part of a properly configured, l
Re: (Score:3, Insightful)
Think about it. Symantec is a billion dollar company selling a product that barely works. Nobody is spending that kind of money making operating systems more secure.
Now far be it from me to defend the great satan, but to be fair Microsoft have spent a lot more than that on improving security since Bill "got it" and sent his memo back in, what was it, 2003? They still haven't trained themselves to make the right call when it comes to usability vs functionality (see UAC, and so on and on) but Vista is a lot more secure out of the box than XP SP2 - which itself was an improvment over 2000. (Which, admittedly, was worse than NT4 which was worse than 3.51, but that's besid
Re: (Score:2)
Think about it. Symantec is a billion dollar company selling a product that barely works. Nobody is spending that kind of money making operating systems more secure.
Symantec is a billion dollar company spending money to make money. MS has not such motivation to fix their OS since if it is insecure, people have to buy it anyway... it is the only thing in Walmart or K-mart or 90% of all stores.
The real threats are subtle, until it's too late. The commercial computer security industry does not get this at all, and doesn't want to.
The commercial "security" industry has given up Windows as a lost cause. No credible security person who wants a secure server or workstation considers Windows a viable option. There is plenty of work being done on real security, like SELinux based solutions. The problem is yo
Two Words ... (Score:3, Interesting)
We have seen it in firewalls. We have seen it in military-grade physical security. We have seen it in banking. But, why, oh why, do we not see it with malware?
[Analogy warning] About the best analogy I can come up with that describes just exactly how modern anti-[virus, spyware, threat du jour, or just plain "malware"] is this: Enterprises and home users are outsourcing the task of determining the trustworthiness of software applications that reside on their computers. However, they are forcing the outsourcers (the AV companies) to work both backwards and blind. "Blind" in that the outsourcers are not allowed access to see what applications are actually running within the trusted computing environments (or how well those applications play with others (do they run with scissors?)) and "Backwards" in that the outsourcers are not allowed to simply identify trustworthy software applications-- they're forced to identify the good by ruling out everything that is bad. And we all know that "good" and "bad" are in the eyes of the (ahem) beclicker. [End analogy]
What we need instead is a serious set of solutions (and some are starting to crop up, but I won't cite any because I cannot vouch for their quality) that work in the POSITIVE direction, and not the NEGATIVE direction. In other words, we need anti-malware that simply inventories known good applications, comparing all code execution requests against the guest list before letting them get CPU resident. Assuming that code injection techniques (e.g. buffer overruns) can be quelled by other means (microkernels, randomized memory addressing, read only data memory, etc.), then the likelihood of malware infection with a Default-Deny approach (deny all applications except those on the guest-list/inventory) would dramatically approach zero.
The real problem is
And, like many other comments here have already noted, privilege escalation cannot be overlooked. Supposing a default-deny-anti-malware approach exists (and is worth using), if I operate the computer at the same privilege level of the tool itself [regardless of OS], it is possible for malware to disable the controls. And for the clever readers out there, yes, a set of default deny application inventory controls does seem similar to file system level controls--only execution controls further extend the FS permissions to cover the missing gap.
Who cares about behavioral analysis? What behavior I dislike another will certainly like! Who cares about reputational analysis? What you trust, I may not! But, if we all just stop assuming that we can never speak intelligently about the inventory of "good" applications, then we might finally arrive at a solution that ends malware once and for all (well 99.999% anyway, we'd still have to worry about insider-threat
I guess I went over my two words. Apologies
Re: (Score:2)
We have seen it in firewalls. We have seen it in military-grade physical security. We have seen it in banking. But, why, oh why, do we not see it with malware?
Because it invalidates one of the primary reasons for having a computer - its ability to act as a general-purpose device and run arbitrary software at the users demand.
There *are* default-deny configurations out there - Windows has had facilities for whitelisting program execution for years - but the biggest problem with doing that is you *blacklis
Re: (Score:2)
Ahh the good 'ole days
Re: (Score:2)
Re: (Score:2)
AV softwares never been any good, my little sister put Norton on her PC because she had a msn Malware problem. Norton caused more hassle and effort than the stupid bonzi buddy add did. Its been 3 months since then and I still haven't actually managed to uninstall norton. I keep deleting files and it keeps downloading them again. My expearenc
Re: (Score:2)
Trend Micro is a company that makes a variety of mediocre software that is constantly lauded as being superior to all others by ignoramuses who don't keep up with the modern world.
Among these products, unfortunately, is a system built into various Cisco security appliances. It is used to classify software. For example it is certain that various password sniffing utilities are trojans/malware. I was trying to save the IT depart
Re: (Score:2)
Re: (Score:2)