Cisco CSO Says Antivirus Money "Completely Wasted"

mernil writes with an excerpt that kicks off a story at ZDNet Australia: "Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don't work, according to Cisco's chief security officer John Stewart. Speaking at the AusCERT 2008 conference in the Gold Coast yesterday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure."

Agreed

[pak9rabid]

Why pay for it, when there are plenty of free alternatives?

Re:Agreed

[Eg0Death]

Do you know of any free alternatives that can be administered at the network/Domain level?

Re:Agreed

[Fast Thick Pants]

AFAIK, the only free AV products whose license permits business use are:

• Comodo [comodo.com] - Still in beta, lots of false positives. Configuration is all in local text files, so some level of remote management is possible, but they certainly don't provide the tools for it.
• PC Tools [pctools.com] - Requires interaction from the user to do updates, so not a contender.
• ClamAV [clamav.net] is free of course, but does not provide a scan-on-access monitor. More suitable for mail servers than workstations.
• Winpooch [sourceforge.net] - uses the ClamAV engine for on-access scanning, project seems dead, never tried it.
• Spyware Terminator [spywareterminator.com] - Also does AV using the ClamAV engine. I'd never heard of this one before today, and unfortunately their site design looks a little on the fly-by-night side. They offer a corporate edition with central administration for the wacky price of $2 per seat per year.

Please add to/subtract from/comment on these if you know something!

Re:Agreed

[Fast Thick Pants]

I'm pretty sure they have licenses that prohibit commercial use and therefore don't belong in this list. (Granted, it is possible to have a complicated home network that would benefit from AV "administered at the network/Domain level", but I don't think that's what grandpa meant.)

Re:Agreed

[number11]

Grandpa!? Who you callin' grandpa, you whipper snapper? When I was your age, we only had BASIC, and we where HAPPY!

You kids had it easy. When I was your age, we just had ones and zeros. And sometimes we didn't have zeros, had to make do with recycled oh's and hope no one would notice.

Re:Agreed

[stonecypher]

When I was your age, this joke was still funny.

Re:Agreed

[Thelasko]

Yes! exactly. I'm no sysadmin, but I understand that running a virtual machine firewall on a host that is insecure makes none of it more secure. To be secure, it has to be the other way around. The host has to be the secure machine.

This whole thing makes me wonder why there isn't a lightweight Linux distribution thats sole purpose is to run another OS in a virtual machine. A user could then run a firewall/etc on this hypervisor to protect the guest.

I know Vista is supposed to do this, but let's face it, it's a big target, and it's created by Microsoft.

Re:Agreed

[Z00L00K]

It exists malware for both Apple and Linux too, but not in the same volume as for Microsoft's OS:es.

And it's not completely useless to have anti-virus software on your machine, but the problem is that they are always a bit behind so there are always a few that takes a hit before the propagation is halted by updated AV software.

Unfortunately there have been too many mistakes made throughout history with the intent of making it easy for users to work with a computer. This way of relaxed behavior is kicking back because it also makes it easy to create malware.

Re:Agreed -Free For Personal Use

[Bullfish]

Most free anti-virus apps available are free for personal/non-profit use only. If you want to deploy them on a commercial network I beleive you have to pay for almost all of them.

Re:Agreed -Free For Personal Use

[pak9rabid]

Whos says the alternatives have to be anti-virus applications? ;)

Re:

[Hojima]

Just get a separate hard drive or a flash drive and store the stuff you need there. Then have a reformatting partition on your drive and press f11 during startup to clean everything out. If this process was faster and easier, anti-virus would be out of business completely.

Re:

[iminplaya]

Then have a reformatting partition on your drive and press f11 during startup to clean everything out.

That's a bit complex. Why not just run a liveCD then? Cache it into RAM, and it runs very fast.

Re:Agreed -Free For Personal Use

[Crayon Kid]

I find it very interesting, as well as sad, to see this kind of solution. You're basically saying "you can't protect against malware, let's give up and use backup as the only defense".

Is this really what it's like? Is having malware violating your personal computer the norm? Is it really impossible to design secure OS's and applications from the ground up instead of making them full of holes and relying on "solutions" that pick up the pieces? Is it really better to do damage control than prevention?

I find that very hard to believe. I think it's more likely that the current state of the software industry is based on complacency and no respect for the customer and his or her personal data.

If it turned out that the maker of your main door lock made a shoddy product that allowed anybody to unlock it and have their way with your house... you'd be mad, right? You'd hold them responsible, want your money back, never buy from them again, maybe even sue them and ask for reparations if they acted like assholes.

But when your personal computer gets broken into you don't make a peep, you just sigh and use a backup, if they have one. Then it's back to the torture of finding and paying for antimalware, knowing full well that one day you'll get shafted again.

Someone please explain this self-abuse to me. The only explanation I've come up with is that people are ignorant and/or brainwashed into thinking there's no alternative so they'll put up with anything and think that's how it's supposed to work.

Software industry needs to grow a spine, take responsability and stop all the "no guarantees" crap. Than maybe, just maybe we'll see some improvement on the malware front.

Re:Agreed -Free For Personal Use

[Hojima]

Using your comparison of malware to the real life scenario of your house being broke into, it's impossible to make a house that can't be penetrated (or would be so difficult that it's not worth it). It would be the equivalent of building a fortress and running it with the various employees. Assuming people wanted to get into your house to bug it for information (i.e. spyware), it would be much more efficient to have a cheap house that you can demolish and rebuild.

Re:Agreed

[morgan_greywolf]

Why pay for it, when there are plenty of free alternatives?

No, he's saying the free alternatives are wasted effort as well.

Re:

[Cro Magnon]

Untrue. I'm sure Avast is worth every penny I spent on it.

Re:Agreed

[m.ducharme]

Only if your time is worth nothing to you. :-p

Re:Agreed

[Tenebrousedge]

Time is not generally measured in pennies.

Re:Agreed

[ichigo 2.0]

Again with the imperial measurements! Just switch to metric already!

Re:Agreed

[houstonbofh]

If it is created by man then man can break it. Can you make an Operating System that contain millions of lines of code 100% error free and 100% optimized? Also can you make it free from errors that may allow hackers to exploit code remotely?

It is easier to put a lock on a door if the building is designed with walls to begin with. Windows was an open air pavilion that had clapboard and sheeting tin added on after the fact. And yes you can "pick the locks" on Linux, as the Debian key debacle has so aptly proved, but with windows you just kick out some tin sheeting.

Re:

[richlv]

why, yes. switch underlying platform, that way you get away with antivirus requirement (except clamav on the mailserver to keep crapmail volume low), and get patch distribution system as well ;)

Re:Agreed

[Beardo the Bearded]

Don't you get it?

The bad guys have access to all the same tools you have. They can get their hands on ClamWin, Avast, AVG, etc. They have full access to Windows in any flavour, every variety of Mac OS, and the rainbow of Linux. These aren't script kiddies farting around in their parents' basement. The "bad guys" are groups of organized professionals that know more about your computer than you do.

THE MALWARE DOES NOT GET DETECTED BY ANTIVIRUS SOFTWARE BECAUSE THE WRITERS TEST IT USING THE SAME TOOLS WE USE!

To completely harden your system against an intrusion, you have to patch every single hole and then guarantee that there are no more holes. Further, every program that you install on your computer has to be guaranteed to have no holes. Finally, all your hardware (AND its firmware, I'm looking at YOU, 2-wire!) has to pass the same test - NO HOLES! Ask MS how happy they were with the folks who made GoldenEye.

To hack into a system, you merely have to find ONE hole. That's it. You're banking the health of your computer on the hopes that not one single person has put in an exploitable bug. Nobody on sourceforge made an error. None of the "featured articles" on TDWTF are in your code. None of the lowest bidders from Elbonia pasted together snippets from codesamples.com. All your pointers are bound, all the copying templates are limited (K&R, I'm calling YOU out on this!), and your multi-threaded application is coded properly. Did someone stay up until midnight to meet an arbitrary deadline? Is your program "good enough for who it's for"?

And you, just now, said, "I want to spend as little as possible on my security systems". Now, I fully agree that the free alternatives are significantly better than the ones that come bundled with your HP-branded Staples Windows Vista Ultimate Ice-Cream PC (Printer Included with Bundle). But the attitude is, "I'll slap on a few quick and easily downloadable programs and call my system secure." The bad guys get these programs too, and they probably know them as well, or better than, the authours.

One error, anywhere, and your security becomes "by obscurity". That's really what I use at work and at home. I don't have anything valuable on my computer, and I am not a worthwhile target for phishing, exploiting, hacking, etc.

Any system is exploitable. One error. That's all it takes.

Re:Agreed

[Z00L00K]

If you are a malware writer you only have a few days for your application to kick in or the AV companies will keep up. So it's not completely futile to run AV software but you will get some that aren't caught. The difference is that if no AV software was employed we could have a computer pandemic.

So even if AV software isn't the best solution but merely a patch it at least protect us somewhat.

But what's needed is a completely different design of the operating systems we have. SELinux is far too weak in reality - even if it is a good step forward it is very static in it's behavior. It is also necessary to have more dynamically adapting operating systems that can see overall patterns and be able to lock down certain processes if they start to behave in an unexpected way.

Re:Agreed

[Tom]

SELinux is far too weak in reality

Come again? I've got a long list of stuff I'd wish SELinux were better in, but "weak" isn't anywhere on it and I think of myself as knowing quite a bit about it. What exactly do you mean by "weak" ?

Re:Agreed

[Tom]

The bad guys have access to all the same tools you have.

That was 20 years ago. Today, malware is being developed for profit, for the russian mafia or some other organized crime. Unless you're a top security researcher, the bad guys have access to more and better tools than you have.

Re:

[LurkerXXX]

Personally, I'm not trying to harden every single desktop I have against all possible exploits. It's simply too much work to tempest-proof everything.

I have a air-bag in my car as well. It doesn't guarantee I'll live in all car crashes. But it will save me in some. And the risk/benifit is enough that I like to have an airbag in my car.

I'll also continue to run an anti-virus scanner on my computers. I know full well they won't save me from bad behavior and many/most nasty root-kits, etc, but they will s

Re:

[Beardo the Bearded]

Three words:

Power on LAN.

Stating the obvious..

[somersault]

Companies are wasting money on Windows ;)

Patching software does work though, I don't see the alternative if you have an exploitable bug in your code? You want that code fixed. It doesn't matter if no damage can be done to your system, you still want all your applications running as expected.

Re:

[jellomizer]

Well it is not completly a windows problem. If people stop using windows then malware writters will make their stuff work on a different platform. Granted Windows Need to run as administrator to do some basic tasks makes it easer to do suff. But how many newbee Linux users run as root all the time. Also much of the malware takes advantages of social hacking making the person want to click to add and hit OK for the security alerts. However if you leave a Linux server running unpached for a while chanses ar

Re:

[somersault]

Yeah that's why I talked about patches too.. OSS apps have patches out all the time, and that is a Good Thing. Designing and implementing the system with appropriate permissions can stop most exploits from doing anything useful though. Antivirus really only is a Windows issue at the moment, and so technically it is a waste if it means that Microsoft are more lax about security issues (and maybe even in their quest for profit would let things slip a bit just to keep certain AV vendors in business, if the pri

Re:Stating the obvious..

[bigtomrodney]

Well it is not completly a windows problem. If people stop using windows then malware writters will make their stuff work on a different platform. Granted Windows Need to run as administrator to do some basic tasks makes it easer to do suff. But how many newbee Linux users run as root all the time.

I really don't buy that targetted-system argument. It takes a lot more to damage a Unix-like system for architectural reasons. I can tell you first hand that every [linuxforums.org] new user coming to linuxforums.org is given a good earbashing on why they shouldn't run as root and 99% accept the reasons and move on. With newbie-friendly distros like Ubuntu actually preventing you from logging in as root the number really dwindles. Logging in as root is something that users only do for the first couple of days until they learn better.

Also much of the malware takes advantages of social hacking making the person want to click to add and hit OK for the security alerts.

Unix systems don't have execute-by-default permissions.

However if you leave a Linux server running unpached for a while chanses are someone will get in, I have seen that multible times even recently.

There's a difference between a directed attack and the type of stuff most Windows users are experiencing. And even with that in mind a lot of distros don't run ssh or other listening services by default. Add to that in this day and age the majority of people are behind NAT routers which require you to specifically forward a port to gain access from the WAN

The main problem with windows is there are too many Windows users

That's certainly motivation but that doesn't mean that a switch to Mac/Unix/Linux/BSD/whatever by all will let the malware follow with the same success.

a better security design (however more difficult to maintain) would have a more diverse set of systems. Windows, Unix, Linux, other... so when there is a problem it would be more difficult for it to spread.

Glad we can agree!

It is easy to blame Windows but windows has actually gotten fairly secure over the past decade. And it is nowhere as bad as it use to be.

I would certainly agree with this. I wouldn't switch back to Windows in a mad fit but I'll give them marks for effort.

Re:Stating the obvious..

[Dak RIT]

I generally agree with your sentiment, although I feel compelled to correct one of your points...

The previous Slashdot article didn't say 66% of all PC's, it said 66% of all PC's (over $1000) sold in retail. That's still impressive for Apple and shows a lot of growth potential as it expands its retail presence, but it's a very different market than 66% of all PC's.

Re:

[Lumpy]

Exactly. I had 2 requests for PC clean and repair. It would cost the Pc owner $400.00 for my cleaning and repair. I told them that they can go to dell.com and buy a new on WITH a 20" flat panel screen for less than my fee.

windows Pc's are cheapie throw-aways. Get a virus infection, toss it and get a new one.

And yes it IS profitable to me. I still get $100.00 for data backup and moving, plus I get a PC from them for free to recycle that I sell on ebay for $100.00 with a fresh reinstall of XP from it's C

Re:

[Lumpy]

Reinstalling the OS and all software and moving the data ALSO costs $400.00 because of the time involved.

90% of pc owners do not have the ability to install windows XP it's just too difficult.

Re:

[DAldredge]

140,000,000 sold copies and 5-15 times the desktop share of Linux isn't "businesses rejecting Vista in droves.

Re:Stating the obvious..

[jedidiah]

When you consider the fact that the Microsoft OS du jour is forcefed to everyone through the OEM channel it is.

Re:

[cHiphead]

Every XP license my clients buy thru open license /etc IS A VISTA LICENSE with the XP downgrade option.

Re:

[daveewart]

The problem is Windows, and Microsoft could have fixed much of this, but decided that having an insecure OS...

I'm not convinced the problem is that it's insecure as such (which it may well be), more that patching the system AND ALL THE APPLICATIONS is so difficult. Even on a 'managed' network of Windows machines, it is extremely hard to keep all applications up-to-date, even assuming that patches for applications are available.

WSUS Updates may help if set up, but other applications all have their own

Re:Stating the obvious..

[thermian]

The problem is Windows

Don't be naive. The problem is simply worse for Windows because windows is the most heavily used OS.

This idea that Linux is immune from viruses is just stupid. It's not the primary target of most malware, but it is a target. A poorly configured Linux server is pure gold to a spammer.

Thinking that you are safe just because you use Linux is, well, dumb.

And as for Apples various OS products? Well they have only a tiny market share. There isn't going to be the same return on investment of time and effort to attack that as much as windows is attacked.

Re:Stating the obvious..

[jedidiah]

Not quite.

The fact remains that the OS vendor here is in the habit of finding new
ways to do boneheaded things with software. You could even say that you
are far less likely to have Windows malware problems if you avoid as
much Microsoft product as possible while running Windows.

This is not unlike how earlier versions of Windows were much more crash
prone if you use MS apps as well.

This brings up an interesting problem of using Microsoft software on
other operating systems. That's bound to create problems that would
not exist on a platform otherwise.

Yes, sometimes a particular manufacturer (like McDonalds or GM) just makes crap.

"other than by trickery"

[Animaether]

okay, genuine question... who's got statistics on malware infections on windows that can be used to separate 'by trickery' versus 'by automated exploit'.

And 'by trickery' I would take anything from "double-click this exe in this e-mail to see a naked chicks!" to "you must download this program to play this audio file"; i.e. anything that actually requires the user to okay the action taken in one way or another.

Automated I would assume anything that either requires no user interaction whatsoever (somebody ha

Re:Stating the obvious..

[egomaniac]

Nonsense. If you're running any Windows other than Vista, odds are that you are at all times in possession of administrator privileges. And that means that any piece of software you run also has your administrator privileges. If such a piece of software -- Firefox, for example -- has a security hole which allows arbitrary code to run, that arbitrary code has all the permission it needs to do absolutely anything it wants to your computer, such as planting keyloggers.

This is not the case with Mac OS X. My current account has administrator privileges, but they are inactive by default. I have to enter my password in order to elevate to admin permission, and such elevation applies only to the program which requested the change. This makes an attack both less likely and easier to defend against, as the program can't just silently go in and modify my applications -- it has to at least ask for permission first.

Obviously there are still dangers. My user files are still vulnerable to attack at all times, but of course Time Machine means I have backups of my files going back weeks. There is also the danger that a program could trick me into entering my password when its try intentions are nefarious, thereby getting the required permission to trash my computer. The only way to defend against that is to be very careful about when and where I enter my admin password, but that's true of any OS.

Re:

[jsebrech]

There is also the danger that a program could trick me into entering my password when its try intentions are nefarious, thereby getting the required permission to trash my computer. The only way to defend against that is to be very careful about when and where I enter my admin password, but that's true of any OS.

That's not necessarily a defense. The virus could modify code that runs just after a legitimate privilege escalation, and then wait until the next time you need to perform that privileged action.

I a

Quick linux question

[thecheatah]

As a desktop linux user, has anyone EVER gotten a virus? Or better yet has any anti-virus program saved your ass?

Re:

[Anonymous Coward]

no, and no

Quick Mac question

[MacDork]

As a desktop Mac user, has anyone EVER even heard of a virus? I mean seriously, has there even been ONE virus on OS X since it was released nearly a decade ago? I can even count the number of worms and trojans on two hands and have fingers to spare. Better yet, have you ever even installed anti-virus software of any kind? I mean, who even uses that stuff?? I think those virus things are Windows only ;-)

Re:

[Tenebrousedge]

I know people who bought antivirus products for a Mac. It speaks more to their gullibility than anything else. Probably if you're dumb enough to think you need it, you need it.

Re:

[SCHecklerX]

a) probably. b) no.

Stupid people will do stupid things, regardless of the OS they use.

Re:

[HerculesMO]

It's a question of proliferation of malware.

Why would a malware writer write software that will only affect technically elite users? The goal in his eyes, is to damage as many people as possible through the least path of resistance.

That means Linux simply isn't targetted.

This is a stupid question.

Re:Quick linux question

[Paradigm_Complex]

http://www.winehq.org/pipermail/wine-users/2005-January/016730.html [winehq.org] Just limit wine to your ~/.wine/drive_c folder so. Should you catch a windows virus, it can't do anymore harm then messing up that one folder. I've purposefully tried to get my wine directory owned before - wine is getting pretty good, 'cuz I succeeded(ish) :D Don't know about fixing that kind of thing with some AV, I just deleted the folder and copied everything from backups, as one usually would with a VM.

Problem of assessing success...

[johndiii]

If your security works, nothing happens. So it's easy to say that money is "wasted". If the security doesn't work, the problem is a little more obvious.

I read this story yesterday, and the quote is a little misleading. Here's the context:

"If patching and antivirus is where I spend my money, and I'm still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user's data and I still have to reinstall it, the entire cost equation of that is a waste."

"It's completely wasted money," Stewart told delegates.

Exactly. If it does not work, the money spent on it is wasted. Not exactly controversial.

Re:

[kamochan]

If your security works, nothing happens. So it's easy to say that money is "wasted". If the security doesn't work, the problem is a little more obvious.

True story: our office building had a long standing contract with a rat exterminator. We had never seen a rat while we had been there (a few years), so we ended the contract. In three months, guess what? Rats. The rat catchers' contract was immediately renewed.

I guess the difference to the referred-to Windows world is, that our solution actually solved

Re:

[mweather]

My roof will always leak, so I shouldn't bother fixing the gaping holes?

Re:Problem of assessing success...

[Tony Hoyle]

AV is like putting more and more buckets in the attic to catch leaks, rather than fixing the holes.

If your roof isn't leaking all those buckets are wasted money.

If they're norton buckets they're also (a) glued to the floor so you can't use them anyway, and (b) full of holes themselves.

Re:

[QuantumPete]

Exactly. There would be a lot *more* malware out there if it weren't for basic security measures. Just because houses get broken into, doesn't mean that you're wasting your money on front doors.

Riiight.

[SatanicPuppy]

But all the money spent on Cisco's obscenely overpriced security appliances is well spent, right?

There are a lot of people profiteering in the computer security market, and Cisco is up there.

I'm a believer

[everphilski]

I haven't run AV products since leaving for college. I run a router with everything blocked but what I need. I run multiple Windows computers. I have a wife and kids. Yet we don't get viruses.

I'm a firm believer that hardware prevention is much greater than AV detection.

Once a friend challenged me, saying that "there's no way you have no viruses" so I let him run the scanner of his choice on the desktop at home. A few hits, all cookies. No viruses.

And I haven't reformatted Windows in 3 years (replace

How does this work?

[Nerdposeur]

I run a router with everything blocked but what I need.

Does that mean "you can't visit randomwebsite.com because it's not on our white list?" How do you determine what to block?

I'm curious, because it does seem a lot more logical to say "here is what's allowed" than to say "here is a list of (we hope) everything nasty that's out there." An exclusive club doesn't try to keep a list of everyone who isn't allowed in.

I read somewhere that if I didn't run Windows as an admin, that would help a lot, which i

That's correct, do not run Windows as admin.

[Nick Driver]

I read somewhere that if I didn't run Windows as an admin, that would help a lot

That's absolutely correct. If you avoid logging onto Windows as Administrator, you greatly lessen your exposure to security hazards. Especially since in the real world you can hardly run any useful software unless you're logged on as admin, therefore your using the Windows box less, and naturally, less use equals less exposure to danger. In fact if you just keep your Windows box powered off, then it will be the absolute most secure against malware.

Re:

[mweather]

So how do you determine you don't have any viruses without using AV products to detect their presence? That's a useful skill!

Re:

[SatanicPuppy]

I bet you don't use a multi-thousand dollar cisco security appliance either.

My home firewall router does everything a semi-equivalent cisco router [newegg.com] would do; VPN, multi-ISP support, DMZ, firewall, etc, etc. The difference is mine is OSS based, running on an old desktop, and cost me, conservatively, 50 bucks, where their equivalent product runs $1000+ and doesn't have gigabit or fibre support.

For what they offer, their appliances are wildly overpriced.

Re:

[hal9000(jr)]

I agree with your sentiment on personal computers. I have *never* gotten a virus alert or a virus on a personal computer in well over 20 years. But then, I don't engage in "dangersous" activity like downloading crap higgeldy-piggeldy. I have also been running Netscape then FF for at least 12 years, not for security reasons but because of superior features, and I view any security improvements as a side effect of browser choices. The scenario changes in enterprises, which is the audience Stewart addressing.

Re:

[TheNucleon]

I downloaded higgeldy-piggeldy and scored 17,342 points on my first game. I'm pretty sure it doesn't have any spyware, but it's weird how IE keeps telling me I'm "pwned" or something.

Re:

[richlv]

i don't think it can be called "hardware" prevention here. pulling out the cable, that would be hardware prevention, but in this case you have software solution, only you have pushed it to another device. this changes the layout, but the approach stays the same.

WTF?

[Enlarged to Show Tex]

Unless he's expressing his vested interest in using hardware firewalls to keep viruses and malware away from the end user PC, this statement makes absolutely no sense.

Generally, a rational botnet creator would tend to try to pwn the low-hanging fruit first - i.e. the ones that have no updates, malware detection, AV, etc. Only if he/she is unable to get a large enough botnet after applying those tools would one resort to the higher-level techniques.

It's rather like saying that Timothy McVeigh would rather have used nuclear ordnance when a U-Haul full of fertilizer served his purpose just fine...

Re:

[richg74]

Looking just at the "headline" statement, you're right. The underlying idea, here as in many other places, is that security is a binary thing, like pregnancy: either you are or you aren't.

That is, of course, nonsense. A rational defender proportions his precautions to the expected threat. The front door and locks on my flat are doubtless less secure than the vault door at the Bank of England, but that doesn't mean they are worthless or a waste of money.

To be fair to Mr. Stewart, reading the whole arti

Re:

[Vancorps]

If you're working for an organization of computers though, particularly one marketing oriented how in the world could you maintain any sort of white-list?

In the Windows world it's fairly easily management on a broad scale with mandatory profiles and a login/logout script which writes to a database.

Of course you can do the same thing on a broad scale with most Linux distros out there.

White-listing the web or email is simply not possible for a lot of companies though.

You're right, security is a proce

Inadequate != Nothing

[Doc Ruby]

Sure the current antivirus industry isn't protecting us 100% (or even close) from viruses. But if there were no antivirus industry, that protection level would be a lot closer to 0% than to 100%. And the risks and losses would be much greater. Probably the global Windows installed base would be a botnet, making the Internet an impossible, not just an inconvenient, platform.

I don't think that Cisco's CSO is a total waste of money. But if he's going to equate "inadequate" to "nothing", Cisco needs to upgrade

Re:Inadequate != Nothing

[Tridus]

"And the risks and losses would be much greater."

Based on what? The cause of infection is pretty much the same with or without AV software:
- Application exploits (AV software only stops known ones, all the new ones constantly coming out get through just fine)
- Stupid users saying "sure I want to run this random .exe file someone emailed me" (AV software is no help at all)

I'm not seeing any real world evidence that AV software is reducing the damage being done by all these viruses.

I mean really, when was the last time you had AV software catch a virus that would have otherwise infected your system?

They want to go to whitelisting

[tepples]

From the article:

A better way of dealing with the unknown is to use whitelists -- where only authorised or approved software can execute, said Stewart.

"I'm sick of blacklisted stuff. I've got to go for whitelisted stuff -- I know what that is because I put it there," he said.

This might work for a corporate environment. But how will PC users in home environments know what to put on a whitelist and what not to put on a whitelist?

Re:

[i.r.id10t]

Much like DNS blacklists for spam, etc. I'm sure someone or some company would start a public list that is updated regularly... Or where they work will give them the info to take home. Our help desk here has done that a few times - they send out a hosts file that blocks a lot of annoying ads, etc via the domain and login scripts, but after folks have said "I don't want the ads at home either" they've given copies and directions to take home.

Re:

[BMonger]

From e-mails they get from friends that came from a very knowledgeable friend of a friend of a friend who knows about computers even though nobody knows who the original friend of a friend of a friend is.

Re:

[kamochan]

This might work for a corporate environment. But how will PC users in home environments know what to put on a whitelist and what not to put on a whitelist?

Why, iexplore.exe. Isn't that all you need?

Re:

[richlv]

this could work quite nicely for most home users who are satisfied by what linux distributions offer, actually.
distribution packages are pgp signed, and are the only things whitelisted. there, no need for the user to know anything, distro people will know what to whitelist.
and with different mandatory access control mechanisms, each application can b restricted even more to only access resources it is intended to, prventing some exploits in the app itself from working as well.

Not completely wasted...

[Coopjust]

The A/V industry is having difficulty keeping up with the ever evolving and growing malware industry, but "completely wasted"? I don't think so.

For Geeks who delete suspicious emails, use Thunderbird (so emails are not rendered in the IE engine), etc., sure, an AV may be a useless waste of CPU cycles. But for the nontechnical user, it's important. While it's difficult to keep up with outbreaks, it's important for older viruses in the wild- something Grandma may not catch.

Now, as for a whitelist. Dumb idea. It puts too much power in the hands of AV companies (who can say "$$$ to get on the list!" or if users can change it, they'll get "IMPORTANT WINDOWS UPDATE- REMEMBER TO ADD TO YOUR WHITELIST!". What about unsigned programs? Updated versions?

A whitelist might work for children, for work PCs, for other non-administrators. But people ultimately want to install their own programs without the blessing of company XYZ.

And, as a geek, I strongly disagree that it's impossible to remain secure, it just takes a little training. I know nontechnical users, I teach them for 10 minutes, and they have good habits. Don't open emails saying "A greeting card from a classmate", don't run unsolicited programs, if you get an email saying it's from chase.com "Important Account Update" visit their directly, etc.). Those habits go a long way, along with some layered protection (ZoneAlarm Free, Router w/ a firewall, Avast Home, Immunize in SpywareBlaster, and Immunize in Spybot S&D). That user still has some trouble with some tasks, but with a little common sense and some good protection, they've stayed infection free for 4 years.

(And, of course, I fix the computer as a friend, and I occasionally run rootkit detection and AV from a LiveCD just to make sure).

Re:

[Uncle Focker]

Now, as for a whitelist. Dumb idea. It puts too much power in the hands of AV companies (who can say "$$$ to get on the list!" or if users can change it, they'll get "IMPORTANT WINDOWS UPDATE- REMEMBER TO ADD TO YOUR WHITELIST!". What about unsigned programs? Updated versions? A whitelist might work for children, for work PCs, for other non-administrators. But people ultimately want to install their own programs without the blessing of company XYZ.

Huh? I've re-read the whitelist quote and I'm failing to see what this random rant has to do with what he is saying. Where in his statement did he say that you should just be a zombie and create a whitelist based on only what your AV company tells you?

Re:

[flyingfsck]

"Don't open dubious email" is bulldust. The email program should be secure. I can click on anything and everything with wild abandon and never have any trouble on both my Windows and Linux systems.

Disagree

[Dop]

Correct, patching your systems isn't going to protect you against state-of-the-art malware. What patching does is protect you against script kiddies running exploits that are 6 months old. The majority of the successful attacks I've seen are against old vulnerabilities, not new ones.

Additionally, patching isn't just about security. It's about fixing software bugs that could cost you time/money later.

Traditional AV technology dead, film at 11

[jaredmauch]

This has been the case for quite some time. Expect signed binaries to come before long because people can't stop downloading and installing the malware. I dislike the idea, because it can lock some legit folks out of a platform, but expect something like a trusted developer program across all platforms in the future since people just can't do the right thing, and when they make a mistake, there are no real consequences.

So, about those Cisco products...

[SuperBanana]

Like this [cisco.com], which are designed to keep you off a network unless your system is up to date with all major OS patches, and has antivirus software with current definitions? If it's a waste of money to spend effort on keeping up with patches and antivirus software/definitions, I think it'd be hard to argue for spending money on systems which enforce hard-line policies (thus not only "wasting" IT's time, supposedly- but now also wasting employee time as they can't work until things are fixed.)

I agree. But...

[hyperz69]

Even if you made every OS somehow 99.999% malproof somehow. Someone would still be selling a Norton like utility that you need. Security is big business, since fear is the best motivation for buying you can have.

If they couldn't justify the fear, they would themselves research the holes JUST so they have something to patch or utility to sell us. While in a perfect world we could just patch our OSes for bugs and no need for anything running in the background to protect us from boogie men. Companies like No

clam

[Lord Ender]

Cisco is integrating ClamAV in to their "Cisco Security Agent" HIDS product. They clearly think AV is useful, just not other peoples' AV.

Re:

[jalefkowit]

Or maybe they think AV is important to sell product to people (like corporate IT drones) who buy based on the number of checkboxes ticked off on the feature list. In other words, they don't think the AV feature is really useful, but they can't sell a security product that doesn't have the "AV" checkbox ticked on the feature list. So they grab the cheapest possible option (an open source toolkit), roll it in, and now they can check that box. (I have no idea if this is actually Sun's thinking or not, I'm j

Cancel or Allow?

[starglider29a]

I'm waiting for the day when a malware possesses the UAC.

"You are receiving HTML which speaks unfavorably about me. Cancel or Allow?

patches do more then make you secure and you shoul

[Joe The Dragon]

patches do more then make you secure and you should still install them for other things.

What About a Proactive Security Tool?

[FurtiveGlancer]

Oh, M$ patent [slashdot.org], nevermind.

Duh!

[mlwmohawk]

Sorry, but it is beyond laughable that this is news. Anti-virus software is like prayer. It lets you think you're doing something.

Anti-virus software is by its very nature a "post damage" measure, like closing the barn door after the horses leave. Of fixing the roof after the house is wrecked from rain.

The *only* way to prevent viruses is to understand that your computer only does what it is told and you need to control who gets to tell it what to do.

Windows, and we are talking about Windows here, is designed to allow foreign agents to control your system without your consent. Microsoft has so many holes in its system beyond just stack overflow exploits, but protocols and APIs designed to make it "easier" for application to do things "for you," and are we surprised that it is exploited?

Despair

[nsuccorso]

Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure.

He then set his hair on fire and ran screaming from the stage.

Agree somewhat

[SCHecklerX]

AV is completely wasted money. Patching isn't. Especially for systems that expose that particular service to a hostile network. Internally behind firewalls, not as much of a threat, but should still be addressed. It all comes down to risk assessment. AV simply tries to solve a user stupidity issue with technology. That will never work, while making your systems less stable and more costly to maintain in the process.

And in other news...

[ds_job]

Cisco CSO says "You are all going to die so put down the muesli bar and pick up that burger."

He's right. Now we need secure operating systems.

[Animats]

He's right. Anti-virus tools only work against previous-generation attacks and inept attackers.

Antivirus as virus

[pubjames]

I'm sure it's a common experience to Slashdotters to have a friend/relative show them their PC that they think it has a virus because it runs so slowly, when of course the reason it is running so slowly is all the anti-virus crap installed on it.

Viable alternative.

[rindeee]

I have two Windows computers that I use. They are rarely used (Govt issue). In addition I have 3 Macs, two Sun boxes (Solaris 9 & 10 respectively) and a number of Linux boxes. I run Symantec on the two Windows machines (comes pre-installed) but it has never caught anything. This is not because there was nothing to catch, but rather because I have very high security at the demarcation point of my network at home. I run a router with PacketProtector (a great OSS project...if you've not tried it out, you should) which runs ClamAV, Inline SNORT, DG, TinyProxy, etc. etc. etc. which pretty much stops everything in it's tracks. I wouldn't call it ready for prime time as there are still some bugs, but implementing the same packages on a old PC would be simplistic. My point is that it's relatively easy to stop darn near everything at the entry point to the Network rather than waiting for it to make itself known on one of the PCs. Catching it on the host should be the last resort, not the first line of defense. Hopefully projects such as OpenWRT, PacketProtector and IPCop will make it easier for the average user to make this a reality. There is certainly a need for more effective anomaly based analysis and filtering vs. signature based, but there seems to be a lot of progress in that direction by SourceFire and others. Of course it would be nice if MS would stop producing virtual petri dishes, but in the mean time....

Re:Viable alternative.

[Shados]

If you have that kind of knowledge and the ability to install all that stuff, there there IS nothing to catch. With the very rare exception of a media exploit or something (like the old jpeg exploit, which virtually none of the above would notice at the source), just "knowing what you're doing" will allow you to avoid damn near 99.999% of malware. I have a douzan Windows machines, used for just about everything, from gaming to work, and I download a lot of software, browse a lot of web sites...

None of my machines have anti-virus on them (I use one-shot scanning tools every couple of months to be sure all is good), and I have only ever caught ONE virus, which I noticed with my 2 eyes 5 minutes after I caught it, on a totally out of date lap-top that I hadn't used in over a year (so it wasn't updated), through the COM+ jpeg exploit. And I sure don't have anything beyond a 40$ NetGear router.

There simply isn't all that much to catch, unless you take needless risks.

In other news...

[saleenS281]

Cisco says they have a great new hardware firewall that will stop *ALL* malware. You just need to sign a contract indemnifying them should you have a malware outbreak on your network...

Some things can't be fixed with software

[jon3k]

The problem is the users. No matter how secure you make an operating system users will still click on every link and give people their passwords.

Re:Some things can't be fixed with software

[jon3k]

My password is mustang63 do you have a link or is there like a torrent or something?

Facing metaphorical mortality of your OS

[Junior J. Junior III]

Following the "virus" metaphor from biology, if the computer is an organism, and AntiVirus is part of its immune system, we should realize that at some point, just like any biological organism, the system will die.

A healthy system may have the latest and best immune system known to man, but this does not guarantee and should not be construed to mean that the system is invulnerable or immortal. It is merely immune or resistant to the diseases that it has been exposed to or evolved resistance or immunity to.

We don't expect medical science to ever eradicate all disease and make us perfectly healthy; why do we think it's possible for computers? (Or conversely, why do we think that building an immune system is wasted effort?)

Then again, perhaps turing/von neumann machines and biological organisms aren't so similar after all. It's hard to assess whether this extended metaphor is too forced to be useful or not.

Correction

[AlgorithMan]

the malware industry is moving faster than the security industry, making it impossible for users to remain secure...

... on Windows machines!

Re:

[MacDork]

I don't have to cite thousands of potential malware infections to prove the claim false--one will suffice.

AC didn't say malware. There has never been a Mac OS X virus. Ever. Period. And by your own admission, even worms and trojans are incredibly rare. Feel free to cite a virus if you can, I'd love to read about the thing if it were to exist.