Tavis Ormandy Criticizes Meaningless Antivirus Excellence Awards (softpedia.com)
An anonymous reader writes: A Google security expert (Tavis Ormandy) has become annoyed with antivirus products receiving awards a week after he finds huge security holes in their software. He's talking about Comodo, which received an "excellence" award from Verizon after the researcher discovered 4 security issues in the past four months, and is in the process of submitting a fifth. His criticism of Comodo and Verizon's silly awards is also validated by the fact that during the past year, he discovered security flaws in numerous antivirus and security software such as Avast, Malwarebytes, Trend Micro, AVG, FireEye, Kaspersky, and ESET.
The awards (Score:2)
Bloatware (Score:4, Interesting)
Many antivirus products started as small, useful tools which genuinely helped detect and neutralize viruses, at least still in the 90s and early 2000s. For some reason which I can only compare to gluttony for more "features" and attention, most have grown to bloatware with flashing popups, nagging screens and award stickers collected like flairs which are supposed to validate their usefulness, but are meaningless. When friends ask me to set up a newly purchased laptop, one of the first things to do is remove all that antivirus crap and educate them on PC hygiene.
Re:Bloatware (Score:5, Informative)
Most AV programs have not only become bloatware, adding more and more useless "features", but they have actually become malware themselves.
For example [softpedia.com]:
The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users install AVG antivirus, is vulnerable to trivial XSS (cross-site scripting) attacks.
"This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that AVG can bypass the Chrome Store malware checks, which specifically tries to stop abuse of the Chrome Extension API."
Re: (Score:2)
Since Windows 7, Microsoft has included Windows Defender in the installation package. Windows Defender was a #1 virus scanner that MS bought out. Do you really need to disable Defender and install another virus scanner?
Re: (Score:3)
Technically, Windows Defender in Win7 was built from Giant AntiSpyware and only provided anti-spyware/anti-adware protection; it doesn't have detection for things like worms and other sorts of malware. For that you need the (free, but optional download) Microsoft Security Essentials [microsoft.com]. However, starting with Win8, Defender (the built-in thing) includes the MSE scanning engine and signatures.
The obvious difference between Win7 and Win8 in this regard is that when Win7 came out, MS was still under some anti-
Re: (Score:2)
1 Dependency installer
No further "installation" ne
Re: (Score:2)
The conventional antivirus has become all but useless to deal with the latest zero-day threats. At best, an AV program is useful for scanning a download for a potential Trojan... but even with that, one is better off just using VirusTotal if the executable is small, or using the MD5/SHA hash if the file is bigger.
I'd like to see an AV program actually do something useful:
1: Filter by IP address. This is especially useful with third party malvertising which is a large infection vector.
2: Set kill bits and
Re: (Score:2)
1, this is what a firewall does...
3, OSX does this by default - although signed binaries is not a perfect solution
5, I scripted something similar for a Linux KVM-based hypervisor setup; it mounts each of the VM disk images read-only and scans them... you can also scan your backups in this way, which gives your backup server something to do during the day when it's not actually making backups.
6, SELinux/AppArmor policies do this - access to unexpected locations is logged and/or denied, the problem with windows
background bloat (Score:1)
Antivirus was most useful in the days prior to it needing to be always running. TSRs started down the path towards bloat and instability, but prior to that it was quite helpful to be able to pop in a read-only floppy with antivirus and run a scan on your local drives.
Once they started running as TSRs (background programs), they became a constant hog of system resources, oft-times worse than the viruses themselves. The internet furthered this in many ways because - previously - viruses generally spread thro
Re: (Score:2)
Welcome to capitalism...
You can't keep selling the same product, you have to offer perceived "improvements" or people won't upgrade, and under the hood improvements are not visible to users so won't compel them to buy more - only highly visible and flashy features will make clueless users think they're getting value for money.
Another thing to consider is whether users should have to be educated about hygiene and learn how to deal with such things. For the vast majority of users that is wishful thinking, and they'd
Re: (Score:1)
Excellent Award! (Score:2)
We've been there before. [youtube.com] (17 seconds clip and it's NOT Rick Astley)
And The Best AntiVirus is.... (Score:4, Insightful)
Linux is your best bet for a general purpose operating system
Re: (Score:2)
Which is why we need diversity, a variety of different systems being used with interoperable data files between them... If no single system has more than 30% market share then malware writing will become far less profitable.
Re: (Score:1)
Oh, you're killing me. Do you do live stand up too, or just hilarious Slashdot posts? Linux is a geek's operating system. It is your best general purpose operating system only if your purposes aren't mainstream and general. Is Linux a good OS? Of course - it certainly is. Best for general purposes? Haha, that's a good one.
Re: (Score:2)
I don't know about all that... As the phrase in use here is general purpose then I can say that I am content to use Linux for my computing needs - all of them. I'm not a gamer so I don't care about that. However, the term is general purpose and not gaming purpose so I'm thinking it doesn't much matter.
Note: I did not say that it has or should have (or even will have) mainstream acceptance. I'm okay with that. I don't really care if there's a year of the Linux Desktop. Hell, I don't even actually care what o
Re: (Score:2)
All the big operating systems are aimed at geeks, the average user is not really capable of managing a complex general purpose computer system and that's the whole reason why such problems as malware are so prevalent.
But there's also the fact that very few people actually need a general purpose system, most people do a small subset of things so devices built to do these things are a far better choice for most people. Think games consoles, chromebooks, tv sets, phones, routers etc... And a lot of these speci
Re: (Score:2)
Missing the point. (Score:1)
switching to an Operating System that is not the target of virus writers, or at least less of a target
Linux is your best bet for a general purpose operating system.
You don't choose an operating system because it is free of risks.
You choose it because it supports the programs and services you want and need to run on the hardware you find attractive and affordable. You choose it because it is a comfortable fit for your level of interest and involvement. Not everyone enjoys spending time under the hood.
It's telling that the only flavor of Linux to achieve mass-market status is the malware-ridden Android platform.
Re: (Score:2)
Re: (Score:2)
Did I just call the entire computer security industry a scam? Why yes, I did. Tell me I'm wrong please, and try and add a believable argument.
Okay. You're wrong.
You've painted the entire computer security industry as being nothing more than virus scanning software. For an example of how just wrong this is, you need to look no further than the summary; "the researcher discovered 4 security issues in the past four months, and is in the process of submitting a fifth." Security researchers who find flaws, the programmers who implement encryption algorithms to keep your data safe, the manufacturers of firewalls that help protect everyone's systems
Re: (Score:3, Informative)
He may be inarticulate, but he's not wrong.
The entire "computer security industry" is little more than scammers selling nothing but snake oil, i.e., security products which themselves are full of exploitable vulnerabilities and in many cases are very close to being malware.
Re: (Score:2)
He may be inarticulate, but he's not wrong.
The entire "computer security industry" is little more than scammers selling nothing but snake oil, i.e., security products which themselves are full of exploitable vulnerabilities and in many cases are very close to being malware.
This argument is why terms need to be defined. You and the GPP are defining "computer security industry" as the set of people and companies that build and sell security products. Even with that definition, the accusation of snake oil is overly broad; there are a few security products which are actually useful. The GP is defining "computer security industry" as the set of people and companies that work on and around computer security, including security researchers that find vulnerabilities, and engineers th
Re: (Score:2)
No it's just that the scammers selling snake oil are noisier, have bigger marketing budgets and are more trusted by those who don't know any better...
There are plenty of competent people out there, doing research, finding and fixing security holes, trying to write secure code themselves and trying to improve the coding and general security practices of others. The problem is that setting things up securely or building secure code requires a high level of (expensive and rare) skills, whereas trusting the sna
Re: (Score:2)
Re: (Score:2)
Maybe you're right, but I still can't figure out how these guys [openbsd.org] are scamming us. They sure look innocent.
Verizon (Score:2)
Well you know, it is Verizon handing out the rewards.
It's much easier to be skeptical after realizing that.
"Meaningless"? (Score:2)
Meanwhile, closer to home... (Score:2)
Who watches the watchers? (Score:2)
One A/V product pokes around my network trying to find my router and determine whether or not I have it configured properly? Give me a break. Focus on the reason I purchased the product, and stop surveying my network. If the router settings have changed, then the A/V product failed in its core goal.
Re: (Score:2)
Shady Industry (Score:2)
Meaningless awards (Score:2)
An "award" is totally arbitrary and meaningless anyway; anyone can provide an award, for anything, based on any criteria, and doesn't even have to disclose the criteria on which the award is based.
The problem is that people think any of these awards have any value whatsoever, so vendors will take steps to acquire them and use them in marketing material.
Re: (Score:2)
Yes - thank you. For example - did Verizon feel that the winner responded to issues in a timely fashion? Was this company somehow ahead of the others in either securing systems or repairing issues quickly?
Nobody has perfect AV/firewall software. Do some companies do a better job at doing their best? Do they fix the underlying problem or issue lots of hot-fixes?
It's a beauty contest. Next Verizon will announce that product as being the Select Vendor or it's already in use within their cloud. And - He
Almost Anything Else is Better (Score:2)
Antivirus is borderline useless these days.
Application whitelisting, generally by publisher certificate, is the only way to lock things down meaningfully. Use hash-based exceptions for unsigned apps. Too bad all the tools are priced for enterprise.
SELinux is good, but it takes a lot of work to get it into shape if you are doing anything that lacks an out-of-the-box config.
Behavior-based anomaly detection is the next big thing. But the last I checked, it takes forever to establish your baselines, and false p
Re: (Score:2)
Re: (Score:2)
AppLocker [microsoft.com], in recent Windows versions (and building on Software Restriction Policies, dating back to XP), provides similar controls. It's actually a lot more fine-grained than that, though it can be made to act much like how you describe.
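As an added illustration (not from either commenter), this is how AppLocker can be driven from PowerShell to do what the grandparent describes: publisher (certificate) rules for signed binaries, hash rules only as the exception for unsigned ones, rolled out in audit mode first so the baseline can be checked against the event log before anything is enforced. The install roots, the rule-name prefix and the sample path are assumptions.

```powershell
# Added example: AppLocker allow-list with publisher rules for signed
# executables and hash rules for the unsigned leftovers, deployed audit-only.
# Needs an elevated PowerShell on a Windows edition that supports AppLocker,
# with the Application Identity service (AppIDSvc) running.

# 1. Inventory the binaries you actually want to allow (assumed install roots).
$roots = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$info  = foreach ($r in $roots) {
    Get-AppLockerFileInformation -Directory $r -Recurse -FileType Exe, Dll
}

# 2. Prefer publisher rules; New-AppLockerPolicy falls back to a hash rule for
#    any file without a valid signature. -Optimize merges rules per publisher.
$xml = New-AppLockerPolicy -FileInformation $info `
        -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Switch every rule collection to AuditOnly so nothing is blocked until the
#    baseline has been proven (assumes the generated XML carries the default
#    EnforcementMode="NotConfigured" attribute on each RuleCollection).
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $env:TEMP 'applocker-baseline.xml'
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# 4. Dry-run the policy before applying it: an unsigned tool outside the
#    inventoried roots (assumed sample path) should come back as Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Users\Public\Downloads\unsigned-tool.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally, merging with whatever policy is already configured.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. Review the audit trail: event ID 8003 means "would have been blocked"
#    while the collection is in AuditOnly. Anything legitimate that shows up
#    here gets a rule added before the mode is changed to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message |
    Format-List
```

Only the EXE and DLL collections are covered here; scripts, installers and packaged apps are separate AppLocker collections and need their own inventory pass.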
Re: (Score:2)