
Tavis Ormandy Criticizes Meaningless Antivirus Excellence Awards (softpedia.com)

An anonymous reader writes: A Google security expert (Tavis Ormandy) has become annoyed with antivirus products receiving awards a week after he finds huge security holes in their software. He's talking about Comodo, which received an "excellence" award from Verizon after the researcher discovered four security issues in the past four months and is in the process of submitting a fifth. His criticism of Comodo and Verizon's silly awards is also validated by the fact that during the past year he discovered security flaws in numerous antivirus and security products such as Avast, Malwarebytes, Trend Micro, AVG, FireEye, Kaspersky, and ESET.
  • were for the holes.
  • Bloatware (Score:4, Interesting)

    by Anonymous Coward on Wednesday March 16, 2016 @05:59AM (#51706453)

    Many antivirus products started as small, useful tools which genuinely helped detect and neutralize viruses, at least in the 90s and early 2000s. For some reason which I can only compare to gluttony for more "features" and attention, most have grown into bloatware with flashing popups, nagging screens and award stickers collected like flairs, which are supposed to validate their usefulness but are meaningless. When friends ask me to set up a newly purchased laptop, one of the first things to do is remove all that antivirus crap and educate them on PC hygiene.

    • Re:Bloatware (Score:5, Informative)

      by rudy_wayne ( 414635 ) on Wednesday March 16, 2016 @06:50AM (#51706543)

      Most AV programs have not only become bloatware, adding more and more useless "features", but they have actually become malware themselves.

      For example [softpedia.com]:

      The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users install AVG antivirus, is vulnerable to trivial XSS (cross-site scripting) attacks.

      "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that AVG can bypass the Chrome Store malware checks, which specifically tries to stop abuse of the Chrome Extension API."

    • No real surprise in all of this, tbh. ~15 years of writing AV stuff got me absolutely nowhere, and I got burned out, hence pulling the plug. I've said this many times, but there needs to be a centralized database that vendors pull their info from. The next step is seeing which AV vendor can write the most efficient detection algorithm. The only thing I brought to the table with my project was a bare minimum standard of efficiency. The result was this:

      1 Dependency installer
      No further "installation" ne
    • The conventional antivirus has become all but useless to deal with the latest zero-day threats. At best, an AV program is useful for scanning a download for a potential Trojan... but even with that, one is better off just using VirusTotal if the executable is small, or using the MD5/SHA hash if the file is bigger.

      I'd like to see an AV program actually do something useful:

      1: Filter by IP address. This is especially useful with third party malvertising which is a large infection vector.
      2: Set kill bits and

      • by Bert64 ( 520050 )

        1, this is what a firewall does...
        3, OSX does this by default - although signed binaries are not a perfect solution
        5, I scripted something similar for a Linux KVM based hypervisor setup, it mounts each of the VM disk images read-only and scans them... you can also scan your backups in this way, which gives your backup server something to do during the day when it's not actually making backups.
        6, SELinux/AppArmor policies do this - access to unexpected locations is logged and/or denied, the problem with windows

    • Antivirus was most useful in the days prior to it needing to be always running. TSR's started down the path towards bloat and instability, but prior to that it was quite helpful to be able to pop in a read-only floppy with antivirus and run a scan on your local drives.

      Once they started running as TSR's (background programs), they became a constant hog of system resources oft-times worse than the viruses themselves. The internet furthered this in many ways because - previously - viruses generally spread thro

    • by Bert64 ( 520050 )

      Welcome to capitalism...
      You can't keep selling the same product, you have to offer perceived "improvements" or people won't upgrade, and under the hood improvements are not visible to users so won't compel them to buy more - only highly visible and flashy features will make clueless users think they're getting value for money.

      Another thing to consider, is should users have to be educated about hygiene and learn how to deal with such things? For the vast majority of users that is wishful thinking, and they'd

  • We've been there before. [youtube.com] (17 seconds clip and it's NOT Rick Astley)

  • by FudRucker ( 866063 ) on Wednesday March 16, 2016 @06:25AM (#51706501)
    switching to an Operating System that is not the target of virus writers, or at least less of a target

    Linux is your best bet for a general purpose operating system
    • by Anonymous Coward

      Linux is your best bet for a general purpose operating system

      Oh, you're killing me. Do you do live stand up too, or just hilarious Slashdot posts? Linux is a geek's operating system. It is your best general purpose operating system only if your purposes aren't mainstream and general. Is Linux a good OS? Of course - it certainly is. Best for general purposes? Haha, that's a good one.

      • by KGIII ( 973947 )

        I don't know about all that... As the phrase in use here is general purpose then I can say that I am content to use Linux for my computing needs - all of them. I'm not a gamer so I don't care about that. However, the term is general purpose and not gaming purpose so I'm thinking it doesn't much matter.

        Note: I did not say that it has or should have (or even will have) mainstream acceptance. I'm okay with that. I don't really care if there's a year of the Linux Desktop. Hell, I don't even actually care what o

      • by Bert64 ( 520050 )

        All the big operating systems are aimed at geeks, the average user is not really capable of managing a complex general purpose computer system and that's the whole reason why such problems as malware are so prevalent.

        But there's also the fact that very few people actually need a general purpose system, most people do a small subset of things so devices built to do these things are a far better choice for most people. Think games consoles, chromebooks, tv sets, phones, routers etc... And a lot of these speci

    • Therefore GNU Hurd. In fact if you want to get malware you have to write it yourself.
    • switching to an Operating System that is not the target of virus writers, or at least less of a target
      Linux is your best bet for a general purpose operating system.

      You don't choose an operating system because it is free of risks.

      You choose it because it supports the programs and services you want and need to run on the hardware you find attractive and affordable. You choose it because it is a comfortable fit for your level of interest and involvement. Not everyone enjoys spending time under the hood.

      It's telling that the only flavor of Linux to achieve mass-market status is the malware-ridden Android platform.

    • Grow Linux desktop usage above 10% and it WILL be a target for script kiddies with viruses.
  • Well you know, it is Verizon handing out the rewards.

    It's much easier to be skeptical after realizing that.

  • I should think not! They paid good money for that award!
  • Perhaps said Google employee should focus on Google, which tends to be clueless about a lot of things. If you install a private CA cert, your Android phone will then start lying to you, claiming "This network may be monitored by an unknown party." (or similar). Nope. I know who they are, I deliberately installed the cert, and your incorrect message only makes me tend to ignore any warnings you give in the future. OTOH, it also comes pre-loaded with a shitload of enabled CA Certs, most of which I likely have no u
  • The A/V companies made the significant strategic error of starting a race to add more and more features to their products, resulting in insecure bloatware that is tasked with monitoring our PCs for malware.

    One A/V product pokes around my network trying to find my router and determine whether or not I have it configured properly? Give me a break. Focus on the reason I purchased the product, and stop surveying my network. If the router settings have changed, then the A/V product failed in its core goal.

    • by AHuxley ( 892839 )
      The AV product just looks for the standard factory set admin password and suggests a change as malware has been found using the default hardware password lists.
  • An AC posted in reference to AV software once being nimble and useful before mutating into the crapware we see today. This is of course true. Things have escalated to such a level of what the fuck, I have been wondering if some AV companies are not covertly writing virus and malware software themselves, concurrent with the patch, so that once they manage to get the virus/malware propagating out of the dark web, they can demonstrate how quickly they are able to update their software and better "protect" their
  • An "award" is totally arbitrary and meaningless anyway, anyone can provide an award, for anything, based on any criteria and don't have to even disclose the criteria on which the award is based.
    The problem is that people think any of these awards have any value whatsoever, so vendors will take steps to acquire them and use them in marketing material.

    • Yes - thank you. For example - did Verizon feel that the winner responded to issues in a timely fashion? Was this company somehow ahead of the others in either securing systems or repairing issues quickly?

      Nobody has perfect AV/firewall software. Do some companies do a better job at doing their best? Do they fix the underlying problem or issue lots of hot-fixes?

      It's a beauty contest. Next Verizon will announce that product as being the Select Vendor or it's already in use within their cloud. And - He

  • Antivirus is borderline useless these days.

    Application whitelisting, generally by publisher certificate, is the only way to lock things down meaningfully. Use hash-based exceptions for unsigned apps. Too bad all the tools are priced for enterprise.

    SELinux is good, but it takes a lot of work to get it into shape if you are doing anything that lacks an out-of-the-box config.

    Behavior-based anomaly detection is the next big thing. But the last I checked, it takes forever to establish your baselines, and false p

    • Application whitelisting, generally by publisher certificate, is the only way to lock things down meaningfully. Use hash-based exceptions for unsigned apps.

      Agreed 100%.

      Too bad all the tools are priced for enterprise.

      It's already in OSX. I've had to grant the exception for one app, but it's rare.

      Allow apps downloaded from:
      -Mac App Store
      -Mac App Store and Identified developers (what I keep mine set to)

      • AppLocker [microsoft.com], in recent Windows versions (and building on Software Restriction Policies, dating back to XP), provides similar controls. It's actually a lot more fine-grained than that, though it can be made to act much like how you describe.
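The combination the last two comments describe (publisher rules for signed code, hash rules as the exception for unsigned code, tried out before it is enforced) can be built with the AppLocker PowerShell module. The following is an added example, not code posted by any commenter and not taken from Microsoft's documentation. It assumes an elevated session on a Windows edition that ships AppLocker; `C:\Program Files\ExampleApp` stands in for whatever you actually want to allow, and `C:\Users\Public\Downloads\unknown-tool.exe` for an unsigned binary you expect to be blocked.

```powershell
# Added example, not from the thread. Placeholders: C:\Program Files\ExampleApp
# (the software to allow) and C:\Users\Public\Downloads\unknown-tool.exe (an
# unsigned binary that should be denied). Run elevated on an edition with AppLocker.
Import-Module AppLocker

# 1. Inventory the binaries to allow. Each FileInformation object carries the
#    file's Authenticode publisher (when it is signed) and its hash.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files\ExampleApp' `
    -Recurse -FileType Exe, Dll

# 2. Generate rules. -RuleType is an ordered preference: a signed file gets a
#    Publisher rule (so the vendor's own updates keep running), an unsigned file
#    falls back to a Hash rule, which is the "hash-based exception" the comment asks for.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix ExampleApp -Optimize -Xml

# 3. Start in audit mode. New-AppLockerPolicy emits EnforcementMode="NotConfigured";
#    AuditOnly records what *would* have been blocked in the AppLocker event log
#    (Applications and Services Logs > Microsoft > Windows > AppLocker) without blocking.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyXml | Out-File -FilePath .\applocker-exampleapp.xml -Encoding utf8

# 4. Dry-run the policy against a file before deploying anything. An unsigned
#    binary that is not in the inventory should come back as Denied/DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy .\applocker-exampleapp.xml `
    -Path 'C:\Users\Public\Downloads\unknown-tool.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally, merged with whatever policy is already in place, and make sure
#    the Application Identity service (which AppLocker depends on) starts at boot.
Set-AppLockerPolicy -XmlPolicy .\applocker-exampleapp.xml -Merge
sc.exe config appidsvc start= auto
sc.exe start appidsvc
```

Two caveats before flipping any collection from AuditOnly to Enabled: once a rule collection (Exe, Dll, Script, ...) contains a single rule, everything else of that type is denied by default, so the inventory has to cover Windows itself and the rest of Program Files (or you add the default rules from the AppLocker GUI) or you will lock the machine out of its own OS binaries; and every update of an unsigned application changes its hash and silently breaks the Hash rule, which is exactly why the commenter's preference for publisher rules, with hashes only as the exception, is the right default.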
