
Antivirus Software Is 'Increasingly Useless' and May Make Your Computer Less Safe (www.cbc.ca)

Emily Chung, writing for CBC: Is your antivirus protecting your computer or making it more hackable? Internet security experts are warning that anti-malware technology is becoming less and less effective at protecting your data and devices, and there's evidence that security software can sometimes even make your computer more vulnerable to security breaches. This week, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued a warning about popular antivirus software made by Symantec, some of it under the Norton brand, after security researchers with Google's Project Zero found critical vulnerabilities. "These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," wrote Google researcher Tavis Ormandy in a blog post. Symantec said it had verified and addressed the issues in updates that users are advised to install. It's not the only instance of security software potentially making your computer less safe. Concordia University professor Mohammad Mannan and his PhD student Xavier de Carne de Carnavalet recently presented research on antivirus and parental control software packages, including popular brands like AVG, Kaspersky and BitDefender, that bypass some security features built into internet browsers to verify whether sites are safe or not in order to be able to scan encrypted connections for potential threats. In theory, they should make up for it with their own content verification systems. But Mannan's research, presented at the Network and Distributed System Security Symposium in California earlier this year, found they didn't do a very good job. "We were surprised at how bad they were," he said in an interview. "Some of them, they did not even make it secure in any sense."
  • by zenlessyank ( 748553 ) on Friday July 08, 2016 @09:07AM (#52470623)
    ilcreasingingly
  • by zenlessyank ( 748553 ) on Friday July 08, 2016 @09:10AM (#52470651)
    Is like having a guy with peanut allergies pushing Planters products.
  • by martyros ( 588782 ) on Friday July 08, 2016 @09:11AM (#52470659)
    After a recent debacle where Symantec apparently didn't get the proof-of-concept exploit sent to them by a security researcher because the mail filter automatically opened the document and crashed, a friend of mine joked that antivirus software was actually a tool to "automatically click on attachments for you".
  • by Anonymous Coward on Friday July 08, 2016 @09:11AM (#52470661)

    ok look, i do some malware analysis.

    the thing is, 99% of the malware you run into is run-of-the-mill stuff.

    to paraphrase someone who was talking about EMET:

    not running AV because some researchers are doing next-level shit is like not wearing your seatbelt because a sniper might get you.

    Tavis Ormandy has uncovered a shit-ton of serious vulnerabilities in some big name AV / Endpoint Protection products. Great! Those will get fixed and life goes on. There are also some AV suites that taviso has NOT found big problems in.

    keep in mind also that some other big names in "next level" endpoint protection and security services monetarily gain from pushing the idea that "endpoint security is dead".

    • by EndlessNameless ( 673105 ) on Friday July 08, 2016 @09:37AM (#52470871)

      not running AV because some researchers are doing next-level shit is like not wearing your seatbelt because a sniper might get you

      To extend your analogy, we are now driving at speeds that render the seatbelt inadequate. While it may still be wise to buckle up, we need a better seatbelt design, a supplementary measure, or a replacement.

      Right now, we have IDS/IPS applications and ad/script blocking as reasonably good supplements. But even that isn't enough anymore---just as adding an air bag isn't enough to make a car safe at racetrack speeds.

      There are suitable solutions for enterprise where the budget and administrative skills can support it, but there is really nothing for home users.

      • by rtb61 ( 674572 )

        The correct slashdot car analogy: anti virus software is like a really secure armoured truck that will protect your money, but the armoured truck comes from an unsecure yard where anyone can take it over and then drive up and take your money. The antivirus software can still secure your hugely unreliable operating system; it just can not secure itself, because they failed to pay attention to that part, and because the security software stuck itself in with root access, hack the security software and you gai

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Friday July 08, 2016 @10:22AM (#52471205) Journal

      the thing is, 99% of the malware you run into is run-of-the-mill stuff.

      Which Windows' built-in antivirus protection will stop.

      not running AV because some researchers are doing next-level shit is like not wearing your seatbelt because a sniper might get you.

      Nonsense. There's nothing "next level" about this. What Tavis found is that running vulnerable A/V software adds a large and easily-exploitable attack surface to your system. The fact that most current-generation malware isn't exploiting these bugs yet doesn't mean they won't, soon.

      Tavis Ormandy has uncovered a shit-ton of serious vulnerabilities in some big name AV / Endpoint Protection products. Great! Those will get fixed and life goes on.

      And how many more will be added? A/V software adds attack surface to your system, running at high priority. That's bad. In the past it was a net win because the base OS did nothing to protect against malware, but that's no longer the case. Does Symantec actually provide additional protection over Windows Defender? If so, how do you balance that against the additional risk it adds?

      • by emil ( 695 ) on Friday July 08, 2016 @11:35AM (#52471765)

        Privilege separation and sandboxing are well-tested mitigation techniques that allow OpenBSD to assert "Only two remote holes in the default install, in a heck of a long time!" - this security record is far, far superior to the Windows OS and the virus scanners that run atop it.

        What Microsoft still fails to grasp, even after Gates' force majeure with the XP-SP2 security redesign, is that all applications should default to a strong sandbox. When a developer pushes code outside the sandbox, it should trigger more aggressive audits prior to listing in the Windows store, and user warnings of increasing severity upon installation.

        The pertinent question for developers and administrators, especially with regards to network-facing services, is "how strong can we build the cage, and how little can we let out?" Until OS-designers build from this focus, the security tsunami will continue.

      • by Khyber ( 864651 )

        " What Tavis found is that running vulnerable A/V software adds a large and easily-exploitable attack surface to your system."

        I would argue he didn't find shit. Stupidity like this has been known since startkeylogger/stopkeylogger in Norton products. He's only re-iterating that AV products are simply shit, much like other 'security' solutions ACs tend to post here.

    • 99% of the malware you run into is run-of-the-mill stuff

      You're likely casting as wide a net as you can to find that malware. The malware that actually works its way through the Internet to the endpoint of an average person will also sail on by standard AV because there are no definitions for it yet. I'm not talking Stuxnet, I'm talking the same run-of-the-mill malware that you are, just slightly tweaked to require a new definition/hash.

      There are products that are good at stopping even re-hashed malware (Cylance), but they are effective in part because nobody is

    • not running AV because some researchers are doing next-level shit is like not wearing your seatbelt because a sniper might get you.

      I think that a better analogy is that not running AV is like disabling the Takata airbag on your Honda.

  • Adblock (Score:5, Insightful)

    by Anonymous Coward on Friday July 08, 2016 @09:11AM (#52470663)

    I think installing an adblocker in your webbrowser is probably the best antivirus available today.

    • by tnk1 ( 899206 )

      Best antivirus in a qualitative sense? Probably not.

      Best antivirus in the sense that it blocks the source of significant amounts of malware, yes.

      It does need to be pointed out that you're going to cut down considerably on malware by closing that channel, but you're still toast if you are opening attachments or you are the target of a specific attack which is less scattershot than an ad network.

      We do need something *like* dedicated antivirus. It just has to be light-years better than the bloated crap that

      • Re:Adblock (Score:5, Interesting)

        by Anonymous Coward on Friday July 08, 2016 @10:00AM (#52471027)

        For people that don't open attachments, and are more resistant to Trojans, malvertising is probably the top infection vector there is.

        I did a test on this a few years back. VM #1 running XP hasn't been patched, other than the browser (Firefox), and doesn't have any AV on it. VM #2 was patched all the way with Windows and all applications and add-ons (Flash, Acrobat, etc.) has all AV stuff, but no ad blocking.

        I used VM #1 for dedicated web browsing for a long while, and when I shut it down, mounted the virtual drive, scanned it as well as used Autoruns to look at the registry, it was clean. VM #2, which was used for browsing a few mainstream social media sites was nailed in less than ten minutes with pop-up scareware ads, then software using a third party add-on exploit.

        Moral of the story: I can go without AV and have a clean system. AV doesn't do anything against malvertising, and with the advent of sites using Flash + EME to protect their content, AV only adds complexity, expands the attack surface, and does nothing.

        • by Etcetera ( 14711 )

          For people that don't open attachments, and are more resistant to Trojans, malvertising is probably the top infection vector there is.

          Moral of the story: I can go without AV and have a clean system. AV doesn't do anything against malvertising, and with the advent of sites using Flash + EME to protect their content, AV only adds complexity, expands the attack surface, and does nothing.

          BS. "Malvertising" doesn't exist fundamentally at a technical level any more than "malshareware" exists. The problems are, respectively, vulnerabilities in flash/imagemagick/browser software/etc and intentionally subversive code that doesn't do what it claims to do. "Restricting advertising" as an AV response is catching things in the dragnet, but that's much more just rationalizing the fact that you just don't want to see ads on websites.

          We've all seen parents' and friends' computers that didn't have AV so

          • Nice to hear someone without a clue comment on the topic. Speaking as someone who actually works in an IT security position (responsible for a ~8000 node network or so -- you have to decide how you're going to count it...) there are two basic measures that cut the majority of infections off at the knees:

            1) block advertising

            2) blackhole DNS

            While some advertising industry shills get very shrill about #1, the problem is solidly in their court due to their increasingly obvious inability to stop malware from bei

      • My brother and I were talking the other day about how things appeared to have changed over the years and how the line between legitimate program and scourge of the internet is awfully thin.

    • And NoScript, and a custom HOSTS file... or just run a proper OS. ;)
      • It'd be nice if this proper OS existed at the present time because I'm not going back to Amiga despite its lack of viruses. I'm reading between the lines here, but I infer you are setting up Linux or a BSD variant as this hypothetical proper OS, all of which have their fair share of vulnerabilities and are even harder for non-technical end users to configure correctly to avoid problems.
        • by arth1 ( 260657 )

          I'm not going back to Amiga despite its lack of viruses

          This is rather funny, considering that the Amiga was infamous for its plethora of viruses.
          Some of which were rather amusing, like playing a song with the stepper motor of the floppy drive, or using any modem found to dial the home phone number of an Antivirus creator, or randomly inserting words like "sex" in any text files. All in the 1kB boot block.

          • > considering that the Amiga was infamous for its plethora of viruses.
            > Some of which were rather amusing, like playing a song with the stepper motor of the floppy drive, ..

            Go on ...

            Now I've heard of Beagle Bros' "Silicon Salad" TL:CHUGGACHUGGA [archive.org] for the Apple ][ before

            0 REM AJIT JOSHI--CANTON,MI
            1 HOME: POKE 50,223:FOR X = 150 to 255:SPEED=X:PRINT PEEK (49385) + PEEK (49386);:PRINT "CHUGGA";: PRINT PEEK(49387);:NEXT:END

            but I haven't heard that about one !

        • Aspiring programmers created many viruses for the Amiga. If memory serves, LAMER was one of the more prevalent ones. It was so-named for being targeted at pirates (and quite possibly written by a commercial software programmer). The Amiga had *zero* security features. Any application could write to any portion of memory which made poorly written but otherwise non-malicious software a problem for system stability. It was an inherently single-user system. File attributes are not protection. RDB permitted the

    • Perhaps. But the biggest vulnerability in Windows computers (for home users) comes from users running as an administrator. The Windows install process should really be changed to set up an administrator account as well as a standard user account. Very few users get viruses when they have to elevate privileges.

      I currently have 117 home and small business clients that I've educated about this. I create a new administrator account and change their original user account to standard. Only one of my clients that

  • by tepples ( 727027 ) <tepples@gmai3.14159l.com minus pi> on Friday July 08, 2016 @09:22AM (#52470751) Homepage Journal

    Antivirus software that detects apps known to be harmful is a form of blacklisting. But as a general rule, blacklisting is considered less secure than whitelisting. An antivirus using whitelisting, such as PC Matic, allows only known good apps to run.

    The obvious problem with this approach is who defines the set of known good programs. In a corporate environment, an IT department has the resources to review the programs on which employees rely. But a home PC owner who isn't quite a PC expert may not feel qualified to do this, instead delegating review to a trusted party. This has led to cases of rent-seeking, where a gatekeeper demands payment from each developer to review each app.

    Bruce Schneier explains further [schneier.com]
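    The blocklist-versus-allowlist distinction above, together with the earlier point that malware "slightly tweaked to require a new definition/hash" sails past signature checks, as an added example that is not from the thread or any AV vendor. All samples are constructed bytes with hypothetical names; the last case (a developer's fresh, unreviewed build) shows the cost side of whitelisting that the replies complain about.

```python
"""
Added example (not from the thread or any AV vendor): a hash-based
blocklist, the way signature "definitions" work at their simplest, next to
an allowlist policy. All samples are constructed bytes with hypothetical names.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables on a workstation.
REVIEWED_PROGRAMS = {
    "editor.exe": b"MZ\x90\x00 a reviewed text editor",
    "build.exe": b"MZ\x90\x00 a reviewed compiler",
}
MALWARE_SAMPLE = b"MZ\x90\x00 drops a payload and phones home"

# Blocklist: hashes of samples already analysed (the "definitions").
BLOCKLIST = {sha256(MALWARE_SAMPLE)}
# Allowlist: hashes of programs someone has reviewed and approved.
ALLOWLIST = {sha256(b) for b in REVIEWED_PROGRAMS.values()}


def blocklist_permits(program: bytes) -> bool:
    """Signature model: run anything not known to be bad."""
    return sha256(program) not in BLOCKLIST


def allowlist_permits(program: bytes) -> bool:
    """Whitelisting model: run only what is known to be good."""
    return sha256(program) in ALLOWLIST


def rehash(sample: bytes) -> bytes:
    """Trivial repack: append one junk byte. Behaviour is unchanged but the
    file hash is new, so no existing definition matches it."""
    return sample + b"\x00"


def compare_policies() -> dict:
    """Verdicts of both models on the original sample, its rehashed twin,
    a reviewed program and a developer's fresh, unreviewed build."""
    fresh_build = b"MZ\x90\x00 compiled five minutes ago"
    cases = {
        "known malware": MALWARE_SAMPLE,
        "rehashed malware": rehash(MALWARE_SAMPLE),
        "reviewed editor": REVIEWED_PROGRAMS["editor.exe"],
        "fresh local build": fresh_build,
    }
    return {
        name: {"blocklist": blocklist_permits(p), "allowlist": allowlist_permits(p)}
        for name, p in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:18} blocklist runs it: {verdict['blocklist']!s:5} "
              f"allowlist runs it: {verdict['allowlist']}")
```

The rehashed sample is the only row where the two models disagree in the attacker's favour; the fresh build is the row where they disagree in the developer's disfavour.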

    • And the moment you put a whitelisting antivirus on a programmer's machine, who will often compile their own executables, the corporate plan goes to shit anyway.

      Just like how IT departments often make programmers' life hell by not making exceptions for a directory used for compilation and artifact downloading. Triple your compile times for no good reason!

    • Whitelisting doesn't help when adding a whitelist creates an exploitable remote vulnerability that doesn't require user interaction, like Symantec and TrendMicro
  • by nateman1352 ( 971364 ) on Friday July 08, 2016 @09:26AM (#52470775)

    Seriously, why the hell does antivirus software need to run its scan engine at Admin group privileges, and why is half of the scan engine running in Ring 0 kernel drivers?

    It's amazing, my work laptop BSODs about once a day just because of some crappy driver included in the Antivirus software installed by IT.

    Since it crashes that frequently just in normal operation it seems likely that there is at least 1 vulnerability in that driver which is exploitable from user mode.

    • If the scan engine wasn't running as Ring 0 kernel drivers, then it wouldn't be able to detect Ring 0 rootkit drivers, and other such crapware. Since we know there are kernel vulnerabilities which allow infection with Ring 0 malware, not running your scanner at least partially in Ring 0 would make it even less useful than it currently is.

      • Since the whole point of it is security it really makes sense to have two copies of your scan engine installed, one in Ring 0 for early boot rootkit detection that scans every driver as it loads and only scans if the binary passes MSFT's driver signing checks first.

        All of your scanning of code modules after the kernel is up should be forwarded to a sandboxed user mode service so that even if the scan engine is compromised the malicious code can't go anywhere. Not a bad idea to fire up a new process for ever
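        The split proposed above (a minimal privileged part, with file parsing pushed into a sandboxed worker that can crash without taking the scanner with it), as an added example that is not the commenter's or any vendor's code. It runs on Linux/POSIX Python; the container format, the parser and the sample files are all constructed for the demonstration.

```python
"""
Added example (not the commenter's or any vendor's code): the split design
from the comment above, on Linux/POSIX. The broker never parses a file itself;
each file is handed to a short-lived child with tightened resource limits whose
only channel back is a one-word verdict. A child that crashes on a malformed
file (constructed here) is reported as a failed scan, and the broker survives.
"""
import multiprocessing as mp
import resource  # POSIX only; a Windows port would use a job object instead

# "fork" keeps the worker importable regardless of how this file is loaded.
CTX = mp.get_context("fork")
SCAN_TIMEOUT_S = 5


def parse_untrusted(blob: bytes) -> str:
    """Stand-in for the engine's file parser. Constructed container format:
    4-byte big-endian payload length, then the payload. A bad header raises,
    standing in for the parser bug a crafted file would hit in real life."""
    if len(blob) < 4:
        raise ValueError("no header")
    length = int.from_bytes(blob[:4], "big")
    payload = blob[4:]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    return "malicious" if b"EVIL" in payload else "clean"


def _sandboxed_worker(conn, blob: bytes) -> None:
    """Child side. Limits go down before any untrusted byte is looked at.
    Real designs add seccomp/namespaces (or AppContainer/job objects);
    RLIMIT_CPU alone only stops a parser that spins forever."""
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cap = 2 if hard == resource.RLIM_INFINITY else min(2, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cap, cap))
    # No try/except on purpose: a crash ends the child with a non-zero exit
    # and no verdict ever reaches the broker.
    conn.send(parse_untrusted(blob))
    conn.close()


def scan_isolated(blob: bytes) -> str:
    """Broker side (the part that would keep privileges). Returns the
    child's verdict, or "scan-failed" when the child died or hung."""
    recv_end, send_end = CTX.Pipe(duplex=False)
    child = CTX.Process(target=_sandboxed_worker, args=(send_end, blob))
    child.start()
    send_end.close()  # only the child may write now; EOF means it is gone
    verdict = None
    try:
        if recv_end.poll(SCAN_TIMEOUT_S):
            verdict = recv_end.recv()
    except EOFError:  # child exited without sending anything
        verdict = None
    child.join(SCAN_TIMEOUT_S)
    if child.is_alive():  # hung: kill it, the broker is unaffected
        child.kill()
        child.join()
    recv_end.close()
    # Fail closed: an unscannable file is quarantined, not released, and the
    # broker itself never touched the bytes that crashed the engine.
    return verdict if verdict is not None else "scan-failed"


# Constructed samples: well-formed clean, well-formed flagged, and a header
# that claims more payload than is present (the parser's crash case).
SAMPLES = {
    "clean.bin": (5).to_bytes(4, "big") + b"hello",
    "flagged.bin": (8).to_bytes(4, "big") + b"xxEVILxx",
    "malformed.bin": b"\xff\xff\xff\xff",
}


def scan_all() -> dict:
    return {name: scan_isolated(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:14} {verdict}")
```

The malformed sample prints a traceback from the child on stderr; that is the engine dying in its cage while the broker goes on to report "scan-failed" and continue with the next file.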

      • We're just lucky it's not a ring -3 antivirus coprocessor embedded in the northbridge.
  • by zenlessyank ( 748553 ) on Friday July 08, 2016 @09:26AM (#52470777)
    Almost every client that I have had to deal with infected machines were looking for free movies on the web. They lie and say they have no idea, but when I show them their browsing history then they get all stuttery and defensive. I would say it is about 50/50 with porn and regular movies. I haven't seen many infections through e-mail that actually make it to the machine.
    • I would say it is about 50/50 with porn and regular movies.

      Which I don't understand. You can get porn risk free pretty much on all big platforms. Free porn is a solved problem. No need to go to shady websites.

      Hell, it's in the interest of most porn providers to avoid infecting you because, they'd rather have you as a paying customer. Go to the big streaming porn websites, invariably there are payvideo on demand, webcam sites and dating sites behind them. They want you to pay for that. They don't wan

      • I should have added that the porn wasn't the usual porn that they were looking for. Usually animal and scat. Sometimes other things which I won't even speak of. I have had several clients call the police on their significant other also after seeing the list of filth right in front of their eyes.
    • by account_deleted ( 4530225 ) on Friday July 08, 2016 @10:17AM (#52471171)
      Comment removed based on user account deletion
    • I have been working in IT security for nearly 3 decades. Work for a mail hosting company or support large mail infrastructure if you want to find people infected by mail. I have, do, and can tell you that most business PCs are infected through email and attachments. For home PCs, you are right that most comes from malicious sites often hosting video. There is another very small set of hosts who get attacked quite differently. These are targeted service attacks generally masked by a massive DDOS. They

      • Thank you for reminding me that I am stuck in a house with a blown out back and just don't have the clients flowing through..... I always appreciate the sly underhanded comments on Slashdot. ...... Looking forward for more!!!
        • Pain medication may also induce paranoia. There was no "sly underhanded comment" at all, it was a very detailed response with a factually verifiable view of the world outside of your personal anecdote.

          As a person who has had a full shoulder reconstruction (18 Mitek anchors collar bone, shoulder blade, ball joint), 3 knee surgeries (ACL and Kneecap once, MCL and meniscus twice), and 4 damaged disks (L1-4) I speak from experience in that category too. The Army was fun, but may also cause permanent injury.

          • What pain medication? I would have to have some form of medical insurance to get pain medication. Dope ain't free.
        • by PCM2 ( 4486 )

          My actual, literal first thought was: "WTF? Why doesn't he fix his damn house?"

          I'll get the lights on my way out.

      • I'll see your anecdote and raise you: most are caused by malvertising from general web browsing. Perhaps you aren't seeing other infection vectors if your work focuses on the email side? I don't run the mail service or the network, but I'm responsible for security generally. Most of the unwanted email we see is spam, a bit of phishing, and of course login attempts from Nigeria. Email is normally how *accounts* are exploited here, but *system* compromises usually originate from malvertising.

        Of course, we als

        • by s.petry ( 762400 )
          I did not discount that pr0n was an attack surface, I said that the majority of businesses are hit at surfaces other than pr0n. I don't work only in email, I work at the infrastructure layer so get the joy of seeing it all.
    • by NetNed ( 955141 )
      "I don't even look for porn/movies online" = "I look for movies and porn online all the time"

      Funnier is some that I know are quite the church goers and then I find traces from "girl on girl" or "young sluts" on their computers. Wouldn't believe how fast they blame someone else.
      • Yet if we saw all those people at school we would think someone is trying to steal some kids. The point being that eventually you graduate and leave school. These fuckers keep going for 20+ years!!! How much church schooling do you need???!!! There is only ONE FUCKING BOOK to read.
        • by NetNed ( 955141 )
          Ahhh isn't that true about any religion?? Unless I missed something.......
          • I thought the term 'Church' covered all the bases. Don't really feel like typing synagogue and temple and mosque and cowfield and morgue and all the other places man sits down with satan and breaks bread.
  • It is a huge liability to rely on virus definitions and heuristics engines. They are often too little, too late. The trend toward rapid development and advanced threats started about 15 years ago, and it has been making antimalware applications increasingly irrelevant.

    Ad- and script-blocking helps, but those are targeted primarily at web browsing, and that is certainly not the only attack vector.

    Whitelisting and mandatory access controls (e.g., SELinux) are the only truly effective measures, and they requir

    • After watching a server and network upgrade for my company, I am convinced that user actions are likely much less of a problem than technicians not understanding security, remote management tools, full Linux stack in access points, routers, cameras, and copiers, and the giant attack surface that is the IoT.

      It used to be that my emergency contingency plan was to pull the incoming network cable... but once you add site-to-site resource dependencies that quickly becomes suicide. This could easily be much wors

    • by tepples ( 727027 )

      There are adequate [application whitelisting] solutions, but they raise the bar in terms of the expertise, expense, and effort required. Even if a company addressed the "expense" issue by releasing a consumer-priced whitelisting application for Windows, there is no clear way to eliminate the other requirements.

      I know of a couple consumer whitelist tools for Windows. One is the SuperShield feature of PC Matic. Another is the SmartScreen feature of Internet Explorer since 9 and Windows since 8, which prompts the user to delete programs that are "not commonly downloaded". But I've read complaints on forums that the EV code signing certificate needed to immediately pass SmartScreen for a new release can be too expensive for part-time developers.

    • Whitelisting and mandatory access controls (e.g., SELinux) are the only truly effective measures

      And the shit storm from the general population with this will be a huge problem. It already is for me trying to get a very regulated industry to do it.

  • by Opportunist ( 166417 ) on Friday July 08, 2016 @09:33AM (#52470843)

    Saying that Antivirus Software is useless and using Symantec as an example is like saying that editors are useless and using /. editors as examples.

  • Comment removed based on user account deletion
  • After a stream of viri made it past the dictionary lookup and a low hit rate on new viri, I made a decision to not install anti-virus software on any newly built virt boxes.

    To replace it, I added an execute permission restrictions policy, so that anything a limited user downloaded or any file that resided in his/her directory/server file tree could NOT execute. 2nd, I hired a company called "spam experts" [spamexperts.com] to filter incoming emails (primary infection path). Lastly and very important, setup a filter fo

  • Antivirus is useless ? News at eleven.

  • AV software should meet the standards for medical treatments, following the virus analogy. First, they should be clearly shown to be 'safe' - to not cause problems on the machine or introduce new vulnerabilities. Second, they should be shown to actually stop known viruses, be able to react to new infections, and in general do a better job than the OS vendor in rapidly adapting to threats.

    Frankly, on Mac OS, I don't think any product meets these standards.

  • Here's what I wrote in Avast Acquiring AVG thread. It's even more relevant in here.

    First off, all viruses come from the internet nowadays. Yeah there's USB sticks, but, in most cases, you plug them between stuff at your house.

    A good browser paired with ad-block kinda removes all threats from your usual websites. Now even Chrome blocks you from entering websites with reported attacks. Even sending a virus through email seems like a challenge with built-in antivirus checks scanning the crap out of every byte in your attached file.

    And, as a final layer of security, there's the new Microsoft antivirus (Defender, ex. Microsoft Security defender) that seems to give decent security. And it's got the most important feature that all other antiviruses seem to lack: it's not a virus itself.

    How many times have I checked a slow laptop only to uninstall Norton and see it running fine again? And what about the other free antiviruses? When they don't put adware and trick you into giving them money, they just simply sell your data : http://www.pcmag.com/article2/... [pcmag.com]

    So, back to my initial question, are antiviruses still relevant today?

  • Not only blocking viruses, but even ads and windows 10?
