
Anti-Rootkit Security Beyond the OS

samzenpus posted more than 3 years ago | from the building-a-better-wall dept.

Intel 176

Orome1 writes "Cybercriminals know how to evade current operating systems-based security, demanding a new paradigm – security beyond the operating system. On that note, McAfee demonstrated the workings of its new McAfee DeepSAFE technology at the Intel Developer Forum on Tuesday. Co-developed with Intel, it allows McAfee to develop hardware-assisted security products to take advantage of a 'deeper' security footprint. It sits beyond the operating system and close to the silicon, and by operating beyond the OS, it provides a direct view of system memory and processor activity."


So I have to ask (2)

mikerubin (449692) | more than 3 years ago | (#37405064)

Why doesn't McAfee just write an OS?

Re:So I have to ask (1, Informative)

MichaelKristopeit417 (2018862) | more than 3 years ago | (#37405140)

Why doesn't McAfee just write an OS?

what do you think this is?

Re:So I have to ask (2)

monkyyy (1901940) | more than 3 years ago | (#37405282)

either some hard ware that double checks everything and slows everything down to a standstill,
or a bootloader

can't be sure, they are using vague marketing terms

Re:So I have to ask (-1, Flamebait)

MichaelKristopeit417 (2018862) | more than 3 years ago | (#37405540)

you think something that actively runs constantly is a bootloader? also, you think hardware is 2 words?

you're an idiot.

Re:So I have to ask (1)

monkyyy (1901940) | more than 3 years ago | (#37405722)

mind pointing out where it says constantly running? and me not typey english

anyway can anyone figure out what sort of thing this actually does? is it a bootloader that runs a scan on boot (because that's the only thing i can think of based off their diagram that isn't terrible, mainly because that wouldn't need writing rights) or something really dumb that can actually affect the OS if it gets hacked

Re:So I have to ask (1)

MichaelKristopeit414 (2018850) | more than 3 years ago | (#37405790)

"footprint"

Re:So I have to ask (1)

monkyyy (1901940) | more than 3 years ago | (#37405914)

*ggg image here*
loves and tolerates the trolls

Re:So I have to ask (-1, Troll)

MichaelKristopeit414 (2018850) | more than 3 years ago | (#37405934)

ur mum's face is the trolls

cower in my shadow some more behind your chosen ambiguous primate buddhist based pseudonym, feeb.

you're completely pathetic.

Re:So I have to ask (2, Insightful)

Anonymous Coward | more than 3 years ago | (#37405296)

1) a pseudo-OS shimmed in between the OS and the hardware
2) Another vulnerability point that can be compromised

Re:So I have to ask (0)

MichaelKristopeit417 (2018862) | more than 3 years ago | (#37405782)

a pseudo-OS? it's the lowest level software governing system operation. how is it any different than a non-pseudo-OS that has a virtualization platform built on top of it?

you're an idiot.

Re:So I have to ask (1)

LordLimecat (1103839) | more than 3 years ago | (#37405788)

I'm sure it's well coded and quite fast, though-- after all, this IS McAfee.

Re:So I have to ask (0)

Anonymous Coward | more than 3 years ago | (#37405350)

Do you really mean it? I wouldn't use their O/S for sure.

Too busy with current commitments (1)

syousef (465911) | more than 3 years ago | (#37406210)

Why doesn't McAfee just write an OS?

Too busy writing software to destroy performance on Windows. Can't spare any staff otherwise someone out there on a PC infected with^H^H^H^H^H^H^H^H^H^H^H^Hrunning McAfee might get some work done. What if that were the accountant? He might close the company account with McAfee!

Ohhh (2, Informative)

Anonymous Coward | more than 3 years ago | (#37405070)

Scary.

We need scanners that run the OS in VM. (1)

Zaphod-AVA (471116) | more than 3 years ago | (#37405086)

I think an anti-malware scanner that ran from a boot disk and loaded the OS on the drive into a virtual machine would be an incredibly valuable tool.

Or we could just switch to cloud based security white-listing and kill the majority of the malware industry overnight.

Re:We need scanners that run the OS in VM. (1)

Microlith (54737) | more than 3 years ago | (#37405204)

we could just switch to cloud based security white-listing

Explain this, please?

Re:We need scanners that run the OS in VM. (3, Insightful)

blueg3 (192743) | more than 3 years ago | (#37405400)

It means he doesn't understand the problems inherent in computer security.

Re:We need scanners that run the OS in VM. (3, Funny)

Alimony Pakhdan (1855364) | more than 3 years ago | (#37406518)

But he does understand how to use buzzwords. That has to count for something, right?

Re:We need scanners that run the OS in VM. (1)

monkyyy (1901940) | more than 3 years ago | (#37405320)

NO!!!, whitelisting the internet is out of the question

And then.... (3, Funny)

Anonymous Coward | more than 3 years ago | (#37405098)

10 years later..

"Cybercriminals know how to evade current silicon-based security, demanding a new paradigm - security beyond the hardware and the OS. On that note, McAfee demonstrated the workings of it's new invention - the non-dumb user."

Re:And then.... (0)

Anonymous Coward | more than 3 years ago | (#37405226)

Supply would never meet demand...or would it?

Re:And then.... (1)

Anonymous Coward | more than 3 years ago | (#37405236)

"On that note, McAfee demonstrated the workings of it's new invention - the non-dumb user."

Psh... I've had one of those for years now.

Re:And then.... (1)

c0lo (1497653) | more than 3 years ago | (#37405730)

"On that note, McAfee demonstrated the workings of it's new invention - the non-dumb user."

Psh... I've had one of those for years now.

Keep it safe, preferable in a cryogenic enclosure. The species is going extinct, we'll need the DNA for cloning in the near future.

Re:And then.... (0)

Anonymous Coward | more than 3 years ago | (#37405390)

"demonstrated the workings of it's new invention - the non-dumb user."

Correct use of the apostrophe: still too complicated.

Re:And then.... (2)

Baloroth (2370816) | more than 3 years ago | (#37405414)

I'm pretty sure that would destroy McAfee's entire business model.

Re:And then.... (0)

Anonymous Coward | more than 3 years ago | (#37405708)

Actual proof as to how stupid these capitalistic companies still are. Once again, they will prove that a security system built to make money, will fall to someone wanting to crack it just for shits, giggles, and cred. Need anyone say more?

lower level added latency (4, Insightful)

MichaelKristopeit418 (2018864) | more than 3 years ago | (#37405116)

it is ignorant hypocrisy to assume your product deserves to be trusted to process everything because another product is vulnerable to exploit.

now you've got your silicon running under the assumption that the OS is not implicitly trusted, but for some reason, some other OS should be trusted and should process every bit of information a 2nd time before anything is accomplished.

#dumb

Re:lower level added latency (2, Funny)

Anonymous Coward | more than 3 years ago | (#37405748)

(marking this day in the calendar. The first post in a while from MichaelKristopeit that does make some common sense. Maybe there's still hope in this world?).

That just sounds like another level to infect (2, Informative)

Anonymous Coward | more than 3 years ago | (#37405148)

Just like ring 0 and ring -1 have been abused, I'm pretty sure that in a few years, we'll read headlines "New persistent rootkit infects McAfee DeepSafe"!

Re:That just sounds like another level to infect (1)

Anonymous Coward | more than 3 years ago | (#37406272)

It's rootkits all the way down.

better idea (2, Informative)

Anonymous Coward | more than 3 years ago | (#37405154)

hammer a nail through the cpu it'll kill all the vira, and it will still have more computing power left than if it was running McAfee ...

Re:better idea (0)

Anonymous Coward | more than 3 years ago | (#37405650)

On that note, the laptop at my last job was set to run McAfee daily and all the settings were locked down. The laptop also had an obscure 'data' folder with what looked like installation files that I could not touch but was included in the virus scan.

The scan took 7 hours and started every morning.

Yes, my work laptop was _continually_ running a McAfee scan. Imagine the excruciation.

It got especially lovely when it was running Windows File Indexing at the same time.

Re:better idea (1)

c0lo (1497653) | more than 3 years ago | (#37405852)

hammer a nail through the cpu it'll kill all the vira, and it will still have more computing power left than if it was running McAfee ...

Vira?! Why don't you stick with "viruses"? ("virus" is a mass-noun in Latin - means "venom" - doesn't support plural forms. Using the contorted neo-latin "vira" is pretty much like you'd use "malwares" in English - maybe not incorrect, but doesn't sounds good to me).

Re:better idea (0)

Anonymous Coward | more than 3 years ago | (#37406280)

Sorry, but you doesn't sounds like an English expert either

Re:better idea (0)

Anonymous Coward | more than 3 years ago | (#37406344)

Sorry, but you doesn't sounds like an English expert either

You mean what exactly?

Re:better idea (1)

c0lo (1497653) | more than 3 years ago | (#37406370)

Yeah, my apologies. Still having an opinion on vira/viruses that you can share?

Just great... (4, Insightful)

Hylandr (813770) | more than 3 years ago | (#37405164)

Now the hardware can be ground to a halt without ever loading an OS.

Given the choice of McAfee or malware at this level, I would choose the malware.

- Dan.

Re:Just great... (0)

Anonymous Coward | more than 3 years ago | (#37405316)

Given the choice of McAfee or malware at this level, I would choose the malware.

- Dan.

Tell me again what the difference is?

Re:Just great... (0)

Anonymous Coward | more than 3 years ago | (#37405434)

agreed...McAfee, svchost.exe.....'nuff said

Re:Just great... (5, Insightful)

xMrFishx (1956084) | more than 3 years ago | (#37405454)

Given the choice of McAfee or malware at this level, I would choose the malware.

- Dan.

Tell me again what the difference is?

You can remove malware.

Re:Just great... (1)

RobbieThe1st (1977364) | more than 3 years ago | (#37405528)

Mod parent funny... but true.

Re:Just great... (1)

Kagetsuki (1620613) | more than 3 years ago | (#37406004)

ditto, I wish I had mod points. Nice zing there.

Re:Just great... (0)

Anonymous Coward | more than 3 years ago | (#37405550)

McAfee takes your money then gets on your computer. Malware gets on your computer then takes your money.

Re:Just great... (1)

libkarl2 (1010619) | more than 3 years ago | (#37405716)

Given the choice of McAfee or malware at this level, I would choose the malware.

- Dan.

Tell me again what the difference is?

TCO.

Re:Just great... (1)

maxwell demon (590494) | more than 3 years ago | (#37406572)

Given the choice of McAfee or malware at this level, I would choose the malware.

- Dan.

Tell me again what the difference is?

Most malware doesn't make your computer unusable.

Re:Just great... (1)

flappinbooger (574405) | more than 3 years ago | (#37405864)

I think the only reason McAfee still exists is because of their deals with ISPs and product placement at WalMart. Certainly not because of their reputation in the security industry.

Oh, and because they just get bought out ... by Intel. Yeah. And here we all thought (hoped) Intel would let McAfee die quietly in the corner.

Is this a more annoying version of data execute prevention? Maybe call it DERP?

Rootkit Making Tool (0)

Anonymous Coward | more than 3 years ago | (#37405196)

This is great, sounds like a tool that would be great for MAKING new rootkits, actually.

Also, you can make sure that yours is hidden even from hardware-based antivirus. .... paranoia aside, it is the right way to go... but I don't really think McAfee will put a dent in serious viruses.... they still don't even detect ircphate...

turtles (3, Informative)

Anonymous Coward | more than 3 years ago | (#37405198)

it's turtles all the way down!

Might as well just return to the Tandy 1000 days (2)

dsanfte (443781) | more than 3 years ago | (#37405228)

With a core operating system in ROM, mounted as a system disk. Flash your new OS like a BIOS.

That'd stop a lot of this rootkit crap cold, wouldn't it?

Re:Might as well just return to the Tandy 1000 day (0)

Anonymous Coward | more than 3 years ago | (#37405338)

And require physical manipulation, e.g. jumper or dipswitch, to flash that ROM in case you want to re-install/upgrade OS.
While write mode is ON the box is isolated from rest of the internet.
At this point you only have to make sure that your update isn't infected. This can be easily verified using public key embedded in the current OS assuming that the vendor hasn't pulled a DigiNotar.
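The signed-update check described in the comment above (verify the new image against a public key that is already embedded in the installed OS, and only then allow the write), worked through as an added example that is not part of the thread or of any product named in it. It uses the openssl command line with RSA-2048 and SHA-256; file names, the key size and the image contents are constructed for the demo. The write-enable jumper and the network isolation while writing are hardware steps and are not modelled here.

```shell
#!/bin/sh
# Added example, not from the thread: accept an OS/ROM update only if its
# detached signature verifies against the vendor public key embedded in the
# currently installed system. Everything runs in a scratch directory; the
# "flash" step is a plain copy. File names and contents are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Vendor side (build infrastructure, never on the device) ---------------
# Generate an RSA-2048 key pair; only vendor.pub ships inside the OS image.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out vendor.key 2>/dev/null
openssl pkey -in vendor.key -pubout -out vendor.pub 2>/dev/null

# Constructed stand-in for the update image.
printf 'OS-IMAGE v2 (constructed test data)\n' > update.img
# Detached signature over the SHA-256 digest of the image.
openssl dgst -sha256 -sign vendor.key -out update.sig update.img

# --- Device side ------------------------------------------------------------
# verify_update IMAGE SIG PUBKEY: returns 0 if SIG is a valid signature over
# IMAGE under PUBKEY, 1 otherwise. PUBKEY is the key baked into the running OS.
verify_update() {
    if openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# flash_if_valid IMAGE SIG PUBKEY: the gate the write-enabled update path calls.
# Only a verified image is ever written to the (simulated) ROM.
flash_if_valid() {
    if verify_update "$1" "$2" "$3"; then
        cp "$1" flashed.img
        echo "signature OK: flashed $1"
        return 0
    fi
    echo "signature INVALID: refused $1" >&2
    return 1
}

# Tampered copy: the bytes changed, the signature did not.
cp update.img tampered.img
printf 'appended payload\n' >> tampered.img

flash_if_valid update.img   update.sig vendor.pub
flash_if_valid tampered.img update.sig vendor.pub || true
```

The point of keeping the key in the *current* image is that an attacker who can only write the update staging area cannot also swap the trust anchor; rotating that anchor requires a previously signed image that carries the new key, which is exactly where a compromised vendor CA (the DigiNotar case the comment alludes to) would hurt.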

Re:Might as well just return to the Tandy 1000 day (0)

Anonymous Coward | more than 3 years ago | (#37405582)

Can it stop God? You've picked a side.

10 i = i + 1
15 IF i > 99999 THEN PRINT ".";: i = 0
20 IF INKEY$ = "" THEN 10
30 PRINT "King James Bible, Line:", i

Line:46410
7:12 If he turn not, he will whet his sword; he hath bent his bow, and
made it ready.

7:13 He hath also prepared for him the instruments of death; he
ordaineth his arrows against the persecutors.

7:14 Behold, he travaileth with iniquity, and hath conceived mischief,
and brought forth falsehood.

7:15 He made a pit, and digged it, and is fallen into the ditch which
he made.

Re:Might as well just return to the Tandy 1000 day (1)

maxwell demon (590494) | more than 3 years ago | (#37406584)

Can it stop God?

God only infects human brains, not computers.

Re:Might as well just return to the Tandy 1000 day (1)

Solandri (704621) | more than 3 years ago | (#37405922)

That's what I was thinking. A SATA/USB3 adapter I bought [newegg.com] has a jumper to make the drive read-only. That got me thinking - why can't we have a hardware toggle switch to make the boot drive read-only? You can't root it if you can't modify any of the bootable system files, or if you do manage it a reboot will clear it up. Yeah you'd have to toggle the drive writeable to install new software or update. But is there really any point to leaving the boot drive writeable when you're not updating or installing?

Re:Might as well just return to the Tandy 1000 day (1)

microphage (2429016) | more than 3 years ago | (#37405926)

"Might as well just return to the Tandy 1000 days With a core operating system in ROM, mounted as a system disk. Flash your new OS like a BIOS. That'd stop a lot of this rootkit crap cold, wouldn't it?"

That solution wouldn't work with today's `innovative' desktop operating systems and besides there's no money in your solution ..

Re:Might as well just return to the Tandy 1000 day (1)

jackbird (721605) | more than 3 years ago | (#37406168)

Windows on a cartridge sure would deter piracy...

Re:Might as well just return to the Tandy 1000 day (1)

S77IM (1371931) | more than 3 years ago | (#37406228)

It's our only sure defense against the Cylon menace!

Social Engineering (2)

AJNeufeld (835529) | more than 3 years ago | (#37405244)

Yet another technology to confuse the end users. There will be countless 3rd party versions of this, due to anti-competition legislation, a significant portion of which will be "free" or "lower cost alternatives" and not do what it promises to do.

Nothing should get between the OS and the metal. The OS should be smart enough to watchdog all processes.

Re:Social Engineering (0)

Anonymous Coward | more than 3 years ago | (#37405480)

There's plenty of things that go between the OS and the metal, such as hypervisors, firmware etc.

Problems: (2)

Tastecicles (1153671) | more than 3 years ago | (#37405248)

OK, this is another layer to slow the system down before the OS is even loaded.

Where's the UI? Via the OS? Is McAfee writing a UI for NT, Mac OS, Linux...? Fine, so develop a sandbox, then they write the circumvention, saving the script kiddies the bother...

Does anybody really want (0)

Anonymous Coward | more than 3 years ago | (#37405260)

McAfee that deep and cozy with the bare hardware?

Not much of an article (1)

Pete Venkman (1659965) | more than 3 years ago | (#37405298)

What a waste of bits. The article didn't talk about much more than what was in the summary.

Re:Not much of an article (0)

Anonymous Coward | more than 3 years ago | (#37405348)

you must be new here.

We're heading for the days of DRM everything... (5, Interesting)

garcia (6573) | more than 3 years ago | (#37405328)

Beginning back in 2003 [slashdot.org] I talked about the future of computing which will include DRM in the BIOS. I have posted numerous times about it and even once noted DRM'd BIOSs will eventually be required to connect to the "safe" Internet [slashdot.org] .

We're one step closer now with this... Oh looky, we have the perfect way to stop this from happening. A totally secure DRM'd BIOS. Just use our product and the secure Internet won't have any spyware/malware/etc.

Oh, and online banking, paying the electric bill, connecting to webmail from Google, etc. will all require you to have a DRM-enabled BIOS.

IPs may not point to an individual computer but the DRM'd BIOS sure will.

Re:We're heading for the days of DRM everything... (1)

RobbieThe1st (1977364) | more than 3 years ago | (#37405536)

Yeah, true. Unfortunately, it won't solve the problem. Someone'll just get control of one of the signing keys, and then we'll have non-removable, trusted malware!

Re:We're heading for the days of DRM everything... (0)

Anonymous Coward | more than 3 years ago | (#37406326)

Beginning back in 2003 [slashdot.org] I talked about the future of computing which will include DRM in the BIOS. I have posted numerous times about it and even once noted DRM'd BIOSs will eventually be required to connect to the "safe" Internet [slashdot.org] .

We're one step closer now with this... Oh looky, we have the perfect way to stop this from happening. A totally secure DRM'd BIOS. Just use our product and the secure Internet won't have any spyware/malware/etc.

The reason I'm not afraid of such a thing is that it can't work. As soon as the "safe internet" is launched, it'll be immediately proven to be no more secure than the internet we have now. When it gets broken, who's going to want to pay for it? And there won't be any keeping secrets about it. Everyone who cares will know it broke, since it's on the internet.

Re:We're heading for the days of DRM everything... (1)

c0lo (1497653) | more than 3 years ago | (#37406458)

We're one step closer now with this... Oh looky, we have the perfect way to stop this from happening. A totally secure DRM'd BIOS. Just use our product and the secure Internet won't have any spyware/malware/etc.

Secured BIOS doesn't automatically mean the sky is falling on a DRM-ed world (I can have one of the OpenBIOS [wikipedia.org] variant secured).

Has little windows to look in at the bytes? (0)

Anonymous Coward | more than 3 years ago | (#37405330)

It sits beyond the operating system and close to the silicon, and by operating beyond the OS, it provides a direct view of system memory and processor activity."
Has she got little windows to look in at the bytes going by or bye?

One more thing to pwn! (2)

Sarusa (104047) | more than 3 years ago | (#37405358)

'it provides a direct view of system memory and processor activity, allowing McAfee products to gain an additional vantage point in the computing stack'

So it's visible from the OS. Now we have another vector of attack. How long before it's exploited to create even deeper rootkits, eh? Unless it's completely uncrackable, like the PS3.

Re:One more thing to pwn! (1)

v1 (525388) | more than 3 years ago | (#37405412)

It may simply be something that runs on a parallel level with the main processor, that has access (read/write) to the main system, but that cannot be modified (or even detected) by the main system. Not a bad place for AV software really. But as several have pointed out, it has to allow the user at some point to make changes/updates to it, and that means users will be letting zero-day nasties get into the protected space and then you're hosed good.

Yeah, exactly (1)

Giant Electronic Bra (1229876) | more than 3 years ago | (#37405622)

Any new layer of software like this will be complex enough to be hackable and has to be maintained, so it has to have ways to get into it. Even with TPM or some similar scheme there are ALWAYS weaknesses, timing attacks, back doors, bad implementation, etc.

Re:One more thing to pwn! (1)

RobbieThe1st (1977364) | more than 3 years ago | (#37405546)

I dunno. Sitting between the processor and the OS... Sounds a lot like a Linux system running Windows in a VM. And, they are right, that *would* improve matters, thanks to snapshots and virtual hardware. :P

Re:One more thing to pwn! (1)

Sarusa (104047) | more than 3 years ago | (#37405750)

I'm not reading this as a hypervisor (though it's a good idea) - it certainly could be, but they're not providing enough detail and there are already hypervisors out there.

The FAQ on this thing isn't really a FAQ, it's just marketing bullshit, but they keep talking about the DeepSAFE hardware working in concert with the McAfee software - there might not even be any anti-virus software as such running on the DeepSAFE hardware itself.

That sounds more like a JTAG-type debugger for the CPU that lets software running on the PC get a raw look at the contents of memory and various CPU registers and bits while completely bypassing all of the OS/CPU controls on that.

Which of course would also be great for malware to have access to as well.

Re:One more thing to pwn! (1)

Just Brew It! (636086) | more than 3 years ago | (#37406002)

My take on it is that it is in fact some sort of hypervisor. The "hardware assist" they refer to is probably nothing more than VT-x/VT-d (or possibly some minor variation thereof). I find it a pretty big stretch to believe that Intel would spend a lot of effort developing a major new hardware feature just to accommodate McAfee.

Re:One more thing to pwn! (1)

Sarusa (104047) | more than 3 years ago | (#37406106)

I was thinking this was for Ivy Bridge or Haswell - Intel /bought/ McAfee, so adding extra future hardware support is somewhat plausible.

But now I see a 'The technology is expected to launch in products later in 2011' line, and Ivy Bridge isn't till 2012, so you're probably right.

Re:One more thing to pwn! (1)

RobbieThe1st (1977364) | more than 3 years ago | (#37406156)

It'd also be great for breaking any sort of DRM that relies on privileged apps in the OS. Great!

Re:One more thing to pwn! (0)

Anonymous Coward | more than 3 years ago | (#37406482)

I just hope it doesn't become another issue to deal with for anyone not running Microsoft Windows

Cat and Mouse (2)

EMG at MU (1194965) | more than 3 years ago | (#37405388)

What is going to be different about this software layer?

Is it going to be written in some new magical language that prevents programmers from fucking up and having buffer overflow/underflow or other common problems that you see in C and C++, the most likely languages that this kind of software would be written in?

Just today there was an article on ./ about BIOS infections. Isn't the BIOS a layer between the OS and "silicon"? Sure, the BIOS wasn't written to be a security layer, but just because a software layer is below the OS doesn't mean that it is immune to being exploited.

From TFA:

Provides real time CPU event monitoring with minimal performance impact.

(bold tags added by me)
Bullshit. Just like normal AV has minimal performance impact now.

Besides all of the obvious reasons that this is just another gimmick by McAfee to get more $$ from corporate IT departments with MBA directors that don't even know what the "silicon" in the marketing press release, sorry "article" means, when this gets exploited and there are viri for this layer I bet McAfee will have a AV for this layer to sell.

Oh, thats not what first comes to mind (0)

Anonymous Coward | more than 3 years ago | (#37405486)

"and by operating beyond the OS, it provides a direct view of system memory and processor activity."

I thought you meant "Seal Team 6 and a bullet between the eyes" beyond the operating system.

xzibit (1)

Georules (655379) | more than 3 years ago | (#37405488)

I rootkitted your rootkit so you can rootkit while you rootkit.

Been doing the same 4 DECADES already (1)

Anonymous Coward | more than 3 years ago | (#37405530)

Via tools U already own: Windows Install Media (read-only), & it's RECOVERY CONSOLE - Fixmbr, Disable, & Listsvc are all you needed to "take out" anything in the way of rootkits (or, those combined w/ botnets + "3rd party malware" they download & use)... it works & has worked recently.

Even vs. the last allegedly "indestructible botnet" & it's hello_tt.sys bootsector protectant driver... which disable from RC stalls on reboots, then it's fixmbr to blowout the MBR$ infesting rootkit itself.

(Listsvc's only for seeing driver &/or service names + their load states, etc. (when you don't know the name of the rootkit's driver, IF ANY, most rootkits don't use that & a "phalanx" formation extra driver protector either though, luckily, not yet @ least))

In the case of the "allegedly indestructible rootkit", this worked, in perhaps @ most, 3 min. time...

(Especially for those that know & recognize valid service &/or driver names used by Windows itself too, saves time googling from another system for driver &/or service names + purposes).

APK

P.S.=> The weakness the "allegedly indestructible rootkit" had is that it's driver also didn't protect ITSELF @ the registry driver parameterization itself...

Now, think about that, given the tools I've been using for ages vs. rootkits - IF it did that? The technique above might not have worked vs. it!

This one this article's about?? Looks like a mean cookie what-with the BIOS being thrown into the mix as well... to me @ least?? It'd mean time.

Time to bootstrap from a DOS bootdisk with bios flashware & latest/greatest ROM for that mobo, & reburn that too - timeconsuming b.s.!

However, not avoiding it - it would NEED TO BE DONE, otherwise that rig's "permanently hosed" - period. It's @ BIOS hardware ROM level then, have to cleanse it or it's typhoid Mary basically... anyhow...

Know the tools you already own - they can do a hell of a job in minutes on rootkits of ANY kind (MBR, driver driven, or a "blended threat" that uses both)...

... apk

Re:Been doing the same 4 DECADES already (1)

lennier (44736) | more than 3 years ago | (#37406282)

Been doing the same 4 DECADES already

You've been doing virus removal for 40 years? I guess you got your start on OS/360!

Translation: (1)

jrbrtsn (103896) | more than 3 years ago | (#37405548)

McAfee thinks that Microsoft will never be able to write a secure OS, so they are taking matters into their own hands.

Re:Translation: (2)

Tastecicles (1153671) | more than 3 years ago | (#37405640)

why on Earth would they do something so drastic as put themselves out of a job?

Wrong problem to solve (2)

i_ate_god (899684) | more than 3 years ago | (#37405560)

Considering the vast majority of attacks relies on human stupidity, why don't we try to solve that problem first. Security should be part of the educational package in high schools. How to be secure with your digital life.

But rather than call it security, just call it safety. Kids have to be taught how to be safe in all sorts of situations, computers shouldn't be any different.

Re:Wrong problem to solve (0)

Anonymous Coward | more than 3 years ago | (#37405654)

Yeah the *RIGHT* problem to solve is to make the bios read only. Problem solved. Want to write to it. Must move a jumper...

Co-developed with Intel (2)

airfoobar (1853132) | more than 3 years ago | (#37405576)

FYI, Intel owns McAfee now. This sounds like something between Trend ChipAwayVirus, a hardware debugger and draconian DRM.

Pre-Boot Antivirus (3, Interesting)

a_nonamiss (743253) | more than 3 years ago | (#37405596)

I use an Ubuntu USB drive that I created for the specific purpose of scanning systems before they boot into the OS. It won't detect malware in real-time, but it should, in theory, catch a root kit that's well hidden from being detected within the OS. What I don't understand is why there's not something commercial out there that does this. With my home-made drive, I can boot, mount a truecrypt volume (all our computers are truecrypted) and scan a Windows file system with several different free tools. The only problem is, since they are free, they tend to be not very good. I scanned a system I was working with yesterday, and ClamAV, Avast!, BitDefender and AVG all missed a boot sector virus. The system was clearly infected, judging by all the BSODs and other strange behavior, but all these tools came up clean. They were also slow as hell. Each scan took hours. Finally, I attached the hard drive to a Windows machine and ESET picked up the virus right away, although it wasn't able to clean it. Had to download a separate tool from Kaspersky to do that.

What I'm saying is most of the stuff I did is not accessible to the unwashed masses. On top of that, I would actually pay good money for a tool that I could use and not have to screw with 5 different immature anti-virus platforms that could be used to remove rootkits. Nothing about this virus was particularly fancy, once you got it outside of the OS. (It loaded kernel mode drivers to prevent it from being seen within Windows.) Why don't one of the major players start looking into something like this? Bootable, able to update definitions over the Internet and fast. I, and probably my company, would pay really good money for that.
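An offline integrity check of the kind both the read-only boot drive comment (Solandri, above) and the pre-boot scanning post above point at, as an added example that is not from the thread or from any of the scanners named in it: hash every file on the unbooted system volume while it is still trusted, keep the manifest on the read-only rescue medium, and on later boots from that medium report files that were modified, removed or added. Because the target OS is not running, a kernel-mode driver that hides files from a live scan has nothing to hook. The directory layout and file contents are constructed; on a real rescue stick `ROOT` would be the mount point of the target volume and `RESCUE` the stick itself.

```shell
#!/bin/sh
# Added example, not from the thread: manifest-based integrity check of an
# unbooted system volume, run from a trusted rescue medium. The "volume" and
# "rescue medium" below are scratch directories with constructed contents.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

ROOT=$WORK/mnt/sysroot       # stands in for the mounted, not-booted target volume
RESCUE=$WORK/rescue          # stands in for the read-only rescue USB stick
mkdir -p "$ROOT/boot" "$ROOT/system32/drivers" "$RESCUE"

# Constructed "system files" on the target volume.
printf 'bootloader stage 1\n'   > "$ROOT/boot/bootmgr"
printf 'kernel image\n'         > "$ROOT/system32/ntoskrnl.exe"
printf 'disk filter driver\n'   > "$ROOT/system32/drivers/disk.sys"

# make_manifest ROOT OUT: record SHA-256 of every regular file under ROOT.
# Paths are stored relative to ROOT ("./...") so the manifest is portable.
# (Simple demo: file names containing spaces or newlines are not handled.)
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

# check_volume ROOT MANIFEST: re-hash ROOT and print one finding per line:
#   MODIFIED <path>  digest differs from the manifest
#   MISSING  <path>  listed in the manifest but gone or unreadable
#   ADDED    <path>  present now but never listed (e.g. a dropped driver)
# Returns 0 when there are no findings, 1 otherwise, 2 if ROOT is not a dir.
check_volume() {
    root=$1; manifest=$2
    [ -d "$root" ] || return 2
    findings=$(
        cd "$root" || exit 1
        # sha256sum -c reports "<path>: FAILED" or "<path>: FAILED open or read".
        sha256sum -c --quiet "$manifest" 2>/dev/null \
            | sed -n -e 's/^\(.*\): FAILED open or read$/MISSING \1/p' \
                     -e 's/^\(.*\): FAILED$/MODIFIED \1/p'
        # Anything on disk now that the trusted manifest never listed.
        find . -type f | LC_ALL=C sort > "$WORK/now.lst"
        awk '{ print $2 }' "$manifest" | LC_ALL=C sort > "$WORK/known.lst"
        comm -13 "$WORK/known.lst" "$WORK/now.lst" | sed 's/^/ADDED /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# 1. Take the manifest while the volume is known-good; store it on the rescue medium.
make_manifest "$ROOT" "$RESCUE/manifest.sha256"
check_volume "$ROOT" "$RESCUE/manifest.sha256" && echo "clean volume: no findings"

# 2. Simulate a kernel-mode rootkit install: patch one driver, drop a new one.
printf 'patched by rootkit\n' >> "$ROOT/system32/drivers/disk.sys"
printf 'hidden driver\n'       > "$ROOT/system32/drivers/hidden.sys"

# 3. Next boot from the rescue stick: the offline check sees both changes.
check_volume "$ROOT" "$RESCUE/manifest.sha256" || echo "volume FAILED integrity check"
```

The manifest is only as trustworthy as the medium it lives on and the moment it was taken, which is the same argument the read-only-drive comment makes: the check has to run from something the infected OS could never write to.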

Re:Pre-Boot Antivirus (1)

TubeSteak (669689) | more than 3 years ago | (#37406560)

The system was clearly infected, judging by all the BSODs and other strange behavior, but all these tools came up clean.

Malware writers do one of two things:
1) Write custom code and/or
2) Use off the shelf encryptors

Then they submit their code to multiple scanners until it comes up clean.
And there's a brisk business in encryptors that will hide your code from the 20~30 most common virus scanners.

The specific terminology escapes me because it's been so long.
I just vaguely remember all this from one guy who hung out on IRC and liked to talk about his botnet.
He'd spend hours combing malware forums for the latest encryptor that wouldn't be picked up by n+1 scanners.

security always matter of tension (1)

allursolve (2461654) | more than 3 years ago | (#37405598)

I think it also needs to be added here that spyware [allursolve.com] is also a great problem for PC users. We need enough protection against it.

CommonSense 2011 (0)

Anonymous Coward | more than 3 years ago | (#37405610)

All computer users need it; few computer users have it.


Why not just boot from CD? (2)

Hentes (2461350) | more than 3 years ago | (#37405658)

Why don't they make a bootable antirootkit like bitdefender? That's the easiest solution to the problem. Getting closer to the metal is an uphill battle because eventually malware writers will figure out how to get there themselves, and the situation just becomes worse. In fact, as antivirus software gets more and more privileges it becomes more and more like a virus. Cannot be closed, always running in the background, inspects/modifies/deletes files without your permission. Sometimes I wonder if the reason for not fixing OS bugs is that Microsoft is afraid of making AVs incompatible.

Re:Why not just boot from CD? (2)

c0lo (1497653) | more than 3 years ago | (#37405880)

Why don't they make a bootable antirootkit like bitdefender?

How could McAfee slow down your OS if you boot from CD?

Re:Why not just boot from CD? (1)

TubeSteak (669689) | more than 3 years ago | (#37406574)

How could McAfee slow down your OS if you boot from CD?

By forcing your CD drive and HD to run in PIO mode?

Re:Why not just boot from CD? (1)

vetman (629670) | more than 3 years ago | (#37405992)

It doesn't matter how you boot, CD, ROM, Write Protected Disk...Now in the internet age, if your machine is vulnerable you will reboot clean and be re-infected. We need to write better software.

Immutable OSes (2)

gswallow (115437) | more than 3 years ago | (#37405984)

Bah. Back around the turn of the century I constructed the most hack-proof OS install ever. My FreeBSD-running-Squid solution mounted the entire OS off of a CD-ROM, created a 2MB RAM disk, mounted it as /etc and copied the entire /etc directory from floppy disk. After booting, it unmounted the floppy disk and I called the NOC to eject it, creating a 1cm air gap between the read-write heads of the floppy drive to the floppy disk contents. The collocation space and bandwidth were free and the floppies and CD-Rs cost $.10 each. If I ever suspected rootkits I would just shut the machine down as I had half a dozen of these 1U servers, at $100 each off eBay! Take that cloud computing and McAfee ROMs!

Re:Immutable OSes (1)

itsme1234 (199680) | more than 3 years ago | (#37406322)

Nope.
Immutable means no updates = nothing to prevent the malware from getting back in once you rebooted the box. Unless your idea of security is pulling the cord and leaving it like that.
There were worms that used RAM-only and would not survive a reboot, for example http://en.wikipedia.org/wiki/Witty_(computer_worm) [wikipedia.org] (this would only destroy data on hdd but not install there).

Really? (0)

Anonymous Coward | more than 3 years ago | (#37406022)

I would suspect this would be more for MBR exploits than anything else. On the other hand, if they are going to try to sample instructions in real time, they would not need to sit between anything as a majority of people on here seem to suggest; they could simply send an interrupt whenever something is detected... just like every other piece of hardware on the system does. My only concern would be how they handle the interrupts: if it halts the system, blocks processes etc. it would be relatively simple for someone to write code to effectively brick motherboards.

sheesh (2)

alienzed (732782) | more than 3 years ago | (#37406040)

why can't people just stop allowing themselves to be tricked. Trust the internet like you'd trust any stranger and you'll be OK.