Slashdot: News for Nerds

The End of Signature-Based Antivirus Software?

CmdrTaco posted more than 8 years ago | from the one-can-only-hope dept.

Security 290

nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability related attacks. The test results were announced by the author to the focus-virus discussion list. What's really impressive, besides the huge difference between response times among antivirus companies, is that two products succeeded in proactively detecting all 6 attacks without any signature update."


290 comments

Excel sheet Zip file???? (5, Funny)

gtrubetskoy (734033) | more than 8 years ago | (#13400521)


From the referred posting: You can find the information how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in an Excel sheet (18 KB ZIP file) which is available at http://www.av-test.org/ [www.av-test.org]

At first glance this looks like a clever variation on "important document attached" e-mails we all get every day...

Re:Excel sheet Zip file???? (1)

El_Muerte_TDS (592157) | more than 8 years ago | (#13400548)

Is it safe to open?
I just updated my virus scanner and I want to see how effective it was according to the tests. But I'm not just going to open that zip just to find out that my virus scanner apparently didn't do that well after all.

Re:Excel sheet Zip file???? (1)

hobbesx (259250) | more than 8 years ago | (#13400592)

But I'm not going to open that zip just to find out that my virus scanner apparently didn't do that well after all.


Why not just scan the zip file? Your AV program should be able to uncompress it safely.

Re:Excel sheet Zip file???? (3, Insightful)

Skiron (735617) | more than 8 years ago | (#13400759)

http://marc.theaimsgroup.com/?l=focus-virus&m=112489911518567&w=2

Perhaps. But unless you are on windows, and with the additional £300 MS Office, you are not going to see a lot?

Straight away any credibility to a study group issuing information in a non-open-standard application leaves doubt.

Re:Excel sheet Zip file???? (0)

Anonymous Coward | more than 8 years ago | (#13400826)

Just go to OpenOffice.org and you can open just about any Excel, Word, or PowerPoint document.

Re:Excel sheet Zip file???? (1)

hobbesx (259250) | more than 8 years ago | (#13400881)

Looks like a communications issue- I think the GP was expecting the Excel file to be infected with the viruses- I did RTFA before posting, but I figured that I must have misunderstood.


BTW, OpenOffice opens Excel files just fine in my experience, Windows or Linux. Still, I see your point. Why not just release the information in the post?

Re:Excel sheet Zip file???? (2, Insightful)

Anonymous Coward | more than 8 years ago | (#13400853)

Is it safe to open?

Go ahead. It's safe.

(You are using OpenOffice under Linux or BSD, right?)

Re:Excel sheet Zip file???? (0, Offtopic)

Anonymous Coward | more than 8 years ago | (#13400564)

What no tripmasterbater monkee with first prost? I miss seeing the little ascii guy that I haven't seen since I was in middle school....

Re:Excel sheet Zip file???? (5, Funny)

milimetric (840694) | more than 8 years ago | (#13400864)

what I find interesting here is that whereas in the detection time sorted column Symantec performed at an average level, in the alphabetically sorted column they performed very badly, being one of the last ones in the list. Judging by a quick glance at this, I will switch my antivirus software to AntiVir which was at the TOP of the list.

First post? n/t (-1, Offtopic)

Yaa 101 (664725) | more than 8 years ago | (#13400527)

wow

YOU FAIL IT! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13400542)

YOU FAIL IT!

yeah but... (-1)

hjf (703092) | more than 8 years ago | (#13400539)

viruses don't run in BSD

Re:yeah but... (-1)

Anonymous Coward | more than 8 years ago | (#13400562)

well why would they bother to run on a dead OS, am I right?

well (-1, Flamebait)

geekoid (135745) | more than 8 years ago | (#13400552)

It just means that they already had the signature.

Re:well (4, Informative)

the_mighty_$ (726261) | more than 8 years ago | (#13400621)

It just means that they already had the signature.

No, it means that the AV program was using "proactive virus protection."

That simply means that the AV program monitors the behavior of programs and makes sure they don't violate security policy. If they do, the AV software assumes it is a virus.

Re:well (2, Informative)

globalar (669767) | more than 8 years ago | (#13400960)

Testing virus definitions is somewhat straightforward. Aside from variations (which can still be detected in many cases), you're just looking for a pattern that you already have.

A policy approach is practically an AI problem. We can describe it in terms of patterns, but it should be very easy to find a loophole in the logic (or too many false positives). Most importantly, the problem frequently begs for intrinsic knowledge of a system - but the whole goal is to find a general solution to specific problems (hence "policy").

In true /. tradition, let me give a shoddy example. Consider the crime of murder. There are many ways to kill someone. If we want to detect this crime, we need to analyze one of two perspectives: the ability of a human to survive or the functions required for life (alternatively the presence of death). Looking for death and looking for a life-taking action are not too difficult (with exceptions). But the in-between, fuzzy areas where the subject might be dead but could be alive are very difficult.

We also have to identify the cause of the crime. Not to mention since this action is automated, we need a way to double check our data and ensure it hasn't been tampered with.

Frankly, signature matching is what I pay for in an AV client. The vast bulk of threats are known and preventable. Until I know more about the policy logic of a client, I cannot afford to bank on it.

Re:well (1)

mrdaveb (239909) | more than 8 years ago | (#13400805)

How can they already have the signature for a virus before the virus actually exists? They obviously managed to detect the virus by some general heuristics for spotting suspicious behaviour. ... unless you are suggesting the AV companies were the virus authors? :-)

Re:well (3, Funny)

Drakonite (523948) | more than 8 years ago | (#13400980)

unless you are suggesting the AV companies were the virus authors? :-)

I might suggest that, but I don't want a sudden string of viruses to attack my computer...

Re:well (0)

Anonymous Coward | more than 8 years ago | (#13401025)

lol what?

signatures? (1)

milktoastman (572643) | more than 8 years ago | (#13401004)

Now, I don't know about any of you, but I myself have never found it necessary to give my signature out to McAfee or Norton to get their products to work. Maybe I had a cracked version, I don't know, but I've always been able to install and operate without signing a damn thing....okay, okay, I'm kidding! Sorry to all you who were about to just rip into my stupidity. I've taken away your fun! I'm just foolin'!

The death of X (4, Funny)

twigles (756194) | more than 8 years ago | (#13400560)

This week on /., "The Death of [fill in the blank]!" It's just one test, slow down and breath.

Re:The death of X (0)

Anonymous Coward | more than 8 years ago | (#13400771)

This week on /., "The Death of [fill in the blank]!" It's just one test, slow down and breath.

Here, I'll spot you an 'e'.

Re:The death of X (3, Funny)

woah (781250) | more than 8 years ago | (#13400932)

Death of X?

Not my X!

*sob* *hugs monitor running X session*

NGSCB/Palladium (3, Insightful)

electrosoccertux (874415) | more than 8 years ago | (#13400567)

We better find a way to secure our computers without Bill's help. Otherwise he has a major reason for why we "need" the NGSCB....even though it would most likely be used to accomplish other things.

Re:NGSCB/Palladium (1)

TheRaven64 (641858) | more than 8 years ago | (#13400752)

Something like TCPA (or whatever they are calling it this week) could be very good when used in combination with something like NetBSD's Verified Exec. Don't allow any kernel to run unless its hash matches one added by someone with physical access. Don't allow any program to run outside a sandbox unless it has a hash which matches the one set by root.

Re:NGSCB/Palladium (1)

Limburgher (523006) | more than 8 years ago | (#13400766)

We've got that. Just try this [grisoft.com] , this [clamwin.org] , or, if all else fails, this [linux.com] .

In other words... (3, Funny)

cryptoz (878581) | more than 8 years ago | (#13400570)

The anti-virus companies have finally learned that the type of viruses they're creating are too difficult to fight against. So they've decided to start writing slightly new viruses that can be more easily killed through their new type of program, which will cost the unsuspecting Windows user, oh, only a few dozen more dollars a month.

I love the world of GNU/Linux.

Re:In other words... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13400656)

Even ignoring the implicit GNU/stupidity in that logic, it makes zero GNU/sense. Why would they write viruses they can't GNU/identify, GNU/huh?

Re:In other words... (1)

cryptoz (878581) | more than 8 years ago | (#13400943)

Woah. Troll? Eh? I don't follow the logic of the mods here. I was trying to, uh, be..."funny". But I guess I'm just not. Ouch.

Data from the article (5, Informative)

Anonymous Coward | more than 8 years ago | (#13400572)

The product scores (only the trolls need more karma). Or you can try page 4.

BitDefender 6/6
Fortinet 6/6
Nod32 5/6
eSafe 3/6
F-Prot 3/6
Panda 3/6
QuickHeal 3/6
McAfee 2/6
Norman 2/6
AntiVir 1/6
ClamAV 1/6
Proventia-VPS 3/6
Panda TruPrevent 6/6

Sandbox (4, Interesting)

hrieke (126185) | more than 8 years ago | (#13400576)

A thought, and perhaps a better mind can say why this would or would not work.
Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then to pass the IO requests directly to the system.
So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, then the AV would nip it in the bud.

Re:Sandbox (1)

trosenbl (191401) | more than 8 years ago | (#13400669)

Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then to pass the IO requests directly to the system.


That's more or less what's going on here. They aren't necessarily running it in a virtual machine, that would be enormous overhead. But they do watch for types of behavior that are typical for a virus. They don't need the sandbox approach, because the execution can still be stopped before actual damage occurs.

Re:Sandbox (1)

hobbesx (259250) | more than 8 years ago | (#13400674)

But how would you determine 'normally'? By prompting the user?


You've changed data in a cell, are these changes ok?


I don't see AV software companies jumping from the signature-based detection just yet. No, this is just another bullet point to add to a list of features:
* Guaranteed to catch known viruses with your current signature update!
* Catch new viruses before we even know about them 95% of the time!
* Send us your money now, and then send more to us again later!

Re:Sandbox (1)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#13400714)

Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then to pass the IO requests directly to the system.

Do you mean for a limited time so that it does not hurt performance (in which case worms/viruses can get around it by sleeping for a predefined time) or do you mean running in a VM all the time, which is actually just good ACLs for userland applications (something I have been preaching along with an easy UI and good defaults for several years)? Heck, this can be done right now with Java applications, except I don't know any JVMs that give the user the configuration tools needed to use them properly. When you download/install an application it should be ACL'ed with a preconfigured setting, like game, internet game, offline application, internet application, etc. This would have the added benefit of keeping developers from accessing the internet with applications that don't really need to, and encouraging them to use OS hooks to do updates. By default most applications don't need to use the internet and most don't need to access any files either not created by them or not specified by the user. That right there would kill 90% of the worms and viruses we see today.

Re:Sandbox (3, Interesting)

Quirk (36086) | more than 8 years ago | (#13400799)

Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then to pass the IO requests directly to the system.

I apologise in advance for not having a link or a reference. I did a quick read on a paper from SANS [sans.org] , wherein they commented on an exploit referred to as "the red pill". IIRC the gist of the exploit is that it tests for the memory segment it is run in. A VM sandbox runs in a higher memory segment. If the exploit tests and finds itself being run in a higher memory segment it becomes dormant, if, OTOH, it tests and finds it's being run in a lower memory area it releases its payload.

Sorry I can't link to the pdf. I have the file but haven't the time to search for it at the moment.

cheers

Re:Sandbox (1)

jcuervo (715139) | more than 8 years ago | (#13400994)

IIRC the gist of the exploit is that it tests for the memory segment it is run in. A VM sandbox runs in a higher memory segment. If the exploit tests and finds itself being run in a higher memory segment it becomes dormant, if, OTOH, it tests and finds it's being run in a lower memory area it releases its payload.
So have the VM lie to the program about where it's running. Easy.

how long do you quarantine? (1)

Sagarian (519668) | more than 8 years ago | (#13400862)

fine. quarantine for X minutes and observe behavior... then hax0r writes malware that hibernates for X+1 minutes...
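The time-limited sandbox hrieke proposes and the "hibernate for X+1 minutes" evasion Sagarian replies with, as an added example that is not part of the thread or of any product: a toy sandbox with an observation budget of X seconds, a constructed sample that looks benign, sleeps, and only then detonates, and a second sandbox mode in which sleeps are satisfied instantly by a virtual clock that the sample still sees advance. The sample, the fake OS surface, the budget and the file/host names are all constructed; nothing real is executed.

```python
"""Sleep-based sandbox evasion versus a sandbox with a virtual clock.

Added example, not from the thread or any product. Models an observation
budget of X seconds and a sample that hibernates for X+1 seconds before
its payload. Sandbox, sample and budget are constructed.
"""


class Sandbox:
    """Runs a sample against a fake OS and records syscalls made within the budget."""

    def __init__(self, budget_s, skip_sleeps=False):
        self.budget_s = budget_s
        self.skip_sleeps = skip_sleeps
        self.host_s = 0.0    # time the analyst actually waits
        self.guest_s = 0.0   # time the sample sees through time()
        self.observed = []

    # The fake OS surface the sample calls.
    def time(self):
        return self.guest_s

    def sleep(self, seconds):
        self.guest_s += seconds              # the sample always sees time pass
        if not self.skip_sleeps:
            self.host_s += seconds           # a wall-clock sandbox burns its budget here

    def syscall(self, name, arg):
        if self.host_s <= self.budget_s:     # only what happens inside the budget is seen
            self.observed.append((name, arg))

    def run(self, sample):
        sample(self)
        return [name for name, _ in self.observed]


def delayed_payload(delay_s):
    """A sample that looks benign, hibernates, then checks that time really passed."""
    def sample(os_):
        os_.syscall("open", "C:\\Users\\victim\\Documents\\report.doc")
        t0 = os_.time()
        os_.sleep(delay_s)
        # A sandbox that skips the sleep without moving the clock fails this check.
        if os_.time() - t0 >= delay_s:
            os_.syscall("connect", "c2.example.test:6667")
            os_.syscall("write", "C:\\Windows\\System32\\haxbot.exe")
    return sample


def analyse(budget_s, delay_s, skip_sleeps):
    """Return the syscall names the sandbox observed for a sample with the given delay."""
    return Sandbox(budget_s, skip_sleeps).run(delayed_payload(delay_s))


if __name__ == "__main__":
    X = 120
    print("wall clock, sleep X+1:   ", analyse(X, X + 1, skip_sleeps=False))
    print("virtual clock, sleep X+1:", analyse(X, X + 1, skip_sleeps=True))
```

With a real clock the wall-clock sandbox sees only the harmless `open` before its budget runs out; the virtual-clock variant sees the whole payload in the same analyst time. The arms race does not stop there: a sample can cross-check against a clock source the sandbox did not fake (the CPU timestamp counter, a network time query, a timed CPU-bound loop), so every time source the guest can reach has to tell the same story.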

Re:Sandbox - No, this doesn't work (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13400925)

Simply put, it is relatively trivial for a virus writer to have the virus determine whether it is running inside a virtual environment/sandbox. This is a known problem in the AV world - shortly after the first attempts to create this sort of sandbox the virus writers demonstrated this capability in the wild.

A good discussion of this is the somewhat famous Halting Problem:
http://en.wikipedia.org/wiki/Halting_problem [wikipedia.org]

My favourite use of this was a book by Greg Bear (Legacy/Eon, I believe) where the protagonists capture an alien, and then clone its mind in a computer simulated world in order to question it. However, the alien knows how to determine that it is in a virtual environment, and the virtual alien commits mental suicide (somehow). Great book, mind blowing hard sci fi.

Regardless - sandbox technology only catches the really dumb viruses, which are pretty easy to catch anyways. You can pretty much count on any viruses taking advantage of new advances in other viruses pretty quickly - whether it be host file rewrites, building botnets, disabling AV functionality, keylogging, auto-upgrades, encrypted command and control channels, etc.

And yes, I do work for an AV company.

Re:Sandbox (1)

merlin_jim (302773) | more than 8 years ago | (#13401043)

and if determined to work normally

There's your problem right there. How do you differentiate between work normally and not? Viruses aren't doing anything that the HARDWARE of the system wasn't designed to do... they're just subverting the software.

You say:
So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, then the AV would nip it in the bud.

Well first off a program has to go to extra lengths to make itself visible; a hidden task is the default running mode until you start creating UI. And there's tons of legitimate software that create legitimate but hidden processes to help themselves out.

As far as port opening; they have software to regulate that. It's called a software firewall.

Now there is a virus detection method known as heuristics, which basically looks for virus like behaviour. Things like copying your own code en masse, spitting it out to network ports, scanning for certain types of files. It's not easy and it's not perfect but it does work. It also takes a long time to do.
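The behaviour-policy ("proactive") detection described by the_mighty_$ ("monitors the behavior of programs and makes sure they don't violate security policy"), by trosenbl ("watch for types of behavior that are typical for a virus") and by merlin_jim ("copying your own code en masse, spitting it out to network ports, scanning"), as one added example that is not part of the thread and not the code of any product tested: a weighted rule set evaluated over a per-process event trace. The event model, the rules and their weights, the thresholds, and the three sample processes (a worm-like dropper, an installer, a browser) are all constructed; a real monitor would get these events from a kernel driver or API hooks.

```python
"""Behaviour-policy ("proactive") detection over a per-process event trace.

Added example: not code from the thread or from any AV product it names.
The event model, rules, weights, thresholds and the sample trace are all
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    image: str    # image of the acting process, e.g. "C:\\Temp\\haxbot.exe"
    op: str       # "write", "reg_set", "listen", "connect", "connect_fail", "spawn"
    target: str   # file path, registry key, "host:port" or child image


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
AUTORUN_KEYS = ("hklm\\software\\microsoft\\windows\\currentversion\\run",)
SCAN_THRESHOLD = 8   # distinct hosts with *failed* connects on one port
BLOCK_AT = 3         # cumulative weight at which the process is stopped


def score_process(events):
    """Weighted rule matching for one process. Returns (score, [(reason, weight)])."""
    reasons = []
    own_name = events[0].image.lower().rsplit("\\", 1)[-1]
    failed_by_port = defaultdict(set)
    listening = False

    for ev in events:
        t = ev.target.lower()
        # Self-replication: writing a file with our own name into a system directory.
        if ev.op == "write" and t.startswith(SYSTEM_DIRS) and t.endswith("\\" + own_name):
            reasons.append(("self-copy into system directory", 2))
        elif ev.op == "reg_set" and t.startswith(AUTORUN_KEYS):
            reasons.append(("autorun persistence", 1))
        elif ev.op == "listen":
            listening = True
        elif ev.op == "connect_fail":
            host, port = t.rsplit(":", 1)
            failed_by_port[port].add(host)
        elif ev.op == "spawn" and t.endswith("cmd.exe") and listening:
            reasons.append(("shell spawned while listening (backdoor)", 2))

    # Scanning: many distinct hosts refusing on one port. Counting successful
    # connects here would flag every browser, so only failures are counted.
    for port, hosts in failed_by_port.items():
        if len(hosts) >= SCAN_THRESHOLD:
            reasons.append((f"scanning: {len(hosts)} hosts on port {port}", 2))

    return sum(w for _, w in reasons), reasons


def evaluate(trace):
    """Group a trace by pid and decide which processes would be blocked."""
    by_pid = defaultdict(list)
    for ev in trace:
        by_pid[ev.pid].append(ev)
    verdicts = {}
    for pid, events in by_pid.items():
        score, reasons = score_process(events)
        verdicts[pid] = {"image": events[0].image, "score": score,
                         "blocked": score >= BLOCK_AT,
                         "reasons": [r for r, _ in reasons]}
    return verdicts


# Constructed sample trace: a worm-like dropper, a legitimate installer, a browser.
RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_TRACE = [
    Event(100, "C:\\Temp\\haxbot.exe", "write", "C:\\Windows\\System32\\haxbot.exe"),
    Event(100, "C:\\Temp\\haxbot.exe", "reg_set", RUN + "haxbot"),
    Event(100, "C:\\Temp\\haxbot.exe", "listen", "0.0.0.0:4444"),
    *[Event(100, "C:\\Temp\\haxbot.exe", "connect_fail", f"10.0.0.{i}:445") for i in range(1, 13)],
    Event(100, "C:\\Temp\\haxbot.exe", "spawn", "C:\\Windows\\System32\\cmd.exe"),
    Event(200, "C:\\Temp\\setup.exe", "write", "C:\\Windows\\System32\\vendor.dll"),
    Event(200, "C:\\Temp\\setup.exe", "reg_set", RUN + "updater"),
    Event(200, "C:\\Temp\\setup.exe", "connect", "updates.example.test:443"),
    *[Event(300, "C:\\Program Files\\browser.exe", "connect", f"site{i}.example.test:443") for i in range(12)],
]

if __name__ == "__main__":
    for pid, v in evaluate(SAMPLE_TRACE).items():
        print(pid, v["image"], "BLOCK" if v["blocked"] else "allow", v["score"], v["reasons"])
```

The installer scores 1 (it registers an autorun entry, which plenty of legitimate software does) and is allowed; the browser scores 0 despite a dozen connections; the dropper hits every rule and is blocked before its payload runs. The weights are the tunable part, and globalar's point above applies in full: a rule set like this is loopholes all the way down, so in practice it sits beside signatures rather than replacing them.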

good av software (0, Troll)

l3v1 (787564) | more than 8 years ago | (#13400581)

Experience taught me that no av solution is good enough if it's just some string scanner. The best solutions I've come across are those which offer string search + resident protection + web shield + resident p2p/torrent and im scan + file hashing with file altering monitoring, and the whole combined with a good firewall. With time I have found the one for the first and one for the second task which I'm satisfied to the point that I quite rarely evaluate newly popped up solutions and install these every time. I won't name them 'cause I'm no free advertiser for nobody. I'm sure the thousands of security experts the /. crowd has :P will provide you with a gazillion of options to choose from :]

Re:good av software (0)

Anonymous Coward | more than 8 years ago | (#13400886)

from a resource consumption standpoint, i'll take spyware and viruses anyday over the array of resident software that a modern AV+firewall setup requires.

put another way "when the solution is worse than the problem" ......

The problem isn't the software... (4, Insightful)

QuantumPion (805098) | more than 8 years ago | (#13400602)

...It's the users. Until the general population of computer users become smart enough to know not to open strange attachments or install malware from unscrupulous websites, hax0rs will always find a way around virus protection schemes.

People here always clamor about how poorly Windows is designed and how it leaves people so open to attack. The truth is, even if everyone in the world used Linux, the hackers would still write viruses to exploit the same vulnerabilities stemming from the ignorant masses.

Re:The problem isn't the software... (0)

Nutria (679911) | more than 8 years ago | (#13400668)

The truth is, even if everyone in the world used Linux, the hackers would still write viruses to exploit the same vulnerabilities stemming from the ignorant masses.

You truly don't know anything about "Unix", do you?

Re:The problem isn't the software... (0)

Anonymous Coward | more than 8 years ago | (#13400756)

Some 'program' they download doesn't work, and suggests they sudo chmod +x whatever, and I guarantee you, people will do it.

Re:The problem isn't the software... (1)

QuantumPion (805098) | more than 8 years ago | (#13400829)

Exactly! As a perfect example, Microsoft really helped security issues with the changes to IE in service pack 2. Things like the data execution prevention stuff, and the information bar that stops activex apps from running automatically are really helpful to those of us who actually read the warning messages and click "no way, man!". But already the unscrupulous websites have gotten around this. Just look at all the warez sites on the net that require you to install their activex or java app to download their goodies. They all have the same flash animation that directly points out how to disable the security features.

Re:The problem isn't the software... (1)

Drooling Iguana (61479) | more than 8 years ago | (#13400890)

In most distributions, Linux programs aren't simply "downloaded", as they are in Windows. They're installed from a central repository through a special utility (such as Debian's apt-get and Gentoo's Portage.) This prevents users from being tricked into installing malicious software as they will not be used to simply downloading and running programs from strange websites, as they must in order to install most programs in Windows.

Re:The problem isn't the software... (1)

QuantumPion (805098) | more than 8 years ago | (#13400795)

I know how to install and use Linux/Unix. I occasionally load a distro on my box at home and I often use Unix at work. I'm no expert though, I don't know much about customizing, script files, Linux-from-scratch, etc. The deepest I have ever delved was customizing the kernel a bit.

What I do know is how the average computer user behaves. I worked as a university tech support guy for 3 years. Hackers always target the largest base of vulnerable, ignorant users. That happens to be the average Windows user right now. But Windows can be made secure, simply by keeping up with the update patches to prevent infection from zombie machine attacks, and by using common sense to not open virus attachments or install malware activex or java apps.

Linux can be made more secure than Windows, but because of its complexity, the average computer user will probably be more vulnerable. E.g. running as root all the time in linux or just having a weak root password can lead to more disastrous consequences than running as admin in Windows.

My original point though was that hackers target what everyone uses. If everyone used Linux, hackers would FIND a way to exploit it.

Re:The problem isn't the software... (2, Informative)

qray (805206) | more than 8 years ago | (#13400924)

Stupid user + Stupid software companies = compromised security.

I can easily lock my Windows machine down as tight as Linux. The problem is that half the software won't install in such a restricted account, and even if it does, it's likely to fall down later on.

Linux/UNIX users are used to avoiding running as root. Most Windows users never give it a thought and those that do often give up when the software won't install or won't run under a restricted account.

I guess Microsoft could create a default user account at install time. But then I'm sure they'd get a ton of support calls from clueless users complaining that their favorite software doesn't run under Windows.

--
Ogdrip froptor nogro docor

Re:The problem isn't the software... (3, Insightful)

johnnyb (4816) | more than 8 years ago | (#13400841)

Most of these problems are not problems specific to Windows but are specific to dumb users.

Windows viruses usually don't propagate by modifying system files and whatnot. They do it just through the user's own account.

If a UNIX user opened what was advertised as a pr0n screensaver, and it wound up infecting his .bashrc file and creating an SMTP worm, there is absolutely NOTHING in the UNIX architecture that would stop this.

The problem is the culture that Windows has engendered, which says "everything should be automagic -- don't think! -- just click and the world will be yours!" It was caused by Windows, but bringing users of the same mentality to UNIX will just cause the problem to exist on UNIX, too.

Re:The problem isn't the software... (3, Insightful)

saintp (595331) | more than 8 years ago | (#13400849)

You don't know anything about users, do you? You can always get a user to do something stupid, no matter what OS they're running. It's just that Windows usually makes it easier to do stupid things. Keeping the OS updated isn't even hard -- hell, you configure it once and never click anything again -- but users can't seem to do it. I don't care if everyone on the planet ran BSD or AIX or Trusted Solaris or friggin' VMS; there would still be plenty of morons who would be unable to keep their boxes patched to even remotely current levels, and even more who would happily type in their root password to get a "free web accelerator!" or to see "so cool a movie." It doesn't matter how secure an OS is if the computer has a stupid operator.

Re:The problem isn't the software... (1)

Tim C (15259) | more than 8 years ago | (#13400872)

You don't know anything about users, do you?

Tell me, what is it about Unix and other similar systems that prevents a malicious executable from wreaking havoc on the machine when run by a user in possession of the root password?

Don't tell me about having to use chmod, or file system permissions, or anything like that; I know all that. I am talking about a user, with the root password, a desire to run this cool-sounding app he's just downloaded, and enough knowledge to chmod +x file && sudo ./file to do it. (Or, more likely, a user with the root password who's gotten so sick of logging out and back in or using su or sudo that he just runs as root the whole damn time anyway)

Re:The problem isn't the software... (4, Informative)

why-is-it (318134) | more than 8 years ago | (#13401027)

You truly don't know anything about "Unix", do you?

He might. I am wondering just how much you know about it though...

From what I have read, many (but not all) trojans, viruses and spyware can operate just fine in the user space, without needing to be root. It all depends on what the vx'er wanted to achieve. Sure, if they want to 0wn j00, they want root access. But you would not need root access to:

  • install a TCP-based application in $HOME/bin and phone home
  • participate in a DDOS attack against a specific host
  • send spam via sendmail (user-mode)

There are lots of malevolent things that could be done without being root. Fortunately, the vx'ers want the most bang for the buck and target windows users.

The pp's point was entirely valid. It has just as much to do with user education as it does with securing your boxen.

Re:The problem isn't the software... (1)

Iphtashu Fitz (263795) | more than 8 years ago | (#13400737)

Until the general population of computer users become smart enough to know not to open strange attachments

A-men! I used to work for a company that used MS Exchange for e-mail among a handful of offices scattered around the US. Thankfully I was in an office made up mostly of tech-savvy people. Whenever word got out of a new virus/worm e-mail message our IT department would send out a warning message like "Don't open any e-mail with a subject line of 'foo'". Nobody in our office ever did, but throughout the rest of the day we'd get spammed with multiple copies of the spam/virus/worm because it seemed that every non-technical idiot in the other offices opened up multiple copies of those e-mails anyway.

Re:The problem isn't the software... (2, Informative)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#13400888)

every non-technical idiot in the other offices opened up multiple copies of those e-mails anyway.

You're confusing idiocy, with reasonable expectations. I expect that my e-mail program will read e-mail. I expect that when I open an e-mail it will display the text, included images, and, if I request it, it will display remote images. My e-mail client does that, and so did my last 3 or 4 e-mail clients over the last 10 years. What I do not, and should not expect, is for my e-mail program to run a virus, install anything, run random scripts, connect to remote servers, touch any of my files, write to my hard drive, or run any sort of executable. If it does that, it is broken. If it does that all the time, it is fundamentally broken and needs to be replaced, and the vendor blacklisted.

You complain about how stupid the non-technical users are, but you should not have to be technical or an expert to read e-mail. You should just open your messages and be able to read without fear. If you are one of those rare few people who need to have executables e-mailed to you, fine, but you should have to turn that feature on manually and your e-mail program should say, "hey this e-mail has an executable in it, do you want to install or run it? (Note this may be a worm or virus!)" I mean how hard is that already? Viruses should not run when you preview a mail, nor when you open a mail, nor when you double click on an attachment. They should run when you double click on them and then confirm that you know the contained item is a program that might be a virus.

If all e-mail programs did that (pretty much all but MS ones do now) would there still be viruses? Sure, but there would be a lot fewer and they would spread more slowly. And there is no reason why the number could not be further reduced by running new apps with restricted privileges, requiring you to not only agree to run a strange and untrusted program but to explicitly grant it access to the internet and/or your personal files and/or your operating system files. Sure there are people who would agree to even that, but those few people cannot be helped. The problem is more a technical one right now than an end user education one. Give them the right tools and then if they still screw up you can complain justly. End users of e-mail should not have to be experts.

Re:The problem isn't the software... (1, Insightful)

Drooling Iguana (61479) | more than 8 years ago | (#13400833)

Sigh... There seems to be one of these in every virus-related thread...

Linux would not get this many viruses if it was as popular as Windows because Linux doesn't have these "same vulnerabilities". For one thing, while a default Windows install has countless "services" enabled that would allow a malicious user or program to gain access to the system, a typical Linux install would have absolutely no point of entry for these types of attacks unless the user chooses to enable them.

Other types of problems such as trojan horse attacks and spyware would also find Linux machines far more difficult to exploit as all system files are kept in directories that typical users do not have write access to. Yes, I know it's possible to enable such a system on recent versions of Windows, but many users do not do so and many programs will not work in such a configuration.

Add this to the fact that Linux is not a monoculture, and that an exploit that opens up on one configuration will most likely not be a problem on others, and you have a system that is not and never will be as inherently insecure as Windows.

Ummm... (1)

Wuher (899286) | more than 8 years ago | (#13400937)

Did you just defend Windows' security? You may be barking up the wrong tree... ;) I think you have to assume the user is ignorant. An OS designed to be used by such users should not be able to be taken down by a single double-click. Whether or not Windows should be designed with these kinds of users in mind is a different issue altogether.

Re:The problem isn't the software... (1)

PygmySurfer (442860) | more than 8 years ago | (#13401032)

...It's the users. Until the general population of computer users become smart enough to know not to open strange attachments or install malware from unscrupulous websites, hax0rs will always find a way around virus protection schemes

Except worms propagate on their own, not by clueless users opening random attachments. The only thing the clueless user is guilty of in this case is not patching their software.

I don't doubt the number of viruses for Linux (Or OS X, or FreeBSD, or any other non-Windows OS) would rise were one of them the dominant platform. However, the very design of these platforms severely reduces the possible exploits, as well as the impact any possible exploits would have.

Re:The problem isn't the software... (1)

ka9dgx (72702) | more than 8 years ago | (#13401039)

I'll bite... it's not the users, or the software, it's the security model!

Linux, Mac OSX, and Windows all run programs as the user; there is no way to run an untrusted application, and that is the heart of the problem. You can talk all you want about Windows vs Linux, but you need to step back and look at the big picture.

ACL based security is fine if you never need new code, and manage to kill all the bugs in the existing code... but of course that's impossible.

Capability based security models make it possible to set up systems to run any cool new thing, and be reasonably certain it won't take everything out. Some folks might object that Capability based systems are vaporware, and they'd be right... but at least the path is clear.

--Mike--

Death of? (4, Insightful)

springbox (853816) | more than 8 years ago | (#13400609)

That's a bit extreme. If anything the signature based AV software isn't going anywhere right now. It seems like behavior analysis, which is what I thought of when I read the headline, would be a nice extra preventative measure to integrate into existing resident scanners. It doesn't seem like that type of technique would be very reliable if used by itself. Maybe the headline should have been: "A program that watches other programs spots a potential problem in advance!"

Re:Death of? (1)

wo1verin3 (473094) | more than 8 years ago | (#13400642)

You hit it right on...

People use a condom but it's not 100% effective on its own.... but more effective when used in conjunction with another birth control method (such as reading slashdot).

Hotmail is doing this already? (5, Informative)

Thunderstruck (210399) | more than 8 years ago | (#13400610)

I think, based on my personal experience, that Hotmail is already moving away from virus definitions to a more general measure of "traits." In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "." (dot) in it.

I base this on the fact that, after exporting a document from StarOffice 7 directly to a .pdf file, and using a filename with two "dots", I sent this document to a Hotmail user, who wrote me back that Hotmail had declared the file to contain an incurable virus. Reasonably sure that my Xandros linux box had no virii on it, I renamed the file something more Microsoft friendly. The file was received with no problems.

So there you have it, any file with a suspicious name must contain a virus. Easy, reliable detection.

Re:Hotmail is doing this already? (1)

fr1kk (810571) | more than 8 years ago | (#13400635)

This happened to me as well. I had a document for my sister's term paper that I exported as a PDF, and hotmail told me it was a virus. It was named something like 'summer.pdf'. I didn't understand, because PDFs should not have viruses, right?

Re:Hotmail is doing this already? (2, Informative)

Rude Turnip (49495) | more than 8 years ago | (#13400703)

"I didn't understand, because PDFs should not have viruses, right?"

Getting a virus by opening an email was just a myth until Microsoft made it a reality. Adobe is doing the same with PDF now, by introducing a bunch of javascript/multimedia BS that can be integrated in PDFs.

Re:Hotmail is doing this already? (0)

Anonymous Coward | more than 8 years ago | (#13400914)

That's because no one in their sane mind would pay US$449.00 just for a virtual paper printout.

Re:Hotmail is doing this already? (2, Interesting)

Anonymous Coward | more than 8 years ago | (#13400688)

In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "."

<conspiracy>

Interesting, as a significant number of linux apps are distributed in the form APPNAME.V.R.S.tar.gz.

</conspiracy>

Re:Hotmail is doing this already? (1)

Tim C (15259) | more than 8 years ago | (#13400802)

A significant number of viruses are distributed with names along the lines of "cute picture of puppies.jpg.pif" too.

How do you flag one as potentially dodgy (which it is) without getting false positives for the other?

Re:Hotmail is doing this already? (1)

yuriismaster (776296) | more than 8 years ago | (#13400882)

A significant number of viruses are distributed with names along the lines of "cute picture of puppies.jpg.pif" too.

How do you flag one as potentially dodgy (which it is) without getting false positives for the other?

Simple. By scanning the contents of the file. Sure it may take a little time, but seriously, look at the contents of the file. Never assume the file extension is right. Also, MIME types are good things to check.
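The contrast drawn in this subthread, as an added example that is not part of the original thread: the filename-only rule ("long name or more than one dot") beside a content check that sniffs leading magic bytes and compares them with what the extension claims. The attachment bytes and filenames below are constructed, and the magic-byte table is deliberately a small subset of real formats.

```python
"""Filename heuristic vs. content sniffing for e-mail attachments.
Added example with constructed sample attachments; not real files."""
import os

# Leading bytes of a few real formats (subset only).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),            # DOS/Windows executable: .exe, .pif, .scr, ...
    (b"\xff\xd8\xff", "jpeg"),
]

# Content each claimed (final) extension is expected to carry.
EXT_TYPES = {
    "pdf": "pdf", "gz": "gzip", "tgz": "gzip", "zip": "zip",
    "jpg": "jpeg", "jpeg": "jpeg", "txt": "text",
    "exe": "pe", "pif": "pe", "scr": "pe", "com": "pe",
}
EXECUTABLE_TYPES = {"pe"}


def name_heuristic(name: str, max_len: int = 40) -> bool:
    """Hotmail-style rule from the thread: flag long names or names with
    more than one dot. Cheap, but blind to what the bytes actually are."""
    return len(name) > max_len or name.count(".") > 1


def sniff_type(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the filename."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown"


def content_check(name: str, data: bytes):
    """Return (flagged, reason). Executable content is flagged whatever the
    name says; so is any mismatch between the extension and the bytes."""
    claimed_ext = os.path.splitext(name)[1].lstrip(".").lower()
    actual = sniff_type(data)
    if actual in EXECUTABLE_TYPES:
        return True, f"executable content ({actual}) named {name!r}"
    expected = EXT_TYPES.get(claimed_ext)
    if expected is not None and expected != actual:
        return True, f".{claimed_ext} claims {expected}, content is {actual}"
    return False, f"{actual} content matches .{claimed_ext}"


def classify(attachments):
    """Run both rules; returns {name: (name_flag, content_flag, reason)}."""
    return {name: (name_heuristic(name),) + content_check(name, data)
            for name, data in attachments}


# Constructed samples mirroring the thread's cases.
SAMPLES = [
    ("summer.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("thesis.final.v2.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("fooapp-1.2.3.tar.gz", b"\x1f\x8b\x08\x00constructed"),
    ("cute picture of puppies.jpg.pif", b"MZ\x90\x00constructed stub"),
    ("invoice.pdf", b"MZ\x90\x00constructed stub"),
    ("notes.txt", b"just some constructed plain text\n"),
]

if __name__ == "__main__":
    for name, (by_name, by_content, reason) in classify(SAMPLES).items():
        print(f"{name:34} name-rule={by_name!s:5} content={by_content!s:5} {reason}")
```

The dot-count rule flags the legitimate multi-dot PDF and the tarball while passing an executable renamed to `invoice.pdf`; the content check gets all four right.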

Re:Hotmail is doing this already? (1)

yodaj007 (775974) | more than 8 years ago | (#13400930)

Reliable? While it's true that a lot of stuff uses multiple periods to disguise the true nature of the file, you just gave an example of a false positive.
Not a good criterion to use for detecting malware. But it is a good rule of thumb.

Re:Hotmail is doing this already? (0)

Anonymous Coward | more than 8 years ago | (#13400946)

Well. I know GMail is doing something for sure. I had some socket code (chat server) I had programmed in C# which I had zipped up and e-mailed myself. Gmail kept rejecting the e-mail attachment until I renamed the file to have a different extension than ZIP. I tried a simple ZIP of a text file and it went thru fine. So Gmail had to look inside my attachment, saw something in the EXE which was part of the ZIP and rejected it.

Had To Be Done (-1, Offtopic)

weilawei (897823) | more than 8 years ago | (#13400647)

All Your Signatures Are Belong To Us

Re:Had To Be Done (0)

Anonymous Coward | more than 8 years ago | (#13400691)

You did it wrong. The formula is this:

All Your [fill in the blank with a SINGULAR noun] Are Belong To Us

Re:Had To Be Done (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13400998)

You set him up the bomb!

Re:Had To Be Done (1)

fury88 (905473) | more than 8 years ago | (#13400928)

CLASSIC!

Signature is the only way to scan on entry (4, Insightful)

m50d (797211) | more than 8 years ago | (#13400659)

This kind of thing can only work if it's on the machines that will be running the viruses. If you want to scan everything coming in, or at your mail gateway, signature is still the way to go. There's a place for both methods, as has been the case for a long time.

I don't know about you, but I saw this coming. (4, Funny)

Bnderan (801928) | more than 8 years ago | (#13400671)

Sheesh...This should be obvious to anyone that MS05-039 totally outclasses MS05-038 in proactive detection test response time. NTIKWTFIATA

Missing end of summary (2, Informative)

Tx (96709) | more than 8 years ago | (#13400679)

...using heuristic detection rules that generate a high number of false positives as well, if scanned files are simply runtime-compressed.

Thanks, but I prefer not to throw the baby out with the bathwater.

Re:Missing end of summary (1)

youknowmewell (754551) | more than 8 years ago | (#13400721)

That only counts for 3 of the 11 anti-viruses, and that doesn't include BitDefender which get all 6 viruses without signatures.

beyond detection to action (1)

pohl (872) | more than 8 years ago | (#13400690)

I was surprised that this article [yahoo.com] was not in the writeup since it seems at least tangential to the subject: this product claims to actually slow the propagation of worms that have no known signature...which strikes me as being one louder than detecting a virus without a signature. I realize I'm conflating worms with viruses here, but nevertheless...

Windows Worms (1, Insightful)

hey (83763) | more than 8 years ago | (#13400701)

Nice to see them called "Windows Worms" instead of computer viruses as usual. These are all Windows problems.

Heuristics (4, Interesting)

Cally (10873) | more than 8 years ago | (#13400711)

Most of the major AV programs have incorporated some sort of heuristics capability for years now. The problem with these (and the reason they're not usually turned on by default) is that they tend to false positive all over the place. So the corollary to these test results is: how many false positives did these products generate using the same config?

Disclaimer: I worked for a household-name antivirus sw firm in the past and now work for one that filters network-based viruses as a network service.

Virus proliferation (5, Insightful)

QangMartoq (614688) | more than 8 years ago | (#13400717)

It is almost amazing to me that most viruses (and other various forms of malware) continue to flourish in a computer culture where using a virus scanner is so common nowadays.

Why is that? From personal experience, most people I know run some form of AV software, which is good. They do not however, keep it updated! Let's examine why this is.

Average Joe buys a Dell. It comes with AV software, such as Norton or McAfee preloaded.

The software has a finite length of time (usually 3 to 6 months) before the user must pay to continue getting updates.

Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")

While that may be a valid objection, it doesn't help to stop the spread of viruses. So what is the solution?

In my personal opinion, the solution is to make basic AV software, and any required updates, free of charge for the user. Software that fits this description (for example, Grisoft AVG Free Edition [grisoft.com]) is already available.

What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

Re:Virus proliferation (2, Interesting)

Carrot007 (37198) | more than 8 years ago | (#13400753)

> What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

Which stone are you hiding under?

Putting free stuff on gets them nothing, where as something people may pay for in the future will.

The company will give them incentives, maybe pay them a small amount to bundle, give them concessions on other software to bundle etc.

Furthermore, yes I use AVG free edition on my windows boxes; however I can see why it doesn't get bundled.

Re:Virus proliferation (1)

dreamer-of-rules (794070) | more than 8 years ago | (#13400842)

No. He has a point. Dell spends a lot of time (equals money) on virus/trojan related support calls. They either fork out the bucks for customer service, or not. And so the quality of customer support goes down, and so does their reputation. (Dell customer service is almost as bad as HP's desktop support.)

It would make "good business sense" for Dell to include free AV, with automatic updates for the life of the warranty. Then.. you can abandon your customer and step 3-- profit!

Re:Virus proliferation (0)

Anonymous Coward | more than 8 years ago | (#13400898)

Actually, you're missing the true reason it's included.

1) the companies who provide the AV sw to Dell and other manufacturers are compensated by the AV companies for the free advertising/install base,

and 2) Virus/Spyware calls are handled by Fee-based phone queues now...so either direction, the computer company makes money!

Re:Virus proliferation (1)

BaudKarma (868193) | more than 8 years ago | (#13400962)

You've still got the customer calling the free line first, and the phone tech having to determine that the support issue is indeed virus/worm related. Sometimes it's obvious, sometimes not so. Either way, there's still a support cost before the call can be handed off to the fee line.

Re:Virus proliferation (1)

QangMartoq (614688) | more than 8 years ago | (#13400985)

> What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?

> Which stone are you hiding under?

> Putting free stuff on gets them nothing, where as something people may pay for in the future will.

> The company will give them incentives, maybe pay them a small amount to bundle, give them concessions on other software to bundle etc.

> Furthermore, yes I use AVG free edition on my windows boxes; however I can see why it doesn't get bundled.

Not hiding under a stone here, just wondering why is all.

Free software, such as AVG, may very well get them something. AVG does make a more advanced version, for which they charge money. It is conceivable that as the users learn more about how to use their systems, they may want more control than the free edition offers, and upgrade to the paid version. This could easily be made into a commission for the PC maker.

As for the paid software companies giving them incentives, which would you consider more important if you were in charge at that PC company? Lower support costs from fewer viruses and malware, or a (very likely) ridiculously small amount from software makers? The first option also has the added benefit of giving customers a better impression of the PC maker. If Joe's Dell gets a lot fewer virus infections than his friend's Compaq, one of them is bound to notice that eventually. This would hopefully lead to increased repeat sales and referrals.

While I'm pleased to see that you use AVG on your Windows boxes, I am curious as to why you say you can see that it doesn't get bundled. (If not for one of the above reasons already stated.)

Re:Virus proliferation (1)

ceswiedler (165311) | more than 8 years ago | (#13400996)

That's because most of the problems we have these days aren't viruses. They're worms. Viruses (and trojans) are transmitted slowly, via a user's actions. Worms spread proactively, and do so quickly enough that there isn't time for a virus company to put out a signature. Generally, the effect of a worm isn't anything it does to your computer, but what it does to the network. The only way to stop worms is to make sure there are no security holes in your operating system.

Virus scanning for anything other than emails is a waste of time. And even email viruses aren't very hard to avoid; it's much easier to secure an email client than a network-connected operating system.

Re:Virus proliferation (1)

Nethead (1563) | more than 8 years ago | (#13401038)

QangMartoq: "What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?"

That's because the suits that put together the co-packaging deal aren't the suits that run tech support. Sales/Marketing vs Operations.

wait a second ... (3, Insightful)

Anonymous Coward | more than 8 years ago | (#13400731)

How about a proper security & permissions architecture and non-exploitable system & application sw? Wouldn't that be better than having to burn CPU cycles looking for this crap?

Not any time soon. (2, Interesting)

Telastyn (206146) | more than 8 years ago | (#13400739)

This sort of technology isn't new. Intrusion Detection systems have used it for 5 years or so, though their targets are better tailored to the setup. Anyways, most of those systems needed to be modified to include signatures.

Why? Because the systems couldn't be guaranteed to win 'bake off' tests versus their signature based competitors. Competitors that often only had signatures for the often ancient and arcane vulnerabilities used in the tests.

Such shiny statistics are like catnip for executives it seems.

Anyways, this sort of setup is wonderful in that not only does it detect new attacks, it's also usually an order of magnitude faster than the signature scanners.

I don't use an antivirus and don't suffer at all (2, Informative)

zlogic (892404) | more than 8 years ago | (#13400762)

Just follow the simple rules:
1) Never install stuff from the browser (like ActiveX etc.)
2) Never open email attachments that are executable (most mailers warn about it)
3) Never download software from third-party sites, only from the vendor's site
4) Scan all suspicious files with an online scanner (or send them through a virus-protected mailbox)
5) Configure your firewall properly (close all ports you don't need)
If you follow these rules you aren't likely to get any infection at all. I didn't have ANY anti-virus software when I had Windows and didn't get ANY infection in about ten years.
Antivirus software on the other hand requires constant updates, slows down PCs (I can determine if an antivirus is running without pressing Ctrl-Alt-Del or looking at the taskbar) and eats your money. What's more, if a virus is new and the user doesn't have the latest updates, he can be easily infected. The only users of antivirus software should be Windows users with relatively no computer experience. This way, the antivirus will probably prevent evil from happening when a user doesn't understand what's happening to his PC.
Oh, and some (but not all) antivirus programs are simply a waste of time and money. This applies to most mobile device software. I remember a Norton Antivirus For PalmOS which had an impressive database of FOUR variations of ONE virus. That's all. And yet it cost something like $30 and required a yearly subscription in order to receive updates.

Would have been more impressive... (1)

bad_outlook (868902) | more than 8 years ago | (#13400791)

>What's really impresive, besides the huge difference between response times among antivirus
>companies, is that two products succeeded to proactively detect all 6 attacks without any
>signature update. "

This would have been more impressive if they had signatures that said "all your base belong to me!" or "in soviet russia, grits pour down portman!" or "/* place sig here */" or the like.

About time. (1)

Vitriol+Angst (458300) | more than 8 years ago | (#13400820)

On the Macintosh, there was an application called "Gatekeeper" (not positive on the name) that was around at least 10 years ago. It basically looked at actions that a virus might take and alerted a user. You had to allow for actions like writing to another application or such.

I have been waiting for this to catch on. I've also been waiting for virus makers to become more sophisticated, but I'm amazed none have learned to use compression and randomize their own signature. My point is, that the clock has been ticking on virus patterns being useful for detecting viruses for years. It's pretty equivalent to blocking email with certain words because that was the title given to a previous email with a trojan horse in it.

Yep, it's the end (0)

Anonymous Coward | more than 8 years ago | (#13400825)

Just like this selected quote from one of the links says:

Of course, we know that the problem related to MS05-039 is not primarily an AV problem, but something for (Personal) Firewalls, IDS/IPS systems and a better patch management. :-)

Hmmm... (1)

bad_outlook (868902) | more than 8 years ago | (#13400827)

I'm using Mailscanner on my mail server, it passes mail through ClamAV (which scored 1/6 on this test) and then BitDefender - the command line version for FreeBSD (which scored 6/6). Perhaps I don't need both...

not just in reference to anti-virus software (1)

meatbridge (443871) | more than 8 years ago | (#13400856)

Why is every third post on technology sites the end of the old way, and the ushering in of something untested? I understand the need to write eye grabbing headlines, but wouldn't saying something threatens the old way be more accurate?

Antivirus is basically bunkum (1, Interesting)

rufusdufus (450462) | more than 8 years ago | (#13400880)

The real story here is that new malware are not normally caught by antivirus programs until they are discovered and updated in the patch file. What percentage of malware have never been discovered before? How many of those are on your computer right now?

Nobody knows.

The only trustworthy solution to malware is a read-only system: the system and application partitions must not be modifiable without rigorous user-initiated discipline including disconnecting from the network and rebooting to a known-clean state.

This sounds crazy, but it is practicable. It requires some technology and some resetting of expectations. One way to think of it is how game systems like the PS/2 operate: you boot the system and save the data to removable media. There are no PS/2 viruses.

What I do today is re-dump my system partition image every couple of days. The image is highly compressed and the dump is actually faster than a virus scan. Now my system partition is perfectly organized. Whenever I want to install some new software, I disconnect from the internet, re-dump, install the new software, and then re-image. Keeps the harddrive nice and organized. I put data files on removable media. It's remarkable how well this system works; and it's great to have peace of mind that my system is not growing crufty over time.

Switch A/V S/W from a blacklists to whitelists? (5, Interesting)

Anonymous Coward | more than 8 years ago | (#13400906)

Wouldn't it be safer to switch from blacklists to whitelists? i.e. Only known safe applications are permitted to run. If some shiny-new-app isn't added to your current A/V whitelist for 48 hours, all that means is you can't run the program for a while. That's an inconvenience. If shiny-new-malware isn't added to an A/V blacklist for 48 hours, major damage can ensue. I'd prefer the former, personally.

Users don't add new apps to their computers that often, and corporations would welcome the chance to ensure only approved and paid-for programs can run on their systems.

When you uploaded free software to a reputable FTP site, getting a suitable signature so that people could download it and use it would become a routine part of the upload procedure, and certainly one that the sort of geeks who use those services can handle.

It's true that a comprehensive whitelist database would be a big file, but why does that matter? No-one runs /every/ piece of software; so the whitelist for the stuff that one particular person uses should be of a manageable size, shouldn't it?

If you use whitelists, the only time code needs to be checked is when new executable code files arrive on a system; given a competent gatekeeper program, all pre-existing stuff will be known-approved and won't need to be checked. That would provide a significant speed-up too.

Is this feasible? Where's the downside?

Polymorphous, anyone? (2, Interesting)

wumpus188 (657540) | more than 8 years ago | (#13400922)

Aren't they writing polymorphous viruses these days? They were pretty common back in the DOS era... pretty hard for AV to catch coz there is *no* signature.

REAL Antivirus! (2, Insightful)

rcbarnes (875915) | more than 8 years ago | (#13401042)

Honestly...

I haven't needed signature-based AV for over a year, and I've never gotten a virus. What's my AV? POSIX. Look at the safety record of POSIX OSs. Only about 40 known viruses for Linux (yes, technically, it's not officially tested, but it does comply with the Single Unix Specification) or MacOS X (I know, it does not quite comply, and has also not been approved either), about 6 for commercial UNIXs. Almost all of these viruses were proofs of concept, and none have been seen in the wild (largely because the concept they proved was promptly secured).