The End of Signature-Based Antivirus Software?
nosig writes "PCMagazine is running a story around the latest AV-TEST response time and proactive detection test for the latest MS05-039 vulnerability related attacks. The test results were announced by the author to the focus-virus discussion list.
What's really impressive, besides the huge difference between response times among antivirus companies, is that two products succeeded in proactively detecting all 6 attacks without any signature update."
Excel sheet Zip file???? (Score:5, Funny)
From the referred posting: You can find the information how fast the AV companies have reacted with a solution against Bozari.A/B, Drudgebot.B, IRCBot!Var and Zotob.A/B in an Excel sheet (18 KB ZIP file) which is available at http://www.av-test.org./ [www.av-test.org]
At first glance this looks like a clever variation on "important document attached" e-mails we all get every day...
Re:Excel sheet Zip file???? (Score:2)
I just updated my virus scanner and I want to see how effective it was according to the tests. But I'm not just going to open that zip just to find out that my virus scanner apparently didn't do that well after all.
Re:Excel sheet Zip file???? (Score:2, Insightful)
Go ahead. It's safe.
(You are using OpenOffice under Linux or BSD, right?)
Re:Excel sheet Zip file???? (Score:2, Funny)
Yeah, but they're running it as root.
Re:Excel sheet Zip file???? (Score:2, Funny)
Re:Excel sheet Zip file???? (Score:3, Insightful)
Perhaps. But unless you are on Windows, with the additional £300 MS Office, you are not going to see a lot?
Straight away, any credibility of a study group issuing information in a non-open-standard application is in doubt.
Re:Excel sheet Zip file???? (Score:5, Funny)
The death of X (Score:5, Funny)
Re:The death of X (Score:3, Funny)
Not my X!
*sob* *hugs monitor running X session*
NGSCB/Palladium (Score:3, Insightful)
Re:NGSCB/Palladium (Score:2)
Re:NGSCB/Palladium (Score:2)
In other words... (Score:3, Funny)
I love the world of GNU/Linux.
Data from the article (Score:5, Informative)
BitDefender 6/6
Fortinet 6/6
Nod32 5/6
eSafe 3/6
F-Prot 3/6
Panda 3/6
QuickHeal 3/6
McAfee 2/6
Norman 2/6
AntiVir 1/6
ClamAV 1/6
Proventia-VPS 3/6
Panda TruPrevent 6/6
Re:Data from the article (Score:2)
is that two products succeeded in proactively detecting all 6 attacks without any signature update
Note that the list is NOT ordered; there are 3 products that scored 6/6.
Re:Data from the article (Score:5, Insightful)
Why not Grisoft AVG? (Score:3, Informative)
Panda TruVent found 3/6 (Score:4, Informative)
Sandbox (Score:5, Interesting)
Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then pass the IO requests directly to the system.
So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, and then the AV would nip it in the bud.
Re:Sandbox (Score:2)
Build an AV system that creates a VM sandbox that would then allow a program to run to see what it would do, and if determined to work normally, then pass the IO requests directly to the system.
Do you mean for a limited time so that it does not hurt performance (in which case worms/viruses can get around it by sleeping for a predefined time) or do you mean running in a VM all the time, which is actually just good ACLs for userland applications (something I have been preaching along with an easy UI
Re:Sandbox (Score:2)
So your copy of Word (okay, bad choice) would run normally, but anything that you download from the net would run inside of a VM.
Re:Sandbox (Score:4, Interesting)
I apologise in advance for not having a link or a reference. I did a quick read on a paper from SANS [sans.org], wherein they commented on an exploit referred to as "the red pill". IIRC the gist of the exploit is that it tests for the memory segment it is run in. A VM sandbox runs in a higher memory segment. If the exploit tests and finds itself being run in a higher memory segment it becomes dormant; if, OTOH, it tests and finds it's being run in a lower memory area it releases its payload.
Sorry I can't link to the pdf. I have the file but haven't the time to search for it at the moment.
cheers
Re:Sandbox (Score:3, Interesting)
How does it find that out honestly? It's running in a sandbox.
Unless it's running in a really crappy sandbox. The point of this protection mechanism is to dupe the virus into running normally....
how long do you quarantine? (Score:2)
Re:how long do you quarantine? (Score:2)
If the program is from an unknown, non trusted site, then you can never fully trust it, now can you?
Re:Sandbox (Score:2)
There's your problem right there. How do you differentiate between work normally and not? Viruses aren't doing anything that the HARDWARE of the system wasn't designed to do... they're just subverting the software.
You say:
So a worm or virus would begin to make calls out to the various sub-systems to hide itself and open up ports, then the AV would nip it in the bud.
Well first off a program has to go to extra lengths to make itself visible; a hidden task is the default runn
Re:Sandbox (Score:2)
Re:Sandbox (Score:2)
Re:Sandbox - No, this doesn't work (Score:2)
Is it possible that you are confused? The Halting Problem DOES guarantee that no virtual sandbox can be created which will review any program and verify that it never engages in virus-like behavior. But I fail to see how it proves anything ab
The problem isn't the software... (Score:4, Insightful)
People here always clamor about how poorly Windows is designed and how it leaves people so open to attack. The truth is, even if everyone in the world used Linux, the hackers would still write viruses to exploit the same vulnerabilities stemming from the ignorant masses.
Re:The problem isn't the software... (Score:2)
A-men! I used to work for a company that used MS Exchange for e-mail among a handful of offices scattered around the US. Thankfully I was in an office made up mostly of tech-savvy people. Whenever word got out of a new virus/worm e-mail message our IT department would send out a warning message like "Don't open any e-mail with a subject line of 'foo'". Nobody in our office ever did, but throughout
Re:The problem isn't the software... (Score:3, Informative)
very non-technical idiot in the other offices opened up multiple copies of those e-mails anyway.
You're confusing idiocy, with reasonable expectations. I expect that my e-mail program will read e-mail. I expect that when I open an e-mail it will display the text, included images, and, if I request it, it will display remote images. My e-mail client does that, and so did my last 3 or 4 e-mail clients over the last 10 years. What I do not, and should not expect, is for my e-mail program to run a virus, i
Re:The problem isn't the software... (Score:2, Insightful)
Linux would not get this many viruses if it was as popular as Windows because Linux doesn't have these "same vulnerabilities". For one thing, while a default Windows install has countless "services" enabled that would allow a malicious user or program to gain access to the system, a typical Linux install would have absolutely no point of entry for these types of attacks unless the user chooses to enable them.
Other types of problems such
Re:The problem isn't the software... (Score:5, Insightful)
Your post reads like you've never thought to question any of the rhetoric associated with OSS. Have you ever heard of social engineering? How about the fact that you wouldn't need root privileges to install a keylogger on a user's account if you can get them to run a malicious program?
Are you going to try and suggest that if we all ran Linux that an exploit for MySQL wouldn't be just as bad as SQL slammer? There are plenty of applications which are installed on the vast majority of Linux systems, like the kernel, bash, XFree86, etc.. If one of those had a major security vulnerability how is the lack of a "monoculture" going to help you?
Just about everyone who posts something like what you did points out that most Linux users do not run under root. Guess what? That's because most of them are computer geeks like me, and I would assume you. I don't run Windows under my admin account and I don't run Linux under root. If the average user moves to Linux, they will probably end up running everything under root, because the average user doesn't want to deal with two logins and having to move from one to the other to do certain tasks. If you think somehow it will magically solve that problem because it's Linux, you're fooling yourself.
Re:The problem isn't the software... (Score:5, Insightful)
Re:The problem isn't the software... (Score:2)
Re:The problem isn't the software... (Score:2)
Except worms propagate on their own, not by clueless users opening random attachments. The only thing the clueless user is guilty of in this case is not patching their software.
I don't doubt the number of viruses for Linux (Or OS X, or FreeBSD, or any other non-Windows OS) wou
Re:The problem isn't the software... (Score:2)
Linux, Mac OSX, and Windows all run programs as the user; there is no way to run an untrusted application, and that is the heart of the problem. You can talk all you want about Windows vs Linux, but you need to step back and look at the big picture.
ACL based security is fine if you never need new code, and manage to kill all the bugs in the existing code... but of course that's impossible.
Capability based security models make it
Re:The problem isn't the software... (Score:2)
&etc.
The issue is the same whether or not Windows, Linux, or another OS is concerned.
Note that a lot of Unix mailers probably fail these tests.
Except for MS05-39, of course (Score:3, Informative)
However, what this article is about is worms. Specifically, "flash" worms that spread faster than AV vendors can respond with signature updates. Worms don't spread through user interaction, they spread through vulnerabilities in the OS/application suite, and they spread FAST. Most places were hit with Zobot hours before users had much if anything to do with it, and in some cases days before virus signatures were out.
even if everyone in the world used Linux, t
Re:The problem isn't the software... (Score:2)
Re:The problem isn't the software... (Score:4, Insightful)
Windows viruses usually don't propagate by modifying system files and whatnot. They do it just through the user's own account.
If a UNIX user opened what was advertised as a pr0n screensaver, and it wound up infecting his
The problem is the culture that Windows has engendered, which says "everything should be automagic -- don't think! -- just click and the world will be yours!" It was caused by Windows, but bringing users of the same mentality to UNIX will just cause the problem to exist on UNIX, too.
Re:The problem isn't the software... (Score:5, Insightful)
The problem is the culture that Windows has engendered, which says "everything should be automagic -- don't think! -- just click and the world will be yours!"
I call this the "OK/Cancel" problem. Users get into the mindset that if they just click OK all the time things will work. You have to click OK a dozen times a day to keep your computer working, just like adding gas to a car. After a little while they don't even pay attention to what is being asked.
Part of the solution is simply to use better dialogue windows and part of it is to give the user better choices. I remember in Word (back in the day) I would get a dialogue box that said, "Warning, this Word file contains macros that may be viruses, open it anyway? OK/Cancel" Talk about useless. What it needed was a button that said, "open the file, but don't run any macros." I know people who would have paid $500 bucks for that option. Aside from all the viruses that autorun (which are pretty much MS's fault), e-mail should never run executables when clicked without attaching a warning that says, "this is a program, not a file. It may be a virus (Don't run)/(Run but don't allow access to my files or the internet)/(Run and let it access my files and the internet.)" That would stop most viruses right there. If Linux was the market leader it would have some of the same problems, but I bet someone would include that dialogue box and make all our lives easier. This is partially a problem with users, but mostly it is a problem with functionality. Users need fine-grained control, good default settings, and a good user interface that lets them know what it is they are doing. I haven't seen all three of those yet, anywhere, but it is very possible. The only reason it does not exist is because MS doesn't care because it has a monopoly and Apple/Linux developers don't have a problem yet and are thus not motivated to solve it.
Re:The problem isn't the software... (Score:2, Interesting)
No, users need to know what the heck they are doing. The problem with Windows is that it was selling people the idea that you could do complex tasks with a computer without actually knowing what you are doing. That idea is plain false. You either have to have tasks which are simple in reality, or have tasks that are complex in reality. That doesn't mean that they have to be h
Re:The problem isn't the software... (Score:3, Interesting)
predict all of the needed options. The fact that you know of an option or two that everyone needs does not mean that all needed options are known.
You're mistaken. There is no reason to predict all possible options. You need merely provide a few, easy to understand template ACLs and let the programs request additional resources. If Windows did this two things would happen very quickly. First developers would write programs to match up with the templates to minimize user support costs. Two users would be
Re:The problem isn't the software... (Score:2, Insightful)
For the average joe that's the way it should be. Just like the TV, microwave, car, etc. They're not buying a Heathkit. They want a working appliance. The thing should be every bit as trustworthy and reliable and durable as a typewriter and an adding machine and an old style desk phone. When defects show up in these things, we usually take it to the sho
Re:The problem isn't the software... (Score:2)
Yes, if the process is truly simple. However, in the cases where the processes aren't truly simple, the facade of simplicity should be removed. This would include most Windows applications.
If you want a Windows application that actually _is_ simple, I have an example, but can't remember the name. Basically, it had a bunch of templates that you HAD to follow the template. It didn't allow you to screw around and total
Re:The problem isn't the software... (Score:4, Insightful)
Re:The problem isn't the software... (Score:2)
Tell me, what is it about Unix and other similar systems that prevents a malicious executable from wreaking havoc on the machine when run by a user in possession of the root password?
Don't tell me about having to use chmod, or file system permissions, or anything like that; I know all that. I am talking about a user, with the root password, a desire to run this cool-sounding app he's just downloaded, and enough knowledge to chmod +x file && sudo
Re:The problem isn't the software... (Score:5, Informative)
He might. I am wondering just how much you know about it though...
From what I have read, many (but not all) trojans, viruses and spyware can operate just fine in user space, without needing to be root. It all depends on what the vx'er wanted to achieve. Sure, if they want to 0wn j00, they want root access. But you would not need root access to:
There are lots of malevolent things that could be done without being root. Fortunately, the vx'ers want the most bang for the buck and target windows users.
The pp's point was entirely valid. It has just as much to do with user education as it does with securing your boxen.
Re:The problem isn't the software... (Score:2)
Re:The problem isn't the software... (Score:2, Informative)
I can easily lock my Windows machine down as tight as Linux. The problem is that half the software won't install in such a restricted account, and even if it does, it's likely to fall down later on.
Linux/UNIX users are used to avoiding running as root. Most Windows users never give it a thought, and those that do often give up when the software won't install or won't run under a restricted account.
I guess Microsoft could create a default us
Re:The problem isn't the software... (Score:2)
To follow up and expand on this point:
Re:The problem isn't the software... (Score:2)
It's fscking vaporware that won't be out until 2007!!!
Let's have this discussion again in 2 years, 'kay?
Death of? (Score:5, Insightful)
Hotmail is doing this already? (Score:5, Informative)
I base this on the fact that, after exporting a document from StarOffice 7 directly to a
So there you have it, any file with a suspicious name must contain a virus. Easy, reliable detection.
Re:Hotmail is doing this already? (Score:2, Interesting)
In the case of Hotmail, the primary trait used in determining whether a file contains a virus is whether or not it has a really long name and more than one "."
<conspiracy>
Interesting, as a significant number of linux apps are distributed in the form APPNAME.V.R.S.tar.gz.
</conspiracy>
Re:Hotmail is doing this already? (Score:2)
How do you flag one as potentially dodgy (which it is) without getting false positives for the other?
Re:Hotmail is doing this already? (Score:2)
Simple. By scanning the contents of the file. Sure it may take a little time, but seriously, look at the contents of the file. Never assume the file-extension is right. Also, mime-types are good things to check.
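The approach this reply describes, deciding by file content and treating the name only as a claim to be checked, as an added example that is not part of the original thread. It is Python written for this page; the magic-number table uses the well-known file signatures, the extension table and the sample attachments (including the many-dotted APPNAME.1.2.3.tar.gz case from the thread) are constructed for the demonstration, and the samples are synthetic headers rather than real files. It also looks inside ZIP containers for members whose names claim to be executables, which goes one step beyond the reply's single-file case.

```python
import io
import os
import zipfile
from typing import Dict, List, Optional

# Well-known file signatures ("magic numbers"); longer prefixes listed first.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
    (b"%PDF-", "application/pdf"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x1f\x8b", "application/gzip"),
    (b"MZ", "application/x-dosexec"),
]

# What the *last* extension claims the file is; unlisted extensions claim nothing.
# (Table constructed for this example; extend as needed.)
EXTENSION_CLAIMS = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".zip": "application/zip", ".pdf": "application/pdf",
    ".gz": "application/gzip", ".tgz": "application/gzip",
    ".txt": "text/plain",
    ".exe": "application/x-dosexec", ".scr": "application/x-dosexec",
    ".dll": "application/x-dosexec", ".com": "application/x-dosexec",
}
EXECUTABLE_TYPES = {"application/x-dosexec"}
EXECUTABLE_EXTENSIONS = {ext for ext, mime in EXTENSION_CLAIMS.items() if mime in EXECUTABLE_TYPES}


def sniff_type(data: bytes) -> str:
    """Type by content: the first matching magic number wins."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def claimed_type(filename: str) -> Optional[str]:
    """Type by name: only the final extension matters, however many dots precede it."""
    return EXTENSION_CLAIMS.get(os.path.splitext(filename)[1].lower())


def classify(filename: str, data: bytes) -> Dict[str, object]:
    """Flag executable content, name/content mismatches, and executables inside archives."""
    actual = sniff_type(data)
    claimed = claimed_type(filename)
    flags: List[str] = []
    if actual in EXECUTABLE_TYPES:
        flags.append("executable-content")
    if claimed is not None and claimed != actual:
        flags.append(f"extension-mismatch:{claimed}->{actual}")
    if actual == "application/zip":
        # Look inside archives too: the risky part is usually a member, not the container.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTENSIONS:
                        flags.append(f"archive-contains-executable:{member}")
        except zipfile.BadZipFile:
            flags.append("corrupt-archive")
    return {"name": filename, "claimed": claimed, "actual": actual,
            "flags": flags, "verdict": "flag" if flags else "ok"}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: synthetic headers only, not real files or malware.
SAMPLES = {
    "holiday_photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "APPNAME.1.2.3.tar.gz": b"\x1f\x8b\x08" + b"\x00" * 16,  # many dots, perfectly legitimate
    "invoice.pdf.exe": b"MZ" + b"\x90" * 16,                  # double extension: .exe is what counts
    "README.txt": b"MZ" + b"\x90" * 16,                        # executable content behind a harmless name
    "results.zip": build_zip({"results.xls": b"\xd0\xcf\x11\xe0" + b"\x00" * 8,
                              "update.scr": b"MZ" + b"\x90" * 8}),
}


def scan_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Verdict per sample name."""
    return {name: classify(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(classify(name, data))
```

Run it and the many-dotted tarball passes while README.txt is flagged twice (executable content, and a text/plain claim its bytes do not support); the ZIP is flagged for the .scr member it carries even though the container itself is a valid archive. A real gateway would add the declared MIME type from the mail headers as a third opinion and compare all three.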
Re:Hotmail is doing this already? (Score:2, Informative)
Getting a virus by opening an email was just a myth until Microsoft made it a reality. Adobe is doing the same with PDF now, by introducing a bunch of javascript/multimedia BS that can be integrated in PDFs.
Signature is the only way to scan on entry (Score:5, Insightful)
I don't know about you, but I saw this coming. (Score:4, Funny)
Missing end of summary (Score:3, Informative)
Thanks, but I prefer not to throw the baby out with the bathwater.
Re:Missing end of summary (Score:2)
Windows Worms (Score:2, Insightful)
Heuristics (Score:5, Interesting)
Disclaimer: I worked for a household-name antivirus sw firm in the past and now work for one that filters network-based viruses as a network service.
Virus proliferation (Score:5, Insightful)
Why is that? From personal experience, most people I know run some form of AV software, which is good. They do not however, keep it updated! Let's examine why this is.
Average Joe buys a Dell. It comes with AV software, such as Norton or McAfee preloaded.
The software has a finite length of time (usually 3 to 6 months) before the user must pay to continue getting updates.
Average Joe doesn't see why they should have to pay to keep their AV software updated. ("I paid $XXX for this machine, and they want more? Heck no.")
While that may be a valid objection, it doesn't help to stop the spread of viruses. So what is the solution?
In my personal opinion, the solution is to make basic AV software, and any required updates, free of charge for the user. Software that fits this description (example: Grisoft AVG Free Edition [grisoft.com]) is already available.
What I cannot understand is why PC manufacturers do not use something like the above instead of "pay for updates" products. It would reduce their support calls dramatically, would it not?
Re:Virus proliferation (Score:3, Interesting)
Which stone are you hiding under?
Putting free stuff on gets them nothing, whereas something people may pay for in the future will.
The company will give them incentives, maybe pay them a small amount to bundle, give them concessions on other software to bundle etc.
Furthermore, yes I use AVG free edition on my windows
Re:Virus proliferation (Score:2)
Re:Virus proliferation (Score:2)
Virus scanning for anything other than
Re:Virus proliferation (Score:2)
That's because the suits that put together the co-packaging deal aren't the suits that run tech support. Sales/Marketing vs Operations.
off-warranty service calls and kickbacks (Score:2)
Faster than updates (Score:2)
Re:Virus proliferation (Score:5, Funny)
Understandable. $30 was a lot of money in ancient Roman times.
Re:Virus proliferation (Score:2)
AVG Free Edition is available free-of-charge to home users! AVG Free Edition is for private, non-commercial, single home computer use only.
Use of AVG Free Edition within any organization or for commercial purposes is strictly prohibited.
wait a second ... (Score:3, Insightful)
Re:wait a second ... (Score:2)
Re:wait a second ... (Score:4, Insightful)
Building a secure OS (where the user can still install their own s/w) is pretty-much agreed to be nowhere near doable these days, so we "burn CPU cycles" dealing with the problems that the developers missed. Seems like an intelligent response to me.
Not any time soon. (Score:3, Interesting)
Why? Because the systems couldn't be guaranteed to win 'bake off' tests versus their signature based competitors. Competitors that often only had signatures for the often ancient and arcane vulnerabilities used in the tests.
Such shiny statistics are like catnip for executives it seems.
Anyways, this sort of setup is wonderful in that not only does it detect new attacks, it's also usually an order of magnitude faster than the signature scanners.
I don't use an antivirus and don't suffer at all (Score:2, Informative)
1) Never install stuff from the browser (like ActiveX etc.)
2) Never open email attachments that are executable (most mailers warn about it)
3) Never download software from third-party sites, only from the vendor's site
4) Scan all suspicious files with an online scanner (or send them through a virus-protected mailbox)
5) Configure your firewall properly (close all ports you don't need)
If you follow these rules you aren't likely to get any infection at all. I didn't have ANY anti-vir
Re:I don't use an antivirus and don't suffer at al (Score:2)
Would have been more impressive... (Score:2)
>companies, is that two products succeeded in proactively detecting all 6 attacks without any
>signature update. "
This would have been more impressive if they had signatures that said "all your base belong to me!" or "in soviet russia, grits pour down portman!" or "/* place sig here */" or the like.
About time. (Score:2)
I have been waiting for this to catch on. I've also been waiting for virus makers to become more sophisticated, but I'm amazed none have learned to use compression and randomize their own signature. My point is, that the clock has been
Hmmm... (Score:2)
Antivirus is basically bunkum (Score:2, Interesting)
Nobody knows.
The only trustworthy solution to malware is a read-only system: the system and application partitions must not be modifiable without rigorous user-initiated discipline including disconnecting from the network and rebooting to a known-clean state
Re:Antivirus is basically bunkum (Score:2)
First(directed at hollywood), drop the idea that media which is PLAYED by the customer can be restricted. Anything I can see or hear can be recorded.
Second, look at trusted computing as a form of way to secure a computer to KNOW FOR SURE there's no easy way for unauthorized programs to enter. Data and executable parts of memory can be separated, a hardware encryption chip can be integrated, and many small ram banks on devices could be
Switch A/V S/W from a blacklists to whitelists? (Score:5, Interesting)
Users don't add new apps to their computers that often, and corporations would welcome the chance to ensure only approved and paid-for programs can run on their systems.
When you uploaded free software to a reputable FTP site, getting a suitable signature so that people could download it and use it would become a routine part of the upload procedure, and certainly one that the sort of geeks who use those services can handle.
It's true that a comprehensive whitelist database would be a big file, but why does that matter? No-one runs
If you use whitelists, the only time code needs to be checked is when new executable code files arrive on a system; given a competent gatekeeper program, all pre-existing stuff will be known-approved and won't need to be checked. That would provide a significant speed-up too.
Is this feasible? Where's the downside?
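The gatekeeper this post describes, as an added example that is not part of the original thread or of any product: the publisher side emits a manifest of SHA-256 hashes for approved files (the "suitable signature" obtained at upload time), and the client side refuses to pass anything whose hash is not on the list. The code is Python written for this page; the approved program contents, their names and the "sha256  name" manifest format (the shape sha256sum prints) are assumptions of the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed stand-ins for approved programs (not real binaries).
APPROVED_PROGRAMS = {
    "editor.exe": b"MZ" + b"editor-v1" * 4,
    "mailer.exe": b"MZ" + b"mailer-v2" * 4,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(programs: Dict[str, bytes]) -> str:
    """Publisher side: one 'sha256  name' line per approved file (sha256sum's layout)."""
    return "".join(f"{sha256_hex(blob)}  {name}\n" for name, blob in sorted(programs.items()))


def load_manifest(text: str) -> Dict[str, str]:
    """Gatekeeper side: parse the manifest into hash -> name, rejecting malformed lines."""
    allow: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        allow[digest] = name
    return allow


class Gatekeeper:
    """Allow only content whose hash is on the list; the file name plays no role."""

    def __init__(self, allowlist: Dict[str, str]):
        self.allowlist = allowlist
        self.log: List[Tuple[str, str, str]] = []  # (name seen, decision, reason)

    def decide(self, name: str, data: bytes) -> str:
        digest = sha256_hex(data)
        if digest in self.allowlist:
            decision, reason = "allow", f"matches approved {self.allowlist[digest]}"
        else:
            decision, reason = "deny", "hash not on whitelist"
        self.log.append((name, decision, reason))
        return decision

    def decide_path(self, path) -> str:
        """Same check for a file on disk, the way a gatekeeper would run it on arrival."""
        path = Path(path)
        return self.decide(path.name, path.read_bytes())


def demo() -> Dict[str, str]:
    gate = Gatekeeper(load_manifest(build_manifest(APPROVED_PROGRAMS)))
    results = {}
    results["editor.exe"] = gate.decide("editor.exe", APPROVED_PROGRAMS["editor.exe"])
    # A renamed copy of an approved file is still the approved file: content decides, not name.
    results["totally_not_editor.exe"] = gate.decide("totally_not_editor.exe", APPROVED_PROGRAMS["editor.exe"])
    # A copy with a single byte changed (patched, infected, or just a newer build) is unknown.
    tampered = bytearray(APPROVED_PROGRAMS["mailer.exe"])
    tampered[-1] ^= 0xFF
    with tempfile.TemporaryDirectory() as tmp:
        on_disk = Path(tmp) / "mailer.exe"
        on_disk.write_bytes(bytes(tampered))
        results["mailer.exe (modified, on disk)"] = gate.decide_path(on_disk)
    # A fresh download nobody has approved.
    results["cool_screensaver.scr"] = gate.decide("cool_screensaver.scr", b"MZ" + b"unknown" * 4)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:5s}  {name}")
```

The demo makes the post's trade-off concrete: the renamed copy is allowed and the one-byte-different copy is denied, so every legitimate update needs a manifest entry before it can run. A deployable version would also verify a signature over the manifest itself, since the list is only as trustworthy as the channel it arrived through.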
Re:Switch A/V S/W from a blacklists to whitelists? (Score:2)
Servers are another matter entirely, and I think your ideas have merit in that environment. Server software tends to be updated infrequently, and is usually maintained by intelligent people.
The downside is that it still requires the whitelist to be updated. It would probably work in a corporate environment, as you mentioned, where most normal users are only allowed to r
Polymorphous, anyone? (Score:2, Interesting)
not really (Score:2)
Re:Polymorphous, anyone? (Score:2)
REAL Antivirus! (Score:2, Insightful)
I haven't needed signature-based AV for over a year, and I've never gotten a virus. What's my AV? POSIX. Look at the safety record of POSIX OSs. Only about 40 known viruses for Linux (yes, technically, it's not officially tested, but it does comply with the Single Unix Specification) or MacOS X (I know, it does not quite comply, and has also not been approved either), about 6 for commercial UNIXs. Almost all of these viruses were proof-of-concepts, and none have been seen in the wild (largel
Re:REAL Antivirus! (Score:3, Insightful)
You did mean to say *NIX, didn't you?
I'm an avid Linux user, but I couldn't say that safety is the problem here. Install an application as a normal user in userland and this application is virus prone.
Same goes for OSX. Almost all applications are d'n'd-ed to the Application folder. Only installable applications are installed with a higher user. You can simply modify
#!/bin/sh
rm -y
appl
Re:well (Score:5, Informative)
It just means that they already had the signature.
No, it means that the AV program was using "proactive virus protection."
That simply means that the AV program monitors the behavior of programs and makes sure they don't violate security policy. If they do, the AV software assumes it is a virus.
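The behaviour-policy idea described here, and the sandbox proposed earlier in the thread (watch what a program does and only pass its I/O requests through while it behaves normally), as one added example that is not part of the original thread or of any AV product. It is Python written for this page: the event model, the four policy rules, their weights, the blocking threshold and the three process traces are all constructed assumptions. The worm-like trace and the port-scanning trace are blocked; the browser passes; the installer trips the same two rules as the worm, which is the false-positive cost of this approach shown in the open.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    pid: int
    action: str   # "write_file", "set_autorun", "listen", "connect"
    target: str   # path, registry value, port or host (all constructed)


SYSTEM_DIRS = ("c:\\windows\\", "/usr/bin/", "/etc/")


def _writes_system_dir(e: Event) -> bool:
    return e.action == "write_file" and e.target.lower().startswith(SYSTEM_DIRS)


class BehaviorMonitor:
    """Score each process against the policy; once a process crosses the threshold,
    its further I/O requests are refused instead of being passed to the real system."""

    def __init__(self, block_threshold: int = 5, connect_limit: int = 20):
        self.threshold = block_threshold
        self.connect_limit = connect_limit
        self.scores: Dict[int, int] = {}
        self.hits: Dict[int, List[str]] = {}
        self.hosts: Dict[int, Set[str]] = {}
        self.blocked: Set[int] = set()
        # Policy: (rule name, weight, predicate). Weights are assumptions of this example.
        self.rules: List[Tuple[str, int, Callable[[Event], bool]]] = [
            ("write-to-system-dir", 2, _writes_system_dir),
            ("persistence-via-autorun", 3, lambda e: e.action == "set_autorun"),
            ("listen-on-port", 2, lambda e: e.action == "listen"),
            ("scan-like-connect-fanout", 5, self._fanout_exceeded),
        ]

    def _fanout_exceeded(self, e: Event) -> bool:
        """Stateful rule: fires once, when a process has contacted connect_limit distinct hosts."""
        if e.action != "connect":
            return False
        seen = self.hosts.setdefault(e.pid, set())
        seen.add(e.target)
        return len(seen) == self.connect_limit

    def observe(self, e: Event) -> str:
        """Return 'pass' if this request may be forwarded to the system, else 'block'."""
        if e.pid in self.blocked:
            return "block"
        for name, weight, pred in self.rules:
            if pred(e):
                self.scores[e.pid] = self.scores.get(e.pid, 0) + weight
                self.hits.setdefault(e.pid, []).append(name)
        if self.scores.get(e.pid, 0) >= self.threshold:
            self.blocked.add(e.pid)
            return "block"
        return "pass"


RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Constructed traces; nothing here is captured from a real system.
TRACE: List[Event] = [
    # pid 101, worm-like: copies itself into the system directory, sets autorun, opens a port.
    Event(101, "write_file", "C:\\Windows\\System32\\worm_copy.exe"),
    Event(101, "set_autorun", RUN_KEY + "worm_copy"),
    Event(101, "listen", "8888"),
    # pid 202, a web browser: a few connections, writes only inside the user's profile.
    Event(202, "connect", "www.example.com"),
    Event(202, "connect", "cdn.example.net"),
    Event(202, "write_file", "C:\\Users\\joe\\Downloads\\report.pdf"),
    # pid 303, a legitimate installer that does two of the same things: the false positive.
    Event(303, "write_file", "C:\\Windows\\Fonts\\newfont.ttf"),
    Event(303, "set_autorun", RUN_KEY + "updater"),
    # pid 404, a scanner: nothing but connections, one per host across a /24.
    *[Event(404, "connect", f"10.0.0.{i}") for i in range(1, 26)],
]


def run_trace(events: List[Event], monitor: "BehaviorMonitor" = None) -> Dict[int, str]:
    """Feed a trace through the monitor and report the final verdict per process."""
    if monitor is None:
        monitor = BehaviorMonitor()
    for e in events:
        monitor.observe(e)
    return {pid: ("blocked" if pid in monitor.blocked else "allowed") for pid in {e.pid for e in events}}


if __name__ == "__main__":
    mon = BehaviorMonitor()
    for pid, verdict in sorted(run_trace(TRACE, mon).items()):
        print(pid, verdict, mon.hits.get(pid, []))
```

Two design points worth noticing: the worm is stopped at its second event, so its listen and any later requests never reach the system, and the scanner is caught by a rule that needs memory across events, which a per-call check cannot express. Tuning the weights to let the installer through without letting the worm through is exactly the loophole-versus-false-positive tension the thread is arguing about.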
Re:well (Score:3, Informative)
A policy approach is practically an AI problem. We can describe it in terms of patterns, but it should be very easy to find a loophole in the logic (or too many false positives). Most importantly, the problem frequently begs for intrinsic knowledge of a system - but the whole goal is to find a general solution to specific problem
Re:well (Score:2, Funny)
Mod parent down. The properly shoddy example would have had something to do with cars.
Slashdot: News for Nerds, Stuff that Matters, Bad Car Analogies.
Re:well (Score:3, Informative)
Unfortunately, according to TFA, the programs that did the best "proactive" virus detection also tend to catch a lot of false positives.
Kinda like shooting squirrels with cruise missiles. Effective....yes. But was it worth taking out the tree/yard/half a house the squirrel was next to?
Re:well (Score:2)
Re:well (Score:4, Funny)
I might suggest that, but I don't want a sudden string of viruses to attack my computer...
Re:well (Score:2)
It is interesting to look at how the stocks of the AV companies (large ones) are performing in the 6 months before a sudden and major virus release.
But that is coincidental.