Effective
Telecoms people have been using a very similar thing for years to control revenue leakage. It works very well. I hope it works as well for this.
Signature-based malware identification has been around since the dawn of the computer security industry, but McAfee has said it's dumping the system – or rather, adapting it – in an upgraded security suite which will (it claims) virtually eliminate susceptibility to botnets. McAfee's malware signature database has grown to …
But in the last review of anti-virus products by a web magazine, McAfee rated DEAD LAST with the largest number of allowed intrusions. Which is disconcerting, as a friend I know uses McAfee, and I must therefore get him to switch away from it. More likely, do the switch for him.
Kaspersky got the top rating in the test results.
"But in the last review of anti-virus products by a web magazine, McAfee rated DEAD LAST with the largest number of allowed intrusions"
"Ah, but that was the last version", said the sales rep looking nervous and sweaty, "the next version will be the best ever and will stop all botnets!"
Note though, that they're only claiming success for botnets, not every other type of virus out there.
Let's not be judgmental, now. McAfee's doing pretty well for a bunch of junior guys in a converted warehouse in Bangalore.
Oh. You mean that's not what they are? You say INTEL owns them??!! Odd, that. To their customers, they certainly seem like a bunch of junior guys in a converted warehouse in Bangalore.
McAfee says it has ... integrated its various modules much more tightly with each other.
McAfee, like so many other tech companies, has made a business out of targeted acquisitions. They have a number of products that do a number of things, most of which are complementary to each other. What they do not have is good integration. See how well multiple admins can set up rules in the DCM/DLP module at one time within ePO for an example of this (hint: only one at a time, per ePO server). Heck, they don't even have internal consistency for some products. Menus and permission sets are pretty much in the same condition they were found in when the various products were acquired. Data is sent to databases but cannot be accessed from within the application's reporting system. Not what I would call good integration.
I look forward to seeing this promised improvement, at which point I will believe it.
I can't wait to see what entirely innocent programs just happen to meet McAfee's half-tested heuristics and get sidelined. Probably on someone's main cloud server framework.
It would almost be funny, except that our corporate IT policy is to run McAfee, and I can't connect to the company network if I don't :(
I'm not even sure I understand their marketing message.
A botnet is a collection of computers carrying out tasks (such as spam, DDOS, web proxying and sometimes even hosting) on behalf of the bad guy. It isn't something a computer can be susceptible to. Perhaps they mean that it prevents them from being infected with an item of Malware which turns the computer into a Bot. Interesting... bots can be installed by mass mailers, targeted trojans, malware hosted on compromised websites, malware on USB sticks and even by idiot users who decide to become part of a hacking collective and voluntarily install a bot onto their machine.
So perhaps what they are trying to say is that their new improved protection NOW prevents computers from being infected with malware (unlike before)? Or, perhaps what they are saying is that they have realised that reactive, signature-based malware detection is no longer sufficient to protect computers in the modern era, now that malware has the ability to spread globally before the AV companies have a chance to create and distribute a signature; and if this is the case, then WTF do they think they have been doing since Bubbleboy was released in 1999???
No, No, I think I've got it... What they are really trying to say is "BUY OUR STUFF, It's less bad than it used to be"
Please note, I am not specifically anti-McAfee, I am anti-marketing bull.
AC as the views of the voices in my head may not be acceptable to my employer.
Read that part very carefully, I have quoted it below:
As for rootkits – a particular Intel bugbear – McAfee touted a recent test by AVLabs that it sponsored that highlighted the effectiveness of part of its suite at cutting this attack vector short (although it did not specify testing criteria). The tests give McAfee a 100 per cent rating at killing rootkits, compared to 83 per cent for Microsoft and 67 per cent for Symantec.
Did you note the emphasized words?
So, I agree. Suspicious figures or paid-for lies? You decide.
Read that part very carefully, I [am foaming at the mouth] below...
Yes, thanks, no one else reading the article noticed that McAfee sponsored that study, or has ever considered the possibility that research might be affected by its funding source, sometimes to the point of being completely compromised. Had you not pointed that out, we all would have taken the McAfee statement as gospel.
But, hey, you wouldn't want to miss yet another opportunity to accuse someone of shilling.
Really, please, grow up. Even if a single reader here is likely to base their opinion of that "test" - about which we have so little information as to render it meaningless - on the question of whether the outcome was influenced by McAfee sponsorship, your pointing that question out will come as a surprise to exactly no one. Boldfacing some words in the quote, then pointing out to your readers that you'd boldfaced them, is childish and inane.
Obtain multiple Linux distributions.
Select apps and kernel source code you want to run. Avoid ones that require a virtual machine running on top of the hardware.
Cross-reference across versions to locate any changes between them, i.e. potential trap doors. Do this with 2 different comparison tools to avoid one that's fixed to ignore trapdoor code if it receives a specific marker, or code your own. You'll do this for any future apps you load.
Define new processor architecture with opcode bit patterns chosen at random (to prevent guessing if samples of your object code fall into the wrong hands) and implement it. For extra obfuscation make it a stack architecture running an unusual bit length.
Hack code generators for the apps and kernel languages you're going to compile.
Re-build kernel & apps to new architecture & install on system.
Change or delete any default accounts/passwords. Set up low-privilege working account(s) where you do most of your work, view your p0rn etc.
Change default router password and set router to ignore all calls from the internet to your address (so you're invisible except to your ISP). Disable universal plug and play (and most other things).
Congratulations. You should be malware free and anything that gets into your system (infected email attachment?) will have no way to execute. Like a border post backed by 1,000 km of desert. Anything that gets in will die.
Now how many of you are paranoid enough to actually implement this strategy?
Actually, the probability that your v1.0 of all that will be bug free is low enough that it would be safe to bet the rent there's a vulnerability there somewhere. Your actual protection stems not from all the mucking about, but from the fact that you created a one-off configuration and nobody can be bothered to crack it.
>the fact that you created a one-off configuration and nobody can be bothered to crack it.
Which would also completely embody the discredited idea of security through obscurity.
As there is going to be a vulnerability somewhere in your configuration, given the right motivation someone will eventually crack it. There is nothing which is completely secure, you just have to figure out a way to make the amount of time, money and work it would take to breach your configuration large enough to deter an aggressor.
Having done all that, of course, I'd run my target OS inside a VM which itself is inside a VM which itself etc to maybe a depth of 12.
Each VM (different implementations of course) is running separate virus detection / fire walls / etc, so only incoming data that passes all of one VM's sniff tests makes it to the next level.
For an infecting virus that is trying to reach my app in the target OS, the effect would be like running the gauntlet in a very-hard-to-win first-person shooter with no ability to save at crucial points.
With a 12-core processor, my nicely snuggled app would not even notice the latency in handling incoming data.
There is some research going on into assisted proof of software.
Essentially, whenever you write a piece of code you need to prove that it works correctly. This proof will be checked by the compiler (just like some compilers can already check for array boundaries, etc.). The current research is about how to make a language which integrates code and proof in a good fashion so it's not too much overhead.
In the end you can, for example, prove that data marked "private" will never reach the network card driver. And that you will never overwrite your stack. Some people even go further and add types to the memory so your CPU can check for types. Those types can include features like "private" or "local" or whatever you want to.
This is of course a long-term goal, but it's being worked on. And ideally you don't lose any/much speed.
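The comment above describes labelling data (e.g. "private") so that the compiler, not a runtime check, guarantees it never flows to the network driver. The following is an added example, written for this page and not taken from the post or from any named research project; it encodes the label in Rust's type system with phantom type parameters. The names `Labeled`, `Private`, `Public`, `send_to_network` and the masking declassifier are all hypothetical illustrations. Derived data keeps its label, a Public value may be raised to Private, and the only route from Private to Public is an explicit, auditable declassification step; an attempt to hand Private data to the network sink is a compile error (shown commented out).

```rust
// Added example (not from the post): compile-time information-flow labels.
// All names here are hypothetical; the "network driver" is a stand-in function.
use std::marker::PhantomData;

/// Secrecy labels. They carry no data and exist only at compile time.
pub struct Private;
pub struct Public;

/// A value tagged with a secrecy label `L`.
pub struct Labeled<L, T> {
    value: T,
    _label: PhantomData<L>,
}

impl<L, T> Labeled<L, T> {
    pub fn new(value: T) -> Self {
        Labeled { value, _label: PhantomData }
    }

    /// Computing on labeled data keeps the label, so anything derived from a
    /// Private value is itself Private (taint propagation by construction).
    pub fn map<U>(self, f: impl FnOnce(T) -> U) -> Labeled<L, U> {
        Labeled::new(f(self.value))
    }
}

impl<T> Labeled<Public, T> {
    /// Only Public values can be unwrapped without ceremony.
    pub fn into_inner(self) -> T {
        self.value
    }

    /// Raising a label is always allowed: Public data may flow into Private contexts.
    pub fn classify(self) -> Labeled<Private, T> {
        Labeled::new(self.value)
    }
}

impl Labeled<Private, String> {
    /// The single, auditable way out of Private: an explicit declassification
    /// that must transform the data (here: mask all but the last four characters).
    pub fn declassify_masked(self) -> Labeled<Public, String> {
        let keep_from = self.value.chars().count().saturating_sub(4);
        let masked = self
            .value
            .chars()
            .enumerate()
            .map(|(i, c)| if i < keep_from { '*' } else { c })
            .collect();
        Labeled::new(masked)
    }
}

/// Stand-in for the network card driver: its signature accepts Public data only.
/// Returns what it "put on the wire" so callers (and the test) can check it.
pub fn send_to_network(pkt: Labeled<Public, String>) -> String {
    pkt.into_inner()
}

/// Builds a Private card number (constructed sample input), derives something from it
/// (still Private), and shows the only route to the network: explicit declassification.
pub fn demo() -> String {
    let card: Labeled<Private, String> = Labeled::new("4111111111111111".to_string());
    let trimmed: Labeled<Private, String> = card.map(|s| s.trim().to_string());
    // send_to_network(trimmed);   // rejected by the compiler:
    //   expected `Labeled<Public, String>`, found `Labeled<Private, String>`
    // trimmed.into_inner();       // also rejected: no such method for the Private label
    send_to_network(trimmed.declassify_masked())
}

fn main() {
    println!("on the wire: {}", demo());
}
```

The guarantee is only as strong as the set of functions that construct a `Labeled<Public, _>` from Private input; in a real codebase those declassifiers are the thing to audit, which is exactly why the type system forces them to be named and explicit.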
... the ability to deinstall them, quickly, easily, completely, and cleanly.
Seriously, this crap comes preinstalled on many big-name Windows boxes, and getting rid of it takes most of a day -- it's quicker to wipe the drive and reinstall.
If more than one vendor exhibits this behavior, perhaps the issue is in the OS and not the app.
Not that the app maker should be excused mind you. I find this more annoying with Java than the two mentioned pieces. At least those will partially uninstall whereas Java on Windows is just completely buggered if something gets corrupted with the install.
"Taking bets on how long that will take to bite him in the ass. I reckon less than 6 months."
I bid 6 weeks, though I think that's generous; when it's discovered is another matter.
For the successful cracker (who keeps it secret) this is the perfect target.
The sense of smug complacency that will set in could allow them to establish the biggest botnet the internet has ever seen. OK that's a bit of hype but certainly quite large.
I've heard this "It's uncrackable" spiel a few times. A classic was the Sky digital TV encryption system.
The channel coding remains (AFAIK) unbroken with a 2048-bit PKA key.
The cards were not. Giving free TV channels to those in the know.
is that if you get it really right ... you don't get to sell regular updates to the software.
I know of several different AV providers who went out of business for that reason back in the day. The technology was quietly bought up by Symantec and allegedly merged in with Norton.
To be fair, the change to 64bit windows would have killed their product anyway without some significant rewrites, but it worked brilliantly for 7-8 years without an update.
Another thing is that the operating system itself may behave like a virus. It is in the nature of operating systems.
Unlike McAfee, who seem to have "invented" heuristics after decades of use, that is the main reason why companies do crazy things like virtual machines, cloud-based whitelisting, machines left open to the internet on purpose, etc.
Poor Intel wasted their billions.
In a world in which companies and even end users expect a common security suite which will work similarly on all their devices, from a cheap Huawei to a top-of-the-line i7 workstation, they ship software which will work fine only on Intel CPUs.
If someone at Kaspersky or Sophos came up with such an idea, he would be fired.
Also, heuristics and behaviour analysis are old news in the real security scene. Signatures are only a first line of defense. It has been the same since IBM & F-Prot.
Signature-based malware identification has been around since the dawn of the computer security industry
Bollocks.
Stiller's Integrity Master, a profile-based virus detector, existed before John McAfee sold a cheap and lazy media on Virusscan:
I love it! I have been a fan of integrity checking (IC) ever since my first big software conflict trashed small parts of a few files of the 2,000 + files on my disk in … 1986
(Sadly, that article is only on Google's cache now.)
CERT formed before McAfee did, in 1988, to combat the Morris Internet Worm. McAfee opened his doors in 1989.
Signature-based malware identification has been around since the dawn of the computer security industry
Bollocks.
I am baffled how anything you posted is a refutation of the statement you quoted. In fact, your evidence appears to support it: if "the computer security industry" is defined as software companies selling security tools for PCs (a dubious definition, but we'll get to that in a moment), then the statement is clearly true, since signature-based identification in fact clearly predates that "industry", and thus "has been around since" (and indeed before) it began.
If we define "the computer security industry" in the rather more useful sense of organized work to improve security in IT, then Integrity Master and its predecessors would be a part of that "industry" (in the sense of "work", not necessarily "commercial product"), so they wouldn't be counterexamples to the statement either.
However, IM isn't relevant to the statement at all, because it's not a signature detection system. Signature detection systems scan data for sequences that may indicate malicious code. IM is a change detection system; it computes hashes of existing files (at least originally CRCs; the article doesn't indicate if it later used stronger hashes) to see if they match the hashes from the previous pass.
So a complete miss then. But really I can't see what you're all worked up about. Thomson isn't claiming McAfee (or anyone else) invented signature detection, just that it's been around for a long time.
As the argument rages about this OS being safer than that OS with respect to nasties, does anybody have any figures on how many viruses actually use Windows as the directly attacked platform, as opposed to using some third-party program (Adobe & Java - looking at you) as the attack vector which then goes on to compromise the OS?
I suspect that 'modern' Windows, say versions 7 & 8, is actually very robust and the vast majority of the infections are due to third-party applications.
I can see this as being a major flaw in phone and tablet OSes, where apps request, and are inevitably given, permissions far in excess of those required for purely operational needs, in the same manner as many Windows programs have "needed" administrative permissions in the past and thus provided an easy foothold into the OS.
You're a douchebag ... deal with it !
Go flame some other forum.
The most epically failed statement ever:
100% of all viruses are for windows
... riiiiight ... I know of at least 3 for Mac and I've read somewhere on here recently that some hackers are chucking together Android viruses ...
http://www.bbc.co.uk/news/science-environment-17623422
http://www.bbc.co.uk/news/technology-20768996
And those are just in the top 2 results for some basic google searching ...
What a total tard!
Anyone else fancy confirming what a tool Eadon is ... upvote this comment!
As for McAfee ...
I generally hear good things about them, but me personally, I wipe my machine clean and restore from an image (network stored) every few weeks so I don't bother with AV.
I'm also very careful about where I download and run executable code from.
Have I ever had a virus?
Yeah, once ... when I used to use AV, and its solution was to destroy my OS install.
"We can catch things that no one else can in the industry."
Well that's certainly my experience - our PCs running McAfee catch things that users of other vendors don't seem to get. Whenever I submit a sample to virustotal.com McAfee consistently does not detect anything but 90% of the other vendors do.
Windows itself is the virus, and needs to be eliminated. It just keeps morphing every few years and changing a number (3.1, 95, 98, 98SE, Me, NT, 2000, XP, Vista, 7, and 8 to name a few) and re-infecting systems.
Of course, they need a platform to run on, and they chose the absolute worst processor (the x86 family) to do the job, also counting the viral effect.
(*SIGH*) One of these days.....
I do wish the moderators here would stop all this personalised bashing of individual posters that is being targeted against specific individuals who post here.
Seriously. If you don't like what he says, then prove him wrong. If you can't do that, then don't bother commenting about what he says. Your personal thoughts about him are irrelevant. All this ridiculous name-calling just makes you all look like children.
"I do wish the moderators here would stop all this personalised bashing of individual posters"
The trouble with deleting comments that bash individuals is that it spirals into a "he started it!" nightmare. The general rule I like to see people follow is "play the ball, not the man". So if people stick to that then things work out.
C.
You can try, but people who reject all evidence or utilize irrelevant technicalities to make themselves feel right will never change their mind. When you combine that with a strong desire to evangelize everywhere, people will naturally get tired of constantly bringing forth the same evidence proving them wrong over and over again. Ignoring them doesn't really work because then they could possibly convince someone new that they are correct. Over time they will eventually piss someone off enough to respond to them with an attack of some kind, and with the number of readers here there will always be someone new being pushed over the edge.
@Dave Dowell - imagine, if you will, a fly buzzing round your head. You try to shoo it away, but it keeps coming back. You can either keep trying to just brush it aside, or become increasingly more annoyed trying to swat it.
This is what has happened here.
You're absolutely right about trying to counter-argue posts you don't agree with - however, I can understand some posters getting frustrated when faced with a continual barrage of provocative posts that usually lack any form of evidence or back-up, especially when the poster in question (I think we all know who we mean here) refuses to acknowledge any counter-argument that does not fit in with his own philosophy and just continues to "buzz around our heads" - to use the earlier analogy.
It's why I think a "report complaint" facility - similar to "report abuse", but for more general use - would be a good idea.
a few rules to avoid the malware would be better than AV software that bungs up your system/network/entire internet
1. Phone chargers for all staff : stops them plugging their phones into those handy usb ports on the front of the PC
2. remove Java and flash from the browsers
3. Anyone caught with a USB stick is fired.
4. Anyone opening an email attachment is set on fire.
And lastly for those really serious about stopping malware from seizing vital data
Install Linux
I've visited companies where to enter the campus, everyone sends their belongings through a metal detector, phones are checked to make sure cameras are taped over, sd cards or flash drives are banned, etc. etc. In the government sector too, there are some pretty extreme measures taken for security (e.g. supercomputers that are physically partitioned so that confidential simulations can't possibly be spied on by other code).
Generally though, I assume the powers that be look at the relative cost of preventing malware via draconian measures (quality of employee, worker happiness, inefficiency in working with clients who want to use e-mail attachments) and decide that it's much better to employ a handful of smart people to setup firewalls, IDSes, monitor developments in the security field, etc. and basically hope that the risk is reduced sufficiently.
Similar considerations apply to safety from muggers-- if you wanted to make sure you'd never get mugged, you could hole up in an underground bunker with 80 years worth of non-perishable food, cases of ammunition and high powered weapons, hopped up on methamphetamines monitoring your CCTV, and you'd have a pretty high confidence in your personal safety. On the other hand, it might not be a very happy existence.