14 antivirus apps found to have security problems

Organisations should get their antivirus products security tested before deployment because the technology across the board dangerously elevates attack surfaces, COSEINC researcher Joxean Koret says. COSEINC is a Singapore security outfit that has run a critical eye over 17 major antivirus engines and products and found 14 …

  1. This post has been deleted by its author

    1. This post has been deleted by its author

      1. Phil O'Sophical Silver badge
        Thumb Down

        Re: Problems with virus?

        Well, if you will click on random irrelevant links from a forum post...

        1. Shaha Alam

          Re: Problems with virus?

          "Well, if you will click on random irrelevant links from a forum post..."

          on the contrary. aren't the links intended to appear to be specific and relevant? how else would spoofing work if it wasn't geared to the mark's interests?

  2. Anonymous Coward
    Anonymous Coward

    Point of Issue

    Don't blame the C language please. Despite its age it is still an excellent language, it still has relevancy and it is the language of choice for most safety critical systems. The issue here is poor developers and/or their pointy-haired managers.

    It's true that C does contain some (few) functions that are inherently unsafe (and impossible to make safe - see 'gets'), however these should be well known to all developers for these applications and are also easily caught with analysis tools. Most of these functions are also deprecated and obsolete under the ANSI C standard too. Just don't use these functions.
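As an added example (not code from any commenter or from the report), here is what the 'gets' point looks like in practice: gets() has no way to learn the buffer size, so the only fix is a replacement that does. The reader below is built on fgets() and also handles the part fgets() leaves to the caller, namely noticing that a line did not fit and discarding the leftover bytes rather than processing them as a second line. The sample input and the open_sample helper are constructed for the example.

```c
/* Added example: a bounded line reader that does what gets() cannot.
 * gets() was deprecated in C99 and removed in C11 because any line longer
 * than the buffer overruns it. fgets() takes the size but silently
 * truncates, so the caller has to detect an over-long line itself. */
#include <stdio.h>
#include <string.h>

enum { READLINE_EOF = -1, READLINE_TOO_LONG = -2 };

/* Read one line into buf (capacity size), drop the trailing newline and
 * return the line length. Returns READLINE_EOF at end of input and
 * READLINE_TOO_LONG if the line did not fit; in that case the rest of the
 * line is discarded so the next call starts on the following line instead
 * of treating the overflow tail as a line of its own. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return READLINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (int)(len - 1);
    }

    /* No newline in the buffer: either the line fit exactly (next byte is
     * the newline), the input ended without a newline, or the line was
     * too long. Peek one byte to tell the cases apart. */
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return (int)len;

    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                                   /* drain the over-long tail */
    buf[0] = '\0';
    return READLINE_TOO_LONG;
}

/* Constructed input helper for stand-alone runs: a temp file holding text. */
FILE *open_sample(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs(text, f);
        rewind(f);
    }
    return f;
}

int main(void)
{
    FILE *f = open_sample("short\nthis line is far too long for the buffer\nok\n");
    char buf[16];
    int n;
    if (f == NULL)
        return 1;
    while ((n = read_line_bounded(buf, sizeof buf, f)) != READLINE_EOF) {
        if (n == READLINE_TOO_LONG)
            puts("line too long, skipped");
        else
            printf("%d: \"%s\"\n", n, buf);
    }
    fclose(f);
    return 0;
}
```

The peek step matters: without it, a line that is exactly one byte shorter than the buffer would be reported as too long, and a naive "no newline means overflow" check would then swallow the next real line.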

    1. Paul Crawford Silver badge

      Re: Point of Issue

      That is why various guidelines and standards have been developed to make coding safer:

      http://en.wikipedia.org/wiki/MISRA_C

      www.stroustrup.com/JSF-AV-rules.pdf

      Whatever language you use, you can screw up, but C/C++ just gives you a more direct way of doing so. Safe code is hard to do and needs some skill and the willingness to stick to the above guidelines and to USE the tools already out there to check for errors and bad practice.

    2. DF118

      Re: Point of Issue

      Not sure if 'relevancy' is better or worse than 'expiration' on the scale of weird things North Americans do to the English language.

      1. Ben Rose

        Re: Point of Issue

        Far worse than "expiration", I have it equal with "compliancy".

        1. garden-snail
          Go

          Re: Point of Issue

          I don't think any of these rank quite as highly as "burglarize".

          1. Robert Helpmann??
            Childcatcher

            Re: Point of Issue

            Hmm... Next thing, you'll be burning Noah Webster in effigy.

          2. Ben Bonsall

            Re: Point of Issue

            Buggerate is the one that gets me. Admittedly, from Urpeons who learned English from American TV.

            When I first encountered the use of the verb 'to bugger' instead of 'to bug', I corrected them... But having a senior colleague stick their head in a meeting and ask if they can buggerate someone for five minutes had me banging my head on the table, and said someone replying that the meeting was nearly done and could they bugger them when they were free almost had me on the floor.

    3. Down not across

      Re: Point of Issue

      Don't blame the C language please. Despite its age it is still an excellent language, it still has relevancy and it is the language of choice for most safety critical systems. The issue here is poor developers and/or their pointy-haired managers.

      Quite.

      "AV engines were often built in C which led to vulnerabilities like..." suggests the flaws are caused by the chosen language. The language used doesn't directly lead to vulnerabilities. Sure, it doesn't hold your hand and it will let you do stupid things. You're expected to be able to write decent code. Shouldn't be unreasonable to expect competent coding from a company providing security software.

    4. DrXym

      Re: Point of Issue

      I think there is plenty of blame to go around. C/C++ for having some inherently dangerous constructs and doing very little to discourage their use "for legacy reasons". AV companies for writing sloppy spaghetti like code, a lot of which is bound to be very low level and very fragile. OS manufacturers for still needing AV software even in a day and age when a lot of checking could be pushed into the cloud and mitigated by virtualization and other tricks to prevent malicious code doing bad things. And users for doing dumb things that require AV software in the first place.

      1. the spectacularly refined chap

        Re: Point of Issue

        C/C++ for having some inherently dangerous constructs and doing very little to discourage their use "for legacy reasons"

        I can do dangerous things with a knife or chainsaw - that doesn't make them bad or dangerous when used in a responsible manner.

        This report reads to me more as advocacy of certain approaches rather than anything substantial and completely ignores some key parameters. A/V is low level software and needs low level control - you are not going to write an A/V in VB after all. The second point conveniently ignored is the size of the runtime system. For C it's pretty minimal and interactions with the OS occur at defined points in the execution - easy to analyze, relatively easy to defend. With higher level languages you never really know - when anything at all could trigger e.g. IPC or a memory allocation.

        That's without even considering external library issues: I see the inclusion of large external libraries has already indirectly been advocated below with the crap UI point - creating a fancy UI with e.g. bare win32 API calls is a lot of work. The lack of those support libs is key to being able to validate code - for example any MFC based app leaks memory, as does any .NET app - it is unavoidable because the support libraries themselves do. If they can't even get that right who knows what security issues are lurking in them?

        A keep it lean, keep it mean approach is the best approach and that is what really limits the exposure surface of the app, not following the whims of someone who has never written security software and has fallen for the marketing bullshit of the latest buzzword technologies.

        1. Franklin

          Re: Point of Issue

          "I can do dangerous things with a knife or chainsaw - that doesn't make them bad or dangerous when used in a responsible manner."

          Sure. But plain old-fashioned C is a bit like a chainsaw with no chain guard. It's a capable tool, but you gotta watch where you put your hands...

          Frankly, though, I think the responsibility lies with the AV vendors, not the tools they use. It's a poor workman who blames his tools. These folks are supposed to know about security, that's what they do.

    5. Keith Langmead

      Re: Point of Issue

      I suspect the reality is that the "insecurity" of C has less to do with the language itself, and more to do with the underlying application code being written 10/15/20 years ago and not being looked at since. Even the best programmer back then couldn't be expected to foresee every security eventuality, and would have no knowledge of much of what is now considered best practice.

      This kind of thing is always the risk you take when you focus on simply adding bits to existing applications and making it look pretty, rather than starting from scratch and writing the entire thing based on current best practice from the ground up. You might not be able to polish a turd, but some companies really will try! :-)

      1. AndrueC Silver badge
        Go

        Re: Point of Issue

        I suspect the reality is that the "insecurity" of C has less to do with the language itself, and more to do with the underlying application code being written 10/15/20 years ago and not being looked at since

        I'd say it's mostly due to the code age but a fair amount is also down to the language. Although it's true that C/C++ code is not inherently unsafe it's also true that there's not a great deal of pressure within the language to dissuade you from unsafe practice and even less to encourage you to good practice. You can improve things a bit if your compiler supports 'treat all warnings as errors' but that's a choice you have to make and reliant on the verbosity of your compiler.

        The good thing about both those languages (and I'll always have a soft spot for C++) is that they trust the programmer and allow them total control.

        The bad thing about both those languages is that they trust the programmer and allow them total control.

    6. Christian Berger

      Re: Point of Issue

      C is a powerful tool in the hand of capable people. Its natural environment is UNIX and simple systems.

      One should notice that good C programmers don't program complex things in C. This may sound paradoxical, but what they actually do is writing a small "interpreter" which interprets data structures containing the actual logic. Thus creating something like a domain specific language. C with its data and function pointers makes this very simple. This is the true strength of C.

      Apparently that is not what people have been doing here, they literally programmed complicated things directly in C, making both their life unnecessarily hard and risking serious problems if they mess it up.
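As an added example (not from any commenter), here is the "small interpreter over data structures" shape the comment above describes, reduced to a tiny rule engine: the engine is one loop, and every rule, including composite ones, is a data record holding a function pointer and an argument. The rule names, patterns and threshold are constructed for the example; none of it is from the report.

```c
/* Added example: a table-driven rule interpreter in C. Adding or changing
 * a rule means editing data, not the engine; the engine itself stays small
 * enough to review. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct rule {
    const char *name;
    bool (*match)(const unsigned char *data, size_t len, const void *arg);
    const void *arg;      /* pattern, threshold or sub-rule list */
} rule_t;

typedef struct { const char *bytes; size_t len; } pattern_t;

/* Primitive predicates: each checks its bounds before touching data. */
static bool starts_with(const unsigned char *d, size_t len, const void *arg)
{
    const pattern_t *p = arg;
    return len >= p->len && memcmp(d, p->bytes, p->len) == 0;
}

static bool contains(const unsigned char *d, size_t len, const void *arg)
{
    const pattern_t *p = arg;
    for (size_t i = 0; p->len <= len && i + p->len <= len; i++)
        if (memcmp(d + i, p->bytes, p->len) == 0)
            return true;
    return false;
}

static bool longer_than(const unsigned char *d, size_t len, const void *arg)
{
    (void)d;
    return len > *(const size_t *)arg;
}

/* Combinator: a rule whose argument is a NULL-terminated list of rules. */
static bool all_of(const unsigned char *d, size_t len, const void *arg)
{
    const rule_t *const *sub = arg;
    for (; *sub != NULL; sub++)
        if (!(*sub)->match(d, len, (*sub)->arg))
            return false;
    return true;
}

/* The logic lives here, as data (constructed values). First match wins. */
static const pattern_t pdf_magic = { "%PDF-", 5 };
static const pattern_t zip_magic = { "PK\x03\x04", 4 };
static const pattern_t js_tag    = { "/JavaScript", 11 };
static const size_t    threshold = 64;

static const rule_t r_pdf = { "pdf", starts_with, &pdf_magic };
static const rule_t r_js  = { "js",  contains,    &js_tag };
static const rule_t *const pdf_js_subs[] = { &r_pdf, &r_js, NULL };

static const rule_t rules[] = {
    { "pdf-with-javascript", all_of,      pdf_js_subs },
    { "pdf",                 starts_with, &pdf_magic },
    { "zip",                 starts_with, &zip_magic },
    { "large-unknown",       longer_than, &threshold },
};

/* The whole interpreter: walk the table and call each rule's function. */
const char *classify(const unsigned char *data, size_t len)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].match(data, len, rules[i].arg))
            return rules[i].name;
    return "unclassified";
}

const char *classify_str(const char *s)
{
    return classify((const unsigned char *)s, strlen(s));
}

int main(void)
{
    const char *samples[] = { "%PDF-1.4 /JavaScript", "%PDF-1.4 plain", "PK\x03\x04 data", "hello" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i], classify_str(samples[i]));
    return 0;
}
```

The point of the shape is that the only code handling raw bytes is the handful of primitives, each with an explicit bounds check, while the growing part of the program (the rule table) cannot cause memory errors at all.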

  3. James 100

    Bad AV

    They do have a bad track record. I seem to recall one of the first bits of OS X malware actually targeted one of the first AV engines itself, rather than the platform it was supposed to protect.

    Back on Windows, I was developing a system utility a few years ago. On the low level, you can either open files by filename (the usual way), or by file number - except doing the latter would cause a BSOD every time once the file was closed again, which I eventually tracked to a bug in the on-access scanner component of the AV product I was using. I didn't investigate much further at the time, but as I recall it was allocating a buffer *when files were opened by name*, then freeing that buffer when files were closed - whether that buffer had been allocated in the first place or not. There was probably something exploitable in there if I'd looked hard enough.

    Then there was the time McAfee decided that Windows itself was malware and needed to be deleted, which made for a "fun" departmental cleanup day...
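As an added example (not the commenter's code, and not from the report), here is a minimal model of the on-access scanner bug described in the post above: a per-file context gets a scan buffer only on the open-by-name path, but the close path frees it regardless, so on the open-by-number path free() is handed whatever happened to be in the field. The hardened version makes ownership explicit and makes release idempotent. Type names, field names and the buffer size are constructed for the example.

```c
/* Added example: allocate-on-one-path, free-on-every-path, and the fix. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum { OPEN_BY_NAME, OPEN_BY_NUMBER };
enum { SCAN_BUF_SIZE = 4096 };

typedef struct {
    int how;                  /* OPEN_BY_NAME or OPEN_BY_NUMBER */
    unsigned char *scan_buf;  /* NULL unless this context owns a buffer */
    size_t scan_len;
} file_ctx;

/* --- the flawed shape (kept for contrast; never called below) --- */
file_ctx *buggy_open(int how)
{
    file_ctx *ctx = malloc(sizeof *ctx);   /* fields start indeterminate */
    if (ctx == NULL) return NULL;
    ctx->how = how;
    if (how == OPEN_BY_NAME) {             /* only this path sets scan_buf */
        ctx->scan_buf = malloc(SCAN_BUF_SIZE);
        ctx->scan_len = SCAN_BUF_SIZE;
    }
    return ctx;
}

void buggy_close(file_ctx *ctx)
{
    free(ctx->scan_buf);   /* undefined behaviour on the OPEN_BY_NUMBER path */
    free(ctx);
}

/* --- hardened shape --- */
file_ctx *ctx_open(int how)
{
    file_ctx *ctx = calloc(1, sizeof *ctx);  /* every field defined: scan_buf == NULL */
    if (ctx == NULL) return NULL;
    ctx->how = how;
    if (how == OPEN_BY_NAME) {
        ctx->scan_buf = malloc(SCAN_BUF_SIZE);
        if (ctx->scan_buf == NULL) { free(ctx); return NULL; }
        ctx->scan_len = SCAN_BUF_SIZE;
    }
    return ctx;
}

bool ctx_has_buffer(const file_ctx *ctx)
{
    return ctx != NULL && ctx->scan_buf != NULL;
}

/* Give back the scan buffer if this context owns one. Returns 1 if a
 * buffer was released, 0 otherwise; safe to call any number of times. */
int ctx_release(file_ctx *ctx)
{
    if (ctx == NULL || ctx->scan_buf == NULL) return 0;
    free(ctx->scan_buf);
    ctx->scan_buf = NULL;   /* a second release is a no-op, not a double free */
    ctx->scan_len = 0;
    return 1;
}

/* Close = release whatever is owned, then free the context itself. */
int ctx_close(file_ctx *ctx)
{
    if (ctx == NULL) return 0;
    int released = ctx_release(ctx);
    free(ctx);
    return released;
}

int main(void)
{
    file_ctx *by_name = ctx_open(OPEN_BY_NAME);
    file_ctx *by_num  = ctx_open(OPEN_BY_NUMBER);
    int had_name = ctx_has_buffer(by_name);
    int had_num  = ctx_has_buffer(by_num);
    printf("by name:   buffer=%d released=%d\n", had_name, ctx_close(by_name));
    printf("by number: buffer=%d released=%d\n", had_num, ctx_close(by_num));
    return 0;
}
```

Two habits remove the whole bug class: zero-initialise every context so "not allocated" is a defined state (free(NULL) is a no-op), and null the pointer at the point of release so the same path cannot free it twice.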

    1. Mark #255

      Re: Bad AV

      Back when I was green and running Win98SE (but I repeat myself) I installed McAfee's firewall, which was a separate product to the AV program at the time. It ate memory and brought the PC to its knees.

      Prejudice, n: Sometimes synonymous with bitterly-won experience.

    2. DrXym

      Re: Bad AV

      What I find incredible about AV software is how bad the UI is in most of it. If an AV company can't even write a decent UI, then what does that say for the state of the code you can't see?

  4. PurpleMoneky

    Java Exploit in "Callous Cat Does Not Care" website

    After a few random images, it prompts you to update Java via a pop-up that takes you to a lookie-likey page. Not sure if the links to download are broken or what, but they point to hXXp://secure.15-pn-installer.com which is not Oracle. So be aware!

    (tweaked by mod to break the link so the hard-of-thinking don't go clicking it)

    1. Destroy All Monsters Silver badge

      Re: Java Exploit in "Callous Cat Does Not Care" website

      No having NoScript?

    2. earl grey
      Trollface

      Re: Java Exploit in "Callous Cat Does Not Care" website

      Strange, that link doesn't work.

  5. Anonymous Coward
    Anonymous Coward

    Wait? So running AV software makes me more vulnerable to attack??

    Christ on a bike!

  6. chivo243 Silver badge
    Stop

    4 of 14 fingered

    I personally would like to know who are the other 10 vendors. I do a bit of moonlighting sorting out Windows issues for friends and would like to recommend AV that is not worse than the attacks it's protecting against. You get better odds in three-card monte!

    1. monkeyfish

      Re: 4 of 14 fingered

      Or better still, a list of the ones that didn't fail so hard.

  7. Novex

    I did a quick scan of the pdf file and found no mention of Microsoft Security Essentials. Bearing in mind that it's likely to be used by quite a few Windows users, and I didn't get the feeling the article was aimed at only non-Windows AV, that seems to be a serious omission. Coupled with the pdf not having a decent structure, not listing all AV software tested, and not giving a properly laid out set of results for each AV product, and I'm afraid this whole examination starts to look woefully inadequate. Which is a shame, as it appears to be attempting to highlight valid shortcomings in AV products.

    1. Anonymous Coward
      WTF?

      May have been something to do with this line... which TBH I think is a bit lame.

      "The largest vendors weren't notified as they should be already dedicating their sizable resources to vulnerability research."

      Phew thank goodness Oracle and Adobe are only little companies, because with that attitude, users of a bigger company's software could be in real trouble.

      1. Anonymous Dutch Coward
        Flame

        @Lost all faith: notifying vendors

        Indeed. Or should that part read as:

        "The largest vendors weren't notified as we couldn't be bothered making the effort and had to get the PDF out of the door with the minimum amount of costs and time in order to get the most bang for our PR buck"

    2. Marcus Aurelius

      MS Security Essentials going downhill?

      Just recently I've had to use other products on the family computers as it seems that MS Security Essentials is getting less effective. I used to like the product as it was the only thing that didn't cripple the PC, and now I feel I should find another AV tool.

  8. William Donelson

    I have *both* PCs and Macs. It's been 20 yrs since I had a virus on my Mac, and that took 10 mins to remove.

    For PCs: Kaspersky Lab is detecting 315,000 new malicious files EVERY DAY.

    1. Anonymous Coward
      Anonymous Coward

      @W Donelson

      For PCs: Kaspersky Lab is detecting 315,000 new malicious files EVERY DAY.

      I think it's safe to say that that's pretty much a fully compromised system!

    2. Goldmember

      "For PCs: Kaspersky Lab is detecting 315,000 new malicious files EVERY DAY."

      You may wish to stop downloading torrents/ cracks/ porn/ "video codecs" then.

      Just a thought.

    3. Captain Scarlet
      Trollface

      and that took 10 mins to remove

      Let me guess, you bought a new one

      /me runs from flaming Mac Users

    4. Anonymous Coward
      Anonymous Coward

      Was this the one...

      You sold 5 (or 6, or 7, or 8) years after you bought it for nearly $400 (or $450, or $500, or $350)??

      Enquiring minds want to know which figures you're using today.

  9. Truth4u

    AV Software is the biggest attack vector on any PC

    I keep my PCs clean by not running AV software. You need to disable all the random scripting languages and crap using tools like NoScript and then your PC is more or less safe if you understand your operating system well enough to know the difference between something that is executable and something that isn't. The idea is to scrutinize the executables which you can do by finding online reviews etc and seeing what kind of people wrote them. Some tools are recognised in the industry as being very good so guess what I use them and my PC doesn't have any toolbars on it like yours does.

    1. steve 124

      Re: AV Software is the biggest attack vector on any PC

      That's the craziest damn advice I've ever seen someone give. There are lots of non-executable files that carry infection. Even a simple .rtf file can be a vector of infection (per CVE-2014-1761). Anything that gets loaded into another program (Word, Excel, index files, heck even .nfo files) can exploit buffer overflows and dozens of other vulnerabilities of their parent programs.

      Nay, I would not abandon my A/V just yet.

      My best advice for A/V these days is Webroot. I used to use ESET (and I'm a little upset to see them on "the list") but Webroot is solid like a rock.

      Just my 2 cents.

      1. mark jacobs
        Thumb Up

        Re: AV Software is the biggest attack vector on any PC

        Our company is a recent convert to Webroot and, I must say, it is an excellent way of ensuring your end users do not turn off AV ever, using tray icons and such. Also, it provides an easy central repository for monitoring all PCs protected under any given set of licences, and seeing infections and how they were dealt with. It picks up stuff Kaspersky never ever spotted too.

        1. Truth4u

          Re: AV Software is the biggest attack vector on any PC

          well most viruses are written by developers who just wanted to turn off AV on their work PC so...

      2. Anonymous Coward
        Anonymous Coward

        Re: AV Software is the biggest attack vector on any PC

        +1 for Webroot.

        I've tried just about everything out there over the years but Webroot is by far the best in terms of what it does, how it does it and sheer lack of any resource impact on even older laptops.

  10. Anonymous Coward
    Anonymous Coward

    The Illusion of Security...

    This topic has been boiling away for some time now. It was heightened recently when the CEO of Symantec / Norton admitted his products only worked some of the time.. So what are we to do?

    I dedicate at least one or two legacy XP machines to banking and nothing else and place them on an isolated network. Same goes for critical work with a couple of boxes dedicated to running Win7... The remaining hardware, I save for YouTube / Flash crap and put them on their own branch to blow up without costing me a packet i.e. CryptoLocker...

    But who has time for all of this really? What a waste, and a joy killer.... Still, what else can one do, retreat from the net entirely when you add in all the spying and tracking?

    1. Anonymous Coward
      Anonymous Coward

      Re: The Illusion of Security...

      "I dedicate at least one or two legacy XP machines to banking"

      You did what?! XP is secure?! ROFL

  11. Arctic fox
    WTF?

    Not being a professional techie, I wonder if you guys could help me with a question.

    "Organisations should get their antivirus products security tested before deployment"

    In my innocence not to say ignorance I had imagined that that would be standard practice and if it is not I confess myself astonished. My question is - if it is not regarded as best/standard practice, then why not?

    1. jason 7
      Meh

      Re: Not being a professional techie I wonder if you guys could help me with a question.

      Humans are lazy.

      Testing ...is a drag and it costs money.

      Worry about it if and when it goes wrong.

      "It worked last time so it should still work this time I guess!"

      etc. etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not being a professional techie I wonder if you guys could help me with a question.

        Shoddy Quality... When it comes to software suddenly quality isn't important... The 'we can always patch it later' attitude....

        WTF?

        We should be able to sue software companies for shoddy releases... After all, hands up, who wants to buy a washing machine that leaks every other patch Tuesday.... Or a car that reboots during driving on the highway. Or a pacemaker or other critical medical device made by a software firm?

    2. Anonymous Coward
      Anonymous Coward

      Re: Not being a professional techie I wonder if you guys could help me with a question.

      "Innocence?" - you have actually worked at an organisation!? Or got lucky ;-)

      In my 30 years of experience, 95% of all organisations are incurably dysfunctional - in the "Let's take off and nuke the site from orbit. It's the only way to be sure" way.

      Organisations generally grow into caring only about themselves; the feral staff will smell this and adapt by producing those metrics that will generate Bonuses, Promotions (and Harming the Competition, a.k.a. Colleagues).

      So, "Anti-virus Installed on all PCs before random deadline" is perhaps a Metric, "Testing said anti-virus suite to see if it works and is secure" is "useless time wasting and procrastination for the IT geeks' own benefit", Rescuing the organisation from a virus attack is "Stepping up in a crisis", not having a virus attack in the first place becomes: "Let's outsource IT, those people are not doing any work that I can see"!

      1. jason 7
        Facepalm

        Re: Not being a professional techie I wonder if you guys could help me with a question.

        I did some work at a big chemical factory a while ago. During my safety training that was carried out by the on-site fire/emergency team (yep they had their own private fire station just in case) they told us that they had just been bought up by a venture capital group.

        Apparently when the Venture Group's accountants went over the books they said -

        "Hmm it seems since you've had your own on-site Fire/Emergency team, that you haven't had any major incidents or fires! So why exactly do we need you?"

  12. Rabbit80

    More information needed..

    Any links to the source of these allegations? What other AV systems are on the "naughty" list - the article names and shames only 4 out of a headline 14!

  13. Conrad Longmore

    Which is why..

    Which is why you shouldn't answer about the products you use when you received a cold call from someone claiming to be an AV vendor.

  14. Ugotta B. Kiddingme

    link to source

    many false leads but, I found this - which appears to be the source document. Kinda long at 108 pages.

    http://mincore.c9x.org/breaking_av_software.pdf

    or, if you prefer:

    http://www.slideshare.net/JoxeanKoret/breaking-av-software-33153490

  15. stucs201

    At least part of the problem seems to be when they're run...

    ...i.e. all the time in the background. It used to be that the advice was that the only truly reliable virus scan was one done after booting from and then running the software from a known clean, write-protected floppy disk (such as a disk made by booting from and copying the write-protected master disk that came in the box).

    These days of course we'd probably need a different boot device and doing the scan with no internet connection active might also be advisable.

    Somehow though I don't think most people would accept the inconvenience of going back to that style of scan, even if software that could be run that way was still available.

    1. Truth4u

      Re: At least part of the problem seems to be when they're run...

      On-access AV is a bottleneck. What you need is a hardware version that streams the serial ATA data out of the drive into the CPU and a separate FPGA running the AV software that can halt the main CPU when it sees a string of dodgy instructions. Then you would get the "benefit" with no performance impact. But in reality there is no benefit to on-access scanning so no one is going to build that hardware.

      1. Truth4u

        Re: At least part of the problem seems to be when they're run...

        If you want to know how well blacklists work just remember the NSA has never caught a terrorist and how many millions of people have they inconvenienced now?

        1. Truth4u

          Re: At least part of the problem seems to be when they're run...

          I meant to say TSA but it's all the same. In my above (patent pending) invention the FPGA or ASIC is able to rewrite the payload with no-ops on its way into the CPU, maybe plus an instruction to trigger its software component to open up and say "hey you're fucked", but I'm selling to the server market so we don't need that shit, just the iron. It would probably store its database in some nice quick graphics DDR or something. mmmmm. But I will charge more for an ECC model; it's less likely to randomly nuke your server.

  16. Gis Bun

    hmmm

    Interesting how I don't think the report mentioned the big three [and I don't suggest the best]: Kaspersky, Symantec/Norton, and McAfee.

    Just remember, there is no verification of the report.

  17. John Smith 19 Gold badge
    Black Helicopters

    Found by *how* big a team? 1 you say?

    So what's the betting the TLA's have been using this approach for at least the last 20 years?

  18. Christian Berger

    Well it should be obvious

    AV companies started their products in the 1990s, back when nobody was good at programming, at least not the people who programmed for Windows.

    Then they kept putting layer on layer of complexity. First they only scanned files, then they scanned archives. They continue to mess around with more and more complex programs. If a team implementing a compression algorithm cannot get it right, why should a team also responsible for lots of other things get a whole bunch of compression algorithms right?

    Among security people, AV is seen as snake-oil. It cannot work in principle therefore they won't work on such projects.

    Lastly, to answer the question why browsers are harder to exploit than AV software: Browsers have been mostly open source for more than a decade now. Browsers are actively researched and exploited by a large variety of people. Compare that to AV software, which nobody who knows about security cares about.

    1. Toastan Buttar

      Re: Well it should be obvious

      "AV companies started their products in the 1990s, back when nobody was good at programming, at least not the people who programmed for Windows."

      Oh, give over.

      Mac programmers were crap back in the day, too. "Hey, pointers are 32-bit, but we can only access 24 bits of memory space. Let's employ that top byte for something useful, like flags."

      http://en.wikipedia.org/wiki/Mac_OS_memory_management#32-bit_clean

  19. synonymous cowherd

    Illusory

    This is all so depressing, yet at the same time is totally unsurprising. Sheeple buy shiny looking AV, it has a big green tick, everything MUST be safe. Think again.

    As an aside, does anyone here have OS expertise? Only this DARPA drone OS goes open source caught my eye recently. Could the legend Tanenbaum be right in his assertion that micro-kernel based OS's are the way to go? What are the chances of this being forked and another class of OS coming to the fore? Just curious.

    1. Christian Berger

      Re: Illusory

      Well the point about that new OS is that the code has been proven not to suffer from certain kinds of bugs. Since such a proof is very hard to do, they only did it with very little code, hence a microkernel. It is then hoped that a "secure" microkernel will be able to secure the rest of the system... which is not necessarily true.

      However it is a big step towards security.

      1. synonymous cowherd
        Happy

        Re: Illusory

        Seems so, had a quick dekko at the FAQ and there do seem to be quite a few caveats. Gave you a thumbs up, thnx

  20. channel extended

    Parents know best.

    This reminds me of my parents, "Do as I say, Not as I do" type of programming! Face it nobody writes AV software any more, they just license the engine.

  21. Steve Graham

    Android

    Ironic that the anti-virus companies were whining recently that the sandboxing in Android made it impossible for them to do what they'd like to.

    1. Anonymous Coward
      Anonymous Coward

      Re: Android

      What they like to do is to sell user's data and their own exploits to the NSA for profit!

      1. Cryo
        Terminator

        Re: Android

        Yeah, why should Google get all the money for that?!

  22. Unicornpiss

    @MS software going downhill

    Has anyone but me noticed that the least compatible, flakiest, most prone to not interoperate, software on MS Windows systems is the software written by MS themselves? (Office comes to mind first)

    1. Toastan Buttar

      Re: @MS software going downhill

      No, I've seen a shedload of non-MS software which is 100 times flakier than Office. Interoperability of Office is also stronger than it has ever been. And MSE is the best free (as in beer) AV tool I've ever used on Windows.

      Not an MS shill, nor an open-source hater (used Open / Libre Office for yeeeears). I've been a Windows user since the late '80s, PC/DOS user since the mid-80s. I've been through the hell of Windows 9x, where you HAD to install third-party AV and firewall to protect yourself from the simplest of script attacks. Then I switched to XP, where you could get by with running without protection as a Limited User Account.

      Oh yes, you could!

      http://blogs.msdn.com/b/aaron_margosis/archive/2004/06/17/157866.aspx

      Now, Windows 7 offers all the benefits of active LUA and Firewall by default. And MSE is just a free download away.

      Nope sorry, I don't buy your assertions on any level.

  23. ecofeco Silver badge

    Quality control?

    "Quality control? What's that? Are you some kind of damn commie?!"

    - CEO, Giant Corp

  24. ratonbox

    A few things to clarify:

    - he did notify AV vendors trying to get money out of them (I saw this document in my inbox a few months ago).

    - almost all the vulnerabilities are in old versions of the software (at least in my case), which is like saying: "I've found a vulnerability in Windows 98SE"
