BOFH: SOOO... You want to sell us some antivirus software? "Yes, but with our antivirus software you can be guaranteed that we will track and locate 98.97 per cent of all known viruses," the caller says. "Tell me, where did you get the 98.97 per cent from?" "What do you mean?" "Well you say 98.97 per cent - not 99 and not something like 96, so you've obviously got a reason for it …
For example, Symantec blocks the installation of some of our software.
We've reported it several times, we've sent them the installers, we've sent them logs from our customers, and they refuse to acknowledge that there just might possibly be an issue with their software.
So we've simply had to advise those customers to drop Symantec. Which they have, because our software is genuinely useful while theirs is...
Saved them a lot of money as well.
You do know regedit.exe, do you not ? There is a almost useless "Find" option in there, what it does does help in getting <whatever_the_kids_installed> off of the computer.
I use two combinations:
Find <folder_name>|<program_name>
while (! EOF)
{
if (keyname.isHighlighted)
{ hit(DEL);}
else if (Value.isHighted)
{ //some uid
hit("<-"); //left arrow key
hit("<-");
hit(DEL);
}
hit("F3");
}
Delete folders on FS.
Works for me - takes time, though :-(
On Mac, I throw /Applications/<application_folder> into the bin, search for plists and throw them in the bin.
On linunx, it is just "apt-get remove --purge <program_name>", but I digress.
So, fellow BOFH's a few questions if I may.
1) Who thinks AV is even slightly effective? (When Symantec says AV only protects against an attack 45% of the time I think we can all agree theres a problem?)
2) Who drops any email attachments that are vaguely executable at the firewall/before it reaches the lusers?
2B) Have you figured out a way to open a zip/rar/oddarchivetype, and then drop the ones containing executable code?
3) Who has SRP's set up to prevent the users from running a virus imported by CD/USB/SOMEHOW?
4) How do you deal with PDF's? My personal bugbear, you can't just drop them because about 5% are actually legitimate, but the other 95% are exploiting the swiss chese security in Adobe. So far EMET5 appears marginally effective at mitigation when the users open them. I did try replacing Adobe reader with foxit reader, however foxit reader appears to be substantially less stable than adobe.
The answer to 2,2b and 4 is use something like MailScanner on your edge mail transport, drop all exes and zips, the AV scan it does on the rest should take care of the rest including PDFs but you could drop them to if you want since MailScanner will notify the users when it's blocked their attachments, so they can ask you to release it if it's a false positive.
The answer to 1 and 3 are the same. Who cares? Put the most acceptable AV of your choice on end user machines for some protection but have them keep all their work on a file server. If their PC gets infected nuke it, re-image and away you go.
In a well managed and backed up environment viruses and malware are rarely more than a bit of a nuisance. The bigger security problem is educating and preventing your users for falling for phishing mails and the like.
Yes, by all means just drop all ZIP files, also drop DOC(X), PDF,... because you never know it might be an unknown attack vector.
You sound like the IT guys at a customer site I work right now.
We're running around with USB sticks to move files around because that's the only thing that seems to work (*). Personal USB sticks, of course.
Yes, what could possibly go wrong?
(*) given that contractors are not allowed on the customer network, I have to do with a separate ADSL for my connectivity (which is a blessing because there's no firewall).
"As an office shouldn't have any legitimate programs delivered by email"
Eh ?
Maybe an accountants office, or something equally pointless. But most offices contain at least a smattering of actual workers, who like most people need to communicate arbitrary files. We don't appreciate you taking out all the useful bits.
You'd be one for swapping all forms of cutting tool for plastic scissors, wouldn't you ?
The useful bits are files for word, excel and PDF's, with assorted images etc. I can't see any legitimate reason why an office worker would need to receive binaries via email as a part of their work. Care to share?
Personally, I think 100% of incoming binaries are unsolicited malware of some description, and dropping them is a perfectly rational way of reducing the number that make it through to the end users.
I love your sweeping generalisation that all exe's are bad. I work as a sysadmin, and trolls like you are why I have to first zip exe's using weird compression, rename them to .tiff, open with a hex editor and insert 1029 bytes of tiff file information at the top, just so I can transfer a file, remove the 1029 bytes, rename to whatever zip format and uncompress them and do my job. Pray to whatever gods you believe in that I never discover what kind of car you drive, where you eat, or where you sleep. Revenge is a dish best served totally unbeknownst to the target.
Personal experience-
I've had a few appliances over the years (UPS/generator monitoring cards, environmental sensors on the raised floor, upstart company's wizbang gizmo) where for whatever reason the catastrophic error reporting was an email to us and the vendor with a zipped log/crash file.
Our policy was to nuke any zip file in inbound or outbound email, and at least one vendor nuked them inbound so those logs never saw the light of day when the magic blue smoke escaped the appliance.
Well guess what - in the corporate environment I work at the damned AV monstrosity is set to full paranoia mode - it filters out even Unix shell scripts. And no attachment releasing option either. If I want a file delivered by a HW vendor (it happens fairly often in fact), I'm out of luck. And chaotic as it is, I'm not even sure which team do I have to talk to to ask for some tweaking (well, theoretically I could try the helldesk, but no, thanks, I'd rather shoot myself in the foot). And don't even get me started on the enterprise AV policy they pushed out regarding "unwanted programs" (e.g. those idiots have included even stuff like bash.exe, which renders Cygwin unusable on the machines running the AV i.e. every corporate machine)......
Here is the thing . . .
Security is a matter of balancing protection with convenience and usability (and cost). Always has been, always will be.
There is no one-size-fits-all solution here and different scenarios and businesses will warrant accepting some additional risk for the sake of productivity or vice-versa.
It is my experience that if you make things too restrictive, users will get around the system in order to do what they want/need to do. If you set your password policy too strictly, requiring 20+ character passwords changed every month, most users will end up using weak, easily-remembered passwords, thus negating the benefits of a strong password policy in the first place.
Just so with AV restrictions as users will send files via personal e-mail, bring in CDs and USB sticks, use services like Dropbox and generally side-step the problem. What this often leads to is company data being handled by and stored in non-company systems, which is not a great situation.
Sure, you can try banning all (say) webmail URLs but then what happens when you instructed to allow Gmail so the CFO can view and synchronise an external calendar. And so it goes.
The important part in all this is to make sure the users are well-informed and understand why things are the way they are. Teach them good practices and keep them educated about any current trends or dangers because no matter how good your precautions, the best defence is a well-educated user.
"have them keep all their work on a file server."
That's been the policy at almost every company I've worked for. Along with the policy of giving staff terabytes of unusable storage on their local machines, while refusing to invest in disk space on the file servers. And the network hasn't got the capacity to cope with more than one person at a time moving data about.
Has anyone invented network RAID yet? If every desktop in my office could contribute 1TB to a massively mirrored and striped array, I'd be delighted, even if the resulting shared drive was only 1TB. Although the network would still be a bottleneck.
Exactly, I do not get all this non-sense.
I think you could do with Linux, remove the hard drives from the workstations as they arrive, setup boot from LAN, use Linux, see slax for an amazing example ... 180Mb of read-only joy, complete with office suite, browser etc. Customize your image[s] with apps you need. Build a massive RAID with the hard drives to house docs, home folders, your 4/5/6 images, and their respective backups ... remember, you do not need an image per hardware combination, more an image per target audience.
The home folder would be a network share, ideally sshfs. You have an issue, reboot ... takes 1 minute, including download/loading of image, and the beast is clean again. If you have over 2Gb RAM in the clients, use copy-to-ram for exceptional performance ... only uses like 512Mb RAM.
Alternative:
FreeBSD or Solaris and a distributed ZFS file system, using all drives in all machines for storage of documents.
These days, I mostly use the PDF readers built into Firefox, Chrome, and Safari. Sometimes I use (Apple) Preview. This is on a Mac, obviously.
What I'd like to do is banish them to an untrusted AppVM, as in Qubes OS, but I'm rather addicted to my computer having performance. Maybe next time I build a computer.
I keep hearing people say it is unstable, but here is the thing, I have been using it since the dark ages and NEVER had a single issue; ADOBE on the other hand, - which I have installed because some government websites INSIST only Adobe can open their pdf attachments - buggers up every other time I try to use it.
As for AV programs, yes, they slow everything down to a crawl; almost as bad as installing realplayer (which I foolishly did again last night).
I have never seen a simple EULA screen effectively lock up my machine for several minutes before.
You installed RealPlayer last night? Is this posted through some strange time wormhole? I haven't installed RealPlayer since...must be pre-2006 as that's my oldest still-working box, and it's never had it.
Do you mind me asking, genuinely, what for? Can VLC not play the .rm files you need?
I know, I was delusional, I blame the head cold and sinus irritation - the medication made it seem like a good idea.
As for how many PCs, only a dozen, but they are all old, patched together systems made out of left-over parts and spare XP licences (+1 Win7 machine) that originally ran WinME and uses Rambus Ram); actually THREE of them originally came with WinME.
I have managed to use Foxity even with those god awful government PDF forms most of the time. I save the form - using an old version sometimes and then FOXIT that saved one. If the )(*&^%$£"! fools think I am going to print out their un-savable forms and write on them, well they have not seen the state of my writing; still I may get the hand operated on soon. I guess they do have someone who can read, though I am not sure that is always the case judging by the number of errors they manage to make processing the stuff I send them.
Perhaps I should just write out the entries using my feet?
This BOFH rant would be very funny, but it isn;t, 'coz it's very very true. Usually we laugh at the BOFH 'coz he exaggerates real life so cruelly and accurately, but this time it's pure and simple truth.
On an off-topic note, Foxit used to be good. Used to be. Now it's just another slab of marketing-riddled bloatware with a screen-robbing Sinofsky-inspired UI from Bedlam. Despite having used and recommended it for quite a while, I stopped installing it a couple of years ago and switched to one of the three or four excellent little free no-BS alternatives. (My favourite is PDFExchange but there are several others which seem pretty nice too.)
SPAM and Virii exist because THEY WORK. Most of the attack vectors are in email (click here to win $$$) and these function because idiots will click them. Yes, to those who know better they are a scam, but for some percentage (probably the left over of 1.03%, 100% - 98.97%) they get through. With the small cost (if any) of email, this is acceptable to the scammers.
Moral: Don't click on email attachments unless you are VERY SURE of the source, and are expecting the attachment. Gotta be careful!
Of course it would be easier if operating system companies didn't do most of the work for the virus makers by "helping".
I remember about 9 years ago a place I worked IT in we had a nasty outlook e-mail virus going around. We spent almost a solid week removing it from the network (we had over 2k computers) right after we finished Our IT director sent out an e-mail to all users saying DO NOT OPEN ANY LINKS IN E-MAILS YOU ARE NOT EXPECTING OR KNOW THE SENDER to all the users.
5 minutes later the idiot opens an e-mail attachment marked IMPORTANT OPEN IMMEDIATELY, and reinfected the entire network... We only know this as the admins installed tracking software, and were actively monitoring who was infecting the network, and it all pointed at the IT directors computer...
Back when the first email virus infections came out, I was doing tech support for a major ISP. Both Melissa and the Love Bug went through the company like a dose of salts. I, of course, was immune because I was almost the only person in the company who hadn't switched over to Outlook, and was still using a non-Microsoft email client that wasn't vulnerable to that kind of thing. I must admit, though, it was very entertaining watching everybody else sending out (infected) emails warning people about the virus, not realizing what they were doing. Now, of course, I have no idea what AV software works, what brands don't and which are actually malware because I only run Linux.
I no longer use Windows, but in my dying years with it I gave up using AV, for exactly the reasons BOFH so engagingly cites. For about two years a small group of machines went commando, relying simply on common sense (and threat of an unpleasant death for wayward users). There were no problems. Perhaps we were just lucky. Perhaps the whole thing is just a massive exercise in inflating a real, but relatively minor and manageable, risk into a massive source of fear and paranoia that has as its sole purpose the repeated emptying of wallets for all eternity. Rather like the whole Windows ecosystem upgrade cycle actually.
You make an important point, considering how practically useless and excruciatingly unpleasant the "cure" for viruses is.
What matters most is you have some off-line backup & restore strategy and actually use it.
Then you are probably better to run Windows without AV and just be willing to nuke it and restore the backup when t gets infected. This has the added bonus of getting rid of general crap and bloat (aka "windows entropy") as well.
Didn't Peter Norton sell off everything long before there was a 'Norton Antivirus'?
And I seem to remember that when Symantec introduced NAV 1.0 they set up stand at a computer show and advertised that people could come and have their diskettes scanned for free...
And that reporters from PC Plus took them up on it, and brought diskettes that really should be tored in lead-lined containers...
NAV didn't find a single virus, and when pressed, the booth-drones admitted that they were using a non-working 'pre-release' version.
I wonder how many visitors went home with virus-infected diskettes that day...
Unfortunately, we're using the current version at the office, and it can't even protect against browser hijackers...
Peter Norton & John McAfee are both professional cheque cashers. McAfee sold it all years ago, and I think Norton still gets money every time Symantec sells a yellow box with his name on it.
As the founders / creators / perpetrators / benefactors of this industry, I am sure the BOFH would have an interesting conversation with them. Probably something that ends with a stack of royalty cheques signed over to "BOFH Retirement Fund".
The reporter was from PC Business World. I remember it well; as I recollect there were 11 viruses on that diskette. And the Symantec excuse was, "Well, those are European viruses". And we all fell about laughing, because, hey, guess what, this is Europe. No, it wasn't a non-working pre-release version, it was a working version. Well, sort of.
The reason I remember it so well, is that Symantec spent £250,000 on the launch of Norton AV, and after the headline in PCBW of "Norton fails", they unlaunched it. But the distributors had everytning set up for pushing it out to dealers, and needed an AV.
So along came Dr Solomon's with a product that actually worked (and in those days, it was possible to write an AV that worked) and we replaced the NAV product in the launch with ours, and that's what got DSAV into the distribution channel. And so that £250,000 ended benefiting us, not Symantec.
I haven't run an antivirus for about 20 years, mostly because I use Linux, partly because the threat today isn't viruses.
drsolly
all of it. Then some years ago switched to NOD32 (based on comments from the more intelligent posters on acv when it was the AV place to be). I don't understand why people still froth at the mouth about antivirus products. None of the above complaints apply to NOD32 nor have I seen complaints about how NOD32 failed to detect this or that - and I've been using it close to a decade now. One might worry that it is so cheap one day Eset'll go bust, but maybe a mass migration to it would prompt a change in the alleged competition and AV would become generally non-bloat, non-system crippling, resource-friendly, prompt and effective? Or is it that one of the joys of running Windows is a good moan about anti-malware?
Good, and prompt, tech support too. Of course we know that those of us providing online support work 24/7, but it still pleases me to ask something by email at 3 AM and get a response by 4 AM (a bit like when I emailed the vet on a bank holiday and he responded almost immediately). I have my Mint partitions visible from Windows - thanks to Ext2fsd (which is great for editing, e.g. boot files, as well as backing up Linux along with everything else from Windows with Acronis WD Edition. And works in Windows from XP to 10, if from 8-on ran in compatibility mode for 7). Doing a full scan - which takes a lot longer with the visible Linux partitions - I wondered if the Windows version had, say, the definitions for detecting Linux malware; not that I'm worried about Linux malware, but if I can scan it from time to time, why not; while if it couldn't detect anything it's a hell of a time to wait to no purpose. Apparently quote: "The database in all versions of eset is the same, so Eset for windows will detect threats that are linux threats". It takes longer, as indeed does restoring the Acronis back-up, which I only actually tested a few days ago. Takes longer but works perfectly.
You'd almost think I worked for Eset. In a way I do, since I switch most of my customers to it, provide the license and charge a small amount for the service, with which I throw in free email support. In the several years I've been doing this I have never had to provide email support for NOD32.
Run Clam on the Debian box because it mounts M$ OS partitions. Also, there are browser based attacks that hit most OS. Some chance of notification may help. I have amused myself when really bored by booting Linux and scanning my NT and FAT32 partitions and noting what is found lurking in the $DISK$\System Volume Information or a temp dir fifty directories down somewhere. Rebooting to windows and running one of the more recommended AV products which rarely spot the same suspect binary. So this BOFH is reality, not satire. None the less, a beer to Simon, because his monologue was well expressed. What I loathe about these free products is how, despite BigSwamps attempts to prevent infection by throttling the network, I still get massive download size claims for a mere 200 MB binary. In contrast, usable freebies like VLC updates are about the size stated on tin.
The reporter was from PC Business World. I remember it well; as I recollect there were 11 viruses on that diskette. And the Symantec excuse was, "Well, those are European viruses". And we all fell about laughing, because, hey, guess what, this is Europe. No, it wasn't a non-working pre-release version, it was a working version. Well, sort of.
The reason I remember it so well, is that Symantec spent £250,000 on the launch of Norton AV, and after the headline in PCBW of "Norton fails", they unlaunched it. But the distributors had everytning set up for pushing it out to dealers, and needed an AV.
So along came Dr Solomon's with a product that actually worked (and in those days, it was possible to write an AV that worked) and we replaced the product in the launch with ours, and that's what got DSAV into the distribution channel. And so that £250,000 ended benefiting us, not Symantec.
I haven't run an antivirus for about 20 years, mostly because I use Linux, partly because the threat today isn't viruses.
drsolly
I've been running Avast on the Windows computers I need to keep running Windows on. Avast used to prove the old adage: "The best things in life are free." I've felt for a long time that free software is generally more functional, less bloated, and more stable overall than "professionally" developed software.
Avast used to shame Symantec AV and most everything else in detection and cleaning of viruses, and probably still does. I used to recommend it to everyone needing an AV solution for a home computer. Now that they've become mainstream, they seem to be all about ad revenue. Perhaps I need to stop being a freetard when it comes to AV, but when I get frequent pop-ups from my AV saying "Your computer could run faster.", etc., the solution has become nearly as bad as the problem. I understand that they're not exactly making money on a freeware product, and ad revenue is a logical choice, but it just makes me sad, really. Like a pop star that used to make good music until they sold out.
At work we use Symantec's products for 'protection'. The only good thing I can say about Symantec is that at least they're not McAfee.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
