back to article Antivirus tools are a useless box-ticking exercise says Google security chap

Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort on tools like antivirus and intrusion detection to instead research more meaningful defences such as whitelisting applications. The incident responder from Google's Sydney office, who is charged with researching very advanced attacks …

  1. veti Silver badge

    About time

    ... someone called out the antivirus industry for the waste of space it is. I almost said "scam", but that wouldn't be fair: they're not malicious, particularly, just - useless.

    I'd love to see a whitelist-based approach to antivirus. It's good enough for firewalling, and that already works way better than any antivirus package I've seen.

    1. AlbertH

      Re: About time

      AV is a scam. I have never seen any AV product actually do anything useful. When it's trivially easy to build and disseminate a Windows virus in minutes, the AV vendors are - at best - playing "catch up" and at worst are just shipping bogus products that just use up machine resources for no return whatsoever.

      Since MS don't understand the basic principles of security - they used to, but abandoned it in favour of "ease of use" - if you want any real kind of "cybersecurity", you cannot use MS products. When the business world catches on to this basic truth, MS will be (finally) done for, unless they abandon their entire product range and start again, much as Apple did with OSX.

      Even Chrome and Android have better fundamental, underlying security than any version of Windows!

      1. patrickstar

        Re: About time

        Uhm, for your information, Windows has exactly the same type of permissions/user model. (In fact it's more powerful than the traditional *ix permissions model, but the benefit of that is in doubt...)

        1. Warm Braw

          Re: About time

          the benefit of that is in doubt

          Well you're right in everything you say, which probably explains the downvote.

          User-based permissions are not terribly useful when there is effectively only one user on the machine. Application whitelisting is a step in the right direction, but of course that's just an invitation to compromise whitelisted applications.

          Each application should have a set of authorisations to do just enough to accomplish its job and it needs to get those authorisations transparently and, for the most part, explicitly - for example a user clicking "open" in a file dialog provided by the operating system would authorise access to a specific file - rather than by implicitly inheriting a user's authority and later using it against him. While too much user annoyance could be avoided by sensible defaults (specific locations where preferences, temporary files, etc, can be accessed), better security does depend to some extent on a bit more user inconvenience and I'm not sure this is something users will ultimately accept.

          1. Anonymous Coward
            Anonymous Coward

            Re: About time

            "Application whitelisting is a step in the right direction"

            Can someone kindly explain *why* it's a step in the right direction?

            Why can't the *OS itself* provide (ideally, impregnable) protection on *data*, regardless of what particular application is trying to access it? By all means add whitelisting on top, but when almost anything can turn into code whether it's authorised or not, whitelisting is not a sensible rock on which to build, surely?

            And why the ridiculour trend (on both Android and Window boxes) for the false assumption that allowing any access to a data item means allowing total access to that item (ie why is it suddenly no longer considered necessary to distinguish between read-only access, and read/write (or even delete) access?)

            E.g. "Do you want xxx to be able to make changes to your system"

            Has everything from the world of multi-user multi-tasking computers+OSes got to be re-invented from scratch by bright young things and "security researchers", before today's multi-user multi-tasking devices+networks are moderately safe to use? It would appear that way.

            1. Warm Braw

              Re: About time

              Can someone kindly explain *why* it's a step in the right direction?

              Because you have to get there from here. Adding application-whitelisting to an existing operating system is a lot easier than redesigning the entire system and hence can be delivered more quickly without potentially also requiring changes to the applications themselves.

              Has everything from the world of multi-user multi-tasking computers+OSes got to be re-invented from scratch

              Actually, pretty much. Security on those systems was intended to protect users from each other, not to protect users from rogue applications. Although the mechanisms used to implement that protection can probably be used to advantage, they may not on their own be enough.

              1. Anonymous Coward
                Anonymous Coward

                Re: About time

                "Adding application-whitelisting to an existing operating system is a lot easier than redesigning the entire system and hence can be delivered more quickly without potentially also requiring changes to the applications themselves."

                OK, it keeps IT departments and whitelist-tool vendors busy. What real benefit does it provide, unless the underlying OS is also reasonably secure against "unauthorised code execution"?

                "Security on those systems was intended to protect users from each other, not to protect users from rogue applications"

                So close and yet so far.

                Back in the day, there was data (files, memory, other objects), which generally had access protection, and code, which generally inherited the access rights of the user. Variations on this theme also existed.

                Back in the day, the "application" concept didn't come into it much, except in certain special circumstances (e.g. involving a handful of known+trusted applications being granted SETUID to gain extra rights in particular circumstances, and similar such).

                Back then, if Joe Public wants to 'run' a script, he gets to run a script, no whitelist needed, no damage possible (in most cases). The OS built in mechanisms prevent, protect, audit-log (etc) access (including failed access) to the data. The application is only allowed to access data the user can access (exceptions apply, see above).

                Move forward two or three decades and that largely seems to have got lost somewhere.

                The whitelist concept attempts to provide a figleaf for the IT manager and their department, whereas in actual fact it does nothing to prevent unauthorised code execution, let alone unauthorised elevation of privilege.

                Authorisation and audit of who's using specific applications can, if necessary, be done a different way without being dependent on blanket whitelisting. E.g. by using the OSes security mechanisms to protect the executables/scripts/etc involved.

                But hey, let's repeat the same learning process from thirty years ago and see how wrong we can get it this time. Looking pretty good so far, especially as we've got nice shiny GUIs and "management tools" to hide the underlying can of worms.

                Windows NT 3.1 had most of this in 1993, btw. UNIXes (including Linux) too. And then along came "one computer = one user".

            2. patrickstar

              Re: About time

              All current general purpose OS's are horribly broken for many reasons, security being one of them. I am, by the way, personally pissed at Apple for screwing up the last chance to do it right for the next 20 years or so.

              Windows has several ways to keep things from writing to the system or user data - separate user accounts, integrity levels (running with low integrity basically means you can't affect anything with a higher integrity level - even if you're the owner - like writing to files or injecting code into processes), etc. Problem is that there is still a huge attack surface to escalate privileges from that.

        2. oldcoder

          Re: About time

          Actually not. That is part of the reason it is so vulnerable. There are so many ways around any security Windows actually gained from NT when NT really was a microkernel design.

          1. patrickstar

            Re: About time

            The NT/Windows kernel has never been a true microkernel - all runs in the same address space with the same privileges. Time to change that, perhaps... the architecture certainly would allow it.

        3. Anonymous Coward
          Anonymous Coward

          Re: About time

          Uh, no. . . The one thing that is broken by design in Windows is the RBAC user permission model.

          As root on an *IX box you can override permissions and fix things, leaving them as they are.

          As Administrator on a Windows system there are things you don't own and can't change. You can take ownership, there by FKing the whole system up to change one tiny thing, but that's a clusterfk if you ever attempt it.

      2. Patrician
        Facepalm

        Re: About time

        And the Microsoft bashing begins; didn't think it would take many posts before we saw this.

      3. TAJW

        Re: About time

        "...I have never seen any AV product actually do anything useful..."

        You should see my wife browse the Internet or read email. Despite my over 40 years in IT and past 10 in Security, I still can't get her to be careful. Malwarebytes and Security Essentials are always popping up warnings, blocking sites and removing junk from her clicking on anything and everything. User training is probably the most useful thing we can do for security, but there are folks out there that will *NEVER* learn.

    2. Mikel

      Re: About time

      Where have I read this before?

      1. Anonymous Coward
        Linux

        Re: About time

        I've been saying this for 20 years. And I haven't seen (other people's) AV catch a single genuine threat the whole time.

        icon --> Smug (Linux Weenie)

        1. Destroy All Monsters Silver badge
          Mushroom

          Re: About time

          And I haven't seen (other people's) AV catch a single genuine threat the whole time.

          I call rank bullshit!!!

          AV may not be the solution to everything and there sure are threats slipping through, but given the current paltry state of the "industry" (more like a bunch of idiot people that should be Godwin'd by fast track to terminal reeducation camps and that really should have decided to start a career in creative fantasy writing or "modern" painting instead of going into IT) they take on the role of necessary seat belts. Won't protect from a car mugging or an encounter with a trucvk, but protects against the usual vagaries (and I get warning about these in my mailbox every week as someone has again decided to CLICK ON SOMETHING!!)

    3. Roo
      Windows

      Re: About time

      "I'd love to see a whitelist-based approach to antivirus. It's good enough for firewalling, and that already works way better than any antivirus package I've seen."

      AFAICT SELinux delivers that - and more, without the disk thrashing. Labelled IPSEC + SELinux goes a bit further - giving you a way to identify remote processes and decide if you trust them or not too. I am surprised no one else has mentioned it yet.

  2. Ole Juul

    less effort indeed

    I haven't used antivirus since the days of scanning floppies. The amount of time and aggravation I've saved is considerable.

    1. Anonymous Coward
      Anonymous Coward

      Re: less effort indeed

      but for those being spammed by your bot-net host are constantly fighting fires.

      1. Ole Juul

        Re: less effort indeed

        but for those being spammed by your bot-net host are constantly fighting fires.

        That's a bit of an assumption isn't it? I watch all the machines like a hawk and do a frequent sockstat and related. You're just being rude.

        1. IsJustabloke
          Trollface

          Re: less effort indeed

          "You're just being rude."

          new to the internet eh? ;)

    2. Mage Silver badge

      Re: less effort indeed

      NoScript is more protection and less damage than AV. Whitelist a minimum of scripts.

      1. Infernoz Bronze badge
        Holmes

        Re: less effort indeed

        Use of NoScript, Request Policy Continued and other Browser security extensions in Firefox (expensive in Chrome, SRWare Iron or Opera because webkit uses a very memory expensive process for each!) are probably why I have very very rarely seen an anti-virus hit. I'd argue that a lot of commercial JavaScript scripts, inline content, links and cookies, are significant anti-privacy threats, so switching to HTML5 from Flash doesn't fix all the security issues!

        I only run the light weight Avira anti-virus because bloated shit like McAfee can make an SSD machine seem nearly as slow as a spinning disk machine, this is especially curse inducing on I/O bandwidth crippled machines like even a 'decent' i5 ultrabook!

        All the f'ing retarded websites, including corporate intranets, which /still/ haven't migrated to HTML5 from damned insecure Flash should have just be told to just die already by /all/ the browser providers!

        The Java plugin will disappear when Oracle finally releases Java 9, assuming the released doesn't get delayed again past summer 2017, and it will probably be /much/ more secure due project Jigsaw, so all the anti-Java trolls can just STFU then.

  3. Anonymous Coward
    Anonymous Coward

    Probably the best "antivirus" you can have…

    … is running Windows instances in a VM.

    1. Malware these days is coded to detect such things on the off-chance that it's a whitehat's sandbox environment for reverse engineering, so shuts down when it detects a virtualised environment.

    2. Provided you know how to use the snapshotting feature of your VM software, you can roll back in mere seconds. The malware doesn't stand a chance.

    The elephants in the room here are of course the security of the VM implementation, overheads and hardware access. (e.g. anything that makes heavy use of 3D graphics won't perform so well in a VM)

    1. Anonymous Coward
      Anonymous Coward

      Re: Probably the best "antivirus" you can have…

      and without an AV how do you know to roll back because you've been infected by something silently watching keystrokes, siphoning data or using you as a node to the rest of the infrastructure or a DDOS point?

      And that's you, never mind the average user.

      I'm not pro AV, but I do wear a bicycle helmet whilst riding.

      1. Anonymous Coward
        Anonymous Coward

        Re: Probably the best "antivirus" you can have…

        >I'm not pro AV, but I do wear a bicycle helmet whilst riding.

        No defence against when you're head or torso is sandwiched between an articulated lorry wheel and the tarmac, same false sense of security. Gruesome but true.

      2. Aitor 1

        Re: Probably the best "antivirus" you can have…

        I also wear a helmet, and doing that saved my life (I broke it with my head and got unconscious plus broken bones).

        That said, riding in the city or on a road the helmet is almost useless, as the real danger are car, trucks and white vans (in particular, construction workers vans.. they seem to hate cyclists for some reason). The helmet does nothing here.

        1. This post has been deleted by its author

      3. patrickstar

        Re: Probably the best "antivirus" you can have…

        Why are you assuming an attacker didn't take 5 minutes to check his toolkit against AVs? There are even services to do this for you automatically. Hell, there are even services to fix any AV detections automatically...

        Why are you assuming bugs in the AV (there are lots...) wasn't how he gained access in the first place?

        1. Anonymous Coward
          Anonymous Coward

          Re: Probably the best "antivirus" you can have…

          @patrickstar I wasn't, hence the cycling analogy which others seemed to have misinterpreted.

          The point being, I'm aware of the shortcomings of my helmet, I'm very aware of it's cons vs it's pros, but I still wear it, because, in some instances, however small the likelihood, it serves a purpose.

          And I'd rather my helmet perform it's intended purpose, then take the hit myself.

          1. patrickstar

            Re: Probably the best "antivirus" you can have…

            AV presents a (real, if you're subjected to targeted attacks) risk that you get owned through your AV. That would be akin to getting strangled by your helmet strap, or something.

            If you're not subjected to target attacks ,just make sure your software is up-to-date (most mass malware infections happens through old if not ancient vulnerabilities) and that your configuration is non-standard enough that there isn't any financial incentive for mass exploits to work against it.

        2. Seajay#

          Re: Probably the best "antivirus" you can have…

          If you're going to be the first infection perhaps because the virus has been written specifically for you, AV won't help you. As you say, the attacker will have checked his virus against the major AV suites. However, if you would have been the 10,000th but in that time, new virus database updates have come out, your AV has saved you.

          Darren is primarily involved in security for Google who are easily a big enough target that it is well worthwhile crafting viruses specifically for them. That means that although his advice is correct, it only really applies to him and to other similarly big targets. Not necessarily to me.

          1. Charles 9

            Re: Probably the best "antivirus" you can have…

            Thing is, virii have gotten sophisticated enough to reach Captain Trips levels where no two infections are alike enough for an AV to catch.

  4. Anonymous Coward
    Anonymous Coward

    "He illustrated his point by referring to the 314 remote code execution holes disclosed in Adobe Flash last year alone, saying the strategy to patch those holes is like a car yard which sells vehicles that catch on fire every other week."

    Which sounds great until you realize many people and firms are pretty much held hostage to Flash. Like being stuck in the middle of a shark-infested ocean with a leaky boat. What option do you have other than to keep bailing?

    "I'd love to see a whitelist-based approach to antivirus. It's good enough for firewalling, and that already works way better than any antivirus package I've seen."

    But then you have to whitelist browsers or you can't go on any Net, Inter or Intra. Malware simply targets the whitelisted apps and employs things like privilege escalation if needed (which can also target apps that require the privileges, collect separated privileges, etc.) to get past any safeguards.

    "The elephants in the room here are of course the security of the VM implementation, overheads and hardware access. (e.g. anything that makes heavy use of 3D graphics won't perform so well in a VM)"

    Plus there's always the threat of a Red Pill: a hypervisor attack that can escape the VM.

    1. Sampler

      You mean like the one disclosed earlier this week?

    2. RealFred

      Having a whitelist means putting your security in someone else's hands while you can't do anything about it. Its exactly like using antivirus software

    3. roselan

      Flash? Try Word macros...

      We have been hit by a cryptosystem through a remoteapp ( or more precisely through the vpn used by the remote app). Our legacy email system doesnt know what an antivirus is (and stores attachements in a database).

      Yes antivirus we are an issue, but most of us in the real world face earthier challenges.

    4. Sandtitz Silver badge

      "He illustrated his point by referring to the 314 remote code execution holes disclosed in Adobe Flash last year alone, saying the strategy to patch those holes is like a car yard which sells vehicles that catch on fire every other week."

      <pedant> That was actually the total number of vulns for Flash last year, not everyone of them necessarily being remote code execution holes. </pedant>

      I wonder why he didn't point to the 187 vulns Chrome had last year...?

  5. Winkypop Silver badge
    Devil

    Whitelists?

    Oh, I thought he was discussing the new Trump Regime.

    Praise be to glorious leader!

    1. Destroy All Monsters Silver badge

      Re: Whitelists?

      ENOUGH!

      You know how to get to Portland for a protest meetup with the other liberal arts students and state dripfeed survivors.

      1. Roo
        Windows

        Re: Whitelists?

        "Portland for a protest meetup"

        Dunno about protesting, but the beer's great there (or at least it was the last time I visited). :)

  6. Pompous Git Silver badge

    Telling users not to click on phishing links
    Network Solutions started sending out emails telling its clients that they have to "click on the red button" to confirm your email address or we terminate your service. I emailed back and pointed out to support that NetSol had issued an advisory telling users not to click on red buttons in emails as they were likely phishing attacks.

    Support emailed me back that it was an ICANN requirement that domain registrants confirm their email and the only way to confirm my email was to click on the red button. I pointed out that we were conversing via the email address concerned and was told that was not evidence the email address existed; only clicking the red button would do that.

    I no longer use NetSol.

    1. DryBones

      Good move. Did anyone notify the local zoo that their monkeys had gotten on the internet again?

    2. Roger Greenwood

      " . . was not evidence . . "

      Sounds like trying to argue with bomb 20

    3. h4rm0ny

      I contacted my hosting company over a similar thing, asking if it were actually a phishing attack. They confirmed that no, it wasn't and yes, the domain name ICANN was using was legitimate even though it sounded like a scam. I was unimpressed.

      I'll be holding on to my AV for a while longer. Did Google say who should be in charge of whitelisting? Was it them, by any chance?

      1. Mephistro
        Thumb Up

        "Did Google say who should be in charge of whitelisting? Was it them, by any chance?"

        I came here to say that same thing. Thanks for saving me the effort!.

        Also, I seem to recall MS trying the same trick many moons ago, though a fast search didn't find anything.

        Whitelisting performed by an interested party that is creating/trying to create several monopolies. What could possibly go wrong?

      2. Charles 9

        "I'll be holding on to my AV for a while longer. Did Google say who should be in charge of whitelisting? Was it them, by any chance?"

        Whitelisting is only practical in a business setting where there's a boss to dictate terms. In this case, it's the boss who manages the whitelist.

        In a home setting, no whitelist can be considered safe except one curated by the user him/herself, only most users lack the aptitude to correctly curate a whitelist. And placing it in someone else's hands essentially places your trust in a Trent who could really be Mallory.

  7. DerekCurrie
    Unhappy

    If Only Google Could Get A Handle On Their Own Security Problems

    Fragmentation: The impossibility of keeping Android OS up-to-date on OEM manufactured devices.

    Google Play Store Malware: The impossibility of knowing that apps downloaded from Google's own app store for Android aren't malware, despite Google's 'efforts' to stop the problem.

    Headlines such as:

    "1 in 5 Android Apps Is Malware" - Yahoo

    "97 percent of mobile malware is on Android" - Forbes

    "F-Secure says 99% of mobile malware targets Android" - GreenBot

    "Android Malware Removed From Google Play Store After Millions of Downloads" - Wall Street Journal

    "More Google Play apps infected with Brain Test malware ..." - ZDNet

    "Over 400 instances of Dresscode malware found on Google Play store, say researchers" - ZDNet

    ...Ad Nauseam...

    1. king of foo

      Re: If Only Google Could Get A Handle On Their Own Security Problems

      Might that correlate more strongly with size? Android has 80%+ of the market :. it makes sense that it would have 9x% of the attention. Windows suffers in the same way on the desktop.

      If traditional PCs continue to be replaced by "non windows" devices in the home then perhaps even more attention will be given to the likes of android, chromeos and iOS, and one day windows could be quite secure... then both users can give themselves high fives...

      1. h4rm0ny
        Happy

        Re: If Only Google Could Get A Handle On Their Own Security Problems

        >>"Might that correlate more strongly with size? Android has 80%+ of the market :. it makes sense that it would have 9x% of the attention. Windows suffers in the same way on the desktop."

        Yes. Though that does give me ironic flashbacks to arguments in the mid-2000's when people here would hold up the quantity of Windows malware against the quantity of GNU/Linux malware and when I'd point out the difference in userbase size and user sectors (server vs. home), they'd go "nuh-uh. It's nothing to do with how many people use it".

        1. Teiwaz

          Re: If Only Google Could Get A Handle On Their Own Security Problems

          There's your solution right there.

          Have the OS market totally fragmented to under 2% market share with s/w binaries totally unable to run on other systems. No takers? Didn't think so.

          Back in the 2000's the primary way of getting s/w onto linux was compilation yourself (a lot of that decade I was still on dial-up for a start, less fuss to pick up a Original DVD every six months) plus the userbase was generally more IT aware, still is, compared to the Windows user base, but there are more non-techies using it than there used to be.

          The vast majority was the userbase, but how convenient an OS is to use plays a large part too, and 'Linux in the 2000's was rather inconvenient to use as a desktop OS. Didn't put me off one iota.

        2. oldcoder

          Re: If Only Google Could Get A Handle On Their Own Security Problems

          There is still a big difference. Under 2% of the Android phones have a problem... where 30+% of the Windows desktops have a problem, even WITH anti-virus protection.

          A rather large difference.

          1. You aint sin me, roit

            Re: If Only Google Could Get A Handle On Their Own Security Problems

            And "those who manufactured hardware and software that is not secure enough to be used online".

            So if I use Chrome and Gmail then I'm bombproof?

    2. Guus Leeuw

      Re: If Only Google Could Get A Handle On Their Own Security Problems

      Dear Sir,

      this is what a company gets when having a senior security engineer what appears to need to hold his crotch in public, for reasons of comfort or security...

      Or am I being too sarcastic now?

      Regards,

      Guus

    3. Mark 110

      Re: If Only Google Could Get A Handle On Their Own Security Problems

      I thought the Android malware was mostly apps users are tricked into installing tthat come with bonus malware.

      I'd like Android to give me a bit more info on whats going on. What network connecctions its opening to what IP addresses (and where those IPs are registered and to who)? What Apps are accessing what data actively at any time?

      Then I can whitelist, blackliist, uninstall as needed. Shouldn't be too difficult should it?

      1. Phil Koenig

        Re: If Only Google Could Get A Handle On Their Own Security Problems

        Re: paragraph 2 - various third party apps can do all of that.

        Some of them may require the device to be rooted.

      2. Charles 9

        Re: If Only Google Could Get A Handle On Their Own Security Problems

        "I'd like Android to give me a bit more info on whats going on. What network connecctions its opening to what IP addresses (and where those IPs are registered and to who)? What Apps are accessing what data actively at any time?"

        But most users would see this info as Information Overload, and they're also the most likely to be victimized. So what do you do? The most likely victims are also the least likely to know how to avoid being victims.

  8. Adam 1

    > Telling users not to click on phishing links

    Surely that's phushing lunks

    /ah, my coat. Thanks.

    1. Pompous Git Silver badge

      Surely that's phushing lunks
      Ah, a New Zealander. Met any attractive sheep lately? ;-)

      1. MonkeyCee

        All the same

        "Ah, a New Zealander. Met any attractive sheep lately?"

        Wouldn't know, it's all cows there now.

        Given the relative rates of bestiality in the population (OZ >> NZ) and convictions* for said nastiness (NZ > OZ), I'd be a bit careful about those insults.

        Then again, it's those accusing others who are always a bit more suspect.

        * the trend is to use animal welfare laws rather than bestiality laws, since it gets a lot less press that way.

        1. WolfFan Silver badge

          Re: All the same

          * the trend is to use animal welfare laws rather than bestiality laws, since it gets a lot less press that way.

          Spoil-sports.

      2. WolfFan Silver badge

        Ah, a New Zealander. Met any attractive sheep lately? ;-)

        Dang. I thought that it was Scotland where men were men, women were men too, and sheep were nervous. Kinda like the Internet, were men are men, women are men, and children are FBI agents.

        1. Pompous Git Silver badge

          Dang. I thought that it was Scotland where men were men...
          The accent was the giveaway :-) "phushing lunks". Mind you, an awful lot of them are descended from Scotsmen...

  9. Lee D Silver badge

    We're still just designing systems wrong.

    Programs running against your consent:

    Whitelisting (available on Windows, by the way, if you run domains... it's called Software Restrictions Policy). Task managers that cannot be overrode, and which INSTANTLY KILL PROCESSES WITHOUT GIVING THEM A CHANCE TO RESPOND. A single, solitary lists of programs that run at startup / specified times, that is definitive and none of this "Is it in all users? Is it a scheduled task? Does it run from the registry entries? Is it a service?" nonsense. You want a program to run other than when a user executes it? You need to be in the list, saying when - startup, every hour, all the time in the background, etc. - and then we ask the user about that, And, no, programs do NOT get to modify the list. And users can just delete your entry from that list at any time. P.S. One entry per executable.

    Programs encrypting all your files:

    Containerisation, overlay filesystems and copy-on-write to files they use (and why is your game trying to open your work email folder?) rather than just blanket filesystem access for everything. Permissioning stops this but nobody uses it properly. And why are programs given access to everything that isn't permissioned off by default? Literally, every program running as it's own user (application_program_name) who has ZERO ACCESS until it's granted. And No To All, or "Uninstall this application" on all related permission request dialogs.

    Programs deleting data:

    Shadow copies / snapshots. Why are they not enabled by default on all computers, and why are they deletable? Literally just set every machine to fill up its disk with "backups" and only remove them when there's no space left (and count them as "free space" in all statistics so users don't panic). The average user would be able to have months of automatic backups, literally every time the PC was turned on or logged into, rather than the occasional System Restore from when they last installed updates.

    Programs running without your consent:

    Stop the ability to replace task managers, etc. One-click kill of program (Task manager is inherently inferior to, say, Comodo KillSwitch or SysInternals Process Explorer in this regard, too.). A "kill and don't allow children to spawn" option, too. No hiding of program names. No running as "system". A safe mode that damn well works and isn't just a cut-down version of the exact same OS with the same system paths, programs isntalled, etc. Hell, what's wrong with a "System Maintenance Mode" in which you can install programs but not run them, and a "System Operation Mode" in which you can run installed programs but not install them?

    Programs being difficult to remove:

    One-click removal of entire container for each program. Every file, every setting, every hidden DLL, gone. Literally, nothing gets installed as a "program", they are all just containers that fake access via overlays and layers to make each program think it's installed in C:\OldProgram, accessing the main registry or whatever and actually it's just a mini-copy that gets overlaid. Windows registry pretty much already has this functionality. When you delete the container, all its effects - including startup entries and registry entries and filesystem modifications are gone.

    We just don't know how to make an OS for the modern world where things aren't trusted. Even Linux makes you set up the above manually for the most part.

    Rather than design a system that lets users run riot but makes administration almost impossible, and tells the users to never set a foot wrong, lets jump to the assumption that the user is an idiot and will do dangerous things all the time, and give them - and admins - a way to undo their actions and contain them. And give admins an easy way to stop anything they like. Literally "That's it, that's the list of programs I will allow. Nothing else can ever run.". Yes, we have bits and bobs of that functionality but it's NOWHERE NEAR the default.

    1. Anonymous Coward
      Anonymous Coward

      Everything can be a program, if the OS is a PoS

      These "programs" of which you speak, and the whitelists in which you place your faith: how does (e.g.) a cross site scripting attack get blocked by your approach?

      How does it stop a scripting/macro attack in general; y'know, Word/Excel macros etc in an environment where "macros have to be allowed or we can't run the business"?

      "A safe mode that damn well works and isn't just a cut-down version of the exact same OS with the same system paths, programs isntalled, etc"

      How about an OS that knows how to work right when booted off trusted read-only media (and a return to media which can be swapped between read/write and read-only. In hardware.)

      1. Dave 126 Silver badge

        Re: Everything can be a program, if the OS is a PoS

        >Programs deleting data:

        >Shadow copies / snapshots. Why are they not enabled by default on all computers, and why are they deletable?

        Yes. I've made a comments here before about how every PC sold to Joe Punter should come with redundant storage and an OS configured to use it by default. It would save their IT-literate friends a lot of faffing about. Not only could the machine be rolled back to known good state, but a known clean state could be loaded at every startup, if desired.

        Incremental backups don't require too much bandwidth after the initial backup, so a network solution is fine when at home - most of the time. For laptops, being semi-permanently attached to an external HDD by cable is less than ideal, but we're getting to the point where a small SSD array could be left in a USB-C port (either USB 3 or ThunderBolt) all the time. I can't see laptops including XQD card ports in a hurry (unlike SD cards, XQD uses PCIe) - oops, I'm straying away from Joe Punter to professional considerations.

        1. Charles 9

          Re: Everything can be a program, if the OS is a PoS

          And then when Peter Packet stuffs his drives full of stuff such that there's no room for a shadow copy and a larger drive would jack the sale price past affordability?

    2. Adam 1

      > Shadow copies / snapshots. Why are they not enabled by default on all computers, and why are they deletable? Literally just set every machine to fill up its disk with "backups" and only remove them when there's no space left

      Enabled by default yes, but it hardly solves the ransomware problem. If the ransomware sees 250GB free, it just has to overwrite the files enough times that the oldest shadow copy must be from after the infection. As the files are encrypted, there is very little potential for deduping compared with more typical shadow copy use cases.

    3. Norman Nescio Silver badge

      Re: Antivirus tools are a useless box-ticking exercise says Google security chap

      Your list of proposals makes a lot of sense, but it is also worthwhile being aware that you will also need control over your own hardware. You mentioned hardware read/write switches on storage media, but the same would helpful on EEPROMs used to store firmware, and indeed control over the firmware itself. When the hardware you buy will only boot from a signed encrypted binary, with the key embedded in the silicon, to which you have no easy* access, then you have no control over the software that somebody else (who does know the encryption key) can have run by the hardware you bought.

      Your security is then dependent on the security of the keys managed by someone else - and it is likely that (possibly state-sponsored) hacker groups will get hold of them before you, at which point the hardware you have bought will trust malware more than any software you try and run on it. Which will be an interesting turn of events.

      *Reverse engineering keys from silicon is hard work, especially when obfuscation techniques are used by the manufacturer.

  10. Phil Koenig

    Trendy targets

    It's trendy to bash antivirus (especially when you have your own axe to grind), but it reminds me of all the dimwits who breezily proclaimed on January 1, 2000 that the Y2K computer problem was obviously a big hoax because the world didn't come to an end that day. (Conveniently forgetting that the world had spent decades and billions of dollars/pounds updating everything precisely so that would NOT happen.)

    Oftentimes when a security measure is this ubiquitous people in ivory towers who have enough advanced knowledge and skills that they don't personally need to rely upon such measures make dumb sweeping proclamations about everyone else.

    I haven't used A/V on most of my personal boxes for decades (except Android where eg the available web browsers are too unsophisticated to be capable of being configured securely and Google has a lousy track-record of letting malware/spyware into its appstore), but I would never dream of advising one of my clients to do the same.

  11. herman

    314/365

    Cars that catch fire almost every day actually.

  12. Version 1.0 Silver badge

    Real life testing

    I run a mail server and quarantine any attachments that I don't trust - most of the time these are obvious infection attempts but every now and then something comes along that seems to be worth a closer look - the first thing I do is load it on virustotal, a site that tests the submission against 50+ AV packages.

    Generally, if it's a new virus, only half a dozen scanners will detect it - and almost always the scanners that do flag it are not the big players.

    1. Phil Koenig

      Re: Real life testing

      And yanno what's funny about using VirusTotal to do your malware check?

      Google owns it. :D

      1. Anonymous Coward
        Anonymous Coward

        Re: Real life testing

        "Google owns it."

        I didn't know that, my spider senses told me there is value in the content of the uploaded "clean" submissions so the service probably pays for itself.

        I'm sure google would not be mining the data from non virus submissions any more than they would be mapping WiFi data with streetview!

  13. Avatar of They
    FAIL

    Pot.. Kettle?

    "....effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online."

    Like all those dodgy apps in the play store that are happily uploading and downloading viruses to anyone because Google don't care.

    Oh.. that's Malware... Ahhh I see... Got it. virus bad, malware different thing so good. Not Googles fault for helping ship the stuff.

    Until the world all has a working OS and well designed software, AV and anti malware is here to stay. And when Google lead the world in a perfect OS and set of software that isn't "Beta", I will listen. Until then sadly I will continue to make sure family and colleagues have an AV installed and don't stupidly click on links they don't need to.

    1. Pascal Monett Silver badge
      Trollface

      Re: Until the world all has a working OS and well designed software...

      I think there is malware out there that is particularly well designed, moreso than some "professional" products I have already used.

      1. Destroy All Monsters Silver badge

        Re: Until the world all has a working OS and well designed software...

        Self-managing teams of skilled people FTW!

        So different from downtrodden, report-filling office drones that can't even get the resources or time they need for the task.

  14. Anonymous Coward
    Anonymous Coward

    Finally agree with Googhoul on something...

    * The AV industry called itself out & said products only perform 50% of the time.

    * Wonder what assurance AV offered to the other 50%. Anyone ever seen stats?

  15. Anonymous Coward
    Anonymous Coward

    Dead-on! ... Blame The User Culture...

    ~ And judging by the indifference below, I don't see anything changing much.

    ~ As always, we're responsible for our own health whether medical or technical...

    http://www.theregister.co.uk/2016/11/16/experts_to_congress_you_must_act_on_iot_security_congress_encourage_industry_to_develop_best_practices_you_say/

  16. Jimmy.Reload

    Google chap hasn't used his grey matter before opening his mouth.

    For AV to detect it needs to know about something. Generic detection methods work some of the time, but malware authors are pretty smart and invest heavily in avoiding detection. So how do we get around this problem? We blacklist everything we don't trust. Nice, OK... Let's consider 2 issues:

    Mozilla wants to release version 5000 of their popular firefox browser

    1) Security product X hasn't yet whitelisted it. Perhaps it's only at an OS level, but security team at OS A don't think it's secure enough so won't white list it until something is changed. Product product launch is now delayed. Repeat for every single piece of software you use. Maybe they just blindly whitelist which brings me to issue 2.

    2) Software is whitelisted which shouldn't be. The 3 letter agencies all over the world are a prime example of software authors who could submit software for whitelisting, but what is that software, should it really be trusted? What if malware authors manage to get their malware whitelisted? It's not impossible and it already happens. Are governments in different countries going to agree on what should be whitelisted? The NSA want their secret spy app whitelisted, but then so do the Chinese, Iran and so on. Who's in charge of the whitelisting?

    It's easy to stand on the outside and say it's all rubbish, throw it away, but no one is offering any acceptable solutions to the problems. Blanket statements like "we should whitelist known software" aren't helping. And FYI - AV companies already whitelist most of the known good software anyway.

    Google chap in this instance can simply just do one.

    1. Charles 9

      Re: Google chap hasn't used his grey matter before opening his mouth.

      "It's easy to stand on the outside and say it's all rubbish, throw it away, but no one is offering any acceptable solutions to the problems."

      Because none exists. You can connect this problem to the First Contact Problem: an intractable problem in security which basically goes, "Without a known point of trust, there's no way to verify a new contact is legitimate. But to reach a known point of trust, you need to verify someone." Catch-22 for any situation where you have nothing in common, like downloading a new app from someone you've never met before.

      IOW, the only way to know is to open the door, by which point it's way too late if it's someone out to get you.

    2. Seajay#

      Re: Google chap hasn't used his grey matter before opening his mouth.

      National / International whitelists would have the problems you describe. But I don't think he was proposing that. He's a corporate IT guy talking to other corporate IT guys and in that environment, you certainly can whitelist.

  17. Alan Bourke

    'Everything should be whitelisted'

    i.e. everything must come from our monetised app store.

  18. Updraft102

    "Telling users not to click on phishing links and to download strange executables effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online."

    Right. Just like telling people not to run into other cars and telephone poles effectively shifts blame to the driver and away from car manufacturers who manufactured cars that are not safe enough to be used on the road.

    1. Charles 9

      But that's out on government-controlled roads. Computers are used in the privacy of one's home: whole different kettle of regulations. Put it this way. The only way you can control the Internet enough to stop this would be to take a Big Brother approach. Anything less and the jungle creeps back in.

  19. Dodgy Geezer Silver badge

    This has been said many times before...

    ...Advice on safe internet use is "horrible", he added. Telling users not to click on phishing links and to download strange executables effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online.

    "We are giving people systems that are not safe for the internet and we are blaming the user."...

    The misunderstanding here is that people expect 'security' to be 100%.

    It can't be. It's a continuous process. At any one time there are threats and defences appropriate to that period. AV scanners are actually still quite useful, but if they become less useful and people go for white-lists, then the black hats will attack white-list technology. If we go for physical defences then they will examine how to overcome these (usually by social engineering).

    There will ALWAYS be SOME level of risk attached to doing anything - or, indeed, not doing anything, and computing is no exception. Adequate security involves knowing something about what you have to protect, knowing something about the risks, and taking appropriate levels of precaution - which will almost always involve some defensive measures, some impact-minimising measures and some recovery measures.

    Trying to get people to realise this, rather than asking for the best product to provide total protection, is a major job for security professionals...

    1. Charles 9

      Re: This has been said many times before...

      They expect and demand 100% because nothing less will work. It's all or nothing because just ONE slip and it's Game Over.

      1. Destroy All Monsters Silver badge
        Mushroom

        Re: This has been said many times before...

        So personal computing is like doing tightrope walking?

        IT SHOULDN'T BE AND YOU SHOULD DEMAND THAT IT NOT BE!

  20. Big_Boomer Silver badge

    State of mind

    Security is a state of mind, but unfortunately most end users just don't think (State of mind = NULL) and can be conned/phished/bamboozled into doing whatever a good manipulator wants. On the other hand security is a royal PITA as needed access is often blocked.

    I understand it better than many as I ride motorcycles. To most people they are a death trap, and while I have had my fair share of accidents I feel that the trade off is worthwhile. Being stuck in a traffic jam for hours every day is boring and soul-destroying.

    So, reasonable security is the way to go but be aware that you will never be fully secure, even on an air-gapped PC. As for securing the mindless,..... <rotflmao>

  21. 0laf
    Thumb Up

    Great idea ruined by real life

    White listing is a fine idea, right up there with many many other fine ideas.

    But it falls down when you have to try to do it on a network that is really a 20yr old series of fudges and bodges running thousands of applications of all ages many bespoke weird kludges themselves.

    So you could still sort out those 10000 executables but your IT has been pared to the bone and can hardly managed to keep the business critical systems running. Then you need to put in and tune white-listing with managers that won't give any additional resource for that.

    Nice idea, ruined by reality

  22. Chris Evans

    Whitelists don't work.

    Well not as they are at present for most people. Some Schools I know adopt a whitelist approach, that just about works for pupils but I often hear teachers complaining it blocks x, y or z! In my work I often visit half dozen new sites each day many are small and I doubt would be on whitelists.

  23. adam payne

    Google please clean house before commenting on how AV is useless.

    Malware links through your ad servers, malware through the Play store etc.

  24. azaks

    in the real world....

    where does all of this stupid binary thinking come from?

    AV = bad, whitelisting = good...

    AV definitely has its uses protecting users from commodity malware. The only problem is people thinking it will protect them from ALL malware. Doesn't make it useless though.

    Whitelisting is a better approach, but unrealistic except in tightly regulated environments. Want to implement it in a large, diverse organization with finite support budget? - good luck with that.

    1. IT Poser
      Coat

      Re: where does all of this stupid binary thinking come from?

      Isn't it obvious?

      For anyone that actually works with a computer the logic is always in 1's and 0's. What more should be expected when security experts are trained from an early age to only think in black and white?

      Note: This is the primary reason why I am just a poser. Give me a proper analog system any day and I am happy.

      (The one with vacuum tubes in the pockets)

  25. Mahhn

    Modern AV

    Darren Bilby is talking out his ass 'cause his mouth knows betters.

    While white listing is okay. Locked/read only images are too, but that still doesn't prevent OS Exploits, updates to whitelisted software that enabling exploits, software that sends data out without you knowing it (Shanghai Adups, Superfish, and so on) that you think is okay.

    Anitivirus does much more that just definition matching these days.

    USB device blocking, advanced Firewall, Behavior analysis, Encryption, Web filtering, Application Privilege Control.

    Maybe he's just using AV from 1996 and doesn't know better....

    1. ecofeco Silver badge

      Re: Modern AV

      Glad to see I'm not the only one who sees this for the insanity it.

  26. James 36

    Optional

    is there a security bolt on that hasn't been compromised or shown to have vulns ?

    So the OS is insecure and the tools we add on to add security are also insecure.

    Governments pay for vulns to not be released as they are equiv to weapons in cyber warfare

    products are pushed out the door with security as an after thought, users/consumers don't understand, don't care until they are bleating about losing money or being blackmailed

    sounds like I need to change career to something with cybersec in the job title and ride the gravy train to retirement

    Richard Hollis "Dance band on the titanic" sums it up nicely, a summary of his points is below

    http://espirian.co.uk/digital-2016/#riskfactory

  27. Hans Neeson-Bumpsadese Silver badge

    Stats....

    I'd like to see a statistical comparison of amount of time/money saved by having AV software installed versus time/money lost to things like AV software admin, machines borked by dodgy AV updates, trying to get legitimate software to work after AV softwar ehas falsely declared it as unsafe, etc...

    1. ecofeco Silver badge

      Re: Stats....

      While I don't have national or international stats, I do have experience with some of the largest companies in the world, tops in the industry actually, and A/V works.

      I've also rescued and saved a few small business with AV.

      So while my experience may be anecdotal, it is anecdotal on a very large scale. Literally a few hundred thousand users and machine.

      AV works. To propose getting rid of it is fucking criminal insanity

  28. Kevin McMurtrie Silver badge
    Terminator

    Duopolies offer you a whitelist

    I wouldn't trust a whitelist from Google because their interest is purely profits. If the Play Store is Google's idea of a whitelist, it's already an epic failure. Most apps contain malware imported from 3rd party ad managers and cloud tools. Flagging an app as abusive doesn't seem to do anything. Apple's store is cleaner but any device locked into it is crippled by Apple blocking anything that competes with inferior Apple offerings.

    This will probably have to work like network blacklists. You subscribe to the ones you like and it's purely voluntary.

  29. Anonymous Coward
    Anonymous Coward

    System Administrators

    System Administrators who lack the skills to do their job and call their Server Hardware vendor to ask config questions, leave security holes big enough to drive a truck through.

    1. tfewster
      Facepalm

      Re: System Administrators

      System Administrators who lack the skills to do their job and DON'T call their Server Hardware vendor to ask config questions, leave security holes big enough to drive a truck through.

      FTFY. The ones smart enough to ask questions are on their way to learning & achieving a secure environment

      1. Charles 9

        Re: System Administrators

        Unless the hardware vendor doesn't know what they're talking about, either (what the OP was implying), in which case you're BOTH right, and you're screwed either way.

  30. Gis Bun

    AV may or may not be a scam. But maybe this guy should concentrate on cleaning up the Android OS before whining.

  31. ecofeco Silver badge

    Are you effing kidding?!

    Sorry, but this guy is a moron and so is anyone who agrees with him, like many of comments here.

    Besides being irresponsible advice, it is borderline criminal and I will not play nice regarding this incredibly fucking stupid idea.

    Anti virus works. If yours isn't working, you're doing it wrong or using the wrong product.

    Don't use anti virus? You have lost your goddamn fucking mind so fuck right off.

    1. Pompous Git Silver badge

      Re: Are you effing kidding?!

      Don't use anti virus? You have lost your goddamn fucking mind so fuck right off.....

      AV works. To propose getting rid of it is fucking criminal insanity

      It is possible to run a computer safely without AV. I have been told, and am willing to stand corrected, that there is no need for AV on Linux. Dunno how my Win7 VM is going to be infected when it's not connected to any network.

      FWIW, I have been infected by virus exactly twice. First time was the original Word macro virus that came home from The Gitling's primary school on a floppy disk nearly 30 years ago. Second time was when he held his first (and last) LAN party when he was in secondary school. Neither virus was detected by the AV software running at the time.

  32. Swiss Anton

    Catch 22

    You're an honest to good start-up but you're not on the list. How are you supposed to get on the list when you're constantly being blocked (for no good reason). Seems to be a classic Catch 22 situation to me. Would Google be where they are now if there had been extensive use of whitelists when they burst onto the scene. Could this really be an underhanded attempt by Google to stifle future competitors?

  33. steve 124

    Nonsense I tell you, nonsense...

    Ok, I only read down about 1/3 of the comments (it's getting heated up in this one) but why all the AV hate? I don't know how many of you are actually security guys (I'm the HIPAA security officer for my organization and have been in IT longer than viruses have), but do any of you remember the late 90s? When viruses ran wild and nary a thing you could do about it? Because, I do.

    Sasser and Blaster and Donner and Blitzen...

    So, I've ran the gambit over the years and have to say that the big names, Symantec, Norton, McAfee and even nowadays ESET... complete rubbish. I found Webroot about 5 years ago and THAT is a good AV product. It's not bloated, it's fast and it catches everything my users try to infect. So I don't know about the Bilby angle here (maybe Google is about to roll out Google White Lists (GWL) or something) but it sounds like most of you guys have been using the wrong A/V.

    We have around 350 endpoints over 11 geographical locations and I've had to re-image no computers in the past 3 years. I monitor our network closely (we even use Wireshark) and have no leaks. I'm not saying my network is invincible but I'm saying with the right AV, perimeter security, IDS and some good old fashion user education, you can sure do a decent job of the old "best effort" protection model.

    Anyways, hope this helps some of you admins commenting.

    I just don't get the point in trying to tell the industry AV is dead... Viruses sure aren't and I don't have time to Whitelist every application being used on our network (maybe you guys aren't as busy as me, don't know).

    1. Charles 9

      Re: Nonsense I tell you, nonsense...

      Virii are getting too smart for AV to deal with them. We're talking Captain Trips levels, where each copy changes itself to avoid detection, so no two infections are alike, so there's no common point for the AV to analyze. You need defense, yes, but a different kind of defense than signature matching. Port locking, intrusion detection, etc. are usually NOT what's considered to be Anti-Virus but rather collected into the more-generic term "cybersecurity software".

  34. hmas

    Box ticking exercise

    Exactly as the man says. So, choose a product that involves the least administration effort, has the smallest overhead and pay as little as possible and focus your efforts on proper security, like, behavioural analytics.

  35. Sarev

    Whitelist == censorship == dictatorship

    Why is it when I read this article, all I hear is Google saying "all your programs need to be authorised by us"? Then, later they will be saying, "oh, and by the way, we need a cut of your revenue".

  36. Cloud Sleuth

    What do google know about security??

    What do google know about security? Not much in the world of corporate IT outside SaaS based apps by the looks of it. Incredibly short sighted IMO, but I understand where they are coming from. AV is a legacy security technique but needed in the stack of other components to protect both enterprise IT and future cloud IT.

    App white listing I agree is a good approach but it doesn't fit all scenarios when BYOD or allowing users the ability to have some freedom. AV vendors have a place but its not what they focus on these days, AV is an integral part of control for 70-80% of known threats but machine based learning techniques and signatureless based techniques are becoming important in controlling APTs and targeted attacks. An endpoint with a security agent is the most important sensor in any enterprise. Couple the endpoint sensor with network, edge, IPS, web, and SIEM you have a pretty tight yet flexible security posture that allows the business to grow whilst giving availability. My 2p

  37. Captain DaFt

    Back in my Windows days

    I always used anti-virus (mostly Clam) malware guard, and Startup Guard.

    If the AV didn't catch something, the malware guard usually would.

    if all else failed, SG would usually stop it from running.

    The one time I was pwned and had to install and restore from scratch?

    My sister sent me a CD of Trappist hymns she thought I'd like.

    Put it in, hit play, system collapsed like a house of cards.

    Seems the CD had a rootkit on it... Thanks Sony! >:P

  38. Anonymous Coward
    Anonymous Coward

    Should be easy enough to get data...but would they publish?

    In road traffic analysis there is a metric called accidents per million miles traveled. Let's see what the equivalent is for AV. Virus intercepts per million hours say?

    Pretty sure that all the AV vendors have this data since they all phone home to the mother ship when a virus is detected. I posit that the number of intercepts per million hours is very low. I imagine Reg readers exhibit better PC hygiene than most so we probably have an anecdotal feeling that this is true, but data would be really interesting. It might also sink their business.

  39. HRThomann

    No security without security management

    Security requires security management. That's a pain and a cost. Therefore it's usually avoided. E.g. before installing a software the signature of the manufacturer is verified. But too often the certificate is expired, or does not match the manufacturer's name's exact spelling. Other example: Internet protocols and operating systems have lots of security options. But they are usually turned down to minimum. Still most websites use http only. Those using https have server certificates that are not really securely managed by the certificate authorities.

    What CA's are doing is an example of whitelisting. Whitelisting is a need, but only effective if done thoroughly, and that's a pain!

    1. Charles 9

      Re: No security without security management

      So you're basically saying the average user is incapable of keeping his/her computer secure because the needed effort is too much for people in pursuit of turnkey solutions?

  40. Anonymous Coward
    Anonymous Coward

    Kaspersky - More invasive the the problem it's trying to solve.

    The amount of wasted time from Kaspersky here in our organisation, is more than the problem it's trying to fix.

    It didn't help than some drongo in our IT department turned on heuristics, where most of our problems (but not all) are originating from.

  41. GrapeBunch

    There needs to be a secure protocol for what we now do with email, including checking origins. Gov'ts don't like this because it means that communications will be private.

    I had a funny thought about whitelist implementation. Instead of on/off, your security software will give you a probabilistic choice. For example, say you want to install Microsoft Word (which comes with the old-fashioned baggage of Word macro viruses, ETC.). Instead of saying "No", the security software would say "Pay me $5" (which might be the average cost of defending the vulnerabilities). This is not just "funny", but it might have good effects on app writers to reduce or eliminate the vulns in their opera. "That's not a $5 bill, it's just a jpeg of a mall statue!"

    Finally, would a setup much like Virtual computing improve security for computers that access the internet? You have a nice powerful computer, but you expose to the world only a known good configuration, a sandbox if you like. During coffee break, the system compares with the known good configuration, shuttles away anything that's been changed, restores the known good configuration, and after automated examination of the shuttled stuff, makes available the non-executable portions, maybe not at the same terminal. The known good configuration and the software which manages the sessions would be in "ROM", perhaps even literally. Loss of the "cache" would be annoying, but might improve work habits. Readers who are old enough or who travel may remember there was such a thing as an "Internet Cafe", which evolved to use a similar schema between customers. In my own town we have Internet at the Library, run on a similar basis. Too crude, too obvious, too cold? For most of the people I help, the ability "seamlessly" to go back to a known good configuration would solve most of their computer problems. Yesterday, one of them was typing a reply in gmail and apparently in trying to type the character "+" (which is Shift-+=) her finger slipped and she accidentally typed Ctrl-Shift-+=, which is a command to gmail to increase the font size. gmail is mostly OK with vertical scrolling, but not so good with horizontal scrolling and the interface soon became impossible because she couldn't read what she was typing. It required a house call. OK, maybe turning off gmail keyboard shortcuts would solve this particular problem. And maybe being able to go back to a known good config would not help in this case because the font size is stored in google's cloud rather than on the user computer. But you get the drift.

    1. Charles 9

      To do what you want would require a stateful Internet, where no endpoint can work in anonymity. Hello, Big Brother.

      As for virtual computing, it's just waiting for a hypervisor (Red Pill) attack to break that veil of security.

  42. Infernoz Bronze badge
    Facepalm

    Windows is insecure because it doesn't have a lean Micro Kernel

    Having a bloated macro kernel with loads of legacy cruft like in Windows is a major reason why it is so hard to make and keep secure.

    The Android model looked promising initially, but is seriously compromised by Google conflicts of interests, sloppy coarse permissions, lack of roles and lack of user choice/limits on permissions. Microsoft has also further compromised the security of Windows leading up to and in Windows 10 with it's own conflicts of interest!

    1. Anonymous Coward
      Anonymous Coward

      Re: Windows is insecure because it doesn't have a lean Micro Kernel

      Problem is users demand performance, and that's one thing you CAN'T expect from a microkernel because EVERYTHING has to go through context switching and so on, causing performance penalties. Put it this way. High-performance 3D graphics and/or low-latency networking have deadlines in the nanosecond range. And the speed of electricity is pretty much a hard limit, so you need to be able to get things done as quickly as possible, and at those speeds, you pretty much have to get close to the metal. Guess what microkernels typically don't allow for security reasons?

      PS. And that's why Windows isn't a microkernel. In the early days of NT, graphics performance chugged, and clients weren't willing to go along until graphics drivers were moved into the kernel to cut on the context switching. Same with networking.

      PSS. A real-world analogy. A port can be secure enough with the gate closed, but when you have trucks rushing in and out all day long, you pretty much can't keep opening and closing the gate for each truck; movement would slow to a crawl. So you have a problem: security and throughput are directly at odds; same here.

  43. shovelDriver

    The Other Side Of The . . .

    A flip of the coin; either the Goog is right in saying no one ever needs anti-virus, or - just maybe - the Goog is trying to psych us into lowering our defenses so even more info-and-financial data can be collected at lesser cost.

  44. TimChuma

    Use a combination of tools

    Anti-malware and anti-virus tools work best together.

    I have used Malwarebytes to rid someone else's computer of ransomware and it still blocks sites better than Chrome.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like