Re: The reality is all too real @Danny 14 @RICHTO
Oh, and if you want some actual per OS exploit counts, try
(similar aged 'mature' server products)
A study released in December by US security outfit Imperva has tipped a bucket on the multi-billion-dollar anti-virus industry, claiming that initial detection rates are as low as five percent, and concluding that enterprise and consumer anti-virus spend “is not proportional to its effectiveness”. Working in conjunction with …
It's about time OS defence techniques were tightly integrated into the OS.
Hard to resist the idiocy of the comments here.
1) Viruses for Linux are fewer in number because Linux users are fewer in number; where's the incentive?
2) Tightly integrating malware protection into the OS is something MS are trying to do but there is massive resistance from the software devs. A trusted platform methodology would never fly with the FOSS brigade because they want to run what they want when they want with no protection.
> Hard to resist the idiocy of the comments here.
Well, thank you for really adding to it.
Yeah, because the FOSS brigade are exactly who dictate the direction of Microsoft's security policy...
I've misappropriated the Sherlock icon, as I'll have some of what you're smoking, cheers.
"2) Tightly integrating malware protection into the OS is something MS are trying to do but there is massive resistance from the software devs"
No, it's not the software devs and certainly not the FOSS lunatic fringe. It's the core userbase, who are used to having it easy (at the expense of security). MS made a botched attempt at locking down root with Vista's invasive UAC, and finally got it right in Windows 7's more subtle UAC. Remember, this is a feature that *nix users take for granted, not running with superuser rights without specific necessity to do so. But suddenly it's an annoyance that Windows users, installing from day 1 with Administrator accounts, never had to get used to. It's as much in the end-users' resistance to change as anything else. I'm by no means a Microsoft fanboi, but you can't say they aren't at least trying, and it isn't all their fault.
Additionally, I do use Microsoft Security Essentials on many of my Windows machines - it's lightweight, relatively effective, and does pretty well when partnered with a competent hardware firewall. However, although I agree with other posters that making security more an integral part of the OS is an essential goal, how many anti-trust suits do you think the AV market and the anti-MS brigade will bring if Microsoft started bundling their AV solution with their OS? It would be the IE browser wars all over again, but this time in a bad way. Choice is fine, but not at the expense of security.
"...how many anti-trust suits do you think the AV market and the anti-MS brigade will bring if Microsoft started bundling their AV solution with their OS?"
Don't tell anyone else, but they're doing this already and so far no one is kicking up a fuss. Windows 8 has a new version of Windows Defender that includes the functionality from MSE.
On internet facing servers, the number of Linux machines is around the same or a bit higher than the number of Windows machines. If you are a botnet operator, those sorts of machines are much more valuable than desktops.
Since when does Linux not let externally sourced code execute? I have no problems running downloaded binaries on a Linux box.
Actually, in terms of identifying downloaded files and the application security model such as app signing and AppLocker, Windows is a long way ahead of the Linux model.
Remote exploits are actually more common on Linux than Windows - you have a higher number of critical vulnerabilities that take on average longer to be patched (more days at risk).
Linux is far less safe than Windows as a webserver - the hacking figures prove it: http://www.zone-h.org/news/id/4737
There have been plenty of worms that exploit the 'most of the web' that runs on Linux.
"Since when does linux not let externally sourced code execute"
Let's see - browse to a page with link to a Linux executable - click on link - need to download then make executable and then run
Let's try a shell script link -oh, it still doesn't let it run automatically.
Mind you, your browser may be set up in a less secure manner.
Why do I start to get the impression that your Linux opinion is based on a serious lack of expertise? You can bork any OS if you're incompetent and don't patch properly.
Just look at the Linux based website exploit statistics above. It's 3-4 times as great as Windows based servers even allowing for market share. And those are all systems where the exploit is unlikely to be due to user interaction (i.e. the exploit used must have been a true remote exploit).
And if you look at the security vulnerabilities for commercial Linux distributions (even when package adjusted to match Windows Server) they have much higher vulnerability counts than Windows. I suspect that these two facts are not unrelated. (Microsoft OSs have had fewer vulnerabilities than the major commercial Linux distributions every year since 2003 - which is a year after Bill Gates set security as the #1 priority.)
IMO there are likely just as many set-it-and-forget-it Windows users as Linux users - if not more - so whilst agreeing that you can bork any OS, I don't see the point you are making. Or are you claiming Linux is less secure than Windows by default and expert knowledge is required to make it not so?
I have a good basic knowledge of Linux and can certainly use it, but if I had to take the risk of deploying Linux in an internet facing environment, I would get a reduced feature set build deployed, have it locked down by an expert admin and make sure it was protected by an IDS and use Tripwire, etc. I make it a priority to retire such systems where possible on the basis that they are far more likely to be attacked and compromised, all other things being equal.
...it's hardly surprising that AV publishers want to sow a little FUD around the place from time to time.
The balance lies in knowing what's a real threat and what's just smoke and mirrors. I suspect most El Registas know the difference and can make up their own minds about the right course of action for themselves.
The real problem arises when Joe Public/Auntie Myrtle/Your brother-in-law clicks on a dodgy web page or opens the You've-won-a-squillion-dollars email and wonders why their PC has turned into an IT version of Typhoid Mary.
The AV industry probably protects at least some of them from themselves. The rest are a profit centre for home visit, fix-your-PC types.
occasional use of Silent Runners (Windows) and Root Kit Detection etc to check the education.
Almost all infections in my experience of cleaning others' messes are self inflicted. Mindless opening of mindless attachments or stupid installs. Mindless clicking on "OK".
That's not always the case though, which is why it winds me up when people say "just don't visit dodgy websites'. Non-dodgy websites can still be compromised, for example Lenovo's website has infected visitors with trojans in the past, a couple of days ago it was the Council on Foreign Relations, I've even seen a live ebay listing in the motors and vehicles section compromised by overlaying on top of the original listing.
I know a lot of people don't help themselves, but others shouldn't be under any illusions that they're above it all just because they don't open email attachments or visit 'dodgy' sites (whichever ones they are).
Not all are self inflicted, but when you see a user with 3 or more toolbars on IE there is a good chance that running Malwarebytes will find something nasty as well.
That's apart from IE?
It doesn't help anyone that some corporate applications depend on notoriously old and insecure versions of IE.
Thing is, a single defence method is never going to be reliable. Avoiding the dodgy sites doesn't avoid infected sites. An AV scanner will never detect everything. There are ways to subvert firewalls. No OS is free of exploitable bugs, even if it is designed to be secure. But using several of these techniques makes it much harder for the virus/malware writer.
So the average Registard may not be as safe as he thinks. And the UI of Windows 7 does rather tend to encourage people to click on "OK", because you get the same dire warning for so many different things. I have not used a modern Mac, but I would be unsurprised if it had the same problem. My AV software does go for a spectacularly different pop-up warning box. Multiple layers of defence, again.
Remember, moats don't stop alligators.
Poisoned adverts have appeared on many "normal" sites before now. Granted, these tend to use "less than zero day exploits" or toolkits, so should be detected with AV.
So-called cure is *literally* worse than the disease.
MS-SE seems tolerable.
I'll stick with using an AV suite, ta very much. I've used unprotected machines, admittedly back in the dark days of XP / IE6 so maybe things have moved on, but they were riddled with viri very quickly. (I use viri as a generic term for viruses, worms, trojans, adware, spyware, whatever else the latest term du jour is.)
I use Eset Small Business Security, cost something like £15-20 per machine per year, which seems a worthwhile investment and I've never had a virus slip past it. Maybe I'm lucky, maybe I'm not the target of this report, but for the money it costs me I'll stick with it.
In English, it translates more properly to "viruses".
The correct term for what you describe as "viri" is "malware", short for "malevolent software".
So, what they're really talking about is the so-called Heuristic scanning that's supposed to nip infection in the bud, and the responsiveness of the vendors to update signatures when a virus is found. Everything else works pretty well by the sound of it...
Given some of the problems we've seen with rogue scanner updates trashing legitimate OS components, I'd rather they took a little time to do the testing to make sure it's not going to brick my OS. I try to be careful in what and where I visit, so I hope there's not too large a window of opportunity.
As for the heuristic rubbish, did anyone really believe that worked in anything but the simplest cases?
If you're going to get a virus infection then it's most likely to be one of the more common viruses. Therefore any anti-virus program is going to be reasonably effective on average in terms of protecting you. Any brand new virus can take time for AV software to receive an update to detect and resolve the infection; there will always be casualties to begin with, much like any human viral outbreak. Sad but true.
I have used AVG Free for well over a decade on many personal PCs and it's been fantastic, and certainly lets machines run smoother than the more bloaty and costly products. I pay for AVG for use on servers and it's very cheap so the value is excellent. (No infections in 6 years)
In my view enterprises should spend less on AV licences and more on implementing and policing better IT security policies for staff. Most infections are down to the ignorance or risk taking of staff - which can be avoided if staff were better trained on the subject and IT was better policed (physical and network). That sounds a bit draconian, but what do you expect if staff bring in files on a USB stick to print off on the office printer, or download executable files at work, or open emails that most of us would find suspicious, or access Facebook (clicking on links), etc.? This stuff should be done on computers at home or personal smartphones.
When I was younger I hated these sort of rules and I was a risk taker. But 15 years on I'm more experienced and have bigger responsibilities, so this "draconian" approach helps safeguard the business, jobs and reputation. Damn, I sound like my old boss. I'll be wearing the same sort of clothes as my dad soon too, probably.
In an enterprise, you need more than just 'Free AV' - you need to be sure that your devices have up to date AV software and definitions - and you need to be able to report on exceptions. You also need central control of AV policies and exceptions. If there is a free product that does this well, then I haven't found it yet.
Also many vendor enterprise AV solutions are part of a suite that includes full endpoint control (e.g. access control to CDs, USB, etc, and control of encryption on portable media, configurable IPS and firewall, etc, etc.)
Indeed. Lockdown of installation rights to stop drive-by installers (rather than injection) also helps. Central web filtering to minimise exposure to known naughty websites, etc. Fairly common sense stuff for enterprise.
... the study revealed that virus writers** improve their chance of evading detection by keeping a low profile."
**Also works for spies, tax evaders, love cheats, burglars, Santa, stealth bombers, the Higgs boson, etc, etc, etc.
The DotBO is sponsoring some cracking studies lately...
Full disclosure: I sell anti-virus software and do a little research on viruses and related security areas.
I was surprised at the small sample set Imperva used - just 82 samples, collected from honeypots, Google and hacker forums. Can this really reflect on effectiveness against the millions of malware samples known to exist?
In comparison, AV-Test uses two test sets in its Protection tests:
* All malicious files they discovered in the last 6 - 8 weeks: around 100,000 – 150,000 files.
* Extremely widespread malicious files they discovered in the last 6 – 8 weeks: around 2,000 – 2,500 files.
Looking at the full study, there is another surprise - Imperva do not do their own testing, they threw the samples at VirusTotal. VirusTotal is a useful website, but they are quite explicit that it is unsuitable for product testing. Imperva takes the short form of VirusTotal's advice, "not designed as a tool to perform antivirus comparative analyses", and counter it in their 'Limitations' section saying that they are not doing a comparison. They ignore the longer advice, that details why VirusTotal is unsuitable for both comparative and effectiveness testing.
Anti-virus testing is notoriously difficult, and competent researchers put a lot of work into making sure they use methodologies that will produce relevant, reliable results. Did Imperva?
Excellent points, Alan! (Hi there, BTW. Long time, no see. Yes, I'm still alive.) Here are a few more:
1) If Imperva are selling a security product, then it is highly unethical for them to test (or even comment on the quality of) other people's security products. They are obviously biased. As the following points demonstrate, they are incompetent, as well.
2) They don't seem to distinguish between viruses and malware in general. Most of what they have used in the tests were not viruses but various kinds of Trojans. Trojans don't "spread"; only viruses are able to replicate themselves. It is because of this lack of self-replication that the spread is low and the AV vendors haven't got samples or got around to implementing detection of them. With thousands of new malware variants appearing every day, the AV vendors are forced to concentrate on handling the more widespread threats first.
3) They don't seem to understand how AV works. There are two main kinds of AV solutions - malware-specific ones and generic ones. The malware-specific ones (commonly known as "scanners") is what most people think of when they talk about AV products. As their name suggests, such products detect KNOWN malware - known to their producers, that is. If it is not known to them, they won't detect it. Revealing the "troubling" fact that such products are not very good at detecting unknown malware is like saying that a screwdriver isn't a very efficient tool for nailing nails. It's true, but it is a completely pointless statement and only reveals the incompetence of the person saying it.
The generic AV products (of which there are various kinds - heuristic analyzers, behavior blockers, integrity checkers, etc.) try to detect malware not known to them by using some generic knowledge about its structure or behavior (like "if an executable file tries to modify another executable file, this is suspicious" or "if a set of executable files have one and the same code at the end and this code receives control when the file is executed, then they might be infected"). Unfortunately, it is mathematically provable that it is impossible to detect all possible viruses without causing false positives. (The proof is constructive - i.e., if you claim to have an algorithm that does it, the proof shows how to construct a virus for which the algorithm will fail.) In the above examples, the "executable modifying other executables" could be a compiler or a linker, and the files having common executable code at the end might be compressed and executing the decompressor at runtime. So, most AV products of the generic kind try to strike some kind of balance between detection and false positives.
Most AV packages nowadays try to combine products of both kinds. However, VirusTotal uses only the known-malware scanner part of them. Testing it with unknown malware is simply wrong.
Finally, even if Imperva's claim were true (which, I contend, it is not), would you rather use something that gives you a 5% chance of protection or nothing at all?
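The "same code at the end that receives control" heuristic from the post above, and its false positive on packed files, as an added example in Python that is not from the original thread. The toy executable format, the sample programs, the virus body and the packer stub are all constructed for the example.

```python
"""Toy model of the 'common trailing code that receives control' heuristic.

Constructed toy executable format (not a real file format):
  bytes 0..3  magic b'TOYX'
  bytes 4..7  entry point offset, big-endian uint32
  bytes 8..   code and data
"""
import struct
from collections import defaultdict

MAGIC = b"TOYX"
HEADER_LEN = 8


def build(body: bytes, entry: int) -> bytes:
    """Assemble a toy executable with the given body and entry offset."""
    return MAGIC + struct.pack(">I", entry) + body


def entry_point(image: bytes) -> int:
    if image[:4] != MAGIC:
        raise ValueError("not a toy executable")
    return struct.unpack(">I", image[4:8])[0]


def infect(host: bytes, payload: bytes) -> bytes:
    """Classic appending infector: add the viral code at the end and point
    the entry at it, so the virus runs before the original program."""
    body = host[HEADER_LEN:]
    return build(body + payload, HEADER_LEN + len(body))


def pack(program: bytes, stub: bytes) -> bytes:
    """Runtime packer: store the body transformed (reversed stands in for
    compressed) and append a stub that runs first to restore it."""
    body = program[HEADER_LEN:]
    packed = body[::-1]
    return build(packed + stub, HEADER_LEN + len(packed))


def suspicious_groups(images: dict, ignore=frozenset()) -> dict:
    """Group files whose entry point has been moved off the normal start and
    whose code from the entry point to the end is identical. Two or more such
    files sharing one tail is the heuristic's 'might be infected' verdict.
    `ignore` holds tails the analyst has accepted as benign (known packers),
    which is how a product trades detection for fewer false positives."""
    groups = defaultdict(list)
    for name, image in images.items():
        entry = entry_point(image)
        if entry == HEADER_LEN:
            continue  # control starts where it normally does: nothing appended took over
        tail = image[entry:]
        if tail not in ignore:
            groups[tail].append(name)
    return {tail: sorted(names) for tail, names in groups.items() if len(names) >= 2}


def flagged(images: dict, ignore=frozenset()) -> set:
    """Names of all files the heuristic would report."""
    return {n for names in suspicious_groups(images, ignore).values() for n in names}


# Constructed sample set: three clean programs, two infected copies, two packed copies.
CLEAN = {
    "editor": build(b"\x90" * 40 + b"EDITOR CODE", HEADER_LEN),
    "calc": build(b"\xcc" * 30 + b"CALC CODE", HEADER_LEN),
    "shell": build(b"SHELL CODE" + b"\x00" * 20, HEADER_LEN),
}
VIRUS_BODY = b"\xeb\xfe VIRUS: locate next host, append self, jump back "
PACKER_STUB = b"\x55\x89\xe5 STUB: decompress body in place, jump to it "

SAMPLES = dict(CLEAN)
SAMPLES["editor_infected"] = infect(CLEAN["editor"], VIRUS_BODY)
SAMPLES["calc_infected"] = infect(CLEAN["calc"], VIRUS_BODY)
SAMPLES["editor_packed"] = pack(CLEAN["editor"], PACKER_STUB)
SAMPLES["shell_packed"] = pack(CLEAN["shell"], PACKER_STUB)

if __name__ == "__main__":
    # Both the infected pair and the packed pair trip the rule: the packed
    # pair is the false positive the post describes. Accepting the known
    # stub removes it, at the cost of missing a virus that reused that stub.
    print("flagged, no tuning:", sorted(flagged(SAMPLES)))
    print("flagged, known packer accepted:", sorted(flagged(SAMPLES, {PACKER_STUB})))
```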
Yes, a strict AV product is not going to work against a zero-day virus attack, because there is no signature. However, most AV products now have embedded features like heuristics to help steer you away from phishing sites and identify processes that are trying to perform suspicious changes or unauthorized traffic within your system.
Chucking AV (which protects you from known-viruses/worms/etc.) is pretty irresponsible, considering the "installed base" of malware that can infect your systems. And AV firms do make a major investment in honey-pot and sensor-based detection networks to make sure that unknown malware doesn't stay unknown for very long.
And who wants to put their job on the line by going in front of company management and saying "Yeah, really sorry about the worm that infected our storage, but Imperva notified me that we didn't need to spend on AV anymore".
"And who wants to put their job on the line by going in front of company management and saying "Yeah, really sorry about the worm that infected our storage, but Imperva notified me that we didn't need to spend on AV anymore"."
In 1988, the Morris Worm affected the Sun3 systems at work. It did NOT affect my personal DEC system under Bryant Street in Palo Alto. Why not? Because I didn't really trust remotely available software being made available to all and sundry, and had all that stuff turned off on the internet-facing gear. In modern terminology, I was using the DEC kit as an early version of what we now would call a "stateful firewall" (behind it was an AT&T PC7300 "UNIX PC", running the actual server code).
I had warned my company of the potential vulnerability. TCP/IP wasn't perfect, was still a research platform, and those of us in the trenches knew it (the same applies today, BTW!). I got to say "I told you so!" to the Board. It was fun to see the red faces of the VPs, & watch 'em wriggle ... the big grins from my Boss (the Senior Member of the Technical Staff), and from the CEO (who was the tech who started the company) were just gravy ...
I got a largish raise and larger packet of stock options for proving to management that I really did know what I was doing, a good reputation in my chosen field ... and was allowed to keep the pilot-build Dual-Pedestal Sun 3/470 "Pegasus" that I was testing, complete with source, from a grateful Sun Microsystems for cleaning up their Internet facing gear.
The Sun replaced the DEC kit under Bryant Street two years later. She's still there, happily supervising the friends&family private network in what is probably the world's oldest colo :-)
Uh, no, AC. The Morris Worm exploited holes in the network code itself. It had no need of 1d10t wetware to assist in propagation.
Oh my god. This is probably the most stupid thing I've ever read, I mean seriously? Did a Microsoft employee run over your cat or something?
First off - there is only one way to completely secure your system, and that's unplug it from your network and never install anything on it.
Second - greed is a motivator. The larger audience share a system has, the more appealing it is as a target, and the more effort will be put into finding an exploit to work round whatever security it has. I'll agree that Windows has lousy security, but the fact remains it has the lion's share of the desktop market, and thus is the biggest target. Same with Android in the mobile market.
The attitude of "I don't use Windows, therefore I'm okay" is like a child sitting in a corner with their eyes shut, their ears covered and screaming "I don't wanna!" Personally, I'd like to see non-Windows systems starting to get a bigger slice of the desktop action, but it's obvious that if this happens, they are going to be targeted.
And for the record, the only machine I've ever had a virus on was my Atari ST, circa 1992, spread by bootsector from a dodgy PD disk. A sense of caution about what I install/download/open and maintaining AV software has yet to let me down on my Windows box.
A company that sells non-"anti-virus" computer security kit performs a study that concludes "anti-virus" products are rubbish.
So, so shocking.
I think it's a bit like driving: act reckless for long enough and you will crash, it's just a matter of time. With that said being as careful as you like doesn't mean you won't crash.
Also, I thought a fair few of these guys now do this 'keep you safe while shopping or banking' lark as well as firewalling, anti-spam etc. Do we know how good any of that stuff is? I see the AV side get talked and bashed and all that but I rarely see those bits mentioned.
And why the hell am I posting comments at 2am...
It's designed to mitigate the unknowns by forcing all apps (or those that you choose) to run with DEP/ASLR and SEHOP. It acts as an extra defence along side your current AV.
Anything nasty or unknown just gets stopped dead in its tracks and you get informed as to why.
Been using it with MSE for several months now and I install it on all new machines I rollout with the 'All' apps profile (stored in the EMET file in Program Files) at maximum settings. I then add in any other .EXE files that may go near the web.
'Bankers also don't push pencils through screens "just to see what would happen".'
Of course, they are too busy crashing the economy and see who'll pick up the pieces.
"Tightly integrating malware protection into the OS is something MS are trying to do"
I read that as "Tightly integrating malware into the OS", which is something MS has been doing since forever.
Oh, that's right Sophos probably don't qualify because they now do 'Endpoint Security' rather than 'Anti Virus' products.
Why do we still try to blacklist?
Surely we can use some distributed system (DNSSEC maybe) to allow for companies (large and small) to distribute md5 checksums for "approved" releases.
@ John Beat me to it... ;-)
Black list and Heuristic Algorithms are great for catching stuff you already know about and they will catch what they know and a few things they shouldn't based on the patterns that have already been established. As a pen tester I can say none of the exploits I have used (ahem only with signed authorization or on my own boxes that is..) have ever tripped off an AV client, there are plenty of repackagers that are way too easy to use out there not to mention toolkits like SET that will do it for you from a menu option.
It doesn't mean they are worthless or you can safely surf naked (e.g. running with no AV/firewall); it just is what it is, a filter to catch known bad stuff. Think of it as getting a flu shot: it works against the bugs you predict you'll be exposed to but not everything that makes you sick.
White listing is a great solution, and I personally think it IS the best one, basically it only allows you to run what the system admins have "pre-blessed" is ok to run on your system. It works, it works very well when implemented properly....
Which is the problem. Most companies who sell white listing applications out there do not tell you the effort involved in maintaining that white-list. One security researcher I know once commented that a corporation will need to hire 4 times the number of staff needed to run a proper AV and patch management implementation in the same environment. I mention patch management since that now has to be tied into the process: the patches themselves need to pass through the white-listing process as well, which can add delays in implementing patches, which may cause friction for management who have been pushing for ever shortening patch cycles. Of course, white listing actually prevents the risks driving these demands in the first place, and that typically comes up in the discussion.
The other issue I see most commonly is delays or frustration due to over-complex white listing processes for new applications can cause users to rebel against corporate systems and you will see a surge in BYOD (Bring Your Own Device) or copying data to portable storage to use on personal laptops outside of the company's control. USB sticks get lost, personal laptops get hacked or stolen, it can be a nightmare if you do not have controls in place to enforce policies against it.
When all's said and done, a properly funded, managed, and implemented white-listing program offers the best defense against all exploits. Sadly, it's just too damn expensive for most organizations to do properly. :-(
Hence my comment about vendor provision of md5 via something like dnssec.
Most people would trust MS not to be virus (jokes aside), so they would simply sign/hash their patches/versions and provide the requisite authentication via dnssec-alike...
Smaller organisations need to sign fewer releases, that's OK.
Then you start explicitly trusting organisations, not testing all software you run. Revocation would be important.
Thought would be needed for offline devices (although they are typically easier to secure via "normal" means...)
Well done. You just re-invented code signing.
I wouldn't bother trying to patent it, though.
@AC - Actually no, it's not code signing, it's basically hash enforcement at the OS level - if the app and hash you have stored on the PC when you try to save/execute doesn't match the version on the white-list on the server, it is blocked. It's been a feature of Windows Server for years, as well as several 3rd party tools.
This goes well beyond malware protection to address what users can and cannot load on their systems. If your group doesn't have permission to, say, run Firefox, you cannot install or run it, period; whether it's a "trusted" source and code signed or not doesn't make a difference. If it's not on the list it's not going to run on your PC, period.
I stand by my comments before: it's highly effective when done right, but it can take a lot more effort and money to implement properly than AV and IPS devices like Imperva.
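The hash-enforcement white-list described in the exchange above (approved release hashes, per-group permissions, blocking of anything not listed, and revocation), as an added example in Python that is not from the original thread and not any vendor's product. The list format, publisher names, groups and "binaries" are constructed; the patch case shows why patch management has to feed the list, as the earlier comment notes.

```python
"""Hash-enforcement allowlist: a program runs only if its hash is on the
list of approved releases and the requesting user's group is permitted.
Constructed example: formats, labels, groups and file contents are made up."""
import hashlib
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    # SHA-256 rather than the MD5 the thread mentions: MD5 is collision-prone,
    # so two differing files could share a digest and one approval would cover both.
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    label: str          # e.g. "ExampleCorp/Browser 1.0" (constructed)
    groups: frozenset   # user groups permitted to run this release


@dataclass
class Allowlist:
    approved: dict = field(default_factory=dict)  # sha256 hex -> Entry
    revoked: set = field(default_factory=set)      # hashes withdrawn by the publisher

    def approve(self, data: bytes, label: str, groups) -> str:
        h = digest(data)
        if h in self.revoked:
            raise ValueError(f"{label}: hash was revoked, refusing to re-approve")
        self.approved[h] = Entry(label, frozenset(groups))
        return h

    def revoke(self, h: str) -> None:
        self.revoked.add(h)
        self.approved.pop(h, None)

    def decide(self, data: bytes, group: str) -> tuple:
        """Enforcement hook: called when a file is saved or executed."""
        h = digest(data)
        if h in self.revoked:
            return False, f"blocked: {h[:12]} revoked"
        entry = self.approved.get(h)
        if entry is None:
            return False, f"blocked: {h[:12]} not on allowlist"  # signed or not, it is not listed
        if group not in entry.groups:
            return False, f"blocked: {entry.label} not permitted for group {group}"
        return True, f"allowed: {entry.label}"


# Constructed stand-ins for binaries.
BROWSER_V1 = b"browser v1.0 (constructed binary contents)"
BROWSER_V1_PATCHED = b"browser v1.1 (constructed binary contents)"
DROPPER = b"dropper posing as a browser update (constructed)"


def demo() -> dict:
    """Walk through the cases discussed in the thread; returns allow/deny per case."""
    wl = Allowlist()
    h1 = wl.approve(BROWSER_V1, "ExampleCorp/Browser 1.0", {"developers"})
    out = {
        "v1_developer": wl.decide(BROWSER_V1, "developers")[0],
        "v1_finance": wl.decide(BROWSER_V1, "finance")[0],          # group lacks permission
        "patched_before_approval": wl.decide(BROWSER_V1_PATCHED, "developers")[0],  # new hash
        "dropper": wl.decide(DROPPER, "developers")[0],
    }
    wl.approve(BROWSER_V1_PATCHED, "ExampleCorp/Browser 1.1", {"developers"})
    out["patched_after_approval"] = wl.decide(BROWSER_V1_PATCHED, "developers")[0]
    wl.revoke(h1)  # publisher withdraws the old release
    out["v1_after_revoke"] = wl.decide(BROWSER_V1, "developers")[0]
    return out


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} {'ALLOW' if allowed else 'BLOCK'}")
```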
Other than the state generated virii for "their" purposes, does anyone wonder if many of the anti-virus companies actually write the bloody things to self perpetuate their income?
Thankfully my PDP8 isn't affected by these Windows/XML/HTML/Flash/etc. critters. Though it did all go horribly wrong when some numpty used an A4 hole punch on one of my paper tapes the other week by mistake.
Biting the hand that feeds IT © 1998–2018