well, I'm doing decent
avast! seemed to do decently, though they didn't mention how kubuntu does...
Antivirus software is getting worse at protecting users from new threats, according to two reports which found malware authors are getting better at disguising their creations. German computer magazine c't studied 17 antivirus programs and exposed them to completely new samples of malware. What they found wasn't encouraging. …
While the discoveries in the report might sound omnious at first glance the might not be as bad in reality.
Common AV software is inherently flawed because they act upon know patterns for detection. Its the never ending story of being one step behind. This is why companies have invented the heuristic scan to compensate for having to update definitions with every discovery of a new viral pattern.
Ordinary users have little to nothing to fear from the spearhead virus programmers though, because the chance of getting struck by a completely new virus is little to none. The majority of PC users should fear the large epidemics that occurs once in a while, most of can thus rest assured that as soon as a threat arises that can affect many us, its already being delt with, because the more a virus spreads the faster it gets detected and delt with.
Users with extreme security needs have whole different meassures in place to secure their data, and should be safe behind their hardware firewalls and whatever custom measures in place.
The survey tells us that up to 40% of patterns can go unnoticed. But what we dont hear is how many infections they account for over all. The 40% could account for only 5% of all infections. Second, what is the response time from the AV companies with efficient detection and cleaning. I´d say that major threats often issues an immediate virus definitions update on a day to day basis, thus dimminshing risk even further.
"The c't researchers also created variants of known viruses"
This is enough to discredit them as "researchers". There are proper ways of testing how well an AV product handles viruses unknown to it - but this isn't one of them. Yet another meaningless "test" by ignorant morons.
Unfortunately there are some flaws in your comment.
With most modern viruses taking steps to actively disable anti virus software, once someone is infected by a new vuln then their av is unlikely to work in its normal manner and perform updates and detect and remove viruses the way it used to.
In some cases the malware authors specifically prevent it detecting their specific malware in others they just stop it working totally.
This then leaves the person open to infection by any of the old vulns that have been known for years as well.
As for the damage that 40% does you only have to look back at old headlines to see how much damage they do before the av companies do add updates for them.
With more and more people becoming web2.0 addicts with blog and social network dependency problems we are seeing the spread and reach of new vulns picking up at a fair old whack.
Whilst we have finally got many of the great unwashed masses of end users used to no longer installing files they get by email the whole malware industry (and yes believe me it is an industry and not just a couple of rebel teenagers haxoring to be 1337) has moved on and will by the very nature of the beast, continue to move on at a faster pace than the av industry.
Nowadays you can get infected just by visiting some of the best known sites on the net where the adverts they carry contain carefully crafted exploits, without thinking about the number of infections from myspace and other social network sites.
This is something we cant really educate against. After all its not like email attachments where you can say just dont do it. What is the web without websites and if you cant even trust the bigger players to screen the adverts they run then you cant expect anyone to.
Huh? Your statements beggar belief!
So how, exactly, are they meant to test the detection of viruses? By writing "hello world" programs and seeing if the AV applications detect these? A virus is just a program that performs certain tasks, if the "test" program you write doesn't perform these then it isn't a virus and therefore *shouldn't* be picked up by an AV scanner.
I suppose you also disapprove of Vulnerability Scanners and and other tools used by security professionals to verify the security levels of the systems/infrastructures they are trying to secure? After all, some of the tools were created by unethical hackers for malicious purposes...!
There's plenty of anti-virus for Linux - many of the proprietary people produce a version for Linux servers, and there's a few open source packages (like ClamAv).
The difference is that AV on Linux is largely aimed at reducing the propagation of viruses by Linux servers, rather than preventing infection of the Linux machines themselves.
My company mail server has a pretty aggressive AV set-up to scan incoming mail, thus reducing the risk to my co-workers who might be using the OS which the virus is actually targetting. Same goes for the Web Servers, especially where file uploads are permitted...
There are a few viruses, trojans and rootkits that specifically target Linux servers, especially the common LAMP stack - it's foolish to assume that Linux is safe, especially if it is exposed to the Net.
There is a quite simple test if a virus is created ethically: is it released into the "wild" or not? If it is, then we have cybercrime only if the release was intentional (i.e. the creators are criminals, not necessarily idiots). If the release is unintentional we may in full justification speak of idiots, morons. etc. If the virus stays in the lab it is a controlled experiment. Controlled experiments were part of good scientific procedure when I last checked, as anyone with a PhD would appreciate.
"This is enough to discredit them as "researchers". There are proper ways of testing how well an AV product handles viruses unknown to it - but this isn't one of them. Yet another meaningless "test" by ignorant morons."
This statement is enough to discredit you. For some reason, you seem to have a pretty solid reputation in the field of AV research, but comments like this make me wonder how that came about.
RELEASING a virus may be unethical, but creating one to discredit the claims of the snake-oil industry, sorry AV industry, cannot be considered to be even remotely comparable.
That aside ethics are, by definition, highly subjective, and posting on a public forum to decry academics as unethical just makes you sounds like a fundamentalist twat.
This industry you work in seems to be staffed exclusively by self-serving capitalistic crooks. AV software has failed us, and has been doing so for years. I think its about time you lot admit this and give up trying to dupe your customers. Design effective software to control unwanted code execition or fuck off out of the IT industry.
Did they test how many of those viruses managed to infect:
A) A Windows XP installation with the logged in user NOT being and administrator
B) A Windows Vista installation with UAC enabled.
I'm especially curious about point B, especially if the user did NOT agree to grant administrative rights to the executable. Such a test would in fact test how much decent user behaviour blocks against viruses, as it is this behavious that is the primary barrier against brand new viruses.
And please, don't start the regular "Vista Sucks" topics, they're getting tiresome, especially if they're accompanied with the regular Church of Jobs gospel.
. . don't click.
Education is better than shelling out for the bloated stuff that usually comes with a machine. It doesn't help that many users never even click on 'update' on their anti-virus S/W as the icon in the system tray says 'Norton' or similar so the 'must' be protected.
It also doesn't help when testosterone gets in the way and the thought of a surreptitious peek at the crotch of some celeb silences any warning bells in the head.
Oh yes, and how are you supposed to test for variants - e-mail the virus writers for the next Spring collection or knock up a few of your own with the available kits?
It beggars belief that an AV company's representative (whether in personal or professional capacity is irrelevant) claims that creating more variants of computer virii to test for 'unknown' threats is unethical.
If anything, it mirrors the real world, where such new threats are generated weekly, if not daily! The difference is that these variants do not leave the lab where these tests occur, that they give the researchers a solid test bed to work with, whereas you'd have to honeypot some machine for weeks to get some sort of unknown virus, which doesn't help since by that time those variants are caught by the updated signatures, which ruins the test in the first place.
Yes, so it leaves your organisation on the back foot Dr Bontchev, but it does the same for your colleagues at McAfee, Symantec, Sophos, Eset, Panda, Trend Micro and God only knows which other AV companies. Do you for one second think that your competitors are happy about that? No, they're not. But they don't sound like cry-babies. They fix their software to be more accurate.
Creating new variants is no different from bio-virus researchers at Fort Detrick (AMRIID) or CDC in Atlanta, who do this to ensure that their vaccines are broad-spectrum enough for the purpose they were designed for. Does that make these researchers unethical too?
I'd guess that if someone with that name has a good reputation, that post was not by them.
Effectively (unless I'm missing something really obvious) there are only two ways to test the scanner's behaviour to "unknown viruses":
1. Analyse the code, work out what it will do with every possible input, work out how effective this is.
2. Chuck random code at it, and see what happens.
The first is inpractical under most circumstances for the majority of tests - since there's no source available, and reverse engineering is not only illegal (at least in some countries) but also very difficult considering the amount of code involved.
If "new variants" are created under controlled conditions, it sounds like (at the very least) a sensible part of a multi-faceted test - and possibly even enough of a test (if enough variations are generated) to rate the efficacy of the scanner.
... Anyone who creates new computer virii to cause damage, or anyone releasing testbed data (such as the set c't Magazine created) into the wild irrespective of reasoning behind it, earns my condemnation as being unethical. In that respect I am in agreement with Dr Bontchev.
Sigh... The crowd of ignoramuses who drool reading ElReg's stupid articles is again demonstrating its collective ignorance. OK, lecture time.
Nick Ryan: I am not sure what you mean exactly. What you're saying is very true - using non-viruses to test an AV program is utter idiocy but, alas, some AV testers do that too. :-( I see no evidence that this is what c't has done, though. If you are objecting to my comment, then I fail to see where the objection is - please bother to explain your thoughts in a more literate manner. I never said that they shouldn't be using viruses to test AV products. In fact, I didn't even say that they shouldn't be using viruses unknown to the AV products they are testing - a fact, which many of the half-wits here clearly missed. What I said is that it is unethical to *create* viruses (no matter for what reason but especially for the purposes of an AV test).
Joskyn Jones: Your supposition is false. My comment covers only self-replicating malware, i.e., viruses.
Gerrit Tijhof: It's quite trivial, really, and the respectable testers do it regularly. Simply, they use viruses that have appeared *after* the AV products they are testing have been released. They don't create these viruses, of course - that would be unethical. They simply use older products - usually 6 months old. Given that 5000+ new malware programs appear every month, there is plenty of test material without the need to create any new one. By conducting such tests regularly, one can eliminate flukes (e.g., under-performance because of an one-off bug in a particular old version of the AV product). Google for Andreas Marx - he is one of those who have performed such tests.
steve: Get a clue. The testers had no way of knowing what exactly the heuristics are looking for, in order to "simulate" it. Besides, the different AV products use different heuristics. Using non-viruses ("simulated" viruses) to test AV products is *wrong* - but this isn't what c't did.
Geoff Mackenzie: If your comment is a joke, it's a good one. :-) If it's a genuine misunderstanding, "c't" is the name of a German computer magazine.
Michael H.F. Wilkinson: There is a much simpler test - is the program you created capable of self-replication, or not - and was this property implemented intentionally? If yes, then your act is unethical, regardless of your intentions. First of all, there is *NOTHING* that can be performed with the help of self-replicating code that cannot be performed without (although that might be at the cost of increased efforts from your part). NOTHING. Second, a virus replicates. It *will* get out. Third, you have to submit the non-detected samples to the companies making the products that didn't detect them - so that the products can be improved or your test is meaningless. But you have no way of ensuring that the products will really "improve" if they start detecting the viruses created by you. Their heuristics might stay the same and they might add just virus-specific detection of them. So, you end up creating work for the AV companies without any benefit for the user. Worse, the "benefit" is not just zero - it's negative. Who do you think will have to pay for the increased workload of the AV companies? That's right - the users. So, virus creation always ends up costing the users money and is unethical.
Anonymous Coward: Get a grip. All industries are staffed exclusively by "capitalistic crooks". That's the definition of "industry" - capitalism. Or does your food and clothing come from charities? Or maybe you truly believe that "Product X" washes whiter than "Product Y"? The AV industry is no different. We, the anti-virus producers, have to eat - just like everybody else. For that, we have to sell the products we make. If you don't like it - don't buy them. Most people find that they like it even less when their computer gets infected due to the lack of protection - but maybe you're different.
Keith T: If user education was ever going to work, don't you think that it would have worked by now?! For every user you manage to educate, a hundred others appear. As for your "how to test" question, your supposition, despite being sarcastic, is not far from the truth. You just have to reverse it - instead of asking the virus writers for their next Spring creations (that would be stimulating virus creation - which is also unethical), wait till the next Spring to test the AV programs of today. Or test with today's viruses the AV programs released this summer. Simple, really - one would have thought that even somebody with a room-temperature IQ would be able to figure it out.
Stefan Paetow: It doesn't "mirror" anything. You don't have the slightest clue how heuristics work, do you? There are two main approaches. First approach (and the one I personally prefer) is "follow the definition". By definition, a computer virus is a program that replicates itself. So, examine the piece of code you're scanning and attempt to determine whether it contains instructions that copy it elsewhere. (Of course, it could simply be an installer - in which case your heuristic is causing a false positive - but that's why it's a heuristic and not a strict algorithm.) How does c't's approach "test" these? They don't know exactly what properties the author of the AV program is looking for in order to determine that the code is copying itself. If they create programs that have these properties, the "test" will say "this AV product is great" while in reality it might miss the majority of viruses created by the virus writers. If they create programs that don't have these properties, the "test" will say "this AV product sucks" even if it actually manages to detect the vast majority (albeit not all) of the viruses produced by the virus authors. Ergo, the "test" results are meaningless.
The second way to implement heuristics is to examine a "bloodline" of malware - i.e., many different but closely related variants of a virus family. The AV producer then determines what seems to remain relatively constant in this family and what seems to change a lot and implements detection of the constant thing. In a way, the AV producer is trying to read the mind of the virus writer and to guess how his future viruses will look like. But this approach is useless for the kind of viruses that are specifically created for test purposes - because there is no "bloodline" to examine. So, the "test" is again meaningless - many AV products that succeed very well to detect unknown viruses might fail it.
Graham Wood: It's me, the genuine article. Google me and you'll see that I'm a rather outspoken opponent of virus creation for WHATEVER purposes. Look up my papers "The Pros and Cons of Macro Virus Upconversion" and "Solving the VBA Upconversion Problem" to see to what lengths I am prepared to go, in order to avoid even trivial virus creation while still protecting the users.
And, yes, you're missing the obvious - there is a third, much better approach; see above.
Oh, and reverse-engineering OF VIRUSES is *not* illegal anywhere. In fact, even reverse-engineering of commercial products is explicitly allowed for specific purposes even in the countries that have laws against reverse-engineering.
Only a person who has no clue how AV programs work can call such "tests" a "sensible approach". It doesn't test *anything*. It's results are *meaningless*. They give absolutely no reliable information whether the tested AV programs are really good or bad.
"Controlled experiments were part of good scientific procedure when I last checked, as anyone with a PhD would appreciate."
Ah, but that would be assuming he's a real doctor, and not just some MD...
Anyway, people who feel the need to put "Dr." in front of their screen names for websites have suspicious psychology... Should I change mine to Dr. J too, since it took me years and quite some work to get my PhD, therefore I must advertise it? Do the chicks dig it, at least? Hmm...
Well, it's not worth refuting point by point, but you're quite simply wrong. For test purposes, there's nothing inherently evil or wrong with creating viruses. Releasing them in the wild is the wrong thing.
And, no, just because you have a self-replicating program does NOT mean it's going to magically get into the wild. It's quite easy to avoid in fact. After all, this is not like biological viruses, they aren't going to fly through the air to nearby computers; if the infected machine is offline and you're not sticking writeable media into it, there's nowhere for viruses to go. Wipe the hard drive with a CD when you're done and the machine is virus free. Simple as that.
I don't expect that c't is hiring some hax0rs to custom write brand new viruses, I expect they are just making simple alterations to existing ones to see if the virus scanners will catch them or not. That's the very essence of testing if the virus scanner's heuristics are good or not.
As for the poor detection rate -- I bet one reason it's so poor is quite a few antivirus companies continued view that viruses and spyware are two totally seperate things that need two seperate products to detect. There is of course historical precedent behind this, (and practical precedent) but when you have both replicating by themselves and spreading it does blur the lines for sure. I expect some of c'ts test items, the virus scanners that didn't detect them didn't because the company considers it to be a piece of spyware rather than an actual virus.
>Well, it's not worth refuting point by point, but you're quite simply wrong. For test purposes, there's nothing inherently evil or wrong with creating viruses. Releasing them in the wild is the wrong thing.
Historically AV industry takes very firm stance on that, and clear separation from those who create malware has served us well so far, so don't expect it to change anytime soon.
Before times of industrial virus writers there were a lot of crackpots accusing AV companies of creating viruses by themselves. And one of the defences of the industry was to have a very clear ethical guidelines.
>And, no, just because you have a self-replicating program does NOT mean it's going to magically get into the wild. It's quite easy to avoid in fact.
Yeah right, in these days of ubiquitous WLAN and Bluetooth TCP/IP, I would be a bit careful with such statements.
Couple years ago US nuclear power station got infected by Blaster worm, I'd guess that they tried to secure their environment. And still there was one T1 installed by contractor that security did not know about.
>I don't expect that c't is hiring some hax0rs to custom write brand new viruses, I expect they are just making simple alterations to existing ones to see if the virus scanners will catch them or not. That's the very essence of testing if the virus scanner's heuristics are good or not.
Just how do you make simple alterations to existing malware and still have test set that is in any way relevant?
Even if we skip the ethical issues, such test is still invalid for many reasons.
1. Are the modified variants still viable?
You could easily make something that flips one instruction here and one there, and result might even execute, but would it still be malicious? Who cares if some AV product cannot catch a damaged sample.
2. Are the modifications similar that have and will be created by malware writers?
Even if we assume that magazine reviewers are capable of creating new functional malware, are their creations anything like that will be seen in the wild?
What use there is to create more work for AV companies to make them catch modifications that will never occur outside c't labs?
3. Who cares if signature based detection or static heuristics cannot catch a new sample, they are only a fraction of modern toolkit.
The days of simple AV scanner have been over for many years, modern AV packages use a lot of different techniques, from simple heuristics, to emulation, to runtime behavioral analysis. Testing that all is very complicated work, and taking shortcuts in the simple part of process is frankly very stupid.
As Vesselin said, the best and ethical approach is:
1. Install AV product with 3-6 month old updates.
2. Test it against malware that has appeared after that.
Far easier to accomplish, and the results are actually usable.
J: I *am* a real doctor (Ph.D.) - not some MD. As you would have doubtlessly discovered, had to used an ounce of common sense and had you googled me. My Ph.D. thesis, "Methodology of Computer Anti-Virus Research", is used as a textbook for educating new anti-virus researchers at several anti-virus companies. Whether you put your scientific title in front of your name or not, I guess, depends on how much confidence you have that you deserve it.
Henry Wertz: I never said it was evil. I'm pretty sure that the people at c't had the best intentions in mind. But it is still unethical and wrong (technically wrong - not just ethically). Creating new viruses does *NOT* give meaningful results in tests. And these viruses *DO* get out, increasing the workload of the AV companies and, in the long run, costing the users money.
I am not saying that they will get out and start infecting your hard disk. But they *have* to be provided to the producers of the AV programs that did not detect them - so that these programs can be improved. (If this is not done, the "test" is even more meaningless. Like you know, "gee, I created a bunch of new viruses that your product didn't detect and I won't even let you figure out why".) And, the way malware is shared among the AV industry these days (we get 5-7 Gb collections of new malware every month just from Microsoft!), it is guaranteed that just about everyone (every AV company, I mean) will have them within a month. And will have to implement detection of them. Which, I assure you, is not free. And the costs of which will be eventually paid by the users.
So, to summarize, such "tests" do not give a meaningful indication of whether an AV product is good or not, and they end up costing the users money. Not to mention that they enforce the myth that "AV people make viruses". In other words, they are a very bad idea. Any AV tester who does not know and understand this is at best incompetent.
On the ethical side, an AV person creating a new computer virus is similar to a medical person creating a new deadly biological virus. Yes, I'm quite aware that quite a few people with a medical education do just that (e.g., for bioweapons research) - but for someone who has sworn to "do no harm", it is still unethical, no matter how it is rationalized as "necessary".
Finally, it is true that many AV companies treat viruses and spyware/adware differently. The reason is mostly technical. Viruses are easy to define formally - if a program replicates, then it's a virus. And a program either replicates itself (in some real-life environment, of course, because for any given sequence of symbols it is possible to construct an environment in which it will self-replicate) or it does not. Simple. But Trojans, adware, spyware, etc. are difficult to define objectively. Their definition requires such subjective terms as "malicious" and "damage". But what is "damage" for one person might not be for another.
Let me give you an example. Is a program that formats your hard disk malicious? What if it's the program FORMAT.COM? Does it become malicious if somebody renames it to SEXYGIRLS.COM? Despite that it has the same content? Ah, but it asks before proceeding. What if the question is in Swahili? And the default answer is "yes"? Is it a malicious program - or just a badly designed one?
In any case, I don't see how you have made the conclusion that this dichotomy (AV companies treat viruses differently from adware/spyware) is what has lead to under-performance of some products in these so-called "tests". Whether the newly created viruses would be detected depends only on what heuristics the AV products used and whether the viruses were created in a way that would avoid these heuristics or not.
"J: I *am* a real doctor (Ph.D.) - not some MD. As you would have doubtlessly discovered, had to used an ounce of common sense and had you googled me."
Hmm, you seem to have missed the "joke alert" icon there...
And, by the way: why would I be bothered to "google" you at all to begin with? To my person, you have no relevance at all.
Well, thinking again, the "psychology" part of my first post doesn't seem to have been really a joke after all...
Only 8 days left in the poll.
Symantec software makes Vista look like perfection.
NIS'07 (for example) is so poorly designed, so poorly coded, so much evidence of poor decision making, zero QA, etc. - you actually need to question the intelligence of the people involved with its creation.
And the blog is primarily concerned with the visible (self-evident) errors and bugs. There are probably many times as many errors that are not visible.
Honestly. If Symantec would simply go through my blog and fix everything, then their product would be significantly improved. Some guy with a blog could be their entire QA department. Geesh.
Is it ever ethical to create viruses? Obviously not for Dr Bontchev, or for many other people in the industry. Equally obviously, a lot of people outside the industry disagree, and a short comment here probably isn't going to change the mind of anyone who thinks that the industry is populated entirely by crooks and incompetents. So let's try a slightly different set of questions.
* Is it ethical to conduct a misleading test?
* Ethics aside, is this a competent test? Is it based on sound methodology? (Hint: if you don't have a pretty good idea of exactly how it was done, that's a bad sign.)
* Is it ethical to conduct a test with the intention of proving the AV industry is incompetent by using methods that you are fully aware are considered by that industry to be inappropriate, not only ethically but technically?
* Is it rational to judge the competence of a test by the degree to which it winds up the anti-virus industry?
* If testing is so easy that everyone knows more about it than the antimalware industry or the people who do regular, professional testing, why does every test outside those groups come up with an entirely different result?
Hello, anybody remember when Consumer Reports did the same thing last year?? Similar results, too, then.
Heuristics is always a headache. Honestly, what do you want in an anti-virus program on an x86 platform? The processor model itself had security flaws from the beginning, so everything else is going to be a patch on that.
Let's see, c't, Consumers Reports, the NSA, and I don't know who else have played the "create some new stuff and see how they do" game. Linux isn't the answer, and neither is Vista. These are just different platforms. Everything is a risk factor, so just get to it and back up your data.
"Full speed forward and damn the torpedoes!"
Perhaps some of the more informed/enlightened posters could divert their intellect into the study of biological viruses and their role in the food chain.
When they've completely eradicated the "nuisance" they cause to us good people, they can "cure" the electronic world too
Viruses are simply sculpting the IT industry towards a perfect (if possible) method of computing.
My current plan is to do banking and other sensitive work on a trusted computing platform, and the rest on whatever comes to hand.
Here's my trusted platform: an old Pentium III @930 MHz with 384 MB of RAM running Knoppix 5.1.1. Every boot is clean off either a CD, DVD or an iso image of same on the hard disk, though I plan to re-md5sum the hard disk image periodically to ensure that it hasn't been tampered with.
I do have persistent storage on a USB key integrated with the Knoppix image filesystem via AUFS which could preserve contamination across boots, but I hope to limit its usage to personal data storage as opposed to extensive system software and configuration file changes. (I still need some way to compare configuration and software updates with the static iso image just to make sure that only my changes have been made.)
If I'm feeling especially paranoid, I can still boot straight off the CD or DVD without the persistent USB storage and do my banking etc. with zero possibility of software and/or configuration contamination assuming that
1) I downloaded and burned a clean copy of Knoppix,
2) Klaus Knopper has put together a clean distro, and
3) nobody has hidden a hardware keylogger in my keyboard or desktop system.
(As for privacy, I plan to do whole-disk encryption with loop-AES since the dm stuff doesn't seem cooked quite yet. I'm already running encrypted swap on a separate disk volume.)
Although the DVD edition of Knoppix has some nice software development tools, I will probably do development and general web browsing in less austere surroundings.
But can anybody poke any holes in my trusted computing platform as far as virus resistance is concerned?
Biting the hand that feeds IT © 1998–2019