Telecoms people have been using a very similar thing for years to control revenue leakage. It works very well. I hope it works as well for this.
Signature-based malware identification has been around since the dawn of the computer security industry, but McAfee has said it's dumping the system – or rather, adapting it – in an upgraded security suite which will (it claims) virtually eliminate susceptibility to botnets. McAfee's malware signature database has grown to …
But in the last review of anti-virus products by a web magazine, McAfee rated DEAD LAST with largest number of allowed intrusions. Which is disconcerting as a friend I know uses McAfee, and I must therefore get him to switch away from it. More likely, do the switch for him.
Kaspersky got the top rating in the test results.
"But in the last review of anti-virus products by a web magazine, McAfee rated DEAD LAST with largest number of allowed intrusions"
"Ah, but that was the last version", said the sales rep looking nervous and sweaty, "the next version will be the best ever and will stop all botnets!"
Note though, that they're only claiming success for botnets, not every other type of virus out there.
Let's not be judgmental, now. McAfee's doing pretty well for a bunch of junior guys in a converted warehouse in Bangalore.
Oh. You mean that's not what they are? You say INTEL owns them??!! Odd, that. To their customers, they certainly seem like a bunch of junior guys in a converted warehouse in Bangalore.
McAfee says it has ... integrated its various modules much more tightly with each other.
McAfee, like so many other tech companies, has made a business out of targeted acquisitions. They have a number of products that do a number of things, most of which are complementary to each other. What they do not have is good integration. See how well multiple admins can set up rules in the DCM/DLP module at one time within ePO for an example of this (hint: only one at a time, per ePO server). Heck, they don't even have internal consistency for some products. Menus and permission sets are pretty much in the same condition they were found in when the various products were acquired. Data is sent to databases but cannot be accessed from within the application's reporting system. Not what I would call good integration.
I look forward to seeing this promised improvement, at which point I will believe it.
If you have important data, you need AV in MacOS, Linux, Android, iOS...
The problem with windows is that it is the most used, easy and OPEN (for the user and simple programs), and it used to be very vulnerable. Therefore, it is the most attacked.
As much as I despise M$, now it is as secure as others (i.e: full of not so easy to find holes).
Oh, I can't not respond to this hogwash.
Eadon, I see the repeat machine is firing on all 3 cylinders.
Give it a rest mate...
Your tiresome rhetoric, coupled with your propensity to post and give a rallying war shout to all the linux-tards on anti MS sites to up your post/comments ratio is really past its use by date....
Besides, as I and countless others have said, you're talking tripe if you believe your own dribble about viruses not being an issue on unix, linux, iOS etc etc. Have OS, will infect.
"Besides, as I and countless others have said, you're talking tripe if you believe your own dribble about viruses not being an issue on unix, linux, iOS etc etc. Have OS, will infect."
While he may be overstating his case, I'd be interested in seeing a comparison of the number of linux/unix web servers running Apache with anti virus compared with the number of windows servers running IIS with it. Given, you know, that Apache on linux is the most popular web server combination and the so old no-one-runs-linux-so-virus-writers-wont-bother argument that MS apologists always come up with doesn't hold water.
If you have an FTP Server, shared network resources etc then you can potentially "surrogate" the virus within the files that you host.
Viruses are generally OS specific and even though your system might not be targeted you would be helping everyone by not "sharing" the virus any further. In such a case the AV is not protecting your system but it is helping protect others, which in turn is good for you also.
quote: "Windows has 85% of the desktop market (and still falling). Yet, it has 100% of the viruses out there. *think about it*."
Absolutely. I'd even go so far as to say that of the last 100 infections on Windows I have had to deal with, none were viruses. It's very rare to see a virus these days, what with the completely staggering number of trojans and ransomware built from kits out there.
Do you know if anyone has built a crimeware kit for OSX yet?
I once was working for a government IT department called the NHS where there was an opportunity to save a small amount of money and get *nix a foot in the door by putting in a linux server for a particular service, which it would have been uniquely well placed to deliver (better than a windows server would have been).
It was a sensible, well thought out idea that would have worked, and allowed the staff there to gain some familiarity with *nix servers which one day could have resulted in there being a lot more of them on the network, further saving a lot of money.
However, the look on the chap's face who had to sign off on it when I mentioned *nix immediately told me that there had been zealots in before who had preached the point without understanding basic professionalism. In my view those people have forever blown away any possibility of having *nix servers installed at that location through their zealotry, and worse they resulted in me being tarred with the same brush for actually mentioning it.
Your zealotry does not help the situation. Far from the point, it's actively harmful to getting any form of *nix installed anywhere and you would really help the cause by shutting up. You make anybody using or proposing the use of any form of *nix look like an unprofessional teenaged twit and surely you must realise that your misinformed rantings are the best dream because of the negative advertising of *nix that Microsoft could ever possibly wish for.
"- I didn't know the NHS was a govt dept, AC, thanks for this enlightening post. >HEADDESK<"
NHS falls under the Department for Health, glad you're enlightened.
You can rant on about the difference between viruses vs trojans all you like, but I challenge you to find a reference in the article to "AV", "antivirus" or even "virus". McAfee and the likes refer to themselves as Security products, which every OS needs to some extent or another.
But don't let that stop you turning this into an opportunity for you to vent against a different company/arena that you don't like.
@Eadon: Please, please, please for the love of Tux stop making all of us Linux geeks look bad with your ignorant prattle.
There are many viruses in the wild for OSX (unless you're stupid enough to believe Apple over every credible security firm in the world) and even a few in the wild for Linux (which, incidentally, can also infect BSD systems in theory). You need virus scanners on all three, and not just to protect any Windows systems that connect to them.
A *lot* of IT professionals visit el reg because of the fact that you can often get more information about what really causes national problems with infrastructure (and the resolution times expected) from el reg than you can do from the companies involved.
So yes, your constant inane, unprofessional and stupid comments which are being read by those IT professionals elicit an instinctive reaction of "FFS, another moron" when FOSS is mentioned and sadly this impression is constantly reinforced.
This causes obvious barriers to introducing FOSS as the more moderate and knowledgeable people instantly and immediately get stereotyped as moronic idiots for suggesting that FOSS can be a solution to any problem on a previously windows only network.
If the stereotype of FOSS advocates was professional and knowledgeable instead of ignorant and stupid, this would help adoption as there would be some risk of the people being taken seriously. So if you want to help the cause please stop making us all look like idiots and prevail upon your friends to do the same.
@Eadon: I would refute your claim of not having any influence, but I would simply be repeating what the AC has already said.
As for Linux viruses, I personally saw a Badbunny infection on a friend's Mint machine just a couple weeks ago. I have no idea how he got it, but the system itself isn't that old. Certainly not old enough for it to have come in through a 'long patched remote vuln'.
As for OSX, not even Apple makes the claim that it's immune anymore (which I didn't realize until last night - early this morning in Britain - when I stumbled across an article about it). I could name some examples, but why don't you just go look at F-Secure's or Sophos' list?
You're splitting hairs on the difference between Trojans and viruses. They are equally dangerous and you need some sort of anti-malware, which most people still call antivirus, for either. If you're too dense to realize that then you truly should not be talking about security on any platform. If you do realize it and are just trying to make your systems of choice look better, then you should realize it's not going to work. No real IT professional is going to fall for that idiocy.
Learn some basic security chowder brains!
I know the difference between a virus, a worm, and a trojan. When it comes to protecting the network if you're only protecting against viruses and everybody in the org gets an email with a trojan, it doesn't make a rat's ass worth of difference, the network is still down. That's why somewhere back in the early 1990s we stopped worrying about what minutely specific type of compromise was occurring and just wrapped it all up in a nice bow and called it 'malware'.
"It would be jolly nice if people with, say, more than twice as many downvotes as upvotes were greyed out or hidden by default."
Well, that would certainly take care of Eadon and Obviously! at a stroke (and be less tiring than individually moderating the latter's posts for all the homophobia and generally abusive ranting that they contain).
The idea isn't terrible, actually.. hmm.
..............and her asking for more."
I say old chap, steady on. I am sure that your good lady mother would not have touched him with the thin end of a very long bargepole. I mean, who would? It is bad enough having to debate with him never mind - oh god no, the image in my mind is too horrible. I can't go there, not even in the most theoretical sense.
I thought those little silver icons were because these people were special in some way and knew what they were talking about. Now I realise they are just post count awards handed out to trolls.
I do hope you don't have any customer computers to look after with that blinkered attitude.
Read the article, idiot. It's about malware of all kinds, not just viruses. In fact, the word "virus" is not even mentioned in the text.
El Reg, please can we have a "report irrelevance" (or better yet "report idiocy" or "report bigotry") link next to the "report abuse" one please for these sort of rantings?
So what is your point, even if your assertion were correct, which I'm pretty sure it isn't. That a Linux box is simply "safe"? Yeah right. I run an Ubuntu Linux server and it is being hit by port scans and attempted logins by script kiddies 24x7. It was fairly secure "out of the box", but it wasn't locked down as tight as I wanted it. I had to go to some extra trouble to research and install some monitoring software to detect intrusion attempts and block the offending IP addresses. I replaced the mail server with a professional product, and I still had to give up on using my original e-mail address @ my domain name because it was just too much work to deal with the spam (and why bother when you get free e-mail from Google, Hotmail, Yahoo, etc.). I had to just take down my forums, and remove the registration module from my Wiki completely, in order to stop spammers from registering fake accounts in order to post ads (or worse, links to websites with exploits), wasting my time removing said accounts. If Linux were so safe, then I wouldn't be suffering incessant attempts by hackers to get any foothold on the system in the hope of escalating that to root privilege and adding my box to a bot army. As things stand, in spite of my attempts, I wouldn't bet a nickel that a real hacker couldn't find a hole and hi-jack the server.
Since I use the server as a server and not as a desktop machine, it might not need a typical AV software.
But, again, so what? The only reason most botnets consist of Windows boxes is that 90% or so of the PCs in the world are running Windows. Most of the *servers* getting rooted ARE Linux boxes. If your grannie could figure out how to install Ubuntu, she'd doubtless have no more clue how to avoid getting her PC rooted than she does when using Windows.
"If Linux were so safe, then I wouldn't be suffering incessant attempts by hackers to get any foothold on the system"
So hackers constantly attempting to get on your system - but not apparently managing it - means Linux isn't secure? Uh, what? So if a burglar tries the lock on my front door but can't open it the lock still somehow isn't good enough. What do you want it to do - scare the burglar off first? Wtf are you talking about man?
Oh, and FYI - spam isn't hacking. HTH.
"Most of the *servers* getting rooted ARE Linux boxes. "
This portion of your comment:
I replaced the mail server with a professional product, and I still had to give up on using my original e-mail address @ my domain name because it was just too much work to deal with the spam (and why bother when you get free e-mail from Google, Hotmail, Yahoo, etc.). I had to just take down my forums, and remove the registration module from my Wiki completely, in order to stop spammers from registering fake accounts in order to post ads (or worse, links to websites with exploits), wasting my time removing said accounts.
contains an argument that is not platform (Linux) specific. Spammers can create fake accounts on forums hosted by Windows also. Also the argument concerns application software, not O/S software. Therefore it is REJECTED.
I run 4 Macs and 2 Linux desktops at home for my family, after 25 years in IT I still don't believe all that utter bollocks you're spouting! 15 years of DOS and Windows taught me to be utterly paranoid as I know there are enough shitbags out there who would kill for my personal info and trash my machines for shits'n'giggles!
The computers that need AV are the ones poorly secured by the user.
Put Linux on as many machines as there are Windows machines. Let the average user configure security themselves. See how many Linux viruses there will be. The average user won't lock their machine down very tightly and will install any old crap a website tells them to. "You want my root password to install the pink pony screen saver? Lucky I set it to something simple to make it easy to remember"
Well, in my world, which appears to be a different version of reality to yours, when someone has an infected machine here they don't care two hoots about the semantics as to whether it's a trojan, a virus or whatever.
It's infected and that's all that matters to them.
"There's only ONE operating system that needs AV. Windows."
Not true. My Linux server hosting email lists for various community and charitable groups needs AV for good reason. Not because the digital diseases of end users who subscribe to these (all confirmed opt in) lists are likely to infect my Linux host. They aren't. My server needs AV to detect viruses present in email attachments which end users send each other through my server. My server is designed to replicate these messages but not emails attached to them.
From the end user point of view, the distinction between the viruses replicating because my server is infected, and the viruses replicating because my server is designed to replicate email is academic and moot.
I can't wait to see what entirely innocent programs just happen to meet McAfee's half-tested heuristics and get sidelined. Probably on someone's main cloud server framework.
It would almost be funny, except that our corporate IT policy is to run McAfee, and I can't connect to the company network if I don't :(
I'm not even sure I understand their marketing message.
A botnet is a collection of computers carrying out tasks (such as spam, DDOS, web proxying and sometimes even hosting) on behalf of the bad guy. It isn't something a computer can be susceptible to. Perhaps they mean that it prevents them from being infected with an item of Malware which turns the computer into a Bot. Interesting... bots can be installed by mass mailers, targeted trojans, malware hosted on compromised websites, malware on USB sticks and even by idiot users who decide to become part of a hacking collective and voluntarily install a bot onto their machine.
So perhaps what they are trying to say is that their new improved protection NOW prevents computers from being infected with malware (unlike before)? Or, perhaps what they are saying is that they have realised that reactive, signature based, malware detection is no longer sufficient to protect computers in the modern era now malware has the ability to spread globally before the AV companies have a chance to create and distribute a signature and if this is the case then WTF do they think that they have been doing since Bubbleboy was released in 1999???
No, No, I think I've got it... What they are really trying to say is "BUY OUR STUFF, It's less bad than it used to be"
Please note, I am not specifically anti-McAfee, I am anti-marketing bull.
AC as the views of the voices in my head may not be acceptable to my employer.
Read that part very carefully, I have quoted it below:
As for rootkits – a particular Intel bugbear – McAfee touted a recent test by AVLabs that it sponsored that highlighted the effectiveness of part of its suite at cutting this attack vector short (although it did not specify testing criteria). The tests give McAfee a 100 per cent rating at killing rootkits, compared to 83 per cent for Microsoft and 67 per cent for Symantec.
Did you note the emphasized words?
So, I agree, Suspicious figures or paid for lies? You decide.
Read that part very carefully, I [am foaming at the mouth] below...
Yes, thanks, no one else reading the article noticed that McAfee sponsored that study, or has ever considered the possibility that research might be affected by its funding source, sometimes to the point of being completely compromised. Had you not pointed that out, we all would have taken the McAfee statement as gospel.
But, hey, you wouldn't want to miss yet another opportunity to accuse someone of shilling.
Really, please, grow up. Even if a single reader here is likely to base their opinion of that "test" - about which we have so little information as to render it meaningless - on the question of whether the outcome was influenced by McAfee sponsorship, your pointing that question out will come as a surprise to exactly no one. Boldfacing some words in the quote, then pointing out to your readers that you'd boldfaced them, is childish and inane.
Obtain multiple Linux distributions.
Select apps and kernel source code you want to run. Avoid ones that require a virtual machine running on top of the hardware.
Cross reference across versions to locate any changes between them IE potential trap doors. Do this with 2 different comparison tools to avoid one that's fixed to ignore trapdoor code if it receives a specific marker, or code your own. You'll do this for any future apps you load.
Define new processor architecture with opcode bit patterns chosen at random (to prevent guessing if samples of your object code fall into the wrong hands) and implement it. For extra obfuscation make it a stack architecture running an unusual bit length.
Hack code generators for the apps and kernel languages you're going to compile.
Re-build kernel & apps to new architecture & install on system.
Change/delete any default accounts/passwords. Set up low privilege working account(s) where you do most of your work, view your p0rn etc.
Change default router password and set router to ignore all calls from the internet to your address (so you're invisible except to your ISP). Disable universal plug and play (and most other things).
Congratulations. You should be malware free and anything that gets into your system (infected email attachment?) will have no way to execute. Like a border post backed by a 1000 Km of desert. Anything that gets in will die.
Now how many of you are paranoid enough to actually implement this strategy?
Actually, the probability that your v1.0 of all that will be bug free is low enough that it would be safe to bet the rent there's a vulnerability there somewhere. Your actual protection stems not from all the mucking about, but from the fact that you created a one-off configuration and nobody can be bothered to crack it.
>the fact that you created a one-off configuration and nobody can be bothered to crack it.
Which would also completely embody the discredited idea of security through obscurity.
As there is going to be a vulnerability somewhere in your configuration, given the right motivation someone will eventually crack it. There is nothing which is completely secure, you just have to figure out a way to make the amount of time, money and work it would take to breach your configuration large enough to deter an aggressor.
Having done all that, of course, I'd run my target OS inside a VM which itself is inside a VM which itself etc to maybe a depth of 12.
Each VM (different implementations of course) is running separate virus detection / fire walls / etc, so only incoming data that passes all of one VM's sniff tests makes it to the next level.
For an infecting virus that is trying to reach my app in the target OS, the effect would be like running the gauntlet in a very-hard-to-win first-person shooter with no ability to save at crucial points.
With a 12-core processor, my nicely snuggled app would not even notice the latency in handling incoming data.
There is some research going on into assisted proof of software.
Essentially whenever you write a piece of code you need to prove that it works correctly. This proof will be checked by the compiler. (just like some compilers can already check for array boundaries, etc) The current research is about how to make a language which integrates code and proof in a good fashion so it's not too much overhead.
In the end you can for example prove that data marked "private" will never reach the network card driver. And that you will never overwrite your stack. Some people even go further and add types to the memory so your CPU can check for types. Those types can include features like "private" or "local" or whatever you want to.
This is of course a long term goal, but it's being worked on. And ideally you don't lose any/much speed.
... the ability to deinstall them, quickly, easily, completely, and cleanly.
Seriously, this crap comes preinstalled on many big-name Windows boxes, and getting rid of it takes most of a day -- it's quicker to wipe the drive and reinstall.
If more than one vendor exhibits this behavior, perhaps the issue is in the OS and not the app.
Not that the app maker should be excused mind you. I find this more annoying with Java than the two mentioned pieces. At least those will partially uninstall whereas Java on Windows is just completely buggered if something gets corrupted with the install.
"Taking bets on how long that will take to bite him in the ass. I reckon less than 6 months."
I bid 6 weeks, but I think that's generous, but when it's discovered is another matter
For the successful cracker (who keeps it secret) this is the perfect target.
The sense of smug complacency that will set in could allow them to establish the biggest botnet the internet has ever seen. OK that's a bit of hype but certainly quite large.
I've heard this "It's uncrackable" spiel a few times. A classic was the Sky digital TV encryption system.
The channel coding remains (AFAIK) unbroken with a 2048bit PKA key.
The cards were not. Giving free TV channels to those in the know.
is that if you get it really right ... you don't get to sell regular updates to the software.
I know of several different AV providers who went out of business for that reason back in the day. The technology was quietly bought up by Symantec and allegedly merged in with Nortons.
To be fair, the change to 64bit windows would have killed their product anyway without some significant rewrites, but it worked brilliantly for 7-8 years without an update.
Another thing is that the operating system itself may behave like a virus. It is in the nature of operating systems.
Unlike McAfee who seems to have "invented" heuristics after decades of use, that is the main reason why companies do crazy things like virtual machines, cloud based white listing, machines left open to internet on purpose etc.
Poor Intel wasted their billions.
In a world in which companies and even end users expect a common security suite which will work similarly on all their devices from a cheap Huawei to a top of the line i7 workstation, they ship software which will work fine only on Intel CPU.
If someone at Kaspersky or Sophos came up with such an idea, he would be fired.
Also, heuristics and behaviour analysis are old news in the real security scene. Signatures are only a first line of defense. It has been the same since IBM & F-Prot.
Signature-based malware identification has been around since the dawn of the computer security industry
Stiller's Integrity Master, a profile-based virus detector, existed before John McAfee sold a cheap and lazy media on Virusscan:
I love it! I have been a fan of integrity checking (IC) ever since my first big software conflict trashed small parts of a few files of the 2,000 + files on my disk in … 1986
(Sadly, that article is only on Google's cache now.)
Signature-based malware identification has been around since the dawn of the computer security industry
I am baffled how anything you posted is a refutation of the statement you quoted. In fact, your evidence appears to support it: if "the computer security industry" is defined as software companies selling security tools for PCs (a dubious definition, but we'll get to that in a moment), then the statement is clearly true, since signature-based identification in fact clearly predates that "industry", and thus "has been around since" (and indeed before) it began.
If we define "the computer security industry" in the rather more useful sense of organized work to improve security in IT, then Integrity Master and its predecessors would be a part of that "industry" (in the sense of "work", not necessarily "commercial product"), so they wouldn't be counterexamples to the statement either.
However, IM isn't relevant to the statement at all, because it's not a signature detection system. Signature detection systems scan data for sequences that may indicate malicious code. IM is a change detection system; it computes hashes of existing files (at least originally CRCs; the article doesn't indicate if it later used stronger hashes) to see if they match the hashes from the previous pass.
So a complete miss then. But really I can't see what you're all worked up about. Thomson isn't claiming McAfee (or anyone else) invented signature detection, just that it's been around for a long time.
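Added example, not part of the original comment thread: a small Python sketch of the two techniques the comment above distinguishes, run over the same constructed file set so the difference in what each one reports is visible. The file names, byte patterns and helper names are all hypothetical, and SHA-256 stands in for the CRCs the comment mentions.

```python
import hashlib

# Constructed signature database (name -> byte sequence); not real malware patterns.
SIGNATURES = {
    "Demo.PatternA": b"\xde\xad\xbe\xefDEMO-PATTERN-A",
    "Demo.PatternB": b"DEMO-PATTERN-B\x00\x01",
}


def signature_scan(files):
    """Signature detection: search file contents for known byte sequences."""
    hits = {}
    for name, data in files.items():
        found = sorted(sig for sig, pattern in SIGNATURES.items() if pattern in data)
        if found:
            hits[name] = found
    return hits


def take_baseline(files):
    """Record one hash per file, to be compared on the next pass."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_check(baseline, files):
    """Change detection: report files whose hash differs from the previous pass."""
    report = {"changed": [], "added": [], "removed": []}
    for name, data in files.items():
        if name not in baseline:
            report["added"].append(name)
        elif hashlib.sha256(data).hexdigest() != baseline[name]:
            report["changed"].append(name)
    report["removed"] = [name for name in baseline if name not in files]
    return {kind: sorted(names) for kind, names in report.items()}


def demo():
    # Constructed state at baseline time. tool.exe already carries a known pattern.
    first_pass = {
        "app.exe": b"MZ" + b"legitimate program bytes",
        "tool.exe": b"MZ" + SIGNATURES["Demo.PatternA"] + b"rest of file",
        "notes.txt": b"meeting at ten",
    }
    baseline = take_baseline(first_pass)

    # Constructed state at the next pass.
    second_pass = dict(first_pass)
    # app.exe gains bytes that match no signature in the database.
    second_pass["app.exe"] = first_pass["app.exe"] + b"\x90\x90appended-unknown-code"
    # new.dll is a new file carrying a known pattern.
    second_pass["new.dll"] = b"MZ" + SIGNATURES["Demo.PatternB"]

    return signature_scan(second_pass), integrity_check(baseline, second_pass)


if __name__ == "__main__":
    sig_hits, changes = demo()
    print("signature scan :", sig_hits)
    print("integrity check:", changes)
```

The signature scan reports `tool.exe` and `new.dll` but not the modified `app.exe`; the integrity check reports `app.exe` and `new.dll` but not `tool.exe`, which was already in that state when the baseline was taken.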
As the argument rages about this OS being safer than that OS with respect to nasties does anybody have any figures on how many viruses actually use windows as the directly attacked platform as opposed to using some third party program (Adobe & Java - looking at you) as the attack vector which then goes on to compromise the OS.
I suspect that 'modern' windows, say Versions 7 & 8, are actually very robust and the vast majority of the infections are due to third party applications.
I can see this as being a major flaw in 'phone and tablet OS'es where they request, and are inevitably given, permissions far in excess of those required for purely operational needs in the same manner as many windows programs have "needed" administrative permissions in the past and thus provided an easy foothold into the OS.
You're a douchebag ... deal with it !
Go flame some other forum.
The most epically failed statement ever:
100% of all viruses are for windows
... riiiiight ... I know of at least 3 for mac and I've read somewhere on here recently that some hackers are chucking together android viruses ...
And those are just in the top 2 results for some basic google searching ...
What a total tard!
Anyone else fancy confirming what a tool Eadon is ... upvote this comment!
As for McAfee ...
I generally hear good things about them, but me personally, I wipe my machine clean and restore from an image (network stored) every few weeks so I don't bother with AV.
I'm also very careful about where I download and run executable code from.
Have I ever had a virus?
yeh once ... when I used to use AV, and its solution was to destroy my OS install.
"We can catch things that no one else can in the industry."
Well that's certainly my experience - our PCs running McAfee catch things that users of other vendors don't seem to get. Whenever I submit a sample to virustotal.com McAfee consistently does not detect anything but 90% of the other vendors do.
Windows itself is the virus, and needs to be eliminated. It just keeps morphing every few years and changing a number (3.1, 95, 98, 98SE, Me, NT, 2000, XP, Vista, 7, and 8 to name a few) and re-infecting systems.
Of course, they need a platform to run on, and they chose the absolute worst processor (the X86 family) to do the job, also counting the viral effect.
(*SIGH*) One of these days.....
I do wish the moderators here would stop all this personalised bashing of individual posters that is being targeted against specific individuals who post here.
Seriously. If you don't like what he says, then prove him wrong. If you can't do that, then don't bother commenting about what he says. Your personal thoughts about him are irrelevant. All this ridiculous name calling just makes you all look like children.
"I do wish the moderators here would stop all this personalised bashing of individual posters"
The trouble with deleting comments that bash individuals is that it spirals into a "he started it!" nightmare. The general rule I like to see people follow is "play the ball, not the man". So if people stick to that then things work out.
You can try, but people who reject all evidence or utilize irrelevant technicalities to make themselves feel right will never change their mind. When you combine that with a strong desire to evangelize everywhere people will naturally get tired of constantly bringing forth the same evidence proving them wrong over and over again. Ignoring them doesn't really work because then they could possibly convince someone new that they are correct. Over time they will eventually piss someone off enough to respond to them with an attack of some kind and with the number of readers here there will always be someone new being pushed over the edge.
@Dave Dowell - imagine, if you will, a fly buzzing round your head. You try to shoo it away, but it keeps coming back. You can either keep trying to just brush it aside, or become increasingly more annoyed trying to swat it.
This is what has happened here.
You're absolutely right about trying to counter-argue posts you don't agree with - however, I can understand some posters getting frustrated when faced with a continual barrage of provocative posts that usually lack any form of evidence or back-up, especially when the poster in question (I think we all know who we mean here) refuses to acknowledge any counter-argument that does not fit in with his own philosophy and just continues to "buzz around our heads" - to use the earlier analogy.
It's why I think a "report complaint" facility - similar to "report abuse", but for more general use - would be a good idea.
a few rules to avoid the malware would be better than AV software that bungs up your system/network/entire internet
1. Phone chargers for all staff : stops them plugging their phones into those handy usb ports on the front of the PC
2. remove Java and flash from the browsers
3. Anyone caught with a USB stick is fired.
4. Anyone opening an e-mail attachment is set on fire.
And lastly for those really serious about stopping malware from seizing vital data
I've visited companies where to enter the campus, everyone sends their belongings through a metal detector, phones are checked to make sure cameras are taped over, sd cards or flash drives are banned, etc. etc. In the government sector too, there are some pretty extreme measures taken for security (e.g. supercomputers that are physically partitioned so that confidential simulations can't possibly be spied on by other code).
Generally though, I assume the powers that be look at the relative cost of preventing malware via draconian measures (quality of employee, worker happiness, inefficiency in working with clients who want to use e-mail attachments) and decide that it's much better to employ a handful of smart people to setup firewalls, IDSes, monitor developments in the security field, etc. and basically hope that the risk is reduced sufficiently.
Similar considerations apply to safety from muggers-- if you wanted to make sure you'd never get mugged, you could hole up in an underground bunker with 80 years worth of non-perishable food, cases of ammunition and high powered weapons, hopped up on methamphetamines monitoring your CCTV, and you'd have a pretty high confidence in your personal safety. On the other hand, it might not be a very happy existence.
Biting the hand that feeds IT © 1998–2019