Kaspersky Lab's Secret Sauce Uses 'Woodpeckers'
ronjor
December 20th, 2006, 10:09 AM
{QUOTE-> MOSCOW—Clickety, clack. Clickety, clack. The rhythmic sounds of fingers tapping away at keyboards are coming from Eugene Kaspersky's "woodpeckers," who make up a virus-hunting crew responsible for tracking computer threats in real time and who work around the clock to write and ship virus definition updates to millions of computer users. <-QUOTE}
Article (http://www.eweek.com/article2/0,1759,2074772,00.asp)
jlo
December 20th, 2006, 10:37 AM
Really good article. Thanks for posting it.
Cheers
Jlo
C.S.J
December 20th, 2006, 10:46 AM
{QUOTE-> Really good article. Thanks for posting it.
Cheers
Jlo <-QUOTE}
Interesting read,
nothing we didn't know already though,
but to me, the article sounded as though Kaspersky are worried, maybe they know something we don't.
dah145
December 20th, 2006, 10:47 AM
Thanks for the article :)
lucas1985
December 20th, 2006, 11:07 AM
{QUOTE-> but to me, the article sounded as though kaspersky are worried, maybe they know something we dont. <-QUOTE}
they are at the limit of their capacity. Tons of malware repacked and tweaked sent to the net each minute.
C.S.J
December 20th, 2006, 11:15 AM
{QUOTE-> they are at the limit of their capacity. Tons of malware repacked and tweaked sent to the net each minute. <-QUOTE}
True, true, but it's the same with every other company, so why sound sooo worried? Yes, it's a hard job, but it is for everyone else too.
lucas1985
December 20th, 2006, 11:21 AM
{QUOTE-> true true, but its the same with every other company, so why sound sooo worried, yes its a hard job, but it is for everyone else. <-QUOTE}
It's harder for the small companies. Symantec, for example, can make 100,000 signatures each day.
Don Pelotas
December 20th, 2006, 11:24 AM
{QUOTE-> they are at the limit of their capacity. Tons of malware repacked and tweaked sent to the net each minute. <-QUOTE}
They are certainly not nearer to the limit than any other vendor.
tobacco
December 20th, 2006, 11:25 AM
{QUOTE-> they are at the limit of their capacity. Tons of malware repacked and tweaked sent to the net each minute. <-QUOTE}
I agree totally here. They know that signature-based detection is reaching its limits. The only hope is to get 'heuristics' up high enough to ease the congestion and pressure. And even the very best 'heuristics' aren't even in the ballpark yet to achieve this. And while I can't say for certain, I could have sworn 4000 or so of my AV's sigs were deleted not long ago, to make room for new ones I guess.
Londonbeat
December 20th, 2006, 11:27 AM
{QUOTE-> And while I can't say for certain, I could have sworn 4000 or so of my AV's sigs were deleted not long ago, to make room for new ones I guess. <-QUOTE}
I think it's quite common for AVs to delete old single sigs and tidy up/replace them with a smaller number of generic signatures; you would still have the same detection if this is what's happened.
The Hammer
December 20th, 2006, 11:28 AM
{QUOTE-> It's harder for the small companies. Symantec, for example, can make 100,000 signatures each day. <-QUOTE}
That's where good heuristic detection can be an aid to smaller companies, without mentioning any names. ;)
Panther
December 20th, 2006, 11:29 AM
It's far from merely a load of extra signatures - it's the fact that the bad guys are well organized and paid by now, creating perfect new sorts of malware. For that reason Jevgeny Kaspersky is more than worried that all AV/ATs will be useless within a short period of time, meaning a few years from now.
Perfect rootkits are being developed, in use and more to come. No AV/AT (Kaspersky, NOD32, Symantec, you name them) can proactively handle those.
The future is preventive antirootkits - at least as a needed addition. Helios and GMER as well as RKU come to mind here.
IBK
December 20th, 2006, 11:31 AM
{QUOTE-> It's harder for the small companies. Symantec, for example, can make 100,000 signatures each day. <-QUOTE}
If they do it properly, the highest amount is probably 100 times smaller than the amount you posted.
Pinga
December 20th, 2006, 11:43 AM
{QUOTE-> nothing we didnt know already though <-QUOTE}
Nice to know somebody's speaking on our behalf. Or did I fail to detect the pluralis majestatis?
People seem to age rather quickly in the AV industry. Here are some intriguing before/after pictures:
http://www.avast.com/eng/interesting_pictures.html
lucas1985
December 20th, 2006, 11:47 AM
{QUOTE-> If they do it properly, the highest amount is probably 100 times smaller than the amount you posted. <-QUOTE}
I've extracted that info from here (http://www.securityelf.org/html/software_misuse/index.html)
{QUOTE->
That's where good heuristic detection can be an aid to smaller companies without mentioning any names
<-QUOTE}
Of course. This was discussed in the AV-Comparatives thread. Stefan Kurtzhals said that heuristics help to make better signatures (fewer FPs, more detection, etc.) without leaving you unprotected.
IBK
December 20th, 2006, 12:07 PM
I extracted the info from conversations with Symantec last summer when I did the test about signatures and release rates :P.
lucas1985
December 20th, 2006, 12:21 PM
Surely you're closer to the truth than me. I can't imagine the quality of 100,000 signatures released each day.
Don Pelotas
December 20th, 2006, 12:32 PM
{QUOTE-> I can't imagine the quality of 100,000 signatures released each day. <-QUOTE}
I can......;D
BlueZannetti
December 20th, 2006, 12:37 PM
{QUOTE-> I can......;D <-QUOTE}
But I guess we really don't want to go down that road... :)
Blue
steve1955
December 20th, 2006, 01:12 PM
If the outlook is as bad as some posters in this thread seem to think, don't you think it's time we scrapped PCs and went back to the abacus? That'd give the malware writers a real headache; think they would be pretty immune from attack (except by hammer!)
Don Pelotas
December 20th, 2006, 01:54 PM
{QUOTE-> but I guess we really don't want to go down that road... :)
Blue <-QUOTE}
No, not at all.:)
Don Pelotas
December 20th, 2006, 02:16 PM
{QUOTE-> If the outlook is as bad as some posters in this thread seem to think, don't you think it's time we scrapped PCs and went back to the abacus? That'd give the malware writers a real headache; think they would be pretty immune from attack (except by hammer!) <-QUOTE}
If it really was as bad as some doomsday worshippers say, then we would all already be infected with an undetectable rootkit and running an anti-virus which was knocked out by stealth malware capable of doing that................etc etc yada yada yada, every year it's the same.
Signatures will be around for quite some time yet, and contrary to what some think, heuristics will not save us; it is just one layer in our defenses. All AVs will merge into much more "all-in-one" type programs, and I do not mean just AV/FW/AS, but "all" will have to develop other proactive defenses. The approach will be different, but if you do not move forward you die................of course I could be wrong and I'm certainly not saying next year will be easier. ;) :)
Mele20
December 20th, 2006, 09:29 PM
{QUOTE-> Nice to know somebody's speaking on our behalf. Or did I fail to detect the pluralis majestatis?
People seem to age rather quickly in the AV industry. Here are some intriguing before/after pictures:
http://www.avast.com/eng/interesting_pictures.html <-QUOTE}
Those are hilarious! Especially the one of Vesselin Bontchev with his head on the guillotine. And that of Eugene Kaspersky with his yellow and red umbrella "hat" contraption...:D
I wish the pics were labeled better, as I was looking for a particular person but not knowing what he looks like...well...even when a pic said "Eset fellows", because there were several, I didn't know who was who.
halcyon
December 21st, 2006, 07:06 AM
{QUOTE-> All AVs will merge into much more "all-in-one" type programs, and I do not mean just AV/FW/AS, but "all" will have to develop other proactive defenses. The approach will be different, but if you do not move forward you die................of course I could be wrong and I'm certainly not saying next year will be easier. ;) :) <-QUOTE}
Agreed and this trend has already been taking place for the past 3-4 years. The discussion about "end of signatures" is even older than that. Even "end of heuristics" (particular to AV) is probably fairly old (I'm not up to date on that).
To add fuel to the flame:
If security is not a product, then what kind of security is an "add-on after the fact patch"?
As we well know, many a security software product is PATCHING issues deep down in the operating system itself.
It's like a theory which is being "fixed" on-the-fly ad hoc style.
The real issues lie deeper down:
Basic design and implementation flaws.
Errors in fundamental software engineering and testing practices.
And this is something that is very hard (or excruciatingly slow) to fix through patching. MS is acutely aware of this.
This is why I don't believe we will see any magical solutions with integration of AV/malware/FW/sandbox/whatever combos, as long as they are deployed on top of Windows XP/2003/Vista. At least as long as we are talking about combos that are still usable on an average machine (resources) and with the skills of an average user.
Once we start deploying security-engineered OSes that have been designed and engineered from the ground up to be secure, we may fare much better. At least for some time.
So I for one am seriously considering moving over to Mac OS X. Not because it's necessarily any more secure inherently, but because the absolute amount it's being targeted for security breaches is so much smaller than on Win32 platforms...
I'm just too old (and busy) to spend hours / week in forums/bulletin sites trying to keep my main working machine fairly tight and secure. The process has just become too time consuming on Windows (for me).
No amount of woodpeckers or Kasperskys (as much as I commend them for their efforts) is going to bring a quick fix to this situation.
BlueZannetti
December 21st, 2006, 09:27 AM
There's a lot of food for thought in the article and discussion.
{QUOTE-> Agreed and this trend has already been taking place for the past 3-4 years. The discussion about "end of signatures" is even older than that. Even "end of heuristics" (particular to AV) is probably fairly old (I'm not up to date on that). <-QUOTE}
In days gone past, there were far more good programs than bad and the appearance rate of the bad was low as well. In that situation, the use of signatures to identify the bad is sensible. The circumstance has been somewhat turned on its head these days, and that should drive a reassessment of the approaches pursued. Based on typical user expertise, some style of signature-based approach seems all but assured. However, whether it is a blacklist, whitelist, or combined approach is less clear.
{QUOTE-> To add fuel to the flame:
If security is not a product, then what kind of security is an "add-on after the fact patch"? <-QUOTE}
Security is not a product for the security aware; however, it is largely a product in the mass market. That product could be a security add-on or an alternate OS (which addresses only a part of the issue). Security products are not the end goal, but they do provide a working framework backed by expert advice which assists a user in implementing the process.
For some reason, metaphors are lambasted in discussions of computer security, but metaphors are useful. Fitness isn't a product either, and you don't need to purchase any products to achieve fitness. Yet, a simple reality is that many folks profitably purchase products to assist themselves in achieving their goal of physical fitness for a variety of reasons. That is the path that works for them, but like the dusty running shoes sitting in the closet, the same approach does not work for all and all approaches seem to fail for some since they don't embrace the product/approach/framework that they've selected. The product is not entirely the end goal, but it does provide a structured framework through which the necessary process (fitness or security) can be realized. However, as long as some style of signature recognition is a part of a security product, that very aspect of it is, in fact, "security" as a product.
{QUOTE-> As we well know, many a security software product is PATCHING issues deep down in the operating system itself.
It's like a theory which is being "fixed" on-the-fly ad hoc style. <-QUOTE}
This is not always a bad thing. New information, new insights, a recast theory. Patching can be due to either the fixing of newly uncovered problems or adjusting to a new operational reality.
{QUOTE-> The real issues lie deeper down:
Basic design and implementation flaws.
Errors in fundamental software engineering and testing practices. <-QUOTE}
While these points are true, let's not forget that many security holes are the unintended consequence of functionality and convenience being built into the OS. Many of the design steps taken to render a richer and more fluid user experience have unintended consequences and open a Pandora's box of possibilities if the programmer's intentions are malicious.
{QUOTE-> And this is something that is very hard (or excruciatingly slow) to fix through patching. MS is acutely aware of this.
This is why I don't believe we will see any magical solutions with integration of AV/malware/FW/sandbox/whatever combos, as long as they are deployed on top of Windows XP/2003/Vista. At least as long as we are talking about combos that are still usable on an average machine (resources) and with the skills of an average user. <-QUOTE}
Quite true, these solutions will not be a panacea, but for many they are the best first step to take.
{QUOTE-> Once we start deploying security-engineered OSes that have been designed and engineered from the ground up to be secure, we may fare much better. At least for some time. <-QUOTE}
Personally, I believe that will simply move the target of opportunity. Computers are now tools widely used for mass commerce. Wherever there is a source of cash or other assets, there will be people figuring out ways to grab it. The online world is no different than the physical world in this regard.
{QUOTE-> So I for one am seriously considering moving over to Mac OS X. Not because it's necessarily any more secure inherently, but because the absolute amount it's being targeted for security breaches is so much smaller than on Win32 platforms...
I'm just too old (and busy) to spend hours / week in forums/bulletin sites trying to keep my main working machine fairly tight and secure. The process has just become too time consuming on Windows (for me).
No amount of woodpeckers or Kasperskys (as much as I commend them for their efforts) is going to bring a quick fix to this situation. <-QUOTE}
It is in this context that it is useful to consider security as a product, or perhaps more correctly, a process significantly assisted by a product. Like many things in life, we contract with experts to perform certain services. I really don't see why computer security should be viewed as fundamentally any different. Find an expert you can trust, rely on the expertise that they have, make a periodic check that their credentials are current and performance remains acceptable to you, and embrace the framework they provide. I realize this is only a part of the solution, but it is a very big part of it in the current climate and it really doesn't require a constant level of attention.
Blue
DVD+R
December 22nd, 2006, 04:24 AM
Woodpeckers :blink: Now you need to leave wildlife outta this, those are some damn fine and protected birds :dry: