
View Full Version : Antivirus is DEAD!


farmerlee
February 10th, 2007, 06:37 AM
It's a bit old and may have been posted before, but I found it an interesting read.

http://securitywatch.eweek.com/virus_and_spyware/antivirus_is_dead_dead_dead.html

lodore
February 10th, 2007, 09:33 AM
That's why antivirus companies are getting stuff like good heuristics, like NOD32 and AntiVir,
and proactive modules like Kaspersky 6.0.
lodore

TonyW
February 10th, 2007, 10:03 AM
They still have to update the heuristics though.

Perman
February 10th, 2007, 10:17 AM
Hi, folks: An interesting article, indeed. It reveals the worst-kept confession in the security community. He states "the enterprises invest and deploy AV more out of a sense of FEAR than because they believe it is offering VALUE." It is obviously a gray area between an extortion and a protection, IMO. Oh man, what kind of world has it become? >:(

EASTER.2010
February 10th, 2007, 04:13 PM
-{ Quote: "and proactive modules like kaspersky 6.0" }- :thumb:

Makes you wonder why they waited this long for such a new approach, which is infinitely better than what we've had to rely on for years before.

HIPS and other behavioral program developers have certainly taken the initiative to push this innovation into a head-on clash with AVs, which is why AVs are scrambling to integrate those better features into their own systems now.

lodore
February 10th, 2007, 04:36 PM
Also, behavior blockers use fewer resources as well.
lodore

RejZoR
February 11th, 2007, 02:21 AM
-{ Quote: "They still have to update the heuristics though." }-

And they still have to update malware. So why should security vendors be restricted to non-updatable software, while the bad guys can update everything 48 times a day if they want?

ronjor
June 8th, 2007, 05:01 PM
The Slow Death of AV Technology

-{ Quote: "AV technology is gradually dying and being replaced by far more effective IT security technology based on whitelisting. You could view this as an inevitable development, given the horrible inadequacies of AV technology, or you might want to pin the credit on the AVID (AntiVirus Is Dead) campaign which has repeatedly drawn attention to the inadequacy of AV technology and championed whitelisting technology that actually works. Actually it doesn't matter much either way. It's happening." }-Article (http://www.it-analysis.com/blogs/Robin_Bloor/2007/6/the_slow_death_of_av_technology.html)

ErikAlbert
June 8th, 2007, 05:13 PM
Voila, I was right from the beginning and my security is based on that.

Mrkvonic
June 8th, 2007, 05:14 PM
Hello,
Anti-virus is going to live as long as people think of anything bad that happens on a PC as virus. It took 15 years to make a 70% transition from VCR to DVD, it will take at least 20 for software. We need a whole new generation to be born into a world before this will happen.
Mrk

C.S.J
June 8th, 2007, 05:47 PM
-{ Quote: "That's why antivirus companies are getting stuff like good heuristics, like NOD32 and AntiVir,
and proactive modules like Kaspersky 6.0.
lodore" }-
Apparently, Dr.Web v5 brings in a technology 'similar' to the PDM, but apparently different and better, so they say. :)

I await the beta...

IBK
June 8th, 2007, 06:31 PM
http://blogs.authentium.com/virusblog/?p=176

Franklin
June 8th, 2007, 06:33 PM
The AV died here quite a while ago, even before the zero-day attack of Jan 2006 where 200 variants wreaked havoc on many PCs with not a single AV protecting completely.

Was using Sandboxie then and still using it now and have added Powershadow and Virtual PC recently.

Still want something to warn me if any malware is attempting to run though.

Tossing up between DSA, SSM and Cyberhawk which I have running in their own VMs with Sandboxie the only other security app.

All are quite good.

C.S.J
June 8th, 2007, 06:36 PM
I'm still a firm believer in 'an antivirus only...'

However, if you really feel the need for something else, just use a HIPS if it bothers you this much.

Anything else... is just getting paranoid.

duke1959
June 8th, 2007, 06:50 PM
I wonder where this leaves Avast? It has the Web Shield, and Generic Detection I believe, but no heuristics yet. Do they have enough money to stay alive? AVG, with its so-so heuristics, I believe does have the money to stay alive, and yet from what I read in this forum probably isn't as good as Avast would be at preventing some unknown virus, which is what I think we're really talking about here.

C.S.J
June 8th, 2007, 06:59 PM
Actually, Avast scored an ADVANCED level in the latest proactive test, with 26% and low false alarms.

AVG didn't even score the STANDARD rating.

It is AVG that needs to work on this, and not Avast.

I still prefer AVG Anti-Malware over Avast, but Avast definitely has the best free version for sure.

Franklin
June 8th, 2007, 07:00 PM
-{ Quote: "However, if you really feel the need for something else, just use a HIPS if it bothers you this much." }-
The only thing that bothers me is boredom.

Things are just too quiet here.

Want something to show that some nasty is trying to run in the sandbox so I can laugh at it.:)

C.S.J
June 8th, 2007, 07:01 PM
Yeah, I totally understand boredom.

Sometimes, even though I'm an 'antivirus only user', if bored... I will try a HIPS and put it to its test *lol*

Only to revert back to just my Dr.Web; it's a cycle that continues to go on... with such betas that are available as well.

JerryM
June 8th, 2007, 07:02 PM
I am a slow learner but I won't worry until the sky falls on me.

I am satisfied to keep a good AV plus a few other anti-malware applications. I tend to reduce the number as time goes by, but not the AV.

Jerry

larryb52
June 8th, 2007, 07:10 PM
You're as safe as where you surf; I don't care what you run or don't run...

TOMxEU
June 9th, 2007, 03:18 AM
AV is dead for less than 1% of people, like those who visit Wilders, but the rest need it.
Like my mom: I cannot imagine that she would have to run a HIPS instead of an AV. :D

Rasheed187
June 9th, 2007, 11:43 AM
But this tech is geared to the enterprise; I wonder when we will get to see it in consumer-based products. I also wonder how this whitelisting tech exactly works? Will everyone have to buy a certification or something, and if software is not certified it's not allowed to run?

WSFuser
June 9th, 2007, 12:03 PM
AV isn't dead to me and I won't be saying goodbye for some time...

Perman
June 9th, 2007, 12:19 PM
Hi, folks: I constantly think this: if Prevx2, as effective as it is now, can infuse more HIPS and behaviour-blocking functions into its amazing concept (making most decisions for users) and then couple that with its already massive signature database, it can make traditional AV cease and desist before our naked eyes.
IMO, the average Joe/Jane comprises more than 70% of the entire PC user population, and these people (including myself) do not wish to fiddle w/ constant prompts asking permission. Someone else, like Prevx2's central command, would step in and wear this shoe for them. Bingo, it just hits the very target -- everyone's pocket. Hope this day will come very soon.

Inspector Clouseau
June 10th, 2007, 05:23 AM
http://weblog.vircop.org/?p=25

solcroft
June 10th, 2007, 05:56 AM
-{ Quote: "http://weblog.vircop.org/?p=25" }-
Interestingly enough, this seems to be the approach Comodo is trying to take, though they apparently restrict themselves to executables, libraries and drivers, without taking into account documents like you mentioned.

Perhaps a Comodo representative could comment on this, if there are any around? ;D

plantextract
June 10th, 2007, 06:35 AM
Interesting, IC. Also, it seems that Opera doesn't like your blog; it's displayed wrong. :)

flinchlock
June 10th, 2007, 06:51 AM
-{ Quote: "http://weblog.vircop.org/?p=25" }-Great article!

-{ Quote: "Whitelisting is probably a nice feature for ADVANCED computer users, but it will confuse the normal, ordinary home user FOR SURE." }-A poster with at least 5,859 posts who says he does not know anything about good/bad objects has now been graduated to an ADVANCED computer user! ;)

-{ Quote: "Get real and don’t hype things you don’t even understand. It can be a nice addition to AV Software yes, but it is utter ******** that it will replace AV.

Last question is: How will you manage exploits? For example in JPG files? Whitelisting every jpg picture?!" }-
Mike

BlueZannetti
June 10th, 2007, 07:02 AM
It is useful to bear in mind that any proclamation of the death of Technology X is typically no more than the birth announcement of Technology Y. At birth, we all have almost limitless potential, then reality starts to rear its ugly head.

At times, a reality-adjusted Y is sufficiently attractive to supplant X, but you really can't assess that until Y is out there in the real world facing actual field-use complexities. This situation is no different.

Blue

Inspector Clouseau
June 10th, 2007, 07:51 AM
At DSLR my post simply got deleted. "deleted by moderator". Nice to know that they don't care about my opinion. Time to cancel my DSLR membership.

flinchlock
June 10th, 2007, 08:23 AM
-{ Quote: "At DSLR my post simply got deleted. "deleted by moderator". Nice to know that they don't care about my opinion. Time to cancel my DSLR membership." }-Yikes, I am sure all us paranoid posters here at Wilder's care very much about your opinion!

Of course, thank the god of your choice for the super moderators here when things get a little out of hand. :o (I sure wish they had a kiss-axx smiley)

Mike

Franklin
June 10th, 2007, 08:37 AM
-{ Quote: "Have you thought about the fact that actually Millions of people creating DAILY millions of" }-
So in effect one person is creating a couple of documents daily. "Millions" adds more hype.
-{ Quote: "Get real and don't hype things you don't even understand. It can be a nice addition to AV Software yes, but it is utter ******** that it will replace AV." }-
Sandboxing/virtualisation has replaced an AV here!

RejZoR
June 10th, 2007, 08:48 AM
Sandboxing doesn't really fix much. Even though your Firefox is running in a separate space, it can still screw up your entire bookmarks base (for me, this would be a major catastrophe), so you still need backups everywhere.
So in the end you haven't done much...

flinchlock
June 10th, 2007, 08:53 AM
-{ Quote: "...it can still screw up your entire bookmarks base..." }-PoC? (Proof of Concept)

Mike

Inspector Clouseau
June 10th, 2007, 09:01 AM
-{ Quote: "So in effect one person is creating a couple of documents daily. "Millions" adds more hype." }-

Nope, it doesn't. Guess how many people work worldwide in an office writing documents/sheets? Did you know that even *OPENING* a Word document makes changes without anything having been typed in? In case you didn't, you know now.

You cannot expect normal, ordinary users (that's who we are speaking about) to work in a virtual environment. That simply doesn't work! Half of them don't even know what it means, and even if they did they would not understand how to use it in a proper way without losing all the data they really need.

And we are speaking about "stupid" whitelisting and not about virtual machines.

Inspector Clouseau
June 10th, 2007, 09:04 AM
-{ Quote: "Sandboxing/Virtualisation has replaced an AV here!" }-

Good to know! I tried that with my wife too, since I got sick of cleaning her machine every week. Guess what? She refuses now to use that machine and jumps for my laptop!

solcroft
June 10th, 2007, 09:06 AM
-{ Quote: "Nope, it doesn't. Guess how many people work worldwide in an office writing documents/sheets? Did you know that even *OPENING* a Word document makes changes without anything having been typed in? In case you didn't, you know now.

You cannot expect normal, ordinary users (that's who we are speaking about) to work in a virtual environment. That simply doesn't work! Half of them don't even know what it means, and even if they did they would not understand how to use it in a proper way without losing all the data they really need.

And we are speaking about "stupid" whitelisting and not about virtual machines." }-
Stupid question alert.

If it's about Office documents, wouldn't simply whitelisting the macros be enough?

flinchlock
June 10th, 2007, 09:07 AM
-{ Quote: "Good to know! I tried that with my wife too, since I got sick of cleaning her machine every week. Guess what? She refuses now to use that machine and jumps for my laptop!" }-Any way to sneak PowerShadow as the default boot on her machine and your laptop so she does not see the difference? ;D

Mike

Inspector Clouseau
June 10th, 2007, 09:07 AM
-{ Quote: "Stupid question alert.

If it's about Office documents, wouldn't simply whitelisting the macros be enough?" }-

Macros yes, but how about exploits? ;) Besides, most of the (real) office documents contain macros, even if it's only to automate office contact data and the like.

Inspector Clouseau
June 10th, 2007, 09:14 AM
Folks, you should keep in mind that not everyone is willing to learn additional things. For most users the computer is just daily work equipment!
That they use the internet for searching something doesn't mean that they spend hours improving their computer software setup and learning how to use it!
Just walk out on the street and ask a few women how many can fix an engine problem in their cars. You know the answer when they ask "What's an engine?"
Still they are driving cars. You don't need to be a mechanic to do so. You have the god-given right (I mean the "other god" ;) ) to use something without being an expert or even without having to learn more things than really needed. Because if it were the case that everyone knew exactly what's going on, we wouldn't even need a virtual system! Or AV software or a firewall, you name it.

solcroft
June 10th, 2007, 09:14 AM
-{ Quote: "Macros yes, but how about exploits? ;) Besides, most of the (real) office documents contain macros, even if it's only to automate office contact data and the like." }-
Exploits wouldn't require whitelisting, I think. Their end aim is to download and execute code, and whitelisting works against that very well.

Or am I missing something here?

Inspector Clouseau
June 10th, 2007, 09:17 AM
-{ Quote: "Exploits wouldn't require whitelisting, I think. Their end aim is to download and execute code, and whitelisting works against that very well.

Or am I missing something here?" }-

Yes you do. Because in that way you would have to whitelist *EVERY* document, regardless of whether it contains macros or not! Remember: with whitelisting you do the opposite of what AV does: you have to state that a document is CLEAN. You can only do that if you KNOW the document and SAW it. AV states that something is infected BECAUSE WE SAW the virus and we KNOW it's in there.

solcroft
June 10th, 2007, 09:21 AM
-{ Quote: "Yes you do. Because in that way you would have to whitelist *EVERY* document, regardless of whether it contains macros or not! Remember: with whitelisting you do the opposite of what AV does: you have to state that a document is CLEAN. You can only do that if you KNOW the document and SAW it. AV states that something is infected BECAUSE WE SAW the virus and we KNOW it's in there." }-
Another silly question.

Why would we need to whitelist macro-less documents? Is there some kind of hostile exploit in Office that does bad stuff even without macros? Obviously if something is going to do no harm, you leave it alone (plaintext documents come to mind...).

I've been an OpenOffice user for almost 2 years, so I'm pretty out of touch with MS Office.

Franklin
June 10th, 2007, 09:27 AM
-{ Quote: "Good to know! I tried that with my wife too, since I got sick of cleaning her machine every week. Guess what? She refuses now to use that machine and jumps for my laptop!" }-
Sandboxie and PS are on my three daughters' computers and yep, not a single infection in months. They did ring every now and then for some instructions at first.

The odd online AV scan confirms.

They love those apps and say they are the best. And guess what, I agree with them. ;)

Inspector Clouseau
June 10th, 2007, 09:28 AM
-{ Quote: "Another silly question.

Why would we need to whitelist macro-less documents? Is there some kind of hostile exploit in Office that does bad stuff even without macros? Obviously if something is going to do no harm, you leave it alone (plaintext documents come to mind...).

I've been an OpenOffice user for almost 2 years, so I'm pretty out of touch with MS Office." }-

We can also continue with JPG pictures if you like.... Please tell me how the hell you will detect, for example, "jpg" exploits with only whitelisting? Or... maybe in 2 years a jpg2009 exploit? You have the following options:

Option 1: ALL JPG PICTURES (of course including porn pictures - i can imagine that would be a nice job profile, something like "Reverse Engineer Porn Pictures") would have to be whitelisted.

Option 2: You add something that detects the exploit itself - THEN YOU ARE ALREADY AN AV-"SOLUTION"! Since you're looking for "bad" code (blacklisted)

solcroft
June 10th, 2007, 09:34 AM
-{ Quote: "We can also continue with JPG pictures if you like.... Please tell me how the hell you will detect, for example, "jpg" exploits with only whitelisting? Or... maybe in 2 years a jpg2009 exploit? You have the following options:

Option 1: ALL JPG PICTURES (of course including porn pictures - i can imagine that would be a nice job profile, something like "Reverse Engineer Porn Pictures") would have to be whitelisted.

Option 2: You add something that detects the exploit itself - THEN YOU ARE ALREADY AN AV-"SOLUTION"! Since you're looking for "bad" code (blacklisted)" }-
Well...

The way I see it, you leave the jpgs alone, ignore them entirely, and focus on whacking dead whatever the jpgs try to download. Because in the end it's not the jpgs that are going to do anything bad to your system, it's what they download that will.

Where a blacklist scanner is concerned, obviously the better strategy is to try to kill the jpg. For whitelists I think the opposite applies.

Inspector Clouseau
June 10th, 2007, 09:39 AM
-{ Quote: "Because in the end it's not the jpgs that are going to do anything bad to your system, it's what they download that will.
" }-

Do you actually know what an exploit is? Seems not. You can basically do *EVERY*thing, and not only download and execute files! For instance, just crashing the system by previewing a picture. Would you call that "nice"? At least I don't. Because you can lose all your work in the background.

solcroft
June 10th, 2007, 09:42 AM
I see. Thanks for the explanation.

Inspector Clouseau
June 10th, 2007, 09:48 AM
To give an overview of the problems with only whitelisting:

* Much more stuff to whitelist than to blacklist (Remember: the problem for the AV is the workload! How will they manage to whitelist even much more?!)

* The problem with "these files we can ignore": You always have to expect that a specific file format gets exploitable! What will you do then? Start whitelisting when you have a problem?! Then you notice you'll have to whitelist millions of things?! (for instance pictures...) As an AV you just have to make sure that you scan this file format and that you detect this maybe ONLY ONE(!) exploit. That takes maybe 1 day and then you protect successfully against this exploit. Guess how long it will take to whitelist everything before you can tell that something doesn't contain the exploit? Years?

* The "already whitelisted" problem: When a problem occurs later that applies to already whitelisted things, then what?! As an AV we just add a detection and we don't care about "older versions of types" because we simply detect it then in it. As a whitelist you would have to verify again the whole archive, searching for this "problem" (an exploit comes to mind). I don't think users will be very happy with the response times...

Conclusion: As I said before, it is a nice "addition" to existing AV software. But it NEVER EVER solves all problems without AV in a real-world environment. (What you tell your investors as a whitelist company is however another story...)

WSFuser
June 10th, 2007, 09:55 AM
-{ Quote: "http://weblog.vircop.org/?p=25" }-
Thanks for the reading material. Quite informative.

Mrkvonic
June 10th, 2007, 10:16 AM
Hello,

Two entire generations of people have been educated to work by default-allow. And switching to default-deny will be almost impossible. Because people are lazy and inert.

Whitelisting in software is not needed if you have whitelisting in your head. But that's the same as default deny education.

Inspector, I think people should have to pass a test to use computers. Just like cars. They don't know anything about engines, but they still must pass a theoretical and practical driving tests / exams...

Mrk

Inspector Clouseau
June 10th, 2007, 10:26 AM
-{ Quote: "Inspector, I think people should have to pass a test to use computers. Just like cars." }-

That is indeed not a bad idea. HOWEVER. Without cheating my wife wouldn't pass this test. (And NO, she is NOT stupid. She simply doesn't care and doesn't see any need to learn something with computers! Believe me, I've been trying that for years!) And I do need her email, because otherwise how should I know during work what dinner awaits me? :o

Mrkvonic
June 10th, 2007, 10:29 AM
Just don't let her see your Wilders posts ... because you might end up with no dinner, or thallium-flavored roast pork cutlets.
Mrk

Inspector Clouseau
June 10th, 2007, 10:34 AM
-{ Quote: "Just don't let her see your Wilders posts ... because you might end up with no dinner, or thallium-flavored roast pork cutlets.
Mrk" }-

In case she does: I LOVE YOU ;D
But seriously, that is exactly the problem. She can use a browser, an email client and some Yahoo chat. And that is, according to her own words, all she wants. And I do accept this. And I don't blame her for not knowing what a registry key is. And I think exactly this "profile" applies to MANY MANY other people, not only to my wife.

flinchlock
June 10th, 2007, 10:37 AM
-{ Quote: "And I think exactly this "profile" applies to MANY MANY other people, not only to my wife." }-YES, being the IT support person for a spouse is like trying to walk a tightrope over the Grand Canyon! :wacko:

Mike

Mrkvonic
June 10th, 2007, 10:42 AM
Hello,

The thing is: she does not need Windows then!

Computers today are made for a WHOLE range of things. And such, they require good knowledge to utilize effectively.

Just like you have cars that transport people, you have cars that transport heavy machines, cars that collect garbage etc.

Computers should also have categories:

- For newbs (running the basic of basic Linuxes)
- For moderate users (running some nice Linux or Mac)
- For advanced users (running Linux)

Joking aside, most computers, especially Windowsy ones, are made capable of everything. Which is exactly what most people do NOT need.

Why have ftp and telnet on a standard Windows machine? Most people do not use these. Why have command line? And so on.

In particular, Windows is made open to be as compatible as possible, but this is the real problem - not everyone needs or should need or be able to use all of the options, since they require skill and knowledge.

If computers had categories, you would not need anti-virus.

Imagine a machine that has no downloads available, only a tiny browser for games and a tiny browser-based email. Simple.

BUT ... if people are using fully capable tools, they should be fully capable too. That's why Windows users must know what the registry is, because they can find it and tamper with it.

In cars, you are limited. You need tools to cause damage to your engine. You need quite a bit of effort to do stuff. And because it is expensive and can also be dangerous for users, they do not do it.

Computers, no physical pain, no physical effort, quite cheap, so they afford to mess around.

Imagine you get ticket for getting infected with virus, just like running red light? Not so many people would be so quick-handed on the double click, eh?

I can go on and on, but I have a basketball game to go to.

So ... The main idea is there, not phrased as well as I wanted, but I'm in a kind of a hurry ...

Cheers,
Mrk

flinchlock
June 10th, 2007, 10:47 AM
-{ Quote: "Why have command line?" }-Now you have done it, you sure do .iss me off! ::) ;D ;) :) :D :-*

Click on my "DOS user" link in my signature. ;)

Mike

Rmus
June 10th, 2007, 11:01 AM
-{ Quote: "http://weblog.vircop.org/?p=25

Whitelisting is probably a nice feature for ADVANCED computer users,
but it will confuse the normal, ordinary home user FOR SURE." }-The term WhiteListing has become a term that has lost its meaning without referring to specific situations.
Blanket statements such as the above are misleading to the uninformed.

For nothing could be further from the truth.

In its most basic application, White Listing is denying by default the execution of malicious code.
The initial setting up of a White List solution assumes a clean system. I have successfully used
such a solution on my own system and other home users' systems for many years.
It's essentially a Set-and-Forget solution.

Taking your examples:

-{ Quote: "Guess how many people work worldwide in an office writing documents/sheets?" }-
[screenshot attachment 190713]

[screenshot attachment 190714]
Many of my academic colleagues -- dealing weekly with dozens of other users' Office documents -- effectively protect
against the above type of exploit with a White List solution.
Students at college with a White List solution on their laptop are protected against this type of exploit.

-{ Quote: "We can also continue with JPG Pictures if you like....
Please tell me how the hell you will detect for example "jpg" exploits with only whitelisting? " }-Someone may receive a photograph by email:

[screenshot attachment 190715]

[screenshot attachment 190716]

The effectiveness of such a solution becomes apparent in Zero-day attacks,
the .wmf exploit from 2005 being one of the most notorious and sensational:

[screenshot attachment 190720]

http://www.urs2.net/rsj/computing/imgs/scan_wmf.gif


Many users employ White List solutions exclusively. Many combine with an AV.
There is no single setup that works for everyone.

The important thing is for the user to develop a Strategy which takes into account her/his specific needs
and situations.

To completely dismiss any solution out of hand doesn't serve any purpose.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier

Inspector Clouseau
June 10th, 2007, 11:52 AM
We are speaking about whitelisting ONLY and the claim that "Antivirus is dead". Nothing more, nothing less. So your whole post above is obsolete. Because there is no question if whitelisting makes "sense". The question was if this ALONE can replace antivirus.

Edit: Just to add one more thing: What do you want to prove with your first screenshot? Netsky.Q is a BINARY executable malware. The fact that you rename it to .DOC doesn't prove that your application blocks Word documents. Or who did you try to fool with this? Not me ;-) Same for the 2nd screenshot. Renaming files has ABSOLUTELY nothing to do with that!

bontchev
June 10th, 2007, 12:19 PM
-{ Quote: "The term WhiteListing has become a term that has lost its meaning without referring to specific situations.
Blanket statements such as the above are misleading to the uninformed.

For nothing could be further from the truth." }-
I think you have misunderstood what Mike was trying to say in his blog. You see, there have been people predicting that at some point of time the malicious programs will become so numerous, that it will be easier to scan for known good programs instead of for known malicious ones - simply because the latter would be fewer.

However, at the AV testing workshop in Iceland, there was a presentation from some guy from Bit9. This company tries to build a database of all known good software. They noted that just sources like Microsoft, SourceForge and Netscape produce something like a quarter of a million new legitimate executables every day each. Just the hash table used to access Bit9's database is currently 100 GB and keeps increasing.

In other words, there is no hope scanning for that.

-{ Quote: "In its most basic application, White Listing is denying by default the execution of malicious code." }-
Mike's point is that it's too difficult to determine what exactly is malicious and what is not, so that you know whether to deny its execution or not.

-{ Quote: "The initial setting up of a White List solution assumes a clean system." }-
In my experience, most users resort to an AV product after they suspect that their system is already infected.8)

-{ Quote: "Many of my academic colleagues -- dealing weekly with dozens of other users' Office documents -- effectively protect
against the above type of exploit with a White List solution." }-
Either I don't understand what exactly you are doing, or you are deeply mistaken. The possible alternatives I see are the following:

1. You deny access to unknown documents. This would work, but it would make the system unusable.
2. You deny access to EXE files that have the DOC extension. This, of course, won't protect against real documents that contain an exploit.
3. You deny access to the executable that is usually dropped and executed by the exploit. This is fine, but some exploits might not drop anything and execute the malicious action in memory only.

-{ Quote: "Someone may receive a photograph by email:" }-
This is the second alternative - it's actually an EXE file with a JPG extension. The example doesn't demonstrate that your system would protect from a real JPG file containing an unknown exploit.

-{ Quote: "The effectiveness of such a solution becomes apparent in Zero-day attacks,
the .wmf exploit from 2005 being one of the most notorious and sensational:" }-
This is the third alternative - you deny the execution of the dropped executable but not of the shellcode in the exploit.

-{ Quote: "To completely dismiss any solution out of hand doesn't serve any purpose." }-
I don't think that this is what Mike was trying to do, although he was perhaps a bit sensationalistic in his message. :dry: I'm sure that there are advanced solutions that work reasonably well for some experienced users; integrity checking is one of them (whitelisting is a kind of integrity checking). However, the majority of users are far from competent enough to use such solutions.

That is why we're making scanners, folks - because this is what sells. Many companies have tried to market better solutions in the past - including ones based on integrity checking. For instance, Dr. Fred Cohen had a product he was calling "integrity shell" (essentially an on-access integrity checker), there was a product called Integrity Master, and many others. They all have failed. Without an insignificantly small number of exceptions, people simply don't buy them.

Regards,
Vesselin
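An added example, not taken from the thread or from any product it mentions, to make the distinction between alternatives 2 and 3 above concrete: a hash-based default-deny execution check that classifies content by its leading magic bytes rather than its extension, so a renamed executable is denied whatever it is called, while a genuine document or picture is simply outside what an execution whitelist covers. The magic-byte signatures are the well-known ones for those formats; the sample files, the `KNOWN_GOOD` set and every function name are constructed for this illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Well-known leading magic bytes for the file types argued over in the thread.
# Checked in order; the first match wins.
MAGIC = (
    (b"MZ", "exe"),                                   # DOS/PE executable header
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy .doc/.xls compound file
    (b"\xff\xd8\xff", "jpeg"),                        # JPEG start-of-image marker
    (b"\xd7\xcd\xc6\x9a", "wmf"),                     # placeable Windows metafile
)


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    decision: str   # "allow", "deny" or "not-covered"
    reason: str


def execution_whitelist(filename: str, data: bytes, allowed: set[str]) -> Verdict:
    """Default-deny execution policy: an executable runs only if its hash is known good.

    Anything that is not an executable image is never handed to the OS loader, so an
    execution whitelist has nothing to say about it, exploit or no exploit. That is the
    gap behind alternative 2 above; alternative 3 only catches what the exploit drops.
    """
    kind = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "exe":
        if sha256_hex(data) in allowed:
            return Verdict("allow", "executable hash is on the whitelist")
        masked = ext not in ("exe", "dll", "sys", "scr", "com")
        return Verdict("deny", "unknown executable" + (f" disguised as .{ext}" if masked else ""))
    return Verdict("not-covered", f"{kind} content is data, not code, to an execution whitelist")


# Constructed sample inputs (not real files): a minimal fake PE stub, a fake OLE2
# document and a fake JPEG.  None of them is a working program or a real exploit.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

KNOWN_GOOD = {sha256_hex(FAKE_EXE)}   # the one executable we have vetted


def demo() -> dict[str, str]:
    """Run the four cases the thread argues about and map filename -> decision."""
    cases = {
        "installer.exe": FAKE_EXE,      # vetted binary, hash on the list
        "photo.jpg": FAKE_EXE[:-1],     # executable renamed to look like a picture; hash differs
        "report.doc": FAKE_DOC,         # real document: macros or an exploit in it are not addressed
        "holiday.jpg": FAKE_JPG,        # real picture: an exploit in it is not addressed either
    }
    return {name: execution_whitelist(name, data, KNOWN_GOOD).decision for name, data in cases.items()}


if __name__ == "__main__":
    for name, data in [("installer.exe", FAKE_EXE), ("photo.jpg", FAKE_EXE[:-1]),
                       ("report.doc", FAKE_DOC), ("holiday.jpg", FAKE_JPG)]:
        v = execution_whitelist(name, data, KNOWN_GOOD)
        print(f"{name:14} {v.decision:12} {v.reason}")
```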

TonyW
June 10th, 2007, 12:51 PM
-{ Quote: "Sandboxing/Virtualisation has replaced an AV here!" }-The average Joe doesn't know anything about sandboxing or virtualisation. The point of IC's article is mainly aimed at that core of computer users. The best they can be protected is with some form of AV protection and a good dose of educating about safe computing practices.

solcroft
June 10th, 2007, 12:55 PM
What about other non-signature-based approaches, such as virtualization and behavior blocking?

I think products like SandboxIE, Cyberhawk and Micropoint have been an excellent example of how these "new-generation" technologies can be effectively put to use even by the most technically uninclined, so to speak. Do security vendors think it's a greater benefit to continue playing the catchup race against malware writers, or to invest in and educate users about these new technologies?

An additional point: Why is it the popular consensus that the public CANNOT use sandboxing/behavior blocking with any degree of success? Have there ever been any scientific studies carried out? Why do people continue to tout the blacklist scanner as THE solution for the average Joe, when it appears that average Joes continue to get infected anyway while using this very solution?

Inspector Clouseau
June 10th, 2007, 12:56 PM
-{ Quote: "The average Joe doesn't know anything about sandboxing or virtualisation. The point of IC's article is mainly aimed at that core of computer users. The best they can be protected is with some form of AV protection and a good dose of educating about safe computing practices." }-


AMEN.

Inspector Clouseau
June 10th, 2007, 01:01 PM
-{ Quote: "What about other non-signature-based approaches, such as virtualization and behavior blocking?

I think products like SandboxIE, Cyberhawk and Micropoint have been an excellent example of how these "new-generation" technologies can be effectively put to use even by the most technically uninclined, so to speak. Do security vendors think it's a greater benefit to continue playing the catchup race against malware writers, or to invest in and educate users about these new technologies?" }-

Once again: A user wants to know if something is bad. He wants to know that FOR SURE. And that is very difficult (if even possible) to provide with such solutions. Not everyone knows what the hooking of specific API calls means, or what a "hidden" file means etc. They want something that tells you straight away "That's bad, it has a name and is called trojan.whatever and I do delete it now for you". They don't want to research themselves, based on some "strange" report, whether something is now really malware or not. Before they do that they let pass *everything* including malware.

solcroft
June 10th, 2007, 01:06 PM
Unfortunately, it is also a common situation that the blacklist scanner does not so much as squeak, and lets the malware execute unchallenged.

Perhaps the desire of users for their systems to remain safe can overcome their desire to have a dumb software package (try to, with varying degrees of success) do everything for them. What say you?

TonyW
June 10th, 2007, 01:08 PM
-{ Quote: "Do security vendors think it's a greater benefit to continue playing the catchup race against malware writers, or to invest in and educate users about these new technologies?" }-The frequency of delivering signatures has increased over the years. At one time signatures were received monthly, then weekly, and now daily in most cases. Some even deliver hourly now. I guess it depends if the AV company in question has the infrastructure, workforce and finances secured to allow for such rapid releases of virus definitions.

Inspector Clouseau
June 10th, 2007, 01:09 PM
And for all those who still don't understand what I mean:

If you can read that here (or if you even replied here!) you're not an average computer user! 50% of average computer users don't even know what a forum is! They never visited one! You have to see this worldwide and not only based on your neighbors or people here in this forum! If you visit a security forum that shows that you CARE about your computer. Now please forgive me, but that is already where the problem starts: It even takes *TODAY* a drama to explain to some people why they should use at least an antivirus program! Let alone Virtual Systems or Behavior-Blockers. Congrats to all who are using them, but as I said you cannot force people to use it - no matter how big your marketing budget is. If it's too complicated (remember: it doesn't count if *YOU* think it's not) they simply don't want to use it. (See Vesselin Bontchev's last part in his previous post)

C.S.J
June 10th, 2007, 01:12 PM
You make it pretty clear to me, IC.

Calm down and have a drink :)

If people don't understand, who cares... it's Sunday 8)

TonyW
June 10th, 2007, 01:14 PM
-{ Quote: "Why do people continue to tout the blacklist scanner as THE solution for the average Joe, when it appears that average Joes continue to get infected anyway while using this very solution?" }-I think it boils down to education. I remember reading once about a guy who phoned Tech. Support because he had a problem with his computer, which turned out to be virus-related. The thing is, he had an anti-virus product on his machine, but he just hadn't updated it for years - he believed once installed, it did its job, without understanding it needed to be constantly updated against newer threats.

Then there have been cases where people don't have the real-time monitor enabled, and they wonder why they get infected!

How we educate this group of computer users is a discussion all of its own.

Inspector Clouseau
June 10th, 2007, 01:18 PM
-{ Quote: "Then there have been cases where people don't have the real-time monitor enabled, and they wonder why they get infected!" }-

Even that's nothing. I witnessed a support case where the guy on the other end of the phone couldn't find the Windows Start button... Guess what? The monitor wasn't connected to the computer, but he was trying to find the Windows Start button!!!

Inspector Clouseau
June 10th, 2007, 01:20 PM
-{ Quote: "How we educate this group of computer users is a discussion all of its own." }-


If user education was ever going to work, don't you think it would have worked by now? :o

TonyW
June 10th, 2007, 01:21 PM
-{ Quote: "Then there have been cases where people don't have the real-time monitor enabled, and they wonder why they get infected!" }-A good example of this is shown in the Kaspersky article regarding Gpcode - http://www.viruslist.com/en/analysis?pubid=189678219 - where they say under the heading 'Protect your data': -{ Quote: "One of the most surprising aspects of the Gpcode story is that a large percentage of the victims who contacted Kaspersky Lab during the June attacks had Kaspersky Anti-Virus installed. It's surprising because Kaspersky Anti-Virus blocks the attacks 3 times. First, the infected attachment is detected as Trojan-Dropper.MSWord.Tored.a. Next, the downloader that loaded Gpcode was detected as Trojan-Downloader.Win32.Small.crb. Finally, Gpcode itself was detected. Even users whose antivirus databases were not up to date should have been protected, as detection for most Gpcode modifications has been available since January 2006.

Obviously, the victims had either turned their antivirus solution off, or chose to ignore the warnings it showed. Kaspersky Lab virus analysts did issue decryption and disinfection along with antivirus database updates. We even created special tools for restoring mail databases which were damaged when mail clients were unable to recognize the format of encrypted files. However, some users did lose critical data." }-

solcroft
June 10th, 2007, 01:27 PM
I think the stories here have a very significant point to them. Namely: For those who are determined to not care about computer security, the blacklist scanner does nothing to help them. For the rest of us, non-signature-based solutions are beginning to look more and more like the better choice.

Londonbeat
June 10th, 2007, 01:35 PM
-{ Quote: "For the rest of us, non-signature-based solutions are beginning to look more and more like the better choice." }-

While that may be the case for advanced users, the idea that antivirus software will become obsolete due to *everyone* switching to whitelisting software is ridiculous, IMHO. I would say more, but IC's and Bontchev's posts above sum it all up.

Londonbeat

solcroft
June 10th, 2007, 01:40 PM
Londonbeat,

I do not use whitelisting software.

Thank you.

Inspector Clouseau
June 10th, 2007, 01:43 PM
Why do I have the feeling that this discussion will go off-topic soon?

To make it clear: We're discussing if whitelisting can FULLY replace an Antivirus Solution. That means you wouldn't have any antivirus. We're not discussing if it makes sense to add a whitelisting app to your existing AV! Because *assuming you know how whitelisting works* that indeed might make sense!

mercurie
June 10th, 2007, 01:50 PM
-{ Quote: "AV isnt dead to me and I wont be saying goodbye for some time..." }-Same here.

However, I do believe that it will slowly become less of a need as other apps become more advanced. They are walking all over each other's security zones as it is, even today. This is, in my view, a very positive development, as pure signature-based products would become so burdened by billions of signatures. Just think what PC usage would become. :wacko: I believe, and I am no expert for sure, that behavior-based protection, when done well, will be the best option. This is based only on observation and reading postings here at Wilders and other places; again, I am no expert.

bontchev
June 10th, 2007, 01:56 PM
-{ Quote: "I think the stories here have a very significant point to them. Namely: For those who are determined to not care about computer security, the blacklist scanner does nothing to help them. For the rest of us, non-signature-based solutions are beginning to look more and more like the better choice." }-
You are forgetting that there is a third group of users - and it's the majority. Those are people who are not competent enough to use generic protections like integrity checkers - but who do care about protection from malware for one reason or another (e.g., because their computer is already infected and doesn't work properly). These are precisely the people who buy and use scanners.

Face it, folks. It's a free market. The "death of signature-based scanners" was predicted two decades ago. Alternative, more secure kinds of protection have been available for all this time, too. Nobody is forcing the users to use any particular thing for virus protection. They use what they want. They vote with their wallets. All AV products that did not include any kind of virus scanner are no longer around - because the companies that used to make them went out of business. Scanners are still selling like hot cakes. What does that tell you?

If you can make a generic kind of protection work for you - great! I use several myself. I'd be the first to admit that known-malware scanners are the weakest kind of protection against malware. Yet this is what the vast majority of users understand and this is what they are going to use. Do not expect that to go away any time soon.

Regards,
Vesselin

Londonbeat
June 10th, 2007, 02:01 PM
-{ Quote: "Londonbeat,

I do not use whitelisting software.

Thank you." }-

I have edited my post; I did not read your prior post where you brought into question the effectiveness of behavior blocking/sandboxing/virtualisation. Although IMO, these, along with whitelisting, are still not an effective solution for the average inexperienced user, and won't cause the 'death' of signature-based antivirus software.

bontchev
June 10th, 2007, 02:08 PM
-{ Quote: "Did you know that even *OPENING* a word document makes changes without having anything typed in? In case you didn't you know now." }-
Ah, no, in general this is not true for Word documents. (Unless, say, the document contains some self-updating fields - but even then Word will ask you whether to save the changed document.)

What you're thinking of here is Excel. That one changes the AUTHOR record in the Book/Workbook stream when you open a spreadsheet - even if you don't enter anything in it. And it doesn't tell you that anything has changed, either - it saves the change immediately without giving you a choice.

Regards,
Vesselin

bontchev
June 10th, 2007, 02:10 PM
-{ Quote: "Besides, most of the (real) office documents containing macros." }-
Again, this is not true. Most Office documents do not contain any macros. The most you can say is that Excel documents contain macros much too often to make "deny all macros" a comfortable policy.

Regards,
Vesselin

Inspector Clouseau
June 10th, 2007, 02:14 PM
Then it's XLS ;D Doesn't really matter, but people are using this too ;D

bontchev
June 10th, 2007, 02:14 PM
-{ Quote: "Exploits wouldn't require whitelisting, I think. Their end aim is to download and execute code, and whitelisting works against that very well.

Or am I missing something here?" }-
Yes, you are. Indeed, this is what most exploits do - because it's easier to do it this way. But don't forget that before the executable is downloaded and executed, there is some other code (the shellcode) that runs - it is the code that does the downloading and executing of the main malicious executable. The shellcode runs only in memory. You can't stop it from running by preventing unknown EXE files from running. And although it's more difficult, it's entirely possible to do a lot of nasty things just with the shellcode - without downloading and executing anything else.

Also, think about the CodeRed virus. This thing doesn't exist as a file at all! It spreads memory-to-memory between computers on the Internet. What are you going to whitelist/blacklist in order to stop that? TCP/IP packets?

Regards,
Vesselin

bontchev
June 10th, 2007, 02:15 PM
-{ Quote: "Is there some kind of hostile exploit in Office that does bad stuff even without macros?" }-
Yes, several.

Regards,
Vesselin

solcroft
June 10th, 2007, 02:29 PM
Thank you for the explanations; they've been very helpful.

EASTER.2010
June 10th, 2007, 04:17 PM
I agree, most helpful. And although those of us privileged enough to have conditioned our systems customarily with many advances that make us less dependent on AVs, as noted above, there will always remain a great majority of global users who either don't have the luxury of specially configuring security or are simply new to the internet and MUST depend on the AV solutions to be safe.

Great replies and comparisons. :thumb:

flyrfan111
June 10th, 2007, 05:24 PM
-{ Quote: "At DSLR my post simply got deleted. "deleted by moderator". Nice to know that they don't care about my opinion. Time to cancel my DSLR membership." }-

You have got to be kidding, Mike, did they give you a reason? Do they know who you are? How the hell could they just delete a post from such a well respected and knowledgeable person??

Canceling mine as well. Thanks for letting us know. Sorry, some people are just beyond help.

lucas1985
June 10th, 2007, 05:30 PM
With this thread (http://www.wilderssecurity.com/showthread.php?t=176969) in mind, I have to ask:
Is there a quick and reliable procedure to find executable code in a file? Because all exploits contain executable code, right?

FRug
June 10th, 2007, 05:52 PM
No to both of your questions. There are also exploits that do not contain executable code, and it is not easy to find executable code in arbitrary files. It largely depends on the file type and on the morphology of the code. It could attempt to look like normal contents of a file or simply seem quite random with trash instructions which can be quite hard to spot in binary formats.

lucas1985
June 10th, 2007, 06:07 PM
So, looking for the MZ header with a text editor is unreliable?
Another subscribed thread :thumb:

Inspector Clouseau
June 10th, 2007, 06:15 PM
-{ Quote: "So, looking for the MZ header with a text editor is unreliable?
Another subscribed thread :thumb:" }-

Yes. Because you can have shellcode in JPG pictures, and they don't have an MZ signature at the start.

lucas1985
June 10th, 2007, 06:47 PM
Is there a way to find such shellcode in a given file?
Thanks.

Rmus
June 10th, 2007, 06:48 PM
My statement from previous post:

-{ Quote: "In its most basic application, White Listing is denying by default the execution of malicious code.
" }- -{ Quote: "Mike's point is that it's too difficult to determine what exactly is malcious and what is not - so that you know whether to deny its execution or not." }-A better statement would have been: White Listing is denying by default the running of *any* executable not on the White List. Its sole purpose for me and those I help is to prevent the unexpected.

Every one of my examples is a real live exploit either received by email, or via drive-by download. Again, I realize that my examples address just certain types of exploits, yet these are the most common in the wild, and hence, of most concern to the home user.

bontchev - Your comment about not blocking the shell code of the .wmf file is a valid one. As you state, it could also apply to an MSWord exploit which ran shell code.

In fact, this was discussed in another forum during the period of the .wmf exploit, and someone crafted a .wmf file with shell code which, when allowed to run, launched calc.exe.

However, I am not aware that this technique ever surfaced in a real exploit. Everyone I saw reported, launched a trojan executable.

In practice, many of the faculty and students I referred to have both a White List solution which will prevent the dropping|extracting|launching of any executable code not already on the computer; and an AV which hopefully will take care of other situations.

My concern is with the home|education user, and I watch for real exploits that they might encounter. I realize that much of this discussion is about Enterprise situations, but a simple Default-Deny program is not beyond the capabilities of anyone. AV may be helpful. However, from my experience with the above, especially with real drive-by downloads, I am not optimistic about their effectiveness.

As I concluded my previous post, the important thing in security is to develop a strategy. What products a user chooses is less important than the effectiveness of the solution according to the needs and situation of the user.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier

Inspector Clouseau
June 10th, 2007, 06:50 PM
-{ Quote: "Is there a way to find such shellcode in a given file?
Thanks." }-

That's not that easy to explain in a "universally" usable manner.
The "easy" exploits you can "detect" if you find a few 0x90 bytes (NOPs).
Otherwise you have to search for encryption loops, aka xor, rol, sub, add etc.
Basically you have to detect valid assembly code.

lucas1985
June 10th, 2007, 07:03 PM
Can that be done with a simple text/hex editor (such as this one (http://www.mh-nexus.de/hxd/)) or a tool like FileAlyzer (http://www.safer-networking.org/en/filealyzer/index.html)?
Thanks again.

Inspector Clouseau
June 10th, 2007, 07:09 PM
-{ Quote: "Can that be done with a simple text/hex editor (such as this one (http://www.mh-nexus.de/hxd/)) or a tool like FileAlyzer (http://www.safer-networking.org/en/filealyzer/index.html)?
Thanks again." }-

YES! If you can read (and understand) assembly directly out of hex bytes (including on-the-fly offset recalculations for addresses, EXX register tracing). It's basically very easy to learn. Took me around 15 years.

flyrfan111
June 10th, 2007, 07:10 PM
Rmus, the problem is that for YOU, yes, it doesn't seem confusing, complicated or stupid. For most of the people here, it doesn't seem overly complicated. However, the MAJORITY of users don't want or NEED a frequent parade of pop-ups telling them that this action may be dangerous; they just want to mindlessly continue surfing, emailing, looking at porn or whatever it was that they would be doing when a pop-up jumps up at them. They will merely click "Yes" or "OK" just to go back to their blissful life. Those are the people that need protection the most, simply because they do not possess the knowledge to protect themselves. It is those very people that the makers of AV/AS/Anti-whatever else comes along must provide protection for. Because, when those people get infected or hacked or whatever, they will email the Inspector (or his counterpart at their chosen AV) and whine about why their computer got infected and how do they get back to cruising porn or whatever they were doing when they got infected.

Rmus
June 10th, 2007, 07:22 PM
-{ Quote: "Rmus, the problem is that for YOU, Yes it doens't seem confusing, complicated or stupid." }-I would add that I've never encountered any difficulty in setting up what I described on "average" users' systems.

I agree with the rest of your statement, with the qualification that those who "do not possess the knowledge to protect themselves" can effectively be taught *how* to protect themselves, which is something I and my colleagues demonstrate regularly.

Just because the "majority" seem to be helpless does not mean that something can't be done to correct this situation. A daunting task, I realize, but sitting and doing nothing accomplishes nothing.


regards,

-rich

_____________________________________________________
Just because someone's shoes are too tight, why should my feet hurt?

coolbluewater
June 10th, 2007, 07:34 PM
Most "common" end-users (those without knowledge of Wilders or any other security-related forum) will need an AV solution, with M$ being the dominant end-user OS provider. Not to mention those same end-users who will disable/shut-down an AV if they think their surfing is being slowed down while going after that favorite recipe, trolling MySpace, or downloading/installing other apps ("always turn off that AV first!"), etc. It's never ceased to amaze me during my previous support years how many end-users were afflicted with PEBCAK issues when it came to what we here deem as common security practices... and I'm talking *really* bone-headed, Darwin Award in-the-making scenarios.

Pedro
June 10th, 2007, 07:42 PM
-{ Quote: " However, for the MAJORITY of users, they don't want or NEED a frequent parade of pop-ups telling them that this action may be dangerous, they just want to mindlessly continue surfing, emailing, looking at porn or whatever it was that they would be doing when a pop-up jumps up at them. " }-
To complete Rmus's reply, AE (from the screenshots) does not ask questions, it informs. I'm sure that you can turn that off too.

What I'd like to be expanded on is what the execution prevention then fails to stop. What can be achieved without executing (what danger), and do HIPS like SSM detect and block such actions? I'd like a real life example, but I'm not as rigid as Rich :) , you can draw a scenario for me. But that's just me, I don't know that much.

No, the AV is not dead. A trojan found is a trojan found.

flyrfan111
June 10th, 2007, 07:52 PM
I agree that doing nothing is not helping either. But on the other side of the coin, the majority of computer users have other occupations: doctors, nurses, cops, contractors, lawyers, sales people, raising children and maintaining a household, etc. The last thing most of them want to do is come home and have MORE to do, i.e. learning how to secure their computer; they just want to use it, so security solutions need to be as simple as possible for the masses. Or at least that's my opinion. I have neither the time nor the energy to delve into designing anti-malware/security programs for my computer. Do I realize the need for such things? Of course I do, or chances are I wouldn't be here.

My own view is that a whitelisting approach, while good in theory, is impractical in implementation; to do it accurately would require even more work than the current solutions already require. All that would be accomplished would be to say that the list was clean at the time of its creation; there is no assurance that it is currently clean, as a site may have become compromised and its files are now infected, so basically every document/picture/program or whatever would need to be checked and verified EVERY TIME the list would be put out, and its veracity would not be assured for any long period of time.

Bob D
June 10th, 2007, 08:11 PM
-{ Quote: ".....Inspector, I think people should have to pass a test to use computers.... Mrk" }-
Yes, and people that own televisions/monitors should have an oscilloscope, and be able to diagnose crt problems.
Homeowners should all be well versed in the plumbing, electrical, carpentry skills.
Own a car? You should be able to rebuild your transmission.
Please.
The computer is a tool, like a toaster oven or a coffee maker. Most users don't need/want to understand its inner workings, they just want it to work (just like IC's wife).
I use my puter's programs in my business to make money.
Not ONE of my many security apps has ever made me a cent.

(Apologies being OT here)

flyrfan111
June 10th, 2007, 08:47 PM
While we are still at least relating to the topic, we have drifted from a technical discussion to a more philosophical angle. I apologize for the distracting sideline.

WSFuser
June 10th, 2007, 08:52 PM
-{ Quote: "Yes, and people that own televisions/monitors should have an oscilloscope, and be able to diagnose crt problems.
Homeowners should all be well versed in the plumbing, electrical, carpentry skills.
Own a car? You should be able to rebuild your transmission.
Please.
The computer is a tool, like a toaster oven or a coffee maker. Most users don't need/want to understand its inner workings, they just want it to work (just like IC's wife).
I use my puter's programs in my business to make money.
Not ONE of my many security apps has ever made me a cent.

(Apologies being OT here)" }-
Mrkvonic's suggestion applied to using a computer not owning it.

To get a driver license, you need to pass a written and behind the wheel test. Similarly to get a "computer license" you should pass some test. It would probably deal with internet security not the hardware itself.

flyrfan111
June 10th, 2007, 08:58 PM
Yes, but the test for a driver's license relates to being able to operate a vehicle. What to do when it breaks or even how to maintain it is not covered. The rules of the road are all that is required. People are doing the same, just using/operating a computer, getting a driver's license does nothing to even educate you for the need to get an alarm system, how to change the oil or a tire. So to me, the comparison is weak at best.

FanJ
June 10th, 2007, 09:38 PM
A few comments:

I like Blue's posting (reply # 29).

I agree with Mike (IC).

AVs are NOT dead!

Is white/black listing new? No.
For example in RegRun you can use it for a long time now (application database).
No, I am not saying it is perfect!

As Rich already mentioned elsewhere:
You might already use some white/black listing for quite some time in some way.
How?
Well, in your software firewall.
(Program X is allowed by you to have certain outbound traffic; program Y not; etc.).
(I'd better not start again about the importance of safe storing of MD5 checksums of those programs).

Vesselin mentioned integrity checkers.

Years ago the file-integrity-checker NISFileCheck was made by Albert based on ideas from Joseph. (Thanks again Paul for giving us here its (now archived) dedicated forum).
There are/were other file-integrity-checkers (ADinf32 comes to mind or FileChecker from Javacool, etc.).

Why do I mention your software firewall and file-integrity-checkers?
Somehow you might look at the way they work, as white/black listing.
But: the moment they warn you about any change (be it a changed file, new added file or deleted file) you have to take a closer look at that file.
We always have warned about that: it is you, the user, who has to decide whether such a change is legitimate or not.
And it is at that moment that AVs (and ATs etc.) come into play. And if you are completely unsure about it, check that file as much as you can, etc.
Even Wayne agreed once here about ProcessGuard when I posted the analogy with file-integrity-checkers: it is you the user who has to decide about a change/warning.

A few years ago myNetWatchman and Philip Sloss made SecCheck:
http://www.mynetwatchman.com/tools/sc/
At the early stage of their project both Joseph and I warned that lots of details have to be considered (like, for example, language versions of files, OS versions, etc.).

Well, I know, lots of things I have said here might now be outdated; I do know that very well. And I know that it might be a little off topic. It was just to give a slightly different look at the history here.

I don't consider AV's as dead.
Time will tell what the future will bring.
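To show in code what Rich's default-deny whitelist and FanJ's file-integrity-checker posts above describe, here is an added example (written for this page, not code from any poster or from any product named in the thread). The file paths and contents are constructed in memory so it runs offline; the same functions work on real files read from disk. SHA-256 is used in place of the MD5 checksums mentioned above, which is my choice for the demo, not something the thread specifies.

```python
"""Hash-based integrity check and default-deny execution whitelist.

Added illustration for this thread; the file set below is constructed
in memory, none of these paths or contents are real.
"""
import hashlib

# Constructed baseline: the files (and exact contents) the user approved.
# A real tool would store this list read-only or signed, as FanJ notes.
BASELINE_FILES = {
    "C:/Program Files/editor/editor.exe": b"MZ\x90\x00editor-v1",
    "C:/Program Files/editor/help.chm": b"ITSF help contents",
    "C:/Windows/notepad.exe": b"MZ\x90\x00notepad",
}

# Constructed "current" state: one file changed, one added, one deleted.
CURRENT_FILES = {
    "C:/Program Files/editor/editor.exe": b"MZ\x90\x00editor-v1-patched",  # changed
    "C:/Windows/notepad.exe": b"MZ\x90\x00notepad",                        # unchanged
    "C:/Users/joe/Downloads/downloaded.exe": b"MZ\x90\x00unknown",         # added
}


def digest(data: bytes) -> str:
    """Hex digest of a file's bytes (SHA-256 chosen for this example)."""
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Map each path to the digest of its contents."""
    return {path: digest(data) for path, data in files.items()}


def compare(baseline: dict, current: dict) -> dict:
    """Report the three kinds of change an integrity checker warns about:
    changed file, newly added file, deleted file."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "deleted": deleted}


def execution_allowed(whitelist: dict, path: str, data: bytes) -> bool:
    """Default-deny: run only if the path is whitelisted AND its bytes still
    match the approved digest. A new, renamed or modified binary is refused
    without anyone having to decide whether it is malicious."""
    return whitelist.get(path) == digest(data)


if __name__ == "__main__":
    base = snapshot(BASELINE_FILES)
    for kind, paths in compare(base, snapshot(CURRENT_FILES)).items():
        for p in paths:
            print(f"{kind:8s} {p}")
    for path, data in CURRENT_FILES.items():
        verdict = "allow" if execution_allowed(base, path, data) else "DENY "
        print(verdict, path)
```

Note that the checker only reports that something changed; as FanJ says, deciding whether the change is legitimate (a patch, or Excel rewriting a record on open as Vesselin describes) is still up to the user, and that is where a scanner is consulted.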

Doc Serenity
June 10th, 2007, 09:43 PM
-{ Quote: "And for all those who still don't understand what i mean:

If you can read that here (or if you even replied here!) you're not an average computer user! 50% of average computer users don't even know what a forum is! They never visited one! You have to see this worldwide and not only based on your neighbors or people here in this forum! If you visit a security forum that shows that you CARE about your computer. Now please forgive me, but that is already where the problem starts: It even takes *TODAY* a drama to explain to some people why they should use at least an antivirus program! Let alone Virtual Systems or Behavior-Blockers. Congrats to all who are using them, but as I said you cannot force people to use it - no matter how big your marketing budget is. If it's too complicated (remember: it doesn't count if *YOU* think it's not) they simply don't want to use it. (See Vesselin Bontchev's last part in his previous post)" }-

I agree.
But whether I choose to learn about pc security or not, the programs that are sold need to be kept easy to use and set up. And even in their easiest to use mode, we should be able to maximize the level of protection.
As an example, my av comes out of the box with an 'acceptable' medium setting for the novice.
To get maximum protection requires fiddling around with a bunch of different settings.
I was able to do it. But it would have been better to be able to set it to max and then if I'm so inclined, fine tune everything.
I hope more companies look into this.
Regards.
Doc

solcroft
June 11th, 2007, 12:30 AM
Rmus,

The point Inspector Clouseau was trying to make was: WHAT IF THOSE FILES WERE REAL GIF OR DOCUMENT FILES, not executable files with a fake extension?

How does whitelisting work against them?

While I have not seen what malicious actions such files may do other than downloading and executing code, whitelisting is clearly impractical in this case, against this type of file format, if what they say is true. Would you mind explaining how you expect to default-deny image files in this case?

lucas1985
June 11th, 2007, 12:51 AM
-{ Quote: "It's basically very easy to learn. Took me around 15 years." }-
I give up ;D ;D
A quick recap:
- Most executables are identified by the MZ header, usually at the beginning of the file.
- Encrypted executables and files containing shellcode cannot be identified without a Ph.D in assembler ;)

Spurs 2 - Cavaliers 0. Go Ginóbili and Oberto :D

FRug
June 11th, 2007, 01:19 AM
Executable code or shellcode in general does not have anything to do with MZ or PE headers or any other file type for that matter. It's simply assembly instructions in binary form, which even in the form of directly executable files may have some header data (EXE, ELF, etc...) or not (COM files....).

Shell Code is simply a blob of data that can be interpreted as valid instructions (or sometimes even undocumented invalid instructions that don't happen to crash the cpu), with all the issues that entails: encryption or trash code which can make it extra hard to spot, since even to the assembly-affine the bytecode may not look like valid code at first glance.

Rmus: you need to dig deeper into exploits if you want to understand the point bontchev and IC are trying to make. There is no need for a downloaded file, there is no need for an extra execution of any executable. The exploit can simply take over control within the exploited process, whether it's your Internet Explorer, your Winamp or your Office. They could do so by creating new threads, or simply by not returning control to the affected application. Your examples are something entirely different: an exploit had a downloader shellcode that happened to download an executable file with a fake extension (GIF/JPG). That has nothing whatsoever to do with a real JPG, PNG or GIF exploit.

Also keep in mind that shellcode doesn't have to be complicated to do real damage. The code to download a file is not less complex than what would be required to delete your My Documents Folder, or to search your PC for banking data and send it to a server. Or it doesn't download anything at all and simply uses already whitelisted standard applications to do all the dirty work, like FTPing your My Documents folder to some webserver on the net, or starting some distributed denial of service using multiple instances of the certainly whitelisted ping command.
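As an added illustration (not code from this thread, from Faronics, or from any product mentioned here), the following Python sketches a default-deny executable whitelist of the kind Rmus describes and shows the blind spot lucas1985's recap and FRug's post point at: the policy only ever looks at files that carry an MZ/PE header, so a constructed JPEG-like file with arbitrary bytes inside never enters its scope. The header check standing in for how Anti-Executable "analyzes code sample in a file" is an assumption, as are the sample files.

```python
"""Default-deny executable whitelist (added example, not Anti-Executable).

The whitelist decision is keyed on a SHA-256 hash of the file and only
applies to data that looks like a PE image (MZ stub + "PE\0\0" signature).
Anything without such a header is simply out of scope for this policy,
which is exactly why shellcode carried inside an image file is not caught.
"""
import hashlib
import struct


def make_pe_image() -> bytes:
    """Constructed minimal PE-like image: 64-byte DOS header whose
    e_lfanew (offset 0x3C) points at a "PE\0\0" signature. Not a real
    binary; just enough structure for the header check below."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> offset 64
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20  # fake NT headers


# Constructed JPEG-like file: SOI marker, APP0/JFIF segment, then opaque
# payload bytes, then EOI. The payload is meaningless filler here; the
# point is that nothing in it is an MZ/PE header.
JPEG_WITH_PAYLOAD = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x90" * 32 + b"\xff\xd9"
)


def looks_like_executable(data: bytes) -> bool:
    """Header-based test (assumed stand-in for 'detects binary executable
    code'): MZ at offset 0 and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DefaultDenyPolicy:
    """Allow only executables whose hash was enrolled; deny every other
    executable; say nothing about non-executable data."""

    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)

    def decide(self, data: bytes) -> str:
        if not looks_like_executable(data):
            return "not-executable"   # outside the whitelist's scope
        if sha256(data) in self.allowed:
            return "allow"
        return "deny"                 # unknown executable: default deny


if __name__ == "__main__":
    trusted = make_pe_image()
    policy = DefaultDenyPolicy([sha256(trusted)])
    print("trusted image :", policy.decide(trusted))            # allow
    print("altered image :", policy.decide(trusted + b"\x00"))  # deny
    print("jpeg payload  :", policy.decide(JPEG_WITH_PAYLOAD))  # not-executable
```

The third result is the whole point of the exchange above: a whitelist of executables never votes on a data file, so whatever the image parser does with those bytes is decided elsewhere (by the parser's own hardening, DEP, or an AV signature).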

Rmus
June 11th, 2007, 02:07 AM
-{ Quote: "Also keep in mind that shellcode doesn't have to be complicated to do real damage." }-Hello FRug,

I am aware of this, and I did make a statement about shell code in Word and wmf, and the example someone created to show how it could work. However, as I mentioned, no real-world exploits surfaced at that time.

I did mention that in my academic environment, both white list protection (for the examples I gave) and black list (AV) are used. Whether any such exploit as you mention would be caught or not by AV would have to be proven when a real exploit surfaces. Regarding common exploits, I have shown that White List protection has blocked where AV did not.

Having said that: I have decided to wave the white flag in this discussion with the Inspector and bontchev.

White Listing encompasses many things, and they are looking at the bigger picture with all its complications, and so they are correct. I am focusing on a very narrow use of White List protection: Default-Deny of running unauthorized executables, which is very relevant to home|education environments, so I stand by my assertion of its effectiveness.

regards,

-rich

Rmus
June 11th, 2007, 02:32 AM
-{ Quote: "Would you mind explaining how do you expect to default-deny image files in this case?" }-Hello, solcroft,

The product I use, Anti-Executable, analyzes a code sample in a file. If it detects binary executable code, it blocks the file if it is not on the White List.

As I mentioned in a previous post, exploiting image files was discussed on another forum, and I never saw any real-world exploit using this technique.

If the image file contained binary code, AE would block it. If not, it wouldn't, and you would hope your AV catches it.

I will wait to see a real-world working example

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier

solcroft
June 11th, 2007, 04:00 AM
-{ Quote: "Hello, solcroft,

The product I use, Anti-Executable, analyzes a code sample in a file. If it detects binary executable code, it blocks the file if it is not on the White List.

As I mentioned in a previous post, exploiting image files was discussed on another forum, and I never saw any real-world exploit using this technique.

If the image file contained binary code, AE would block it. If not, it wouldn't, and you would hope your AV catches it.

Until seeing a working example, I cannot know any more than this.

regards,

-rich" }-
Hello,

If the claims in this thread are true, then that means exploits that bypass AE certainly do exist. Perhaps you've been lucky enough to not run across them.

Rmus
June 11th, 2007, 04:23 AM
-{ Quote: "If the claims in this thread are true, then that means exploits that bypass AE certainly do exist." }-Well, of course they do! AE does not analyze scripts, for example. People concerned about that will employ other means.

I've done nothing more than show how AE using a White List effectively blocks attempts to download|install any file that has executable code. That is its sole purpose in life, nothing more. These comprise the majority of the exploits people are likely to encounter.

Those concerned about other types of exploits will use other preventative measures.

-{ Quote: "Perhaps you've been lucky enough to not run across them." }-Well, I've never had an infection, and I don't attribute it to luck.

regards,

-rich

ErikAlbert
June 11th, 2007, 04:39 AM
Hi guys,
I don't want a whitelist of objects of any existing legitimate software, that is only possible in theory, not in practice.
I only want a whitelist of objects of legitimate softwares on MY computer and I mean ANY object : files, registry, ...

Once the whitelist is created, any unauthorized object is REFUSED IMMEDIATELY (not on reboot) and what is not installed, can't be executed and doesn't need to be removed either.
Faronics Anti-Executable already works that way, unfortunately only for unauthorized executable objects.
I want an Anti-Malware that blocks ANY unauthorized object immediately, not just executable objects.
Faronics' idea was brilliant, they just didn't think far enough.

Blocking objects doesn't mean you have to bombard the user with numerous popups, this can be done in absolute silence. If users want to see these popups, they only have to change a setting to see them.

Does that cover everything ? Probably not, so what ? When something doesn't cover everything, you create another security software that covers the rest. :)

solcroft
June 11th, 2007, 04:44 AM
Rmus,

What you have said so far is very well-understood by the rest of us already, no point reiterating what's already known. What you have yet to explain is how whitelisting protects you from jpg exploits that do NOT involve executable code.

Inspector Clouseau
June 11th, 2007, 04:48 AM
-{ Quote: "Rmus,

What you have said so far is very well-understood by the rest of us already, no point reiterating what's already known. What you have yet to explain is how whitelisting protects you from jpg exploits that do NOT involve executable code." }-

Now just give this guy some peace. He has already raised the white flag. I think he understood what we (Bontchev and I) were trying to explain to him.

Rmus
June 11th, 2007, 05:04 AM
Bonjour, Inspector,

Yes, you were looking at White Listing as the sole solution, and I was considering just a specific use of the principle.

-{ Quote: " What you have yet to explain is how whitelisting protects you from jpg exploits that do NOT involve executable code." }-Speaking only for AE, which is my only White List software there is nothing to explain - I would not be concerned with that scenario because AE doesn't deal with it. White Listing would not be my solution for it.

When a real-world exploit shows up, then there will be something to consider: method of delivery, for example. Then, preventative measures can be taken.


regards,

-rich

Inspector Clouseau
June 11th, 2007, 05:16 AM
-{ Quote: "Bonjour, Inspector,
" }-

;D That reminds me of the part when Frank (Jason Statham) in the movie TT2 said: "Oh no, he's not a friend, he's French." ;D

The real problem boils down to "user education". And for that to be possible (successfully), the users must be willing to understand and to do something. (I don't want to sound too pessimistic, but that's not gonna happen.)

Next problem is how exactly will you "perform" user education? In a classroom? Online via PHP forms? In a forum? Via email? In case you pick via email, the next moron has the idea to create a real worm that will send itself as "Lesson Number 12: How to prevent Internet worms from spreading" BEFORE YOU REACH THAT CHAPTER in your lessons.

Franklin
June 11th, 2007, 05:16 AM
-{ Quote: "Rmus,
What you have said so far is very well-understood by the rest of us already, no point reiterating what's already known. What you have yet to explain is how whitelisting protects you from jpg exploits that do NOT involve executable code." }-
Does an AV need a sig to detect as such and are there Zero day exploits?

Would such a jpg exploit cause probs from within a sandbox?

-{ Quote: "Sep 15 2004
On September 14, 2004, Microsoft released details and patches for a newly discovered vulnerability involving JPG files, widely used for photographs and online images. The exploit can be engineered from a malicious website or via email.

The vulnerability revolves around a buffer overrun condition that occurs when processing deliberately malformed JPG files. A successful exploit would allow the attacker full control of the system, operating with the full privileges of the user currently logged in. " }-

ErikAlbert
June 11th, 2007, 05:21 AM
-{ Quote: "Bonjour, Inspector,
When a real-world exploit shows up, then there will be something to consider: method of delivery, for example. Then, preventative measures can be taken.
" }-
AFAIK an exploit takes advantage of a legitimate executable to do its evil job. So there must be another evil object to make that possible, and such an evil object can also be stopped as an unauthorized object.
AE is limited to unauthorized EXECUTABLE objects; that's not good enough. AE should block any unauthorized object in the system partition (Windows + Applications).

Rmus
June 11th, 2007, 05:26 AM
-{ Quote: "On September 14, 2004, Microsoft released details and patches for a newly discovered vulnerability involving JPG files," }-I considered that a non-issue because

-{ Quote: "By default, Windows 98, Windows 98 SE, Windows Me, Windows NT 4.0, Windows 2000, and Windows XP Service Pack 2 are not vulnerable to this issue." }-And I was not using any of the other affected MS software.

regards,

-rich

Inspector Clouseau
June 11th, 2007, 05:29 AM
-{ Quote: "AE should block any unauthorized object in the system partition (Windows + Applications)." }-

That confirms you also have no idea how exploits work. YOU DON'T NEED *ANY* executable for an exploit!

The exploit "sleeps" for example in a JPG picture. Now if you display this jpg picture via preview on the Windows desktop (via opening a folder where Windows creates a preview, for example) the exploit already starts! And this exploit DOESN'T NEED TO LOAD ANY OTHER EXECUTABLES! It simply runs already in memory! It can just format your hard drive without your having any chance to prevent this other than turning your machine off the nanosecond before it starts this.

Rmus
June 11th, 2007, 05:34 AM
-{ Quote: "The real problem boils down to "user education". And for that to be possible (successfully), the users must be willing to understand and to do something. (I don't want to sound too pessimistic, but that's not gonna happen.) " }-Actually, I've found that many *are* willing. Often they are embarrassed to say anything about their computing problems, or just don't know what to ask.

-{ Quote: "Next problem is how exactly will you "perform" user education? " }-There certainly are many possibilities.

The small group I work with prefers to go to people's homes. We do this normally on weekends, and during the week by email. Granted, we find people we know through our own socializing, so it is a harmonious working environment.


regards,

-rich

ErikAlbert
June 11th, 2007, 05:38 AM
-{ Quote: "That confirms you also have no idea how exploits work. YOU DON'T NEED *ANY* executable for an exploit!

The exploit "sleeps" for example in a JPG picture. Now if you display this jpg picture via preview on the Windows desktop (via opening a folder where Windows creates a preview, for example) the exploit already starts! And this exploit DOESN'T NEED TO LOAD ANY OTHER EXECUTABLES! It simply runs already in memory! It can just format your hard drive without your having any chance to prevent this other than turning your machine off the nanosecond before it starts this." }-
I admit I'm not an expert. If those exploits can't be stopped in any possible way you have to accept them until you find a way to stop them.
Are there so many existing exploits, that they are a constant problem or are we talking about a minority of infections ?

Stefan Kurtzhals
June 11th, 2007, 05:50 AM
User education won't solve the problem either.

Just have a look at Zlob. The user is tricked into *wanting* to execute the file with social engineering. No whitelisting will stop her/him from doing that.

On an end user system, a whitelist solution will constantly pop up because there are so many unknown applications and users update/install new things every day. After getting > 5 warnings in a day, the user will simply disable the security program. Every "normal" user I know that is using Vista has disabled the UAC because it is too much hassle for them! And you really believe you can convince them to endure even more warnings AND let them properly decide what to execute and what not? Sorry, but that is just plain naive.

Antivirus scanning puts the work and expertise on the side of the AV company. The user must do nothing; if a warning pops up (s)he just deletes/cleans the file and the user is happy.
White listing, (simply designed) behaviour blocking, sandboxing, anything that forces the user to make decisions about whether it's ok to execute the file or not puts the responsibility on the user's side. Good idea, really... Just shift the blame. :)

It is beyond my understanding why people come up all the time with 20-year-old ideas that have been tried again and again AND AGAIN and never worked out - and claim they found the holy grail and the solution to all security problems. The only thing missing is that they name their product "42".
Where did I hear that slogan "will protect you against all malware, past, present and future!" again?

RejZoR
June 11th, 2007, 06:23 AM
However, behavior blockers are imo the way to go right now. Sure, they also pop up warnings on legit files from time to time (AVs do that too with FPs), but in general they don't bother users unless something really bad is executed (taking Cyberhawk/KAV6 PDM as an example). And they have an extremely high detection rate with very low update requirements.

Inspector Clouseau
June 11th, 2007, 08:43 AM
In practice that looks like that:

TonyW
June 11th, 2007, 08:51 AM
-{ Quote: "
Just have a look at Zlob. The user is tricked into *wanting* to execute the file with social engineering." }-Herein lies the problem. I've seen emails from people I've never heard of with unusual subject headings, some quite enticing and in quite a few cases grammar can be poor, but commonsense tells me not to even bother with it. I even have the preview pane disabled in my email client so the mail cannot be viewed lest there be web bugs contained therein.

ErikAlbert
June 11th, 2007, 09:04 AM
-{ Quote: "User education won't solve the problem either.

Just have a look at Zlob. The user is tricked into *wanting* to execute the file with social engineering. No whitelisting will stop her/him from doing that.

On an end user system, a whitelist solution will constantly pop up because there are so many unknown applications and users update/install new things every day. After getting > 5 warnings in a day, the user will simply disable the security program. Every "normal" user I know that is using Vista has disabled the UAC because it is too much hassle for them! And you really believe you can convince them to endure even more warnings AND let them properly decide what to execute and what not? Sorry, but that is just plain naive.

Antivirus scanning puts the work and expertise on the side of the AV company. The user must do nothing; if a warning pops up (s)he just deletes/cleans the file and the user is happy.
White listing, (simply designed) behaviour blocking, sandboxing, anything that forces the user to make decisions about whether it's ok to execute the file or not puts the responsibility on the user's side. Good idea, really... Just shift the blame. :)

It is beyond my understanding why people come up all the time with 20-year-old ideas that have been tried again and again AND AGAIN and never worked out - and claim they found the holy grail and the solution to all security problems. The only thing missing is that they name their product "42".
Where did I hear that slogan "will protect you against all malware, past, present and future!" again?" }-
Of course users are happy with a system that allows everything, because they don't want strong security, while other users do want such security.
Scanners are a good way to keep users comfortable by giving them a fake message "Congrats, system is clean." Once they install another scanner, they find out their system had already been infected for months, because their first scanner didn't remove it; very good security. ::)
False positives deleted by average users, who damage their own computer; very safe solution. ::)
It's obvious and logical that an AV expert is pro AV-scanners.

I already told you what I want, and what I want does NOT exist, because the security industry keeps on re-inventing new AV/AS/AT/AK/AR/...scanners, new HIPS, new sandboxes, ..., while the whitelist approach has been neglected during all these years and that's why we have BAD whitelist softwares.
That's why I have to use softwares like FirstDefense-ISR and Anti-Executable, which are both NOT good enough, but there is nothing else out there.

Why is there always a test of AVs and nothing else than that? Is that a 20-year-old tradition or something? I find these AV-tests pretty boring: always another winner and a bunch of losers.
I never saw a test of FirstDefense-ISR, DeepFreeze, ShadowUser, ... Isn't that interesting enough for experts to try something else FOR A CHANGE, rather than repeating the same old tests over and over again, again and AGAIN?

solcroft
June 11th, 2007, 09:47 AM
-{ Quote: "Of course users are happy with a system that allows everything, because they don't want a strong security, while other users want such a security." }-
What are their failings, specifically?

ErikAlbert
June 11th, 2007, 10:02 AM
-{ Quote: "What are their failings, specifically?" }-
What failings : users or scanners ?
Users fail all the time, they are the weakest link in security, because they can't control their curiosity.

Mele20
June 11th, 2007, 10:33 AM
-{ Quote: "http://weblog.vircop.org/?p=25" }-

Could you please consider using conventional black text on white background? Fx and nVidia don't like your black background and white text. I can't use auto scroll there as the screen flickers and the text becomes too tiny to read in addition to flickering in and out. Besides, I never use websites that have black backgrounds (except BlackViper) because it is so tiring for the eyes.

As for your getting your post deleted at dslr Security forum...I missed that because I was, out of the blue, banned for three days there. Ban was just lifted. I was given no reason for the ban other than that I somehow violated the TOS for the site. The offending post was not given to me but I suspect what angered Mary (WCB) was that I had posted in a thread there and mentioned that I was waiting to see if anyone would post the topic which I had posted here several days earlier when it was first news and that the discussion here was quite interesting contrary to the discussion at dslr which was juvenile. The implication that Wilders just might have the better membership now is a no-no that I had to be punished for. ::) Mary probably deleted your post because you represent a vendor and she doesn't want vendors posting there.

I find all the comments about how most users refuse to learn anything about security puzzling. When I got my first computer in 1999, I was older than most computer users. Yet, I knew one thing: an always updated antivirus was essential. I had an awful time trying to understand McAfee 4.2 that came on the computer...I read the definition for "heuristics" about a dozen times and it was like reading a foreign language that I had no knowledge of. But I persisted and learned as much as I could about McAfee. I also don't understand how these average users get all these viruses or why people even need AVs. All one needs is to have good judgement and be practicing safe computing. One does need something like a software firewall or ProcessGuard...that is much more important than an AV. Everyone needs a program to control what calls out! That is the main reason I use PG.

I have only had one virus in all these years (and I got it on a blank, new store bought floppy that I didn't know could be infected so I didn't scan it). I've never had spyware. And I knew nothing about computers until 1998 when I went to a county sponsored program to teach folks 55+ about computers. We didn't learn a thing about security but some about privacy. So, when I got my own computer a year later, I knew nothing about how to use the computer except how to surf. But I learned and I just can't understand how anyone could get a computer and refuse to learn how to use it properly which includes how to use the AV, the firewall, and basics about the OS and the File System. I think everyone should have to be licensed to use a computer and should be required to take security courses prior to being allowed to purchase a computer. I think the courses should be sponsored (at least in the USA) by Microsoft and the US government.

I certainly don't think AV's are "dead" nor do I think a ridiculous solution like white listing is practical or even useful. Users who insist on surfing to any site, clicking on every thing in sight, deserve what they get. First thing I learned was to be very careful what sites I visited and to never read email in HTML, or use the preview pane or open attachments without first downloading to disk and scanning with my updated AV. I also learned to never open an email from any source I did not recognize and if in doubt to read it via properties where it was never opened. All of this was very simple, very easy to learn and abide by so I don't understand users who can't learn such simple precautions that would eliminate most risk. If you insist on visiting porn/gambling sites, downloading P2P stuff, accepting files from strangers via instant messaging, etc. then you deserve a wrecked computer. A computer is not a toaster and won't be for another generation. Users have to be realistic and if they don't want to be then they should not get computers. Since they seem to have no common sense, licensing is the only realistic answer with demonstrable proof of ability to properly use a computer.

trjam
June 11th, 2007, 10:45 AM
That is a very good post Mele.:)

solcroft
June 11th, 2007, 10:50 AM
-{ Quote: "What failings : users or scanners ?
Users fail all the time, they are the weakest link in security, because they can't control their curiosity." }-
My apologies; I quoted the wrong part of your post by accident. To correct my previous question: what do you find insufficient with F-DISR and AE?

walking paradox
June 11th, 2007, 11:09 AM
I think a lot of this comes down to the fact that individuals with substantial know-how regarding computer security tend to assume that everyone else must have some level of competency in this area. Many individuals with that type of know-how such as those that frequent Wilders might acknowledge that everyone else (the masses) don't have the same level of know-how as them, but many still assume, perhaps because of the prevalence of computers or perhaps because it seems so basic to them, that most people in general have the capacity and motivation to acquire the necessary know-how to secure their computer. As should be obvious, this is a false assumption. Vast amounts of people, constituting a majority of people world-wide are computer illiterate and lack the willingness and ability to secure their computers.

For those whose personal experiences don't necessarily align with this notion, perhaps consider that the sample (people you've observed and/or helped in this area) that you're basing your perspective on might be skewed for various reasons. It could simply be that you have too small a sample size to generalize with any meaning, or it could be that your sample, even if substantial in size, is unrepresentative of the larger population (say if you are working within academia or your sample consists mostly of younger individuals who tend to be more familiar and comfortable with computers than their older counterparts).

Lastly, the solution to this problem isn't some sort of systematic education for the masses, as that is impractical at best. Perhaps the only reasonable solution involving systematic education would be to educate younger students in a more comprehensive manner, teaching them the basics of how to use and secure ones computer. This could be made standard curriculum in middle and high schools (and their equivalents internationally). While even this task would be difficult and convoluted, it is at least practicable (in some countries).

All the nonsense about requiring licenses to operate a computer is absurd. Its implementation is impractical at best, perhaps even impracticable altogether. It would be a logistical nightmare, and would require an international governing entity to regulate and enforce. Even if somehow it was implemented, it would put a halt to the global economy, and would be counterproductive in getting the masses connected and teaching them how to use and secure their computers as it would introduce unnecessary costs towards achieving that end.

Ilya Rabinovich
June 11th, 2007, 11:16 AM
OK, my 2 cents if you don't mind...

As I always say, there are four main defense walls. They are: a firewall to control your Internet connections and traffic, HIPS to cope with malware unknown to the AV, anti-virus to prevent already known malware from executing and to clean up unknown malware once it becomes known, and a backup hard drive in case yours dies. Each solution covers the others' backs (weak points).

So, there is no "AV replacement" solution, as AVs are THE EASIEST TO USE! There is only one button "Scan now!" (mostly) and this is all a simple user needs. Firewalls and sandbox HIPS (as the simplest kind of HIPS) are not so simple for the user.

Why "AVID"? The fact is that the AV industry PRs its scanners as front-line anti-malware solutions. But the fact is that nowadays their effectiveness in this role is about 50% and getting lower. But they can't stop their PR machine, as this will show their lie. They can't stop; they can just add HIPS solutions into their products (Kaspersky), which is the only way for the industry itself. So, yes, AVs are dying as a first-line defense, but they are still effective as second-line cleanup tools (malware response time is not important in this case).

HIPS. Some of them are for geeks (classical), some are for advanced users (expert), some are for averages (sandbox). It is just a matter of core architecture. But, naturally, the weakest place for HIPS of any type is... their users! Social engineering will never die; it is a thousands-of-years-old technique and will live for thousands more. It is harder to do this trick with an AV scanner, but it is possible anyway.

The "teaching users" technique won't work, because there are a lot of people in the world who see no reason for it and you can't make them.

ErikAlbert
June 11th, 2007, 12:04 PM
-{ Quote: "My apologies; I quoted the wrong part of your post by accident. To correct my previous question: what do you find insufficient with F-DISR and AE?" }-
FDISR does a good job of cleaning your computer; unfortunately this happens only on reboot and that is too late, because infections can install and execute themselves in the period between two reboots.
The freeze storage of a frozen snapshot = whitelist of ALL objects in my system partition, and that's why FDISR is able to clean my system partition completely, but too late.

Anti-Executable acts IMMEDIATELY and that is excellent, unfortunately only for unauthorized EXECUTABLE objects and not for other unauthorized objects.

If Anti-Executable (= Anti-Malware) would act IMMEDIATELY for any unauthorized object, I wouldn't need FDISR anymore.
If AE (AM) would stop any unauthorized object, there is :
- no installation of infections possible
- no execution of infections possible, because there is no installation.
- no removal of infections anymore, because there is no installation.
If my system partition has that kind of protection, I don't need to protect my data partition anymore either.
My data partition can still be infected by downloading infected data files from an unknown source, but that's MY stupidity.

There are "exploits", that can't be detected and removed, because they operate in the memory.
So be it, in that case neither whitelists nor blacklists will remove these exploits.
Exploits prove only one thing to me : this time, the bad guys were smarter than the good guys. :)

Ilya Rabinovich
June 11th, 2007, 12:18 PM
-{ Quote: "Exploits prove only one thing to me " }-

Hardware DEP + ASLR enabled will stop it cold.

ErikAlbert
June 11th, 2007, 12:22 PM
-{ Quote: "Hardware DEP + ASLR enabled will stop it cold." }-
Thanks. I will look into this. This thread didn't mention anything about this. ;)

solcroft
June 11th, 2007, 12:27 PM
-{ Quote: "FDISR does a good job of cleaning your computer; unfortunately this happens only on reboot and that is too late, because infections can install and execute themselves in the period between two reboots." }-
The malware disappears when you reboot. Why is that "too late"?

CJsDad
June 11th, 2007, 12:27 PM
The Wilders Security world and the real world are two different things.
Try explaining things like behavior blockers, HIPS, and sandboxes to a newbie; matter of fact, if it wasn't for this forum I would have no idea what the hell any of those programs were.

For an example, as a newbie to software security, I know about AVs, AS, AT, software firewalls and routers; that's WITHOUT coming here and learning.
It's when you start mentioning behavior blockers and HIPS that I can almost guarantee you that the beginners or average users in the real world have no idea what the hell you're talking about. Matter of fact, when a discussion comes up about security programs for a computer either at work or at home, why is the #1 question "What AV do you use?"
How come no one says "What HIPS program do you use?" "Which behavior blocker do you prefer?"

I've logged onto Wilders from work a few times and you should hear the reactions/comments from some people.
They have no idea whatsoever what I'm reading, can't understand a lot of it, and most of the time their only response to me is "WTH are you reading, how can you understand that?"
So when someone mentions AV's are dead, dead for who, the advanced users, because the newbies or average users such as myself rely on some type of protection and an AV is part of the solution.

This was just my 2 cents, thanks. :thumb:

walking paradox
June 11th, 2007, 12:32 PM
-{ Quote: "The malware disappears when you reboot. Why is that "too late"?" }-
Because the malware could have already done its job, such as steal and transfer personal info, before rebooting.

Erik explained this in the sentence you quoted. . .
-{ Quote: "because infections can install and execute themselves in the period between two reboots" }-

ErikAlbert
June 11th, 2007, 12:36 PM
-{ Quote: "Because the malware could have already done its job, such as steal and transfer personal info, before rebooting.
" }-
That is correct. FDISR doesn't recognize bad objects, because FDISR isn't security software; it's immediate system recovery software.

solcroft
June 11th, 2007, 01:02 PM
So why not add a firewall to your security setup, instead of praying that your one, single solution works against all kinds of threats?

ErikAlbert
June 11th, 2007, 01:07 PM
-{ Quote: "So why not add a firewall to your security setup, instead of praying that your one, single solution works against all kinds of threats?" }-
I have a router + firewall to control internet traffic, but that's not enough.
I want to get rid of my boot-to-restore solution and only an improved and bigger AE would make that possible.
Actual AE = whitelist of all executable objects.
I want AE = whitelist of all objects (like in FDISR).

Ilya Rabinovich
June 11th, 2007, 01:26 PM
-{ Quote: "The Wilders Security world and the real world are two different things." }-

No doubts!

-{ Quote: "Try explaining things like behavior blockers, HIPS, and sandbox to a newbie, matter of fact if it wasn't for this forum I would have no idea what the hell any of those programs were." }-

It is not really hard to do.

-{ Quote: "For an example, as a newbie to software security, I know about AV's, AS, AT, software firewalls and routers, that's WITHOUT coming here and learning." }-

That means that you've read it in computer magazines; that is why you know what it is. Right? So, it is just a question of PR. I can assure you, in case of a massive PR campaign even simple users will know what HIPS are and why they need it. That is an average story; the same happened with firewalls. I remember those days when I hadn't heard about it and how various journalists from magazines explained to me what it is and why I need to buy it. I didn't, but the idea itself is very clear...

solcroft
June 11th, 2007, 01:52 PM
-{ Quote: "I have a router + firewall to control internet traffic, but that's not enough.
I want to get rid of my boot-to-restore solution and only an improved and bigger AE would make that possible.
Actual AE = whitelist of all executable objects.
I want AE = whitelist of all objects (like in FDISR)." }-
When I said firewall, I meant as in "software firewall with outbound traffic control".

A "whitelist" of "all objects" is clearly unfeasible, for reasons that have been pointed out earlier in this thread.

CJsDad
June 11th, 2007, 02:15 PM
Ilya-

Explaining programs like HIPS or sandboxing may not be hard for someone such as yourself (DefenseWall), but with someone like me (beginner) it's quite complicated to understand; not so much with the sandbox programs, but with a HIPS program I'm completely lost.
This is what I mean by the real world: people just do not understand certain security programs. Yes, it can be a PR issue, but at the same time some of these programs are not beginner usable.
For instance SSM seems to be the HIPS of choice around here, but for someone like me that's asking for trouble.
As I mentioned previously, without this forum I would have no idea what a HIPS program is or what it does, or any other behavior blocker or sandbox.
I knew about AV's, FW's and such not from reading computer magazines but through word of mouth; as a matter of fact I have never read a computer magazine in my life, still haven't to this day.
I went through a lot of trial and error, but to be truthful it took one person to lead me in the right direction with the basics of security programs; from there I was basically self-taught, and to this day I'm still very much the beginner.
This is why when I ask questions about software I need as much detail as possible or I'm lost.
From my point of view, every time I read something posted here I'm doing it in newbie mode, or I ask myself how I would explain that to someone who doesn't have a clue about a certain program.

walking paradox
June 11th, 2007, 02:15 PM
-{ Quote: "That means that you've red it in computer magazines, that is why you know what is it. Right? So, it is just a question of PR. I may insure you- in case of massive PR campaign even simple users will know what HIPS are and why he/she need it. That is an average story - same was with firewalls. I remember those days when I haven't heard about it and how various journalists from magazines have explained me what is it and why I need buy it. I didn't, but the idea itself is very clear..." }-
The notion that the masses acquire most of their information about computer security from public relations (PR) seems reasonable enough. However, it does make the obvious assumption that most of the information the masses receive about computer security is somehow a derivative of PR; this I cannot confirm or refute as I simply don't know, I can only speculate about that. Your extension of this notion is that if the big computer security firms put forth a PR campaign for, say, HIPS, the masses would then 'know what HIPS are and why he/she need it'. This is where the argument becomes less straightforward. I agree in part with the initial premise, but just because such PR worked that way with anti-virus and anti-spyware software doesn't mean it will work the same way with other types of security software. Granted, such PR would inform the masses about HIPS, but it wouldn't necessarily enlighten them about how HIPS actually work and the purpose behind it. Your example of firewalls reinforces this point. I made a similar observation in a different thread (see below) that posed a question that your notion addresses. The reason firewalls are the exception is because of the PR behind them, at least according to the notion. However, this doesn't reinforce your extension of the initial premise. Namely, just because there was significant PR for firewalls that informed the masses about them doesn't mean the masses understood what exactly a firewall is, how it works, what its purpose is, etc. To the contrary, from what I've gathered so far, most people don't really know what a firewall does or how to properly use it. What most people (the masses) know about firewalls, if they know of them at all, is that it is good to have a firewall and that it has something to do with 'controlling the internet', as I've heard several times. This hardly constitutes understanding what a firewall is and why one needs it.
To an extent, HIPS are similar to firewalls (as elaborated below) and a PR about them would likely have a similar result.

-{ Quote: "...firewalls are somewhat similar to these 'other' types of security software (HIPS, sandbox, virtualization, etc) in terms of user-friendliness, or the lack thereof. Firewalls in general, and their outbound protection in particular, are user-intensive in a manner similar to many HIPS programs in that they both often require significant user input in order to work properly. Most people I know have no idea how to properly use a firewall (with the exception being windows firewall as that is simply inbound protection and doesn't require much if any user input) yet this type of security software is mainstream. So what gives? If the lack of user-friendliness is the factor preventing these 'other' types of security software from being adopted by the big computer security companies and from becoming mainstream, then why are firewalls the exception?" }-

EDIT: As a side note, when you said "I didn't" in the last part of your post, did you mean that you didn't buy a firewall and don't use one?

ErikAlbert
June 11th, 2007, 02:19 PM
-{ Quote: "When I meant firewall, I meant as in "software firewall with outbound traffic control".

A "whitelist" of "all objects" is clearly unfeasible, for reasons that have been pointed out earlier in this thread." }-
I suppose you didn't separate your data files from your system files, like I did.
I have a system partition [C:] = Windows + FDISR + Applications
and a data partition [D:] = personal word/excel files, downloaded files, email, email-address-book, ...
My system partition is protected by a frozen snapshot + Look'n'Stop + Anti-Executable + DefenseWall.
My data partition has nothing but folders and data files.

All objects = any object on my system partition, system files, registry, ... anything on my system partition.
What do you consider as "all objects" ?

Riverrun
June 11th, 2007, 02:27 PM
-{ Quote: "If Anti-Executable (= Anti-Malware) would act IMMEDIATELY for any unauthorized object, I wouldn't need FDISR anymore." }-
I'm following this thread with great interest and even though I don't understand everything, nonetheless, I do get the gist of the various posts. We've mentioned a couple of Erik's 'unauthorised objects' already and it's clear that malware doesn't need an executive extension to penetrate one's defences and do damage, as in the case of exploits and malicious .jpg items. Since whitelisting, useful and all as it is, has its limitations and cannot be extended to cover these kinds of threats, I'm wondering what the best way of dealing with them is.

I suppose possible solutions would lie in the realm of sandboxing, virtualisation and maybe behavior blockers like Cyberhawk.

One thing is clear: AV's themselves are likely to diminish in importance as the years go by and become redundant for the competent user.

Cheers folks.

solcroft
June 11th, 2007, 02:30 PM
-{ Quote: "I suppose you didn't separate your data files from your system files, like I did.
I have a system partition [C:] = Windows + FDISR + Applications
and a data partition [D:] = personal word/excel files, downloaded files, email, email-address-book, ...
My system partition is protected by a frozen snapshot + Look'n'Stop + Anti-Executable + DefenseWall.
My data partition has nothing but folders and data files.

All objects = any object on my system partition, system files, registry, ... anything on my system partition.
What do you consider as "all objects" ?" }-
Now you're confusing me.

If that's your definition of "all objects", then AE will work against them just fine. I thought you were referring to the type of exploits being discussed earlier.

So apparently AE's got you covered. I don't see the point of the fuss.

ErikAlbert
June 11th, 2007, 02:34 PM
-{ Quote: "I'm following this thread with great interest and even though I don't understand everything, nonetheless, I do get the gist of the various posts. We've mentioned a couple of Erik's 'unauthorised objects' already and it's clear that malware doesn't need an executive extension to penetrate one's defences and do damage, as in the case of exploits and malicious .jpg items. Since whitelisting, useful and all as it is, has its limitations and cannot be extended to cover these kinds of threats, I'm wondering what the best way of dealing with them is." }-
Read Ilya's post, exploits can be killed too. :)

Riverrun
June 11th, 2007, 02:39 PM
Hi Erik, I saw Ilya's post but I don't understand it yet. I need to do some more research.

Cheers

Riverrun
June 11th, 2007, 02:40 PM
This thread is an example of what I like so much about Wilders. It educates.

ErikAlbert
June 11th, 2007, 02:49 PM
-{ Quote: "Hi Erik, I saw Ilya's post but I don't understand it yet. I need to do some more research.

Cheers" }-
I don't understand it either. ;D That doesn't matter, because I can learn about it. I learned so many things at Wilders.
I always think in big lines first, then the details. First the forest and then the trees. :)

ErikAlbert
June 11th, 2007, 02:58 PM
-{ Quote: "Now you're confusing me.

If that's your definition of "all objects", then AE will work against them just fine. I thought you were referring to the type of exploits being discussed earlier.

So apparently AE's got you covered. I don't see the point of the fuss." }-
I mentioned exploits as a problem, but Ilya solved that problem. Case closed.
The rest is about whitelists or blacklists and I prefer whitelists.

Whitelists have a future because they are limited to your own computer.
Blacklists will end up in enormous blacklist databases of each scanner on your computer with a very long scan time.

Ilya Rabinovich
June 11th, 2007, 03:16 PM
-{ Quote: "Explaining programs like HIPS or sandboxing may not be hard to explain for someone such as yourself (DefenseWall) but with someone like me (beginner) it's quite complicated to understand, not so much with the sandbox programs but with a HIPS program I'm completely lost." }-

Yes, classical and expert HIPS are quite hard to explain. But I always thought that the sandbox HIPS I produce is easier to explain, even compared with standard dual-bound traffic firewalls (no popups). I.e., the sandbox HIPS model is, for average users, the simplest form of HIPS (I hope).

-{ Quote: "This is what I mean by the real world-people just do not understand certain security programs, yes it can be a PR issue but at the same time some of these programs are not beginner usable." }-

Agree. But, right now, it is mostly a PR problem, as there are HIPS that are for average users.

-{ Quote: "For instance SSM seems to be the HIPS of choice around here but for someone like me that's asking for trouble.
As I mentioned previously without this forum I have no idea what a HIPS program is or what it does or any other behavior blocker, sandbox." }-

SSM is a classical HIPS implementation; it is for geeks only (but not for me, I hate popups!).

-{ Quote: "I went through a lot of trial and error but to be truthful it took one person to lead me in the right direction with the basics of security programs, from there I was basically self taught and to this day I'm still very much the beginner." }-

But what is his source of information?

-{ Quote: "I agree in part with the initial premise, but just because such PR worked that way with anti-virus and anti-spyware software, doesn't mean it will work the same way with other types of security software." }-

Believe me (and my 5 years of shareware experience). No PR, no sales. Nobody will know that there are HIPS systems that an average user can use. Also, according to my experience, there is no difference whether you sell AV, AS, firewall, HIPS, OCR, or a PDF converter; the rules are the same.

-{ Quote: "Namely, just because there was significant PR for firewalls that informed the masses about them doesn't mean the masses understood what exactly a firewall is, how it works, what its purpose is, etc." }-

You will be laughing, but the point is that normal users don't understand what exactly an anti-virus is, how it works, why it is impossible to cure malware modules if they are infected,... I've just read somewhere here that some lady had the Symantec AV installer icon on her desktop (it hadn't been installed!) and thought she was protected because it is SYMANTEC! After the installation was done by another person, she didn't update the anti-virus databases (why? it is an anti-virus by SYMANTEC!, it has to catch all the viruses in the world!). So, my point is: any complex software is really hard to understand for a normal user; they rather remember all the steps somebody tells them to do (constantly update databases, for instance) that need to be done, but will never understand why they do this. This behavior reminds me of a well-trained monkey in a zoo. ;D

-{ Quote: "To an extent, HIPS are similar to firewalls (as elaborated below) and a PR about them would likely have a similar result." }-

Yes, I agree. But is it really bad? I assume that it increases the average defense level and malware production cost.

-{ Quote: "EDIT: As a side note, when you said 'various journalists from magazines have explained me what is it and why I need buy it. I didn't. . .' did you mean that you didn't follow their advice and so don't use a firewall?" }-

I can't say I don't use a firewall, as it came with my new computer's NVIDIA motherboard installation kit; it is here and active (ActiveArmor). But I never simply follow PR; I need to understand what it is, why it is, if I really need it, is it suitable for me, can I write it better,..... As long as I had a dial-up Internet connection, I had no need for a firewall and I didn't use one.

Ilya Rabinovich
June 11th, 2007, 03:22 PM
-{ Quote: "I don't understand it either." }-

All is simple. Hardware DEP switches on the NX/XD bit that marks data memory pages as non-executable. This prevents stack, data and heap exploits from proper execution. This scheme could be broken with a return-into-libc attack, but ASLR makes this really hard (one needs to guess new addresses for exploit data, system functions,...).

bellgamin
June 11th, 2007, 03:37 PM
-{ Quote: "SSM is a classical HIPS implementation, It is for geeks only (but not for me, I hate popups!)." }-
Slamming a competitor's software is not right IMO. I hope this thread doesn't evolve into criticism & promotion of specific products.

Having said that, I cannot let this misleading comment (i.e., "for geeks only") go unanswered. I am not a geek & I use SSM. Neither is my 9-year-old great-granddaughter a geek, & she uses SSM. Neither are the high school students in my business math class geeks, yet they readily use & configure computers protected by SSM. As to pop-ups, they are rare (& VERY useful) after exiting SSM's learning mode.

walking paradox
June 11th, 2007, 03:47 PM
-{ Quote: "Believe me (and in my 5-years shareware experience). No PR- no sells. Nobody will know that there are HIPS systems that average user can use. Also, according my experience- there is no difference if you sell AV, AS, firewall, HIPS, OCR, or PDF converter- the rules are the same." }-
I think you somewhat misunderstood what I was saying. As a general rule, PR drives sales; no PR = little or no sales. That's a given and is not in contention. One of my points was that a PR campaign about HIPS would have a similar result as the PR campaign for firewalls, as in the masses would be informed about the existence of such security software and that they should probably use it, but most wouldn't know how it works or how to use it properly. What matters here isn't that the masses know how security software works, but rather that they know how to use it properly. Granted, to some extent learning how security software works is instrumental in learning how to use it properly, but when concerning the masses, informing them about the nature of security software such as HIPS, as in how it works on a technical level, is an act in futility.

-{ Quote: "So, my point is: any complex software is really hard for understanding for normal user, it rather remember all the steps somebody tell him to do (constantly update databases, for instance) that need to be done, but will never understand why he do this. This behavior reminds me just well-trained monkey in zoo." }-
Sadly this is the nature of the computer security market, at least with regards to the masses, and will continue to be so for at least several generations. As newer generations grow up surrounded by computers, they will increasingly be more familiar and comfortable with computers in general, and thus more capable and willing to acquire the necessary know-how to secure their computers.

-{ Quote: "Yes, I agree. But if it is really bad? I assume that it is increase average defense level and malware production cost." }-
Not sure what you mean here. I never said or meant to imply that a PR campaign or its effects would be bad in any way.

walking paradox
June 11th, 2007, 03:51 PM
-{ Quote: "Slamming a competitor's software is not right IMO. I hope this thread doesn't evolve into criticism & promotion of specific products.

Having said that, I cannot leave this misleading comment (i.e., "for geeks only") go unanswered. I am not a geek & I use SSM." }-
I think you are reading too much into Ilya's comment. All he was trying to convey was that classical HIPS such as SSM require more user input and that proper use of such software requires relatively significant know-how regarding computers and computer security and that people that have said know-how are commonly referred to as 'geeks'.

bellgamin
June 11th, 2007, 04:19 PM
-{ Quote: "I think you are reading too much into Ilya's comment. All he was trying to convey was that classical HIPS such as SSM require more user input and that proper use of such software requires relatively significant know-how regarding computers and computer security and that people that have said know-how are commonly referred to as 'geeks'." }-
"Geek" is a misleading & somewhat insulting term to use for computer enthusiasts. See Merriam-Webster Dictionary's definition HERE (http://www.webster.com/dictionary/geek).

Using such words as "only for geeks" in reference to a competing program can unfairly discourage purchase or trial.

ronjor
June 11th, 2007, 04:30 PM
Let's stick to the concept being discussed here in this thread rather than specific programs and what computer users should be named.

If anyone is offended by the terminology used by anyone in their posts, use the "report bad post feature" rather than drag this thread off topic.

Any off topic posts may be removed at anytime.

ccsito
June 11th, 2007, 06:27 PM
A lot of diverging opinions regarding AV, whitelisting, firewalls, and security programs. Each user is coming from a different background and level of expertise and I will offer my personal view of the original post based on my personal and corporate use history.

1) Personal - I read some computer magazines and have a Computer Science degree (before the age of the WWW). The first AV program (DOS based) that I used was something called SCAN.EXE (which I think is a precursor to McAfee VirusScan). I have used that and several other AV programs and then later added a Firewall based on computer articles and newspaper reviews. I have read much about antispyware programs but have used them sparingly. The vast majority of users will remain with AV and firewalls until PC vendors stop loading them onto hard drives or they become abandoned en masse (much like the Netscape browser).

2) Corporate - Security is determined by system administrators for all workstations. Right now, only AV resides on all corporate machines. Communication traffic is regulated by corporate servers. There are no antispyware applications used, nor are any planned for the future. Most users are not expected to reply to "stupid alerts" and the thousands of users would not put up with it.

The security landscape can change drastically, but I am not going to hold my breath waiting for it to happen. :-X

ronjor
June 11th, 2007, 08:54 PM
Interesting blog by Kurt Wismer. He is quite active on the Usenet and Web.

the slow death of someone's credibility (http://anti-virus-rants.blogspot.com/2007/06/slow-death-of-someones-credibility.html)

Franklin
June 11th, 2007, 09:50 PM
Taken from Ronjor's link:
-{ Quote: "so should anyone take him seriously when he says whitelisting is better than av and that it's going to replace av? no, because whitelists are not going to replace blacklists, whitelists aren't better than blacklists, they're just different from blacklists... whitelists don't have the same weaknesses blacklists do just as blacklists don't have the same weaknesses that whitelists do... the notion that we would or should use only one type of technology to protect ourselves from malware is antiquated and fundamentally broken - there is no silver bullet, no panacea, and if you don't employ a multi-layered strategy (aka defense in depth) then you're just setting yourself up for unnecessary failure... i have to wonder, when av technology is still here 10 years from now, will robin bloor be eating crow or will he still be forecasting av's death like some inverted version of monty python's parrot skit..." }-
Whitelist/blacklisting seems to be the only things mentioned in the article.

Sandboxing/Virtualisation/Snapshots and imaging are viable additions to a security setup.

As for the magic silver bullet for a non Wilders visiting normal user, Defensewall would be my choice.
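The whitelist-versus-blacklist argument running through Erik's "whitelists are limited to your own computer" post, Riverrun's point that a malicious .jpg is not an executable object, and the Kurt Wismer quote above ("whitelists don't have the same weaknesses blacklists do") can be made concrete with a small decision model. The following is an added example written for this thread; it is not code from Anti-Executable, FDISR, DefenseWall or any other product mentioned here, and every path, hash and file content in it is constructed for illustration.

```python
"""Allowlist (whitelist) versus denylist (blacklist) execution control.

Added example for this thread; not code from any product discussed here.
Every path and file content below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

# Extensions treated as "executable objects" (the scope of Erik's "actual AE").
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd"}


@dataclass(frozen=True)
class FileObject:
    path: str
    content: bytes  # constructed placeholder bytes, not a real binary

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

    @property
    def is_executable(self) -> bool:
        dot = self.path.rfind(".")
        return dot != -1 and self.path[dot:].lower() in EXECUTABLE_EXTENSIONS


def allowlist_decision(obj: FileObject, allowlist: set[str]) -> str:
    """Anti-Executable style: only hashes enumerated on this machine may run.
    A data file is never "executed", so execution control has nothing to say
    about it (Riverrun's malicious .jpg case)."""
    if not obj.is_executable:
        return "n/a"
    return "allow" if obj.sha256 in allowlist else "deny"


def denylist_decision(obj: FileObject, denylist: set[str]) -> str:
    """Signature-scanner style: anything passes unless its hash is known bad.
    A scanner can carry a signature for a data file too, so no "n/a" here."""
    return "deny" if obj.sha256 in denylist else "allow"


# Constructed sample objects (contents are placeholders, hashes are of those).
KNOWN_GOOD_EXE = FileObject(r"C:\Windows\notepad.exe", b"constructed: notepad")
KNOWN_BAD_EXE = FileObject(r"D:\downloads\invoice.exe", b"constructed: known dropper")
UNKNOWN_EXE = FileObject(r"D:\downloads\newtool.exe", b"constructed: never seen before")
KNOWN_BAD_JPG = FileObject(r"D:\downloads\card.jpg", b"constructed: jpg with known exploit")
UNKNOWN_BAD_JPG = FileObject(r"D:\downloads\photo.jpg", b"constructed: jpg with new exploit")

# The allowlist is bounded by what is installed on *this* machine (Erik's point);
# a vendor denylist grows with every sample the vendor has ever seen.
ALLOWLIST = {KNOWN_GOOD_EXE.sha256}
DENYLIST = {KNOWN_BAD_EXE.sha256, KNOWN_BAD_JPG.sha256}


def simulate() -> dict[str, tuple[str, str]]:
    """Return {path: (allowlist verdict, denylist verdict)} for each sample."""
    samples = [KNOWN_GOOD_EXE, KNOWN_BAD_EXE, UNKNOWN_EXE, KNOWN_BAD_JPG, UNKNOWN_BAD_JPG]
    return {
        o.path: (allowlist_decision(o, ALLOWLIST), denylist_decision(o, DENYLIST))
        for o in samples
    }


if __name__ == "__main__":
    for path, (wl, bl) in simulate().items():
        print(f"{path:<28} allowlist={wl:<5} denylist={bl}")
```

The interesting rows are the two unknowns: the never-seen executable is denied by the allowlist and passed by the denylist (whether it is a new legitimate tool or a zero-day dropper, the lists cannot tell), while the .jpg carrying a new exploit is passed by the denylist and is simply outside the allowlist's scope, which is why the thread turns to DEP, sandboxing and snapshots for that class of threat.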

BlueZannetti
June 12th, 2007, 06:55 AM
-{ Quote: "Sandboxing/Virtualisation/Snapshots and imaging are viable additions to a security setup.

As for the magic silver bullet for a non Wilders visiting normal user, Defensewall would be my choice." }-
Franklin,

Any user, casual or advanced, may still be faced with the question of whether downloaded content is potentially malicious or not. Given that malicious and non-malicious programs can exhibit similar behaviors, the control of behavior is not necessarily a panacea. Ultimately a user needs to be able to assess whether file X is malicious or not and there's really only three paths to that answer:
1) Run it and observe over an extended timeframe. This is ambiguous if the malware is a sleeper.
2) Learn enough coding to reverse engineer the executable. Not practical.
3) Take advantage of the expertise of professionals who can reverse engineer the executable to make an independent assessment. In other words, use a classical blacklist AV as a screening tool.
The last option is really the only one feasible in a large and heterogeneous user base and as long as content can be downloaded and used, my personal opinion is that this will always be true. Now, that classical blacklist may need to be augmented to reflect current challenges floating around, and that short list of viable additions you mention are certainly potential avenues for anyone to explore.

Proclamations such as that leading off this thread or the Robin Bloor piece, that the classical AV is effectively dead, are ludicrous and something that even extensive user education will not change.

Finally, there are no silver bullets now, and there never will be as long as the motivation to perform malicious deeds is present.

Blue

bigc73542
June 12th, 2007, 08:32 AM
BlueZannetti, I have to agree with you 100%. I don't believe that conventional AV's will just cease to be effective, But with the addition of new technologies will continue to be a valuable security tool.

bigc

Rmus
June 12th, 2007, 12:08 PM
-{ Quote: "Take advantage of the expertise of professionals who can reverse engineer the executable to make an independent assessment. In other words, use a classical blacklist AV as a screening tool." }-
I would add the option of using one of the on-line sites employing multiple scanners [my method when I'm not sure about a downloaded file]. Probably as up to date as your own AV product would be.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier

Miyagi
June 12th, 2007, 10:47 PM
-{ Quote: "
Many companies have tried to market better solutions in the past - including ones based on integrity checking. For instance, Dr. Fred Cohen had a product he was calling "integrity shell" (essentially an on-access integrity checker), there was a product called Integrity Master, and many others." }-
If any of you have the book (http://www.amazon.com/exec/obidos/ASIN/0321304543/na8ayth4o-20) by Peter Szor - The Art of Computer Virus Research and Defense, look at page 484 about integrity checker. Peter too mentions the disadvantages...

Ilya Rabinovich
June 13th, 2007, 05:35 AM
-{ Quote: "Slamming a competitor's software is not right IMO. I hope this thread doesn't evolve into criticism & promotion of specific products." }-

I MEANT NO SLAMMING! In fact, I think that SSM is really good in its niche! I just wanted to say that SSM and PG are still 2003-2004, but those types of product are still not mainstream. The reason for that is that those types of products require a lot of technical knowledge from their users, so this niche is usually called "for geeks".

-{ Quote: "One of my points was that a PR campaign about HIPS would have a similar result as the PR campaign for firewalls" }-

I agree.

-{ Quote: "As newer generations grow up surrounded by computers, they will increasingly be more familiar and comfortable with computers in general, and thus more capable and willing to acquire the necessary know-how to secure their computers." }-

There still will be some "technically idiotic" people who will be good in other fields of human activity (literature, music,...), but yes, the common knowledge level will increase dramatically.

Ilya Rabinovich
June 13th, 2007, 05:39 AM
-{ Quote: "Ultimately a user needs to be able to assess whether file X is malicious or not and there's really only three paths to that answer" }-

You've missed one more point here: send it to anti-virus laboratory for human expertise. I don't believe in AV scanners too much (false positives, false negatives), but human expertise gives more reliable mark as you may send sample to many labs.

Peter2150
June 13th, 2007, 09:01 AM
Ilya

You and several other vendors are working hard to idiot-proof security software, and I suppose that is a good thing. The only problem is the idiots don't or won't acknowledge the need and won't use them.

Same thing as backup. I had a friend who lost her disk drive, and she was complaining the machine was just out of warranty. She also lost her family photos. I offered to help her learn to back up so it wouldn't happen again. Her response: "No, I don't need to, now that I have the new drive." Hello...

Pete

walking paradox
June 13th, 2007, 10:31 AM
-{ Quote: "The only problem is the idiots don't or won't acknowledge the need and won't use them." }-
Well, if by 'idiots' you mean the computer-illiterate masses we've thus far been referring to, then I have to partially disagree with you. Obviously the vast majority of the so-called 'idiots' don't use HIPS, as such software is currently reserved for those with some interest and know-how in computer security. However, as Ilya has pointed out, a PR campaign by the computer security firms would raise awareness and usage of HIPS software, even if many of those 'idiots' would neglect or improperly use it. There will always be those among the 'idiots' that refuse to acknowledge the need for various security software and forgo using it, but that isn't any different between the various types of security software.

LUSHER
June 13th, 2007, 11:13 AM
Can someone address ErikAlbert's proposal. It seems to be fool-proof.

Don Pelotas
June 13th, 2007, 12:26 PM
-{ Quote: "Can someone address ErikAlbert's proposal. It seems to be fool-proof." }-
Why do you need it addressed if you believe it to be fool-proof?

walking paradox
June 13th, 2007, 12:45 PM
-{ Quote: "Why do you need it addressed if you believe it to be fool-proof?" }- He said it seems fool-proof, he didn't say whether he believes it is fool-proof, don't confuse the two. Regardless, that shouldn't really matter. He is interested in a particular subject somewhat related to the topic of this thread and is asking for others input on the matter so that he can gain a better understanding of it. I don't get why you are questioning his motive or reasoning for seeking further information about this.

Antarctica
June 13th, 2007, 12:47 PM
-{ Quote: "Can someone address ErikAlbert's proposal. It seems to be fool-proof." }-

I don't think there is anything like a "fool-proof" security protection. Everybody would be using it if it existed. ;)

walking paradox
June 13th, 2007, 01:12 PM
-{ Quote: "I don't think there is anything like a "fool-proof" security protection. Everybody would be using it if it existed. ;)" }-
While I agree that, as far as I know, there is currently no foolproof security setup, and agree that in principle when concerning computers it is highly unlikely for an entirely foolproof security setup to exist, there is still the possibility for one to emerge (it would likely have to come in the form of an inherently secure OS rather than third-party programs). The idea presented by Erik is an attempt towards such a setup; whether it is viable or not has yet to be determined. But just because his goal (a foolproof security setup) is implausible doesn't mean it's not possible, and more importantly doesn't mean ideas toward that end, such as the one Erik suggested, shouldn't be discussed.

Antarctica
June 13th, 2007, 01:29 PM
-{ Quote: "But just because his goal (foolproof security setup) is implausible, doesn't mean its not possible and more importantly doesn't mean ideas toward that end, such as the one Erik suggested, shouldn't be discussed." }-

But I never said it shouldn't be discussed.;)

Don Pelotas
June 13th, 2007, 01:36 PM
-{ Quote: "He said it seems fool-proof, he didn't say whether he believes it is fool-proof, don't confuse the two. Regardless, that shouldn't really matter. He is interested in a particular subject somewhat related to the topic of this thread and is asking for others input on the matter so that he can gain a better understanding of it. I don't get why you are questioning his motive or reasoning for seeking further information about this." }-
I wasn't questioning his motives, that's your interpretation. Thanks for the English lecture though. :)
-{ Quote: "I don't think there is anything like a "fool-proof" Security Protection. Everybody would be using it if it existed. ;)" }-
No, of course there isn't, that would be next to impossible, but you can of course try to make it as difficult as possible. Not many would be able to use the "Eric Albert method" even if he or even I don't think it's too difficult; most would not be interested in the learning curve which would be involved. Only when other tools (read suites, most ordinary users want no more than 1 or 2 security tools on their pc............and that's stretching it in some cases!) have become very easy to operate will these perhaps become more mainstream, but this will only happen when these technologies are mature enough regarding user-friendly operation and at that time it will be the same big companies taking the market like they own it now..............with a few exceptions of course, either by buying an existing program like for example Ilya's or developing it themselves. Like the Inspector, I really doubt this will happen anytime soon, but I think it will be more of a gradual transformation of the traditional anti-viruses.............and this has already started btw.

walking paradox
June 13th, 2007, 01:37 PM
-{ Quote: "But I never said it shouldn't be discussed.;)" }-
I never said or meant to imply that you said that. I meant it in a generalized sense. My apologies if I wasn't clear. Now let's stop with this side discussion about discussing a particular subject within this overall discussion and get back to discussing the substance of this overall discussion. ;D

Perman
June 13th, 2007, 01:38 PM
Hi, folks; The battle between the traditional (blacklist, signature-based) AV and the revolutionary (whitelist, non-signature) one is, in an average Joe's perspective, one similar to this situation: Suppose I will throw a party, I will have two options to screen the guests who will appear at the door step. Method#1, keeping a guest list, and checking each arrival against the LIST or Method#2, sending out messengers to inform those whose names are not on the LIST, not bothering to come. With a grade school pupil's IQ, which method is more feasible? Just think, think and think. Of course, the general public, I mean average joe/jane, need to be reminded to unearth their logical (reasoning) ability. Just a loonie thought.

Escalader
June 13th, 2007, 02:44 PM
-{ Quote: "Hi, folks; The battle between the traditional (blacklist, signature-based) AV and the revolutionary (whitelist, non-signature) one is, in an average Joe's perspective, one similar to this situation: Suppose I will throw a party, I will have two options to screen the guests who will appear at the door step. Method#1, keeping a guest list, and checking each arrival against the LIST or Method#2, sending out messengers to inform those whose names are not on the LIST, not bothering to come. With a grade school pupil's IQ, which method is more feasible? Just think, think and think. Of course, the general public, I mean average joe/jane, need to be reminded to unearth their logical (reasoning) ability. Just a loonie thought." }-

Hi there Perman!

I hit this thread and can see it is way more fun than mine on how to optimize various FW's.

On this loonie thought of yours, I get these as well, but yours may not be so loonie since it gets people thinking :thumb:

On 1st blush I was swayed by method 2 since it involved exploring on a grand scale, (only kidding). But if there was a way to set up a set of criteria that party comers would have to meet, then enforce it 100%, the issue would be over. It reminds me of a story I heard describing the perfect job ad. It would be written so only 1 person would respond, and that was the perfect candidate!

Problem is that people don't follow the rules and send in resumes anyway, some were poets and politicians but we wanted an assembler programmer to work on OS development.

The bad guys don't and won't follow my filter rules and will send me their nasty packets anyway! Thus I need a gate keeper or better a moat, a draw bridge, an iron gate and boiling oil to pour on these parasites in packets should they survive the moat.

That brings us to method 1 the guest list... hmm this could be problematical as well, like say gate crashers wearing packet costumes. Even without them suppose some have come to the wrong address and have matching id's to the guest list. Who produced and maintained this list anyway? Is it accurate, complete? Let's say you invite me but I get mugged by my evil twin who finds the invite, oh was there an invite sent out? Hope they didn't fall into the wrong hands.... problems problems will it never end?

I propose a layered defense, first the moat (HW FW) then the guard house SW FW where the guest (packet) has to pass a set of skill testing questions that only a valid guest would know, who invited them, prove they are who they say they are (blood samples are good) and then get strip searched for nasties hidden in their packets (AV). If they pass that, then I put them in a fake guest waiting room just like the real party (but it isn't) and watch them with security cameras and subject them to tempting treats. If they misbehave as some will then I remove them from the fake party and either put them in the dungeon for later consumption by the castle beast or simply pour boiling oil over them. I would then ban all their relatives, friends and associates and any facilitators who helped them find their way to my castle. Their home base would also be wiped out.

Then after proving their worth I let them in but have a shadow on them anyway. If they make 1 false move they join their friends in the dungeon.

QED

lucas1985
June 13th, 2007, 02:51 PM
-{ Quote: "You've missed one more point here: send it to anti-virus laboratory for human expertise. I don't believe in AV scanners too much (false positives, false negatives), but human expertise gives more reliable mark as you may send sample to many labs." }-
Well, people at viruslabs are always busy, so a quick response isn't always feasible. Jotti/Virustotal provide a good enough analysis to determine the nature of a given file.
-{ Quote: "You and several other vendors are working hard to idiot proof security software, and I suppose that is a good thing." }-
This is the technical challenge.
-{ Quote: "The only problem is the idoits don't or won't acknowledge the need and won't use them." }-
This is the PR/marketing challenge. Publicity sells necessities. It doesn't matter if they're real necessities or emotional/status necessities.

Perman
June 13th, 2007, 03:25 PM
Hi, folks; Marketing/PR in cyber space, especially in the security sector, is more confined to targeting the right targets. You can conduct a survey asking any passerby on main street this question: do you ever read PC mag / or ever visit Wilders'? I can bet you one loonie, the majority of respondents will say NAY. So who is going to convey these marketing messages to the general public? The answer can be found in this day-to-day life style. Can I ask how many of you (of course including our female friends here) have ever read a Beauty/Hair Mag? When you visit a barber/beauty shop, do you have an absolutely clear idea how to make your hairdo look better? Probably not, therefore you rely on your barber/hairstylist's suggestions entirely, and these professionals do read those trade mags. Therefore, for this new revolutionary approach to be successful, app devs need to bring the majority of computer experts (who have the opportunity of meeting the general public on a frequent basis) onto their side. Anything short of that is just a day dream. Again just my loonie sense, eh?

Pedro
June 13th, 2007, 04:50 PM
-{ Quote: "Hi, folks; The battle between the traditional (blacklist, signature-based) AV and the revolutionary (whitelist, non-signature) one is, in an average Joe's perspective, one similar to this situation: Suppose I will throw a party, I will have two options to screen the guests who will appear at the door step. Method#1, keeping a guest list, and checking each arrival against the LIST or Method#2, sending out messengers to inform those whose names are not on the LIST, not bothering to come. With a grade school pupil's IQ, which method is more feasible? Just think, think and think. Of course, the general public, I mean average joe/jane, need to be reminded to unearth their logical (reasoning) ability. Just a loonie thought." }-
Perman, I only wish you could use paragraphs to write your posts. ;D
That's a nice comparison, and I'd expand it.

People who don't care to make a guest list, call the police to at least stop known criminals from getting in (AV). If one decides to take it seriously, they bother to make a list, or criteria to allow people in. It's a bigger task, but effective.

Now, there's those jokers that crash in anyway (exploits?), going in through the window (buffer overflows lol). If you have locks in the window (DEP+ ASLR), you're pretty much OK. All you have to do now is make sure your list/criteria is the correct one (clean software is chosen). The fallback is to call the police anyway (AV), since it's the best way you have to get the bad.
-{ Quote: "Therefore, for this new revolutionary approach to be successful, app devs need to bring the majority of computer experts (who have the opportunity of meeting the general public on a frequent basis) onto their side. Anything short of that is just a day dream. Again just my loonie sense, eh?" }-
Very insightful. I think it's true. The perfect example is the AV that comes with the computer, traded only for the AV the guy in the local shop recommends.

FanJ
June 13th, 2007, 10:19 PM
Please allow me to ask what exactly is meant by white/black listing?
How does it work?

A few possibilities:

1.
Every time before any file is executed first a connection is made to a site to check whether it is white/black listed.

2.
Frequently a white/black list is downloaded to your PC (just like an AV updates its definitions onto your PC), and then every time before any file is executed first that file is checked whether it is white/black listed.

3.
You build your own "white/black list".
Possibilities for example (just only examples!): Process Guard or an on-demand file-integrity-checker.

4.
Any combination of the previous ones.

5.
Something else ?

=====

If it is about 1 or 2:

How are those files identified?
By name, MD5 checksum, full path ?

Are you aware that there are completely legitimate security programs that:

a.
by every update don't change the name of their main .exe file, while its checksum is changed.

b.
have a different name for their main .exe file for every user who bought it.

=====

Again, have you thought about all the different language versions, the version-numbers of the programs themselves, the Windows/other-OS versions for them, the path they are installed to?

=====

Have you thought about the Windows updates, the hotfix (un)installers, and about how CCleaner handles those hotfix (un)installers (if you checked that option in CCleaner)?

=====

I could go on ....
But I leave it for that for now.

I do believe that there is certainly a place for white/black lists (otherwise I wouldn't have posted in the past about NISFileCheck, ADinf32 Pro, the CRC32 feature in TDS-3).

It all depends what exactly is meant by white/black lists and how they work.

But I don't believe that AV's are "dead".

I still think that you yourself have to check whether a file-change or new file is legitimate or not. Blue posted already about that.

You are completely free to call me a guy from the past ;)
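
To make the identification question above concrete, here is an added example (not FanJ's code and not any of the products named in the thread) of a self-built whitelist of the kind in option 3: entries are keyed on full path plus SHA-256, so a program that keeps its file name but changes its checksum on every update (case a. above) is reported as "changed" and has to be re-approved, while a name-only list would pass it and anything else reusing an approved name. The file set and its contents are constructed placeholders.

```python
"""Added example (not FanJ's code or any named product): a self-built
whitelist keyed on full path + SHA-256, contrasted with a name-only list."""
import hashlib
from pathlib import PureWindowsPath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_whitelist(files: dict) -> dict:
    """`files` maps full path -> file content. Returns path -> SHA-256 hex."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_against_whitelist(whitelist: dict, files: dict) -> dict:
    """Classify the current file set against an approved baseline.

    Returns {'unknown': [...], 'changed': [...], 'missing': [...], 'ok': [...]}.
    'changed' is FanJ's case a.: same name and path, different checksum.
    """
    result = {"unknown": [], "changed": [], "missing": [], "ok": []}
    for path, content in files.items():
        if path not in whitelist:
            result["unknown"].append(path)
        elif whitelist[path] != sha256_hex(content):
            result["changed"].append(path)
        else:
            result["ok"].append(path)
    result["missing"] = [p for p in whitelist if p not in files]
    return result


def approve(whitelist: dict, files: dict, paths) -> dict:
    """Re-approve specific paths once the user has verified the change
    (for example a vendor update). Returns a new baseline."""
    updated = dict(whitelist)
    for path in paths:
        updated[path] = sha256_hex(files[path])
    return updated


def name_only_verdict(whitelist: dict, path: str) -> bool:
    """The weaker scheme: allow anything whose file name matches an
    approved file name, ignoring both checksum and directory."""
    approved_names = {PureWindowsPath(p).name.lower() for p in whitelist}
    return PureWindowsPath(path).name.lower() in approved_names


# Constructed sample file system (contents are placeholders, not real binaries).
BASELINE_FILES = {
    r"C:\Program Files\ScannerX\scanx.exe": b"scanx build 1.0 placeholder",
    r"C:\Windows\System32\notepad.exe": b"notepad placeholder",
}
WHITELIST = build_whitelist(BASELINE_FILES)

# Later state: scanx.exe updated in place (same name, new checksum), and a
# different file reusing an approved name in another directory.
CURRENT_FILES = {
    r"C:\Program Files\ScannerX\scanx.exe": b"scanx build 1.1 placeholder",
    r"C:\Windows\System32\notepad.exe": b"notepad placeholder",
    r"C:\Users\Public\notepad.exe": b"something else entirely",
}

if __name__ == "__main__":
    report = check_against_whitelist(WHITELIST, CURRENT_FILES)
    for category, paths in report.items():
        print(category, paths)
    # The name-only scheme accepts the stray notepad.exe; the hash scheme does not.
    print("name-only accepts stray file:",
          name_only_verdict(WHITELIST, r"C:\Users\Public\notepad.exe"))
```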

ErikAlbert
June 14th, 2007, 12:27 PM
Hi guys,
I could do two things :
1. A classical security setup like anybody else, but I know the pros and cons of such setup already.
2. Another security setup, based on whitelists and recovery, one that nobody has or wants, except a few members.
The first one is well-known and the second one was as good as unknown and worth trying, so I chose the second one because the first one was OLD news.
I only wanted to know how hard it was to work with the second setup.

One thing is sure : more and more members start using immediate recovery software, like FirstDefense-ISR, RollbackRx, Deep-freeze, ShadowUser, PowerShadow, Returnil, ..., not as security software, but MAINLY as recovery software to keep their computer clean and trouble-free. AFAIK most of these users are still using a classical security setup, including blacklist scanners.

I'm using an extreme form of FDISR, called frozen snapshot and I ditched all my blacklist scanners, because I don't need them to REMOVE infections.
Only the real-time shield of a main scanner could still be useful for me, because it prevents installation of infections.

All scanners on demand are completely useless, because my frozen snapshot does a
1. faster job, because it takes less than 2 minutes to clean my system partition.
2. complete job, because it removes all infections as hard disk changes, which means no missing signatures and no false positives.

The main problem with such a security setup is keeping also the GOOD changes. A minor problem is that you have to change your habits and procedures, because they are different from a classical security setup and who wants to change his habits ? :)

Pedro
June 14th, 2007, 01:05 PM
FanJ, I'm referring to building your own whitelist. With NoScript and SSM for instance. Or AE in Erik's case.
I've asked in a thread what can go through execution prevention, some of that is answered here, exploits. Good answers, but they seem incomplete to someone like me who wants to get the big picture.
It also seems to take a thread "Antivirus is DEAD" to summon the experts. heh

But, note, I did not throw away my AV. The computer is not a disco club, so the "guest list" comparison falls short of course.
I do not know when/if i can make a mistake, or if i even have to.

nicM
June 17th, 2007, 10:14 AM
Another input on that matter : http://ssta.over-blog.fr/article-10389932.html

KAV is the one to follow, so far, in the implementation of HIPS/behaviour blocker into a "traditional" blacklist AV.

Coming from the other side (HIPS, which later integrated an AV engine), Online Armor 2 is taking the same way: to give users a "second chance" whenever the blacklist part of the program doesn't actually protect (none of the blacklist programs are 100% in detection at a given moment).

As for the statement "AV are dead", I do not think so : They're just one part of the layered defense strategy, discussed many times on this forum.

bontchev
June 27th, 2007, 01:46 AM
Another crappy article on the same subject, by the same author:

The decline of antivirus and the rise of whitelisting (http://www.theregister.co.uk/2007/06/27/whitelisting_v_antivirus/)

I've already sent them my comments.

Regards,
Vesselin

bontchev
June 27th, 2007, 02:03 AM
-{ Quote: "All scanners on demand are completely useless, because my frozen snapshot does a
1. faster job, because it takes less than 2 minutes to clean my system partition.
2. complete job, because it removes all infections as hard disk changes, which means no missing signatures and no false positives." }-
Removes all hard disk changes?! You gotta be kidding me. Such a computer is completely unusable - you can't create documents, you can't even play games, because you can't save your game.

Perhaps you meant "removes all changes to executable files". Which leaves us with a few problems:

How do you know which files are executable? As was already explained here, a Word document can cause execution of malicious code. How do you know that your machine is not already infected? I mean, before you "froze" it. How do you install new software? Because if you're totally forbidden from installing new software, that's not a very useful machine. How do you approve changes? If you do install new software, you have to mark the changes as "approved" somehow. How do you know that you aren't installing malware - which your system will prevent you from removing later, because it will keep restoring the approved changes? How well do you think the average user is going to answer the above questions?

Yes, snapshots are a useful tool to prevent infection. I've used them myself. But they require an expert (to intelligently approve changes, to maintain many snapshots after every software install, so that virtually any previous state can be restored, and so on) - and even an expert makes mistakes occasionally. For the average user, this is a hopeless malware prevention measure.

Regards,
Vesselin

Inspector Clouseau
June 27th, 2007, 03:40 AM
-{ Quote: "For the average user, this is a hopeless malware prevention measure." }-

*THAT* is exactly *THE* point. And if user education would ever work then we wouldn't even need any security software, regardless of whether it's called whitelisting, antivirus or firewall.

FRug
June 27th, 2007, 03:42 AM
Also keep in mind that a snapshot won't prevent your private data being sent out to the net (be it passwords, logged keystrokes, your webcam stream or whatever else), nor will it prevent your system being used as a spam bot (at least until reboot or whenever the snapshot gets applied).

Snapshots are BACKUPS, not a prevention mechanism.

bontchev
June 27th, 2007, 03:51 AM
-{ Quote: "AFAIK an exploit takes advantage of a legitimate executable to do its evil job." }-
True.

-{ Quote: "So there must be another evil object to make that possible and such evil object can be stopped also as an unauthorized object." }-
False. In general, that "other object" could be something seemingly legitimate and often-used - like a Word document. You can't block these on principle (because you'll make the system unusable) - and the exploit doesn't have to rely on dropping and running an executable (which you can block).

-{ Quote: "AE should block any unauthorized object in the system partition (Windows + Applications)." }-
Unauthorized objects running on non-system partitions can cause plenty of damage, too.

Regards,
Vesselin

bontchev
June 27th, 2007, 04:03 AM
-{ Quote: "Is there a quick and reliable procedure to find executable code in a file?" }-
In a word - no.

-{ Quote: "Because all exploits contain executable code, right?" }-
Right - but that's not of much help. You see, one of the basic principles of von Neumann computers (which is what all contemporary computers are) is the equivalence between code and data. One program's data is another program's code. Is some JavaScript text executable or not? It's data for Notepad - but it's program for Internet Explorer.

You can't predict in advance that some sequence of symbols won't be "executable code" in some environments. In fact, this is what many exploits misuse - they use special values in what is supposed to be data fields for vulnerable applications, causing buffer overflows and having these values executed as code.

Regards,
Vesselin

bontchev
June 27th, 2007, 04:11 AM
-{ Quote: "Is there a way to find such shellcode in a given file?" }-
In general - no, there isn't.

It can be done in every particular case, of course - if you know the file format, if you know what the exploit abuses, etc., then it's usually pretty easy to locate where the shellcode is. But that's no better than known-virus scanning. In the general case (file with unknown format, 0-day exploit for an unfamiliar application), you're left without a clue.

The only way to do it is run the application under a debugger, have it open the file with the exploit and see what happens, why, and where is the code that causes it. Believe me, that's no fun.

Regards,
Vesselin

bontchev
June 27th, 2007, 04:22 AM
-{ Quote: "A better statement would have been: White Listing is denying by default the running of *any* executable not on the White List. It's sole purpose for me and those I help is to prevent the unexpected." }-
Then Mike's other points still stand. :) There is no easy way of preventing execution of malicious code without making the system unusable (e.g., by preventing access to documents and pictures). And the average user is not qualified to maintain a local WhiteList.

-{ Quote: "In fact, this was discussed in another forum during the period of the .wmf exploit, and someone crafted a .wmf file with shell code which, when allowed to run, launched calc.exe.

However, I am not aware that this technique ever surfaced in a real exploit. Everyone I saw reported, launched a trojan executable." }-
Well, that's precisely the technique, isn't it? An exploit launching an external executable - it doesn't really matter whether it is calc.exe or a Trojan. That's easy to block. But there are alternative ways. The shellcode can cause damage all by itself (e.g., delete your files) - without launching any external executables.

-{ Quote: "In practice, many of the faculty and students I referred to have both a White List solution which will prevent the dropping|extracting|launching of any executable code not already on the computer; and an AV which hopefully will take care of other situations." }-
Yes, a combination of the two is viable - provided that the whitelist part can be tolerated or enforced. Sadly, in many environments this isn't the case.

-{ Quote: "However, from my experience with the above -- especially with real drive-by downloads, I am not optimistic about their effectiveness." }-
The bad guys use this approach because it works well against the AV programs most people are using. If most people start using whitelisting, the bad guys will switch to methods of attack that work well against them.

Regards,
Vesselin

bontchev
June 27th, 2007, 04:39 AM
-{ Quote: "- Most executables are identified by the MZ header, usually at the beginning of the file." }-
False. An MZ header identifies only EXE files, it has to be at the very beginning and it can be "ZM" too. There are many other kinds of executables.

-{ Quote: "- Encrypted executables and files containing shellcode can not be identified without a Ph.D in assembler ;)" }-
False. Detecting that an executable is encrypted (or packed) is actually pretty trivial most of the time. Just ZIP it. If the compression ratio is small (i.e., the executable doesn't compress well), then it is either encrypted or compressed (or both).

The real difficulty is in determining what is executable and in finding the shellcode in a data file that contains an exploit. The first is impossible in the general case (due to the von Neumann principle) and the second requires a lot of knowledge and experience.

Regards,
Vesselin

Inspector Clouseau
June 27th, 2007, 04:41 AM
-{ Quote: "The bad guys use this approach because it works well against the AV programs most people are using. If most people start using whitelisting, the bad guys will switch to methods of attack that work well against them." }-

Yub. There we go. It's similar to the question why there is less malware for OSX than for Windows. Is it because it's more difficult to develop malware for OSX? Certainly not. Is it because malware wouldn't run under OSX? That's also ********. So why is it like this? Because OSX is a minor, not so widely used operating system as Windows (yet). Keep in mind that a lot of malware is nowadays MONEY-FOCUSED! If it's money focused they make sure that it's as effective as it could be. Let's assume that OSX would hold around 50 percent market share of OS. Then you would have *PRETTY FAST* new malware daily for OSX as well. Because they know they would have lots of new "customers" for their malware creations and develop them also for this platform (because it then makes sense!)

What do i want to say with this? That there is *ALWAYS* at least one weak point in a security solution. And if one solution (not speaking about a single product here, but about a technology) has a primary market share then they're "exploiting" this technologies weak points. Same as chess. Attack the opponent at his weak points first and don't try to enter fully defended castle-edge straight. And exactly this will happen with whitelist also. It is A FACT that it can't fully protect against all malware! The malware will not stop, they will only become "focused" on bypassing whitelist with the above stated tricks. Of course nobody from the amateurish magazine writers takes this into consideration. And especially Bloor of course not. Because he would have to admit that he's a moron.

Inspector Clouseau
June 27th, 2007, 04:47 AM
-{ Quote: "False. Detecting that an executable is encrypted (or packed) is actually pretty trivial most of the time. Just ZIP it. If the compression ratio is small (i.e., the executable doesn't compress well), then it is either encrypted or compressed (or both)." }-

He was speaking about detecting shellcode INSIDE files and not how to detect encrypted files. Encrypted files you can easily determine with several methods. One is for example to have a look in the section headers for RAW size vs. Virtual Size. Or to check for imports. If it's basically only using GetProcAddress / LoadLibrary and very few kernel functions then it's a sign that a file could be runtime compressed etc.
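
As an added example that is not Vesselin's or Inspector Clouseau's code, the following Python applies the two cheap checks from their posts to constructed PE images: the MZ/ZM magic and the "just ZIP it" compression-ratio test for packed or encrypted content, plus the section-header comparison of raw size against virtual size. The minimal PE builder, the section names and the numeric thresholds are assumptions used only to produce offline test input; the import-table check is not implemented here.

```python
"""Added example (not code from the thread): cheap packed/encrypted-PE
heuristics. Thresholds, the skeletal PE builder and section names are
assumptions for constructed test input, not published values."""
import hashlib
import struct
import zlib

PE_SIGNATURE = b"PE\0\0"


def has_exe_magic(data: bytes) -> bool:
    """DOS/PE executables start with 'MZ' at offset 0; DOS also accepts 'ZM'."""
    return data[:2] in (b"MZ", b"ZM")


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size. Plain code and data shrink a lot;
    packed or encrypted payloads barely shrink (ratio close to or above 1.0)."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size), ...] from the PE section table,
    or [] if the buffer is not a parseable PE image. Every offset is
    bounds-checked so a truncated or hostile header cannot raise."""
    if not has_exe_magic(data) or len(data) < 0x40:
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return []
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize))
    return out


def suspicious_sections(data: bytes, factor: int = 2):
    """Names of sections whose in-memory size dwarfs their on-disk size, the
    pattern of a packer that unpacks into a near-empty section at run time.
    The 0x1000 floor and `factor` are assumed cut-offs."""
    return [name for name, vsize, raw in pe_sections(data)
            if vsize >= 0x1000 and vsize > factor * max(raw, 1)]


def assess(data: bytes, packed_threshold: float = 0.9) -> dict:
    """Combine the heuristics into one verdict dictionary."""
    ratio = compression_ratio(data)
    return {
        "is_exe": has_exe_magic(data),
        "compression_ratio": round(ratio, 3),
        "looks_packed_or_encrypted": ratio > packed_threshold,
        "suspicious_sections": suspicious_sections(data),
    }


def build_minimal_pe(sections, payload: bytes) -> bytes:
    """Constructed test input: DOS header, COFF header, zeroed PE32 optional
    header and a section table, followed by `payload`. Not loadable; it only
    exercises the parser. `sections` holds (name, vsize, vaddr, rawsize)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, raw, 0, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, raw in sections)
    return dos + PE_SIGNATURE + coff + b"\0" * opt_size + table + payload


def pseudorandom_bytes(n: int) -> bytes:
    """Deterministic, effectively incompressible filler (chained SHA-256),
    standing in for an encrypted or packed payload in the constructed samples."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a plain image with highly repetitive content, and one
# modelled on a common packer layout (empty first section, opaque second one).
PLAIN_SAMPLE = build_minimal_pe(
    [(".text", 0x1000, 0x1000, 0x1000), (".data", 0x200, 0x2000, 0x200)],
    b"\x90" * 4096 + b"hello world\0" * 64)
PACKED_SAMPLE = build_minimal_pe(
    [("UPX0", 0x20000, 0x1000, 0), ("UPX1", 0x8000, 0x21000, 0x7000)],
    pseudorandom_bytes(0x7000))

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, assess(sample))
```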

bontchev
June 27th, 2007, 05:19 AM
-{ Quote: "The product I use, Anti-Executable, analyzes code sample in a file." }-
Do you really understand how it does that? If yes, explain it here and I'll explain to you how it can be bypassed. If not, then the argument is worthless, because you don't really understand how the program works and what its flaws are.

-{ Quote: "As I mentioned in a previous post, exploiting image files was discussed on another forum, and I never saw any real-world exploit using this technique." }-
When the JPG exploit was discovered, I expected to see scores of viruses based on it. Didn't happen - there was only one virus using it and even it didn't rely mainly on it. However, after the WMF exploit was discovered, I saw HUNDREDS of malicious WMF files. So, trust me, malicious image files are used in the real world.

Regards,
Vesselin

bontchev
June 27th, 2007, 05:30 AM
-{ Quote: "I don't want a whitelist of objects of any existing legitimate software, that is only possible in theory, not in practice.
I only want a whitelist of objects of legitimate softwares on MY computer and I mean ANY object : files, registry, ..." }-
Yes, but how are you going to achieve that? There are only two ways. One is, you get that list built by somebody else (a security software provider). Since, sadly, you aren't the only computer user in the world and that security software provider would like to sell his products to more than just you, they will have to build a global white list of all known good software - i.e., we're back to square one.

The other way is, you build that list yourself. Which assumes that you have the competence to do so - i.e., to decide which executables are malicious and which are not. If you're one of the few people who can do that - more power to you. Unfortunately, that puts you in a vanishingly small minority of users.

-{ Quote: "Once the whitelist is created, any unauthorized object is REFUSED IMMEDIATELY (not on reboot) and what is not installed, can't be executed and doesn't need to be removed either." }-
The above presumes that (a) you can determine which objects can contain executable code and (b) you can afford to deny access to all such unknown objects, even if they only extremely rarely contain executable code.

Sadly, in the real world neither of the above presumptions is realistic.

-{ Quote: "I want an Anti-Malware that blocks ANY unauthorized object immediately, not just executable objects." }-
That's pretty easy to do. Unfortunately, it's not worth the effort doing, since you're probably the only one who will be buying (and willing to use) such a product.

-{ Quote: "Blocking objects doesn't mean you have to bombard the user with numerous popups, this can be done in absolute silence." }-
Yes, access to that Word document the boss just sent by e-mail about the next urgent meeting will be denied silently. Very useful.

Regards,
Vesselin

FRug
June 27th, 2007, 05:38 AM
Actually the email itself will be blocked not only the word document attached to it since it too could contain an exploit... hooray.

bontchev
June 27th, 2007, 05:40 AM
-{ Quote: "Does an AV need a sig to detect as such and are there Zero day exploits?" }-
"Signature" is such an ugly and imprecise term. :( Most anti-virus programs stopped relying exclusively on scan strings (which is the slightly more correct term) a couple of decades ago. So, your question doesn't really make sense - a virus scanner doesn't "need a sig to detect an exploit", if that virus scanner doesn't use any signatures to begin with.

The proper thing to ask is: does a known-malware scanner need to be updated, in order to start detecting a new exploit? The answer to that question is YES. Depending on how exactly the detection is implemented in the particular AV product, it might, or might not need further updating in order to detect other files that contain the same exploit (even if they use different shellcode, drop different executables, etc.).

-{ Quote: "Would such a jpg exploit cause probs from within a sandbox?" }-
It depends what the exploit does. If it does direct damage (e.g., file deletion) then the answer is probably NO. But it might record keystrokes and send them elsewhere instead. Then the answer boils down to what exactly the sandbox allows the applications that run in it to do, and on whether it is possible to bypass it. (For instance, there are ways to "escape" VMWare.)

Regards,
Vesselin

bontchev
June 27th, 2007, 05:48 AM
-{ Quote: "If those exploits can't be stopped in any possible way you have to accept them until you find a way to stop them." }-
I don't think that anyone claimed that they can't be stopped. The claim was only that they can't be stopped by software that blocks unauthorized executables. There are many ways to stop exploits - hey, even our known-malware scanner stops some of them. (Mostly - Office-related exploits but also some popular ones like the JPG, WMF and ANI exploits.)

-{ Quote: "Are there so many existing exploits, that they are a constant problem or are we talking about a minority of infections ?" }-
Define "many". I've seen hundreds. That might be "many" to some but it's "few" compared to the half a million of known malware programs.

Also, exploits are usually (although not exclusively) used by Trojans and less often by viruses. This is because once you implement generic detection of the exploit, any virus relying on it drops dead (i.e., can't infect any more hosts) - while a Trojan author doesn't care; Trojans are usually one-shot weapons anyway.

Regards,
Vesselin

bontchev
June 27th, 2007, 05:51 AM
-{ Quote: "However behavior blockers are imo the way to go right now. Sure they also popup warnings on legit files from time to time (av's do that too with fp's) but in general they don't bother users unless something really bad is executed (taking Cyberhawk/KAV6 PDM as example). And have an extremely high detection rate with very low update requirements." }-
Behavior blockers, just like integrity checkers, are a generic anti-malware tool. They have similar strengths and weaknesses with the other generic malware tools. That is, they provide a better protection than a known-malware scanner, but are less easy to use correctly by the average user. Emphasis on "correctly" and "average user". ;)

Regards,
Vesselin

bontchev
June 27th, 2007, 05:55 AM
-{ Quote: "Why is there always a test of AV's and nothing else than that." }-
Because, although testing known-malware scanners properly is immensely hard, testing properly generic anti-malware tools like behavior blockers and integrity checkers is immensely harder.

Regards,
Vesselin

bontchev
June 27th, 2007, 05:57 AM
-{ Quote: "The malware disappears when you reboot. Why is that "too late"?" }-
Because by then your precious private data might have disappeared too - or be on its way to Moldova.

Regards,
Vesselin

bontchev
June 27th, 2007, 06:02 AM
-{ Quote: "If any of you have the book (http://www.amazon.com/exec/obidos/ASIN/0321304543/na8ayth4o-20) by Peter Szor - The Art of Computer Virus Research and Defense, look at page 484 about integrity checker. Peter too mentions the disadvantages..." }-
Heh. You don't have to tell me about the deficiencies of the integrity checkers, man, I wrote the book (ok, the paper (http://www.people.frisk-software.com/~bontchev/papers/attacks.html)) on this subject.;D

And, yes, I do have Peter's book. Personally signed. I was one of the reviewers. The structure of its first part is roughly based on my Ph.D. thesis.8)

Regards,
Vesselin

Inspector Clouseau
June 27th, 2007, 06:02 AM
Just a side comment.... Vesselin's post counter goes faster from 0-60 than a sports car... ;D

bontchev
June 27th, 2007, 06:04 AM
-{ Quote: "Can someone address ErikAlbert's proposal. It seems to be fool-proof." }-
Nothing is fool-proof, because the fool is always bigger than the proof.;D Besides, the fools are so ingenious!

But, seriously, which particular proposal of his do you mean?

Regards,
Vesselin

Inspector Clouseau
June 27th, 2007, 06:17 AM
-{ Quote: "Nothing is fool-proof, because the fool is always bigger than the proof.;D " }-

LOL :D If somebody is going to write a historical book, please include this sentence ;D

Mrkvonic
June 27th, 2007, 06:37 AM
Hello,

I'm gonna raise hell now by a little provocative statement:

Inspector, you mentioned OSX being secure - because it has a minor market share. And that it would sprout tons of malware daily if it got more share.

I disagree.

There are technologies and there are technologies.

There's no doubt that there would be malware - but to a far lesser extent, both in quantity and quality (severity). One of the reasons is the way the systems were designed.

Windows exploits are almost exclusively remote. NIX exploits are almost exclusively local. This is the backbone of the doctrines behind each OS, hence the differences.

There is and cannot be one-to-one translation of Windows problems to OSX or Linux or any NIX-based OS. It's the question of modularity and permissions.

The greatest hazard for OSX users will be manual downloads and execution. But this is a social problem - not software. Then again, it will be more difficult still due to the centralized approach.

In Windows, you have 50 sources of update for your system. With most NIXs, it's a single centralized source. You would have far less chance of being tempted to download something manually and screw things up.

It's like saying that helicopters and aircraft suffer from the same problems. Yes, both fly, but the way they do it ... that's the whole difference.

Cheers,
Mrk

FanJ
June 27th, 2007, 06:43 AM
Big thanks to Vesselin for this link:
http://www.people.frisk-software.com/~bontchev/papers/attacks.html

I will have to find the time to fully read it.

This part caught my eye (is that the right expression?):
"2.5. Deleting the Database of Checksums".

What about this: not deleting the whole database of checksums, but only change a stored checksum of a certain file along with changing that file itself too.
I posted years ago about it ;)

=====

Let’s say program P uses a checksum algorithm (like CRC32 or MD5) to check whether files have been changed.
Let’s say you want file F to be checked.
The first time you run program P on file F there will be a checksum C generated.
Then, after a while, you will check whether file F is changed.
So you run a second time program P on file F;
the algorithm used in program P makes a new checksum, let's say C2;
the checksums C and C2 are compared;
and then program P tells you whether file F has been changed or not, depending on whether C and C2 are the same or not.

So far so good, but the only way program P can perform this is by comparing these two checksums C and C2. That means that, after the generation of the first checksum C, it must store it somewhere….

Now I have a malicious program M (like some kind of a Trojan).
Malicious program M looks specifically for file F and wants to replace it with malicious file MF.
And malicious program M is made in such a way that it already knows that changes in file F are being checked with program P. So it brings, together with malicious file MF, its checksum MC.
The only thing that malicious program M now has to do is to replace file F with file MF and replace checksum C with checksum MC.
And there is no way that program P ever can tell you that file F is changed…
Conclusion: the security that program P with its checksum algorithm can give you depends heavily on how safely it stores its checksums.

BlueZannetti
June 27th, 2007, 07:03 AM
-{ Quote: "The greatest hazard for OSX users will be manual downloads and execution. But this is a social problem - not software. Then again, it will be more difficult still due to centralized approach.

In Windows, you have 50 sources of update for your system. With most NIXs, it's a single centralized source. You would have far less chance of being tempted to download something manually and screw things up." }-The key operational question would therefore seem to be whether this controlled centralized approach would be scalable if OSX had the market share, user base, and application base of Windows. I could see pragmatic constraints leading to relaxation of this level of control, which quickly puts you in a Windows-like scenario.

Blue

dan_maran
June 27th, 2007, 07:11 AM
-{ Quote: "The key operational question would therefore seem to be whether this controlled centralized approach would be scaleable if OSX had the market share, user base, and application base of Windows. I could see pragmatic constraints leading to relaxation of this level of control, which quickly puts you in a Windows-like scenario.

Blue" }-
I agree with you here. It would be interesting to see if someone did a malware% versus user base scenario in these respects; I feel percentage-wise they would be the same. I thought one was done before but I couldn't find it again. A bit off-topic, sorry!

Inspector Clouseau
June 27th, 2007, 07:40 AM
-{ Quote: "Hello,

I'm gonna raise hell now by a little provocative statement:

Inspector, you mentioned OSX being secure - because it has a minor market share. And that it would sprout tons of malware daily if it got more share.

I disagree.
" }-

I disagree with your disagreement. ;D
I've been using Macs since they were invented. I *KNOW* how the MacOS / OSX works.

-{ Quote: "
Windows exploits are almost exclusively remote. NIX exploits are almost exclusively local. This is the backbone of the doctrines behind each OS, hence the differences." }-

We're not speaking about exploits only, we're speaking about Malware. Doesn't matter HOW it will reach the system.

-{ Quote: "
There is and cannot be one-to-one translation of Windows problems to OSX or Linux or any NIX-based OS. It's the question of modularity and permissions." }-

What are you going to do with script based malware? Sure, you cannot so easily erase files or format the HDD, but the stuff it allows is by all means more than enough to do malicious activity.

-{ Quote: "
The greatest hazard for OSX users will be manual downloads and execution. But this is a social problem - not software." }-

Quite funny. What do you think is becoming more and more a serious problem in the Windows world? Exactly this! ZLOBS for instance. Manual download because it claims you have to have it in order to play videos. There we go again. You see what I mean with "if it becomes more popular"? Then you would have that crap also for OSX.

Pedro
June 27th, 2007, 10:40 AM
-{ Quote: "
We're not speaking about exploits only, we're speaking about Malware. Doesn't matter HOW it will reach the system.
" }-
I think it matters a whole deal. I don't think an OS will ever prevent the user from installing software. Since malware is software (or something of the sort), the OS cannot tell the difference. It can however prevent unauthorized installation of malware. That is defense.

Would an AV still have a function once that OS reaches enough market? I think so, for all the other reasons mentioned.
But if data could not do malicious activities, only programs (data here is docs, etc.), I see a point where a corporation would not need an AV. Maybe ;D

Mrkvonic
June 27th, 2007, 10:55 AM
Hello,

OK then, Inspector, then the problem is ... users. People who download zlobs because they think they need codecs? What can I say more?

As long as:

- people are not required to undergo a 'driving test' like with cars.
- people are not fined with real money for their stupidities with computers.

There will be people doing things like that.

Imagine. All the money harvested from people getting infected going to computer education, promotion of anti-malware campaigns, anti-malware warfare - special units that crash into houses / offices and crack down on malware cells and organizations - Jay and Silent Bob style.

After you get fined several times, you get points - and then you have to undertake the exam again.

Mrk

bontchev
June 27th, 2007, 12:02 PM
-{ Quote: "What about this: not deleting the whole database of checksums, but only change a stored checksum of a certain file along with changing that file itself too." }-
This is... not so simple. Well, a detailed treatment of the subject could fill a whole paper.;D

Basically, in order to do what you propose, the attacker must have two things: the checksumming algorithm and access to the database of checksums. However, if he has even one of these two things, other attacks are possible - so why bother with this one (that requires two)?

For instance most people are big fans of crypto checksums (MD5 and so on). This is a big mistake. First of all, they are slow. Second, they don't grant additional security. If the attacker has access to the database of checksums, he can put there the checksum of the modified infected object (i.e., the attack you propose) - because the checksum algorithm is already known. OK, some say, we'll deny write access to the database of checksums. But that's not good enough, either. An active malware can go stealth, intercept read access to the database of checksums and replace the results of the read operation with the checksum expected by the integrity checker.

It is much better to use a simple CRC with an unknown generator polynomial (i.e., one which is different for each installation of the integrity checker). True, if the attacker can gather enough file/CRC pairs, he can deduce the generator polynomial. But for that, he has to have at least read access to the database of checksums - and, as we already saw, if this is the case, a crypto checksum ain't gonna help you, either. And CRCs are much faster to compute (i.e., lead to a much more usable program).

To summarize, the attacker must be given neither the checksum computation algorithm, nor any access (read or write) to the database of checksums. But if these conditions are met, the attack you propose isn't feasible, either.

It was the late Yisrael Radai who first figured this out. Most of you people here probably haven't even heard his name. It's only dinosaurs like me who've had the pleasure of knowing him personally... He was a great man... The first to analyze and describe the Jerusalem (Friday the 13th) virus - if you remember that one... He had lengthy discussions with the opponents of the "CRC instead of crypto checksums for virus detection purposes" idea - maybe some of them can still be found by Google... Gosh, those were the days...

Regards,
Vesselin
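
Vesselin's argument above, together with FanJ's checksum-replacement scenario earlier in the thread, as an added example in Python (not code from the thread, from Vesselin's scanner or from any product named here): a small integrity checker whose CRC generator polynomial is chosen per installation, so the stored checksum for a file depends on a value the attacker does not have. The table-driven CRC, the IntegrityChecker class, the fixed demo polynomial and the file contents are assumptions made for illustration.

```python
import secrets

def make_crc_table(poly):
    """Byte-wise table for a reflected 32-bit CRC with generator polynomial `poly`."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table

def crc32_with_table(data, table):
    """Standard CRC-32 framing (init 0xFFFFFFFF, final XOR); only the polynomial varies."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

# The well-known IEEE CRC-32 polynomial in reflected form: the "algorithm is public" case.
STANDARD_POLY = 0xEDB88320

class IntegrityChecker:
    """Integrity checker with a per-installation generator polynomial (hypothetical design).

    The polynomial is drawn at install time and must be kept as secret as the
    checksum database itself; without it, the checksum this installation
    expects for a modified file cannot be computed from the file alone.
    """
    def __init__(self, poly=None):
        if poly is None:
            # In reflected form bit 31 is the x^0 coefficient; keep it set so the
            # polynomial has a constant term. Error-detection quality of a random
            # polynomial is a separate concern and is not addressed here.
            poly = secrets.randbits(32) | 0x80000000
        self.poly = poly
        self.table = make_crc_table(poly)
        self.db = {}   # file name -> stored checksum (the "database of checksums")

    def checksum(self, data):
        return crc32_with_table(data, self.table)

    def baseline(self, files):
        """Record checksums for a mapping of file name -> contents."""
        for name, data in files.items():
            self.db[name] = self.checksum(data)

    def check(self, name, data):
        """True if `data` still matches the stored checksum for `name`."""
        return self.db[name] == self.checksum(data)
```

With the standard polynomial the code reproduces the usual CRC-32 check value, which is how to confirm the table logic before trusting a private polynomial with it.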

lucas1985
June 27th, 2007, 02:45 PM
-{ Quote: "The only way to do it is run the application under a debugger, have it open the file with the exploit and see what happens, why, and where is the code that causes it. Believe me, that's no fun." }-
I've created a thread (Handling of suspicious Office files (http://www.wilderssecurity.com/showthread.php?t=177908)) where I compiled the procedures given in a SANS.org discussion (http://isc.sans.org/diary.html?storyid=2967) to deal with Office exploits. I would appreciate it if you could find what's wrong with this approach.
I know that it's useless for the average user, but it may work for the average Wilders member who practices safe hex but doesn't want to attach a debugger to every running app :D

lodore
June 27th, 2007, 03:37 PM
the problem will always be the user.
big companies stuff their company laptops with tons of security software but always forget that the user is stupid and clicks on random links.
i disagree about exploits in mac OS being more local exploits.
the exploit shown in a contest a few weeks ago was a remote exploit.
a remote user could take advantage of that exploit and could access anything on that Mac change settings and access any data on it.
lodore

lucas1985
June 27th, 2007, 03:48 PM
-{ Quote: "It was the late Yisrael Radai who first figured this out. Most of you people here probably haven't even heard his name. It's only dinosaurs like me who've had the pleasure of knowing him personally... He was a great man... The first to analyze and describe the Jerusalem (Friday the 13th) virus - if you remember that one... He had lengthy discussions with the opponents of the "CRC instead of crypto checksums for virus detection purposes" idea - maybe some of them can still be found by Google... Gosh, those were the days.." }-
Got his paper (PDF (http://target0.be/madchat/vxdevl/papers/avers/integch.pdf)) :thumb:
Thanks.

FRug
June 28th, 2007, 04:20 AM
lucas: the point you're missing is that shellcode does not have headers. No MZ, no UPX, no nothing. It's direct CPU opcodes only. You cannot locate shellcode by looking for markers such as those of UPX simply because they don't exist.

SystemJunkie
June 28th, 2007, 04:24 AM
-{ Quote: "lucas: the point you're missing is that shellcode does not have headers. No MZ, no UPX, no nothing. It's direct CPU opcodes only. You cannot locate shellcode by looking for markers such as those of UPX simply because they don't exist." }-

That's really evil.

FRug
June 28th, 2007, 04:56 AM
The SANS article describes how to find embedded files, which CAN be the case if the exploit/shellcode brings along a file it wants to drop within the Word document. But even then it is most likely encrypted and again cannot be found by such an approach. Note that standard embedding mechanisms like OLE used in Word documents are supported by pretty much every AV out there, but that has usually nothing to do with the type of embedding used by exploits (which can be as simple as just overwriting parts of the real contents of the Word document and corrupting it along the way).

lucas1985
June 28th, 2007, 01:48 PM
Lots of things to think about.
So, looking for executables or packers' strings is not reliable.
It's not clear to me if tools like OfficeCat (http://www.snort.org/vrt/tools/officecat.html) can spot exploit code which isn't present in AV databases.
How many exploits use non-standard embedding mechanisms? Non-standard embedding mechanisms aren't supported by STG: MFC Docfile Viewer (http://support.microsoft.com/kb/139545/en-us), correct?
Thanks FRug :)

bontchev
June 28th, 2007, 03:32 PM
-{ Quote: "That's really evil." }-
Heh. Tell me about it.

You folks still remember what a COM file is, right? Well, a COM file is just like that - no headers, just CPU instructions, smaller than 64 Kb. If the extension is not "COM" do you know what a tremendous nightmare it is for the virus scanner to determine that a file is a COM file? And, of course, moronic testers change the file extensions of the samples in their test sets, and expect our scanners to still be able to scan the files correctly and find the malware inside - for which they usually need to recognize correctly the file type.

There is no fool-proof way of doing it with a program. (A human can disassemble the file and see whether it makes sense - i.e., whether it is a valid program - but that's not something that can be done entirely automatically.) The way our scanner does it is by trying to rule out all other kinds of files it can recognize (usually - by the presence of various headers) and then assume that the file is a COM file.

Really evil, I tell you.

Regards,
Vesselin

bontchev
June 28th, 2007, 04:07 PM
-{ Quote: "It's not clear to me if tools like OfficeCat (http://www.snort.org/vrt/tools/officecat.html) can spot exploit code which isn't present in AV databases." }-
They are not. Well, I don't know about "tools like that" but OfficeCat isn't. It is a tool for scanning for known Office exploits. The way it does it is by looking for the particular field corruptions used by the known exploits. Our scanner does it the same way. We aren't looking for the shellcode - we're looking for the exploit (i.e., for the data corruption that causes the shellcode to be executed, if present).

-{ Quote: "How many exploits use non-standard embedding mechanisms?" }-
Ah, this question doesn't make much sense. There are all kinds of exploits - in various applications. Embedding is used mainly by Office. So, a more valid question is "how many Office exploits use non-standard embedding mechanisms".

But that doesn't make much sense, either. First of all, there is no such thing as "standard embedding mechanisms". The various Office programs (and Office-like programs, e.g., WordPad) use more than two dozen different ways for embedding an executable in a document. But the truth is, the exploits practically never use any of them.

To begin with, an exploit doesn't have to drop an executable, as I think I already explained - although most exploits do so, because it's easier. When they do, the executable is usually simply appended to the Office document (often in encrypted form). Its presence can be detected, but it's not easy. There is no field in the OLE2 file (the Office documents are OLE2 files - well, with the exception of Access databases) that says how large the OLE2 file is. You have to compute its physical size from various fields in a horrendously complicated structure and then check whether the computed size is sufficiently smaller than the actual physical size of the file, which would indicate that there is something appended at the end of the OLE2 file. Very, very non-trivial.

In a few cases, the dropped executable is in the middle of one of the streams of the OLE2 file and is even more difficult to spot.

Yet in other (even rarer) cases, the executable has overwritten the OLE2 structures, effectively corrupting them.

-{ Quote: "Non-standard embedding mechanisms aren't supported by STG: MFC Docfile Viewer (http://support.microsoft.com/kb/139545/en-us), correct?" }-
If the executable is appended to the OLE2 file, an OLE2 viewer won't see it. If it is in the middle of one of the streams, it will be visible with the tool. If the OLE2 structures are corrupted by being overwritten by the executable, the tool might be unable to even open the file.

Regards,
Vesselin
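
The two detection problems Vesselin describes above, ruling out every header the scanner knows before assuming a small headerless file is a COM file, and comparing the size an OLE2 file's own structures account for with its physical size to spot appended data, as an added example in Python (not the scanner's code and not from the thread). The header offsets follow the OLE2 compound-file layout; the list of known headers, the slack threshold, and build_sample_ole2 are constructed for illustration, and only the FAT sector locations held in the header's DIFAT are followed.

```python
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD

# Headers the scanner can positively recognise (small illustrative subset, constructed).
KNOWN_MAGIC = [
    (b"MZ", "MZ executable (EXE/DLL)"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container"),
    (b"%PDF", "PDF document"),
    (OLE2_MAGIC, "OLE2 compound file"),
]

def ole2_logical_size(data):
    """Size the OLE2 structures account for: header plus every sector the FAT marks as in use.

    Only the 109 FAT sector locations in the header DIFAT are followed (enough for
    files up to roughly 55 MB with 512-byte sectors); larger files are rejected.
    """
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_shift, = struct.unpack_from("<H", data, 30)   # 9 -> 512-byte sectors, 12 -> 4096
    num_fat, = struct.unpack_from("<I", data, 44)        # number of FAT sectors
    if num_fat > 109:
        raise NotImplementedError("DIFAT chain outside the header is not followed")
    entries_per_fat = (1 << sector_shift) // 4
    difat = struct.unpack_from("<109I", data, 76)
    highest_used = -1
    for k in range(num_fat):
        fat_offset = (difat[k] + 1) << sector_shift       # sector n lives at (n + 1) * sector size
        fat = struct.unpack_from(f"<{entries_per_fat}I", data, fat_offset)
        for i, entry in enumerate(fat):
            if entry != FREESECT:
                highest_used = max(highest_used, k * entries_per_fat + i)
    return (highest_used + 2) << sector_shift             # end of the last sector in use

def classify(data, slack=4096):
    """Rule out every header we know; what is left and under 64 KiB is assumed to be a COM file."""
    for magic, name in KNOWN_MAGIC:
        if data.startswith(magic):
            if magic == OLE2_MAGIC:
                extra = len(data) - ole2_logical_size(data)
                if extra > slack:   # slack tolerates writers that leave free sectors on disk
                    return f"OLE2 compound file with {extra} trailing bytes (possible appended payload)"
            return name
    if len(data) < 65536:
        return "headerless, under 64 KiB: assumed COM file"
    return "unknown"

def build_sample_ole2():
    """Constructed minimal OLE2 file: 512-byte header, one FAT sector, one empty directory sector."""
    header = bytearray(512)
    header[0:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)   # version 3, 512-byte sectors
    struct.pack_into("<III", header, 44, 1, 1, 0)                  # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # FAT lives at sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    return bytes(header) + fat + bytes(512)
```

The slack value is the "sufficiently smaller" judgement Vesselin mentions: too small and files padded with free sectors get flagged, too large and a small appended payload slips by.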

ronjor
June 28th, 2007, 07:52 PM
Whitelisting-{ Quote: "or perhaps moron whitelisting... yes dave, i'm taking the bait with the emperor's robin bloor's new clothes article about the decline of anti-virus and the rise of whitelisting... and it's pretty good bait too, since i wrote the rise of whitelisting (anything look familiar?) over a year ago in response to something else robin wrote when his misguided anti-virus-is-dead campaign was still new (a day old judging by the posting dates)...
" }-Kurt Wismer (http://anti-virus-rants.blogspot.com/2007/06/more-on-whitelisting.html)

Firefighter
June 30th, 2007, 03:15 PM
Quite amusing thread, when there has been a web world without an av even several years so far! ;D

Best regards,
Firefighter!