Approximately 800 vulnerabilities discovered in antivirus products
MrBrian
July 8th, 2008, 01:08 AM
Approximately 800 vulnerabilities discovered in antivirus products (http://blogs.zdnet.com/security/?p=1445)
-{ Quote: "The IT/Security consulting firm n.runs AG claims to have discovered approximately 800 vulnerabilities within antivirus products based on exploiting a standard malware scanning process known as “parsing”." }-
djohn
July 8th, 2008, 01:23 AM
Hmm, AVG, BitDefender and F-Prot are the lowest in vulnerabilities. :o
MrBrian
July 8th, 2008, 01:36 AM
-{ Quote: "Hmm, AVG, BitDefender and F-Prot are the lowest in vulnerabilities. :o" }-
Note: that's not including the newly discovered vulnerabilities mentioned in this story.
tlu
July 8th, 2008, 09:21 AM
-{ Quote: "Approximately 800 vulnerabilities discovered in antivirus products (http://blogs.zdnet.com/security/?p=1445)" }-
... and now add all the vulnerabilities probably contained in all these HIPS and personal firewalls ;D
I once wrote in another thread here: the more security software you use, the larger your attack surface is. This report seems to confirm that.
djohn
July 8th, 2008, 03:28 PM
I do wonder at times if adding security may sometimes decrease one's security in the OS itself. Like, for instance, the vulnerabilities in the security apps themselves open the door for, let's say, a bad guy that is not there without the security product in place. :-\ PS: I still prefer to have something in place; though not perfect, it is sometimes still better than nothing, I think.
i_g
July 8th, 2008, 04:03 PM
I would like to know how many of those 800 vulnerabilities are real (=dangerous) vulnerabilities... I've seen some "vulnerabilities" discovered by n.runs - which I certainly wouldn't call "vulnerabilities", maybe not even "issues"... but rather features they don't like.
tlu
July 8th, 2008, 04:44 PM
-{ Quote: "I do wonder at times if adding security may sometimes decrease one's security in the OS itself. Like, for instance, the vulnerabilities in the security apps themselves open the door for, let's say, a bad guy that is not there without the security product in place. :-\ PS: I still prefer to have something in place; though not perfect, it is sometimes still better than nothing, I think." }-
Why not LUA+SRP?
djohn
July 8th, 2008, 05:37 PM
Well, yes, LUA helps of course, but I run Vista with DEP for all programs and UAC on (= Protected Mode on). Is that not essentially the same, where I have to approve admin elevation? Besides the fact that I have KAV and Shadow Defender on board, may I add FirstDefense-ISR and an offline clean image if anything does escape my defense. I see no reason to run LUA, but good suggestion all the same.
Dogbiscuit
July 8th, 2008, 05:50 PM
-{ Quote: "...the more security software you use, the larger your attack surface is." }-
My how approaches have changed here over time...
MrBrian
July 8th, 2008, 10:37 PM
-{ Quote: "Why not LUA+SRP?" }-
I was thinking of posting a reference to this in one of the LUA threads. Since resident anti-virus products often run code in the LocalSystem account, a buffer overflow vulnerability in that part of the anti-virus product code could lead to full system compromise, even with LUA+SRP.
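The point above is that the fault is in the scanner's own file parser, and that parser runs with LocalSystem rights. As an added example (not code from the thread or from any product n.runs tested), here is a hardened record reader for a hypothetical, constructed container format, with the two bounds checks whose absence is the classic scanner parsing bug; all names and the format itself are invented for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical container format, constructed for this example:
 * a record is [type:1 byte][len:4 bytes little-endian][payload:len bytes]. */
#define REC_HDR 5
#define SCRATCH 64
enum parse_result { REC_OK = 0, REC_TRUNCATED = 1, REC_TOO_LARGE = 2 };
struct record { uint8_t type; uint32_t len; uint8_t payload[SCRATCH]; };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened record reader. The bug this guards against is an unchecked
 * memcpy(out->payload, buf + p + REC_HDR, len): without the two bounds below,
 * the file's author chooses `len` and therefore how far past payload[] the copy runs. */
static enum parse_result read_record(const uint8_t *buf, size_t avail, size_t *pos, struct record *out) {
    size_t p = *pos;
    if (p > avail || avail - p < REC_HDR) return REC_TRUNCATED;   /* header must fit */
    uint32_t len = rd_le32(buf + p + 1);
    if (len > avail - p - REC_HDR) return REC_TRUNCATED;          /* compare, never add: no wraparound */
    if (len > SCRATCH) return REC_TOO_LARGE;                      /* bounded by the destination buffer */
    out->type = buf[p];
    out->len = len;
    memcpy(out->payload, buf + p + REC_HDR, len);
    *pos = p + REC_HDR + len;
    return REC_OK;
}

/* Walk a whole container: number of records on success, negated parse_result on the first bad one. */
int scan_container(const uint8_t *buf, size_t avail) {
    struct record r; size_t pos = 0; int n = 0;
    while (pos < avail) {
        enum parse_result rc = read_record(buf, avail, &pos, &r);
        if (rc != REC_OK) return -(int)rc;
        n++;
    }
    return n;
}

/* Constructed inputs: a well-formed file, a length field of 0xffffffff with nothing
 * behind it, a record claiming more than the file holds, and an oversized payload. */
const uint8_t GOOD[] = { 0x01, 3,0,0,0, 'a','b','c',  0x02, 0,0,0,0 };
const uint8_t WRAP[] = { 0x01, 0xff,0xff,0xff,0xff };
const uint8_t SHORT_FILE[] = { 0x01, 16,0,0,0, 'x' };
const uint8_t BIG[105] = { 0x03, 100,0,0,0 };   /* 100-byte payload > SCRATCH, rest zero */
```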
kwismer
July 9th, 2008, 12:24 AM
the folks at n.runs are a little - how should i put this - sensationalistic about the scanner vulnerability issue...
it probably has something to do with the technology they're offering that is supposed to take care of the class of vulnerability they're going on about...
should i post a url to the blog post i did on them back in november of last year?
Dogbiscuit
July 9th, 2008, 04:22 AM
-{ Quote: "I was thinking of posting a reference to this in one of the LUA threads. Since resident anti-virus products often run code in the LocalSystem account, a buffer overflow vulnerability in that part of the anti-virus product code could lead to full system compromise, even with LUA+SRP." }-
So the inference is that running with LUA+SRP is safer without an AV?
tlu
July 9th, 2008, 05:22 AM
-{ Quote: "So the inference is that running with LUA+SRP is safer without an AV?" }-
Actually yes. No new malware can be started without your knowledge, and if you want to install an application you can check it with, e.g., Virustotal (http://www.virustotal.com) first.
Rasheed187
July 9th, 2008, 07:14 AM
It does sound a bit scary to me, so perhaps it's time to run scanners inside a sandbox? Another reason why we really need to have Hyper-V virtualization inside the OS. And all security tools have bugs; still, I think it isn't really likely that we will get to see firewalls and HIPS being exploited.
pykko
July 9th, 2008, 08:33 AM
As long as software exists, exploits and bugs will be there also, and as long as viruses exist, antiviruses will be necessary. And of course viruses and exploits will always appear first and then the update. That's logical and simple.
No need to get paranoid for everything discovered. :)
djohn
July 9th, 2008, 11:50 AM
-{ Quote: "As long as software exists, exploits and bugs will be there also, and as long as viruses exist, antiviruses will be necessary. And of course viruses and exploits will always appear first and then the update. That's logical and simple.
No need to get paranoid for everything discovered. :)" }-
Could not agree more.
Dogbiscuit
July 9th, 2008, 06:34 PM
-{ Quote: "Actually yes. No new malware can be started without your knowledge, and if you want to install an application you can check it with, e.g., Virustotal (http://www.virustotal.com) first." }-
That's the way I've been operating since SRP was made available for XP Home here (thanks). It's also reassuring to see some confirmation of my hunch. Now the biggest problem is forgetting to check a file with VirusTotal first.
MrBrian
July 9th, 2008, 09:00 PM
-{ Quote: "So the inference is that running with LUA+SRP is safer without an AV?" }-
I would say not necessarily. If you have your antivirus set to scan all files, it might detect poisoned files that would result in buffer overflow exploits in other programs. Also, antivirus can scan for malicious scripts. So I would say that antivirus is a dual-edged sword with LUA+SRP.
MrBrian
July 9th, 2008, 09:06 PM
-{ Quote: "It does sound a bit scary to me, so perhaps it's time to run scanners inside a sandbox? Another reason why we really need to have Hyper-V virtualization inside the OS. And all security tools have bugs; still, I think it isn't really likely that we will get to see firewalls and HIPS being exploited." }-
That's a possible solution.
MrBrian
July 9th, 2008, 09:09 PM
-{ Quote: "the folks at n.runs are a little - how should i put this - sensationalistic about the scanner vulnerability issue...
it probably has something to do with the technology they're offering that is supposed to take care of the class of vulnerability they're going on about...
should i post a url to the blog post i did on them back in november of last year?" }-
Can you please? This was the first I had heard of them.
Arup
July 10th, 2008, 12:22 AM
Was Avira tested?
MrBrian
July 10th, 2008, 12:50 AM
-{ Quote: "Was Avira tested?" }-
Apparently so.
-{ Quote: "The tests performed by the consulting company and solutions developer n.runs have indicated that every virus scanner currently on the market immediately revealed up to several highly critical vulnerabilities." }-
MrBrian
July 10th, 2008, 12:51 AM
A couple of such attacks (http://www.nruns.com/_en/aps/press.php#doku) have been documented.
Arup
July 10th, 2008, 01:44 AM
-{ Quote: "Apparently so." }-
Well then it seems that Avira is not on their graph so it appears not to have done shabbily.
MrBrian
July 10th, 2008, 02:09 AM
-{ Quote: "Well then it seems that Avira is not on their graph so it appears not to have done shabbily." }-
The graphs shown don't include the ~800 vulnerabilities n.runs claims to have found.
kwismer
July 10th, 2008, 07:45 AM
-{ Quote: "-{ Quote: "should i post a url to the blog post i did on them back in november of last year?" }-Can you please? This was the first I had heard of them." }-
ok, the post in question is defense in depth revisited (http://anti-virus-rants.blogspot.com/2007/11/defense-in-depth-revisited.html), though i've since posted again about the very same announcement this thread is about...
i basically think their figures are FUD, they don't make sense, they don't match up with those of independent organizations, and nruns is anything but independent (making av products look bad drives demand for their own product)...
Arup
July 10th, 2008, 10:55 PM
If this article had even 50% relevance, then all of us would be running systems full of malware, Trojans and viruses. So far that's basically not the case; there are infected systems out there, but not in the sense which the article is trying to relate to.
MrBrian
July 11th, 2008, 12:24 AM
-{ Quote: "ok, the post in question is defense in depth revisited (http://anti-virus-rants.blogspot.com/2007/11/defense-in-depth-revisited.html), though i've since posted again about the very same announcement this thread is about..." }-
Thank you :). You have some nice blog entries there.
My own take on this is that at least some of these claimed vulnerabilities do exist, but I'm not going to lose sleep over it unless exploits targeting AV become more common.
emperordarius
July 12th, 2008, 11:22 AM
Every piece of software can have vulnerabilities. Even security software. Perfect programming is not possible.
MrBrian
July 24th, 2008, 12:10 AM
McAfee responds to n.runs, n.runs responds to McAfee's response (http://blogs.zdnet.com/security/?p=1538)
Dogbiscuit
July 28th, 2008, 07:22 PM
-{ Quote: "If you have your antivirus set to scan all files, it might detect poisoned files that would result in buffer overflow exploits in other programs. Also, antivirus can scan for malicious scripts." }-
Can you offer any specifics here for clarification?
MrBrian
July 28th, 2008, 07:49 PM
-{ Quote: "Can you offer any specifics here for clarification?" }-
I'll give an example of the detection of a poisoned data file. When I did the test explained at http://forums.comodo.com/feedbackcommentsannouncementsnews/result_of_real_world_exploit_test_comodo_memory_firewall_worked-t18683.0.html;msg165810, my real-time antivirus detected the poisoned .pls file that was generated.
Dogbiscuit
July 28th, 2008, 08:08 PM
According to the example, had your AV not detected the data file as containing malicious code and Winamp processed the .pls file, could the admin account of your system have been compromised even if running as LUA+SRP? Or would only the user account have been compromised?
Dogbiscuit
July 28th, 2008, 08:19 PM
With DEP compatible applications and Vista (w/ASLR, etc.), wouldn't this eliminate the need for this aspect of an AV's protection in restricted accounts?
MrBrian
July 28th, 2008, 09:46 PM
-{ Quote: "According to the example, had your AV not detected the data file as containing malicious code and Winamp processed the .pls file, could the admin account of your system have been compromised even if running as LUA+SRP? Or would only the user account have been compromised?" }-
If a privilege escalation exploit were available and used within the initial buffer overflow exploit code, then yes it could compromise the system even with LUA+SRP. Whether this has ever actually happened in practice, maybe somebody else can address.
-{ Quote: "With DEP compatible applications and Vista (w/ASLR, etc.), wouldn't this eliminate the need for this aspect of an AV's protection in restricted accounts?" }-
IMHO no, because many 3rd-party programs don't use these technologies. IE 7 also has DEP off by default.
Dogbiscuit
July 28th, 2008, 09:57 PM
Thanks for your explanations.
MrBrian
July 28th, 2008, 10:01 PM
-{ Quote: "Thanks for your explanations." }-
You're welcome :).
I also forgot to mention that even if your other security measures protect you from harm, a positive AV detection can prevent you from passing potentially harmful files to others who might not employ the same security measures as you do.
Dogbiscuit
July 28th, 2008, 10:11 PM
Good point about not passing on infected files to others.
So maybe someday when all the Vista applications that someone uses are DEP aware and enabled, then buffer overflow exploits will no longer be a serious problem?
MrBrian
July 28th, 2008, 10:31 PM
-{ Quote: "Good point about not passing on infected files to others.
So maybe someday when all the Vista applications that someone uses are DEP aware and enabled, then buffer overflow exploits will no longer be a serious problem?" }-
To avoid going off topic, perhaps read this buffer overflow thread (http://www.wilderssecurity.com/showthread.php?t=207074&highlight=buffer) and post there if you have questions. Post #119 there has links that contain a lot of related info.
Dogbiscuit
July 28th, 2008, 11:02 PM
Thanks.
Copyright ©2002 - 2012, Wilders Security Forums