So how firmly do you believe in today's AV detections?

Hi

Today's AV Suites are great at detecting malware etc, no doubt about the advancement of this technology.. however, i can't help but get annoyed w/ sooo many false positives or paranoid alerts..

Like i said in my other thread were i used to do manaul malware detetion, this time im trying a complete suite again (comodo).. ran a scan on my current drives and boom, over 1000 threats detected.. most are from cracks/keygens of appz i have on my drive (spare me the lessons on software piracy, let's stick to the point) but i for one have used these appz w/ the cracks/keygens w/o malware problems .. heck even legal / original software patchers to update its versions were flagged..

So i can't help but think most of these detections (at least in my case) are false positives or just coz the way these cracks/keygens work etc..

So my question is, how paranoid does one have to be? i mean do i really take into consideration these detections or do i follow my gut feeling as well as experience that these files that's been flagged has been w/ me for a long time and i've used them time and time again.. and they're safe..

confused..

Tj

 

How do you know they are safe false positives?

 

I have always viewed an AV as a good tool to use for things that are already well known about. I think they work great for that. All of them probably detect Blaster, if it is still floating around.

I think some of them can be effective on many current virii, depending upon how often they update and just what is in the definitions. I also believe they are constantly changing engines/program to become better, and I am not so sure that always brings with it better detections.

So for me, using one would be useful to ensure any older, well known virii can be detected in what I download. And while using one is probably a good idea if you are a novice, I don't personally depend on them at all for current threats. I haven't used an AV for, I dunno, two years now? I only used it as a real-time guard when I did anyway, hardly ever scanned anything.

One has to put it in perspective though. I have never really been infected with a virii/worm/etc unless I was "messing around". I have been the victim of a couple malwares over the years. I am not the average user. The average users I know have all been hit by many bugs, time and time again. Most have had an AV - so whether it is not any good, or they didn't update, or they were foolish with thier actions, who can say?

Sul.

 

I don't firmly believe in AV detections especially for zero day threats. That is why in addition to AV I use GeSWall and Returnil. AV has its place in a layered security setup but I don't use it as a front line of defense.

 

You can find a lot of strong opinions about comodo, especially the AV. The biggest complaints I see about the AV usually center around the false positives. I use comodo for the firewall/defence+ but not the AV. I ran into problems with it and stopped using it more than a year ago. There are others with reasonable detection and low FP. Personally I use MSE now, but even then I only have it scan downloaded files, not real on access. You may also want to check LUA and SRP. I feel LUA/SRP protects me better than the AV. Fortunately though, you can use both. You may find them a PITA for a while, but you do get used to it.

 

Good question..

1) coz i've been using most of these for years already, and i never noticed any problem, or firewall never flagged any suspicious outgoing connections etc..

2) coz i do (when i dont feel lazy) run my new installers and "patchers/keygens/etc" under my VMWARE virtual environment before running it in my system..in my VM, i have a snapshot tool w/c compares the computer state (files, registries, etc) BEFORE and AFTER I run these suspicious executables. I know exactly what these things did to my PC, and most of them are safe (no autorun entries, no spawning exec, etc )

that's why now that i ran Comodo on my drive felt rather dismayed at all these detections w/c i feel are FALSE POSITiVEs.. but im not stubborn self claimed expert to say I AM RIGHT all the time, hence I posted here to ask , if I'm missing something or are these really just false positives?

I have to admit im also a bit worried coz most of these detections are in the HIGH RISK category in the scan results.. but im battling w/ my own logic that tells me, i've experiences already w/ these apps and they were all OK..i dont know what to believe anymore lolz



@COmodo AV comment
- umm i actually use AVAST, w/c didnt return these massive FP (if they are FP).. but i was under the impression that the COMODO Defense engine will work well w/ it's own AV.. instead of AVAST and Defense competing to get a hold of the files first (real Time stuff) w/c may then cause conflicts or even performance degredations...

@ ALL thanks for your valuable inputs, let's keep discussing....

 

AVs are Not to be Trusted against 0-day Malware.
Sandboxing/Virtualization and other solutions (e.g. Boot-to-Restore, Instant System Recovery, and Imaging software)
can save the day...

 

And why on earth should we "spare you the lessons on software piracy"?

Let me make this completely clear:
This board was never intended for software piracy and it has from the very beginning taken a strong stand against it. Period.

 

perhaps you didnt quite understand what i meant by that.. i just want to avoid people telling me i shouldnt run cracks/keygens or any piracy stuff at all.. im sure they'd be valid points/suggestions, but i really wana keep the topic aimed at the subject.. i've posted in other forums and some posts were

"well if you will use pirated sofware, warez, or cracks, you're be bound to get infcted w/ malware" <-- out of topic.

 

AV detection rates - I do believe in them but not blindly. Forget keygen or patches, AV can even flag off legitimate files and worse still, at times some of them mistakenly flag off system files itself.

If an AV detects a particular file as riskware, then a scan on VirusTotal might help in making a smarter guess on whether the file is relatively safe or not to run.

In order to differentiate between what you should consider as a FP and a true detection in the VirusTotal results (or an installed AV on your PC), having a knowledge of which AVs having a lower record for producing false positives and which ones tend to flag nearly all suspicious/unknown files as riskware helps. Reading AV Comparatives latest comparison tests gives you that small margin advantage. Looking at the classification also helps....whether something is explicitly marked as a "Trojan XXX" or if it's just marked as "suspicious riskware" etc...

From then on, it's a matter of making wild guesses and hoping that your guess was right. If something is already marked as a DEFINITE threat by most AVs, you'd be a fool to run the file. If it's a 50-50 or 30-70 case, and you are still determined to run the file (knowing the possible risks), sandboxes or Virtual environment helps to contain files that you do not trust of running on your real system.

However, if you do need to run it on the real system itself, and you are even more wary, the likes of classical HIPS, anti-logger software and firewall also helps in 'showing' what a file wants to do on your system that might go under the radar of AV detection such as injecting dll, record keyboard input, making screenshot, making outbound connections etc.

But take note that once something is let to be executed, one is to assume that the file is able to do anything that it's created/designed for by it's author and that includes a possible bypass (even the slightest chance) of any security mechanism that is in-place, be it an AV, sandbox, virtualization, HIPS (classical/policy-based), antilogger software, etc etc

Whatever one does, it all comes back to the gut feeling. After all, who can really explicitly 'tell' whether or not something is fully worthy of trust. Trust has always been a game of gamble. And that is why many tell you not to play around with such keygens/patches in the 1st place....albeit they keep on nagging at you the politically correct mantra of "software piracy is bad".

 

An AV to me is really an "oh snap" fall back rather than anything else. They just can't and will never reach 100% detection.

My frontline is DynDNS & IE's SmartScreen, after that comes the system hardening SEHOP/DEP/EMET/etc. I could probably go without an AV, but it's good to have sometimes, especially when a friend needs directions with something in the UI.

 

Please, do not be too harsh on me, but I'd like to make a very humble question, and I'll take some parts of the original question.

How firmly would you believe in today's AV detections, if no other protection existed? (Sandboxes, etc)

 

If no other protection existed, that means we're living in the 90's/early 00's again when AV was actually adequate (yup, good 'ol days of nod32 blasting everything). The only reason we have all these extra methods of protection is because AV became inadequate (in my opinion).

Now AV companies have been forced to bundle suites, likes adding sandboxes etc, to make you keep buying their products.

 

AVs are obsolete tools based on a flawed security concept. They should have died when high speed internet became available. The primary reason they still exist is to keep users dependent on the constant updates, without which AVs would have no value at all. Their useful for scanning downloaded files for known threats, but as a front line defense, they're marginally effective and becoming less so with each passing day. Attempts to improve them with heuristics, checking "reputations" and other "cloud improvements" are little more than advertizing hype and attempts to keep a bad but profitable idea viable. Better methods of securing a PC have existed for years. Both Windows built in tools and other 3rd party applications can provide far superior protection. I stopped using a resident AV about 5 years ago. A year later, I removed the last signature based scanners from my system and have never regretted it.

Regarding the false positives, a certain amount of them is unavoidable. Heuristics on high settings can make them much worse. The last online AV I ran identified a lot of my batch as malicious. AVs will often target software the vendor considers undesirable, which can include cracks. In the past, I used a share of cracked software, most of which has been replaced with superior Open Source software. I also picked up a few for testing, both of the app itself and any malware that might be included. Very few were infected.

 

It would be interesting and beneficial to others if those of you who have mostly stopped using AV's and signature based protection would take a second to include in your comments just what it is that you are now using.
Especially for x64 systems.
Just a thought.
Happy Holidays to all.
Hugger

 

You are partially correct, but I disagree that malware detection itself looses ALL relevance in the age of broadband.

Don't confuse the nature of the beast with a core goal of the technology. The environment is evolving, but it does not completely negate the role of malware/PUP detection; and updates are necessary to provide what ability is possible in any given risk scenario. The key here is that you use the technology appropriately rather than simply using it based on faith or what the marketing message is this week.

That is one possible strength of content monitoring, but you are going too far the other way. One possible example that would make the role of any detection based technology easier to conceptualize is the role of security guard. He patrols your facility on a known (or random) route, looking for problems. Once an issue he recognizes as being within his area of responsibility is identified, he acts accordingly. While the action he takes may be limited in scope and ultimate effectiveness, he has performed his function by identifying the problem and making sure his superiors are informed of the security infraction/issue. Even if he is unable to capture a criminal, he is there to spread the alarm. And THIS is the core competency of AV/AM/AS/etc.

IOW - the AV tech is the guard/canary in the coal mine; providing a warning so others can act...

Not entirely, but there are some features that are marketing driven rather than engineering or research driven. The examples you site however are not as you describe. All they are, are additional tools your security guard can deploy to improve his chances of catching the criminal in the act or provide an earlier warning. I do agree however that these tools are more along the lines of a flashlight, better lighting in the facility, additional patrolmen, cameras in strategic areas, etc. It does not mean he will always catch the criminal, but he has a better chance of seeing the crook and getting the warning out earlier.

Yes, there are better methods than deploying a traditional AV + Firewall approach and it is good to see the discussion and research around this subject progress as it has. It does not however negate all roles for an AV within an intelligent layered strategy. Just like the canary analogy, a dead canary can't do much for you other than to warn you that the O2 level has dropped dangerously and you need to get out of the area; fast. But the fact that that canary died, probably helped save the lives of the miners who were using the canary.

The detection capability of any top/2nd tier AV provides a similar service for your Windows OS by warning the operator that something is wrong and that you may need to address something to ensure your continued security.

IOWs, you still need the warning, even if that is all that is given...

So how do you verify the cleanliness of your systems? If you say you run your computer past some on-line scanners every so often, you are still making use of the technology you are rejecting in your discussion, so at some level you are still seeking some type of expert analysis and feedback...

This is legitimate and again, should be looked at as a warning. Additionally, cracks have two problems:

1. warez/cracks are a significant source of malware infections and are legitimate targets. Even if a cracked application is "clean", its still been compromised and as a result should be viewed with a healthy amount of suspicion and caution. It never ceases to amaze me that some will make the cost analysis that leads them to explore these avenues, but then fail to take that analysis to the possible costs for cleaning up a compromised machine

2. Cracking applications is nothing better than stealing, especially when there are a plethora of free alternatives to most applications; even security solutions. You take a chance that the hacker really has your best interests at heart on faith which is just as incomprehensible to me as the trust in traditional security strategies that have been shown to fail time after time after time, etc.

That you knew about...

With your complete discounting of any AV tech use whatsoever, how do you know that they were really clean; did not install a rootkit, etc? To verify that you were not compromised, you would have had to have performed some type of investigation. For those who have the knowledge of Windows to do this manually, they act like their own AV. For those without the knowledge, they must rely on the feedback from an expert who does. Outside of schlepping your computer(s) over to the local tech (who will use AVs/AMs/ASs) every week, you still need some type of feedback...

Mike

 

I disagree. When broadband became common, PCs became connected 24/7. This combined with a default-permit security policy and a vulnerable attack surface made them easy targets and allowed botnets to be created. These made it possible to distribute malware almost instantly. These conditions still exist in default Windows systems. By the time an AV identified the code as malicious, it was widespread. This has put AVs at a serious disadvantage from which they haven't recovered.

There's no confusion. They're directly linked. The vendors primary goal is to make money. In order to be effective at all, AVs need constant updating. Those updates are a big part of the vendors income. In order to keep users paying, AVs are bundled with other more effective security solutions when they should be replaced by them. IMO, that's the primary reason that AVs are still used, to provide the vendor with continuous income.

I wouldn't call them additional tools, but variations of the same tools. Heuristics for instance is limited in what it can do by the simple fact that many activities or groups of activities can be used both maliciously and for useful purposes. A skilled user would be able to tell which ones are false positives, but not the average user. Several AVs don't like my batch files for instance. On a couple of them I've tested on virtual PCs, they disregarded instructions to ignore them. Regarding AVs that use "the cloud" (or whatever they want to call it) that's a two-edged sword. By relying on cloud servers, your AV and the PC it protects are vulnerable to attacks on or the compromising of those servers, not to mention the internet that connects them, which itself is not secure. IMO, it's a bad idea because it increases your attack surface and part of that attack surface (the cloud servers) are completely beyond your ability to protect. I wholly expect to see a successful attack on some of those cloud servers in the near future and a lot of users PCs compromised as a result.

An interesting analogy. Using the canary, I see it this way. Relying on an AV is the equivalent of using a canary to monitor the air when you have a complete real time gas analyzer available. Bundling a canary with a gas analyzer benefits the canary salesman more than anyone else.

I didn't say that it did negate all roles for an AV. I also didn't say that a firewall wasn't necessary. IMO, a firewall is more necessary than an AV, but that's a separate issue. Earlier I said that AVs were "useful for scanning downloaded files for known threats, but as a front line defense, they're marginally effective..." Scanning files can be done via sites like VirusTotal. For real time protection, both sandboxing and virtualization are superior options, as is one of the oldest options and my preference, default-deny. It's not necessary to identify every piece of malicious code if you don't allow unknowns to execute in the first place.

If I have some reason to suspect a problem, I'll run integrity checks on the system from within the OS, then from the other OS (dual boot system) and compare them. Both OS are default-deny secured so nothing unknown gets executed by either. New software is first scanned at a site like VirusTotal, then tested in virtual systems and on a separate test unit, both of which are equipped with the same security package as my regular systems along with investigative tools and install monitoring. Although I use AVs to scan new files, it's not necessary for one to be installed on my system to do this.

I disagree. An AV or anti-malware is supposed to target malicious code, not function as an anti-piracy system. That decision and the potential consequences of it is the users choice, not the AV vendors. Regarding the safety of the cracked/pirated apps that I used to use and have tested, they were put thru the same procedure and verifications that I use for all installs. They were clean. For the most part, I don't use pirated apps with a couple of exceptions. There are a few versions of apps that I use which are no longer available. The discontinuing of these versions was primarily for the purpose of forcing planned obsolescense and there are no equivalents to them that meet my requirements. If there was, I'd gladly pay for them, but the original vendors were bought out and the versions I use disappeared. The later versions are not compatible with my setup. It's not possible to buy them any more or I would. That said, on the last system I scanned with an online AV, it did not target these apps. Instead it tried to delete my scripts and batch files, labeling them as malicious. I know they're clean. I wrote them. Fortunately I had copies stored elsewhere. Neither OS on this PC has ever been scanned by an AV or anti-malware.

 

Seems like I'm the middle man standing in between noone_particular and ColdMoon on this matter seeing that I agree with what both parties are saying, despite the differences.

For e.g:

I'm one of those who truly believe in the default-deny concept. In my eyes, it's the 1st line of defense. (but that's my personal belief)
Sandboxes, Virtualization, HIPS and the likes are good competitive current technologies in the security industry. However, none of these preventative measures is perfect - each has it's own flaw, albeit differing from one to the other. Perhaps not so much has been seen in today's context but who knows what's up in the future?

noone_particular has a valid point when he said that AVs are obsolete. It is obsolete when the user depends on the constant signature updates as their 1st line of defense. That's how it used to be in the past for many and the 'tradition' is still on-going till this day unfortunately. Who should we blame that upon? That, I'd leave it up to the individual to decide/judge.

Nevertheless, AV vendors know and realize that the constant signature updates concept is flawed in nature (even if not all of them admit it) - it's a cat-and-mouse game. Hence the AV vendors put in their effort in R&D and boom - the introduction of heuristics, "file reputations" and "cloud database", included HIPS/sandbox etc etc to improve upon the concept. It has proven to improve 'results'/'detection' if you had read the likes of AV Comparatives, etc. (not that you need to) One can deem that as marketing - I wouldn't dispute that. After all they're a business organization and no matter what, getting income/revenue is one of the priorities. Figures like 98%, new jargon/terms helps to boost user-confidence in a brand and ultimately result in better sales for the company. This applies to other security technologies too - most if not all try to claim that theirs is near-perfect or 'better' over the competition.

However, we as end-users have the choice whether or not to blindly believe in all the hype. The right thing to do is to take it with a pinch of salt.

For e.g., if one's expectation of an AV is to provide fool-proof or near-perfect protection against future malware threats (inc. "zero-day") or all drive-by downloads, then one is either unaware or lying to himself. And when the AV 'failed' to fulfill that big dream/illusion, one tends to dismiss it as entirely useless or a 'failure'. It applies not to just AVs but to any other security technologies - as 'superior' as one want to believe or as the vendor claim/prove to be, they're not invulnerable. Nothing is. This is where the mistake lies. We can see this way of thinking even on this forum itself.

Only when a user learn not to expect more from what the tools are designed for in the 1st place and know their limits, they're able to accept the flaws. The importance of any layer in your setup (whether you need it or not) is largely an individual choice/preference. Not to count user skills and knowledge.

Going back to topic, I observe it's becoming more prevalent for some to doubt/argue the validity of real-time AV 'detection'. There's nothing wrong with the argument but sometimes, there's too much hate or 'look-down' by certain parties upon those who still use real-time AV.

One may ask: Why can't one simply use an on-demand scanner to scan downloaded files for known threats - perhaps through Hitman Pro or VirusTotal?

But doesn't that itself acknowledges the 'feel for a need to scan'. Some say old habits die hard. Nevertheless, imagine this: if everyone ditches real-time AV, would there still exist the likes of VirusTotal and HMP? It's like a seasaw - you need both sides to achieve an equilibrium/balance.

Default-deny, Sandboxes, Virtualization, HIPS and the likes, etc etc help to prevent infection on the PC itself but what if the file/executable had full access on the real system either through mistaken trust, a moment of carelessness or a bypass of those mechanisms itself? The user is not let-known and is left unaware of the anomaly? Not all security threats pop out right onto your face like rogueware do...

As much as we hate to admit it, an AV helps to fill that gap, although not all users need it. (advanced users probably don't) Perhaps the heuristics might have missed the initial threat but a 'known bad' signature might serve as a 'trigger' or 'warning' as Coldmoon put it. It isn't the best bet to get the job done but it's still something. Not everyone has the ability to correctly or timely 'suspect' a problem and then run integrity checks on the system - that's beyond the scope of the average Joe. And unless I'm wrong, the average Joe is the crowd in today's internet world. Geeks, experts and some of the folks on this forum are a different bunch...

Ultimately, why argue over what path a person should take in securing a PC? Why dismiss a particular method as inferior? What one feels as 'useless' or 'inferior' may work better for the other. Whatever the security path one chooses to take, we know that the end-result would not be the same but diversity itself can be good. To each his own I would say.

 

All I can say is well said safeguy.

 

I'll refrain from quoting your entire post, but nice post safeguy

 

It's best to have a well planed strategy through layered protection, and better user education. Analyze all possibilities, and have an answer for each. What may be best for one person does not hold true for everyone else. Many factors come into play; most importantly primary usage of machine or network. There is a huge difference in securing a network, and a personal computer. You have to decide on the right balance of productivity vs Security if you are in a business environment. If it's a personal computer, and the user is knowledgeable of Cyber security then I have to say it should be very easy for that person to secure that computer with today's technology. I have my own strategy that I have been using for many years that i have refined along the way, and I have never been infected by anything that i'm aware of in over 15 years. If i have been infected it went undetected. My biggest worry is burglary or natural disaster. If I do get infected with any sort of malware anytime soon then I would have to say it would most likely be hidden code in a program that I willingly install. If its a trusted program, and still has hidden code like a trojan or something else phoning home then that would be hard to prevent unless my AV detects it. I believe I have all other bases covered. I feel just as likely to win the powerball as to be infected by any other method of delivery on my personal computer. It's not very hard to secure a personal computer. I hope I did not just jinks myself lol

 

I believe in AV software as much as I believe in Santa Claus. Ho Ho Ho. If you buy AV software you are only giving Kaspersky, Comodo and Norton very Merry Christmases.

 

Thanks to those who liked my post...

LOL!!

Being a nitpick here but you don't have to buy an AV. There are good enough free ones for home use. Some provide for commercial/business use too. Anyway, you don't have to 'buy' Comodo's AV...it's free

Anyway, I don't believe in Santa Claus either but a merry Christmas to you (although I'm not a Christian)

 

All of this just begs the question - if AV works, why do people still get infected even when they are up to date?

How firmly do you believe in todays AV detection? Do you know anyone or have you been infected with an "up to date" system?

You can apply that logic to almost any scenario, from HIPS to LUA. It isn't that the detection rates are better or worse, or that AV is outdated (which it is), it is that the idiots who insist on causing problems adapt as fast or faster than the technology that is supposed to stop them.

Ever wonder why many here love to claim that they don't have problems? It gives one a measure of satisfaction, to know that in almost any circumstance, using almost any tools desired, that one has the knowledge to twart the idiots and their attempts to breach your security.

You can create the best security tool ever, but it won't be foolproof to a determined and resourceful villain. Only those who also understand what the villain understands are able to cope.

For the rest, if they rely on something other than knowledge (and that is the majority), they have to (seemingly) constantly play a balancing game of what tool/software to use to counter the threats of the day. They need to be vigilant in this, as becoming "satisfied" with the current set of tools/software only provides protection until the villains "adapt and overcome". The constant patching and updating is evidence enough that there is not, and never will be, a surefire cure-all.

Knowledge is the only security I firmly believe in. All else is like making a mystery soup -- you add a pinch of this and a dash of that -- the first batch might be very tasty -- but the next batch might not be as good.

Sul.