Antivirus is 'completely wasted money': Cisco CSO

ZDNet Australia
.

 

Which is what any decent PC-based firewall does; however, by itself that will not prevent drive-by infections, although using Firefox with a script blocker can help in that regard.

 

It goes to show that the av isn't dead at all. It is and always was meant to be run with other types of protection. And in that respect nothing has changed. Granted the malware is getting more difficult to manage but a good av product along with several other types of protection can still give good protection. We will just have to wait and see how this all plays out in the future.

bigc

 

well the av industry arent just gonna say ye antivirus is a wasted cost because they dont want to go out of business.
thats why heristics and proactive protection needs to be improved in products.
which most antivirus companies are doing. i think most people will always use antivirus for part of their secuirty. the challege is adding proactive protection that doesnt confuse the user. because if the user gets loads of prompts and doesnt understand them and allows everything then its 0percent protection.
try finding a product that can block all new malware,doesnt ask questions and never needs updating,no fp's. ye right good luck lol.

 

This is a hard one, because Microsoft deliberately left open myriad possibilities of disrupting potentials from clever coders of malware & viruses IMHO to create & expand business startups globally to cover for those limitations.

HIPS came along AFAIK helped to offset a lot of missed opportunities where AV's took it hard on the chin with their missed coverages that couldn't possibly handle them all, at least not always on time enough to secure their customers from inevidable disruptions or worse.

The only safe protection to suppliment such failing fell to Image BackUp Apps IF users were up to speed enough to impliment those emergency protections.

One thing i noticed over the years in my incognito infiltration of virus sites is that they worked intently on subverting AV's with great enthusiasm, all of them, as well as firewalls; but the never counted on introduction of HIPS and Behavioral Blockers as well as Virtual Machines and Sandboxes, and to this day they seem to still focus efforts on AV's and i read a lot of their experimentations on forming BOTS, but still these other innovations get in their way and theres little they can do about it really. Of course a BackUp Image Restore can go a long way in recovering but can you imagine having to return again and again to forge another image restore because their AV is been bit again and bypassed?

The best thing AV's have done is add these same type ProActive HIPS and not so much Heuristics IMO, but this is not my expertise but only speculation on my part, but it does seem to hold some truth against complete AV bypassing potentions.

As far as money for license and that as concerns AV's, i think they already know it's a real threat to their overall bottom line and is encouraged AV's to add better alternatives then simply depending on BlackLists alone, because it's just not always enough to keep their customers safe.

EASTER

 

Depending on what AV you choose it's wasted money...
No one AV is 100% and some popular AVs (I won't say the names to block discussions) are less than 10% and it's a wasted money if you buy it.

 

i still cant seem to understand why is HIPS better then heuristic.?

 

An explanation for this would be appreciated

 

As far as I know (and PLEASE correct me if i'm wrong), the difference is that heuristics try to identify malicious patterns on the code of files. So theoretically no signatures are needed, because it can identify when a file does bad things. They are better and worse heuristics, and of course, as with signature based AV's, no heuristic can catch 100% of bad files.

HIPS on the other side are system monitors that keep track of everything that happens on the computer, good and bad things. If a program executes, HIPS will now, if a DLL loads, HIPS will know, etc... It then asks the user to allow or deny that action. Some malware can bypass HIPS (or claims that it can), but HIPS are stronger than heuristics. They weakness is that they rely on user choices, and the user can make mistakes (deny good things and allow bad).

EDIT: more info on HIPS, here

 

I think the key word is "companies". To tell you the truth, I really can't think of a reason why a whitelist isn't better and cheaper for the majority of corporate machines.

 

these comments are absolute BS to me.

myself, and thousands/millions? of others im sure have been using computers for many years with only an antivirus with no problems.

fact is, its these people who are happy.... who dont speak up.

only the complainers - complain and question their products.

im not going to say its a perfect solution, as there is always something out-there on the WWW that can get past, however.... for protection, on home users, for the majority, an antivirus is a perfect and cost effective way of protecting their usage.

 

Whitelistening executables won't protect you from exploits in data files (PDF, Flash, QuickTime, Office) that don't drop files on the hard disc but directly execute in RAM. SQL/Slammer, anyone?

So as soon you recieve data files from the outside world, you are a potential target.

And company computers are a defined environment. The policy which software is allowed can be very strict. It's easy to use whitelistening here. But that will simply won't work with normal private users. They install new, unknown software all day, try new games, shareware and so on.

On last VB, BIT9 (company which does whitelistening) said they get 50.000.000 new clean executables per day or something like that. Have fun with the database maintaining that! And guess how BIT9 does determine if those executables are really clean/safe or not? Yeah right, they scan with various virus scanners! DUH!

There are no simple solutions. And the malware industry will surely target and bypass everything if it's worth the effort - too much money is involved now. As said in this thread, you need a multi-layered protection AND options in case your computers got infected anyway. There is no system that is 100% secure.

 

AV maybe very misleading for some... one AV company will call a virus sig one thing and the other AV company may classify it as mal-ware and some may not consider it a threat at all. in any case by the time a sig is found and summited and classified. lots of pc have already been infected and will keep on doing what the bug was designed too do. because as we all know some AV are good at finding bugs but can not remove it or they can not find the bug but may be able to remove the infection. and then hips was found and does do a very good job (for the ones that know how to read and understand the alerts) the end result is the bug makers will win until there is some kind of set standard by all security company's to have a main stream classification process and change with the times. witch some say they are but are still using 80's techniques to catch 20+ yr's of refined and proven techniques of infecting a computer.

 

Simplifying... I understand that while a black list blocks what the users registers as "bad" the whitelist (HIPS) will block all but what the user classified as "not bad"... It's the reason why HIPS is better than heuristic... When heuristics doesn't detect something as "bad" it can still be bad... but when HIPS detectes something as "not bad", suposing that the user knows what is doing, it won't be bad... HIPS can be very boring sometimes...

Right?

 

Perhaps because there is little in the way of threats out there for those who take an interest in how their machines are set up ?

Like many others I "wasted" money on various AV programs in the 90's but not for a long time since.

 

Many things can be awaste of money. However, if one gets enjoyment out of the product, than where is the waste? I personally only use freeware or programs I have received a free license for, and while I would never pay for any of them, I can certainly understand why many people do. They are simply fun to use.









ThePheonix always rises.

 

So Boclean has its uses (blacklister),its mainly a memory protector.

 

Ronjour, thanks for that link.

Everyone, there have been a few days around here where I thought this forum was going downhill despite all the best efforts of the mods. This thread is a definite uptick.

I don't really know what to do myself. OS hardening has been my main strategy for several years. Things are really bad when you read that 500,000 sites have been compromised in an automated attack. The bad guys definitely seem ahead of the good guys.

HIPS can be effective, but only in the hands of an expert, IMO. Products for the non technical person that work are needed. What use is is something that throws pop up warnings every day that Joe Sixpack does not know how to answer. At work its worse, as they stop working and make a call to support which costs $'s.

Postscript: Diver is finishing up 2 weeks of scuba diving on Roatan in Honduras. Its just glorious. Everyone around here, get outside, ride a bike, walk, run, climb, swim, dive, sky dive or do something.

 

I hear you Diver. I think most vendors are trying, but it really is for now a lost cause. I just use Returnil and reboot once a day and pray for the best.

Enjoy your time. We are leaving tommorow for a 2 day motorcycle ride of the Blue Ridge Parkway from Georgia to Virginia. Mine is ready to ride.

 

My daughter uses Avira Premium, and it has prevented 4 infected downloads in just the past 2 weeks. A complete waste of $$? NOT!

IMO, the Cisco Kid is full of it. IMO the Cisco CEO is another one of those folks who function as contrarians &/or make outlandish stements solely in order to draw attention to themselves.

 

Well, take a look at the Avira Support Forums, Viruses and other security risks.
http://forum.avira.com/wbb/index.php?page=Board&boardID=140
All well protected by Avira? Or not?

Solcroft pointed it out in this post: https://www.wilderssecurity.com/showpost.php?p=1229953&postcount=18

And what else as "trust us" should this novice Security Suite vendors like Avira or ESET tell you, when they know that they have basically nothing else to offer than old-fashioned techniques?

Cheers

 

On first glance of topics on AV forums, it appears the AV products aren't detecting various malware, but most of the time when reading the threads, problems are solved through updates (24 hours later) or by simple methods such as running the scanner in safe mode.

I think Stefan raised a good point that even where white/blacklisting were being used, companies are still relying on anti-virus products to scan and determine whether programs/files are safe (to be white/blacklisted).

All that is happening is just a shift in view. From the view of AV products being a total and complete solution, towards the view that they're an effective part of the solution.

These programs have only just reached a point where many average users have finally found them easy to use. New products would have to be as easy to use before average users would trade up on their AV/security products. I don't see this happening in the near future. In my opinion it's taken about 15 years for the average/basic (mum/dad) computer user to now realise the benefits of having security products, to actually request it when purchasing a computer, and even start speaking about it ("the viruses picked up on the son/daughter's computer").

 

I don't think AVs are a waste of money now. But later on if this new shape shifting malware becomes the main problem of malware on the net then yes having AVs will become a waste of time.

because this shape shifting malware keeps on changing before AVs can release updates.

http://itnews.com.au/News/76128,shapeshifting-malware-hits-the-web.aspx

This is why I think later on HIPs with white lists will become more widely used.

 

I agree their approach needs to change to keep up with malware advances, but as the blog posted earlier stated, it will be up to the well known companies (McAfee/Symantec) to introduce the average user to new 'terms' and 'methods' being used.