Wilders Security Forums  

  #1  
Old August 6th, 2009, 03:38 AM
testsoso testsoso is offline
Regular Poster
 
Join Date: Feb 2007
Posts: 99
Default Antivirus loss the War more and more...

here is a document, say this...

http://www.commtouch.com/download/1491

And even Avira is affected...

Last edited by ronjor : August 6th, 2009 at 07:06 AM. Reason: Modify direct pdf download link
  #2  
Old August 6th, 2009, 03:41 AM
testsoso testsoso is offline
Regular Poster
 
Join Date: Feb 2007
Posts: 99
Default Re: Antivirus loss the War more and more...

I hope Avira's detection becomes strong again against those Chinese virus samples...
  #3  
Old August 6th, 2009, 04:37 AM
tsec tsec is offline
Regular Poster
 
Join Date: Nov 2008
Posts: 181
Thumbs up Re: Antivirus loss the War more and more...

Interesting and succinct.

(Had a chuckle at the UN 419)
  #4  
Old August 6th, 2009, 05:46 AM
dawgg dawgg is offline
Frequent Poster
 
Join Date: Jun 2006
Posts: 808
Default Re: Antivirus loss the War more and more...

What has this got to do with Avira in particular? - as far as I see, it's about the AV industry as a whole - correction, "major AV engines" only and there is no specific naming of any AVs.


On the whole, IMO, this is why either, users need additional security features or AVs have the need to integrate additional security features in their products in order to protect users to stay on top of the game (protecting users, not only detecting) - HIPS; sandboxes etc.

The onus is not only on AVs though, users need to learn to use these additional features effectively, as "automated" protection is usually less effective than "interactive" protection, and if an AV tries to make "automated" protection too tight - it may make it more effective against malware, but runs the risks of interfering with other software's installation, uninstallation and usability.

IMO, forget Spam emails as a portal of infection/fraud (unless it's phishing), they're mainly a nuisance. People should know not to click on these (which also encourages spammers to spam).

Also, IMO, infected/hacked/phishing websites, social engineering and vulnerabilities are the main area of concern with the emergence of future threats as they are deceiving and not blatantly malicious.
  #5  
Old August 6th, 2009, 06:19 AM
OnSeeker OnSeeker is offline
Infrequent Poster
 
Join Date: Jul 2009
Posts: 12
Default Re: Antivirus loss the War more and more...

I think that this discussion is relative to the antivirus you're using! I'm using for example BitDefender and it suits me well! I don't have problems with anything!

Since I've installed it I think I won the war against malware

I recommend it for those of you who are disappointed by your security solutions!
__________________
Everyone is listening! Why do you bother talking?

The OnSeeker
offline ideas… found online…


by Steve Aether...
  #6  
Old August 6th, 2009, 01:35 PM
tipstir tipstir is offline
Frequent Poster
 
Join Date: Jun 2008
Location: CT, USA
Posts: 827
Default Re: Antivirus loss the War more and more...

Quote:
Originally Posted by testsoso
here is a document, say this...

http://www.commtouch.com/download/1491

And even Avira is affected...

Link is dead!
__________________

Network |TP-LINK: 3x TL-WR1043ND V1.7 |Stock ROM|
System |FW-7U/32/64-BIT |MSE |UAC |DEP ALL PROGRAMS |HOST-MVP |ASC Pro |M-SAS |M-MBS |
Browser |Chrome |Flash Block |Ad Block |Click & Clear |Personal Block |Disconnect |Select Out |Vanilla |
  #7  
Old August 6th, 2009, 02:03 PM
ronjor ronjor is offline
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,201
Default Re: Antivirus loss the War more and more...

The link was modified. If you enter the link in your browser by hand, the link works.
  #8  
Old August 6th, 2009, 02:47 PM
tipstir tipstir is offline
Frequent Poster
 
Join Date: Jun 2008
Location: CT, USA
Posts: 827
Default Re: Antivirus loss the War more and more...

Quote:
Originally Posted by ronjor
The link was modified. If you enter the link in your browser by hand, the link works.

Thanks..
  #9  
Old August 6th, 2009, 05:16 PM
Stefan Kurtzhals Stefan Kurtzhals is offline
AV Expert
 
Join Date: Sep 2003
Posts: 625
Default Re: Antivirus loss the War more and more...

While the paper isn't entirely wrong, one should consider that the authoring company has an agenda... to sell its own, of course "far superior" (tm) solution...
__________________
Chuck Norris does not use any antivirus software. He knows the hashes of all clean software on earth. Even those that are not compiled yet. It is not known if he got that list from dividing by zero or counting to infinity.
  #10  
Old August 6th, 2009, 05:24 PM
dschrader dschrader is offline
AV Expert
 
Join Date: Mar 2009
Posts: 54
Default The sky isn't falling

I would like to see more specifics from the source - and they do have an ax to grind. They are trying to show their detection is better than other vendors. How did they test virus scanning? What was the methodology? What versions of products on what platforms?

We haven't seen dramatic outbreaks of virus variants that we aren't detecting.
  #11  
Old August 6th, 2009, 08:23 PM
bollity bollity is offline
Regular Poster
 
Join Date: May 2009
Posts: 156
Default Re: Antivirus loss the War more and more...

Sometimes I wish that those virus makers were judged and executed. They try to hurt people with no reason, just to make fun for their sick minds.
  #12  
Old August 7th, 2009, 02:26 AM
Stefan Kurtzhals Stefan Kurtzhals is offline
AV Expert
 
Join Date: Sep 2003
Posts: 625
Default Re: Antivirus loss the War more and more...

Quote:
Sometimes I wish that those virus makers were judged and executed. They try to hurt people with no reason, just to make fun for their sick minds.

But they have a very good reason! They make money, loads of money. The guy responsible for FakeXPA got caught, he made 50m $ or so. He got fined for 116k $ or something like this - and no jail time!
Being criminal is really paying off these days. You just need to be a BIG criminal. If you are just downloading MP3s, you are OF COURSE such an evil criminal that you need to be punished to the absolute maximum...

The name and address of the W32/Virut virus author have been known for about 2 years, he is constantly registering his new updating domains with his original name I think. The police do nothing. My understanding is that the police are not really interested in information - because the damage done to people by malware is too "low".


Quote:
James Reno and ByteHosting Internet Services were found responsible for distributing scareware products that used underhanded methods. The scam foisted software of no utility on the basis it was necessary to fix supposed security problems or remove smut from the PCs of prospective marks. The defendants - found responsible for tricking more than a million punters into buying rogue products including WinAntivirus, ErrorSafe, and XP Antivirus - were ordered to pay $1.9m last year.

Reno pleaded poverty, so the FTC has agreed to take $116K to settle the case, on condition that the defendants first get out of the scareware and second never trade with their co-defendants again. The agreement - which leaves the FTC free to pursue other defendants in the case - is conditioned on the promise that Reno and his firm told the truth about their finances, and is subject to court approval.

It's unclear how much Reno and his firm made from their illicit trade but scareware packages typically sell for upwards of $50, suggesting the whole scam might have easily netted more than $50m. Reno's original fine, much less the final settlement, is only a tiny percentage of this and therefore not much of a deterrent against future would-be scareware moguls.
  #13  
Old August 7th, 2009, 07:59 AM
andyman35 andyman35 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Posts: 2,270
Default Re: Antivirus loss the War more and more...

Quote:
Originally Posted by Stefan Kurtzhals
But they have a very good reason! They make money, loads of money. The guy responsible for FakeXPA got caught, he made 50m $ or so. He got fined for 116k $ or something like this - and no jail time!
That relative pocket-change fine to that guy sums up what a low personal risk for huge financial gain is involved with the malware 'business'.

Not long ago I read in the local paper of a robber that held up a building society with a banana wrapped in a brown paper bag, he got away with something like £3000 and when caught received a 3 year sentence!

No wonder the smart criminals have turned to cyber crime, even if the authorities can be bothered to get them into a court of law the sentence will mean just the loss of a week's wages.
  #14  
Old August 7th, 2009, 11:27 PM
cqpreson cqpreson is offline
Frequent Poster
 
Join Date: May 2009
Location: China
Posts: 348
Default Re: Antivirus loss the War more and more...

I am very sad to see that. It represents our computer and network will be in danger at any time.
  #15  
Old August 7th, 2009, 11:51 PM
Defcon Defcon is offline
Frequent Poster
 
Join Date: Jul 2006
Posts: 296
Default Re: Antivirus loss the War more and more...

So what's new? As they say there is no foolproof lock, and there is no completely secure solution. The stakes are high and some very smart people are involved in making both the viruses and the detection.

The really dangerous malware is probably deployed on select networks where it can do the most damage, their authors and botnet operators don't want it out in the open so it doesn't trigger the security companies.
  #16  
Old August 8th, 2009, 01:17 AM
RejZoR RejZoR is offline
Polymorphic Sheep
 
Join Date: May 2004
Location: Europe/Slovenia/Ljubljana
Posts: 5,366
Default Re: Antivirus loss the War more and more...

They said AV's will fail long ago, but they're still holding strong. They've said this many times but AV's are still around. It's just that they have evolved further from those basic thingies we had in the past.
__________________
RejZoR's Little Secrets
  #17  
Old August 8th, 2009, 02:12 AM
raven211 raven211 is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,552
Default Re: Antivirus loss the War more and more...

Quote:
Originally Posted by RejZoR
They said AV's will fail long ago, but they're still holding strong. They've said this many times but AV's are still around. It's just that they have evolved further from those basic thingies we had in the past.

Couldn't agree more - great insight.
  #19  
Old August 8th, 2009, 02:45 AM
cqpreson cqpreson is offline
Frequent Poster
 
Join Date: May 2009
Location: China
Posts: 348
Default Re: Antivirus loss the War more and more...

I totally agree with you. AV can't win. AV is only able to follow behind viruses. AV can't know viruses founder's thinking.
  #20  
Old August 8th, 2009, 03:10 AM
raven211 raven211 is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,552
Default Re: Antivirus loss the War more and more...

Quote:
Originally Posted by ssj100
In my opinion, in some ways, AV's were never winning the war. I think AV's are useful for on-demand scanning and for cleaning up isolated malware.

Why have AV's already lost the war in some ways? I'm not sure if you've read my posts in other threads, but think of it like this:

1. 10,000 new malware released per day
2. AV detects 99% of all that malware
3. That leaves 100 malware undetected by the AV per day
4. It only takes 1 piece of malware to get infected badly

As you can see, relying on an AV alone is theoretically unsound. Just how I see it though.

A note... that's why "the cloud" was created in the first place. Analyzing behavior and using "reverse detection" by looking at how many people have the file, makes those "undetected" pieces of malware get detected instead.
  #22  
Old August 8th, 2009, 03:52 AM
cqpreson cqpreson is offline
Frequent Poster
 
Join Date: May 2009
Location: China
Posts: 348
Default Re: Antivirus loss the War more and more...

"The Cloud" is very good indeed. But it depends on a large number of users. And analysing viruses needs time. That means it costs a long time from a virus being found to a virus being added into AV's virus database. So Antivirus can't win this war.

BTW: Maybe HIPS with a good ruleset can defend against some simple viruses.
  #23  
Old August 8th, 2009, 05:37 AM
raven211 raven211 is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,552
Default Re: Antivirus loss the War more and more...

Quote:
Originally Posted by ssj100
"The cloud" is conceptually a very good idea. However, "the cloud" still relies on regular updating. And even with regular updating, you're still only going to get at best 99% (this is being very generous) detection rates of newly released zero-day malware. (AV-comparatives tests actually suggest a much lower detection rate, with Avira top scoring at around 71% in the latest tests from memory). Even the positive PC Mag review of Prevx (Editor's Choice) gave numbers of not much more than 90% (probably of older malware samples too) detection rates.

And given newly released zero-day malware number in the thousands per day, this type of black-listing/behaviour-blocking technology is just not enough (as I said, it's a roll of the dice). Again, just how I see it.

Taking it short... sandboxing is the ultimate defense there is, yes, but I don't understand the scores for Norton 2010 at least when tested by PCMag, since the software needs things that are run/downloaded/whatever to be analyzed or deemed safe through enough data to be allowed to run on a PC, which means that (new) malware "shouldn't" be able to pass through - I honestly dunno why it does.

I don't wanna write a long post here, so Joe will have to reflect on why Prevx didn't receive a full score in PCMag's testing - he also has the insight that I will never have after all.
  #24  
Old August 8th, 2009, 06:17 AM
pbw3 pbw3 is offline
Regular Poster
 
Join Date: Nov 2007
Location: UK
Posts: 113
Default Re: Antivirus loss the War more and more...

Tend to agree with the majority posting on here that do not appear to "rely" on their AV..

Essentially, software is either downloaded intentionally (you want it) or unintentionally (trying to get onto the machine unnoticed), although I accept that social engineering tricks etc can blur that black and white perspective:

1) If an intentional download - an AV can help (whether resident and / or on-demand, cloud, or online checker like Virus Total etc), and to which one can add and / or substitute common sense, download from trusted sites, google for reputation or problems, etc, etc.

2) If an unintentional download - the AV "start with a blacklist" concept is always a more "reactive" process; and to which
a) securing the front line troops (ie the browser, OS and other software that is going to be facing the attacker first head on); combined with
b) one or more of the white list / sandbox / isolation / HIPS approaches etc - whatever your preferred flavours - to block or contain whatever a) misses;
should in theory always be far more effective.

I have been interested to see AV suppliers increasingly making the perfectly rational argument, essentially responding - to the usual posts from those who have been infected asking "why did the AV not stop it" etc - that no one should always be relying simply on their AV, but should be using the AV as part of a more structured approach.. and which is pretty much what most of you guys recommend to people who come on here looking for help..

Also agree with those of you who suggest AV's will continue to morph into these other areas, particularly given the significant revenue streams they will want to protect.

Peter
  #25  
Old August 8th, 2009, 07:46 AM
RejZoR RejZoR is offline
Polymorphic Sheep
 
Join Date: May 2004
Location: Europe/Slovenia/Ljubljana
Posts: 5,366
Default Re: Antivirus loss the War more and more...

Quote:
Originally Posted by ssj100
In my opinion, in some ways, AV's were never winning the war. I think AV's are useful for on-demand scanning and for cleaning up isolated malware.

Why have AV's already lost the war in some ways? I'm not sure if you've read my posts in other threads, but think of it like this:

1. 10,000 new malware released per day
2. AV detects 99% of all that malware
3. That leaves 100 malware undetected by the AV per day
4. It only takes 1 piece of malware to get infected badly

As you can see, relying on an AV alone is theoretically unsound. Just how I see it though.

Ever thought it's just not possible doing the other way around? It's just not possible to deliver 100% detection and also provide 100% protection for anything that might come tomorrow or after 7 days.
All times are GMT -4. The time now is 09:48 PM.