Antivirus industry struggles to keep up

Discussion in 'other security issues & news' started by dr pan k, Jan 1, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    This is the case, currently. But we've already seen progress on mobile platforms, where the OS takes significant responsibility for security - like Android, and iOS, both of which have very strong security models. Both systems have significant issues, but they can be fixed (they won't be).

    The biggest issue with Android's model is that it provides tools for the developer to make use of and then the developer decides how secure the app is. It's run in the Dalvik VM, which is cool, because as a VM language you can force bounds checking and things like that, but it's weak to socially engineered malware - it doesn't have to be at all.
    Software repositories help but strict vetting tends to hurt users (look at iOS). And, yeah, Android's app store (and Chrome's increasingly) isn't good either - it's great that it's not restrictive, but it's not cleaning up the crap.

    And when something like Angry Birds is requesting ridiculous permissions like GPS how can a user ever know, based on that information, whether an app is legit? They can't, of course.

    But those models are far stronger than User/Group models in Linux (Android uses them in a very cool way) that get implemented on desktops.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    A default-deny policy running in a Standard account environment will address this scenario quite sufficiently :)
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Well said :)
     
  4. danx1000

    danx1000 Registered Member

    Joined:
    Jan 2, 2013
    Posts:
    2
    Location:
    USA
    New York Times Outmaneuvered

    It's official, the sky is falling.

    In yesterday's paper, the New York Times published an article (Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt) based on a ridiculous report from Imperva stating that av products are detecting no more than 5% of new malware. (http://www.nytimes.com/2013/01/01/t...-malware-more-effectively.html?pagewanted=all)

    Everybody, shut off your computers, cut the cords, the internet is now over.

    Sigh

    Clearly the Times was outmaneuvered here. Well played Imperva. You'd think the Times would find someone intelligent to talk to to learn why Virus-Total is BS before indicting an entire industry.

    Let the test bashing begin!
     
  5. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Re: New York Times Outmaneuvered

    You're only seeing the media do what it does best. People listen to what the media tells them, which is why this "failing" industry still retains its popularity and why people still rely only on it. Go to any mainstream tech/computer site right now and see how many "AV Battle of Such and Such Year" articles you find. Perhaps, just perhaps if they'd discuss the Sandboxies of the world, the Comodos, the EMETs, things would change slightly. But no, if they're not too busy comparing IE, Firefox and Chrome for the 9 millionth time in less than a year, they're putting Norton, Kaspersky and maybe two other major AV vendors in a ring and seeing who wins...for that same 9 millionth time. And that's only when they're not recycling Facebook articles. I'd indict the media industry before the AV industry.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Imperva AV Effectiveness Test

    http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf

    Guess who got the top score? Symantec. Note number of samples missed by Kaspersky.

    Most interesting finding in this study is less than 5% of malware in the wild is detected by products tested. Could not think of a better example for HIPS justification on every PC.

    Their assessment of SuperAntispyware is it's next to worthless.
     
  7. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Re: Imperva AV Effectiveness Test

    Well, at least they have some credibility then :D
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Re: Imperva AV Effectiveness Test

    A HIPS is too complicated and overwhelming to configure for average Joe Public. A Default-deny AE that governs mainly paths for %ProgramFiles%, %Windir%, and %System32% directories for all executable types including DLL, as well as scripts would suffice. The User-space directories pose a greater challenge because they're not protected directories; Users can write to and execute from them. They can, however, be addressed with very literal path rules or Hash rules, the latter of which are stronger but cumbersome to manage. I found Hash rules to be too much of a PITA, so I use fairly concise Path rules for them.

    Note that with Path rules, in most cases there is very little or no on-going management required, other than those that are specific to applications or certain paths. E.g., one I created for Chrome Portable:

    "C:\USERS\useraccount_name\APPDATA\LOCAL\TEMP\*.TMP\KILLPROC.DLL"

    In this case it's a new program installed under the User's directory, an unprotected directory at that, and because it's dangerous to simply allow a global type %UserProfile% Path rule for this directory, a specific Path rule was created for it.

    If this is done on an x64 Win 7 setup with UAC at Always Notify and a well configured EMET and browser in a Standard user account, it's going to be really difficult - note I didn't say impossible - to breach by accidental encounters with malware. Only the individual responsible (administrative rights) for installing programs on the machine can circumvent it. No real-time av is required.

    I guess even this setup is too much for the average person, but maybe Faronics AE or an enhanced version of AppLocker /SRP, one that helps guide the user in rules setup, could help.
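    The evaluation logic behind the default-deny setup described in this post, as an added example (not code from the thread, nor from AppLocker, SRP or Faronics): protected-directory path rules for %ProgramFiles% and %Windir%, the literal user-space path rule for the Chrome Portable DLL, and hash rules for files that have to live in unprotected user-space directories. The environment-variable values, file paths and file contents are constructed stand-ins for a Windows host; the rule matching is a simplified model of how such products behave, not a reimplementation of any of them.

```python
import fnmatch
import hashlib

# Constructed values standing in for a Windows host's environment variables.
# The OS expands these itself; this model expands them by hand.
ENV = {
    "%programfiles%": r"c:\program files",
    "%windir%": r"c:\windows",
    "%userprofile%": r"c:\users\useraccount_name",
}

# File types the policy governs (executables, DLLs and scripts);
# anything else is treated as data and is not subject to the deny rule.
GOVERNED_EXTS = (".exe", ".dll", ".com", ".scr", ".ocx",
                 ".ps1", ".vbs", ".js", ".bat", ".cmd")


def normalize(path: str) -> str:
    """Lower-case a path, unify separators and expand the variables in ENV."""
    out = path.lower().replace("/", "\\")
    for var, value in ENV.items():
        out = out.replace(var, value)
    return out


class DefaultDenyPolicy:
    """Allow execution only when a path rule or a hash rule matches; deny otherwise."""

    def __init__(self, path_rules):
        # Patterns use * as a wildcard, like the KILLPROC.DLL rule in the post.
        self.path_rules = [normalize(r) for r in path_rules]
        self.hash_rules = set()

    def add_hash_rule(self, content: bytes) -> str:
        """Trust one exact binary by SHA-256; any byte change invalidates the rule."""
        digest = hashlib.sha256(content).hexdigest()
        self.hash_rules.add(digest)
        return digest

    def decide(self, path: str, content: bytes = b"") -> str:
        """Return 'allow', 'deny' or 'not governed' for a file about to execute."""
        target = normalize(path)
        if not target.endswith(GOVERNED_EXTS):
            return "not governed"
        if hashlib.sha256(content).hexdigest() in self.hash_rules:
            return "allow"
        for pattern in self.path_rules:
            # fnmatchcase's * also spans backslashes, so *.tmp\killproc.dll
            # matches whichever random TEMP subfolder the installer created.
            if fnmatch.fnmatchcase(target, pattern):
                return "allow"
        return "deny"


def build_policy() -> DefaultDenyPolicy:
    """Protected-directory rules plus one literal user-space rule, as in the post."""
    return DefaultDenyPolicy([
        r"%ProgramFiles%\*",
        r"%Windir%\*",
        # Literal rule for the Chrome Portable helper DLL, instead of a broad
        # %UserProfile%\* rule that would also cover Downloads and Temp.
        r"%UserProfile%\AppData\Local\Temp\*.TMP\KILLPROC.DLL",
    ])


if __name__ == "__main__":
    policy = build_policy()
    user = r"C:\Users\useraccount_name"
    for candidate in (
        r"C:\Program Files\Foo\foo.exe",
        user + r"\Downloads\setup.exe",
        user + r"\AppData\Local\Temp\ABC123.TMP\KILLPROC.DLL",
        user + r"\Documents\notes.txt",
    ):
        print(f"{policy.decide(candidate):13} {candidate}")

    # A user-space tool that must run from Downloads: whitelist it by hash.
    # Constructed bytes; a real rule would hash the actual file on disk.
    blob = b"constructed: installer bytes v1"
    policy.add_hash_rule(blob)
    print(policy.decide(user + r"\Downloads\tool.exe", blob))          # allow
    print(policy.decide(user + r"\Downloads\tool.exe", blob + b"!"))   # deny: any update changes the hash
```

The two decisions at the end show the trade-off the post describes: a hash rule cannot be satisfied by anything except the exact bytes that were whitelisted, which is why it is stronger than a path rule, and also why every legitimate update of that file means editing the rule again. Swapping the literal KILLPROC.DLL rule for a broad %UserProfile%\* rule would let the same policy allow the Downloads executable it currently denies, which is the risk the post warns about.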
     
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Re: Imperva AV Effectiveness Test

    Regarding Imperva's test, Roel Schouwenberg at Kaspersky said it best:
    Source: https://twitter.com/Schouw/status/286553651449827329
     
  10. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Re: Imperva AV Effectiveness Test

    Agreed. Using only the combined AV command line scanners and thus neglecting all other AV program features is rubbish.
    And if I may, a sample set of 82 is rather poor for accurate statistic value.

    As per VirusTotal FAQ:
    'Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:
    VirusTotal's antivirus engines are commandline versions, depending on the product, they will not behave exactly the same as the desktop versions. For instance, desktop solutions may use techniques based on behavioural analysis and may integrate personal firewalls that can reduce entry points and mitigate propagation.
    In VirusTotal, desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
    Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/aggressiveness level than the official end-user default configuration.

    These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea...'
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It wouldn't address anything she said. A SUA/AE won't prevent you from hitting a malicious webpage and it won't prevent any browser exploits, whether they're XSS or buffer overflow. SUA/AE jump into the exploit process so late in the game they've provided a huge amount of room for attackers to deal with the system. And very few users would be willing to use one, let alone be able to use one properly (Chrome wants to execute ChromeUpdater.exe, continue?).
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    If default-deny is complemented with scripting control in the browser and something like EMET to harden applications against memory corruption, all run from a Standard account, and the user manages to keep critical applications updated, it's realistically going to be tough to beat. It's no silver bullet - nothing is - but it's sound security without depending on highly undependable antivirus. Rmus seems to have proven so many times already that AE, not to mention an application firewall as well, is not too late to intervene in the attack. It at least stops the payload, which seems to be the main objective of these attacks.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Sure, if you add scripting and EMET you harden the system quite a lot more. But I feel like the prevention of scripting and EMET is the part of the equation here that's making things difficult, not the AE.

    Attackers like secondary payloads, it's true.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    The malware news is mostly rife with attacks involving a trojan this or trojan that installing and executing on a victim's machine, usually because of rogue apps or similar. This is why I'm such a proponent for the use of application whitelisting. I realize memory corruption is not to be dismissed as trivial, but keeping applications and the O/S updated and using EMET goes a long ways to addressing it.
     
  15. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    There's a fair bit of bewilderment and head shaking in the A/V business based on the Imperva statements made, thus far.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,145
    Location:
    Texas
    http://blog.eset.com/2013/01/03/imperva-virustotal-and-whether-av-is-useful
     
  18. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I think it's safe enough to say at this point that Imperva is looking quite stupid. Even AV proponents like myself agree that just an AV isn't going to cut it anymore. But using a laughable amount of samples and VT to prove that was a nutty move. People will quit talking about it though soon enough. These "reports" and "studies" come up every other month or so and just shouldn't be taken that seriously.
     