Antivirus is DEAD!

Discussion in 'other anti-virus software' started by farmerlee, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Interestingly enough, this seems to be the method Comodo seems to be trying to take, though they apparently restrict themselves to executables, libraries and drivers, without taking into account documents like you mentioned.

    Perhaps a Comodo representative could comment on this, if there are any around? :D
     
  2. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    Interesting, IC. Also, it seems that Opera doesn't like your blog; it's displayed wrong. :)
     
  3. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Great article!

    A poster with at least 5,859 posts that says he does not know anything about good/bad objects, has now been graduated to an ADVANCED computer user! ;)

    Mike
     
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It is useful to bear in mind that any proclamation of the death of Technology X is typically no more than the birth announcement of Technology Y. At birth, we all have almost limitless potential, then reality starts to rear its ugly head.

    At times, a reality-adjusted Y is sufficiently attractive to supplant X, but you really can't assess that until Y is out there in the real world facing actual field-use complexities. This situation is no different.

    Blue
     
  5. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    At DSLR my post simply got deleted. "deleted by moderator". Nice to know that they don't care about my opinion. Time to cancel my DSLR membership.
     
  6. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Yikes, I am sure all us paranoid posters here at Wilder's care very much about your opinion!

    Of course, thank the god of your choice for the super moderators here when things get a little out of hand. :eek: (I sure wish they had a kiss-axx smiley)

    Mike
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    So in effect one person is creating a couple of documents daily. "Millions" adds more hype.
    Sandboxing/Virtualisation has replaced an AV here!
     
  8. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Sandboxing doesn't really fix much. Even though your Firefox is running in a separate space, it can still screw up your entire bookmarks base (for me, this would be a major catastrophe), so you still need backups everywhere.
    So in the end you haven't done much...
     
  9. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    PoC? (Proof of Concept)

    Mike
     
  10. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Nope, it doesn't. Guess how many people are working worldwide in an office and writing documents/sheets? Did you know that even *OPENING* a Word document makes changes without anything having been typed in? In case you didn't, you know now.

    You cannot expect normal, ordinary users (that's what we are speaking about) to work in a virtual environment. That simply doesn't work! Half of them don't even know what it means, and even if they did they would not understand how to use it in a proper way without losing all the data they really need.

    And we are speaking about "stupid" whitelisting and not about virtual machines.
     
  11. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Good to know! I tried that with my wife too since I got sick of cleaning her machine every week. Guess what? She refuses now to use that machine and jumps for my laptop!
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Stupid question alert.

    If it's about Office documents, wouldn't simply whitelisting the macros be enough?
     
  13. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Any way to sneak PowerShadow as the default boot on her machine and your laptop so she does not see the difference? :D

    Mike
     
  14. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Macros yes, but how about exploits? ;) Besides, most of the (real) office documents contain macros. Even if it's only to automate office contact data and the like.
     
  15. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Folks, you should keep in mind that not everyone is willing to learn additional things. For most users the computer is just daily work equipment!
    That they use the internet for searching something doesn't mean that they spend hours improving their computer software setup and learning how to use it!
    Just walk out on the street and ask a few women how many can fix an engine problem in their cars. You know the answer when they ask "What's an engine?"
    Still they are driving cars. You don't need to be a mechanic to do so. You have the god-given right (I mean the "other god" ;) ) to use something without being an expert, or even without having to learn more things than really needed. Because if it were the case that everyone knew exactly what's going on, we wouldn't even need a virtual system! Or AV software or a firewall - you name it.
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Exploits wouldn't require whitelisting, I think. Their end aim is to download and execute code, and whitelisting works against that very well.

    Or am I missing something here?
     
  17. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Yes you do. Because in that way you would have to whitelist *EVERY* document, regardless of whether it contains macros or not! Remember: with whitelisting you do the opposite of what AV does: you have to state that a document is CLEAN. You can only do that if you KNOW the document and SAW it. AV states that something is infected BECAUSE WE SAW the virus and we KNOW it's in there.
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Another silly question.

    Why would we need to whitelist macro-less documents? Is there some kind of hostile exploit in Office that does bad stuff even without macros? Obviously if something is going to do no harm, you leave it alone (plaintext documents come to mind...).

    I've been an OpenOffice user for almost 2 years, so I'm pretty out of touch with MS Office.
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Sandboxie and PS are on my three daughters' computers and yep, not a single infection in months. They did ring every now and then for some instructions at first.

    The odd online AV scan confirms.

    They love those apps and say they are the best. And guess what, I agree with them. ;)
     
  20. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    We can also continue with JPG pictures if you like.... Please tell me how the hell you will detect, for example, "jpg" exploits with only whitelisting? Or... maybe in 2 years a jpg2009 exploit? You have the following options:

    Option 1: ALL JPG PICTURES (of course including porn pictures - I can imagine that would be a nice job profile, something like "Reverse Engineer Porn Pictures") would have to be whitelisted.

    Option 2: You add something that detects the exploit itself - THEN YOU ARE ALREADY AN AV-"SOLUTION"! Since you're looking for "bad" code (blacklisted).
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well...

    The way I see it, you leave the jpgs alone, ignore them entirely, and focus on whacking dead whatever the jpgs try to download. Because in the end it's not the jpgs that are going to do anything bad to your system, it's what they download that will.

    When a blacklist scanner is concerned obviously the better strategy is to try to kill the jpg. For whitelists I think the opposite applies.
     
  22. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Do you actually know what an exploit is? Seems not. You can basically do *EVERY* thing and not only download and execute files! For instance just crashing the system by previewing a picture. Would you call that "nice"? At least I don't. Because you can lose all your work in the background.
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I see. Thanks for the explanation.
     
  24. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    To give an overview of the problems with only whitelisting:

    * Much more stuff to whitelist than to blacklist (Remember: the problem for the AV is the workload! How will they manage to whitelist even much more?!)

    * The problem with "these files we can ignore": You always have to expect that a specific file format gets exploitable! What will you do then? Start whitelisting when you have a problem?! Then you notice you'll have to whitelist millions of things?! (for instance pictures...) As AV you just have to make sure that you scan this file format and that you detect this maybe ONLY ONE(!) exploit. That takes maybe 1 day and then you protect successfully against this exploit. Guess how long it will take to whitelist everything so that you can tell that something doesn't contain the exploit? Years?

    * The "already whitelisted" problem: When a problem occurs later that applies to already whitelisted things, then what?! As AV we just add a detection and we don't care about "older versions of types" because we simply detect it in them. As a whitelist you would have to verify the whole archive again, searching for this "problem" (exploit comes to mind). I don't think users will be very happy with the response times...

    Conclusion: As I said before, it is a nice "addition" to existing AV software. But it NEVER EVER solves all problems without AV in a real world environment. (What you tell your investors as a whitelist company is however another story...)
     
    Last edited: Jun 10, 2007
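The trade-offs listed in the post above (and the earlier exchange in posts 16 and 17 about exploits in documents that carry no macros) can be shown in a small policy model: a hash allowlist ("whitelist") beside a pattern-based detector ("blacklist"). This is an added example, not code from the thread or from any product mentioned in it. Everything in it is constructed for illustration: the sample files are a few bytes with a JPEG start-of-image marker, and the "exploit" is a hypothetical byte pattern standing in for a malformed marker segment, not a real JPEG vulnerability or a real AV signature. It shows the "already whitelisted" problem (a file admitted on day 0 is still admitted by the allowlist on day 1, while one added detection blocks it), the re-verification cost (every admitted file must be rescanned, and the rescan itself needs a detector), and the workload asymmetry for a never-seen clean file.

```python
import hashlib

# Constructed sample files (name -> bytes). JPEG files begin with FF D8 FF; the
# rest of each body is placeholder text, not image data.
JPEG_SOI = b"\xff\xd8\xff"

# Hypothetical pattern standing in for a malformed JPEG marker segment. This is
# NOT a real exploit or a real AV signature; it is invented for this example.
HYPOTHETICAL_EXPLOIT_PATTERN = b"\xff\xfe\x00\x00BAD"

CORPUS = {
    "holiday1.jpg": JPEG_SOI + b"\xe0 holiday photo bytes",
    "holiday2.jpg": JPEG_SOI + b"\xe0 another photo",
    "crafted.jpg": JPEG_SOI + b"\xe0" + HYPOTHETICAL_EXPLOIT_PATTERN + b" payload",
    "notes.doc": b"\xd0\xcf\x11\xe0 meeting notes, no macros",
}
NEW_CLEAN_FILE = JPEG_SOI + b"\xe0 photo nobody has seen before"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Allowlist:
    """Whitelist: admit only files whose hash was previously verified clean."""

    def __init__(self):
        self.hashes = {}  # sha256 hex -> file name

    def add(self, name, data):
        self.hashes[sha256_hex(data)] = name

    def decision(self, data):
        return "allow" if sha256_hex(data) in self.hashes else "block"

    def reverify(self, known_files, detector):
        """After a new exploit becomes known, every admitted file has to be
        re-examined. Returns (files examined, names revoked). Note the detector
        parameter: to revoke entries you need something that recognises the bad
        content, i.e. a blacklist detection (the 'then you are already an AV'
        point from the thread)."""
        revoked = []
        for name, data in known_files.items():
            if detector(data) != "allow":
                del self.hashes[sha256_hex(data)]
                revoked.append(name)
        return len(known_files), revoked


class Blacklist:
    """AV-style detection: block content matching a known-bad pattern."""

    def __init__(self):
        self.signatures = {}  # detection name -> byte pattern

    def add_signature(self, name, pattern):
        self.signatures[name] = pattern

    def decision(self, data):
        for name, pattern in self.signatures.items():
            if pattern in data:
                return "block:" + name
        return "allow"


def run_scenario():
    allow, black = Allowlist(), Blacklist()

    # Day 0: the whole corpus is "known" and gets whitelisted. crafted.jpg is
    # admitted too, because nobody knows about the exploit yet.
    for name, data in CORPUS.items():
        allow.add(name, data)
    day0_crafted = allow.decision(CORPUS["crafted.jpg"])

    # Day 1: the exploit becomes known. The AV side adds ONE signature; the
    # allowlist is unchanged and still admits the crafted file.
    black.add_signature("jpg.marker.hypothetical", HYPOTHETICAL_EXPLOIT_PATTERN)
    day1 = {n: (allow.decision(d), black.decision(d)) for n, d in CORPUS.items()}

    # Whitelist-only remediation: rescan every admitted file with the new detector.
    examined, revoked = allow.reverify(CORPUS, black.decision)

    # A never-seen clean file: the whitelist must verify it first, the
    # blacklist admits it immediately because it matches no detection.
    new_file = (allow.decision(NEW_CLEAN_FILE), black.decision(NEW_CLEAN_FILE))

    return {
        "day0_allowlist_crafted": day0_crafted,
        "day1_allowlist_crafted": day1["crafted.jpg"][0],
        "day1_blacklist_crafted": day1["crafted.jpg"][1],
        "signatures_added": len(black.signatures),
        "allowlist_entries_day0": len(CORPUS),
        "files_reexamined": examined,
        "revoked": revoked,
        "new_clean_file": new_file,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The numbers are the point: the detector side grows by one entry per exploit and applies to every file of that type, seen or unseen, while the allowlist side grows with the corpus and, on day 1, has to touch every entry it already holds before it can revoke the one bad one.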
  25. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639