Antivirus is DEAD!

Discussion in 'other anti-virus software' started by farmerlee, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    I agree that doing nothing is not helping either. But on the other side of the coin, the majority of computer users have other occupations: doctors, nurses, cops, contractors, lawyers, sales people, raising children and maintaining a household, etc. The last thing most of them want to do is come home and have MORE to do, i.e. learning how to secure their computer; they just want to use it, so security solutions need to be as simple as possible for the masses. Or at least that's my opinion. I have neither the time nor the energy to delve into designing anti-malware/security programs for my computer. Do I realize the need for such things? Of course I do, or chances are I wouldn't be here.

    My own view is that a whitelisting approach, while good in theory, is impractical in implementation; to do it accurately would require even more work than the current solutions already require. All that would be accomplished would be to say that the list was clean at the time of its creation. There is no assurance that it is currently clean, as a site may have become compromised and its files are now infected, so basically every document/picture/program or whatever would need to be checked and verified EVERY TIME the list is put out, and its veracity would not be assured for any long period of time.
     
  2. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    Yes, and people that own televisions/monitors should have an oscilloscope, and be able to diagnose CRT problems.
    Homeowners should all be well versed in plumbing, electrical and carpentry skills.
    Own a car? You should be able to rebuild your transmission.
    Please.
    The computer is a tool, like a toaster oven or a coffee maker. Most users don't need/want to understand its inner workings; they just want it to work (just as IC's wife).
    I use my puter's programs in my business to make money.
    Not ONE of my many security apps has ever made me a cent.

    (Apologies being OT here)
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    While we are still at least relating to the topic, we have drifted from a technical discussion to a more philosophical angle. I apologize for the distracting sideline.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Mrkvonic's suggestion applied to using a computer, not owning it.

    To get a driver's license, you need to pass a written and a behind-the-wheel test. Similarly, to get a "computer license" you should pass some test. It would probably deal with internet security, not the hardware itself.
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Yes, but the test for a driver's license relates to being able to operate a vehicle. What to do when it breaks, or even how to maintain it, is not covered. The rules of the road are all that is required. People are doing the same, just using/operating a computer; getting a driver's license does nothing to even educate you about the need to get an alarm system, or how to change the oil or a tire. So to me, the comparison is weak at best.
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    A few comments

    I like Blue's posting (reply # 29).

    I agree with Mike (IC).

    AV's are NOT dead !

    Is white/black listing new? No.
    For example in RegRun you can use it for a long time now (application database).
    No, I am not saying it is perfect !

    As Rich already mentioned elsewhere:
    You might already use some white/black listing for quite some time in some way.
    How?
    Well, in your software firewall.
    (Program X is allowed by you to have certain outbound traffic; program Y not; etc.).
    (I'd better not start again about the importance of safe storing of MD5 checksums of those programs).

    Vesselin mentioned integrity checkers.

    Years ago the file-integrity-checker NISFileCheck was made by Albert based on ideas from Joseph. (Thanks again Paul for giving us here its (now archived) dedicated forum).
    There are/were other file-integrity-checkers (ADinf32 comes to mind or FileChecker from Javacool, etc.).

    Why do I mention your software firewall and file-integrity-checkers?
    Somehow you might look at the way they work, as white/black listing.
    But: the moment they warn you about any change (be it a changed file, new added file or deleted file) you have to take a closer look at that file.
    We always have warned about that: it is you, the user, who has to decide whether such a change is legitimate or not.
    And it is at that moment that AV's (and AT's etc) come into play. And if you are completely unsure about it, check that file as much as you can, etc.
    Even Wayne agreed once here about ProcessGuard when I posted the analogy with file-integrity-checkers: it is you the user who has to decide about a change/warning.

    myNetWatchman and Philip Sloss made SecCheck a few years ago:
    http://www.mynetwatchman.com/tools/sc/
    At the early stage of their project both Joseph and I warned that lots of details have to be considered (like, for example, language versions of files, OS versions, etc.).

    Well, I know, lots of things I have said here might now be outdated; I do know that very well. And I know that it might be a little off topic. It was only to give a slightly different look at the history here.

    I don't consider AV's as dead.
    Time will tell what the future will bring.
     
  7. Doc Serenity

    Doc Serenity Registered Member

    Joined:
    Apr 4, 2007
    Posts:
    105
    I agree.
    But whether I choose to learn about pc security or not, the programs that are sold need to be kept easy to use and set up. And even in their easiest to use mode, we should be able to maximize the level of protection.
    As an example, my av comes out of the box with an 'acceptable' medium setting for the novice.
    To get maximum protection requires fiddling around with a bunch of different settings.
    I was able to do it. But it would have been better to be able to set it to max and then if I'm so inclined, fine tune everything.
    I hope more companies look into this.
    Regards.
    Doc
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Rmus,

    The point Inspector Clouseau was trying to make: WHAT IF THOSE FILES WERE REAL GIF OR DOCUMENT FILES, not executable files with a fake extension?

    How does whitelisting work against them?

    While I have not seen what malicious actions such files may do other than downloading and executing code, whitelisting is clearly impractical in this case, against this type of file format, if what they say is true. Would you mind explaining how you expect to default-deny image files in this case?
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I give up :D :D
    A quick recap:
    - Most executables are identified by the MZ header, usually at the beginning of the file.
    - Encrypted executables and files containing shellcode can not be identified without a Ph.D. in assembler ;)

    Spurs 2 - Cavaliers 0. Go Ginóbili and Oberto :D
     
  10. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Executable code or shell code in general does not have anything to do with MZ or PE headers or any other file type, for that matter. It's simply assembly instructions in binary form, which even in the form of directly executable files may have some header data (EXE, ELF, etc.) or not (COM files...).

    Shell code is simply a blob of data that can be interpreted as valid instructions (or sometimes even undocumented invalid instructions that don't happen to crash the CPU), with all the issues that entails: encryption or trash code which can make it extra hard to spot, since even to the assembly-affine the bytecode may not look like valid code at first glance.

    Rmus: you need to dig deeper into exploits if you want to understand the point bontchev and IC are trying to make. There is no need for a downloaded file; there is no need for an extra execution of any executable. The exploit can simply take over control within the exploited process, whether it's your Internet Explorer, your Winamp or your Office. They could do so by creating new threads, or simply by not returning control to the affected application. Your examples are something entirely different: an exploit had a downloader shellcode that happened to download an executable file with a fake extension (GIF/JPG). That has nothing whatsoever to do with a real JPG, PNG or GIF exploit.

    Also keep in mind that shellcode doesn't have to be complicated to do real damage. The code to download a file is not less complex than what would be required to delete your My Documents Folder, or to search your PC for banking data and send it to a server. Or it doesn't download anything at all and simply uses already whitelisted standard applications to do all the dirty work, like FTPing your My Documents folder to some webserver on the net, or starting some distributed denial of service using multiple instances of the certainly whitelisted ping command.
     
    Last edited: Jun 11, 2007
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello FRug,

    I am aware of this, and I did make a statement about shell code in Word and wmf, and the example someone created to show how it could work. However, as I mentioned, no real-world exploits surfaced at that time.

    I did mention that in my academic environment, both white list protection (for the examples I gave) and black list (AV) are used. Whether any such exploit as you mention would be caught or not by AV would have to be proven when a real exploit surfaces. Regarding common exploits, I have shown that White List protection has blocked where AV did not.

    Having said that: I have decided to wave the white flag in this discussion with the Inspector and bontchev.

    White Listing encompasses many things, and they are looking at the bigger picture with all its complications, and so they are correct. I am focusing on a very narrow use of White List protection: Default-Deny of running unauthorized executables, which is very relevant to home|education environments, so I stand by my assertion of its effectiveness.

    regards,

    -rich
     
    Last edited: Jun 11, 2007
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, solcroft,

    The product I use, Anti-Executable, analyzes code samples in a file. If it detects binary executable code, it blocks, if the file is not on the White List.

    As I mentioned in a previous post, exploiting image files was discussed on another forum, and I never saw any real-world exploit using this technique.

    If the image file contained binary code, AE would block it. If not, it wouldn't, and you would hope your AV catches it.

    I will wait to see a real-world working example.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: Jun 11, 2007
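    As an added illustration (example code written for this thread, not Anti-Executable's code or any poster's) of the point FRug and Rmus make above: a default-deny check keyed on the file's actual header rather than its extension blocks an MZ/PE file renamed to .gif or .jpg, but necessarily allows a genuine JPEG, which is why a parser exploit inside a real image falls outside what such a check can see. Whitelist entries are SHA-256 digests, and every sample byte string below is constructed.

```python
"""Default-deny for executable content, judged by header bytes, not extension."""
import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes; the extension is never consulted."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the 'PE\0\0' signature
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-dos"        # DOS stub only, still executable
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return "unknown"


def decide(name: str, data: bytes, whitelist: set) -> tuple:
    """Return (verdict, reason). Whitelisted hashes are always allowed."""
    if sha256_hex(data) in whitelist:
        return ("allow", "on whitelist")
    kind = sniff_type(data)
    if kind in ("pe", "mz-dos"):
        # The fake-extension case: photo.jpg that is really an EXE
        return ("block", f"executable header ({kind}) in {name}")
    # A real image passes here; an exploit in its parser is invisible to this check
    return ("allow", f"no executable header ({kind})")


# Constructed samples: headers only, no real program content.
def fake_pe() -> bytes:
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> right after DOS header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    wl = {sha256_hex(GIF)}   # logo.gif was approved by the user earlier
    for fname, blob in [("photo.jpg", fake_pe()), ("logo.gif", GIF), ("cat.jpeg", JPEG)]:
        print(fname, decide(fname, blob, wl))
```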
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Hello,

    If the claims in this thread are true, then that means exploits that bypass AE certainly do exist. Perhaps you've been lucky enough to not run across them.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, of course they do! AE does not analyze scripts, for example. People concerned about that will employ other means.

    I've done nothing more than show how AE using a White List effectively blocks attempts to download|install any file that has executable code. That is its sole purpose in life, nothing more. These comprise the majority of the exploits people are likely to encounter.

    Those concerned about other types of exploits will use other preventative measures.

    Well, I've never had an infection, and I don't attribute it to luck.

    regards,

    -rich
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Hi guys,
    I don't want a whitelist of objects of any existing legitimate software; that is only possible in theory, not in practice.
    I only want a whitelist of objects of legitimate software on MY computer, and I mean ANY object: files, registry, ...

    Once the whitelist is created, any unauthorized object is REFUSED IMMEDIATELY (not on reboot) and what is not installed, can't be executed and doesn't need to be removed either.
    Faronics Anti-Executable already works that way, unfortunately only for unauthorized executable objects.
    I want an Anti-Malware that blocks ANY unauthorized object immediately, not just executable objects.
    Faronics' idea was brilliant, they just didn't think far enough.

    Blocking objects doesn't mean you have to bombard the user with numerous popups, this can be done in absolute silence. If users want to see these popups, they only have to change a setting to see them.

    Does that cover everything? Probably not, so what? When something doesn't cover everything, you create another security software that covers the rest. :)
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Rmus,

    What you have said so far is very well-understood by the rest of us already, no point reiterating what's already known. What you have yet to explain is how whitelisting protects you from jpg exploits that do NOT involve executable code.
     
  17. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Now just give this guy some peace. He already raised the white flag. I think he understood what we (Bontchev and me) were trying to explain to him.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Bonjour, Inspector,

    Yes, you were looking at White Listing as the sole solution, and I was considering just a specific use of the principle.

    Speaking only for AE, which is my only White List software, there is nothing to explain - I would not be concerned with that scenario because AE doesn't deal with it. White Listing would not be my solution for it.

    When a real-world exploit shows up, then there will be something to consider: method of delivery, for example. Then, preventative measures can be taken.


    regards,

    -rich
     
  19. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    :D That reminds me of the part when Frank (Jason Statham) in the movie TT2 said: "Oh no, he's not a friend, he's French." :D

    The real problem boils down to "user education". And for that to be possible (successfully), the users must be willing to understand and to do something. (I don't want to sound too pessimistic, but that's not gonna happen.)

    The next problem is how exactly will you "perform" user education? In a classroom? Online via PHP forms? In a forum? Via email? In case you pick email, the next moron has the idea to create a real worm that will send itself as "Lesson Number 12: How to prevent Internet worms from spreading" BEFORE YOU REACH THAT CHAPTER in your lessons.
     
  20. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Does an AV need a sig to detect as such, and are there zero-day exploits?

    Would such a jpg exploit cause probs from within a sandbox?

     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AFAIK an exploit takes advantage of a legitimate executable to do its evil job. So there must be another evil object to make that possible and such evil object can be stopped also as an unauthorized object.
    AE is limited to unauthorized EXECUTABLE objects, that's not good enough. AE should block any unauthorized object in the system partition (Windows + Applications).
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I considered that a non-issue because

    And I was not using any of the other affected MS software.



    regards,

    -rich

     
  23. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    That confirms you also have no idea how exploits work. YOU DON'T NEED *ANY* executable for an exploit!

    The exploit "sleeps", for example, in a JPG picture. Now if you display this jpg picture via preview on the Windows desktop (via opening a folder, where Windows creates a preview, for example), the exploit already starts! And this exploit DOESN'T NEED TO LOAD ANY OTHER EXECUTABLES! It simply runs already in memory! It can just format your hard drive without you having any chance to prevent this, other than turning your machine off the nanosecond before it starts this.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Actually, I've found that many *are* willing. Often they are embarrassed to say anything about their computing problems, or just don't know what to ask.

    There certainly are many possibilities.

    The small group I work with prefers to go to people's homes. We do this normally on weekends, and during the week by email. Granted, we find people we know through our own socializing, so it is a harmonious working environment.


    regards,

    -rich

     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I admit I'm not an expert. If those exploits can't be stopped in any possible way, you have to accept them until you find a way to stop them.
    Are there so many existing exploits that they are a constant problem, or are we talking about a minority of infections?
     