AV-Comparatives - Microsoft-prevalence-based analysis of the File Detection Tests

Discussion in 'other anti-virus software' started by SweX, Aug 10, 2014.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    At a guess, I'm going to say MSE probably doesn't need "special" drivers because Microsoft built the necessary features into Windows Vista/7/8, and created a userspace API for MSE to use. MSE would just be the userspace services that plug into existing kernel stuff... Again, just a guess.

    @vlk

    I think the problem here is that the userspace part of many AV engines tends to be compiled without much hardening (maybe to be compatible with WinXP?). I have heard of... let's see... one exploit (now patched) against an AV driver. (Actually the HIPS driver for a Norton endpoint product.) I'd imagine the drivers being a very small attack surface themselves, but the userspace service is a large potential target.

    @Hungry Man

    It seems to me the problem with ASLR in antivirus filter services is that the typical method by which compromise is prevented is to crash the compromised program immediately. If this happens to an AV userspace filter, the whole OS will probably go down.

    I wonder if anyone is writing their AV engines in stricter languages, like Ada or ML or something.
     
  2. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    But it's completely irrelevant for the topic here. Here the test is the topic and not features or missing features of MSE, or which product is better, because it has nothing to do with this test.


    btw.: SmartScreen "works" system wide since Win8 not only in IE, FileRep is no detection (it's a classification along reputation issues), Streaming updates are more a thing of old marketing (who needs that in the cloud age?) ... but stop, I won't jump into OT.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @Gullible Jones
    I don't think that guess is correct. Outside of event notifications and minifilter drivers most things will have to be done in userland, unless I'm misinterpreting what you're thinking.

    A DOS of a root program should be taken over a compromise. Even if that takes the system down, fine, that alerts the sysadmins to an active attacker.

    The way Grsecurity handles it is to DOS the whole system if it detects a root attack and to log the user out if it detects a userland attack. I think this is logical.

    Keep in mind that ASLR is just one aspect of all of this. Programmers do not program well. They are not taught how to write secure code. They often have no concept of how vulnerabilities work, or any real world experience. That is not their fault, stack overflows may be covered in a Data Structures course, but it's incredibly rare for a CS course to cover something like how to exploit it, how heap attacks work, etc. Programmers are not equipped to write secure code.

    Somehow, people delude themselves into thinking AV programmers know better. Yes, they may have an interest in security, so maybe they know more. But it is really just not the case that they will all be better, and even if they were they will often produce vulnerable code.

    Looking at their lack of ASLR is just a way to show this, as showing code quality is not possible.
     
  4. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    No, FileRep are quite accurate detections and not just a rough warning about low reputation, because they don't ask you if you trust the file or not and give you a choice, it flags it and quarantines it. Haven't had many false positives with that at all. There a

    As for the streaming updates, most AVs cache only a tiny part of signatures. avast! caches everything. So, signature detections are identical in online or offline mode. Some prefer this because they are often offline.

    SmartScreen works for everything in Win8, yes, but most users prefer to disable it. You know, MS spying and all...

    @Hungry Man
    I wouldn't say that applies to security software as well. After all, security experts are developing them... can't exactly compare that with some garage programmer who's doing it for a hobby or not security related at all.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I think you are. :) My guess was that the kernel components of MSE were integrated into Windows, so MSE packages would just ship the userspace stuff.

    Agreed, but my understanding is that GrSec would panic immediately; my suspicion is that things would be less predictable if the AV filter went down while talking to the kernel. Could be wrong though.

    I think it's less a matter of how programmers are taught, and more a matter of C and C++ not being fit programming languages for userspace. Despite all the machismo of C programmers, people make mistakes all the time, and languages like C are built on the assumption that the programmer won't. IMO this is about as realistic as a boss admonishing his workers not to get sick.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Have you looked at the Joxean Koret presentation? It's rather crude, but nonetheless quite enlightening.

    Re "security experts," see what I wrote above about C. Everyone thinks they're a Real Man and won't goof up with buffer lengths or memory allocation or pointers, and everyone goofs up anyway. Even an expert needs tools that are reliable.

    Edit: oh, mandatory disclaimer, I've only maintained one C program ever (and not very well at that). But seriously, look at Chromium. Google has dozens of ungodly expert C++ programmers working on it, and they're finding new vulnerabilities all the time.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @RejZoR
    That is *exactly* my point. They aren't security experts. They are programmers. There is nothing special about them.

    Yes, they will love you and hire you if you have security background. That doesn't mean they all have that background.

    Comparing them to other professional programmers is completely valid, that's the point.

    @Gullible Jones

    Well, it's both. If people used safe languages, education would matter less. If people all knew how to write safe code, safe languages would matter less. I suppose I take C/C++ for granted though, you are correct, they are significant factors.
     
  8. In the stone age when OO was a concept and C++ was not standardised yet, the security architecture also depended on the type of language we used

    C variants for specific devices
    Assembler for communication and data access layer
    Cobol with special pre-compilers only allowing call (to communication and data access) move do while and some basic calculation operations

    So I can well imagine a similar division in kernel and user level and web-based level. Microsoft's JavaScript sanitizing studies (Nozzle or something) have proven to filter out 95% of exploits, by just limiting the set of available instructions.

    I always thought Microsoft was heading towards this architecture with the MS platform (C# and VB.net) but that was too optimistic I guess

    I feel like Archie Bunker ranting against modern times, praising "those were the days". But I am typing this from a Win 8.1 netbook/tablet on holiday, also remembering that I had to go to post offices in those days to collect mail (on backpack holidays through Asia and Africa).
     