[Google Chrome] 99% interesting extension

Discussion in 'other software & services' started by m00nbl00d, Dec 11, 2012.

Thread Status:
Not open for further replies.
  1. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Looks like you are relying on security through psychological expectation. LOL

    An attack can also involve social engineering to make grandma download and install something that isn't installed.

    Firefox and IE were just examples. Any other software that faces the internet can be a vector. You'll have to constantly update your EMET config to add or remove what she uses atm. And you'll have to pray that social engineering won't make her download and install something that MSE can't detect with its poor detection rates. Or that social engineering won't make her ignore and bypass the SmartScreen warning.

    2 mouse clicks = silent mode enabled (= everything is done automatically)
    some more clicks in the settings = password protected, hidden tray icon, etc. (= grandma can't disable it)
    Done.

    When I say automatic, I say from the perspective of the user. A suite downloading and installing updates in the background doesn't require user intervention and is, therefore, automatic.


    Improvements against FPs seem to be again a priority going from posts and comments on their forums. I expect better results in the future. Anyways, that number is still too low to reflect in considerably bad experience for grandma. She won't likely face all those 57 (already fixed, btw) FPs. Also, FPs tend to happen with installers of unpopular software, not docs and other kinds of attachments that grandma is more likely to download. Heck, grandma isn't a geek testing new software every day, she will hardly face a FP!

    Finally, what products and companies were tested on that sophail v2 report that you are talking about? I'll read it later on.
     
    Last edited: Dec 13, 2012
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    In which case MSE has decent detection. 0day detection is somewhat lame, but about 50-60% according to av-test. Haven't checked av-comparatives but I'd expect it to be similar if not somewhat higher.

    All.XML contains pretty much every vector that any user will be likely to come across. It's trivial to set EMET up with variables to avoid issues with updating.

    Social engineering is one reason I'd prefer MS.

    Social engineering is all about trust. Do you trust your AV or do you trust the attacker.

    Ask yourself - in a situation where you believe a file to be legitimate and your AV says it isn't, are you more likely to believe the AV that has never given a false positive before? Or are you more likely to believe the AV that has a significantly higher FP rate?

    This is, essentially, exactly why I consider FP rates to be nearly as important as detection.

    I'm not as optimistic that AVs will improve. Those 57 mean absolutely nothing by themselves - whether they're fixed or not is irrelevant. It's an indication that FPs happen much more often with that software than with MSE.

    If we compare Norton to MSE purely in terms of protection Norton wins. But if you take into consideration other factors like complexity, user fatigue, etc. it's really simple to see why a user might choose a far simpler AV.

    Sophos antivirus. It's just a really in depth approach. There are many articles about many products showing AVs being detrimental to security.

    edit: Got my VM set up. Testing products now. A quick look at Defender on MSE and all files are ASLR/DEP enabled.
     
    Last edited: Dec 13, 2012
  3. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I don't think 50-60% is decent. It's poor. Plus, Microsoft doesn't need to improve MSE at the same rate other dedicated companies have to improve their products. Simply because MSE isn't essential for Microsoft's business. They seem to need to spend much less resources at it. This doesn't inspire confidence.

    Another point to take into consideration is that these restrictions placed by EMET often break apps (some won't function normally) because they aren't really ready for them. An app that can't do what its devs planned for it and what its users expect from it = useless. And we have several reports of this here at Wilders.

    Grandma is one example of a user that should trust the AV (a reputable one, like Norton) in such case (and she won't have a choice, if you password-protect it and make it silent/"hidden").

    Because, as I already told, its FPs tend to happen with a very small percentage of a class of things (installers of unpopular software) that she will rarely download.


    Those other factors are irrelevant or don't usually affect grandma. Norton is a very decent performer when it comes to performance (the suite is among the lightest ones according to PCMAG). Complexity is irrelevant as long as it doesn't translate into issues. User fatigue should not happen with grandma when the security suite is silent and its somewhat rare FPs happen with a very small percentage of a class of things (installers of unpopular software) that she will rarely download.

    Anyways, I think these articles are showing AVs as detrimental to a specific kind of security. Not overall security.
     
    Last edited: Dec 13, 2012
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I disagree. Microsoft's success hinges greatly on perceived Windows security just like any AV company.

    1) An application running with EMET isn't restricted. It's made secure through ASLR/DEP/etc.
    2) All.XML disables mitigation techniques where there are incompatibilities.

    If she doesn't trust her AV a password will do nothing but annoy her.

    Who's to say what a user will or will not download? AFAIK plenty of users download installers, just as many users download fake installers.

    Complexity is definitely not irrelevant, as I'll be showing soon. Based on what I've already seen the more complex software is the more areas for attack, I'll post full results sometime tomorrow hopefully.

    I don't think it can really be called "silent" based on FP reports we've seen. Silent for you is not silent for everyone.

    I think it's the opposite. I think AVs are only decent for specific types of security - detecting malware that comes from a family that has previously been analyzed. Overall, if you take into account many other factors they can be detrimental.

    But, again, the point is not "MSE is better than Norton". The point is "MSE has lower false positives and better performance than Norton, it's less complex." (I've already looked at defender and all executable files have DEP/ASLR enabled, more than I can say for a few others, but I haven't done Norton yet).

    So you can weigh those MSE benefits against Norton's benefits (higher 0day detection). But of course I originally posted MSE + EMET, so it's really comparing the benefits of a setup like MSE + EMET vs a setup of Norton. In my opinion MSE + EMET is a better option.
     
  5. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Reputable AV companies have much more to lose if they offer inferior protection. Because "protection" is basically all they sell.

    Ok I meant to say "mitigations". Whatever.

    Are you keeping track of every report? Or better yet, can you?

    She won't even know an AV is there as long as you change some settings.

    Sorry. I just can't see a grandma downloading plenty of installers to the point a rare FP will annoy her.

    Let's see.

    Grandma doesn't see the FP when the silent mode is ON. She will simply have to move on in the rare event of a detection and removal of a FP happening in the background. And that's fine, because at the end of the day, we need to remember that FPs are still rare events that happen with some unpopular installers.

    Do you think that the analyses will somewhat "stop" at some point? Why?

    And much much more often, they can be very beneficial.

    MSE offers much less protection and can annoy grandma much more than a (configured to be) silent and hidden Norton 360. Unless you configure MSE together with a restricted standard Windows account, which will annoy grandma in other ways lol.

    Another point to take into consideration, MSE fails in the repair and disinfection aspect too. Consider that a malware sample gets past MSE today, and tomorrow an updated definition makes MSE start to detect it. MSE is much worse at repairing already done damage and disinfecting than Norton. From the tests, MSE is unlikely to fully remove all the traces of a threat and undo its actions.

    Let's not forget that you can use Norton + EMET, although I tend to think it would be superfluous and maybe bring unnecessary issues.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    True. I just don't think it's important to note that security is critical to their sales.

    Microsoft is. They provide All.XML.

    Not sure what you mean.

    How? I've shown reports that MSE at default settings has virtually no FP.

    What you're talking about, "Silence" can only mean two things.

    1) You're disabling or 'lowering' features, which will degrade protection.
    2) You're having the AV make decisions.

    2) is not silence. (2) is really damn annoying when you run across a file that won't run and it turns out it's your AV blocking it without telling you - oh, and then it's password protected.

    The only thing worse than an AV popping up and asking for a decision is an AV not popping up and making the wrong decision.

    I don't see why you would need to do this.

    Yes you can.

    The discussion started based on you saying a suite would be simpler. I said I'd rather just use MSE + EMET + Chrome. In my mind this discussion is MSE + EMET vs Norton, but it could just as easily be MSE vs Norton.

    There are pitfalls to using suites with all of these features. There are pitfalls to using programs that prioritize 0day detection over all else. That's what I'm trying to get across here.

    I've already seen one program that directly interferes with browser security by trying to protect the browser. Defender/MSE was the first I tested - all executable files are DEP/ASLR enabled.

    Testing Norton 360 now.
    edit: I can't test Norton. They're asking for CC info just to use the free trial. Moving on to Mcafee...
     
    Last edited: Dec 13, 2012
  7. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, it does.

    I'll download the Norton 360 trial and test it next.
     
  9. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    It's important to note because that means they will use all the resources they can to offer a better solution than what Microsoft offers by default. This is only logical.

    From Microsoft:

    "Are there any risks to using EMET?

    The security mitigation technologies that EMET uses carry an application compatibility risk with them. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem with a specific mitigation, you can individually enable and disable the specific mitigations. For more information, refer to the user's guide that is installed with EMET."

    What I mean is that AVs won't stop being effective anytime soon. They invest too much in those analyses, and they implement various, multiple types of analyses.

    But most of the times, the AV will make the right decisions. And we are talking about installing it for grandma. She really can benefit from a powerful collective intelligence always improved by specialists making decisions for her.


    To prevent grandma from circumventing MSE, of course.

    I know there are pitfalls. But for grandma, I think they really matter much less than what she can gain with it.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Like I said, the All.XML comes with a list of programs that Microsoft tested. If you're deploying it with other settings it should be tested.

    I don't think they're particularly effective at securing systems.

    You realize a password is useless if she's got admin, right? The official uninstaller might ask for the password but I'd be very surprised if that wasn't very easy to get around. If it isn't I'm not sure if that's really a good thing - not being able to uninstall software... not good.

    Anyways, if the user is at the point where they're willing to uninstall their antivirus it's obvious that the battle is lost when it comes to AV. At that point something new is needed because when a user wants to run a file, and they want to run it badly enough to disable what's preventing it from running, you won't stop them from running it.

    Maybe so.
     
  11. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    This "it should be tested" is what scares me. I can't imagine what our hypothetical grandma will install.

    I think they're generally effective at securing systems.

    Yes, it's possible if she got admin. However, it involves complicated registry tweaks, download of uninstallers, typing default passwords, etc. It's a hacking job for the grandma: it isn't something the hypothetical grandma will likely accomplish with success!

    Let me emphasize the 2 scenarios where grandma may want to uninstall the security suite:

    1) You tend to think only about the possibility of grandma wanting to uninstall the security suite because of a FP irritating her. I already said why a FP is unlikely to ever affect her. This is a remote possibility.

    2) I'm actually worried about the possibility of grandma trying ways to circumvent the security suite because of a social engineering attack. However, by adding significant complexity to the necessary steps, I'm basically hoping the social engineering won't succeed. This is a likely possibility.
     
    Last edited: Dec 13, 2012
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Just an early note from what I've seen. Norton injects a non-ASLR executable file into Chrome.

    As I said, All.XML covers virtually every program that is likely to be exploited in the wild. It's trivial to set EMET up with more applications, and testing is not difficult.

    We disagree.

    I think you're attacking the problem (or rather, a password is) with the wrong approach.

    If the user is getting annoyed by the AV or believes the AV to be a pain locking them into it with a password and making it hard to remove is the wrong way to go about it. Actually addressing the annoying bits would be a far better solution.

    Passwords are only useful for enterprise environments where shitting on the users isn't just allowed, but encouraged.
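The DEP/ASLR check Hungry Man describes running over an AV's executables, as an added example that is not either poster's code: a Python parser that reads the DllCharacteristics flags from a PE optional header, reports which files lack ASLR (the case raised above for a non-ASLR module injected into Chrome) or DEP, and can walk an install directory. The sample images are constructed header-only stubs and the file and directory names are hypothetical.

```python
import struct
from pathlib import Path

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # PE/COFF: image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # PE/COFF: image declares DEP (NX) compatibility


def pe_mitigations(data: bytes) -> dict:
    """Report whether a PE image opts in to ASLR and DEP; ValueError if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew -> "PE\0\0" signature
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 4 + 16)  # SizeOfOptionalHeader in COFF hdr
    opt = pe_off + 24                                    # optional header follows 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # DllCharacteristics, same offset in both
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "pe32plus": magic == 0x20B,
    }


def report(name: str, data: bytes) -> str:
    m = pe_mitigations(data)
    return "%s: ASLR=%s DEP=%s" % (name, *("yes" if m[k] else "NO" for k in ("aslr", "dep")))


def scan_directory(root: str) -> list:
    """Run report() over every .exe/.dll under root (for example an AV install directory)."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.suffix.lower() in (".exe", ".dll") and p.is_file():
            try:
                out.append(report(str(p), p.read_bytes()))
            except ValueError as e:
                out.append("%s: skipped (%s)" % (p, e))
    return out


def build_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE stub used as a fixture here (not a real, loadable binary)."""
    magic, opt_size = (0x20B, 240) if pe32plus else (0x10B, 224)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed stand-ins for files under an install directory; 0x0100 alone = DEP but no ASLR.
    for name, chars, plus in (("hardened.dll", 0x0140, False), ("injected_legacy.dll", 0x0100, False),
                              ("x64_service.exe", 0x0160, True)):
        print(report(name, build_minimal_pe(chars, plus)))
```

Point scan_directory() at a real install directory to get the same per-file ASLR/DEP listing for actual binaries.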
     
  13. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    It involves a job, and more job = more stress. lol. I mean, you need to inspect the software in use by the grandma to make sure it's covered by the EMET All.XML. And you need to make sure there are no incompatibilities. That can take various minutes, if not hours.

    Effectively addressing the annoying bits for the grandma is not possible. You won't be there whenever she needs you. Basically, when you are there, you address the (unlikely) annoying bits. When you aren't, you let the password-protected and slightly tweaked security suite do its job, silently and relentlessly.

    Later on, you can always check the quarantine! :D
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Why? Like I said, common applications are already secure and with compatible configurations.

    Not with detection/ AV, no.
     
  15. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Because there are no guarantees she will only install common applications. At a minimum, one will have to periodically inspect the list of "Program and Features" (old Add/remove programs).
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Earlier I thought she wasn't the type to install uncommon applications, now she is?

    Regardless, securing them takes seconds.

    You can trade further compatibility issues by setting system wide policies. Setting DEP to "Opt Out" instead of "Opt In" is likely to have very few issues, especially with applications made in the last decade, but it will secure arbitrary programs.

    You can then set it to Always On, etc, but I don't have to explain how it works since you probably know.

    I don't see EMET as a tool that requires maintenance. Again, I see AVs as tools that require far more initial set up and maintenance, especially paid AVs, which will upgrade to new "2014" versions and require money spent in order to get the latest features.
     
  17. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    In the past. Nowadays, the updates include the upgrades and are automatic and made in the background as well. A subscription of 3 years, for example, will give free automatic updates (including the upgrades) for 3 years. A silent Norton 360 will automatically upgrade to the latest version when it's released. It will always have the latest features.

    At least, that's how things have been working for Norton, McAfee and a few others since a few years ago. That's what they started calling "software as a service" a few years ago.
     
  18. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    BTW, an AV (or security suite) offers a kind of essential protection for the grandma that EMET doesn't. This basically means that comparing their maintenance is meaningless, because grandma still needs an AV (or security suite), even with EMET.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes. That's why I've been talking about MSE.

    At this point it all seems like conjecture. In my opinion MSE + EMET is the better solution, and in yours Norton is the better solution.
     
  20. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    She wasn't the type to install uncommon applications everyday like some geeks. I mean she wasn't the type to install uncommon applications everyday with a frequency so high that possible FPs would be a statistically relevant issue.
     
  21. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Objectively speaking, Norton + EMET is the best solution among these, but it involves more job, so it is subjectively worse than only Norton, IMO.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would much prefer MSE + EMET over Norton, but I don't think either of us will change our minds, and at 4am my mind is already decayed.
     
  23. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    If anything this thread may make me finally experiment with EMET. I read a lot about it and I know how it works etc, but I never really tried it. Too lazy.. lol
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  25. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Much better layout than the white one btw :p
     