How many viruses are made by anti-virus companies?

i too have wondered whether pure safe-hex is in it's twilight hours.

all good points but those things do help. there won't ever be anything that makes the situation perfect but there are plenty of things that make the situation better.

yes, but there is also a potentially infinite number of legitimate programs too. what's more, the legitimate programs outnumber the malicious ones and grow at a faster rate - in large part due to there being more legitimate programmers than malware programmers.

the latest trend is to not put the virus definitions on the client computers but rather in the cloud so that size and frequency of update is a non-issue.

technically it has always been impossible. at no point in history has any collection of technologies and/or techniques been able to provide perfect protection. it was never if the bad guys get through, it was always when, and as things get tougher and the threat scales up the "when" becomes sooner and sooner.

and here we go - please stop listening to marketing. they were never a solution, there are no solutions, those are just tools that can help. if you don't stop listening to marketing you will continue to be let down and disappointed (and even pissed off) by the reality of what security can really do. it's not a good feeling. it will make you angry and bitter and resentful. you'll make emotional decisions in reaction to the late discovery that you were being lied to instead of rational decisions while seeing through the lies all along.

once you stop listening to marketing, the fact that marketing is lying won't matter anymore.

there are already moves in this direction - notably those like chrome-os that move the normal user experience into the cloud. unfortunately few people understand how malware will change with such a paradigm shift.

even if chrome-os never goes mainstream, malware is gradually moving to the cloud anyways as OSes incorporate tougher security. not because the OSes become impenetrable but because there are lower hanging fruit online.

designing things while having security in mind wouldn't offer much of a solution. the general purpose computing platform is fundamentally vulnerable to malware at even the most theoretical level. special purpose systems that implement fixed first order functionality would eliminate malware but merely as a byproduct of eliminating the entire concept of software and leaving us with computing devices not much different than a cheap hand-held calculator.

ok, now that seems odd. i can't imagine a single proponent of user education who would actually call it a "solution". "solution" is one of those words that's generally reserved for something you can sell, something that's supposed to be an easy fix. no one in their right mind would think user education is a) sell-able, or b) an easy fix. user education is something that can help, nothing more.

just like most students aren't really interested in school. they go because they have to. there are relatively few opportunities where you can force users to learn. most of the time you can't, so you need to utilize other models of knowledge transfer.

and they're done with a security guy like you. security doesn't have to be an inhibiting influence. there isn't any action that can't be done in a safer way, including installing games and screensavers. security education should aim to transform the way people use computers, not set up commandments about what one shall and shall not do. true security users don't endlessly follow simple scripted security procedures, they think and analyze and continuously evolve the way they use computers in order to avoid risks in an ever changing world.

whether you give a man a fish or teach him to fish, he winds up with a fish at the end, but the latter option makes him more self-reliant and better able to master his own fate.

no, the problem with user education is that we have a terrible model of what education is.

 

Far too many people. Not long ago a site visitor complained that a plugin that they downloaded from a client's site was infected, according to their antivirus software which was the best and most reputable of all AV programs. Our research proved that the AV was giving a false report due to that fact that it didn't know better, and what it didn't recognize was a new compression algorithm used in the installer. That installer maker is used by hundreds of developers world wide and it collectively took several months of pounding the error into the AV support team before the error was fixed.

Anyways, getting back to the user that complained... after being told that their AV was giving a false report the user went on a rampage because they were offended that their "best AV" had been slighted, to the point of posting complaints on many forums about shonky software being distributed with a virus.