Is there hope for antivirus programs?

Thought provoking article over at TechRepublic -

http://blogs.techrepublic.com.com/security/?p=3360

Views?

 

They used to be the most important part of your security but no more. I use virtualization and imaging and only occassionally seek the opinion of an Antivirus.

 

Hey,

Thanks for pointing out that article, very interesting, indeed.
Makes me think that relying solely on AV protection for your computer no longer does the trick.


Regards,


Carlos

 

virtualization as in sandboxie or as in virtualbox/vmware/virtual pc? (though I know that sandboxie is not a true virtualization app)

 

maybe virtualization as in returnil/shadow defender etc

 

oops, my bad, not into these products, hence they did not occur to me immediately

 

I agree completely, but still they are the only tool available to identify malware if one cares to do so. HIPS in the article is the way to go as long as you block anything from executing (they won't tell you what's rogue or not, unless HIPS nowadays have in the cloud technology).

 

When actual runtime emulations and environments show up that hide their presence(unlike Sandboxie and Bufferzone and others) I think post-infection scenarios will be almost non-existent. Using some system of time delayed signing and the above mentioned IMO is perfection.

I guess sticking with designing AVs around signature sorting engines and static heuristics keeps AV companies in business with renewed license fees though. That design though is about as effective as inline DRM on commercial software, they actually both fall under the same design principle in a way. Both get defeated by garden variety crackers and programmers literally daily.

 

What about something like Appguard or Geswall?

 

I've been hearing about the demise of antivirus products for several years.
They're still here and doing their jobs well. Much more important than the specific security product is the surfing habits of the user.

 

Yes antivirus programs are still worth using because HIPS can't stop everything. If everyone switched to HIPS then malware writers would put more effort into bypassing HIPS app. The only reason they are not as targeted now is because not many user's have HIPS on there machine.

 

FYI -- Interesting comment from NSS Labs in this TechRepublic blog, emphasizing the importance of dynamic testing...

 

As long as other programs are much less novice friendly than av programs, av programs will continue to thrive.

 

I hate sandbox type applications.
having to take program outside of sandbox is annoying plus they dont work on 64bit properly.
Also dont forget that malware stays inside the sandboxie until it is empied so passwords could still be logged in that time.
most people wouldnt have a clue on how to use hips properly and would find sandboxies a pain.

 

I also hated the idea and use of sandbox type apps. However, once I learned how to use SBIE with a competent AV, this has been my favorite security. I believe with most if not all keyloggers they need to install something to be effective. If you have the Drop rights selected in SBIE, this will nullify that sort of thing. Also, delete the contents of the sandbox after you shutdown your browser.

You are right about the 64bit OS's. I can't get SBIE to work properly in 64.

But to get back on topic, I believe there is hope for the good AV programs out there. As malware gets more sophisticated, so does the good AV's.

Ice

 

Sandboxes in practicality should be transparent, not just on an AV engine but on 3rd party solutions marketed as such.

There should be a minimal shell integration and configuration. The sandbox only does runtime environmental analyses and warns of risk and optionally shows a report. This isn't the case with any existing solution unfortunately.

Also FYI 'dynamic' testing is still static analyses. Not sure how that is going to improve an AV engine anymore than generic sampling. Teenage noob malware authors even user custom packers and encryption stubs. AV vendors evidently don't have the ability to think like someone who wants to get a process through their product to the windows loader. I'm sure they have great reverse engineers, when they get around to updating a database only then can you look forward to not getting our information stolen.

 

@Zyrtec:

I love your signature,and feel that for those without the desire to spend a little time in the learning curve,a top flight AV,Firewall,and on demand scanners are still the optimum way to achieve that.

For those willing to spend a little time learning,there are many,many combination's possible that equal or surpass the efficiency,and are nearly as user friendly.

More user friendly in my mind.
I tend toward virtualization.

 

I think they hit the nail on the head. The number 1 reason infections get in and spread is user knowledge. Old farts just want programs to run so they say yes to every pop up their firewall offers and inadvertently let a malicious file run and they wonder how it happened.

 

For normal day-to-day use, a combination of policy restriction, virtualisation, and imaging should be enough to prevent infection. Policy restriction provides a strong defensive layer in terms of prevention, whilst virtualisation and imaging simplify and facilitate recovery, but that still leaves detection. As the Returnil moderator, Coldmoon, so aptly puts it, AV software is like the canary in the coal mine, acting as an early warning system even if it is only partially effective.

One gap that conventional AV/AM software helps to fill is during software installation, which often involves disabling policy restrictions and accepting HIPS alerts. Whilst it's very useful to be able to install new software in a virtual environment for testing purposes, that alone doesn't always enable a definite determination to be made as to whether or not an application may be malicious. AV/AM software is like an insurance policy, providing an additional layer of protection.

 

AV's will continue going strong, layered protection requires some knowledge xD
Most people would just click allow allow and allow

 

Not Just Old Farts!!!
Young Bloods also!!

Really,I do see what you mean. (Old Fart Here)

Respect,
Rat

 

That's not an exaggeration ~99% of first-stage UAC circumvention is human intervention, malware only sets the runas flag in it's resource. After this even on limited accounts driver signing and 'token stealing' is trivial to circumvent. A transparent sanbox would fix the human factor. No false positives in environmental analyses, so if the engine says there is a problem, there is a problem.

lol stack and some heap protection is the only existing memory protection. A program gets to the windows loader there is no existing protection for end-users. The bulk of botnet nodes are people who were convinced those where false positives in the functional warez they downloaded, and they helped it get to the windows loader when presented with the desensitized UAC prompt.

Engineers at MS and AV vendors simply don't think out of the box, or design according to marketing. Luckily ARKs and reversing tools are not written by these people.