So how firmly do you believe in today's AV detections?

Discussion in 'other security issues & news' started by BrownChiLD, Dec 19, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A recent example: In checking my Yahoo account Spam Folder last month, I lucked out to encounter a "0-day" file -- that is, no AV vendor identified it when I uploaded it to an online scanning site.

    The next day, Yahoo's virus scanner flagged it, and almost all vendors also had a signature for the trojan FB IPsecure file by that time:


    Warning About Spam Fake, Not from Facebook
    Posted on 02 December 2010. Tags: About, Facebook, Fake, from, Spam, Warning
    http://www.computersecurityarticles.info/antivirus/warning-about-spam-fake-not-from-facebook/

    This, of course, highlights the inherent weakness of this type of security.

    One can argue that with sound policies and procedures in place, the user wouldn't be tempted to install the free program offered. In that case, it follows that AV wouldn't even be necessary for protection against social engineering exploits.

    That leaves the remote code execution exploits. Unfortunately, the lack of detection for the 0-day stuff would seem to make reliance on signature-based products precarious at best. Even heuristics have been shown to not be able to keep up with continuous variants of some of today's vicious malware.

    There are just too many proven methods against the remote code execution exploit to chance non-detection of the malware.

    Having said that, a colleague of mine uses a top-tier AV (along with other stuff) and it has never failed to flag any malware from even the most recent URLs posted in malware domain sites.

    To him, this suggests that the updating of AV vendors is so quick these days, that the window of opportunity for encountering a booby-trapped web site as 0-day is so small now, that the chances of him being hit are minimal. Of course, with sound policies and procedures in place, he is less likely than others of being hit.

    There -- I've presented both sides of the coin!

    I've always felt that Security (in all forms) is basically a state of mind. Looking at the houses on my block, I see some with bars over the windows, and several with the heavy security metal screen doors. Some have their yards fenced; one who does, leaves his driveway gate open. Each person has a valid reason -- valid in her/his mind -- for the security measures taken.

    I don't think it serves any purpose to make blanket statements at a distance about a person's decision to use this or that security product. For every example as to why this or that does not work, another will show how it does.

    A recent thread berated teenagers as being careless, among other things, regarding security.

    One teenager disproving that generalization comes to mind - she has used a top tier AV since high school. She is very security-aware, follows sound policies and procedures. Now in college, she uses an AV suite. She feels perfectly comfortable, and who am I to argue?

    ----
    rich
     
  2. BrownChiLD

    BrownChiLD Registered Member

    Joined:
    Mar 1, 2006
    Posts:
    54
    i left this thread i started for a few days and wow.. such a good discussion ..


    it's funny huh? one can go...

    .. i don't want an AV hogging my system... i can pretty much tell my system is safe for now..

    ...but i think i need it.. to at least find out if new software (and even cracks/keygens) are bad boys....

    ...so i install it.. download 2 cool apps from the internet..

    1st app:
    .... real time scan didn't flag anything... manual scan result is clean... but i'm afraid to install it! my AV might have missed it.. i better upload it to VirusTotal.com.. boom.. 2/42 flagged it! it could be a false positive but those 2 flags worry me.. i'm stuck..


    2nd app:
    real time scan flagged this app, and so did the manual scan... but i think this is a false positive.. it's such a good app.. i want it.. i think i'm safe.. i better ask for a 2nd opinion from VirusTotal.com... there! at least 10 engines said it was safe, including Norton and McAfee.. so it's gotta be safe.. but.. what if it's not.. what if my current AV is right?


    (guy is stuck and undecided for weeks, then quits everything and decided to live in the mountains)


    bottom line though... i guess we're all pretty stuck huh? .. to have an AV but not trust its results.. but can't NOT have an AV coz it's comforting to have something warn you of threats.. which, again, you can't 100% rely on, positive or false positive.. .. and the loop goes on...

    *sigh

    PS.. so does sandboxing and system protection that reverts everything like RETURNIL or DeepFreeze.. if you install something you will at least need to "apply" the changes soon.. you can't just keep it in the sandbox.. so when do you decide to "let it out?"

    this computing age is so annoying/frustrating now. hehe


    anyway as for me. i've decided to keep the Comodo defense/FW, and also the AV for now.. the FW will at least tell me of apps phoning home.. the AV.. i dunno... i decided to run every darn installer of mine through my virtual environment w/ snapshots and monitors before actually installing it into my system.. this is at least the safest way i can think of right now.. i pity the average PC user though.. the gazillions of them :(
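The "virtual environment w/ snapshots and monitors" approach above, as an added example that is not part of the original post: take a file-tree snapshot of the test system before running an installer, take another afterwards, and diff them, flagging anything that lands in places a single application's installer normally has no business touching. The directory layout, the "suspicious" path prefixes and the simulated installer actions are all constructed assumptions for the demo (Windows-style paths mirrored inside a temporary directory), so it runs offline on any OS.

```python
"""Added example: before/after snapshot diff for a test VM or test PC.
Not code from the thread. Paths, prefixes and the simulated install are
constructed for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: these relative prefixes stand in for autostart and driver
# locations that a benign single-app installer should rarely write to.
SUSPICIOUS_PREFIXES = (
    "Windows/System32/drivers/",
    "Users/me/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/",
)
# Assumption: executable-type suffixes worth a second look regardless of path.
WATCHED_SUFFIXES = (".exe", ".dll", ".sys", ".lnk")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = sha256_file(p)
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Added, removed and content-changed files between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys()
                      if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def flag_suspicious(diff: dict) -> list:
    """New or changed files in watched locations or with watched suffixes."""
    hits = []
    for path in diff["added"] + diff["modified"]:
        if path.startswith(SUSPICIOUS_PREFIXES) or path.lower().endswith(WATCHED_SUFFIXES):
            hits.append(path)
    return hits


def demo():
    """Constructed scenario: baseline tree, then a simulated installer that
    drops its own files plus a driver and a Startup-folder shortcut."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        def write(rel, data):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)

        write("Windows/System32/kernel32.dll", b"baseline")
        write("Users/me/Documents/notes.txt", b"hello")
        before = snapshot(root)
        # --- simulated installer actions ---
        write("Program Files/CoolApp/coolapp.exe", b"app")
        write("Windows/System32/drivers/coolapp.sys", b"driver")
        write("Users/me/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.lnk", b"lnk")
        write("Users/me/Documents/notes.txt", b"hello modified")
        after = snapshot(root)
        diff = diff_snapshots(before, after)
        return diff, flag_suspicious(diff)


if __name__ == "__main__":
    diff, hits = demo()
    for kind in ("added", "removed", "modified"):
        print(kind, diff[kind])
    print("suspicious:", hits)
```

The diff is only as good as the baseline: take it immediately before launching the installer, and compare it with what the firewall and HIPS logged during the same window, since a clean-looking file diff says nothing about what the installer downloaded or tried to connect to.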
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If you make a full system backup before installing or updating, you're not stuck. If it's infected, incompatible, or you just don't like it, it only takes a few minutes to get back to where you started.

    As for installers that only a few flag, you have a few options:
    1. Wait for a few days, then scan it again. If it was relatively new malicious code, a lot more will flag it on the next scan. If the number doesn't go up, it's most likely either a FP or some type of adware that most of the scans don't feel is bad enough to target (no agreement on what constitutes adware).

    2. Install on a virtual system first. Have the virtual system equipped with the security apps that you normally use, plus install monitoring software. Regardless of what the installer says is best, leave the security apps running, especially firewalls and HIPS. An installer can be clean and still be malicious by downloading the actual malware files during the install process. A firewall will warn you if it tries. Examination of the alerts from HIPS will warn you of attempts to install drivers, autostart entries, attempted usage of a command interpreter, and more. If you don't have a virtual system, install it in a sandbox. If the app won't install in a sandbox, check if other apps of that type have problems with sandboxes.

    3. Use a test PC equipped like the virtual test system above. This will allow you to catch malware that is "virtual system aware."

    It is not possible to take all the risk out of installing or updating software. The best you can do is to make sure that you can get back to where you were. The bottom line is this. Security apps don't protect you when you choose to alter your system. A sound security policy that addresses this vulnerable time is what will ultimately protect you, provided that you follow it.
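Option 1 above ("wait a few days, then scan it again") as a decision routine, added here as an example and not code from the thread: compare two multi-engine reports for the same file taken days apart; a climbing detection count means the early flags were a real signal, a flat count with PUP/adware-style names means vendors simply disagree on adware, and a flat count with generic names points to a probable false positive. The report layout is a constructed simplification rather than any real scanning site's API, the wait and "a lot more" thresholds are assumptions, and the sample reports and vendor names are invented.

```python
"""Added example: rescan-trend classifier for an installer that only a few
engines flag. Not code from the thread; report format, thresholds and
sample data are constructed for the demo."""
from datetime import date

# Assumptions: days to wait before a rescan is informative, and the jump in
# detections that counts as "a lot more will flag it".
MIN_WAIT_DAYS = 2
MAJOR_INCREASE = 5
PUP_KEYWORDS = ("adware", "pup", "pua", "riskware", "not-a-virus",
                "unwanted", "toolbar", "bundler")


def pup_fraction(report: dict) -> float:
    """Share of detection names that read like adware/PUP verdicts."""
    names = [n.lower() for n in report["detections"].values()]
    if not names:
        return 0.0
    hits = sum(any(k in n for k in PUP_KEYWORDS) for n in names)
    return hits / len(names)


def classify(first: dict, later: dict):
    """Return (verdict, reason) for one file scanned at two points in time."""
    if first["sha256"] != later["sha256"]:
        raise ValueError("the two reports describe different files")
    days = (date.fromisoformat(later["scan_date"])
            - date.fromisoformat(first["scan_date"])).days
    if days < MIN_WAIT_DAYS:
        return "wait", f"only {days} day(s) between scans; rescan later"
    p0, p1 = len(first["detections"]), len(later["detections"])
    total = later["engines"]
    if p1 - p0 >= MAJOR_INCREASE:
        return "emerging_malware", f"detections rose from {p0} to {p1}/{total}"
    if pup_fraction(later) >= 0.5:
        return "adware_or_pup", f"flat at {p1}/{total}; names are PUP-style"
    return "likely_false_positive", f"flat at {p1}/{total} after {days} days"


def _report(sha: str, day: str, engines: int, detections: dict) -> dict:
    # Constructed report shape: {sha256, scan_date, engines, detections{vendor: name}}
    return {"sha256": sha, "scan_date": day, "engines": engines,
            "detections": detections}


def demo() -> dict:
    """Four constructed installers, each scanned on day 0 and again later."""
    cases = {
        # 2/42 on day 0, 31/42 three days later: real, just new.
        "app_a": (
            _report("a" * 64, "2010-12-15", 42,
                    {"VendorX": "Gen:Variant.Graftor", "VendorY": "Trojan.Generic"}),
            _report("a" * 64, "2010-12-18", 42,
                    {f"Vendor{i}": "Trojan.FakeInstaller" for i in range(31)}),
        ),
        # 2/42 -> 3/42, all PUP-style names: vendors disagree on adware.
        "app_b": (
            _report("b" * 64, "2010-12-15", 42,
                    {"VendorX": "Adware.Generic", "VendorY": "PUP.Optional.Toolbar"}),
            _report("b" * 64, "2010-12-19", 42,
                    {"VendorX": "Adware.Generic", "VendorY": "PUP.Optional.Toolbar",
                     "VendorZ": "not-a-virus:AdWare.Win32"}),
        ),
        # 2/42 -> 2/42 with generic names after five days: probable FP.
        "app_c": (
            _report("c" * 64, "2010-12-15", 42,
                    {"VendorX": "Heur.Suspicious", "VendorY": "Trojan.Generic"}),
            _report("c" * 64, "2010-12-20", 42,
                    {"VendorX": "Heur.Suspicious", "VendorY": "Trojan.Generic"}),
        ),
        # Rescanned the same day: no conclusion yet.
        "app_d": (
            _report("d" * 64, "2010-12-15", 42, {"VendorX": "Heur.Suspicious"}),
            _report("d" * 64, "2010-12-15", 42, {"VendorX": "Heur.Suspicious"}),
        ),
    }
    return {name: classify(a, b)[0] for name, (a, b) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The hash check matters: compare reports for the same bytes, not for "the installer" in general, since a re-downloaded file from the same site can differ from the one first scanned. A "likely_false_positive" verdict is a prior, not a clearance; it is the case where options 2 and 3 (virtual system, then a physical test PC) earn their keep.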
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Here is the real kicker: I do not entirely disagree with noone_particular & safeguy, and the Virus Guard in RSS works as N_P describes (scan new content) by design, with the Virtualization and default-deny Anti-Execute taking the lead roles. My point was not about AV being a viable front line defense; it isn't, never has been, and never will be. The point was to say that there is still room for the tech, even if it is only a supporting role.

    As has been discussed many times, an AV is not an end unto itself as the industry marketing would like you to believe; but it does have a role. This role may not be the same for every user and has decreased over time, but it is still relevant to specific purposes and missions.

    The real key is to think about the risks you are likely to encounter and then plan accordingly...

    Mike
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Gotta love and appreciate your "mystery soup" analogy. Mixing up the medicine, as someone once said.
     