Antivirus pioneer Symantec declares AV “dead” and “doomed to failure”

Discussion in 'other anti-virus software' started by Minimalist, May 5, 2014.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    well, just another good reason to use VooDoo Shield. :)
     
  2. guest

    guest Guest

    It's SweX eating tiiiiiiiiiime, RAAAAAAWWWRR.....! =V

    You know exactly what the point is. It's not like people suddenly stopped using AV software. You see:
    • Blacklisting AVs try to recognize who can't attend your party, regardless of what the guests are going to do. Godzilla is deemed dangerous by the AV, so Godzilla is kicked out of your party. Kraken, however, is considered safe. So Kraken can be at the party, doing anything it wants.
    • Let's take policy restriction as a comparison. The PR will restrict what your guests can do and what your guests can't do. It doesn't care if it's the President of the Universe or a hot air balloon; none of them will be able to get into your bathroom.
    I am sure you can see which one is more restrictive. ;)

    AVs are declared dead because it's technically impossible to catch zero-day threats. It is still worth using as an easy anti-malware solution IMO, but saying that a blacklisting AV can give you total protection against advanced persistent zero-day malware is simply a nonsensical marketing gimmick. At least for the blacklisting part. I personally would love to see a whitelisting AV with super-aggressive heuristics which will detect anything, where the signature updates are just for the whitelisted apps database. But I don't think it would be easy to use anymore.

    Now, I'm curious what Symantec is going to do about this. As in, what kind of technology will they use that they think is more effective? If a well-known company like them can come up with something new (or at least more restrictive), then this might become an evolution of the home cyber-security industry. Then I'll have plenty of toys to play with. Hoooray! :D
     
  3. si_ed

    si_ed Registered Member

    Joined:
    Aug 14, 2007
    Posts:
    54
  4. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    Eugene Kaspersky lashes out at Symantec’s 'anti-virus is dead' remark
    http://www.theinquirer.net/inquirer...s-out-at-symantec-s-anti-virus-is-dead-remark

    I strongly suspect other AV vendors will be making statements of some kind or another in the next days or weeks, if they have not already.
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yeah, but it also needs to be easy to use. It may work for the Wilders type of users, but far from everyone knows how to, or is willing to learn how to, use that sort of stuff. I guess one could complement an AV with something like this for some users, to help the AV whenever something slips by.

    No, it will probably not. :D
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    A database of all good executables, DLLs, drivers, and system files? That would be incredibly huge and just as impossible to maintain as a blacklist would be. Consider just updates to Windows. Vendors don't get access to the updated system files any sooner than we do. When operating system files or user applications are updated, should the whitelist automatically trust them or should they examine those files? If they just trust them, how is that different than the signed files we have now? Either way, a comprehensive whitelist would have the same problems that AVs have with blacklists. Never complete, never completely up to date, never completely accurate. The sheer quantities involved make both impractical if not impossible. It would be like trying to make a database of everyone on earth. It would be outdated long before it was finished, or before you could say that it's outdated.
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Well, an approach that uses hash+metadata whitelists could cover non-signed files and signed files from less well-known entities, while also reducing reliance on signing/certificate mechanisms, I suppose. Conceptually, the metadata portion could include some information about expected or unexpected behaviors. In the case of cloud AVs, it would help to eliminate cloud queries, and the more of those you eliminate the better. If you limited yourself to that mechanism alone, you'd need it to be comprehensive. However, if you layer it with one or more other mechanisms, it doesn't need to be comprehensive. You could, if you wish, only maintain a whitelist of "reasonably recent/prevalent" files, those which are more sensitive in terms of privacy, etc. The delivered portion could also be pruned to fit the user's specific OS version and location/language as well.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Whitelisting files known as "good" has/can/does lead to trouble. For example, rundll32.exe: allowing this free rein, when combined with an exploit etc., will do damage. Presuming of course that the anti hasn't caught it first. But as we know, no anti is always 100%.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For such whitelisting to work, the DLLs would also have to be whitelisted. Regardless of what method is used, I can't see such a whitelist ever being comprehensive. If your security is blacklist based and the AV misses that DLL, it's game over. If one can't count on the DLLs being properly white or black listed, you can either specify the allowed command line parameters for rundll32 or you can block rundll32 from running in user mode. Rundll32.exe is just one of many such examples. Cmd.exe is another.
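    The layering that TheWindBringeth and noone_particular describe above (a hash-keyed whitelist carrying metadata about expected behaviour, plus per-binary restrictions on dual-use system files such as rundll32.exe and cmd.exe), as an added example written for this thread; it is not code from Symantec, any other vendor, or the posters. Everything in it is constructed: the file bytes standing in for real binaries, the paths, the whitelist entries, the restriction names, and the rule that rundll32.exe may only load a DLL that is itself whitelisted while cmd.exe is only allowed in an elevated session (standing in for "block it from running in user mode"). The command-line tokenizer is a simplification of the Windows rules.

```python
"""
Layered execution-control policy (constructed example).

Order of checks:
  1. blacklist by hash      -- the classic AV "known bad" lookup
  2. hash-keyed whitelist   -- with per-file metadata ("restrict") describing
                               what the binary is expected to do
  3. behaviour restriction  -- rundll32.exe and cmd.exe are whitelisted, but
                               only for constrained use
  4. hand-off               -- anything not locally known goes to the next
                               layer (cloud query, heuristics, sandbox)
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for real binaries so the example runs offline.
# A real agent hashes the file on disk at execution time.
FILES = {
    r"C:\Windows\explorer.exe":                   b"EXPLORER-IMAGE",
    r"C:\Windows\System32\rundll32.exe":          b"RUNDLL32-IMAGE",
    r"C:\Users\u\Downloads\rundll32.exe":         b"RUNDLL32-IMAGE",  # copied elsewhere
    r"C:\Windows\System32\cmd.exe":               b"CMD-IMAGE",
    r"C:\Windows\System32\shell32.dll":           b"SHELL32-IMAGE",
    r"C:\Users\u\AppData\Local\Temp\payload.dll": b"DROPPED-DLL",
    r"C:\Users\u\Downloads\invoice.exe":          b"RANSOM-IMAGE",
    r"C:\Users\u\Downloads\tool.exe":             b"UNKNOWN-TOOL",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_of(path: str) -> Optional[str]:
    data = FILES.get(path)
    return None if data is None else sha256(data)

# Whitelist keyed by hash, never by name or path: a copy of rundll32.exe in
# Downloads gets the same restricted entry, a patched copy gets no entry.
# "restrict" is the constructed behaviour metadata.
ALLOWLIST = {
    sha256(b"EXPLORER-IMAGE"): {"name": "explorer.exe", "restrict": None},
    sha256(b"SHELL32-IMAGE"):  {"name": "shell32.dll",  "restrict": None},
    sha256(b"RUNDLL32-IMAGE"): {"name": "rundll32.exe", "restrict": "dll_must_be_whitelisted"},
    sha256(b"CMD-IMAGE"):      {"name": "cmd.exe",      "restrict": "elevated_only"},
}
BLACKLIST = {sha256(b"RANSOM-IMAGE")}

@dataclass(frozen=True)
class Launch:
    path: str               # image being executed
    cmdline: str            # full command line
    elevated: bool = False  # True in an administrative session (assumption)

Verdict = Tuple[str, str]   # ("allow" | "deny" | "query", reason)

def split_cmdline(cmdline: str) -> list:
    # Windows-style tokens: a token may contain double-quoted runs with spaces,
    # so  "C:\Program Files\x\a.dll",Entry  is one token.
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', cmdline)]

def check_rundll32(req: Launch) -> Verdict:
    # rundll32 itself is "good"; what matters is the DLL it is told to load.
    argv = split_cmdline(req.cmdline)
    if len(argv) < 2:
        return ("deny", "rundll32 launched without a DLL argument")
    dll_path = argv[1].split(",", 1)[0]          # "<dll>,<entrypoint>"
    dll_hash = hash_of(dll_path)
    if dll_hash is None or dll_hash not in ALLOWLIST:
        return ("deny", f"rundll32 target not whitelisted: {dll_path}")
    return ("allow", f"rundll32 loading whitelisted {ALLOWLIST[dll_hash]['name']}")

def decide(req: Launch) -> Verdict:
    h = hash_of(req.path)
    if h is None:
        return ("deny", "image not readable")
    if h in BLACKLIST:
        return ("deny", "hash on blacklist")
    entry = ALLOWLIST.get(h)
    if entry is None:
        # Not locally known: hand off rather than guess. The local list only
        # has to cover prevalent files to keep these hand-offs rare.
        return ("query", "hash not in local whitelist")
    if entry["restrict"] == "dll_must_be_whitelisted":
        return check_rundll32(req)
    if entry["restrict"] == "elevated_only" and not req.elevated:
        return ("deny", f"{entry['name']} blocked in a non-elevated session")
    return ("allow", f"{entry['name']} whitelisted")

if __name__ == "__main__":
    sys32 = r"C:\Windows\System32"
    for req in [
        Launch(r"C:\Windows\explorer.exe", "explorer.exe"),
        Launch(r"C:\Users\u\Downloads\invoice.exe", "invoice.exe"),
        Launch(sys32 + r"\rundll32.exe", "rundll32.exe " + sys32 + r"\shell32.dll,Control_RunDLL"),
        Launch(sys32 + r"\rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,Run"),
        Launch(r"C:\Users\u\Downloads\rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,Run"),
        Launch(sys32 + r"\cmd.exe", "cmd.exe /c whoami"),
        Launch(sys32 + r"\cmd.exe", "cmd.exe /c whoami", elevated=True),
        Launch(r"C:\Users\u\Downloads\tool.exe", "tool.exe"),
    ]:
        print(f"{req.path:48s} -> {decide(req)}")
```

    The point of the two restricted entries is the one CloneRanger raises: the hash says rundll32.exe is good, and it is, but "good" is only meaningful together with what it is allowed to do, so the whitelist entry carries that constraint and a dropped payload.dll is refused even though rundll32.exe itself passes. A file that is neither blacklisted nor whitelisted is not silently allowed; it is handed to whatever layer sits above this one.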
     
  10. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Symantec is so shameless. They now rely on pointless and baseless jargon to confuse their customers and make them believe what Symantec said is true. How pathetic.
     
  11. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Another article about the same subject:
    http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

    I've found this interesting:
     
  12. guest

    guest Guest

    It's not practical for normal users, but at least that's a way not to miss too many threats. Then again, a whitelisting database is mostly pointless for the people who would use such tools, since they will build their own whitelist instead.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, whitelisting only what is on your system is the first step to properly securing your system. By the time you've whitelisted your system, anything that relies on blacklists is completely redundant and pointless.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Originally Posted by AlexC, from
    http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus

    Yeah, they're called Zero Days. And not just crypted nasties either!

    Originally Posted by noone_particular

    Not everything though! As I said in my Post #33, rundll32.exe was just an example, as I said, and indeed cmd.exe is another of many not to whitelist. I started a list a while back of some to be going on with, for people to exclude, but it didn't get many responses. Maybe people aren't that bothered these days!
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That was why I said it was "the first step to properly securing your system", not the end of the process. How the different components are allowed to interact and what they're allowed to do are some of the next steps. I must have missed that list you mention, or I've forgotten about it (like I do so many other things). IMO, most users, including a lot of them here want something to secure their system for them. They don't want the headache of doing it themselves or they're afraid that they'll miss something. Admittedly, it is a lot to learn. The newer systems have more tools to use but there's also more that needs to be secured. The new versions of Windows aren't making it any easier, especially when it comes to services and open ports. By comparison, my OS has very few built in tools but there's much less of it to secure, and no services to deal with. Either way, the user has to be comfortable with that responsibility.
     
  16. Eggnog

    Eggnog Registered Member

    Joined:
    Nov 17, 2012
    Posts:
    129
    Location:
    United States
    Symantec is just angry because their product is totally bloated and no one really likes it much.
     
  17. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    I can get Norton free via Comcast now, so I gave it a try a few weeks ago. While I had some issues with false positives, it was anything but bloated. Actually, it's one of the lightest AV programs I've tried recently.
     
  18. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yet again someone screaming about "bloat" without knowing what bloat really is. Norton is nothing of that.
     
  19. Eggnog

    Eggnog Registered Member

    Joined:
    Nov 17, 2012
    Posts:
    129
    Location:
    United States
    Probably just my intense dislike of Symantec and Norton talking.
     
  20. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    You were right, and I strongly suspect that they have been reading this thread, since they basically repeat what I've already said. :D
    http://blog.avast.com/2014/05/06/the-death-of-antivirus-has-been-greatly-exaggerated/

    But I've read some of Symantec's comments, and it looks like they're saying that you can't really prevent infections anymore. That's quite weird, and I have to disagree.

    HIPS + sandboxing should actually be able to prevent and detect attacks, for example, I like Invincea´s approach a lot. :) http://www.invincea.com/knowledge-center/white-papers/
     
  22. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
  23. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    I agree.
     
  24. guest

    guest Guest

    It doesn't matter who is the subject of the communication. Different approaches are mandatory in these ages. But when we see something unique, it usually will be dead in a matter of time, since not a lot of people will use/buy it. This is actually very unfair. If Symantec really can come up with something interesting and make it also available for home users, that at least can be an alternative for us all to use.
     
  25. Inside Out

    Inside Out Registered Member

    Joined:
    Sep 17, 2013
    Posts:
    421
    Location:
    Pangea
    Strange, because corporate AVs usually trade detection for a bit more usability and stability compared to the home versions, which is understandable. If they can really develop a more effective solution, it should be more suited to home users with enough time on their hands.
     
    Last edited: May 11, 2014