Antivirus is DEAD!

Discussion in 'other anti-virus software' started by farmerlee, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    Well if by 'idiots' you mean the computer illiterate masses we've thus far been referring to, then I have to partially disagree with you. Obviously the vast majority of the so-called 'idiots' don't use HIPS, as such software is currently reserved for those with some interest and know-how in computer security. However, as Ilya has pointed out, a PR campaign by the computer security firms would raise awareness and usage of HIPS software, even if many of those 'idiots' would neglect or improperly use it. There will always be those among the 'idiots' that refuse to acknowledge the need for various security software and forgo using it, but that isn't any different between the various types of security software.
     
  2. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Can someone address ErikAlbert's proposal. It seems to be fool-proof.
     
  3. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Why do you need it addressed if you believe it to be fool-proof?
     
  4. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    He said it seems fool-proof; he didn't say whether he believes it is fool-proof, so don't confuse the two. Regardless, that shouldn't really matter. He is interested in a particular subject somewhat related to the topic of this thread and is asking for others' input on the matter so that he can gain a better understanding of it. I don't get why you are questioning his motive or reasoning for seeking further information about this.
     
  5. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    I don't think there is anything like a "fool-proof" security protection. Everybody would be using it if it existed. ;)
     
  6. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    While I agree that, as far as I know, there is currently no foolproof security setup, and agree that in principle, when concerning computers, it is highly unlikely for an entirely foolproof security setup to exist, there is still the possibility for one to emerge (it would likely have to come in the form of an inherently secure OS rather than third-party programs). The idea presented by Erik is an attempt towards such a setup; whether it is viable or not has yet to be determined. But just because his goal (a foolproof security setup) is implausible doesn't mean it's not possible, and more importantly doesn't mean ideas toward that end, such as the one Erik suggested, shouldn't be discussed.
     
  7. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    But I never said it shouldn't be discussed. ;)
     
  8. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I wasn't questioning his motives, that's your interpretation. Thanks for the English lecture though. :)
    No, of course there isn't, that would be next to impossible, but you can of course try to make it as difficult as possible. Not many would be able to use the "Eric Albert method" even if he or even I don't think it's too difficult; most would not be interested in the learning curve which would be involved. Only when other tools (read suites; most ordinary users want no more than 1 or 2 security tools on their PC... and that's stretching it in some cases!) have become very easy to operate will these perhaps become more mainstream, but this will only happen when these technologies are mature enough regarding user-friendly operation, and at that time it will be the same big companies taking the market like they own it now... with a few exceptions of course, either by buying an existing program like for example Ilya's or developing it themselves. Like the Inspector, I really doubt this will happen anytime soon, but I think it will be more of a gradual transformation of the traditional anti-viruses... and this has already started btw.
     
  9. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    I never said or meant to imply that you said that. I meant it in a generalized sense. My apologies if I wasn't clear. Now let's stop with this side discussion about discussing a particular subject within this overall discussion and get back to discussing the substance of this overall discussion. :D
     
  10. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks; The battle between the traditional (blacklist/signature-based) AV and the revolutionary (whitelist, non-signature) one is, from an average Joe's perspective, one similar to this situation: Suppose I will throw a party. I will have two options to screen the guests who will appear at the doorstep. Method #1, keeping a guest list and checking each arrival against the LIST, or Method #2, sending out messengers to inform those whose names are not on the LIST not to bother to come. With a grade school pupil's IQ, which method is more feasible? Just think, think and think. Of course, the general public, I mean average Joe/Jane, need to be reminded to unearth their logical (reasoning) ability. Just a loonie thought.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi there Perman!

    I hit this thread and can see it is way more fun than mine on how to optimize various FW's.

    On this loonie thought of yours, I get these as well, but yours may not be so loonie since it gets people thinking :thumb:

    On 1st blush I was swayed by method 2 since it involved exploring on a grand scale (only kidding). But if there was a way to set up a set of criteria that party comers would have to meet and then enforce it 100%, the issue would be over. It reminds me of a story I heard describing the perfect job ad. It would be written so only 1 person would respond, and that was the perfect candidate!

    Problem is that people don't follow the rules and send in resumes anyway; some were poets and politicians, but we wanted an assembler programmer to work on OS development.

    The bad guys don't and won't follow my filter rules and will send me their nasty packets anyway! Thus I need a gatekeeper, or better a moat, a drawbridge, an iron gate and boiling oil to pour on these parasites in packets should they survive the moat.

    That brings us to method 1, the guest list... hmm, this could be problematical as well, like say gate crashers wearing packet costumes. Even without them, suppose some have come to the wrong address and have matching IDs to the guest list. Who produced and maintained this list anyway? Is it accurate, complete? Let's say you invite me but I get mugged by my evil twin who finds the invite. Oh, was there an invite sent out? Hope they didn't fall into the wrong hands.... problems, problems, will it never end?

    I propose a layered defense: first the moat (HW FW), then the guard house SW FW where the guest (packet) has to pass a set of skill-testing questions that only a valid guest would know, who invited them, prove they are who they say they are (blood samples are good) and then get strip-searched for nasties hidden in their packets (AV). If they pass that, then I put them in a fake guest waiting room just like the real party (but it isn't) and watch them with security cameras and subject them to tempting treats. If they misbehave, as some will, then I remove them from the fake party and either put them in the dungeon for later consumption by the castle beast or simply pour boiling oil over them. I would then ban all their relatives, friends and associates and any facilitators who helped them find their way to my castle. Their home base would also be wiped out.

    Then after proving their worth I let them in but have a shadow on them anyway. If they make 1 false move they join their friends in the dungeon.

    QED
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, people at viruslabs are always busy, so a quick response isn't always feasible. Jotti/Virustotal provide a good enough analysis to determine the nature of a given file.
    This is the technical challenge.
    This is the PR/marketing challenge. Publicity sells necessities. It doesn't matter if they're real necessities or emotional/status necessities.
     
  13. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks; Marketing/PR in cyberspace, especially in the security sector, is more confined to targeting the right targets. You can conduct a survey asking any passerby on main street this question: do you ever read PC Mag or ever visit Wilders'? I can bet you one loonie, the majority of respondents will say NAY. So who is going to convey these marketing messages to the general public? The answer can be found in this day-to-day lifestyle. Can I ask how many of you (of course including our female friends here) have ever read a Beauty/Hair Mag? When you visit a barber/beauty shop, do you have an absolutely clear idea how to make your hairdo look better? Probably not, therefore you rely on your barber/hairstylist's suggestions entirely, and these professionals do read those trade mags. Therefore, for this new revolutionary approach to be successful, app devs need to bring the majority of computer experts (who have the opportunity of meeting the general public on a frequent basis) onto their side. Anything short of that is just a daydream. Again just my loonie sense, eh?
     
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Perman, I only wish you could use paragraphs to write your posts. :D
    That's a nice comparison, and I'd expand it.

    People who don't care to make a guest list call the police to at least stop known criminals from getting in (AV). If one decides to take it seriously, they bother to make a list, or criteria to allow people in. It's a bigger task, but effective.

    Now, there are those jokers that crash in anyway (exploits?), going in through the window (buffer overflows lol). If you have locks on the window (DEP + ASLR), you're pretty much OK. All you have to do now is make sure your list/criteria is the correct one (clean software is chosen). The fallback is to call the police anyway (AV), since it's the best way you have to get the bad.
    Very insightful. I think it's true. The perfect example is the AV that comes with the computer, traded only for the AV the guy in the local shop recommends.
     
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    Please allow me to ask what exactly is meant by white/black listing?
    How does it work?

    A few possibilities:

    1.
    Every time before any file is executed first a connection is made to a site to check whether it is white/black listed.

    2.
    Frequently a white/black list is downloaded to your PC (just like an AV updates its definitions onto your PC), and then every time before any file is executed first that file is checked whether it is white/black listed.

    3.
    You build your own "white/black list".
    Possibilities for example (just examples!): Process Guard or an on-demand file-integrity checker.

    4.
    Any combination of the previous ones.

    5.
    Something else ?

    =====

    If it is about 1 or 2:

    How are those files identified?
    By name, MD5 checksum, full path ?

    Are you aware that there are completely legitimate security programs that:

    a.
    with every update don't change the name of their main .exe file, while its checksum is changed.

    b.
    have a different name for their main .exe file for every user who bought it.

    =====

    Again, have you thought about all the different language versions, the version-numbers of the programs themselves, the Windows/other-OS versions for them, the path they are installed to?

    =====

    Have you thought about the Windows updates, the hotfix (un)installers, and about how CCleaner handles those hotfix (un)installers (if you checked that option in CCleaner)?

    =====

    I could go on ....
    But I'll leave it at that for now.

    I do believe that there is certainly a place for white/black lists (otherwise I wouldn't have posted in the past about NISFileCheck, ADinf32 Pro, the CRC32 feature in TDS-3).

    It all depends what exactly is meant by white/black lists and how they work.

    But I don't believe that AV's are "dead".

    I still think that you yourself have to check whether a file-change or new file is legitimate or not. Blue posted already about that.

    You are completely free to call me a guy from the past ;)
     
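FanJ's questions (how a whitelisted file is identified: by name, by checksum, by full path; what happens when a legitimate program keeps its name but changes its checksum on update) and bontchev's later point that someone has to approve changes can be made concrete with a small "build your own whitelist" integrity checker of the ADinf32/NISFileCheck kind. This is an added example, not code from the thread or from any of the products named; the file names and contents are constructed, and identity is deliberately keyed on full path plus SHA-256 so the reader can see exactly which of FanJ's cases trip it.

```python
import hashlib
from pathlib import Path

# Constructed sample "file system" (path -> contents) standing in for a real
# tree so the example runs offline; scan_directory() does the same for a disk.
BASE_FILES = {
    "Program Files/Scanner/scanner.exe": b"MZ\x90\x00 scanner v1",
    "Program Files/Scanner/defs.dat": b"signatures 2007-02-10",
    "Windows/notepad.exe": b"MZ\x90\x00 notepad",
}
CURRENT_FILES = {
    # FanJ's case (a): same name and path, new checksum after a legitimate update
    "Program Files/Scanner/scanner.exe": b"MZ\x90\x00 scanner v2",
    "Program Files/Scanner/defs.dat": b"signatures 2007-02-10",
    "Windows/notepad.exe": b"MZ\x90\x00 notepad",
    # A file nobody approved (constructed name)
    "Windows/Temp/unknown.exe": b"MZ\x90\x00 unknown",
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_whitelist(files: dict) -> dict:
    """Baseline: full path -> SHA-256 of contents. A renamed/moved file shows up
    as 'new' and an updated file as 'modified'; a by-name-only list would miss both."""
    return {path: digest(data) for path, data in files.items()}

def scan_directory(root: str) -> dict:
    """build_whitelist() over a real directory tree (hypothetical usage)."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): digest(p.read_bytes())
            for p in root_path.rglob("*") if p.is_file()}

def compare(whitelist: dict, current: dict) -> dict:
    """Classify every path as unchanged, modified, new or missing."""
    report = {"unchanged": [], "modified": [], "new": [], "missing": []}
    for path, h in current.items():
        if path not in whitelist:
            report["new"].append(path)
        elif whitelist[path] != h:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    report["missing"] = [p for p in whitelist if p not in current]
    return report

def approve(whitelist: dict, current: dict, paths) -> dict:
    """The human-judgement step bontchev describes: accept named changes into the
    baseline. Anything not approved stays flagged on the next comparison."""
    updated = dict(whitelist)
    for path in paths:
        if path in current:
            updated[path] = current[path]
        else:
            updated.pop(path, None)  # approving a deletion
    return updated

if __name__ == "__main__":
    wl = build_whitelist(BASE_FILES)
    cur = build_whitelist(CURRENT_FILES)
    print(compare(wl, cur))
    wl = approve(wl, cur, ["Program Files/Scanner/scanner.exe"])
    print(compare(wl, cur))  # the unapproved file is still reported as new
```

Note that the checker can only say "changed" or "new"; whether a change is a legitimate update or not is exactly the question the tool cannot answer for you, which is FanJ's and bontchev's point.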
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Hi guys,
    I could do two things:
    1. A classical security setup like anybody else, but I know the pros and cons of such a setup already.
    2. Another security setup, based on whitelists and recovery, one that nobody has or wants, except a few members.
    The first one is well-known and the second one was as good as unknown and worth trying, so I chose the second one because the first one was OLD news.
    I only wanted to know how hard it was to work with the second setup.

    One thing is sure: more and more members start using immediate recovery software, like FirstDefense-ISR, RollbackRx, Deep Freeze, ShadowUser, PowerShadow, Returnil, ..., not as security software, but MAINLY as recovery software to keep their computer clean and trouble-free. AFAIK most of these users are still using a classical security setup, including blacklist scanners.

    I'm using an extreme form of FDISR, called a frozen snapshot, and I ditched all my blacklist scanners, because I don't need them to REMOVE infections.
    Only the real-time shield of a main scanner could still be useful for me, because it prevents installation of infections.

    All on-demand scanners are completely useless, because my frozen snapshot does a
    1. faster job, because it takes less than 2 minutes to clean my system partition.
    2. complete job, because it removes all infections as hard-disk changes, which means no missing signatures and no false positives.

    The main problem with such a security setup is also keeping the GOOD changes. A minor problem is that you have to change your habits and procedures, because they are different from a classical security setup, and who wants to change his habits? :)
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    FanJ, I'm referring to building your own whitelist. With NoScript and SSM for instance. Or AE in Erik's case.
    I've asked in a thread what can get through execution prevention; some of that is answered here: exploits. Good answers, but they seem incomplete to someone like me who wants to get the big picture.
    It also seems to take a thread "Antivirus is DEAD" to summon the experts. heh

    But, note, I did not throw away my AV. The computer is not a disco club, so the "guest list" comparison falls short of course.
    I do not know when/if I can make a mistake, or if I even have to.
     
  18. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Another input on that matter: http://ssta.over-blog.fr/article-10389932.html

    KAV is the one to follow, so far, in the implementation of a HIPS/behaviour blocker into a "traditional" blacklist AV.

    Coming from the other side (HIPS, which later integrated an AV engine), Online Armor 2 is going the same way: to give users a "second chance" whenever the blacklist part of the program doesn't actually protect (none of the blacklist programs are 100% in detection at a given moment).

    As for the statement "AVs are dead", I do not think so: they're just one part of the layered defense strategy, discussed many times on this forum.
     
  19. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
  20. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    Removes all hard disk changes?! You gotta be kidding me. Such a computer is completely unusable - you can't create documents, you can't even play games, because you can't save your game.

    Perhaps you meant "removes all changes to executable files". Which leaves us with a few problems:

    1. How do you know which files are executable? As was already explained here, a Word document can cause execution of malicious code.
    2. How do you know that your machine is not already infected? I mean, before you "froze" it.
    3. How do you install new software? Because if you're totally forbidden from installing new software, that's not a very useful machine.
    4. How do you approve changes? If you do install new software, you have to mark the changes as "approved" somehow. How do you know that you aren't installing malware - which your system will prevent you from removing later, because it will keep restoring the approved changes?
    5. How well do you think the average user is going to answer the above questions?

    Yes, snapshots are a useful tool to prevent infection. I've used them myself. But they require an expert (to intelligently approve changes, to maintain many snapshots after every software install, so that virtually any previous state can be restored, and so on) - and even an expert makes mistakes occasionally. For the average user, this is a hopeless malware prevention measure.

    Regards,
    Vesselin
     
  21. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    *THAT* is exactly *THE* point. And if user education ever worked then we wouldn't even need any security software, regardless of whether it's called whitelisting, antivirus or firewall.
     
  22. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Also keep in mind that a snapshot won't prevent your private data being sent out to the net (be it passwords, logged keystrokes, your webcam stream or whatever else), nor will it prevent your system from being used as a spam bot (at least until reboot or whenever the snapshot gets applied).

    Snapshots are BACKUPS, not a prevention mechanism.
     
  23. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    True.

    False. In general, that "other object" could be something seemingly legitimate and often-used - like a Word document. You can't block these on principle (because you'll make the system unusable) - and the exploit doesn't have to rely on dropping and running an executable (which you can block).

    Unauthorized objects running on non-system partitions can cause plenty of damage, too.

    Regards,
    Vesselin
     
  24. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    In a word - no.

    Right - but that's not of much help. You see, one of the basic principles of von Neumann computers (which is what all contemporary computers are) is the equivalence between code and data. One program's data is another program's code. Is some JavaScript text executable or not? It's data for Notepad - but it's a program for Internet Explorer.

    You can't predict in advance that some sequence of symbols won't be "executable code" in some environments. In fact, this is what many exploits misuse - they use special values in what is supposed to be data fields for vulnerable applications, causing buffer overflows and having these values executed as code.

    Regards,
    Vesselin
     
  25. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    In general - no, there isn't.

    It can be done in every particular case, of course - if you know the file format, if you know what the exploit abuses, etc., then it's usually pretty easy to locate where the shellcode is. But that's no better than known-virus scanning. In the general case (file with unknown format, 0-day exploit for an unfamiliar application), you're left without a clue.

    The only way to do it is to run the application under a debugger, have it open the file with the exploit and see what happens, why, and where the code that causes it is. Believe me, that's no fun.

    Regards,
    Vesselin
     