Is an antivirus gap looming? Via C|Net

Some ok points, but seemingly another Antivirus is dead opinion.
Since this is on the frontpage at C|Net every half-Arsed "computer guru"(sarc.) is going to get on the bandwagon and create a bigger mess than we already have to deal with now.

Read the full version @ C|Net

 

Antivirus with regular signatures, advanced enough engine for complex malware and with good heuristics including behavioral detection can yeld outstanding results. KAV7 is a decent example of that. NOD32 is very close, NOD32 with CyberHawk is almost there... They may say antivirus is dead but i say it's time for people to start learning. Just like we know you may catch a cold if you run half naked while it's snowing outside, the same should ppl know you might catch a cold by opening attachement from an unknown email. And just like antibiotics do help to some degree, they don't always help. Same with antiviruses. There is nothing 100%, not in real life and not in antivirus world. I will still rely on antivirus but i'm also teaching people how to take care of them without antivirus (what to avoid, what to watch for etc). And honestly it did payed off.
If i look back i actually did a very small revolution when i showed my enthusiasm for security to others. People actually started to care about their security, they got to know all sorts of tools they never heard of before (most of people know only Norton and McAfee). I also teached them how to clean the system and even made a tutorial so i don't have to expalin it to each person induvidually. Rate of infections dropped drastically on those forums and i rarely see anyone with infection problems now. Thats something by itself isn't it?

 

Its a CNet "Perspective" article. Its an article about the author's opinion, much like your local newspaper's opinion or editorial pages. Its up to the reader whether he agrees with what is written or not. I don't agree with most opinion written by my local paper's editors. The author in this case if you look carefully is not one of CNet's own staff, but a senior security researcher from a security research company, Arbor Networks.

The author is not saying that AVs are totally usless. He's just questioning whether today's(or yesterday's) definition-based systems can keep up with current and future threats and he has every right to question that based on his observations and interactions with his fellow friends from the security industry.

 

Well if you mostly encounter yesterday's malware like i do, antiviruses make lots of sense. I'm mostly visiting verified webpages and forums that are well reputated on the net, yet again download stuff from again verified pages, mail provider is almost 100% malware free (in like 3 years i got just 1 mail containing link leading to malware!). So usually when i do encounter malware definitions already exist because of the gap between malware release and actual distribution. Donno but i really wonder how people manage to get infected constantly. The mystery i'll probably never understand...

 

I understand this(the meaning behind he word perspective) and I didn't state it was C|Net's article, I said it was on the frontpage.
We all know how many "fan-boy" types visit that place. If these articles fail to enforce the fact that AV's are not "useless" things may become worse then better.

 

Most of these kinds of experts write articles about “antivirus death” to cash in. They either work for these (proactive or behavior or hips) companies or they have some relation with them. Antivirus companies can easily adapt to this kind of technology when time comes. What they want you to believe is simple over and you need to jump to the other side. Its all about money and business…

For now, signature based products still work. Why? Because average Joe doesn’t want to deal with decisions or popups.


tD

 

But who's to say you haven't been hit by a 0-day virus or webpage exploits? If your antivvirus can't detect it, you'll never know you got it, and when it finally tells you 3 days later, then it might be too late, some sensitive information might already have been stolen.

Granted, for most home computer the damage can be limited. But in big government ministry or agencies or banks, it can be VERY damageable and they are the one being targeted by the new generation of malware. Plus, keyloggers and all are still very badly detected.

Just look at this article, http://news.com.com/8301-10784_3-9741357-7.html?part=rss&subj=news&tag=2547-1_3-0-5,
I wish they'd mention if an AV was present, I bet it would never have detected the keylogger.

 

Some of Antivirus programs are able to deal with these threats either via Heuristics, proactive or behavior analysis technology or simple generic detection. Not all of them are lame as they put it.


tD

 

Many of today's AV programs have or are developing proactive technologies to deal with this sort of thing.

I would also add an individual is in control of where they go on the 'net.

 

True, but while not lame, they are far, very far, from being bullet proof.

AV-comparative seems to be well respecetd here so I'll just point at the latest report they made
http://www.av-comparatives.org/

The average detection rate of all the AV fo new samples was 34%. Do you feel secure with that % of detection of new threats? Correct me if you think otherwise, but that test clearly shows that the strenght of today's heuritics/behavior based detections techniques is lacking. Even the best, scoring 71%, let passed a third of the sample base.

Try using that excuse on the manager to explain why a worm entered the network...


I work for an IT firm, we deal with lots of different environnement, depending on the client, and we see virus breakthrough here and there with up to date AV not seeing anything. Granted, this doesn't happen every day, but it still happens too often, and when the big boss come to you asking "Why wasn't it blocked? We pay tens of thousands of dollars in licenses for what should be the best corporate AV(according to study X made by group Y on day z)!!" And let me tell you, those words aren't said on a cheerful tone. And the only answer we can give them right now is "It might be the best(according to study X made by group Y on day z), but it wasn't good enough this time, uh? Heh, hmm, not funny you say..."

I am not bashing the AV companies, I know they work very hard to bridge the gap. But I agree to some degree that current AV technologies, that are still majorly based on signatures with somewhat poor to OK heuristics, are not good enough anymore, and having an AV running on every computers/servers sure isn't making us here feel any safer anymore. We've heard the promises of signatureless AV for years(5+) with nothing concrete to show yet, they just aren't reliable enough still.

Add to that that more and more sensitive informations make their way onto servers accessible remotely,instead of simple paper stored in a cabinet where they traditionally resided, and you know you want better protection than what is offered at the moment. In the dos days, someone would download something from a BBS and get infected by some virus that would make a pong ball appear on it's screen, or at worse, erase his floppy disk(that was before we had HD!) So an AV not doing it's job wasn't "too" bad. Today, with all your taxes reports on some federal agency server(s) an AV not doing it's job can be "very" bad for your life, even if you, personnaly, were never negligent or anything.

 

The same tester has results for KAV PDM against other HIP/Sandbox etc, tools. F-secure latest version offers something similar with their deep guard technology. Sophos has something new to offer as well. Look, I am not defending antivirus technology or companies. I am just saying they are very alive and kicking.

tD

 

In my opinion, people will always use AV's because they are the easiest way to protect their systems. Of course that user must learn how to avoid infections, choose an AV with very good detection rate, and have it always updated, and install a good Firewall, at least.

People wants the computers for work or play, and not to have a lot of annoying messages like HIPS programs have...

Behaviours Blockers, and few Sandbox's, are the next generation of programs to complement the AV's, and offer protection for users...