Antivirus is 'completely wasted money': Cisco CSO

Discussion in 'other anti-virus software' started by Macstorm, May 22, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
The answer is simple for the home user. For corporate entities it's a lot more dicey.

A good Virtual System preceded by known image backups should keep the system honorable enough and keep at bay potential intrusions meant to disrupt or otherwise carry out their other motives which don't belong to them.

    AV's are medium at best IMO at protecting, HIPS are even better but you must have someone at the helm at all times to make the decisions.
     
  2. 3xist

    3xist Guest

I believe a blacklisting & whitelisting approach (both in one AV product, or a HIPS, etc.) would be a strong point of protection.

    Some might have other ideas.

    3xist.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

AV reflects the reality of the past - that is, the world is good and you have baddies here and there, so you blacklist them.

This is not effective.

The policy should be to whitelist only select applications / file types - and then, only then, possibly use AV to scan TRUSTED files. No need to scan files you don't trust, right?

    The implementation for closed-source programs is more difficult. So much simpler for open-source. But let's talk about closed source.

    How can one make sure the user is safe using whitelisting, and we're talking people who have difficulty with double-click?

    The answer is - impossible. The computer is not meant to be a fun tool, for all our attempts. A complete rewrite is required.

    Still...

    The closest to practical functionality approach ... Again, we are assuming some basic trust here.

    1. Major vendor companies build a simple whitelist of the 80-90% most common apps. Realistically, a list of 100 apps would cut it for most people. Just think about it. This is the baseline.

2. The user then starts working, happy happy joy joy. And suddenly he feels an urge to install something.

    3. When he tries to execute the file, he gets a prompt telling him his application is not whitelisted (trusted). He then has an option to install, whatever the consequence. Second option is not to install. Third option is to send a feedback about this application to a community based center.

4. At the community based center, worldwide volunteers and even professionals from different companies overview the reported application. Everyone does their share. Some people simply vote if the app is good or not based on their skills. Others might try this app on a test machine and report the results.

    5. After a period of time, the user gets a feedback on his application and decides whether to trust the community report or not.

    That's it.

Now, how to make this even more workable? Well, customizable whitelists for advanced users. A virtualization layer built into the OS which allows temporary installs before committing to the real system.

    Lastly, a simple "heuristic" AV (no signatures), which can be used to scan the community-approved apps, should the user decide that the report he's received from the community is not satisfactory.

    Naturally, to make all this work, here are some additional tools:

    1024-bit digital signature for the apps.
    Built-in checksum utility that will check every community-based app.
    Optional - some sort of CA, but this opens a lane to potential abuse.

    This way, everyone wins - the AV vendors can continue developing their products, focusing on heuristics only instead of maintaining huge lists. The user has a centralized, community based repository that can help him decide if the app he wants to use is safe or not.

    Think about it. You wanna install yrrs.exe. You send a report about it and then within a day or so, you get 500-1,000 votes for yes and no, with additional comments, ideas, reports etc. More than most people have today except the vendor's reassurance that their 5-star product is malware free.

    Mrk
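The five-step scheme above (vendor baseline whitelist, prompt on an unknown file, community report, verdict, user decision) together with the "built-in checksum utility" can be sketched in code. The following is an added example written for this page, not the poster's code and not any real product: the executable images, the whitelist entries, the `CommunityCenter` class and the vote thresholds are all constructed for illustration, and the 1024-bit signature part of the proposal is left out.

```python
"""Hash-based application whitelist with a community verdict layer.

Added illustration of the whitelist scheme discussed in the post above
(baseline whitelist -> prompt on unknown file -> community report ->
user decision). Not the poster's code and not a real product; every
name and sample value here is constructed for the example.
"""
import hashlib
from collections import defaultdict


def checksum(file_bytes: bytes) -> str:
    """The 'built-in checksum utility': SHA-256 over the whole file image.
    Any change to the file, however small, yields a different digest."""
    return hashlib.sha256(file_bytes).hexdigest()


# Constructed stand-ins for executable images (not real programs).
TRUSTED_APP = b"MZ\x90\x00 constructed image of a well-known editor"
UNKNOWN_APP = b"MZ\x90\x00 constructed image of yrrs.exe"

# Step 1: vendor-supplied baseline of common applications, keyed by digest.
BASELINE_WHITELIST = {checksum(TRUSTED_APP): "editor.exe (constructed)"}


class CommunityCenter:
    """Steps 3-5: collects votes per file digest and issues a verdict."""

    def __init__(self, min_votes: int = 20, safe_share: float = 0.9,
                 malicious_share: float = 0.6):
        self.min_votes = min_votes          # votes needed before a verdict
        self.safe_share = safe_share        # fraction of 'safe' votes to allow
        self.malicious_share = malicious_share  # fraction of 'bad' votes to block
        self._votes = defaultdict(list)     # digest -> [(is_safe, comment), ...]

    def submit(self, digest: str) -> None:
        """Step 3, third option: open a report for this file (no votes yet)."""
        self._votes.setdefault(digest, [])

    def vote(self, digest: str, is_safe: bool, comment: str = "") -> None:
        """Step 4: a volunteer or professional records an opinion."""
        self._votes[digest].append((is_safe, comment))

    def verdict(self, digest: str) -> str:
        """'safe', 'malicious', 'pending' (too few or split votes) or 'unreported'."""
        if digest not in self._votes:
            return "unreported"
        votes = self._votes[digest]
        if len(votes) < self.min_votes:
            return "pending"
        safe = sum(1 for is_safe, _ in votes if is_safe) / len(votes)
        if safe >= self.safe_share:
            return "safe"
        if 1 - safe >= self.malicious_share:
            return "malicious"
        return "pending"  # split opinion: the decision stays with the user


def decide(file_bytes: bytes, whitelist: dict, center: CommunityCenter) -> str:
    """Decision for an execution attempt (step 3).

    'allow'  - digest is on the baseline whitelist or community-rated safe
    'block'  - community-rated malicious
    'prompt' - unknown or undecided: user chooses install / decline / report
    """
    digest = checksum(file_bytes)
    if digest in whitelist:
        return "allow"
    verdict = center.verdict(digest)
    if verdict == "safe":
        return "allow"
    if verdict == "malicious":
        return "block"
    return "prompt"


if __name__ == "__main__":
    center = CommunityCenter(min_votes=5)
    print(decide(TRUSTED_APP, BASELINE_WHITELIST, center))   # allow
    print(decide(UNKNOWN_APP, BASELINE_WHITELIST, center))   # prompt
    d = checksum(UNKNOWN_APP)
    center.submit(d)
    for _ in range(5):
        center.vote(d, is_safe=False, comment="test VM run: altered startup entries")
    print(decide(UNKNOWN_APP, BASELINE_WHITELIST, center))   # block
    # A single appended byte is no longer the whitelisted image.
    print(decide(TRUSTED_APP + b"\x00", BASELINE_WHITELIST, center))  # prompt
```

The whole-file digest is what makes the baseline trustworthy: a patched or trojaned copy of a whitelisted program falls out of the whitelist and lands at the prompt, which is exactly the point at which the community report is meant to kick in. The thresholds (`min_votes`, `safe_share`, `malicious_share`) are where an operator would tune how much community evidence is needed before the user is no longer asked.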
     
  4. Bluenile

    Bluenile Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    122
    Location:
    UK
    How come the likes of Avira and Kaspersky regularly score in the high 90% in AV-Comparatives if they're so useless?
     
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
Right on! And not just 90%! In the Feb 2008 comparatives, almost every single AV scored over 95%, so I don't understand why people like this Cisco guy make such comments! Statistically speaking, getting really infected is highly improbable! With Avira you are 99.6% protected, so go figure!

    http://www.av-comparatives.org

Honestly, myself, I can't understand why people are afraid of infections or why they torture themselves with HIPS and virtualization, when all you need to be almost 100% safe is a 1st tier AV.

Maybe Cisco is thinking of selling HIPS or behaviour blockers in the future so they slander AVs? In the last years, there is an orchestrated attack on AVs by various circles, which coincides with the appearance on the market of "alternative" protection methods, which, CLEARLY, according to avcomparatives, are completely useless (especially if you have to pay for them). Yet, these new programs have to sell too. So they organize a slander campaign against AVs, claiming (hear, hear!) that AVs aren't competent enough to do their job! Yet, I challenge you to find many products in everyday life that can take pride in scoring 99.6% efficiency as many AV tests prove!

A good AV and a firewall is all you need. The rest is wasted money. Yeah, admitted, you can be that extremely unlucky guy that encounters that 0.4% of undetected malware, but hey, you can be hit by a meteorite or space junk while walking too.

That Cisco guy has a hidden agenda, I'm sure. :D

Heck, I don't have a 99.6% certainty that I won't get killed when driving, and yet some people complain about AVs because they only give you such a "low" percentage! :ninja: Unbelievable!

    :D
     
    Last edited by a moderator: May 25, 2008
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782

No AV here and I feel quite secure. Even more so than when I ran an AV in real time. :D

With what is in my sig and a weekly scan with DrWeb CureIt as well as Malwarebytes AntiMalware and maybe SAS I do not worry. None has found anything with this setup anyway. The scans are for reassurance only.

    I'm not saying that AV's are a complete waste of money for everyone.
    But it would be for me. :D
     
    Last edited by a moderator: May 25, 2008
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I will say it they have become a total waste of frigging money.
     
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
But, but, but... Don't you read AV tests in magazines and on the internet? What more proof do you need that an AV is virtually perfect?!!

    This is just a ploy to make you pay money for virtualization, HIPS and the like when the average Joe is pretty much invulnerable with just an AV.

    :argh:
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
I agree, but to a point. I would go so far that with a little common sense, a weekly scan of CureIt would suffice with nothing else. Remember a while back about the dude who wrote about how he used Prevx :cautious: and nothing else for a year, and never got infected. I bet that same "Joe" could have used SAS and gotten the same results based on his PC habits.
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
With common sense and safe surfing habits, one can take the risk to stay without AV too. But what I say is that AV tests prove that even an unsafe surfer is virtually invulnerable to malware when having a top tier AV. I mean, in 100 viruses, his AV will catch 99! Most probably, in one year, one won't see 100 viruses at all. So, an AV is plenty for protection with a very high margin of safety.

    :argh:

    Thank God for the AV tests! Otherwise we would have to believe what a Cisco guy is saying. Ok, you may ask why so many people get actually infected everyday while running their super duper AV. Well, one CAN get unlucky and encounter that 0.4-1% that his AV will miss, but that's no argument against the AVs!

    :D
     
  11. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    First, only links to the main site of AV-C are working. o_O

Second, you deduce your statistical reflection from the wrong test.
AV real life protection has much more to do with AV-C's "Retrospective/ProActive Test" than with their "On-demand comparative" test.
    Most malware doesn't bypass AVs because of their detection of yesterday's threats.
    Most malware bypasses AVs because of their lack of detection of today's threats.
    AVs blacklisting is always behind the threats by design.

    Cheers
     
    Last edited by a moderator: May 25, 2008
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
Dear Subset, my opinion on AVs is that they are full of holes and that AV tests are only good for marketing, promoting X or Y product, according to certain interests. You can see this more clearly in the PC magazines, where each tends to have the same "top AVs" all the time over the years. I just couldn't resist using a subtle sarcasm when I read about AV tests as a proof of why the Cisco guy is wrong.

I only run AV for placebo effects and because I like clicking on "update now". Most of the times I had encountered a malware, my AV missed it. Same happens to a friend of mine who gets infected every month, no matter which AV he runs. I don't know if he encounters "zero day threats" all the time, or variants that the AV's heuristics don't recognize; fact is, that in real life, the AV tests that are in magazines each month aren't worth the paper they are written on. At least for the customer, that is. Because for the vendors and the magazines they are worth $$$.

Last time he got infected he phoned me because his PC was acting weirdly, and the 2 AVs didn't find it. It was Threatfire that nailed it... I wonder, how many days after the infection are zero day threats still "zero-day"? Because he was having problems for about 2 weeks before phoning me. I guess in tests they use malware one year old, so all the fellas can get over 90% and can all be happy and make some $$$ and come back for the next happy testing.

    :D
     
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I don't care about statistics. After seeing my previous AV (1st tier according to EVERY test out there and almost everybody around here) being bypassed more than once by malware, and cleaning completely hosed PC's from friends and relatives with (according to av-comparatives) ADVANCED or ADVANCED+ AV's, I decided that AV, indeed, was wasted money (at least for me).
    Changed my approach, and now I live 100% clean, for (almost) free and my PC light as a feather!

    I know that with 95+% it should be almost impossible to get infected, but I see it quite often...
     
    Last edited: May 25, 2008
  14. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    :thumb: I couldn't have said it better myself.

My first criterion nowadays for AV is for it to be light and free. Because it isn't worth either the CPU cycles or the money for a product that might have to kick in once a year for my habits, and most probably miss that one time too. :D
     
  15. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    I don't understand why people keep expecting 100% protection from AV's... :rolleyes:

    For the general public AV's certainly DO provide protection. But because it isn't a 100% protection, it shouldn't be your only line of defense.

    Also whitelisting doesn't provide 100% protection, because it's possible to whitelist malicious programs. This is even more true for people who are not computer techs, like grandma...

    Virtualization also doesn't provide 100% protection, because if you visit your favorite malicious website while using a full virtual copy of your OS, keyloggers for example can still transmit passwords and the keylogger will keep active until you restart your computer to close your virtual session.

HIPS, while very powerful, also require considerable computer knowledge to be certain what you can allow or should block. If grandma just clicks "allow" on every prompt she gets, then you might as well throw her computer out of the window, because HIPS isn't gonna protect her.
     
  16. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Seems like the common theme is that nothing is perfect.

    Recently, I found out a friend had been using his gf's laptop for over a year with no firewall, AV or anything else. I thought it was going to be a 'gold mine', so I ran prevx CSI, cureit, SAS, installed threatfire, ran the scanner...eventually found nothing. Not even a tracking cookie. He kept ThreatFire and the $10 I bet his system was chock full of viruses and spyware.

    While another friend didn't even know if she had any AV installed. o_O Now that had every top ten threat installed. That was fun! :)

All depends on the user's behaviour (programs/games installed/file sharing) and browsing habits. Some people will most likely not need anything. Others need various layers of security.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't use AV/AS/AT/AK/AR/...-scanners anymore as a daily protection.
    After six months without them, I ran every big scanner as a test, they didn't detect anything, except f/p's like ShadowProtect, Anti-Executable and a few others.
    It's very hard for a scanner to detect something in a clean system partition and that's what I have after each reboot.
    I don't say my security is perfect yet, but I certainly have a perfect recovery solution (IB + ISR).
    No malware is able to survive my recovery, not even the worst like Rustock.C, rootkits, Invisible Things and unborn malwares of the future.
I don't even backup/restore my actual system partition (Windows + Applications) anymore, because it might be infected due to failures of my security software. Instead of that I replace my old system partition with a new fresh upgraded system partition, much safer and less stupid. :)
     
    Last edited: May 25, 2008
  18. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
Antiviruses are nothing else for computers than what seatbelts, ABS and airbags are for a car. They provide protection but you CANNOT ever expect them to provide 100% protection. Even if all of them work perfectly fine you can still get killed in a car accident. Same goes for computers. Even if they work fine and are updated, something can get past their defenses.
     
  19. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
And that's kinda my problem with this kind of security: you can get infected with malware, but it's not going to survive after you reboot. But during your online sessions malware certainly can do its harm, maybe not in the sense of damaging your system, but more in the privacy section. What is going to stop malware transmitting all kinds of stuff over the internet? Your malware may be completely purged after you reboot... but what protects you between reboots?
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
:thumbd: the same thing that protected me for 3 years between reboots and with using a scanner that never found anything. I mean, come on folks, in 3 years, one keylogger here. Can I get a two? Yep, one keylogger. So just what was my AV protecting me from, all 12 I went through? Nope, I will never buy that crap anymore. If you need something quicker before you reboot, use Sandboxie with Returnil, use SafeSpace by itself, but don't think an AV or a suite is going to safeguard your lockbox at your bank.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
I still use security software, just like anybody else, but no blacklist scanners anymore; I use a different type of security. Scanners require too much time to run and they are incomplete, unless you believe their message "0 threats found" to make you feel comfortable in your head. :)
     
  22. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Erik,

    I'm going to have to take you to task here.

    Guess what - approaches to security not based on an AV are not structurally "much safer and less stupid" as you explicitly state.

    There are both smarter and less smart ways to employ an AV, as there are both smarter and less smart ways to employ a reboot/restore methodology. Your own posts here explicitly note a level of AV-based system scanning that certainly exceeds my own many fold over, despite your protestations of not relying on an AV. Spare me your "just making sure" protestations. The fact is, your scheme is not necessarily much safer. It can be under certain conditions, but many users don't meet those constraints. It can also be a lot less stable under some other circumstances.

    There are lots of ways to achieve the same end. You choose to focus on the path, not the goal. Ultimately, that's a losing and naive focus.

    As for the thread subject, we should probably reexamine what was originally said (emphasis added by me):
    That's a pretty simple statement, with a very important "if" as the lead off.

It's not that AV's are a waste of money outright, but that if you employ any effort to achieve X and you don't achieve X, then what you are doing is not worth the effort (time/money). In the specific case considered - the corporate environment - an AV should be just one part of a much larger scheme to control machine and local network integrity. Casually looking at the effort expended to create a secure environment on the corporate network on which I sit, I don't even see where an AV dominates the total per seat cost when all factors are adequately included. Most large corporate groups will employ tightly defined user groups and software restriction policies to carry most of the task. If the application base becomes somewhat diverse, and in some corporate areas (R&D for example) this will happen by necessity, one can actually expend substantially more effort managing the application configuration and software policies than corporate AV installations. It's almost as though the Cisco speaker assumed a homogeneous application base, which is generally most applicable to pure office communication centers. That misses a large fraction of the populace.

In a smaller organization which does not have a dedicated IT group, an OS level configuration approach might not work. However, one can readily appeal to approaches based on third party applications (AntiExecutable by Faronics would be an example) to accomplish close to the same end state without additional support required.

    It was noted above that
    Operationally, users scan files to confirm trust in them. They really don't do it to scan files that are known to be trusted or untrusted (OK - I don't, and perhaps nobody else approaches it this way) except that it is oftentimes easier to scan everything.

    If one does not employ a signature scanner as at least a rudimentary determinant of trust, precisely what do you folks do? Do you disassemble the executables?

    Blue
     
  23. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    Can you explain something to me?

Suppose I use Sandboxie, and unknowingly I visit a malicious website which installs a keylogger. The keylogger is trapped in the sandbox; then, using that same sandboxed browser with the trapped keylogger I didn't know about, I'm going to do some online shopping with my credit card. But since the keylogger is also still trapped in the same sandbox.... how safe am I from the keylogger still transmitting my credit card data back to the malicious website if I don't purge my sandbox first?
     
    Last edited: May 25, 2008
  24. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
That is a good setup as long as you don't change anything (install software for example). I am also one of them who doesn't care much about malware (using limited account and SRP) anymore. I feel I have the same security as you, not perfect but suitable for me. But I feel the only entry point is when I install software, and I do that a lot; that is one situation where an AV comes in handy. Maybe it doesn't find the zero day threats but the likelihood for me to encounter them is so small anyway so I don't care.
As denniz points out, your [theoretical] weakness, if you install and execute new stuff, is the time between reboots. But I guess you, like me (one who hasn't encountered malware for many years), make your calculations of the likelihood.
     
  25. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
It's simple. All you need is 5 seconds and common sense. You have Sandboxie in "autodelete sandbox on exit". So, before doing anything important, like using a credit card, just close the browser, the sandbox will be automatically flushed, open the browser again, and you can be sure that the system is clean. It takes 5 seconds. On the other hand, if your AV has missed the keylogger (I know, highly unlikely, but let's say one in a million it happens :) ), there is nothing you can do that will make the transaction safe, other than praying that your AV has nailed every malware on your PC.
     
    Last edited: May 25, 2008