How many viruses are made by anti-virus companies?

seeing as how i was once contacted by a representative of an AV company looking for assistance getting a particularly vocal virus writer put behind bars, i can assure you they don't reward malware coders - at least not the way you're thinking.

that being said, mcafee's partnership with hbgary (in light of the revelation that hbgary wrote and sold malware to the government for large sums of money) could arguably be called a kind of reward for malware coders. i rather doubt the partnership was actually given to them in return for writing malware code, however.

frankly, the broader security community is more likely to reward people for writing some novel bit of malware. the reward in that case, however, is usually respect, social status, fame, etc. they like to call those people researchers.

 

kwismer -

The majority of my post was tongue in cheek as I don't believe there is a conspiracy going on.

But it is fun to wonder how the corporate AV industry really views malware.

 

These criminals have no problem destroying the credit of millions of innocent people, what do you think they would do with a paper trail linking them to an AV company? There would be an extortion letter sent out about 5 seconds after the first payment was received.

Either ethics or impossible to balance cost:benefit analysis prevent this from ever happening.

 

Regardless of the accusations of corporate induced malware, antivirus as sole security method is dead.

If a salesman from a major name-brand antivirus company comes up to you and says “All your Windows protection lies within the walls of our software” and you believe it….

….that’s when two fools just met.

 

Easy answer. Just think about it. With the huge flood of new malware families (not only unique samples) every day, there is no financial benefit to detect just 1 additional malware family. Nobody would care. No way to get additional customers. Actually, the AV companies would be happy if there would be LESS new malware every day.

But that's something people seem to like to believe and no matter what you tell them, they keep coming up with that myth that AV creates their own viruses.
As they do like to believe that most of the AV programs today still only use plain signatures for detection.

 

y'know what i wish was dead? the idea that anti-virus was just a single technology. there's already a word for that one single technology people mean when they erroneously use "anti-virus", it's "known malware scanning".

anti-virus includes many different technologies. every technology that can be used to prevent or detect virus infection is anti-virus. it amazes me that people have never heard of an anti-virus suite - especially since they date back to the early 90's.

 

Kurt,

I was referring to the traditional corporate 'add-on' solution as a cure-all.

 

Can you elaborate? Because you can google "antivirus" and you'll get things like Avast! or Avira or MSE. All of which are "dead tech."

 

Seriously? Avira has at least a behaviour blocker in the paid versions (although I don't know how well it works), Avast! has an automatic sandbox in all versions (and a manual one in the paid versions), Avast! also has a behaviour blocker etc. in addition to them both having very good detection. Far from "dead tech" IMO.

About the subject, I think the dozens of thousands of malware samples keep the security companies busy enough without them having time or need for developing their own malware. It also wouldn't be worth the risk of getting noticed.

 

Heuristics/ behavioral blockers are nice but they're still

1) Assuming you have malware
2) Detection and not prevention

Sandboxing in Avast! is very nice. It's features like that that are why AV's are still around, because if they were still just basic blacklists they'd be terrible lines of defense.

 

Nice read and tons of links here:

http://en.wikipedia.org/wiki/Computer_virus

Gerard

 

oooOOOooo. "solution" - that's another thing i wish would die.

security "solution"s don't solve security problems. at best they solve business problems (maybe). "solution" is both one of the most ubiquitous and misleading terms out there.

 

So at this point what's bothering you is semantics?

 

the first anti-virus is nothing like what people think of when they use the term anti-virus today. scanning, integrity checking, behaviour blocking, sandboxing, etc. are all anti-virus - they just don't get marketed that way because the public has come to expect anti-virus only means scanner.

i think it's you who needs to elaborate, though - specifically on the meaning of "dead tech".

most of the time when people say AV is dead, they're specifically referring to the practice of relying exclusively on known-malware scanning. the technology is still plenty useful.

these two points make me suspect that you are using the tools wrong. detecting that an object is malware before it has a chance to run is most definitely prevention.

"basic blacklists" is a gross oversimplification. no scanner is just a basic blacklist anymore - and that's ignoring heuristic engines and behaviour blocking, which you just lumped into the mix.

neither heuristics nor behaviour blocking qualify as "basic", and behaviour blocking isn't even necessarily blacklist-based. not only is it possible to implement behaviour blocking in whitelist mode, but since application whitelists are basically the degenerate case of behaviour blockers (they block exactly 1 behaviour - execution), whitelist behaviour blockers are rather well known (even if they aren't recognized for what they are).

 

no, what's bothering me is a lie that's been repeated so many times over the past 20+ years that our very language is steeped with terms and phrases that convey false hope in fictitious things.

 

Hungry Man, maybe you could enlighten us and tell which security technology is real malware prevention according to your point of view?

And what is the difference between "detection" (before a malware gets executed) and "prevention"?

 

Although I'm sure this is plausable...no reputable AV company would consider doing this.

I do wonder how so many strains of malware can be produced everyday?

Regards

BenMar

 

server-side polymorphism. the strains are generated algorithmically. sometimes a new strain is generated every few hours or minutes or seconds, sometimes a different strain is generated for each IP address that connects to the server handing out the malware, sometimes it's a different strain for every connection.

 

Thank you for your insightful reply.

BenMar

 

Really? What does that mean? You don't like to create solutions? I viewed your interview from the Panda Security Summit. You were wonderful!

 

Hello Stefan!

It's an honor, sir.

Could you enlighten us and tell which security technology is real malware prevention according to your point of view?

And what is the difference between "detection" (before a malware gets executed) and "prevention"?

 

Dead tech? I am really interested in what the current "in-tech" is for computer security then. Because when I talk to even the least techie person I know they know they should always have an antivirus program installed like the ones you mentioned.

Also AV companies are not just standing still as the malware comes in, I doubt any of the well known AV vendors rely on blacklisting only. I think a majority of people just call it scanner because that's how they started. Most of the time the "scanners" include cloud tech, behavior blocking, code emulation, generic signatures, and heuristics. None of those are near "basic" and the computer security engines keep on advancing.

@FlimFlam

I am not Stefan and no where as near as much experience I'd like to comment on the question:

And what is the difference between "detection" (before a malware gets executed) and "prevention"?

The way I view it is that detection is that it means the file is detected before the file is executed. Say I download a file x.exe my AV would popup and say it detected the file as trojan.randomname.abc. Now if my AV did not "detect it" when I executed it but the behavior blocked stopped it from preforming malware behavior and then killed the file I would have said it prevented the infection. Now that's just how I have viewed it, most likely their is a different way to describe it.

 

How about not deflecting the question asked you.
You're throwing charges around, so answer him please.

 

Judge Dee, your honor, I apologize for asking the question. If the court will permit, I'd like to ask the defendant the question again, if I may.

Stefan Kurtzhals,

Could you enlighten us and tell which security technology is real malware prevention according to your point of view?

And what is the difference between "detection" (before a malware gets executed) and "prevention"?

 

You're forgetting about real-time scanning, download/website blocking, sandboxing, and whitelisting.

Those 2 questions were aimed at Hungry Man, not anyone else.