AV's Useless?

Discussion in 'other anti-virus software' started by whitedragon551, Aug 7, 2012.

Thread Status:
Not open for further replies.
  1. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
  2. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Well, the article clearly states that AV would be useless when dealing with... MILITARY malware.

    By that, I understand that it's not "common malware" [the kind we find every day at MDL or malc0de] such as fake AV's or TDSS.

    It's malware that is much more sophisticated. The kind of malware designed to collapse a whole country's infrastructure, etc.

    Against that kind of malware, there is no AV that can deal with it.

    Stuxnet was a lively example of this.


    Carlos
     
  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    No, they're not useless; they serve a purpose when used properly and for people who care about security and take proper precautions. Swim in shark-infested waters and your chances of being bitten increase. As far as unknown malware goes, that's where heuristics are supposed to come into play, but unfortunately heuristics don't always work well, and if there is no generic detection then it's a problem.
     
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Interesting article, and it was not extremely long like other articles. Personally I still consider AV's essential; it might not protect you from those "Super Malware" or "Government Malware" as the article calls it, but they still protect you from most common malware that is around the internet, and even if they are not those super malware they can still screw you up. (Keyloggers etc) :D
     
  5. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    Give it a rest o_O I doubt very much anyone here is into Espionage :ninja:
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The only thing necessary to bypass an AV is being different. Your malware sample doesn't have to be 'better' or 'special' (obviously it still helps to use a new technique); it just has to be new and not related to any current malware families out there that have generic heuristic signatures already.
     
  7. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Sorry but all the bragging about AV's being useless is one big massive pile of rubbish nonsense.

    Do airbags provide 100% protection during a car crash? No.
    Do kevlar vests provide 100% protection against bullets? No.
    Do vaccines provide 100% immunity to diseases? No.
    Do car/house alarms and door locks provide 100% safety for your property? No.

    You can still get killed despite airbags deploying properly during a car crash, a kevlar vest doesn't help you much if they shoot you between the eyes, you can still get ill because vaccines don't protect you against all strains of a disease (common flu for example has a bunch of strains and the vaccines only cover the most common ones predicted for the season). And no car, house alarm or lock will prevent a crafty thief from stealing your stuff. It may keep away random opportunists, but if anyone decides to steal something from you, he/she probably will. It's just a matter of time and preparation.

    So why the heck should antivirus software be treated any differently? Is software some very special case that just doesn't apply to the success/failure ratio of the above examples? The question here is, why do users expect AV software to perform with 100% accuracy and 0% failure when nothing on this planet does that? People constantly brag about common sense, but they apparently have none for this case...

    Antivirus software, despite not being 100%, still provides an elevated level of protection to the users. What is better, to have a 100% chance of being infected or just a 30% chance of getting infected? Because when your life depends on just a 30% chance of survival, you still hold on to it despite it being a small number. But when AV provides similar numbers, they all say meh, it's not relevant. It's not relevant my bottom. If it's a smaller chance of getting infected, every user should take it. And that's the whole purpose of antivirus software: to make the chance of getting infected smaller.
     
  8. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    It serves two points very well -

    1) To diminish the attitude that AV's are enough security in themselves.

    If you're here at Wilders you don't have that viewpoint, and you're serious about security....probably because of direct experience with infections.

    But that's the view, IMO, of the mums and dads that buy a computer from a local electrical store. "Buy NIS, KIS or what have you and you're good to go," says the salesman.

    If that article, and others like it, could get out more and more to the general population -and to the computer salesmen that sell this sassafras ..so much the better for everyone....users and developers alike.

    2) To make users question how vulnerable is their OS underlying this AV 'vest'.
    The use of windows 'hardening', etc is well covered elsewhere...so, going to the other side of the coin...

    Is it time to ditch Windows?...Is it time to ditch Linux?....

    There is promising work being done on what may prove to be the world's most secure OS by Joanna Rutkowska, CEO of "Invisible Things Lab" .
    see here...... http://qubes-os.org/Home.html

    lotuseclat79 posted here at Wilders [2 May 2011] this article about AV's and Qubes...
    http://www.flaviostechnotalk.com/2011/05/01/is-there-a-blue-pill-for-qubes-os/

    Tom's posting......
    https://www.wilderssecurity.com/showthread.php?t=298409&highlight=qubes

    thanks lotuseclat79.

    I post point 2 not to detract from the original post on AV's....but only that the question has a far reaching answer...

    cheers
    feandur
     
  9. On-access AVs aren't useless; they're just a ridiculous strategy, and the fact that they sometimes (or even frequently) work should not convince people that they're not ridiculous.

    Examining each executable to make sure it's not malicious, sifting through program memory for stuff that looks like a virus, etc. poses inherent problems of scalability. You're always playing catch-up with the latest malware, and always needing more CPU cycles to get the job done. It's better to have more generic solutions.

    (Anyone notice how absurdly effective Sandboxie is against just about everything? That's the power of doing things correctly.)
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Yep, some of us have noticed that.
    It sure does provide a user with peace of mind, and it makes any AV look better. ;)
     
  11. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    187
    Location:
    Bangladesh
    However, the article is interesting.
     
  12. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    No kidding, they are playing catchup. Really? I never thought you could predict future events with 100% precision and thus be a step ahead of someone who initiates these events in the first place. :rolleyes: It's just physically impossible unless you can warp time and space, which to my knowledge we still cannot do...

    Cops are also playing catchup with criminals because, importantly, someone needs to first commit a crime for cops to react. Should we just get rid of the cops then because they are constantly playing catchup? From what I see people just don't get it. And no offence meant, but some of such people are also present in this very thread.

    A malware writer makes malware. The antivirus software company reacts and tries to make the malware writer's life harder. The malware writer makes new malware that tries to bypass the antivirus software. The antivirus software makers react again, etc etc. It's impossible for antivirus software makers to 100% accurately predict what malware writers will make. They can try by following the trends, thinking like malware writers and making detections in AV's that can detect stuff based on these predictions. But these are nothing but predictions, which are statistically as good as just playing the "good old" catch-up game. They don't really 100% prevent anything, they just lower the chance of getting infected, meaning it's still a catch-up game going on. It is how it is and no one can ever change that. But we also can't just blindly say AV's are useless because of that. They do their job rather well in fact, and anyone following this segment knows they've come a very long way from raw string scanners to global networks of sensors and modules with algorithms, mechanisms and all sorts of advanced tech to provide good levels of protection. It's still not 100% (like I repeat, nothing is and never will be) but having a 50% lower chance of getting infected is still ALWAYS better than having a 100% chance of getting infected. It's a simple math thing.
     
  13. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    AVs are far from useless. Average users only use an AV or suite. If it only blocks 90% of malware, that's still better than the 0% from not using an AV at all.
     
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I don't see anyone in here expecting their AV's to shoot down 100% of samples. The thing is though, you can protect against that 99% without using an AV at all, using other (preventative) means.

    Sandboxing/virtualization is the "kevlar vest" in your equation. LUA/restrictions the "alarm system". A clean image your "shark bite suit"... okay, that was another poster, but you get the point.

    The AV is a harpoon gun, used only as a last resort if you're dumb enough to swim around with the sharks without a cage or the suit (this is where said common sense comes into play)...
     
  15. DX2

    DX2 Guest

    I think the best solution against stuff like this is to make sure you have a backup of everything that is important to you on either dvds or external hd's. But to be AVless is ridiculous....
     
  16. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Wasting resources and putting unnecessary wear & tear on your hard drive is ridiculous. And if you can remain malware free without an AV, it is unnecessary.
     
  17. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    what a brilliant post :thumb:
     
  18. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    AV's still have their place..nothing is 100%. Everything just minimizes the risk and an AV is no different. Also, for the most part AV's are automatic and user friendly, and that's a huge pro.
     
  19. Jim1cor13

    Jim1cor13 Registered Member

    Joined:
    Aug 4, 2012
    Posts:
    544
    Location:
    US
    Interesting thread. A lot of good comments. It could be said, the best "protection" is to never connect to the internet, i.e., never go online. That would reduce the chance for any infection other than an existing one via an infected device, USB stick/drive, etc.

    This is not reality, we all go online, so a decent AV of course is necessary, but will never be 'foolproof' because it cannot be. Malware is ever changing, and the best forethought will never be able to catch it all, but having protection is a must *if* one must connect to the internet, receive email, browse web sites, etc.

    Maybe the key is to have a virtual environment in addition to AV protection, and this is where modern computing is likely headed; it is already available via certain programs, but even with this, isn't it obvious that at some point a virtual environment will also become penetrable? Would it be prudent to discard the use of Windows? In many cases yes. Use Linux, sure, safer for now...but it will not remain 'safe'. Whatever is the most popular OS becomes the target, whatever is the most popular browser becomes a target, or name any app that can be violated. No easy answer, other than stay protected as best as possible, understanding it will never be 100% foolproof because the industry is always playing catch up, but AV protection has improved.

    Bottom line: AV is necessary, along with responsible internet and computing habits. Even then, either the application fails at some point, or we fail to maintain habits that at least lessen the chance for a severe encounter with any malware. That happens when we "believe" we are as secure as we can be only to find out at some point there will always be a weakness that can be exploited no matter how good we think our set up is.

    I only know of one way to guarantee 100% protection, and that would be to never turn on the computer or connect to the internet. LOL. Seeing how that will not happen unless the internet fails at some point, it is obvious a decent AV/AM solution is all we can do, while understanding no computing is 100% safe apart from leaving the computer turned off.

    Just my thoughts. :)
     
  20. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I agree with RejZor on this.

    To completely disregard AVs because they don't offer 100% detection/protection is akin to throwing the baby out with the bathwater. Even if they only offer 50 or 60% protection, that's 50-60% of malware that won't trouble you. The key is what you do to protect/mitigate against the other 40-50%.
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    AVs are useful for catching known malicious code. They are much less effective against new and unknown malware. Malware creation tools have definitely reduced their effectiveness. IMO, the concept behind AVs is flawed. Intercepting known malicious code was fine when there were only a few of them. At present and including variants, the quantity is going into the millions. Potentially, the number is infinite. The detection databases are already many megabytes in size and growing rapidly. They're using a lot more disk space and memory than they did in the past to perform the same job, but are not any more effective than they were.

    AVs have their place. They're fine for scanning new files and downloads for known threats but are not sufficient as a front line or primary defense. Regarding your security setup, more than anything else, the cost of failure has gone way up. Malware used to be an annoyance. Now it's a thief, a spy, a pawn in someone else's war, a means of extorting ransom, a means to frame you or make you criminally liable (being used as someone's porn server) or worse. It's difficult, and working towards nearly impossible, to remove.
    No to both. What needs to change is the policies and attitudes regarding their use. Until recently, Windows was a security disaster when used with its default settings and by casual users.
    Unlearned users+default permit+default administrator=disaster waiting to happen.
    Windows is gradually addressing the administrator-as-default problem, but the two biggest problems remain. As long as Windows can be modified or installed to by users who don't understand or don't care about what they're doing, the problem will remain. The obvious solutions are not acceptable to most users. They won't be told that they have to learn, and they won't accept not being in charge of their own PCs. That leaves the next most viable option as containment: SandBoxie and/or virtual systems. For the masses, there are no simple answers. For the kind of users you find here, there are good options that are very effective on all versions of Windows.

    Regarding government malware, don't expect AVs to detect it, even if they can. They're caught between a rock and a hard place on this issue. If for some reason you need a system that's resistant to gov't malware, you're going to have to select, equip, and configure your system from the ground up with that purpose in mind, then be very selective about when and how you use it. No casual use system will suffice here. It will need to take default-deny to the extreme.
     
    Last edited: Aug 8, 2012
  22. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I don't see why this keeps being used as a crutch to justify your stance. Once again, nobody is stating that they expect this to be the case.

    People are disregarding real-time AV's because they can remain uncompromised without them. This makes our setups lighter, is easier on our hardware, and can actually decrease our attack surface in the process.

    If you're unable to keep your box clean without one, then by all means continue to depend on (the outdated philosophy of) blacklisting instead.

    It really is that simple.
     
  23. DX2

    DX2 Guest

    How can not having an AV decrease our attack surface?
     
  24. m0unds

    m0unds Guest

    if AVs were a commonly exploited infection vector, it could ;)
     
  25. DX2

    DX2 Guest

    ah ok :) still learning.
     