Paranoid = $$$

Hello,

Recently, I have across a very troublesome phenomenon.
Some security companies are trying to increase their sales by increasing paranoia. They simply, blatantly spread fear.

I will not go into details, but some of the typical avenues of self promotions are:

An extreme quantity of false positives - on purpose or through bad engineering, people get alarming reports about high and critical threats, when in fact nothing or just legitimate programs are being flagged. Average and unknowing users start to panic at this point.
Downgrading of counterparts - your anti-virus, your anti-spyware, your .... will not protect you from ... blah blah ... in other words, telling people that all their investments mean nothing, only this completely new product will protect them.
Rootkits everywhere - virii or spyware are no longer chic, it's time to frighten people with rootkits. Today, almost everyone is running 5 anti-rootkits to try to detect ghost threats and then start to panic when legitimate function calls and handles are flagged. Normal and functioning computers suddenyl become foul monsters full of roots.

And the list goes on.

I think this is ugly. I think this is unfair. I could like this sort of self-promotion:

We think we are better than the competitors, why don't you give us a try, you won't be disappointed.

But I can't stand the classic panic method:

Your anti-virus won't stop -1 day and 0 day attacks. Your browsers leaks information. You can get rootkits by just ..... Use our product and you will be safe. Click below for a free demonstration to see how your all other products mean jack ... And now install our product and see how well it stops the exploit we built ourselves. Works like magic eh?

I have encoutered this with at least 5-6 products, all of which seem to be considered at least reputable.

I think the rogue list should have a sub-category - not quite evil but neither quite honest. In other words, probably won't do any harm, but won't do any extra good and you will not feel any better.

What do you think about panic-ware?

Mrk

 

It is all about money, although all aplications (except firewall) are mostly useless, people are forced by companies to use as many of them as possible to get feelling, that they are protected. They claim, that every PC should have AntiVirus, AntiSpyware, AntiTrojan, AntiRookit, and just to make it safer it is also neccessary to have HIPS, Proxy, and etc. Simply put, if you do not run at least 5 aplications to protect your PC, you can not be safe. I saw many users, who have many aplications running realtime and they are still looking for new.

 

I have noticed that too, in fact I have been one of those that have had overlapping programs. Some are using multiple condoms, so to speak, and then they wonder why they have unexplainable conflicts
The good thing about having been paranoid is that I have learnt that it is really, I mean really hard, for me at least, to get infected with anything. I still have HIPS but it is mostly to learn how programs behave, but it also gives a peace of mind. I can do what ever I want, I can go to those porn and crack sites if I want to without having to worry about something sneaking in behind my back.

Sure I test new HIPS occasionally, not so much for being paranoid but to learn about security and thereby I learn about how the computer, or rather the operating system works.

 

So I have a license for Spy Sweeper, and of course the new 5.0 came out of beta this week. So when you click on the "View Spy News" on the home tab here is a selection of the text:

So are they saying their competitors products won't protect the user or are they saying that previous versions of their own software are rubbish? At any rate I'd say this is typical industry FUD.

 

Fear is an excellent marketing tool and has been used to sell just about everything.
Exaggerating threats and playing on people's fear to boost sales is not ethical.
Security tools do have their place, and it is up to each of us to decide what security level and measures are appropriate for the data we wish to protect and the reality of the threats to that data. This can become clearer to each of us through open discussion of the threats and their remedies at places like Wilders.

 

Normally all alarm bells will ringing here reading such things.

Gerard

 

exactly! .. but still SpySweeper is doing one of the best jobs there is regarding spyware removal, detection and lately their on-access scanner (realtime) is doing a good job better then before ..

but I hear you! with such commercial lines like that .. things look like they need to be investigated

I don't think SpySweeper is one of the baddest and honestly, I truely think it has the best on demand scanner on the planet (I'm not talking about general antimalware SUITES like Ewido and A2) .. off course Webroot states that they"ll nail trojans too but that is not their aim I think ..

 

If there were no security forums, many of these applications wouldn't be around, this is their market.

 

LOL:

Afraid to ask

FUD

Ruthless, terrifying, "advertorials" with strong overtones of emotional blackmail was pioneered by drug companies decades ago and backed up by vigorous end point push marketing ,with incentives, (to the doctors ) marketing.

It has taken years of work by dedicated individuals up against ruthless amoral profit driven multinationals and well funded lobby groups to s-l-o-w-l-y bring it all to heel.

Nothing new there.

Discriminating users of the softs can "filter" the useful from the dross and further filter the malware pushers.
Does any body here really rush off and $$ for something before checking it first.

Maybe, but the forums serve to educate and as groups are obviously good test beds, at least those who know what they are doing

There is little impact from "truth in advertising" protection !!

Even some of the "independent" test labs might have some commercial imperatives to bow to ??

The world wide impact of companies like Symantec and McAfee is enormous and as has been pointed out before, not without advantages for most users.

I recall Bubba had a few moments of weltschmerz not too long ago.
On a personal level having access here has been a big help to me.

Heh, love it.

@MrK love the home page
Regards.

 

I suppose this view is understandable if you take wilders as a typical example of 'security forum's that sprung up recent years for entry level users. Certainly if I want to promote a new security product this is the first place to go, unlike in most places you don't need to convince people they need more, they already are eager to lap up anything that promises more security

This is not to say that people here are stupid and are taken in by products that don't work and are 100% snakeoil, rather the mindset is such that people don't question whether they need it or not or if they do, they excuse it on the grounds that they are just playing with toys to 'learn'.

All this makes it an ideal place for people to promote their new security products. Particularly since many people here are the 'go to guys' for friends
and relatives on computer problems even if they aren't strictly Information technology professionals, influencing such opinion leaders are important.

But not all 'security forums' are so focused on security products use of course. and not all are so ready to accept additional third party security products as necessary.

 

An interesting but frightening presentation from Safe'n'Sec:

http://www.safensoft.com/security.phtml?c=253

 

Frightening? I could imagine many descriptions, although I don't believe frightening would be among them.

Blue

 

Devil's Advocate,

Would you care to share some of the other forums that would contribute to a well rounded open discussion of computer security?

 

It does seem that most vendors of security apps and suites do their best to intimidate both potential customers and those already using their software. Can't really use the term "paranoid" here as the threats are real, though they do their best to inflate them as much as possible. That presentation link is a prime example. Big on hype with no real information.
When I first took an interest in computer security, I ran into Norton Internet Security. Was just looking for an AV at the time but ran into their "one suite does it all" ads, so I bought it. I'm completely convinced Norton used the same fear tactics in the programs alerts. Many times a day, I'd get this irritating popup telling me that their firewall had just blocked some attack, usually calling it WinCrash. Back then, I knew just enough about security to be a danger to myself, so I started chasing these attacks. It didn't take very long before I started questioning the reality of these "attacks", never from the same IP twice, but always WinCrash. I was using dialup service, floating IP, so there was no way that an attacker could find me the instant I'd go online. Scare tactics was the only answer that made sense. Shortly afterwards, I was hit with a real attack, and NIS did nothing to stop it, but did keep a perfect log of everything that happened. The very next day, a malicious webpage crashed the whole suite and I was infected. It irritated me to no end that NIS went out of its way to interfere with everything I did by putting those "alerts" on top every 15 minues or so, but failed miserably when the problem was real.
It was around this time I came accross my first support forum with links to free security-ware. I took the paranoid approach after this. At one point, I had 2 firewalls, an old version of ZA and Tiny 2.0.15, which is very much like Kerio 2.1.5. I tried to run both of them, but had no idea what I was doing, so I'm sure you know the result. I also had 3 AVs and 4 anti-spyware apps. I was secure all right. My system resources were so low most of the time that there wasn't enough left to power an adware program or a trojan. They can't infect you if your whole system crashes when one of them tries to start.

Until very recently, the average user didn't have any real options to this. None of the anti-spyware apps catch much over half of what's out there. None of the AVs catch them all either. As for rootkits, I have to wonder how many more are in the wild that have never been detected.
We've seen high speed viruses that can cover the net in incredibly short time. We have malicious code that directly attacks security apps. We've seen security apps get hacked and their vendors attacked. We've seen a rootkit author defeat the security companies best detection methods at will. The signature based security apps are bogging systems down terribly, partly because the signature and reference files are getting huge. The 4 .vdf that AntiVir uses total about 8mb now. F-Prot def files total a bit under 5mb and according to them, covers over 304,000 detections. These don't include adware or a large percentage of the spyware, assuming you can get the AV/AS vendors to agree on exactly what constitutes adware or spyware, or even agree on the definitions of the terms themselves. What one calls a virus, another calls a trojan. One says it's adware and another says it's legitimate software (or consumerware). Brand A detects a specific software as adware while brand B was threatened with being sued out of existence, and decided not to detect it.
Those who rely on signature, definition, or reference file based security apps should be scared. They're incomplete and outdated the moment they're released. The sheer number of pests and their variants is unworkable and changes by the minute. If we count everything together, how many different detections should there be? Does that number have 7 digits or 8?
Some might call using HIPS software paranoid. I'd say that the opposite is true. Having to rely on multiple AV, antispyware, anti-trojan, and anti-rootkit apps, hoping that one of them will recognize the next piece of malicious code you contact is. Paranoid is the wrong term here. The right term is desperation, caused by relying on hopelessly outdated methods that can't keep up. HIPS, aka application firewalling represents a return to sanity in how we approach PC security. The only applications that can run are the ones you specifically allow. Sane and sensible, what should have been done in with Windows in the first place. Much more so than using multiple scanning and resident applications that check every process started and every file accessed against lists containing hundreds of thousands or millions of entries that are still incomplete and out of date. That's paranoid desperate. Good for security-ware vendors wallets, not the users.

Now that I'm down to one firewall and no resident AV/AS/AT/AR software, I still have 8 resident privacy/security apps, plus 4 that run once at bootup. Still paranoid.
Rick

 

Exactly, I use only firewall as the realtime protection, but if I would have to choose some additional app, I would use something like HIPS or whatever, which is not signature based.

Do not take me wrong, I allways recommend to users at least AV, Firewall, etc and no IE.
I understand, that users do not want to spend houres securing their PC without those apps.

 

Should have said:
Those who rely.....security apps exclusively should be scared.
SSM, my firewall (Kerio 2.1.5), and Proxomitron are the core of my security package. These are all powerful, rule based applications but are intended for those who don't mind investing the time they require to make them tight. I view the AV, along with the file and file system monitoring apps I use to be additional layers. Even though I'm convinced that SSM can stop the activity of viruses/worms, I'm not convinced that the learning mode is able to write a strong enough ruleset to do this. The average user still needs an AV. I still have AVs, but seldom use the resident component. They get used as manual scanners and are integrated into several apps on my system. While I'm confident that SSM will stop viruses from infecting my system, it wouldn't stop me from accidentally sending an infected file to someone else.
I'm not suggesting users dump their signature based AVs and other similar software. What I'm saying is that your security package shouldn't be based around them. Control should be the basis of your security:
1, Application firewalling (HIPS) to put an end to most problems at the source, namely the windows operating system that allows any application, executable, or bit of malicious code to do whatever it wants.
2, Control over the traffic entering and leaving your system. It took M$ far too long to figure out that this was necessary, and then only addressed half the problem, inbound traffic, and didn't even do that well.
Rick

 

Scary.

I don't see how the solution you recommend (HIPS) help with all of what you said, except arguably with the first. Once solutions like what you prefer become popular enough, we will see malicious code directly attacking them. We will see security apps like that getting attacked. We will see rootkit authors defeat their detection methods. And yes, high speed "Viruses" of that nature that bypass your prefered solutions will cover the net in incredibly short time.

Well if you ask me, whether you should be confident or not SSM will protect you, depends not only on the capabilities of SSM, but more so on your ability to respond correctly to the prompts.

Also I wouldn't rely on SSM to protect myself from certain kind of threats, particularly trojans in software installs I have chosen to run myself. SSM might alert me to a few anomoilies , and I might be wise enough to realise they are pointing to a malware situation, but even then who knows what other damage the malware has already done.

Much better to know they are malware in advance before you even run it.

 

Even with the qualifier, I really have a hard time agreeing with this statement.

Typical surfers who rely on either an AV or a suite type solution do not need to be in a constant state of fright. They should be cognizant of the world around them, and I realize that many are not, but a blanket statement that anyone who follows this path should be scared does substantially overstate the current threat level.

Blue

 

Yes, it's an overstatement, but no worse than the vendors themselves use. Compared to many of them it's quite mild.

Malware, rootkit installers, etc, are processes in their own right. Application firewalling prevents unknown processes from starting. If it can't run, it can't infect.
While I can't state with absolute certainty that SSM will stop all infecting processes, for the last year+ I've been using it on a testrig with just a firewall and no resident AV. Been visiting malicious websites, opening infected e-mail, and using any malicious code I can find to see what it can and can't stop. So far, it's stopped everything. No, my tests are by no means conclusive, but the results are more than encouraging.
Regarding the high speed viruses, they don't need to be hard to detect. They just need to move faster than the AV vendors can respond. It's estimated that such malicious code could be made fast enough to cover the internet in about 15 minutes. Would you count on your AV vendor to release detections for it that fast? These virus don't bypass anything. They just get their work done before any meaningful response can be made.
Scared is a bad choice of terms on my part. Users need to be aware that malicious code that defeats conventional security apps in short order is already commonplace.
It's inevitable that HIPS software will be attacked, just as AVs and firewalls have. HIPS isn't the final solution by any means. Just another tool in a never ending battle. It's great right now. Next year, who knows. Just keeping up is becoming a full time job.
Rick

 

Devil's Advocate, while I agree with this statement, I can hardly agree with your overall statement that this or that solution will fail when it's become popular and attacked. There is a reason why certain operating systems that are used where security is absolutely needed don't rely on virus scanners but rather on granularity and least privilege principle. Look up for XTS-400 Stop (used between others, by the US Department of Defense) for such an example.

Too hard to use for a regular user? Of course. The most separation/isolation of security levels the OS has, the harder it becomes to use. But for anybody with time and will to learn (not to mention patience) there are solutions that are MUCH more reliable than the ones used by antivirus scanners.

 

Now that's something I can agree with!

I suppose what I'm really reacting to is the steady stream of casual users who are overcome by abject fear from some of the reports, advertisements, and postings they read here and elsewhere and start grabbing and installing every application with even the hint of security in the feature set.

For a HIPS style solution to be useful to them, they have to get a lot better. Some are getting to that point, but the industrial strength ones like PG, SSM, AD/RD, and so on, are really not appropriate to most of this population while a very decent AV/router and maybe one or two additional measures are what I would generally consider more than adequate.

Blue

 

I phrased that badly perhaps. My point is simply that the poster I was responding to listed things that can happen to traditional solutions (malware targetted at them for example), with the implication that switching to SSM avoids this problem.

In almost all cases, I don't see how SSM and its cousins are automatically considered immune to such problems.

In any case, I would have more confidence if we are talking about security built into the operating system compared to ad hoc third party applications that try to build on top of them, but even such measures can be circumvented at least that's what I hear about 'shatter attacks' on what not.

 

Most of the people I interact with, neighbors, co-workers, family, are not paranoid when it comes to computer security. In some cases, I think they could be a bit MORE paranoid. They either don't have the time or don't want to spend the time to do internet research on computer security software. Thus, they are not impacted by the hype you speak of.

The computer security software that they use was preloaded on their PC when they purcased it. In most cases the OEM decided what they got, even if it was a 30- or 60-day trial. Almost without exception, they purchased licenses for the preloaded software because it provided the easiest path forward.

When they change computer security software it is usually because (1) they want to move to a security suite for convenience/$ savings, (2) their preloaded security software frequently malfunctioned, or (3) their preloaded security software trashed their computer (an extreme form of malfunction!). Very often, they will use whatever software their ISP is providing as it is 'free' (actually, it is embedded in their monthly fee even if the ISP gets a volume discount).

There are many web sites that counteract the hype you speak of. Ones that I particularly like are ConsumerReports.org and Gizmo's Tech Support Alert. Gismo's site does a very good job with free software, even if you don't agree with the rankings in all of the categories. Neither of these two sites are perfect. I'm sure all of you have your own favorites. In addition, there are local computer users groups all over the place and some have very good web sites. These sites provide very useful guidance on good computer hygiene (or "safe hex") and reliable as well as sufficient computer security software.

Is hype or false advertising good? Of course not. But I think the impact is not so great.

bktII

 

Have you looked at the learning mode in SSM? I wasn't sure that SSM would ever be a viable option for the average user. Considering that it doesn't rely on a database and doesn't need to connect back to a server for instructions/data, they did an excellent job with it in a very short time. Yes, it's for use on new installs or systems known to be clean, something I feel they don't stress enough. The instructions could also be better, but that can be carried too far as well. Considering just how fast they're moving on its development, it'll get better too.

That is one of the things at the top of their development list, how to make SSM resistant to attack. Most process killers can't terminate it. It won't allow most other apps to terminate processes either unless you specifically allow it.
I'm not saying they're immune to attack, but they are highly resistant to it, much more so than conventional security apps. IMO, it's plenty strong enough to resist attack from the malicious code circulating the net. Can it resist a good hacker? I have my doubts but conventional security software won't do any better and probably not as well. Combined with a router and a good rule based firewall, and set up to keep the firewall in memory, it just might. That's not a fair test of any security app, seeing if it can withstand a good hacker. None of them can. The average user doesn't face this kind of problem anyway. The average user has to deal with the trojans and bots they send out, and SSM can more than deal with these.
About a month ago, a friend asked me about some e-mail she'd received from someone she knew that had an attachment named "sexy" on it. I asked her to forward it, and launched it in my test unit. It was an AV killer. SSM intercepted the process itself AND its attempt to kill the AV. It was able to defeat it at multiple points. For the AV killer to work, the user would have had to make several bad decisions one after another, assuming the SSM UI was connected. If it wasn't, the user isn't asked at all. It's just blocked.

That's typical of what I find as well. I get to work on one of those this afternoon. Roughly quoting her attitude:

She told me last week she was getting cable internet. I asked her to wait til I secured it before going online. Found her on Yahoo IM Friday evening. This unit is XP SP1. She has no firewall. AV is 3 years out of date. I hate to think what I'll find.

We're talking about windows here! Every "security feature" they've added to their OS has proven to be nothing more than a weakened version of what was already freely available. Start with their firewall. Then look at their entering the anti-spyware market, and soon the AV market. The "security" built into their NT operating system is what made rootkits the threat they are now. That threat wasn't possible on the DOS based systems that weren't "secured". Makes me wonder just who they are trying to secure as the user isn't benefitting. For them it's just getting worse. Vista isn't fixing the problem, unless you call DRM and providing security to the entertainment industry interests "security". I like the idea of building security into the OS itself, but I doubt M$ will ever really do so, not without catering to other interests in the process and creating more problems than they fix. On windows, I'll trust the 3rd party software to do a better job.
Rick

 

Here's another user with only a hardware and software FW. I only turn on the AV program twice a year to update the AV definition and run a full system scan for bugs. I would never pay for an AV when there are many FREE AV solutions available for personal use.

I use BING to image my partitions. Fortunately, I've never had to use BING to remove malware proggies from my PC.

Most people don't know and don't care about PC security. This is a security forum. Therefore, there will be a lot of folks preaching about layered defense, muliple methods of data backup, and blah, blah, blah.

KISS. PC is a tool. If you look for trouble on the internet, then you will get hit with a bug. No combination of proggies will save your bacon unless you have a clean image file of your OS partition to overwrite the corrupt partition.