11.6 Percent of PCs with Security Solution Infected

Discussion in 'malware problems & news' started by TheKid7, Aug 21, 2013.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Double-Check Before you Leap: 11.6 Percent of PCs with Security Solution Infected:
    http://www.hotforsecurity.com/blog/...pcs-with-security-solution-infected-6893.html
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The problem is always the user; it doesn't matter what you install, outside of a LiveCD, always-on system virtualization, constant disk image restores, or strict whitelisting. In other words, no permanent changes to any storage.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's because 99% of the security software out there is a joke, and hasn't evolved past the basic concepts that we used in the '80s to secure computers.
     
  4. guest

    guest Guest

    Kinda wondering what's the good 1% in your book and how security software is supposed to be? No, I'm not flaming. I just want to know your opinion.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That 1% is reserved for the projects like EMET or Sandboxie that try to do something different (even if they aren't amazing on their own, I like that the projects try something else), as opposed to "let's try to detect every payload even though crypters are more and more mainstream every day!"

    Hackers are laughing at that sort of thing.
     
    Last edited: Aug 23, 2013
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Definitely. Blacklisting malicious code was fine when there were several dozen or a couple hundred viruses. Trying to blacklist 6 and 7 digit quantities is futile, especially when kits can turn out new variants at a moment's notice.
    Any approach other than trying to keep track of every piece of unwanted code is a better approach. In addition to what HM mentioned, there's virtual operating systems, reboot-to-restore solutions, and default-deny.
     
  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I wonder how many of those machines with a security solution have a valid license? Just because it is installed doesn't mean it is protecting the machine.
    A lot of computers come with 30-day trials.
    The other thing I have noticed is that a lot of people have outdated software such as Adobe Reader, Flash Player, Java etc. People could be using an older version of security software even though they can update to the latest version for free.
     
    Last edited: Aug 23, 2013
  8. guest

    guest Guest

    So anything that is not relying upon blacklisting, aye? Kinda glad I jumped on the HIPS bandwagon. :cool:

    But aren't AVs nowadays more than just scanners? So not all of them are completely stuck in blacklisting mode. Most are dumbed down though, so the additional features aren't really at their full potential. :doubt:
     
  9. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    I don't run a real-time AV myself (for a few reasons that I've mentioned before) but to call it a "joke" and make comparisons to the AV of the older times is unfair and lame. No offense.

    AV, or to be more technically precise, the anti-malware tools we have today aren't the same blacklist tools we had years back. They are no longer just known-malware scanning tools that are dependent only on signature-based detection. On the surface it may seem so (esp. more so for the non-AV crowd or AV haters) but under the hood, they have evolved.

    There is a lot of Artificial Intelligence going on. Here are a few, depending on the brand name one uses:

    - static heuristic analysis
    - dynamic heuristic analysis
    - behavioral based analysis
    - code emulation in a sandboxed or simulated environment
    - cloud system
    - reputation system
    - pre-defined HIPS
    - sandboxes

    A Survey on Automated Dynamic Malware Analysis Techniques and Tools (PDF file)

    Of course, it isn't perfect and there's the halting problem but what do you expect? A 100% detection? Foolproof against targeted attacks? You've got to be kidding me if you say so.

    "You can't judge how successful something is by only looking at its failures."

    Debating AV effectiveness with security experts

    Now, if you really want to criticize AV, there are other areas of shortcomings which are more worthy of mention than its detection mechanism. E.g. the vulnerabilities and attack surface introduced by the AV components; the lack of use of exploit mitigation techniques like DEP/ASLR to protect itself; the privacy concerns that may arise (PDF or document files being sent back for analysis, for example); etc. In that sense, I'd agree with anyone who calls it a "joke" on such a basis.

    As for the comparisons made between an AV and EMET, Sandboxie or HIPS, each has its own rightful place.

    Preventing successful exploits requires exploit mitigation techniques and its own tools. That's where things like DEP/ASLR and EMET come in. Even then, patches and updates are important to deal with kernel vulns, for example.

    Limiting functionality, so that untrusted code that wants to access code it doesn't need to, or privileges higher than needed, is held back, requires its own techniques and its own tools. That's where sandboxes like Chrome's and Sandboxie or HIPS (policy-based or classical) come in. Even then, updating is important to keep up with known or possible bypasses.

    Dealing with malware requires malware prevention and removal techniques and its own tools. Therein lies the playground for AV.

    Expecting an antivirus to deal with exploits is like expecting a maths teacher at a tertiary level to teach literature and arts at Oxford University. He may be able to do it, but there's a higher chance that there are probably more qualified candidates for the task. To extend the analogy further, just because you prefer literature doesn't mean the maths teacher is incapable or needs to quit his job - there are others who need him. Of course, this isn't necessarily the most accurate analogy to be used, but I just want to get my point across.

    Understand the limitation and purpose behind the technology used. What one chooses to use is subjective depending on one's risk analysis.
     
  10. guest

    guest Guest

    Safeguy, this is exactly what I have in my mind as well, although I couldn't put it in such a nice fashion as you did. But still, I started to enjoy listening to opinions from all sides and trying to pull a conclusion out of it. Anyway, thanks for your neat elaboration. :thumb:
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Depends on your technical competence. Something like HIPS will actually be worse for newbies unless in some type of lockdown mode (block all, no change to settings, minimize whitelist).

    Yes, they're way better than before, but not nearly as foolproof as I've suggested. If you give an incompetent user more control than necessary, don't be surprised if anything happens to the computer.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For the average user who doesn't have someone available that can set up a better solution, there aren't really any alternatives. If they have someone who can work with them once or twice, reboot-to-restore and sandboxing/virtual operating systems are a possibility.

    I'll agree that AVs are more than they used to be. That said, the AV component of these packages is becoming ineffective. The added sandboxing, isolation components, and predefined HIPS are the real protection. IMO, the AV component is primarily to keep the money coming in as it's worthless without constant updating.
     
  13. guest

    guest Guest

    Which is why we have SUA. :)

    Yes, and most users are more familiar with "Antivirus" term. They probably never heard of, as one example, disk/partition imaging maintenance of the wonderland.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Except for sandboxing, all of this is some method for detecting 'strains' of malware that have been seen before, or definitions based on malware we've seen before. Even the pre-defined HIPS is meant to prevent malware it has seen before. Fully Undetectable Malware is what the pros (hackers who run the botnets you don't hear about until a decade later when they retire) use and AV just doesn't cut it. Newer AVs sometimes implement sandboxes, trust me when I say that hackers don't care about them at all yet.

    The halting problem isn't as much of an issue; it's this stupid cat and mouse game that hackers and AV play with avoiding heuristic detection while maintaining performant operation. It's the least of AV's worries.

    Sure, I wrote about just that:
    http://www.insanitybit.com/2012/12/13/analyzing-antivirus-security/

    I certainly don't expect AVs to try to be anything other than AVs. That's why I'm pointing out *other* programs that do *other* things, programs that at least try something new and different, whereas AVs are still largely dependent on seeing attacks after the fact.

    When people call security a "cat and mouse game" they're basing that largely on AV, where an attacker creates a file, releases it, AVs catch it and release a signature, and attackers release a new file - the cycle is endless and it's never harder for attackers to release new files (like I said, really good crypters are becoming mainstream and anyone legit is writing their own).

    Like I said, 99% of security software is a joke. There's that 1% that sorta fails at doing a whole lot (EMET is really the only tool that has set out to do something and really succeeded, and I feel their direction is going to screw things up) but at least that 1% is catching up to research from the 90's, whereas AVs are just trying to refine research from the 80s.

    Wouldn't it be nice if the whitehats who implement tools read the research from today? Too much to ask for, certainly on Windows.
     
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  16. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Hey, don't bash HIPS. They are good and very useful. :D
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Still too much for the truly computer illiterate. :D

    If they just need access to the Internet, a read-only system is perfect for them. They can carry their own USB's to save files. If they need to try anything, fire it up in the RAM. Review and backup if changes are needed. Software-wise, virtually foolproof I'd say.
     
  18. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    What's going to get screwed up by the direction that the EMET (team) takes?
    Pardon my ignorance, but I just don't understand what you mean.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I just think that the Anti-ROP techniques are more trouble than they're worth. EMET 3.5+ has largely been about hardening those specific mitigation techniques, and a lot of it has just been "OK, we need to hook more things! All of them!" and it's not promising.
     
  20. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    And the remaining 89% remains infected, because an updated AV is unable to find never reported zero-day infections. :rolleyes:
     
    Last edited: Aug 26, 2013
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    What's your opinion about current day HIPS? Aren't they (combined with EMET) already able to stop most attacks, even zero days?
    Or is it still possible to improve them drastically?

    I already said it in another thread, but I'm a bit annoyed with the fact that interesting technologies like OS level and micro-virtualization are still not available in Windows. Another thing that would be really nice is hypervisor based HIPS, which in fact would be like PatchGuard on steroids. :thumb:

    http://en.wikipedia.org/wiki/OS_level_virtualization
    http://northsecuritylabs.com/downloads/whitepaper-html/
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think HIPS are misguided in their current form on Windows (the popup HIPS like D+).

    There are drastic improvements that'll come in the next few years if people just drop the dumb pretense and start focusing on security principles.

    The biggest obstacle in securing Windows is Microsoft though.
     
  23. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Grr. Had a post, but my browser ate it. Let's try again.

    How so? I'm curious.

    Re HIPS: the changes I'd personally like to see are

    1. General purpose HIPS -> policy sandboxing like AppArmor, with presets for common applications.

    2. Anti-executable -> actual whitelisting like GrSecurity TPE - only listed applications, or only those with correct permissions, are executable, period.

    The main problem here is that interactivity is really really bad in security software. If the user can get their computer infected by clicking the wrong button, we're basically back to square one.

    Good security software should be set-and-forget. IMO it should never query the user unexpectedly.
     
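    A concrete instance of the "policy sandboxing with presets for common applications" idea in point 1 above, as an added example that is not part of the thread: an AppArmor profile for a hypothetical document viewer at /usr/bin/docviewer (the binary path, profile name and data directories are assumptions). The profile is set-and-forget in the sense the post asks for: nothing is decided by the user at click time, the policy is fixed before the program runs.

```apparmor
# Added example, not from the thread. /usr/bin/docviewer is a hypothetical
# document viewer; adjust the path and directories to the real application.
#include <tunables/global>

profile docviewer /usr/bin/docviewer {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The viewer may map its own binary and read its own data files.
  /usr/bin/docviewer mr,
  /usr/share/docviewer/** r,

  # Documents are read-only, and only the invoking user's own files.
  owner @{HOME}/Documents/** r,
  owner @{HOME}/Downloads/** r,

  # Per-user config and cache may be written, but never executed (no 'x').
  owner @{HOME}/.config/docviewer/** rw,
  owner @{HOME}/.cache/docviewer/** rw,

  # AppArmor is default-deny for anything not listed above. The explicit
  # deny rules below also override any allow pulled in by the abstractions,
  # so an exploited viewer cannot open sockets, launch another program,
  # or read credentials even if a shared abstraction would have permitted it.
  deny network,
  deny /** x,
  deny @{HOME}/.ssh/** rw,
  deny @{HOME}/.gnupg/** rw,
}
```

    Load it with `apparmor_parser -r` and watch the kernel log for `apparmor="DENIED"` entries while using the viewer normally; each one is either a missing preset rule to add or an action the program should not be taking.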
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, on Linux if I want to change a policy I can go straight into the kernel and change it at that level, I can change the entire logic it uses, etc.

    On Windows, I could at one point patch the kernel to at least gain that level of privileges, but now I'm locked into running as Admin. So I'm forced to work within predefined APIs/limits set by Microsoft, and I can't really change that. On Linux there's LSM, so if I were a security developer without access to the kernel I could at least hook it to do *some* things. On Windows you're much more limited as a developer of security software.

    So Microsoft has forced everyone into how they want to secure their systems, with their policies, etc. And they suck at it (not their fault, most people do).

    Imagine trying to implement this on Linux. Super easy, hooks already exist and if they didn't you could just build them in.

    Now imagine trying to implement this on Windows... yuck. Not nearly as simple, though not impossible since they at least expose some interfaces.

    Sucks that Windows is the place to secure right now though. Jumping into securing Linux desktop users would be a snap by comparison, everything is already there, you just need to tweak it a bit.
     
  25. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,671
    Location:
    Philippines
    I think the title is a bit misleading; "11.6 percent of PCs scanned with Bitdefender QuickScan Infected" is probably closer. I'd say that also narrows it down to a vastly smaller percentage.
     