"Anti-virus products fail to protect against attacks"

Discussion in 'other anti-virus software' started by King Grub, Dec 10, 2012.

Thread Status:
Not open for further replies.
  1. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    814
  2. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Virustotal... really? :/
    No.
     
  3. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    A report from a company selling security products and services.... hmmm... :D
     
  4. eplose

    eplose Registered Member

    Joined:
    Sep 28, 2009
    Posts:
    51
    Interesting, thanks. Gives an idea about the speed of AV companies' reaction (signatures speaking).
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I don't get it why some clueless persons expect 100% prevention from antiviruses. And antiviruses only. No one expects helmets to be 100% effective for everything. No one expects seatbelts and airbags to be 100% effective at protecting passengers. No one is expecting all the security measures to always function with absolute perfection. Hell, even multi-million NASA projects going into freakin space fail quite often. And yet, they all rage when antivirus misses 1 malware. WHY!? What makes antiviruses such a freakin exception that no one says, yes, that is statistically logical. **** happens.

    Do we boycott helmets, seatbelts, airbags or anything else man-made when they fail at something? Ppl still get killed despite the fact that they had the helmet, or airbag deployment didn't help, or the seatbelt actually prevented the passenger from escaping from a burning car. We still recommend them because statistically they still make sense.

    And what's wrong with AV? Nothing. Statistically speaking they still make a lot of sense, just like everything mentioned above. It's just that some ppl obviously desperately need some attention and then they badmouth state of the art anti-malware solutions. If they are so bloody smart, why not patent their "better" technology and sell it to others. That's probably the point where the story will end.
     
  6. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    As soon as I read the bit about VirusTotal being used, the test became irrelevant to me.

    For new, custom-designed threats it's only fair to include mitigating technologies within products, such as behavior blocking, HIPS and sandboxing, etc. :thumbd:
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    They do say:

    "Despite its findings, Imperva said it would "not recommend completely eliminating [anti-virus] from an effective security posture" but said security teams should complement AV software by "focus[ing] on detecting abnormal behavior such as unusually fast access speeds or large volume of downloads and adjust[ing] security spend on modern solutions to address today's threats.""

    I don't see what's so wrong with that statement.....
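    The Imperva recommendation quoted above (watch for "unusually fast access speeds or large volume of downloads" rather than relying on signatures alone) is easy to illustrate. The following is an added example written for this thread, not code from Imperva or from any product: it runs a sliding-window check over a handful of constructed access-log lines and flags users whose request rate or download volume in the last 60 seconds exceeds a threshold. The log format, the user names, and the thresholds are all assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (invented for this example, not from any real
# system). Format: "<ISO timestamp> <user> <method> <path> <bytes>".
SAMPLE_LOG = "\n".join(
    [
        "2012-12-10T09:00:00 alice GET /reports/q1.pdf 120000",
        "2012-12-10T09:03:10 alice GET /reports/q2.pdf 118000",
        "2012-12-10T09:20:45 alice GET /reports/q3.pdf 121000",
    ]
    # mallory pulls 30 reports in 30 seconds: about one request per second
    # and 3.6 MB in well under a minute.
    + [
        f"2012-12-10T09:00:{i:02d} mallory GET /reports/r{i:02d}.pdf 120000"
        for i in range(30)
    ]
)

# Thresholds are assumptions for the demo; a real deployment would tune them
# per application from a baseline of normal traffic.
WINDOW = timedelta(seconds=60)
MAX_REQUESTS_PER_WINDOW = 10
MAX_BYTES_PER_WINDOW = 2_000_000


def parse_line(line):
    """Split one log line into (timestamp, user, method, path, bytes)."""
    ts, user, method, path, size = line.split()
    return datetime.fromisoformat(ts), user, method, path, int(size)


def detect_abnormal_access(log_text, window=WINDOW,
                           max_requests=MAX_REQUESTS_PER_WINDOW,
                           max_bytes=MAX_BYTES_PER_WINDOW):
    """Return {user: set(reasons)} for every user whose request rate or
    download volume inside a sliding time window exceeds the thresholds."""
    events = sorted(
        (parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)       # user -> deque of (ts, bytes) in window
    bytes_in_window = defaultdict(int)
    alerts = defaultdict(set)
    for ts, user, _method, _path, size in events:
        q = recent[user]
        q.append((ts, size))
        bytes_in_window[user] += size
        # Drop this user's events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _old_ts, old_size = q.popleft()
            bytes_in_window[user] -= old_size
        if len(q) > max_requests:
            alerts[user].add("request rate")
        if bytes_in_window[user] > max_bytes:
            alerts[user].add("download volume")
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in detect_abnormal_access(SAMPLE_LOG).items():
        print(f"ALERT {user}: {', '.join(sorted(reasons))}")
```

    Running it flags only mallory, for both reasons, while alice's three downloads spread over twenty minutes never trip either threshold. Nothing here inspects file contents, which is the point of the quoted advice: the signal is the behaviour, so a freshly recompiled binary that no signature knows about produces the same alert as an old one.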
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Hardly "eye opening". It uses VirusTotal so you can expect real world AV to detect somewhat higher than reported - but the point is that the protection provided doesn't justify the cost of deployment and flat purchase price.
     
  9. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    +1
    Well said.
     
  10. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,919
    "Anti-virus products on the market provide zero protection against new, unreported computer viruses" was true in the early 1980s, but now it sounds ridiculous. The author just substitutes the term "detection" with "protection". Nowadays there exist many products protecting even without any signature detection.
     
    Last edited: Dec 11, 2012
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    A quote from the AMTSO list of 10 common testing mistakes:
    I'd suggest reading the blog VirusTotal is not a Comparative Analysis Tool! as well as the statement made by VirusTotal itself that using VirusTotal for testing the protection capabilities of security products is a bad idea.
     
    Last edited: Dec 10, 2012
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    This especially applies to cloud systems. While you can still circumvent them, they are very hard to bypass, predict or disassemble unlike all the local solutions. All the hours of hard work of a malware writer could get nulled by a server side cloud refresh or change. And he can't really do much about it.
    Especially to those who have heavy cloud heuristics systems.
     
  13. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Anti-virus vendors "love" this kind of report...
     
  14. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi

    Using VT for AV testing is of course not a proper and scientific testing procedure.
    This being said, the results are a real reflection of in-the-wild reality and facts.
    Far from the latest results of AV-Comparatives tests that achieve 100%.
    Again and again, 100% is a HERESY in AV testing (even covered in AV EULAs), or only if the hidden goal is AV lobbying (help to sell more and more licenses, case of AMTSO and most of its members).
    On the other hand, the Imperva strategy is known and has been applied for years by HIPS/IPS/web application firewall/appliance/reverse proxy/vulnerability assessment vendors.
    And there is no need to have 40 years in the IT industry to know that AV protection is a colander-like defense, and should only be a part of a multi-layered defense.

    rgds
     
  15. Hawk82

    Hawk82 Registered Member

    Joined:
    Feb 11, 2007
    Posts:
    29
    VirusTotal testing is flawed.
    A while back I tested an infected file that had 0 detections on VirusTotal. I opened the file and a few seconds later Kaspersky popped up a generic detection and disinfected the computer. I'm sure that this is not only happening in Kaspersky and also other AVs are having different technologies based on behavior that catch malware even if no signature detection for that specific file is in the virus database.
    Yes, this does not mean that AVs catch 100% of malware out there, but they catch much more than VirusTotal results suggest.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    I only read the web page so maybe I'm missing something, but there doesn't seem to be anything controversial in the article. The main thing being criticized is the slow response of some vendors to create sigs for new threats. Obviously if it takes "weeks" that's unacceptable, but I don't know who they're talking about. Symantec, for instance, pushes new sigs every five minutes with pulse updates in its Norton products (don't know what the lag time is though between detection of new threats and sig creation). The article also criticizes the simplistic notion that the system is fully protected by running AV. Well, that's true - many people engage in magical thinking in that regard. Also, I didn't see any advertising of proposed solutions to the problem in the article. What's the problem here?
     
  17. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
  18. er34

    er34 Guest

    That is not entirely true. They do have pulse updates, they do update often but not every 5 minutes. They can make updates once every 15-30 minutes - this is what I have seen, but never every *5* minutes. The five minutes was a marketing trick for version 2009.
     
  19. er34

    er34 Guest

    :thumb: +1
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    You're correct that I was quoting the original claim and since I'm not currently using NIS I can't time the updates. My point was that some companies don't take weeks to respond (create sigs or whatever) to new malware.
     
  21. er34

    er34 Guest

    While you are correct about this, there are still cases where some vendors don't create sigs or updates to new malware for days/weeks. The reason is simple - they don't consider the sample as malware or don't find it "popular enough" to rush to update. There are such vendors. And while this behavior can be ok, such tests like the one we discuss may consider this as a negative.
     
  22. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    er34 makes a good point there.

    A lot of malware is very short-lived, so as long as a product offers pro-active protection, creating a signature isn't a priority.
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    Yes, but what does this have to do with the original article, which is a criticism of AV and AV companies that don't respond to malware in a timely manner?
     
  24. ableright

    ableright Registered Member

    Joined:
    Dec 22, 2012
    Posts:
    2
    Location:
    United States
    I have to agree with Hungry Man. While I'm not saying large companies or institutions should rule out using AV, I personally haven't used AV in years and I'm malware free.

    Why? There are so many high-tech virtual solutions and prevention solutions!! So how have I remained malware free?

    First, before I get into this, I will say that we need to start focusing on solutions that DON'T require signatures.

    It's just too hard to keep up with the bad guys on this old school idea of using signatures (the bad guys win in this area), so just concede. It's time to move on to bigger and better things.

    If you notice, more and more AV companies are including some type of virtualization in their software. Mark my words: the AV companies in the next few years that will go broke vs. the ones that make it big time will be decided by who has the BEST VIRTUALIZATION SOLUTIONS!!

    The key thing to remember in almost all malware attacks is that while malware has gotten more elite over the years and better at avoiding detection (just look at Zeus or TDL4), the methods of initial infection and distribution have remained relatively the same as they always have, even from over a decade ago in the Windows 95 era. ;). What are these initial methods of infection?

    Drive by downloads (from exploits like buffer overflows).
    Trojans
    Exploits in windows etc.

    So how can we avoid all of this? Logic would tell you that if you can cut off initial infection methods then the rest of this crap is unnecessary right? An ounce of prevention is worth a pound of cure.

    That's the key to winning against malware: not letting it in to start with. How do you do this?

    1. Be VERY picky about installing new software.

    I use VirusTotal to scan unknown binaries or assemblies. So from that perspective I guess AV is "helpful", but this is scanning from many AV software programs.

    Even this isn't foolproof though. If at all possible I prefer OPEN SOURCE SOFTWARE where I can look at the source code myself, and further some sort of digital signature and/or an MD5 check match from the author.

    I wouldn't apply this rule to companies that would be highly unlikely to include malware in their software such as (Microsoft Security Essentials). What are the odds of MSE having a trojan in it? While anything is possible you must also be realistic when it comes to dealing with larger companies that likely have trustworthy software!!

    2. Virtualize key applications

    With using high-tech programs like the new Comodo virtual sandbox - Kiosk and/or Sandboxie (ALL FREE), this will avoid 99.99% of problems that you will face from drive-by downloads and exploits (i.e. the common ways malware is initially installed).

    What's happening is that virtualization techniques are getting more widely used because they work better than strict AV. Why?

    AV is a constant cat and mouse game of creating new malware vs. gathering new signatures. I was reading somewhere not too long ago that the creators of the Zeus trojan on average re-compile their binaries like over 5 times a day to avoid detection signatures!!

    With virtualization there are NO SIGNATURES. It's almost like everything that isn't already installed is considered BAD and should not be allowed to make permanent changes to the machine. Sure virtualization can be bypassed too, but it's much much much harder to bypass virtualization vs AV signature based detection. Why?

    To bypass an AV's signature all you have to do is change the code around slightly so that signature isn't there anymore, but to bypass virtualization you have to likely spend HOURS finding some way around that specific sandbox like Sandboxie. (Much harder)

    3. EMET
    EMET is another free program which is NOT signature based but rather detects common exploits like buffer overflows in your browser. If one is detected, mitigation techniques are used and this WILL CRASH YOUR BROWSER!! This however is way better than getting your computer hacked because generally, even though applications will crash, the exploit won't complete, meaning no malicious code will be executed.

    4. If you must use AV use it ON TOP OF THESE OTHER SOLUTIONS for a layered security approach, and use something free like Microsoft Security Essentials.

    These are my feelings on the issue!!
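    Step 1 of the post above suggests matching a download against a digest published by the author. As an added example, not part of ableright's post and not any project's own tooling, here is a small checker that parses a sha256sum-style manifest and verifies every listed file in a directory. It uses SHA-256 rather than the MD5 the post mentions, since MD5 collisions are practical and an integrity check should not rest on it; the file names, contents and manifest are constructed inside the script, so it runs offline.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so a large download need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse a sha256sum/md5sum-style manifest: one '<hex>  <filename>' per
    line (a leading '*' on the name marks binary mode and is dropped).
    Returns {filename: hex_digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_manifest(directory, sums_text, algorithm="sha256"):
    """Return {filename: True/False} for every entry in the manifest.
    A missing file counts as a failure rather than raising."""
    results = {}
    for name, expected_hex in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        actual_hex = file_digest(path, algorithm)
        # compare_digest avoids leaking where the strings differ via timing.
        results[name] = hmac.compare_digest(actual_hex, expected_hex)
    return results


def demo():
    """Constructed stand-in for a downloaded release: two files and the
    SHA256SUMS an author would publish. Neither file is a real program."""
    good_bytes = b"example installer bytes v1.0\n"
    published = hashlib.sha256(good_bytes).hexdigest()
    # The manifest also lists a file the download directory will not contain.
    sums_text = (
        f"{published}  installer.bin\n"
        f"{published} *installer-tampered.bin\n"
        f"{published}  missing.bin\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "installer.bin"), "wb") as f:
            f.write(good_bytes)
        with open(os.path.join(d, "installer-tampered.bin"), "wb") as f:
            f.write(good_bytes + b"\x00")   # one extra byte: digest changes
        return verify_manifest(d, sums_text)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

    A hash match only proves the file is the one the author published; it says nothing about whether that file is safe, and a digest fetched from the same server as the download can be replaced along with it. That is why the post pairs the check with a signature from the author, which binds the digest to a key the downloader already trusts.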
     
  25. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Good post, ableright, I enjoyed reading it. I'm going to work on limiting the number of programs, including games, that I have installed on my computer.
     