Antivirus is DEAD!

Discussion in 'other anti-virus software' started by farmerlee, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    Two entire generations of people have been educated to work by default allow. And switching to default deny will be almost impossible. Because people are lazy and inert.

    Whitelisting in software is not needed if you have whitelisting in your head. But that's the same as default deny education.

    Inspector, I think people should have to pass a test to use computers. Just like cars. They don't know anything about engines, but they still must pass theoretical and practical driving tests / exams...

    Mrk
     
  2. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    That is indeed not a bad idea. HOWEVER. Without cheating my wife wouldn't pass this test. (And NO, she is NOT stupid. She simply doesn't care and doesn't see any need to learn anything about computers! Believe me, I've tried that for years!) And I do need her email, because otherwise how should I know during work what dinner awaits me? :eek:
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Just don't let her see your Wilders posts ... because you might end up with no dinner, or thallium-flavored roast pork cutlets.
    Mrk
     
  4. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    In case she does: I LOVE YOU :D
    But seriously, that is exactly the problem. She can use a browser, an email client and some Yahoo chat. And that is, according to her own words, all she wants. And I do accept this. And I don't blame her for not knowing what a registry key is. And I think exactly this "profile" applies to MANY MANY other people, not only my wife.
     
  5. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    YES, being the IT support person for a spouse is like trying to walk a tightrope over the Grand Canyon! o_O

    Mike
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    The thing is: she does not need Windows then!

    Computers today are made for a WHOLE range of things. And such, they require good knowledge to utilize effectively.

    Just like you have cars that transport people, you have cars that transport heavy machines, cars that collect garbage etc.

    Computers should also have categories:

    - For newbs (running the basic of basic Linuxes)
    - For moderate users (running some nice Linux or Mac)
    - For advanced users (running Linux)

    Joking aside, most computers, especially Windowsy ones, are made capable of everything. Which is exactly what most people do NOT need.

    Why have ftp and telnet on a standard Windows machine? Most people do not use these. Why have command line? And so on.

    In particular, Windows is made open to be as compatible as possible, but this is the real problem - not everyone needs or should need or be able to use all of the options, since they require skill and knowledge.

    If computers had categories, you would not need anti-virus.

    Imagine a machine that has no downloads available, only a tiny browser for games and a tiny browser-based email. Simple.

    BUT ... if people are using fully capable tools, they should be fully capable too. That's why Windows users must know what the registry is - because they can find it and tamper with it.

    In cars, you are limited. You need tools to cause damage to your engine. You need quite a bit of effort to do stuff. And because it is expensive and can also be dangerous for users, they do not do it.

    Computers, no physical pain, no physical effort, quite cheap, so they afford to mess around.

    Imagine you got a ticket for getting infected with a virus, just like for running a red light? Not so many people would be so quick-handed on the double click, eh?

    I can go on and on, but I have a basketball game to go to.

    So ... The main idea is there, not phrased as well as I wanted, but I'm in a kind of a hurry ...

    Cheers,
    Mrk
     
  7. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Now you have done it, you sure do .iss me off! :rolleyes: :D ;) :) :D :-*

    Click on my "DOS user" link in my signature. ;)

    Mike
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The term WhiteListing has become a term that has lost its meaning without referring to specific situations.
    Blanket statements such as the above are misleading to the uninformed.

    For nothing could be further from the truth.

    In its most basic application, White Listing is denying by default the execution of malicious code.
    The initial setting up of a White List solution assumes a clean system. I have successfully used
    such a solution on my own system and other home users' systems for many years.
    It's essentially a Set-and-Forget solution.

    Taking your examples:

    [screenshot: screen_doc3.gif]
    [screenshot: scan_doc.gif]

    Many of my academic colleagues -- dealing weekly with dozens of other users' Office documents -- effectively protect
    against the above type of exploit with a White List solution.
    Students at college with a White List solution on their laptop are protected against this type of exploit.

    Someone may receive a photograph by email:

    [screenshot: screen_jpg2.gif]
    [screenshot: scan_jpg.gif]

    The effectiveness of such a solution becomes apparent in Zero-day attacks,
    the .wmf exploit from 2005 being one of the most notorious and sensational:

    [screenshot: screen_wmf.gif]
    [screenshot: http://www.urs2.net/rsj/computing/imgs/scan_wmf.gif]

    Many users employ White List solutions exclusively. Many combine with an AV.
    There is no single setup that works for everyone.

    The important thing is for the user to develop a Strategy which takes into account her/his specific needs
    and situations.

    To completely dismiss any solution out of hand doesn't serve any purpose.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  9. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    We are speaking about whitelisting ONLY and the claim that "Antivirus is dead". Nothing more, nothing less. So your whole post above is obsolete. Because there is no question if whitelisting makes "sense". The question was if this ALONE can replace antivirus.

    Edit: Just to add one more thing: What do you want to prove with your first screenshot? Netsky.Q is a BINARY executable malware. The fact that you rename it to .DOC doesn't prove that your application blocks Word documents. Or whom did you try to fool with this? Not me ;-) Same for the 2nd screenshot. Renaming files has ABSOLUTELY nothing to do with that!
     
    Last edited: Jun 10, 2007
  10. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    I think you have misunderstood what Mike was trying to say in his blog. You see, there have been people predicting that at some point in time the malicious programs will become so numerous that it will be easier to scan for known good programs instead of for known malicious ones - simply because the former would be fewer.

    However, at the AV testing workshop in Iceland, there was a presentation from some guy from Bit9. This company tries to build a database of all known good software. They noted that just sources like Microsoft, SourceForge and Netscape produce something like a quarter of a million new legitimate executables every day each. Just the hash table used to access Bit9's database is currently 100 Gb and keeps increasing.

    In other words, there is no hope scanning for that.

    Mike's point is that it's too difficult to determine what exactly is malicious and what is not - so that you know whether to deny its execution or not.

    In my experience, most users resort to an AV product after they suspect that their system is already infected.:cool:

    Either I don't understand what exactly you are doing, or you are deeply mistaken. The possible alternatives I see are the following:

    1. You deny access to unknown documents. This would work - but it would make the system unusable.
    2. You deny access to EXE files that have the DOC extension. This, of course, won't protect against real documents that contain an exploit.
    3. You deny access to the executable that is usually dropped and executed by the exploit. This is fine, but some exploits might not drop anything and execute the malicious action in memory only.

    This is the second alternative - it's actually an EXE file with a JPG extension. The example doesn't demonstrate that your system would protect from a real JPG file containing an unknown exploit.

    This is the third alternative - you deny the execution of the dropped executable but not of the shellcode in the exploit.

    I don't think that this is what Mike was trying to do - although he was perhaps a bit sensationalistic in his message.:cautious: I'm sure that there are advanced solutions that work reasonably well for some experienced users - integrity checking (whitelisting is a kind of integrity checking) is one of them. However, the majority of users are far from competent enough to use such solutions.

    That is why we're making scanners, folks - because this is what sells. Many companies have tried to market better solutions in the past - including ones based on integrity checking. For instance, Dr. Fred Cohen had a product he was calling "integrity shell" (essentially an on-access integrity checker), there was a product called Integrity Master, and many others. They all have failed. Without an insignificantly small number of exceptions, people simply don't buy them.

    Regards,
    Vesselin
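    The objection raised above (IC's "renamed into .DOC" point and Vesselin's alternative 2) can be checked mechanically: compare what the extension claims with what the first bytes of the file actually are. This is an added example, not code from any poster or product; the magic-byte table, the executable-extension set and the sample files are constructed for the demonstration.

    ```python
    import struct

    # Constructed table of leading magic bytes for the formats discussed in the
    # thread: legacy OLE2 .doc container, JPEG, and WMF (placeable or standard header).
    MAGIC = {
        "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
        "jpg": [b"\xff\xd8\xff"],
        "wmf": [b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00"],
    }
    # Extensions under which a PE file is expected to appear (assumption for this example).
    EXEC_EXTS = {"exe", "dll", "scr", "com", "cpl"}


    def is_pe_executable(data: bytes) -> bool:
        """True if data has an MZ stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
        if len(data) < 0x40 or data[:2] != b"MZ":
            return False
        pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
        # A short slice (offset beyond the buffer) simply fails the comparison.
        return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


    def classify(filename: str, data: bytes) -> str:
        """Compare the type claimed by the extension with the type the content shows."""
        ext = filename.rsplit(".", 1)[-1].lower()
        if is_pe_executable(data):
            return "executable" if ext in EXEC_EXTS else "disguised_executable"
        sigs = MAGIC.get(ext)
        if sigs is None:
            return "unknown_type"
        if any(data.startswith(s) for s in sigs):
            # Content matches the extension. This says nothing about whether the
            # document itself carries an exploit, which is exactly alternative 2's limit.
            return "genuine_" + ext
        return "type_mismatch"


    def fake_pe() -> bytes:
        """Constructed minimal MZ/PE header pair standing in for a renamed binary."""
        hdr = bytearray(0x40)
        hdr[:2] = b"MZ"
        struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> directly after the stub
        return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


    def scan(files: dict) -> dict:
        """Classify every (name -> bytes) entry; returns name -> verdict."""
        return {name: classify(name, data) for name, data in files.items()}


    SAMPLES = {                                   # constructed inputs
        "invoice.doc": fake_pe(),                 # binary renamed to .DOC
        "photo.jpg": fake_pe(),                   # binary renamed to .JPG
        "report.doc": MAGIC["doc"][0] + b"\x00" * 64,
        "card.wmf": b"\x01\x00\x09\x00" + b"\x00" * 64,
        "tool.exe": fake_pe(),
        "notes.doc": b"plain text pretending to be a document",
    }
    ```

    Running scan(SAMPLES) flags the two renamed binaries as disguised executables while the genuine .doc and .wmf pass the content check, which is precisely why a renamed-EXE screenshot demonstrates nothing about document exploits.
    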
     
  11. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    The average Joe doesn't know anything about sandboxing or virtualisation. The point of IC's article is mainly aimed at that core of computer users. The best way they can be protected is with some form of AV protection and a good dose of education about safe computing practices.
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    What about other non-signature-based approaches, such as virtualization and behavior blocking?

    I think products like SandboxIE, Cyberhawk and Micropoint have been an excellent example of how these "new-generation" technologies can be effectively put to use even by the most technically uninclined, so to speak. Do security vendors think it's a greater benefit to continue playing the catchup race against malware writers, or to invest in and educate users about these new technologies?

    An additional point: Why is it the popular consensus that the public CANNOT use sandboxing/behavior blocking with any degree of success? Have there ever been any scientific studies carried out? Why do people continue to tout the blacklist scanner as THE solution for the average Joe, when it appears that average Joes continue to get infected anyway while using this very solution?
     
  13. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK

    AMEN.
     
  14. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Once again: A user wants to know if something is bad. He wants to know that FOR SURE. And that is very difficult (if even possible) to provide with such solutions. Not everyone knows what the hooking of specific API calls means, or what a "hidden" file means etc. They want something that tells them straight away "That's bad, it has a name and is called trojan.whatever and I do delete it now for you". They don't want to research themselves, based on some "strange" report, whether something is now really malware or not. Before they do that they let *everything* pass, including malware.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Unfortunately, it is also a common situation that the blacklist scanner does not so much as squeak, and lets the malware execute unchallenged.

    Perhaps the desire of users for their systems to remain safe can overcome their desire to have a dumb software package (try to, with varying degrees of success) do everything for them. What say you?
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    The frequency of delivering signatures has increased over the years. At one time signatures were received monthly, then weekly, and now daily in most cases. Some even deliver hourly now. I guess it depends on whether the AV company in question has the infrastructure, workforce and finances secured to allow for such rapid releases of virus definitions.
     
  17. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    And for all those who still don't understand what I mean:

    If you can read this here (or if you even replied here!) you're not an average computer user! 50% of average computer users don't even know what a forum is! They never visited one! You have to see this worldwide and not only based on your neighbors or people here in this forum! If you visit a security forum, that shows that you CARE about your computer. Now please forgive me, but that's already where the problem starts: It *TODAY* still takes a drama to explain to some people why they should use at least an antivirus program! Let alone Virtual Systems or Behavior-Blockers. Congrats to all who are using them, but as I said you cannot force people to use them - no matter how big your marketing budget is. If it's too complicated (remember: it doesn't count if *YOU* think it's not) they simply don't want to use it. (See Vesselin Bontchev's last part in his previous post)
     
  18. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    you make it pretty clear to me IC,

    calm down and have a drink :)

    if people don't understand, who cares... its sunday :cool:
     
  19. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I think it boils down to education. I remember reading once about a guy who phoned Tech. Support because he had a problem with his computer, which turned out to be virus-related. The thing is he had an anti-virus product on his machine, but he just hadn't updated it for years - he believed once installed, it did its job without understanding it needed to be constantly updated against newer threats.

    Then there have been cases where people don't have the real-time monitor enabled, and they wonder why they get infected!

    How we educate this group of computer users is a discussion all of its own.
     
  20. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Even that's nothing. I witnessed a support case where the guy on the other end of the phone couldn't find the Windows Start button... Guess what? The monitor wasn't connected to the computer, but he was trying to find the Windows Start button!!!
     
  21. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK

    If user education was ever going to work, don't you think it would have worked by now? :eek:
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    A good example of this is shown in the Kaspersky article regarding Gpcode - http://www.viruslist.com/en/analysis?pubid=189678219 - where they say under the heading 'Protect your data':
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I think the stories here have a very significant point to them. Namely: For those who are determined to not care about computer security, the blacklist scanner does nothing to help them. For the rest of us, non-signature-based solutions are beginning to look more and more like the better choice.
     
  24. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    While that may be the case for advanced users, the idea that antivirus software will become obsolete due to *everyone* switching to whitelisting software, is ridiculous, IMHO. I would say more but IC and Bontchev's posts above sum it all up.

    Londonbeat
     
    Last edited: Jun 10, 2007
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Londonbeat,

    I do not use whitelisting software.

    Thank you.
     