Antivirus is DEAD!

Discussion in 'other anti-virus software' started by farmerlee, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Why do i have the feeling that this discussion will go off-topic soon?

    To make it clear: We're discussing if whitelisting can FULLY replace an Antivirus Solution. That means you wouldn't have any antivirus. We're not discussing if it makes sense to add a whitelisting app to your existing av! Because *assuming you know how whitelist works* that indeed might make sense!
     
  2. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Same here.

    However, I do believe that it will slowly become less of a need as other apps become more advanced. They are walking all over each other's security zones as it is now even today. This is, in my view, a very positive development, as pure signature-based products would become so burdened by billions of signatures. Just think what PC usage would become. o_O I believe, and I am no expert for sure, that behavior-based, when done well, will be the best option. This is based only on observation and reading postings here at the Wilders and other places; again, I am no expert.
     
  3. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    You are forgetting that there is a third group of users - and it's the majority. Those are people who are not competent enough to use generic protections like integrity checkers - but who do care about protection from malware for one reason or another (e.g., because their computer is already infected and doesn't work properly). These are precisely the people who buy and use scanners.

    Face it, folks. It's a free market. The "death of signature-based scanners" was predicted two decades ago. Alternative, more secure kinds of protection have been available for all this time, too. Nobody is forcing the users what to use for virus protection. They use what they want. They vote with their wallets. All AV products that did not include any kind of virus scanner are no longer around - because the companies that used to make them went out of business. Scanners are still selling like hot cakes. What does that tell you?

    If you can make a generic kind of protection work for you - great! I use several myself. I'd be the first to admit that known-malware scanners are the weakest kind of protection against malware. Yet this is what the vast majority of users understand and this is what they are going to use. Do not expect that to go away any time soon.

    Regards,
    Vesselin
     
  4. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I have edited my post, I did not read your prior post where you brought in question of the effectiveness of behavior blocking/sandboxing/virtualisation. Although IMO, these, along with whitelisting, are still not an effective solution for the average inexperienced user, and won't cause the 'death' of signature-based antivirus software.
     
  5. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    Ah, no, in general this is not true for Word documents. (Unless, say, the document contains some self-updating fields - but even then Word will ask you whether to save the changed document.)

    What you're thinking here of is Excel. That one changes the AUTHOR record in the Book/Workbook stream when you open a spreadsheet - even if you don't enter anything in it. And it doesn't tell you that anything has changed, either - it saves the change immediately without giving you a choice.

    Regards,
    Vesselin
     
  6. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    Again, this is not true. Most Office documents do not contain any macros. The most you can say is that Excel documents contain macros much too often to make "deny all macros" a comfortable policy.

    Regards,
    Vesselin
     
  7. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Then it's XLS :D Doesn't really matter, but people are using this too :D
     
  8. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    Yes, you are. Indeed, this is what most exploits do - because it's easier to do it this way. But don't forget that before the executable is downloaded and executed, there is some other code (the shellcode) that runs - it is the code that does the downloading and executing of the main malicious executable. The shellcode runs only in memory. You can't stop it from running by preventing unknown EXE files from running. And although it's more difficult, it's entirely possible to do a lot of nasty things just with the shell code - without downloading and executing anything else.

    Also, think about the CodeRed virus. This thing doesn't exist as a file at all! It spreads memory-to-memory between computers on the Internet. What are you going to whitelist/blacklist in order to stop that? TCP/IP packets?

    Regards,
    Vesselin
     
  9. bontchev

    bontchev AV Expert

    Joined:
    Nov 13, 2005
    Posts:
    38
    Yes, several.

    Regards,
    Vesselin
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Thank you for the explanations; they've been very helpful.
     
  11. EASTER.2010

    EASTER.2010 Guest

    I agree, most helpful. And although those of us privileged enough to have conditioned our systems customarily with many advances that make us less dependent on AVs, as noted above, there will always remain a great majority of global users who either don't have the luxury of specially configuring security or simply are new to the internet and MUST depend on the AV solutions to be safe.

    Great replies and comparisons. :thumb:
     
  12. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    You have got to be kidding Mike, did they give you a reason? Do they know who you are? How the hell could they just delete a post from such a well respected and knowledgeable person??

    Canceling mine as well. Thanks for letting us know. Sorry, some people are just beyond help.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    With this thread in mind, I have to ask:
    Is there a quick and reliable procedure to find executable code in a file? Because all exploits contain executable code, right?
     
  14. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    No to both of your questions. There are also exploits that do not contain executable code, and it is not easy to find executable code in arbitrary files. It largely depends on the file type and on the morphology of the code. It could attempt to look like normal contents of a file or simply seem quite random with trash instructions which can be quite hard to spot in binary formats.
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So, looking for the MZ header with a text editor is unreliable?
    Another subscribed thread :thumb:
     
  16. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Yes. Because you can have shellcode in jpg pictures and they don't have an MZ signature at the start.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Is there a way to find such shellcode in a given file?
    Thanks.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    My statement from previous post:

    A better statement would have been: White Listing is denying by default the running of *any* executable not on the White List. Its sole purpose for me and those I help is to prevent the unexpected.

    Every one of my examples is a real live exploit either received by email, or via drive-by download. Again, I realize that my examples address just certain types of exploits, yet these are the most common in the wild, and hence, of most concern to the home user.

    bontchev - Your comment about not blocking the shell code of the .wmf file is a valid one. As you state, it could also apply to an MSWord exploit which ran shell code.

    In fact, this was discussed in another forum during the period of the .wmf exploit, and someone crafted a .wmf file with shell code which, when allowed to run, launched calc.exe.

    However, I am not aware that this technique ever surfaced in a real exploit. Everyone I saw reported, launched a trojan executable.

    In practice, many of the faculty and students I referred to have both a White List solution which will prevent the dropping|extracting|launching of any executable code not already on the computer; and an AV which hopefully will take care of other situations.

    My concern is with the home|education user, and I watch for real exploits that they might encounter. I realize that much of this discussion is about Enterprise situations, but a simple Default-Deny program is not beyond the capabilities of anyone. AV may be helpful. However, from my experience with the above -- especially with real drive-by downloads, I am not optimistic about their effectiveness.

    As I concluded my previous post, the important thing in security is to develop a strategy. What products a user chooses is less important than the effectiveness of the solution according to the needs and situation of the user.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: Jun 11, 2007
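    The default-deny rule Rmus describes (nothing runs unless it is on the White List) can be shown as a small hash-based check. This is an added example, not a tool from the thread or from any product mentioned in it. It assumes a whitelist keyed by SHA-256 of the executable image; the "executables" are constructed byte strings, and the point to notice is that an unknown file and a tampered copy of a known file are both denied, while a file that changes on every open (as bontchev notes Excel does) would be denied the same way unless re-approved.

```python
"""Default-deny execution check by file hash (added example, constructed data)."""
import hashlib
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    """Digest of the whole executable image; any byte change gives a new digest."""
    return hashlib.sha256(data).hexdigest()


def build_whitelist(known_good: Dict[str, bytes]) -> Dict[str, str]:
    """Map digest -> label for every image the user has explicitly approved."""
    return {sha256_hex(blob): name for name, blob in known_good.items()}


def check_execution(whitelist: Dict[str, str], data: bytes) -> Tuple[bool, str]:
    """Default deny: allow only if the exact digest is on the list."""
    digest = sha256_hex(data)
    label = whitelist.get(digest)
    if label is None:
        return False, f"deny: {digest[:12]}... is not on the whitelist"
    return True, f"allow: {label}"


# Constructed sample images (hypothetical; only the 'MZ' prefix mimics a PE file).
KNOWN_GOOD = {
    "calc.exe": b"MZ" + b"\x00" * 62 + b"constructed calc image",
    "notepad.exe": b"MZ" + b"\x00" * 62 + b"constructed notepad image",
}
WHITELIST = build_whitelist(KNOWN_GOOD)


def demo() -> Dict[str, bool]:
    """Three cases: approved image, never-seen image, approved image with one byte changed."""
    dropped = b"MZ" + b"\x00" * 62 + b"constructed dropped executable"
    tampered = KNOWN_GOOD["calc.exe"][:-1] + b"!"
    return {
        "known": check_execution(WHITELIST, KNOWN_GOOD["calc.exe"])[0],
        "unknown": check_execution(WHITELIST, dropped)[0],
        "tampered": check_execution(WHITELIST, tampered)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

    The check only sees files that are about to be executed from disk; code that exists purely in memory, as bontchev points out for shellcode and CodeRed, never reaches it.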
  19. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    That's not that easy to explain in a "universally" usable manner.
    The "easy" exploits you can "detect" if you find a few 0x90 bytes (NOPs).
    Otherwise you have to search for encryption loops, aka xor, rol, sub, add, etc.
    Basically you have to detect valid assembly code.
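    To make the two cues above concrete, and to show why looking for an MZ header (the earlier question) is not enough, here is an added example scanner; it is not a tool from the thread. It flags a run of 0x90 (x86 NOP) bytes and a short XOR-decoder loop pattern, then runs over a constructed JPEG-like sample that has no MZ header but still triggers both heuristics. The sled length threshold, the simplified loop pattern and the sample bytes are assumptions.

```python
"""Heuristic scan for shellcode-like byte patterns (added example, constructed data)."""
import re
from typing import Dict, List

NOP_SLED_MIN = 16  # assumed threshold; shorter NOP runs occur as ordinary padding

# x86 'xor byte [reg], imm8' is opcode 80 /6 ib. With mod=00 the ModRM values
# 0x30..0x37 select [eax]..[edi]; 0x34 (SIB) and 0x35 (disp32) are excluded.
# Simplified decoder-loop shape: xor, any imm8, 'inc reg' (40..47), then a
# short backwards LOOP (E2) or JNZ (75). Real decoders vary; this is one shape.
XOR_LOOP = re.compile(rb"\x80[\x30-\x33\x36\x37].[\x40-\x47][\xe2\x75][\xf0-\xff]", re.DOTALL)
NOP_SLED = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)


def has_mz_header(data: bytes) -> bool:
    """The check lucas1985 asked about: only catches a proper PE/DOS image."""
    return data[:2] == b"MZ"


def find_nop_sleds(data: bytes) -> List[int]:
    """Offsets of NOP runs at least NOP_SLED_MIN bytes long."""
    return [m.start() for m in NOP_SLED.finditer(data)]


def find_xor_loops(data: bytes) -> List[int]:
    """Offsets where the simplified xor/inc/loop decoder shape appears."""
    return [m.start() for m in XOR_LOOP.finditer(data)]


def scan(data: bytes) -> Dict[str, object]:
    sleds = find_nop_sleds(data)
    loops = find_xor_loops(data)
    return {
        "mz_header": has_mz_header(data),
        "nop_sleds": sleds,
        "xor_loops": loops,
        "suspicious": bool(sleds or loops),
    }


# Constructed sample: JPEG SOI/APP0 markers, filler 'image' bytes, a 24-byte NOP
# sled, a 6-byte decoder-loop stub (no payload behind it), then the EOI marker.
FAKE_JPEG = (
    b"\xff\xd8\xff\xe0" + bytes(range(32))
    + b"\x90" * 24
    + b"\x80\x30\xaa\x40\xe2\xfa"
    + b"\xff\xd9"
)
# Constructed benign sample: same markers, filler, and a 3-byte NOP run below threshold.
CLEAN_FILE = b"\xff\xd8\xff\xe0" + bytes(range(64)) + b"\x90\x90\x90" + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in (("fake_jpeg", FAKE_JPEG), ("clean", CLEAN_FILE)):
        print(name, scan(blob))
```

    The flagged file never passes the MZ check, which is the point: the header tells you what the file claims to be, not what bytes it carries. As FRug notes above, code can also be shaped to look like normal content or padded with junk instructions, so these heuristics catch the "easy" cases only and are best read as triage, not as a verdict.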
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Can that be done with a simple text/hex editor (such as this one) or a tool like FileAlyzer?
    Thanks again.
     
  21. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    YES! If you can read (and understand) assembly directly out of hex bytes (including on-the-fly offset recalculations for addresses and EXX register tracing), it's basically very easy to learn. Took me around 15 years.
     
  22. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Rmus, the problem is that for YOU, yes, it doesn't seem confusing, complicated or stupid. For most of the people here, it doesn't seem overly complicated. However, the MAJORITY of users don't want or NEED a frequent parade of pop-ups telling them that this action may be dangerous; they just want to mindlessly continue surfing, emailing, looking at porn or whatever it was that they would be doing when a pop-up jumps up at them. They will merely click "Yes" or "OK" just to go back to their blissful life. Those are the people that need protection the most, simply because they do not possess the knowledge to protect themselves. It is those very people that the makers of AV/AS/Anti whatever else comes along must provide protection for. Because, when those people get infected or hacked or whatever, they will email the Inspector (or his counterpart at their chosen AV) and whine about why their computer got infected and how they get back to cruising porn or whatever they were doing when they got infected.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I would add that I've never encountered any difficulty in setting up on "average" users' systems what I described.

    I agree with the rest of your statement with the qualification that those who "do not possess the knowledge to protect themselves" can effectively be taught *how* to protect themselves, which is something I and my colleagues demonstrate regularly.

    Just because the "majority" seem to be helpless does not mean that something can't be done to correct this situation. A daunting task, I realize, but sitting and doing nothing accomplishes nothing.


    regards,

    -rich

    _____________________________________________________
    Just because someone's shoes are too tight, why should my feet hurt?
     
  24. coolbluewater

    coolbluewater Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    268
    Location:
    next door to Redmond
    Most "common" end-users (those without knowledge of Wilders or any other security-related forum) will need an AV solution, with M$ being the dominant end-user OS provider. Not to mention those same end-users who will disable/shut-down an AV if they think their surfing is being slowed down while going after that favorite recipe, trolling MySpace, or downloading/installing other apps ("always turn off that AV first!"), etc. It's never ceased to amaze me during my previous support years how many end-users were afflicted with PEBCAK issues when it came to what we here deem as common security practices... and I'm talking *really* bone-headed, Darwin Award in-the-making scenarios.
     
  25. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    To complete Rmus' reply, AE (from the screenshots) does not ask questions, it informs. I'm sure that you can turn that off too.

    What I'd like to be expanded on is what the Execution prevention then fails to stop. What can be achieved without executing (what danger), and whether HIPS like SSM detect and block such actions. I'd like a real life example, but I'm not as rigid as Rich :) , you can draw a scenario for me. But that's just me, I don't know that much.

    No, the AV is not dead. A trojan found is a trojan found.
     