Antivirus is DEAD!

Discussion in 'other anti-virus software' started by farmerlee, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    User education won't solve the problem either.

    Just have a look at Zlob. The user is tricked into *wanting* to execute the file with social engineering. No whitelisting will stop her/him from doing that.

    On an end user system, a whitelist solution will constantly pop up because there are so many unknown applications and users update/install new things every day. After getting > 5 warnings a day, the user will simply disable the security program. Every "normal" user I know that is using Vista has disabled the UAC because it is too much hassle for them! And you really believe you can convince them to endure even more warnings AND let them properly decide what to execute and what not? Sorry, but that is just plain naive.

    Antivirus scanning puts the work and expertise on the side of the AV company. The user must do nothing; if a warning pops up, (s)he just deletes/cleans the file and the user is happy.
    Whitelisting, (simply designed) behaviour blocking, sandboxing, anything that forces the user to make decisions whether it's ok to execute the file or not puts the responsibility on the user side. Good idea, really... Just shift the blame. :)

    It is beyond my understanding why people come up all the time with 20-year-old ideas that have been tried again and again AND AGAIN and never worked out - and claim they found the holy grail and the solution to all security problems. The only thing missing is that they name their product "42".
    Where did I hear that slogan "will protect you against all malware, past, present and future!" again?
     
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    However, behavior blockers are imo the way to go right now. Sure, they also pop up warnings on legit files from time to time (AVs do that too with FPs), but in general they don't bother users unless something really bad is executed (taking Cyberhawk/KAV6 PDM as an example). And they have an extremely high detection rate with very low update requirements.
     
  3. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    In practice that looks like that:
     

    Attached file: LOL.jpg (21.7 KB)
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Herein lies the problem. I've seen emails from people I've never heard of with unusual subject headings, some quite enticing, and in quite a few cases the grammar can be poor, but common sense tells me not to even bother with it. I even have the preview pane disabled in my email client so the mail cannot be viewed, lest there be web bugs contained therein.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Of course users are happy with a system that allows everything, because they don't want strong security, while other users want such security.
    Scanners are a good way to keep users comfortable by giving them a fake message "Congrats, system is clean." Once they install another scanner, they find out their system had already been infected for months, because their first scanner didn't remove it, very good security. :rolleyes:
    False positives deleted by average users, who damage their own computer, very safe solution. :rolleyes:
    It's obvious and logical, that an AV expert is pro AV-scanners.

    I already told you what I want and what I want does NOT exist, because the security industry keeps on re-inventing new AV/AS/AT/AK/AR/... scanners, new HIPS, new sandboxes, ..., while the whitelist approach has been neglected during all these years and that's why we have BAD whitelist software.
    That's why I have to use software like FirstDefense-ISR and Anti-Executable, which are both NOT good enough, but there is nothing else out there.

    Why is there always a test of AVs and nothing else than that? Is that a 20-year-old tradition or something? I find these AV-tests pretty boring: always another winner and a bunch of losers.
    I never saw a test of FirstDefense-ISR, DeepFreeze, ShadowUser, ... isn't that interesting enough for experts to try something else FOR A CHANGE, than repeating the same old tests over and over again, again and AGAIN?
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    What are their failings, specifically?
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What failings: users or scanners?
    Users fail all the time, they are the weakest link in security, because they can't control their curiosity.
     
  8. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Could you please consider using conventional black text on white background? Fx and nVidia don't like your black background and white text. I can't use auto scroll there as the screen flickers and the text becomes too tiny to read in addition to flickering in and out. Besides, I never use websites that have black backgrounds (except BlackViper) because it is so tiring for the eyes.

    As for your getting your post deleted at dslr Security forum...I missed that because I was, out of the blue, banned for three days there. Ban was just lifted. I was given no reason for the ban other than that I somehow violated the TOS for the site. The offending post was not given to me but I suspect what angered Mary (WCB) was that I had posted in a thread there and mentioned that I was waiting to see if anyone would post the topic which I had posted here several days earlier when it was first news and that the discussion here was quite interesting contrary to the discussion at dslr which was juvenile. The implication that Wilders just might have the better membership now is a no-no that I had to be punished for. :rolleyes: Mary probably deleted your post because you represent a vendor and she doesn't want vendors posting there.

    I find all the comments about how most users refuse to learn anything about security puzzling. When I got my first computer in 1999, I was older than most computer users. Yet, I knew one thing: an always updated antivirus was essential. I had an awful time trying to understand McAfee 4.2 that came on the computer...I read the definition for "heuristics" about a dozen times and it was like reading a foreign language that I had no knowledge of. But I persisted and learned as much as I could about McAfee. I also don't understand how these average users get all these viruses or why people even need AVs. All one needs is to have good judgement and be practicing safe computing. One does need something like a software firewall or ProcessGuard...that is much more important than an AV. Everyone needs a program to control what calls out! That is the main reason I use PG.

    I have only had one virus in all these years (and I got it on a blank, new store-bought floppy that I didn't know could be infected so I didn't scan it). I've never had spyware. And I knew nothing about computers until 1998 when I went to a county sponsored program to teach folks 55+ about computers. We didn't learn a thing about security but some about privacy. So, when I got my own computer a year later, I knew nothing about how to use the computer except how to surf. But I learned and I just can't understand how anyone could get a computer and refuse to learn how to use it properly, which includes how to use the AV, the firewall, and basics about the OS and the File System. I think everyone should have to be licensed to use a computer and should be required to take security courses prior to being allowed to purchase a computer. I think the courses should be sponsored (at least in the USA) by Microsoft and the US government.

    I certainly don't think AVs are "dead" nor do I think a ridiculous solution like whitelisting is practical or even useful. Users who insist on surfing to any site, clicking on everything in sight, deserve what they get. First thing I learned was to be very careful what sites I visited and to never read email in HTML, or use the preview pane or open attachments without first downloading to disk and scanning with my updated AV. I also learned to never open an email from any source I did not recognize and if in doubt to read it via properties where it was never opened. All of this was very simple, very easy to learn and abide by, so I don't understand users who can't learn such simple precautions that would eliminate most risk. If you insist on visiting porn/gambling sites, downloading P2P stuff, accepting files from strangers via instant messaging, etc. then you deserve a wrecked computer. A computer is not a toaster and won't be for another generation. Users have to be realistic and if they don't want to be then they should not get computers. Since they seem to have no common sense, licensing is the only realistic answer with demonstrable proof of ability to properly use a computer.
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    That is a very good post, Mele. :)
     
  10. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    My apologies; I quoted the wrong part of your post by accident. To correct my previous question: what do you find insufficient with F-DISR and AE?
     
  11. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    I think a lot of this comes down to the fact that individuals with substantial know-how regarding computer security tend to assume that everyone else must have some level of competency in this area. Many individuals with that type of know-how, such as those that frequent Wilders, might acknowledge that everyone else (the masses) doesn't have the same level of know-how as them, but many still assume, perhaps because of the prevalence of computers or perhaps because it seems so basic to them, that most people in general have the capacity and motivation to acquire the necessary know-how to secure their computer. As should be obvious, this is a false assumption. Vast numbers of people, constituting a majority of people world-wide, are computer illiterate and lack the willingness and ability to secure their computers.

    For those whose personal experiences don't necessarily align with this notion, perhaps consider that the sample (people you've observed and/or helped in this area) that you're basing your perspective on might be skewed for various reasons. It could simply be that you have too small a sample size to generalize with any meaning, or it could be that your sample, even if substantial in size, is unrepresentative of the larger population (say if you are working within academia or your sample consists mostly of younger individuals who tend to be more familiar and comfortable with computers than their older counterparts).

    Lastly, the solution to this problem isn't some sort of systematic education for the masses, as that is impractical at best. Perhaps the only reasonable solution involving systematic education would be to educate younger students in a more comprehensive manner, teaching them the basics of how to use and secure one's computer. This could be made standard curriculum in middle and high schools (and their equivalents internationally). While even this task would be difficult and convoluted, it is at least practicable (in some countries).

    All the nonsense about requiring licenses to operate a computer is absurd. Its implementation is impractical at best, perhaps even impracticable altogether. It would be a logistical nightmare, and would require an international governing entity to regulate and enforce. Even if somehow it was implemented, it would put a halt to the global economy, and would be counterproductive in getting the masses connected and teaching them how to use and secure their computers as it would introduce unnecessary costs towards achieving that end.
     
    Last edited: Jun 11, 2007
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    OK, my 2 cents if you don't mind...

    As I always say, there are four main defense walls. These are: a firewall to control your Internet connections and traffic, HIPS to cope with malware unknown to the AV, anti-virus to prevent already known malware from executing and to clean up unknown malware once it becomes known, and a backup hard drive in case yours dies. Each solution covers the others' back (weak points).

    So, there is no "AV replacement" solution, as AVs are THE EASIEST TO USE! There is only one button, "Scan now!" (mostly), and this is all a simple user needs. Firewalls and sandbox HIPS (as the simplest tool for HIPS) are not so simple for the user.

    Why "AVID"? The fact is that the AV industry PRs their scanners as front-line anti-malware solutions. But the fact is that nowadays their effectiveness in this role is about 50% and getting lower. But they can't stop their PR machine, as this would show their lie. They can't stop; they can just add HIPS solutions into their products (Kaspersky), that is the only way for the industry itself. So, yes, AVs are dying as first-line defense, but they are still effective as second-line cleanup tools (malware response time is not important in this case).

    HIPS. Some of them are for geeks (classical), some are for advanced users (expert), some are for average users (sandbox). It is just a matter of core architecture. But, naturally, the weakest place for HIPS of any type is... their users! Social engineering will never die; it is a thousands-of-years-old technique and will live for thousands more. It is harder to do this trick with an AV scanner, but it is possible anyway.

    The "teaching users" technique won't work, because there are a lot of people in the world who see no reason for it and you can't make them.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    FDISR does a good job in cleaning your computer, unfortunately this happens only on reboot and that is too late, because infections can install and execute themselves in the period between two reboots.
    The freeze storage of a frozen snapshot = whitelist of ALL objects in my system partition and that's why FDISR is able to clean my system partition completely, but too late.

    Anti-Executable acts IMMEDIATELY and that is excellent, unfortunately only for unauthorized EXECUTABLE objects and not for other unauthorized objects.

    If Anti-Executable (= Anti-Malware) would act IMMEDIATELY for any unauthorized object, I wouldn't need FDISR anymore.
    If AE (AM) would stop any unauthorized object, there is:
    - no installation of infections possible
    - no execution of infections possible, because there is no installation.
    - no removal of infections anymore, because there is no installation.
    If my system partition has that kind of protection, I don't need to protect my data partition anymore either.
    My data partition can still be infected by downloading infected data files from an unknown source, but that's MY stupidity.

    There are "exploits", that can't be detected and removed, because they operate in the memory.
    So be it, in that case neither whitelists nor blacklists will remove these exploits.
    Exploits prove only one thing to me: this time, the bad guys were smarter than the good guys. :)
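    The two policies Erik contrasts, an executable-only allowlist (AE-style) versus a whitelist of all objects in a partition, modelled as a hash baseline check that runs immediately rather than at reboot. This is an added illustration, not code from any poster nor from FDISR or Anti-Executable; what counts as "executable" (PE/ELF magic bytes or a common suffix) and the sample files are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed definition of an "executable object": PE/ELF magic or a common executable suffix.
EXEC_MAGIC = (b"MZ", b"\x7fELF")
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def sha256_file(path: Path) -> str:
    """Content hash of one object; the baseline is keyed on path and hash."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    if path.suffix.lower() in EXEC_SUFFIXES:
        return True
    with path.open("rb") as f:
        return f.read(4).startswith(EXEC_MAGIC)


def snapshot(root: Path) -> dict:
    """The 'frozen snapshot': relative path -> sha256 of every object under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def unauthorized(root: Path, baseline: dict, executables_only: bool) -> set:
    """Objects that are new or changed relative to the baseline.

    executables_only=True models an Anti-Executable-style allowlist (only executable
    objects are judged); False models a whitelist of all objects, where any unauthorized
    object, data or code, is reported the moment it appears instead of at the next reboot.
    """
    found = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if baseline.get(rel) == sha256_file(p):
            continue  # known object, unchanged
        if executables_only and not is_executable(p):
            continue  # executable-only policy ignores non-executable objects
        found.add(rel)
    return found


def demo() -> dict:
    """Builds a constructed baseline, then drops/modifies objects and evaluates both policies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        # constructed baseline content (the state captured in the snapshot)
        (root / "app" / "good.exe").write_bytes(b"MZ" + b"\x00" * 30)
        (root / "app" / "config.ini").write_text("[settings]\nsafe=1\n")
        baseline = snapshot(root)
        # constructed changes between two reboots: a new executable, a new script, an edited config
        (root / "app" / "dropper.exe").write_bytes(b"MZ" + b"\x01" * 30)
        (root / "app" / "loader.vbs").write_text("' constructed sample, contains no code\n")
        (root / "app" / "config.ini").write_text("[settings]\nsafe=0\n")
        return {
            "executables_only": unauthorized(root, baseline, True),
            "all_objects": unauthorized(root, baseline, False),
        }


if __name__ == "__main__":
    for policy, objects in demo().items():
        print(policy, sorted(objects))
```

    The executable-only policy reports just the dropped .exe, while the all-objects policy also catches the script and the edited configuration file.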
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Hardware DEP + ASLR enabled will stop it cold.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks. I will look into this. This thread didn't mention anything about this. ;)
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The malware disappears when you reboot. Why is that "too late"?
     
  17. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    The Wilders Security world and the real world are two different things.
    Try explaining things like behavior blockers, HIPS, and sandboxes to a newbie; matter of fact, if it wasn't for this forum I would have no idea what the hell any of those programs were.

    For an example, as a newbie to software security, I know about AVs, AS, AT, software firewalls and routers, that's WITHOUT coming here and learning.
    It's when you start mentioning behavior blockers and HIPS that I can almost guarantee you that the beginners or average users in the real world have no idea what the hell you're talking about. Matter of fact, when a discussion comes up about security programs for a computer either at work or at home, why is the #1 question "What AV do you use?"
    How come no one says "What HIPS program do you use?" "Which behavior blocker do you prefer?"

    I've logged onto Wilders from work a few times and you should hear the reactions/comments from some people.
    They have no idea whatsoever what I'm reading, can't understand a lot of it and most of the time their only response to me is "WTH are you reading, how can you understand that?"
    So when someone mentions AVs are dead, dead for whom? The advanced users? Because the newbies or average users such as myself rely on some type of protection and an AV is part of the solution.

    This was just my 2 cents, thanks. :thumb:
     
  18. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    Because the malware could have already done its job, such as steal and transfer personal info, before rebooting.

    Erik explained this in the sentence you quoted...
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is correct. FDISR doesn't recognize bad objects, because FDISR isn't security software, it's immediate system recovery software.
     
    Last edited: Jun 11, 2007
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    So why not add a firewall to your security setup, instead of praying that your one, single solution works against all kinds of threats?
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I have a router + firewall to control internet traffic, but that's not enough.
    I want to get rid of my boot-to-restore solution and only an improved and bigger AE would make that possible.
    Actual AE = whitelist of all executable objects.
    I want AE = whitelist of all objects (like in FDISR).
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No doubts!

    It is not really hard to do.

    That means that you've read it in computer magazines, that is why you know what it is. Right? So, it is just a question of PR. I may assure you - in case of a massive PR campaign even simple users will know what HIPS are and why he/she needs it. That is an average story - the same happened with firewalls. I remember those days when I hadn't heard about them and how various journalists from magazines explained to me what it is and why I need to buy it. I didn't, but the idea itself is very clear...
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    When I said firewall, I meant as in "software firewall with outbound traffic control".

    A "whitelist" of "all objects" is clearly unfeasible, for reasons that have been pointed out earlier in this thread.
     
  24. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Ilya-

    Explaining programs like HIPS or sandboxing may not be hard for someone such as yourself (DefenseWall), but for someone like me (beginner) it's quite complicated to understand, not so much with the sandbox programs but with a HIPS program I'm completely lost.
    This is what I mean by the real world: people just do not understand certain security programs, yes it can be a PR issue but at the same time some of these programs are not beginner usable.
    For instance SSM seems to be the HIPS of choice around here but for someone like me that's asking for trouble.
    As I mentioned previously, without this forum I would have no idea what a HIPS program is or what it does, or any other behavior blocker or sandbox.
    I knew about AVs, FWs and such not from reading computer magazines but through word of mouth; matter of fact I have never read a computer magazine in my life, still haven't to this day.
    I went through a lot of trial and error but to be truthful it took one person to lead me in the right direction with the basics of security programs, from there I was basically self taught and to this day I'm still very much the beginner.
    This is why when I ask questions about software I need as much detail as possible or I'm lost.
    From my point of view every time I read something posted here I'm doing it in newbie mode or I ask myself how would I explain that to someone who doesn't have a clue about a certain program.
     
    Last edited: Jun 11, 2007
  25. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    The notion that the masses acquire most of their information about computer security from public relations (PR) seems reasonable enough. However it does make the obvious assumption that most of the information the masses receive about computer security is somehow a derivative of PR; this I cannot confirm or refute as I simply don't know, I can only speculate about that. Your extension of this notion is that if the big computer security firms put forth a PR campaign for say HIPS that the masses would then 'know what HIPS are and why he/she need it'. This is where the argument becomes less straightforward. I agree in part with the initial premise, but just because such PR worked that way with anti-virus and anti-spyware software, doesn't mean it will work the same way with other types of security software. Granted such PR would inform the masses about HIPS, but it wouldn't necessarily enlighten them about how HIPS actually work and the purpose behind it. Your example of firewalls reinforces this point. I made a similar observation in a different thread (see below) that posed a question that your notion addresses. The reason firewalls are the exception is because of the PR behind them, at least according to the notion. However, this doesn't reinforce your extension of the initial premise. Namely, just because there was significant PR for firewalls that informed the masses about them doesn't mean the masses understood what exactly a firewall is, how it works, what its purpose is, etc. To the contrary, from what I've gathered so far, most people don't really know what a firewall does or how to properly use it. What most people (the masses) know about firewalls, if they know of them at all, is that it is good to have a firewall and that it has something to do with 'controlling the internet', as I've heard several times. This hardly constitutes understanding what a firewall is and why one needs it. To an extent, HIPS are similar to firewalls (as elaborated below) and PR about them would likely have a similar result.

    EDIT: As a side note, when you said "I didn't" in the last part of your post, did you mean that you didn't buy a firewall and don't use one?
     
    Last edited: Jun 11, 2007