Antivirus is DEAD!

Discussion in 'other anti-virus software' started by farmerlee, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I suppose you didn't separate your data files from your system files, like I did.
    I have a system partition [C:] = Windows + FDISR + Applications
    and a data partition [D:] = personal word/excel files, downloaded files, email, email-address-book, ...
    My system partition is protected by a frozen snapshot + Look'n'Stop + Anti-Executable + DefenseWall.
    My data partition has nothing but folders and data files.

    All objects = any object on my system partition, system files, registry, ... anything on my system partition.
    What do you consider as "all objects" ?
     
  2. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    I'm following this thread with great interest and even though I don't understand everything, nonetheless, I do get the gist of the various posts. We've mentioned a couple of Erik's 'unauthorised objects' already and it's clear that malware doesn't need an executable extension to penetrate one's defences and do damage, as in the case of exploits and malicious .jpg items. Since whitelisting, useful and all as it is, has its limitations and cannot be extended to cover these kinds of threats, I'm wondering what the best way of dealing with them is.

    I suppose possible solutions would lie in the realm of sandboxing, virtualisation and maybe behavior blockers like Cyberhawk.

    One thing is clear, AVs themselves are likely to diminish in importance as the years go by and become redundant for the competent user.

    Cheers folks.
     
    Last edited by a moderator: Jun 8, 2008
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Now you're confusing me.

    If that's your definition of "all objects", then AE will work against them just fine. I thought you were referring to the type of exploits being discussed earlier.

    So apparently AE's got you covered. I don't see the point of the fuss.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Read Ilya's post, exploits can be killed too. :)
     
  5. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    Hi Erik, I saw Ilya's post but I don't understand it yet. I need to do some more research.

    Cheers
     
  6. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    This thread is an example of what I like so much about Wilders. It educates.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't understand it either. :D That doesn't matter, because I can learn about it. I learned so many things at Wilders.
    I always think in big lines first, then the details. First the forest and then the trees. :)
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I mentioned exploits as a problem, but Ilya solved that problem. Case closed.
    The rest is about whitelists or blacklists and I prefer whitelists.

    Whitelists have a future because they are limited to your own computer.
    Blacklists will end up in enormous blacklist databases of each scanner on your computer with a very long scan time.
     
    Last edited: Jun 11, 2007
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, classical and expert HIPS are quite hard to explain. But I always thought that the sandbox HIPS I produce is easier
    to explain, even compared with standard dual-bound traffic firewalls (no popups). I.e., the sandbox HIPS model is for average users, as the simplest form of HIPS (I hope).

    Agree. But, right now, it is mostly a PR problem, as there are HIPS that are for average users.

    SSM is a classical HIPS implementation. It is for geeks only (but not for me, I hate popups!).

    But what is his source of information?

    Believe me (and my 5 years of shareware experience). No PR, no sales. Nobody will know that there are HIPS systems that an average user can use. Also, according to my experience, there is no difference if you sell AV, AS, firewall, HIPS, OCR, or PDF converter: the rules are the same.

    You will be laughing, but the point is that normal users don't understand what exactly an anti-virus is, how it works, why it is impossible to cure malware modules if they are infected,... I've just read somewhere here that some lady had a Symantec AV installer icon on her desktop (it hadn't been installed!) and thought she was protected because it is SYMANTEC! After the installation was done by another person, she didn't update the anti-virus databases (why? it is an anti-virus by SYMANTEC!, it has to catch all the viruses in the world!). So, my point is: any complex software is really hard to understand for a normal user; they rather remember all the steps somebody tells them to do (constantly update databases, for instance) that need to be done, but will never understand why they do this. This behavior reminds me of a well-trained monkey in a zoo. :D

    Yes, I agree. But is it really bad? I assume that it increases the average defense level and malware production cost.

    I can't say I don't use a firewall, as it came with my new computer's NVIDIA motherboard installation kit; it is here and active (ActiveArmor), but I never simply follow PR. I need to understand what it is, why it is, if I really need it, is it suitable for me, can I write it better,..... While I had a dial-up Internet connection, I had no need for a firewall and I didn't use one.
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    All is simple. Hardware DEP switches on the NX/XD bit that marks data memory pages as non-executable. This prevents stack, data and heap exploits from proper execution. This scheme could be broken with a return-into-libc attack, but ASLR will make this really hard (need to guess new addresses for exploit data, system functions,...).
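The post above describes the two mitigations as a pair: DEP/NX stops injected data from running, and ASLR makes the return-into-libc fallback a guessing game. On Windows each PE image opts in to both through bits in its optional header (IMAGE_DLLCHARACTERISTICS_NX_COMPAT and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE). The checker below is an added example written for this thread, not code from any product or poster discussed here; it parses the PE headers directly with only the standard library and reports which opt-ins an image carries. The two sample images it builds are constructed header-only stubs for exercising the parser, not real binaries.

```python
import struct

# Bits of the PE optional header's DllCharacteristics field (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR can move it
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image declares DEP/NX compatibility
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Report the DEP and ASLR opt-in bits of a PE image.

    Returns {'dep': bool, 'aslr': bool, 'pe32plus': bool} and raises ValueError
    when the buffer is not a PE image. Only the headers are read, so a partial
    download or a header-only stub is enough.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20  # COFF file header is 20 bytes; optional header follows it
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+ alike
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "pe32plus": magic == PE32PLUS_MAGIC,
    }


def describe(image: bytes) -> str:
    """One-line summary of which of the two mitigations an image lacks."""
    m = pe_mitigations(image)
    missing = [name for name, present in (("DEP (NX_COMPAT)", m["dep"]),
                                          ("ASLR (DYNAMIC_BASE)", m["aslr"])) if not present]
    return "all mitigations present" if not missing else "missing: " + ", ".join(missing)


def build_sample_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE stub for testing the checker (not a loadable binary)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points to 0x40
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224                   # standard sizes with 16 data directories
    machine = 0x8664 if pe32plus else 0x14C               # AMD64 or i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "->", describe(f.read()))
    else:
        hardened = build_sample_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                   | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
        legacy = build_sample_pe(0, pe32plus=False)
        print("constructed hardened sample ->", describe(hardened))
        print("constructed legacy sample   ->", describe(legacy))
```

Run it with a path to inspect a real executable, or with no arguments to see the two constructed samples. Two caveats for reading the result: NX_COMPAT is only the image's declaration, and the system-wide DEP policy (OptIn, OptOut, AlwaysOn) together with NX-capable hardware decides whether it is actually enforced; likewise DYNAMIC_BASE only lets the loader relocate the image, and an OS without ASLR ignores it.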
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,123
    Location:
    Hawaii
    Slamming a competitor's software is not right IMO. I hope this thread doesn't evolve into criticism & promotion of specific products.

    Having said that, I cannot leave this misleading comment (i.e., "for geeks only") go unanswered. I am not a geek & I use SSM. Neither is my 9-year old great-granddaughter a geek, & she uses SSM. Neither are the high school students in my business math class geeks, yet they readily use & configure computers protected by SSM. As to pop-ups, they are rare (& VERY useful) after exiting SSM's learning mode.
     
    Last edited: Jun 11, 2007
  12. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    I think you somewhat misunderstood what I was saying. As a general rule, PR drives sales, no PR = little or no sales. That's a given and is not in contention. One of my points was that a PR campaign about HIPS would have a similar result as the PR campaign for firewalls, as in the masses would be informed about the existence of such security software and that they should probably use it, but most wouldn't know how it works or how to use it properly. What matters here isn't that the masses know how security software works, but rather that they know how to use it properly. Granted to some extent learning how security software works is instrumental in learning how to use it properly, but when concerning the masses, informing them about the nature of security software such as HIPS, as in how it works on a technical level, is an act in futility.

    Sadly this is the nature of the computer security market, at least with regards to the masses, and will continue to be so for at least several generations. As newer generations grow up surrounded by computers, they will increasingly be more familiar and comfortable with computers in general, and thus more capable and willing to acquire the necessary know-how to secure their computers.

    Not sure what you mean here. I never said or meant to imply that a PR campaign or its effects would be bad in any way.
     
  13. walking paradox

    walking paradox Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    234
    I think you are reading too much into Ilya's comment. All he was trying to convey was that classical HIPS such as SSM require more user input and that proper use of such software requires relatively significant know-how regarding computers and computer security and that people that have said know-how are commonly referred to as 'geeks'.
     
  14. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,123
    Location:
    Hawaii
    "Geek" is a misleading & somewhat insulting term to use for computer enthusiasts. See Merriam-Webster Dictionary's definition HERE.

    Using such words as "only for geeks" in reference to a competing program can unfairly discourage purchase or trial.
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,047
    Location:
    Texas
    Let's stick to the concept being discussed here in this thread rather than specific programs and what computer users should be named.

    If anyone is offended by the terminology used by anyone in their posts, use the "report bad post feature" rather than drag this thread off topic.

    Any off topic posts may be removed at anytime.
     
  16. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    A lot of diverging opinions regarding AV, whitelisting, firewalls, and security programs. Each user is coming from a different background and level of expertise and I will offer my personal view of the original post based on my personal and corporate use history.

    1) Personal - I read some computer magazines and have a Computer Science degree (before the age of the WWW). The first AV program (DOS based) that I used was something called SCAN.EXE (which I think is a precursor to McAfee VirusScan). I have used that and several other AV programs and then later added a Firewall based on computer articles and newspaper reviews. I have read much about antispyware programs but have used them sparingly. The vast majority of users will remain with AV and firewalls until PC vendors stop loading them onto hard drives or they become abandoned en masse (much like the Netscape browser).

    2) Corporate - Security is determined by system administrators for all work stations. Right now, only AV resides on all corporate machines. Communication traffic is regulated by corporate servers. There are no antispyware applications used, nor are any planned for the future. Most users are not expected to reply to "stupid alerts" and the thousands of users would not put up with it.

    The security landscape can change drastically, but I am not going to hold my breath waiting for it to happen. :blink:
     
    Last edited: Jun 11, 2007
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,047
    Location:
    Texas
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Taken from Ronjor's link:
    Whitelist/blacklisting seems to be the only things mentioned in the article.

    Sandboxing/Virtualisation/Snapshots and imaging are viable additions to a security setup.

    As for the magic silver bullet for a non Wilders visiting normal user, Defensewall would be my choice.
     
  19. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Franklin,

    Any user, casual or advanced, may still be faced with the question of whether downloaded content is potentially malicious or not. Given that malicious and non-malicious programs can exhibit similar behaviors, the control of behavior is not necessarily a panacea. Ultimately a user needs to be able to assess whether file X is malicious or not and there are really only three paths to that answer:
    • Run it and observe over an extended timeframe. This is ambiguous if the malware is a sleeper.
    • Learn enough coding to reverse engineer the executable. Not practical.
    • Take advantage of the expertise of professionals who can reverse engineer the executable to make an independent assessment. In other words, use a classical blacklist AV as a screening tool.
    The last option is really the only one feasible in a large and heterogeneous user base and as long as content can be downloaded and used, my personal opinion is that this will always be true. Now, that classical blacklist may need to be augmented to reflect current challenges floating around, and that short list of viable additions you mention are certainly potential avenues for anyone to explore.

    Proclamations such as that leading off this thread or the Robin Bloor piece, that the classical AV is effectively dead, are ludicrous and something that even extensive user education will not change.

    Finally, there are no silver bullets now, and there never will be as long as the motivation to perform malicious deeds is present.

    Blue
     
  20. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    BlueZannetti, I have to agree with you 100%. I don't believe that conventional AVs will just cease to be effective, but with the addition of new technologies they will continue to be a valuable security tool.

    bigc
     
    Last edited: Jun 12, 2007
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I would add the option of using one of the on-line sites employing multiple scanners [my method when I'm not sure about a downloaded file]. Probably as up to date as your own AV product would be.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  22. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None
    If any of you have the book by Peter Szor - The Art of Computer Virus Research and Defense, look at page 484 about integrity checker. Peter too mentions the disadvantages...
     
  23. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I MEANT NO SLAMMING! In fact, I think that SSM is really good in its niche! I just wanted to say that SSM and PG are still 2003-2004, but those types of product are still not mainstream. The reason for that is that those types of products require a lot of technical knowledge from their user, so this niche is usually called "for geeks".

    I agree.

    There still will be some "technically idiotic" people who will be good in other fields of human activity (literature, music,...), but yes, the common knowledge level will increase dramatically.
     
  24. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    You've missed one more point here: send it to anti-virus laboratory for human expertise. I don't believe in AV scanners too much (false positives, false negatives), but human expertise gives more reliable mark as you may send sample to many labs.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ilya

    You and several other vendors are working hard to idiot proof security software, and I suppose that is a good thing. The only problem is the idiots don't or won't acknowledge the need and won't use them.

    Same thing as backup. I had a friend who lost her disk drive, and she was complaining the machine was just out of warranty. She also lost her family photos. I offered to help her learn to back up so it wouldn't happen again. Her response: "No, I don't need to, now that I have the new drive." Hello...

    Pete
     