AT vs AV, a 12 round bout for control of your security.

Discussion in 'other anti-trojan software' started by Jaws, Jul 12, 2005.

Thread Status:
Not open for further replies.
  1. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Agreed, and what's to stop an AT company from adding virus definitions and touting their product as doing so. Doesn't sound any different from what they're doing now (definition, heuristics, resident scanner).
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I believe every player starts with some kind of ideal...from a programmer's view it would be unheard of to begin with something like Kaspersky (all around detection) because this would cost too much.

    Second...the economics are real bad everywhere, people have to choose. Just like we do I guess.

    the separation is a good case still, hence layered security.
     
  3. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Infinity,

    Read all my posts. I don't want them to go out of business. In fact, I think they have the perfect opportunity to surpass the AV companies because of what they do and the threats they shoot down.

    I would prefer to use an AT resident and an AV on-demand, but give me some virus detection too and I'll be a happy camper.

    Regards,
    Jaws
     
  4. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Infinity, you type too fast. :D
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    ok what you would like is:

    * memory virus scanner (on access)
    * memory trojan scanner (on access too)
    * big database
    * something pro active
    * good price ? :D

    what I said before:

    SnS with AV (bitdefender = great Trojan detection too) would be our golden bet if it would have their memory (on access) scanner.

    without that...it would remain ... the cost is too big for any AT to add virus database...all those work...that's not cheap...

    have fun.
     
  6. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Hey Jaws,

    One thing to remember is that there are literally a TON of members who frequent and view forums...but don't actively post in them. For every one person who posts...there are countless more that do not. Also, not everyone who is security conscious is a member of or visits any security forums. I have friends and family members with various AV, AS, AT, etc. type programs on their machines that NEVER visit a forum like this one.

    Also, I think the reason trojans pose a bigger threat is due to the relative newness (if that is actually a word) of them. Viruses have been around a lot longer, and as such software manufacturers have had longer and much more of a head start in dealing with them. Malicious software makers are now moving into other areas...and once those have been pretty well covered and dealt with accordingly, they'll probably try their hand at even more dubious and underhanded methods. You hate to say that it will never end, buuuut..... :doubt:

    I guess that's what will keep the security software manufacturers and forums in business (and users up on the latest technology and products) :)
     
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yes, exactly JRCates :)
     
  8. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Thanks, Infinity...I was just hoping that I worded it the right way and that it made sense and came across like I intended it to :cool:
     
  9. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi All,

    Now that things have settled down, let me just add something, and then this thread can die an ungraceful death.

    First off, I never stated that AT companies are out of business. On the contrary I wish them well and hope they keep up the good work they're doing.

    Second, I don't know the economics of their business and if they can continue on their current course and can make a buck, all the better for them. Again I wish them well.

    Third, I wanted people to think differently about their PC from a more insidious threat than viruses. Vis-a-vis resident trojan scanners with some (doesn't have to be all or nothing) virus definitions.

    Fourth, the domination of AVs and the (in my mind) consequences to the AT vendors. Read my first four or five posts to get my meaning.

    Last, I wish someone from an AT vendor would have posted a comment but it's not to be.

    Regards,
    Jaws
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    hmmm, I understand what you're saying jaws...I had the feeling (I still have btw) that you're pointing to a combination of AT and AV...ATs should consider using virus sigs too in their database...

    it could be better the other way around: AVs that would use trojan sigs in their database because I believe virii are more in amount than trojans...because virii are still older than trojans...

    Hope I'm clear.
     
  11. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Why wish for this thread to die? It's one of the more interesting threads that have been started in here for a while.

    As for wishing that a vendor would respond...I hear ya and share in your pain. Unfortunately, that just doesn't seem to be the case in these forums. THANK GOD for the very knowledgeable and helpful forum members....because if I relied on any of the vendors with a presence (or even those without a presence) to post and reply in these forums, I would have been gone a loooooooong time ago.
     
  12. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Most vendors do not like to reply as much in forums for the simple reason that some have made comments in the past that have later come back to haunt them.

    I think most vendors prefer to remain quiet now unless a rare issue comes up that makes a non-response detrimental to their business. Even then most vendors are careful with what they say.

    There are a few vendors that have sort of put their foot in their mouth in the past by discussing/arguing with customers/other competition and I think many have become gunshy about answering any question unless it specifically relates to their product.

    Another reason for the lack of comments is that the AT industry has become extremely competitive as there are more choices than ever before. I think most of the vendors are now in the labs trying to find the thing that will give their product the edge......so they can stay alive as a company.

    I don't think it would benefit any of the AT companies to discuss whether their company or industry can even survive.....for then they would lose sales as people question if their product is even necessary.

    I think most AT vendors would prefer this thread died....LOL

    Starrob
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Yes, absolutely true. Funding, resources, and internal capabilities are all part of the equation. AT vendors do have substantial challenges ahead of them. One is to have the necessary resources (including money) to compete. The other is to have an actual value proposition. For example, if KAV is currently detecting over 99% of the trojans out there, how do the AT vendors differentiate themselves? (It is of course easier to make a case for an AT when the AV is detecting 90% or less of the trojans).

    Memory process scanning is a valuable technique used by many of the top ATs and a reasonable value proposition for detecting trojans that AVs might miss (as is often discussed on this forum), but isn't the value proposition of AVs that detect the trojans before they ever get a chance to execute (by interrogating the source files) an even more attractive value proposition, from a sales/marketing point of view? (Setting aside for the moment the difficulties of doing this in all cases).

    Whether or not an AT company can stay in business depends upon:

    1) Their ability to articulate an attractive value proposition which in turn -

    2) Invites a) investment into the company and b) sales of the product (free scanning products do not bring in much revenue though they may eventually translate into revenue).

    3) Of course, the financial goals of the company are also part of the equation. Some companies are willing to live on the cheap. But even the most altruistic developers eventually lose interest, energy, or run out of resources. (Everyone has to live).

    So, I can clearly see how some of the better AV companies can expand and grow going forward (not all will make it), but the AT companies have some pretty substantial challenges. I'm the type of guy who pays for products that I use no matter what, since I know that every company needs funding in order to help create new technologies, and I support the companies that help keep my computer secure. So of course, I hope that the better companies (AV and AT) all do well.

    Cya,
    Rich
     
  14. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    I agree with Rich and personally believe there will be a continued "niche market" for products like Ewido, BOClean, TDS-3, TrojanHunter. This touches on something I've been discussing in private but, fact is, even the well known AVs {Norton, McAfee, TrendMicro, etc.} do not have as broad a coverage of Expanded Threats as does Ewido for example -- I know because I submit a lot of such samples to AV-Vendor because they are undetected! ;) So I think Rich is correct in his observations and I also think, short of all of us using some superduper product with the broad detection power of a KAV for example -- {which won't happen in a highly competitive market, I mean no one such product will be able to totally dominate} -- there will be continued niche market for Ewido and like products to supplement our AV-of-choice. Also consider illukka's comments: just because, say, KAV can detect something, doesn't mean an AV can clean the malware as well as a dedicated product {such as dedicated AT or AS} might be able to. Your AV could alert you to the problem, then if it couldn't clean it, your other {AT or AS} program might be able to. Just my two cents. ;)
     
    Last edited: Jul 13, 2005
  15. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Very good points, Starrob, I honestly hadn't thought about it from that angle. Everything you said makes a whole heck of a lot of sense.....

    and particularly the last part about AT vendors :D
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    I think the really attentive AT vendors who are looking to improve their marketing and technology positioning will probably read this thread with some interest and try to improve upon their "marketing message", so that it succinctly and clearly identifies the value proposition of their software as compared to AVs and other ATs. It would also be helpful (though not necessary) to articulate a technological direction that would induce a user to purchase their product as a long term "investment" as opposed to a short-term solution. I think all good companies recognize the need to do this.

    Cya,
    Rich
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I think it is time to resurrect this thread. My question is can any AT survive in light of what happened to TDS-3?

    Starrob
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    It's really going to be tough for the AT vendors. The next year or so will probably separate those that will and those that won't. Some companies may continue to exist for a good period of time off their current customer base, but the product itself will probably slowly wither away.

    I was just perusing the latest user documentation for ZoneAlarm 6, and the product is packed full of IPS and anti-malware features that will put lots of pressure on AV and AT vendors alike - as well as HIPS vendors. If ZA6 works as advertised, it is probably a harbinger for what's to come, and clearly it will require lots of ingenuity and a good amount of resources to compete.
     
  19. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I have half an eye on Zonealarm. I am not sure what to think about them because I don't understand everything going on under the hood of their software.

    I know Kevin (BoClean) seems to heavily criticize it. I am not sure if his criticisms come from real potential flaws in the product or because the ZA 6.0 sort of conflicts with BoClean by causing many alarms on Boclean or if he is criticizing because they are a competitor that could knock him out of the box at some point.

    I study these things over time. Time often reveals the real answers. My personal opinion at this time is that ZA 6.0 does have a few flaws but we shall see if these will be worked out or not over time.

    Zonealarm might have their own competition at some point. Let me start a wild theory to get people thinking. What if Google bought a company like LooknStop and branded it the Google Firewall which is part of the Google Malware Prevention Suite which is nothing more than top of the line technology assembled by either buying companies outright or hiring the best programmers available.

    What if Google gives their software away for "free" like Microsoft did to Netscape with their Internet Explorer?

    Understand something...Google is not interested in any recurring revenue from updates. What they are interested in is driving more eyeballs to their website. Giving away top of the line security products that are the equal or better than paid products would drive a tremendous amount of eyeballs to their websites. They could even get their foot in the door in a few corporations, maybe SELLING them top of the line search functions or other services in addition to their "FREE" software.

    I am telling you developers...you better revise your business model fast. This is only one theory but there are other theories that can steamroll you if you can't get your head out of your LAB....lol

    Starrob
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    ZoneAlarm, in their user manual, actually does quite a credible job of outlining specific IPS functions and appropriate user actions.

    http://download.zonelabs.com/bin/media/pdf/zaclient60_user_manual.pdf

    The IPS reference is documented in the Appendix starting at P. 225. The functions will look very familiar to users of ProcessGuard.

    There are flaws in every product - including the current crop of IPS software. But keeping in mind that a good AV is already going to stop maybe 98-99% of the malware out there, then how flawless does a product like ZA6's IPS have to be? Frankly, if ZA6 works, it is going to put IPS into the hands of millions of users who had never heard of it before. This should be very interesting.

    I agree.

    While indeed possible, there are a variety of management, financial, and technical reasons why this particular scenario will probably never happen. (I won't go into the mundane aspects of business models, and how it drives large companies, or small companies that aspire to be large companies).

    However, I think that the really big guns in the industry (Check Point/ZoneAlarm, Symantec, Microsoft, Computer Associates, McAfee, etc.) will be spreading out and will put lots of pressure on second tier companies. I agree with you that in general it will take innovative ideas, excellent business acumen, and a very happy customer base to survive. Shakeouts in the software industry are fairly common and happen about once a decade - e.g. database, word processing, spreadsheet, desktop publishing, etc. Now it appears to be happening in the security software arena.
     
  21. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Perhaps the question should be can any AT, AV or firewall vendors survive? I don't think this is an AT problem alone.


    I think one of the main problems with the end all - be all suite will be ease of use. Contrary to Kevin's (BOClean) very critical remarks about "home users" wanting constant notification that a product is actually doing something, via popups, I personally don't want to be constantly hampered with interruptions. I can just see a ZA suite with popups for outbound apps, intrusions, trojans and viruses. What a pain in the ass that will be.

    Then there's the problem of getting the all in one suite working without problems and getting everything to play nice together, especially after product updates. I'm sure everyone remembers the fiasco ZA had with their ver. 5 upgrade. At least with independent products, a person can assemble the best of the best that work together without problems.

    Then you come to the possibility that MS, with all their cash reserves, could just buy out every security software maker and fix (or more rightly defend) their insecure OS and browser. However, luckily the law will not allow this. And would you even trust them?

    Jaws
     
  22. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Maybe Microsoft can't but Google can. IAC can and a few others can. Some may dismiss this possibility but you can be sure a company like Google has an eye on something like this to see if they could possibly make it work.

    I for one will not be surprised if something like this happened.

    Starrob
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jaws,

    Yes, all of the issues you have pointed out will - and apparently do already - exist. In a general way, it seems that the security industry is moving from scan detection to Intrusion Prevention Systems (IPS). There will be a long learning process as vendors attempt to enter into the market quickly, and provide services, while still grappling with usability, compatibility, marketing issues.

    At this moment, I am trying to understand any conflicts that may exist between ZA 6, ProcessGuard, and RegDefend, since there are many functions that overlap - yet each provides additional functions that the other does not. A tough situation. For now, I am holding back on any ZA 6 upgrade until I better understand the issues.

    It seems like we are entering into a whole new era - just when I thought my situation was settled. :rolleyes: Oh well.

    Regards,
    Rich
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    My impression from looking at the TDS-3 threads is that it was the ever-increasing number of trojans (doubling every year to judge from Kevin's posts) and the consequent increased support that the program needed that triggered DiamondCS' decision, rather than competition from AV vendors.

    Trojan and virus detection have one great difference - viruses replicate while trojans (generally) don't. That means that the chance of an AV company picking up a new virus and adding it to their signature databases before most users encounter it is far greater than with a trojan, meaning that simple signature scans can provide good protection. With a trojan, any you encounter (if you do pick one up...) are more likely to be tightly targeted (e.g. on a specific website or file download) and modified to foil simple signature detection (via compression, encryption, rebasing or other techniques) which means that there is far less chance of having the necessary signatures to pick it up.

    Therefore an effective anti-trojan scanner either needs to combine signatures with techniques to counter masking, or use another approach to detect malware. One option is heuristics (which only NOD32 seems to do really well) or behaviour blocking/IDS which is where many of the current AT (and some AV) scanners seem to be heading.

    As such, the real "threat" to AT-vendors (aside from all malware writers simultaneously taking early retirement from their ill-gotten proceeds... :) ) would seem to be coming from the IDS programs (Process Guard, Safe'n'Sec, A2, etc). These do have the weakness of requiring a greater level of user knowledge than AV software currently (since they pick up on legitimate software also) but once this issue is resolved (most likely via a signature "whitelist" of known good programs), signature-based scanners will likely be relegated to a secondary role (perhaps working in conjunction with the IDS to advise on the most common nasties).
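As an added illustration of the post above (my own constructed Python, not code from the thread or from any product named in it): a plain byte-signature scan catches a constructed trojan body but misses the same body once it is stored compressed, an AT counters that by unpacking before scanning, and a hash allowlist of known-good programs leaves only genuinely unknown files for the behaviour-blocking/IDS layer. File contents, the signature and the "packer" container format are all constructed for the example.

```python
import hashlib
import zlib

# Constructed stand-ins for executables on disk (not real programs).
KNOWN_GOOD = {
    "editor.exe": b"MZ\x90\x00EDITOR-BUILD-1.2\x00" + b"\x00" * 16,
    "browser.exe": b"MZ\x90\x00BROWSER-BUILD-7.0\x00" + b"\x00" * 16,
}
# Constructed trojan body containing the byte pattern a signature would key on.
TROJAN_PLAIN = b"MZ\x90\x00" + b"\x00" * 8 + b"connect_back:evil-host" + b"\x00" * 8
# Constructed signature database: name -> byte pattern.
SIGNATURES = {"Trojan.Constructed.A": b"connect_back:evil-host"}
# Constructed container marker for the toy "packer" below.
PACKED_MARKER = b"MZ\x90\x00PACKED\x00"


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


# Allowlist of known-good programs, keyed by content hash rather than by file name.
ALLOWLIST = {sha256(body) for body in KNOWN_GOOD.values()}


def signature_scan(blob, signatures=SIGNATURES):
    """Plain byte-pattern scan: return the first matching signature name, else None."""
    for name, pattern in signatures.items():
        if pattern in blob:
            return name
    return None


def repack(blob):
    """Constructed stand-in for a packer: the same payload, stored compressed."""
    return PACKED_MARKER + zlib.compress(blob)


def unpack_if_packed(blob):
    """Counter to masking: recover the original bytes when the container format is recognised."""
    if blob.startswith(PACKED_MARKER):
        try:
            return zlib.decompress(blob[len(PACKED_MARKER):])
        except zlib.error:
            return blob  # corrupt or unknown container: scan what we have
    return blob


def classify(blob, unpack=True):
    """Layered verdict: allowlist first, then signatures (after unpacking), then the behaviour layer."""
    if sha256(blob) in ALLOWLIST:
        return "known-good"
    hit = signature_scan(unpack_if_packed(blob) if unpack else blob)
    if hit:
        return "signature:" + hit
    return "unknown: refer to behaviour blocker/IDS"


if __name__ == "__main__":
    samples = [("editor.exe", KNOWN_GOOD["editor.exe"]),
               ("trojan (plain)", TROJAN_PLAIN),
               ("trojan (repacked)", repack(TROJAN_PLAIN))]
    for label, body in samples:
        print(f"{label:18s} sig-only: {classify(body, unpack=False):40s} layered: {classify(body)}")
```

Note that a legitimate program that is updated no longer hashes to its allowlist entry, which is the maintenance cost behind the "whitelist of known good programs" the post anticipates.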
     
  25. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    If you use the TDS database size as a measure, as I did here, you'll see the doubling time appears to be somewhat shorter - roughly every 9 months since Sept 2004. That's a very sobering statistic, at least to me.

    Blue
     