Cloud-Client Integrity Protection (CCIP)

Discussion in 'Prevx Releases' started by STV0726, Mar 12, 2012.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
I don't disagree with that. But, eventually, we all have to elevate something, right? And, when elevating something, in this case MSE would need to catch it at that same moment (on execution). :D If it doesn't, and then malware is able to simply kill it... Anyway, hopefully the MSE team does believe in self-protection?
     
  2. Techie

    Techie Registered Member

    Joined:
    Aug 10, 2010
    Posts:
    4
    The best defence is common sense.

    That means being careful where you go and what you download, steering clear of stuff like torrents and binary forums on Usenet.

    I do run Prevx but also check its integrity by running an online scan from one of the other vendors.

    I would think though that after the incidents that occurred all the providers beefed up their infrastructure security both from a software point of view such as adding additional firewalls or upgrading the existing ones and tightening security on the servers along with reviewing staff security policy.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They won't change their minds.
     
  4. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    The best defense is layered.

    Take driving your car for example.
    You maintain the vehicle (tires, fluids, mechanical, etc).
    You look at your surroundings and try to drive safely.
    You wear a seatbelt.
    You have airbags.
    You have crush zones.
    You have OnStar calling for emergency help if you get into a horrible accident and are impaled and dying.

    All of these things are layers of protection. Some are everyday, and some are extreme circumstance and some are backup protection. But taking away any layer would be silly.

    Koch's claim is similar to saying "Seatbelts are worthless because if you get into a horrible head-on collision at 90 MPH, the seatbelt won't help and it might trap you in the car that's about to explode in three seconds." It doesn't even acknowledge the fact that the vast majority of the malware out there DOESN'T and CAN'T circumvent self-protection, and the SPS is effective against these. Sure, if you get ZeroAccess, you're pretty much OOL until some method of protecting against that specific exploit comes around, but all those user-mode ransomware apps will be unable to send a terminate signal and succeed.

    Like I said, try using kill.exe or task manager to turn off WSA. It doesn't work, and that's due to the self protection. With no SPS at all, a virus coded in .NET or VB by a 10-year-old could kill the AV program. :p

    Anyway, along the lines of people who are afraid of the cloud, this just shows a lack of understanding of the concept of attack surface. Your computer natively has hundreds of thousands of surfaces, but not all of them are attack surfaces. Most aren't, in fact. An attack surface is a facing by which an exploit may be able to be introduced into an environment.

    By the logic of "Any AV that has to communicate to a server" being used, then technically -EVERY- AV does. Why is a "cloud database" a bigger attack surface than the server presence of the DB they load onto your machine regularly? Without that DB, how can the AV work effectively at all?

    It also comes down to "Effective Safety Balance". You could TECHNICALLY say "I am never going to go outside because I could possibly trip over a curb or step on something gross". After all, when you are outside, you've just immensely increased your attack surface. You are exposing yourself to weather, the whims and faults of thousands of other people, acts of Doug, and acts of Dog too (which is something gross to step in).

    But honestly, is staying indoors in a bubble all that much better? Somebody could come with a bulldozer and break your wall, or break into your house with a gun and shoot you, or throw a brick through your window and bean you in the head while you're sleeping.

    So obviously, there is no solution. Therefore it all just depends on how paranoid a person is and what kind of balance they try to end up with.

    Consider:
    With no door on your house, you have easy, convenient access. But everybody can see in, walk in, etc.
    Put a door with a knob and now you have to stop to open it. Your convenience is reduced, but not by much. Your security is increased because people can't look in, the weather and bugs are kept out in general.
    Put a lock on it and now you have to stop to pull out a key and unlock it. But again, more security.
    Put a deadbolt on it to prevent people from carding it and more security, but also more effort to unlock it.
    But what does it mean when it gets to the point where somebody has to set down their groceries, unlock three deadbolts, seven key padlocks, two combination locks, iris scanner, thumbprint scanner, DNA scanner, voice analysis... then can finally get into their house as long as they pick up their groceries and make it through the door in under three seconds. And have steel plates over their windows... Yeah... Secure? Sure. Inconvenient? Very.
     
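    The kill.exe / Task Manager test Techfox describes above can be turned into a repeatable check. The script below is an added example written for this page; it is not code from the thread, from Prevx or from Webroot. It asks the kernel for a PROCESS_TERMINATE handle to a process and then reads back the access the handle was actually granted, without ever calling TerminateProcess. The image names 'WRSA' and 'notepad' are assumptions; substitute whatever the service on your box is called.

```powershell
# Added example (not from the thread): probe whether the current user can obtain
# PROCESS_TERMINATE on a running process. Either of two outcomes means user-mode
# self-protection is doing its job: OpenProcess fails with ERROR_ACCESS_DENIED (5),
# or the handle opens but the granted access mask lacks the terminate bit because a
# kernel callback stripped it. Process image names below are assumptions.

$sig = @'
using System;
using System.Runtime.InteropServices;
public static class NativeProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
    // NtQueryObject with ObjectBasicInformation (class 0) fills an
    // OBJECT_BASIC_INFORMATION; GrantedAccess is the ULONG at offset 4.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryObject(IntPtr Handle, int ObjectInformationClass,
                                           byte[] ObjectInformation, int ObjectInformationLength,
                                           out int ReturnLength);
}
'@
Add-Type -TypeDefinition $sig

$PROCESS_TERMINATE = [uint32]0x0001

function Test-TerminateAccess {
    param([Parameter(Mandatory)][string]$Name)   # image name without .exe

    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $h       = [NativeProbe]::OpenProcess($PROCESS_TERMINATE, $false, $p.Id)
        $err     = 0
        $granted = [uint32]0

        if ($h -eq [IntPtr]::Zero) {
            # Open refused outright (typically 5 = ERROR_ACCESS_DENIED).
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        } else {
            # Open succeeded; check what the handle is really allowed to do.
            $buf = New-Object byte[] 56
            $len = 0
            if ([NativeProbe]::NtQueryObject($h, 0, $buf, $buf.Length, [ref]$len) -eq 0) {
                $granted = [BitConverter]::ToUInt32($buf, 4)
            }
            [void][NativeProbe]::CloseHandle($h)
        }

        [pscustomobject]@{
            Pid              = $p.Id
            Name             = $p.ProcessName
            Opened           = ($h -ne [IntPtr]::Zero)
            Win32Error       = $err
            GrantedAccess    = ('0x{0:X}' -f $granted)
            TerminateGranted = (($granted -band $PROCESS_TERMINATE) -ne 0)
        }
    }
}

# Usage: compare the AV service (image name assumed) with an ordinary process.
Test-TerminateAccess -Name 'WRSA'    | Format-Table
Test-TerminateAccess -Name 'notepad' | Format-Table
```

    Run it from both a normal and an elevated PowerShell. For an unprotected process such as notepad the row shows Opened = True and TerminateGranted = True; for a self-protected service you should see either Opened = False with Win32Error = 5, or Opened = True with TerminateGranted = False. The second shape is why the script reads GrantedAccess instead of trusting the open: a driver registered with ObRegisterCallbacks removes the terminate bit from the handle rather than failing the call, so a tool that only checks whether OpenProcess returned a handle would wrongly report the product as unprotected. Note the limit Techfox already concedes: this check measures user-mode kill attempts only; a kernel-mode rootkit sits below the callback and is not something this probe can speak to.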
  5. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Wow...

    Techfox: You ought to be revered for that post. I don't think I've ever seen a better analogy post. This should be pinned as a sticky for that. Rob Koch ought to read this!

    You know, I agree with what you say. Just because there are edge scenarios where self-protection is "worthless", doesn't mean it is worthless altogether.

    Heck, if I may try my luck at an analogy: By Rob Koch's logic, not only is self-protection worthless - protection is worthless, because hey...malware sometimes goes undetected right? Worthless! >.>

    Nice post Techfox. I love it.
     
  6. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Good luck getting Bob to read it. ;)

    Really, security is a lot of posturing lately and a LOT of misunderstanding. I've been in the security industry for 17 years now. A lot comes down to PR and under-informed people, and then even more in scaremongering. :(

    After all, the security industry STILL has people up in arms over cookies. The free Security Scan style utilities by a lot of vendors look for Cookies that they have a VERY reasonable assumption will exist in order to crow "OMG, Your current security program missed these!!!! They suck, so use us instead!" Scan, go to a web site, and within five minutes, the cookies are back. So yes, it's a safe bet it will find the cookies.

    And what do the cookies do? They make people paranoid for the most part. I mean, really, I went to look at the Ford web site, so when I go to New York Times, I'll see an advert for cars. Great. True, marketing can get kind of creepy and embarrassing sometimes (See: http://foxnewsinsider.com/2012/02/2...ager-can-are-stores-tracking-your-every-move/ for example). Nothing like getting adverts for adult services in the mail because you signed up for a free adult site... But really, it all comes down to visibility. If you're going to a web site that you don't want somebody else to see you going to, then why are you going there to begin with? You're putting yourself at risk of discovery through MANY more venues than targeted advertising. Having your spouse come up behind you while you're in a "mature" chat won't be prevented by deleting cookies. ;)

    But yeah. It's always the Security Balance. After all, if the logic in the infection is: "Look for AV program. Kill it. Verify death. Kill it again if needed. Repeat verification and kill until it is truly dead. Install myself." Then if the AV and Virus get into a fight in the verify and kill portion, notice that the virus never reaches the "Install Myself" instruction, so it never does. ;) Heck, a virus can use self-protection by saying "If something touches me, I BSOD the computer." It's very effective. Inconvenient for the person seeing the crash, but the virus never gets removed and the user blames the AV program for the crash. Win/Win for the virus. ;)
     