How easy is it to bypass an AV?

Discussion in 'other anti-virus software' started by bonedriven, Jul 18, 2009.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    I'm no expert at all, but I heard it was really not a difficult thing to write a virus that's able to bypass Avira, Kaspersky, etc. I heard people saying, "Given the name of the AV, I'll slip through it." If this is real, then those which people use most are targeted and "will probably become poor AV products eventually". The popularity of Kaspersky in China certainly arouses the local virus writers' interest in it.

    I know there's not a "Yes" or "No" answer. Questions like "Are you 'expert' enough?" and "Who can be called an expert?" would be asked then.

    Here's another expert bashing AV products.

    No, I'm not paranoid. I'm using Avira Free now.

    I just think AV products are losing ground so fast, aren't they?
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,242
    Location:
    Texas
    Kurt Wismer
     
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Quite interestingly, when Joanna Rutkowska was asked for security recommendations, this is what she said about AVs:

    This isn't the first time I've read about programs which weaken the OS they are supposed to protect. On the other hand, I can't think of any other tool to find out whether a system is infected or not. It would be interesting, when testing AVs for malware detection, to also test the impact they have on XP and Vista, particularly at kernel level. I presume such tests would be very expensive, as they would have to be carried out by independent expert programmers.
     
  4. bollity

    bollity Registered Member

    Joined:
    May 9, 2009
    Posts:
    190
    Sure, antivirus can be bypassed and I have seen this myself. That's why I use other security software besides the antivirus, especially a good HIPS program like Online Armor, Comodo or Outpost.
     
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    If the malware can't execute on the machine, then it can't bypass anything. So limited user logon, blocked scripting and common sense need to be bypassed first.
     
  6. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    If you're talking strictly about known-malware scanning (as those people you heard from almost certainly were), then yes, it's fairly simple to write a new piece of malware that won't be detected. The reason is quite simple: new malware is not yet known, and therefore known-malware scanning won't be able to find it, by definition.

    Heuristics help, but not enough (AV-Comparatives' retrospective test results are dismal), and certainly not when the person creating the malware keeps tweaking it before release until the heuristic engine s/he's targeting can no longer find anything.

    Rutkowska is not an anti-malware expert, far from it in fact. What she is expert at (besides marketing) is creating one very particular type of malware. That gives her a very biased view of anti-malware.

    Long ago I wrote an article about the absurdity of the so-called 'security expert'. Essentially it's like being an animal expert: ask yourself, if you have a question about insects, do you ask an 'animal expert' or an entomologist?

    Again, if we're talking strictly about known-malware scanning, then certainly there are some very high-profile problems that seem to just get worse and worse. However, in reality AV refers to far more than just that. It's somewhat of an umbrella term, which is why I make a point of referring to specific types of technology: to get rid of the ambiguity and put comments like "it's easy to bypass AV" into proper context.
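The point made in the post above (and the claim in the opening post) in runnable form, as an added example that is not code from the thread or from any AV vendor: a toy hash/pattern scanner standing in for known-malware scanning, a toy entropy heuristic, and the tweaks an author applies until neither fires. The sample bytes, signature names and key are constructed for the example and are inert.

```python
"""Added example (not from the thread): a toy known-malware scanner plus a toy
entropy heuristic, and the tweaks an author applies until neither fires.
KNOWN_SAMPLE is a constructed, inert byte string standing in for a file the
scanner has already seen; the signature names and key are made up."""
import hashlib
import math
from collections import Counter

# Constructed stand-in for a known malicious file body (inert, not real malware).
KNOWN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
                + b"connect(c2.example.invalid:4444)" + b"\x00" * 4000)

# The scanner's database, derived from the sample it has already seen.
HASH_SIGS = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Constructed.A"}
PATTERN_SIGS = {b"connect(c2.example.invalid:4444)": "Trojan.Constructed.A"}


def scan_known(data: bytes):
    """Known-malware scanning: only bytes already in the database can match."""
    name = HASH_SIGS.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in PATTERN_SIGS.items():
        if pattern in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; zero-padded code is far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_heuristic(data: bytes, threshold: float = 7.0):
    """Toy heuristic: a body that looks uniformly random is probably packed."""
    return "Heur.HighEntropy" if shannon_entropy(data) > threshold else None


def scan(data: bytes):
    """Layered product: known-malware check first, heuristic second."""
    return scan_known(data) or scan_heuristic(data)


# --- Tweaks an author tries, in the order they usually escalate -------------

def tweak_one_byte(data: bytes) -> bytes:
    """Flip a padding byte: kills the whole-file hash, not the byte pattern."""
    return data[:-1] + b"\x01"


def keystream(length: int, key: bytes) -> bytes:
    """Deterministic pseudo-random keystream (SHA-256 in counter mode)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def pack_xor(data: bytes, key: bytes) -> bytes:
    """XOR-pack: kills the byte pattern, but the output is high-entropy."""
    return bytes(a ^ b for a, b in zip(data, keystream(len(data), key)))


def unpack_xor(data: bytes, key: bytes) -> bytes:
    return pack_xor(data, key)  # XOR is its own inverse


def pack_low_entropy(data: bytes, key: bytes) -> bytes:
    """XOR-pack, then hex-expand: only 16 symbol values, so entropy <= 4 bits
    and the entropy heuristic stays quiet. The loader hex-decodes, then XORs."""
    return pack_xor(data, key).hex().encode("ascii")


def unpack_low_entropy(data: bytes, key: bytes) -> bytes:
    return unpack_xor(bytes.fromhex(data.decode("ascii")), key)


KEY = b"constructed-key"  # hypothetical, chosen for the example
VARIANT_ONE_BYTE = tweak_one_byte(KNOWN_SAMPLE)
VARIANT_PACKED = pack_xor(KNOWN_SAMPLE, KEY)
VARIANT_TUNED = pack_low_entropy(KNOWN_SAMPLE, KEY)


def evasion_results():
    """Verdict per variant; None means neither scanner saw anything."""
    return {
        "original": scan(KNOWN_SAMPLE),
        "one_byte_changed": scan(VARIANT_ONE_BYTE),
        "xor_packed": scan(VARIANT_PACKED),
        "xor_packed_hex": scan(VARIANT_TUNED),
    }


if __name__ == "__main__":
    for variant, verdict in evasion_results().items():
        print(f"{variant:18s} -> {verdict}")
    # The tuned variant still unpacks to the original for its own loader.
    assert unpack_low_entropy(VARIANT_TUNED, KEY) == KNOWN_SAMPLE
```

Run it as a script to print each verdict. The one-byte change beats only the file hash; XOR packing beats the byte pattern but hands the heuristic a high-entropy blob; hex-expanding the packed body caps entropy at 4 bits per byte, so the tuned variant passes both checks while its loader still recovers the original. Real engines have far more heuristics plus emulation, but the loop (tweak, rescan, repeat) is the one the post describes.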
     
  7. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Say, if you download a *.exe and intentionally execute it, your AV fails to detect the virus contained in the file.
     
  8. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Sure, it is a never-ending race, as the ultimate defence is the user.
     
  9. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I assume the exe file you intentionally executed must have been downloaded from a dubious source? Why would you execute such a file?
     
  10. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    *.exe is just one example. There are many cases where I need to execute a file from a dubious source. Or maybe I don't even know it's from a dubious source. Is there a line between a dubious source and a trusted source?

    And in terms of common sense, I think most PC users don't have your "common sense".
     
  11. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    And I think the tide is turning in favour of users with common sense.
     
  12. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    If you REALLY try, you can bypass any type of security, physical or virtual. No anti-malware vendor or hardware firewall manufacturer can ever be certain that users are not going to be determined to be stupid enough to make their products worthless. I've had PCs brought to me with malware on them that the user was warned about by the product they had installed, but they ignored the warning "because they wanted the software". It's not the malware that's the problem but the users! (lol)
     
    Last edited: Jul 19, 2009
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    If by "AV" you mean a signature-based scanner, then yes, they are losing ground: the amount of malware keeps growing and the AV developers can't create signatures fast enough. Anti-malware developers are taking their products in new directions, though. For instance, cloud technology, as implemented by Prevx and Hitman Pro, is a step in the right direction IMHO. The real problem, though, is not the effectiveness of security products but the lack of awareness of users. Many users have the simplistic idea that they will be safe if they choose good security software, not understanding that they must stop visiting high-risk websites, using P2P software like Limewire, etc. Would you feel safe playing in a minefield just because you have a metal detector? Hopefully not, but this is analogous to what people do on computers.
     
  14. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    That's a bit of an obsolete opinion. Nowadays there are so many hacked legitimate sites (such as e-shops you often visit, magazines, government pages... simply ordinary web pages), with the malicious code appearing one day here, one day there, that dividing websites into "high" and "low" risk doesn't make much sense. You can get infected anywhere, even on the most "legitimate" sites you can imagine.
     
  15. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    What you're talking about is still very rare. Most get infected by visiting crack sites, "free" porn sites (the offer of free porn is always a good one to get guys to download something they'd rather not have!), file sharing and other risky habits online. Like I wrote earlier, if you really try you can bypass any form of security you're using to protect your PC; common sense still plays the biggest part in keeping malware off PCs.
     
  16. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    No, it is not rare at all. Every day there are new lists of infected legitimate sites.
     
  17. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    As a % of legit sites, the ones that get hacked/infected with malware is very, very low; get a list of non-infected sites and compare the two! The problem is that when a site does get compromised in any way at all by some malware, the malware writer gains notoriety and so likes to broadcast the fact that they have done it, even if the way in which the site was attacked doesn't cause the public any problems. Remember how it was big news not long back when various AV vendors' sites were attacked and personal data was claimed stolen? Turns out it was a load of bunk: the stuff claimed to be stolen wasn't even kept in the place it was claimed stolen from; it was on different databases on other third-party computers. Don't believe everything you read or all the claims made.
     
  18. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Well, I haven't been to one yet, so I don't know how common it can possibly be. If you didn't know, there are millions and millions of sites on the internet; when a few get hijacked, a majority of people still won't be affected by it.
     
  19. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    I'm afraid you must be living in a different world... You seem to be talking about hacks changing the web page to claim "I did it!" etc. Yes, that is indeed pretty rare, compared to silent malware distribution.
    Actually, the word "hacked" may not even always be correct in this context; it's possible that the credentials to the website are e.g. stolen when the author's computer gets infected, and the data passed on to the malware guys, who use it to access the site.

    How do you know (that you haven't been to one)?
    You probably wouldn't notice; the injected scripts check for various exploitable software (mostly the usuals: operating system, browser, Acrobat, QuickTime, ...). If none of your software gets exploited, nothing happens, so you can hardly say you've been to such a site.
     
  20. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I was using the word "hacked" to cover a broad spectrum of malicious intent aimed at a website/server/company/home user. The actual % of websites that are affected by any kind of malware or attack, or even just alteration of simple things such as the way a page is displayed, is very small. If you want to believe otherwise, you're believing too much of the hype that surrounds the amount of malware claims made by the writers/distributors and a few (not so few) bogus anti-malware companies who tend to prey on users' paranoia about how easy it is to infect a protected PC. If you believed even half of what is hearsay, you'd leave all your PCs turned off, because I'm sure that even without web access someone somewhere would claim that you could get infected down the mains, and some users would believe it.
     
  21. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    OK, I'll pass your message on to the guys in our virus lab: that they shouldn't believe that those huge numbers of infected sites they see every day, and add detections for, are real... I'm sure they'll be happy to save themselves quite some work :D
     
  22. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Which lab is that, or is that a secret?? If you do work for an AV company, why be shy? (Do you get the impression I don't believe you??)
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    I don't see anything obsolete about my opinion. Avoiding high-risk sites is a way of significantly reducing risk, while intentionally visiting them is a way of almost guaranteeing you will be attacked/infected. The fact that legitimate websites are sometimes hacked and contain threats does not change this. An important part of avoiding infection is lowering your risk profile.
     
  24. Follower

    Follower Guest

    I thought for a novice like me, AV is all I need.
    Now I'm not sure what to do. :doubt:
     
  25. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    No firewall, no HIPS?

    I kinda hate HIPS myself, though. I mean the crazy pop-ups of HIPS.
     