Is there hope for antivirus programs?

Discussion in 'other anti-virus software' started by iravgupta, Mar 29, 2010.

Thread Status:
Not open for further replies.
  1. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    They used to be the most important part of your security but no more. I use virtualization and imaging and only occasionally seek the opinion of an Antivirus.
     
  3. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hey,

    Thanks for pointing out that article, very interesting, indeed.
    Makes me think that relying solely on AV protection for your computer no longer does the trick.


    Regards,


    Carlos
     
  4. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
    Virtualization as in Sandboxie, or as in VirtualBox/VMware/Virtual PC? (Though I know that Sandboxie is not a true virtualization app.)
     
  5. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    Maybe virtualization as in Returnil/Shadow Defender etc. :p
     
  6. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
    Oops, my bad, not into these products, hence they did not occur to me immediately.
     
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,219
    I agree completely, but still they are the only tool available to identify malware if one cares to do so. HIPS in the article is the way to go as long as you block anything from executing (they won't tell you what's rogue or not, unless HIPS nowadays have in the cloud technology).
     
  8. xorrior

    xorrior Registered Member

    Joined:
    Mar 22, 2010
    Posts:
    66
    When actual runtime emulations and environments show up that hide their presence (unlike Sandboxie and BufferZone and others) I think post-infection scenarios will be almost non-existent. Using some system of time-delayed signing and the above mentioned IMO is perfection.

    I guess sticking with designing AVs around signature sorting engines and static heuristics keeps AV companies in business with renewed license fees though. That design though is about as effective as inline DRM on commercial software, they actually both fall under the same design principle in a way. Both get defeated by garden variety crackers and programmers literally daily.
     
  9. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    What about something like Appguard or Geswall?
     
  10. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    I've been hearing about the demise of antivirus products for several years.
    They're still here and doing their jobs well. Much more important than the specific security product is the surfing habits of the user.
     
  11. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Yes, antivirus programs are still worth using because HIPS can't stop everything. If everyone switched to HIPS then malware writers would put more effort into bypassing HIPS apps. The only reason they are not as targeted now is because not many users have HIPS on their machine.
     
  12. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    FYI -- Interesting comment from NSS Labs in this TechRepublic blog, emphasizing the importance of dynamic testing...

     
  13. ALiasEX

    ALiasEX Registered Member

    Joined:
    Mar 30, 2010
    Posts:
    240
    As long as other programs are much less novice friendly than av programs, av programs will continue to thrive.
     
  14. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I hate sandbox type applications.
    Having to take a program outside of the sandbox is annoying, plus they don't work on 64-bit properly.
    Also don't forget that malware stays inside Sandboxie until it is emptied, so passwords could still be logged in that time.
    Most people wouldn't have a clue how to use HIPS properly and would find sandboxes a pain.
     
  15. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I also hated the idea and use of sandbox type apps. However, once I learned how to use SBIE with a competent AV, this has been my favorite security. I believe most if not all keyloggers need to install something to be effective. If you have the Drop Rights option selected in SBIE, this will nullify that sort of thing. Also, delete the contents of the sandbox after you shut down your browser.

    You are right about the 64-bit OSs. I can't get SBIE to work properly in 64.

    But to get back on topic, I believe there is hope for the good AV programs out there. As malware gets more sophisticated, so do the good AVs. :D

    Ice
     
  16. xorrior

    xorrior Registered Member

    Joined:
    Mar 22, 2010
    Posts:
    66
    Sandboxes in practicality should be transparent, not just in an AV engine but in 3rd party solutions marketed as such.

    There should be minimal shell integration and configuration. The sandbox only does runtime environmental analyses and warns of risk and optionally shows a report. This isn't the case with any existing solution unfortunately.

    Also FYI, 'dynamic' testing is still static analysis. Not sure how that is going to improve an AV engine any more than generic sampling. Teenage noob malware authors even use custom packers and encryption stubs. AV vendors evidently don't have the ability to think like someone who wants to get a process through their product to the Windows loader. I'm sure they have great reverse engineers; only when they get around to updating a database can you look forward to not getting your information stolen.
     
  17. ratwing

    ratwing Guest

    @Zyrtec:

    I love your signature, and feel that for those without the desire to spend a little time in the learning curve, a top flight AV, firewall, and on-demand scanners are still the optimum way to achieve that.

    For those willing to spend a little time learning, there are many, many combinations possible that equal or surpass the efficiency, and are nearly as user friendly.

    More user friendly in my mind.
    I tend toward virtualization.
     
  18. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    I think they hit the nail on the head. The number 1 reason infections get in and spread is user knowledge. Old farts just want programs to run, so they say yes to every pop-up their firewall offers and inadvertently let a malicious file run, and then they wonder how it happened.
     
  19. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    For normal day-to-day use, a combination of policy restriction, virtualisation, and imaging should be enough to prevent infection. Policy restriction provides a strong defensive layer in terms of prevention, whilst virtualisation and imaging simplify and facilitate recovery, but that still leaves detection. As the Returnil moderator, Coldmoon, so aptly puts it, AV software is like the canary in the coal mine, acting as an early warning system even if it is only partially effective.

    One gap that conventional AV/AM software helps to fill is during software installation, which often involves disabling policy restrictions and accepting HIPS alerts. Whilst it's very useful to be able to install new software in a virtual environment for testing purposes, that alone doesn't always enable a definite determination to be made as to whether or not an application may be malicious. AV/AM software is like an insurance policy, providing an additional layer of protection.
     
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    AVs will continue going strong; layered protection requires some knowledge xD
    Most people would just click allow, allow and allow :D
     
  21. ratwing

    ratwing Guest


    Not Just Old Farts!!!
    Young Bloods also!!

    Really,I do see what you mean. (Old Fart Here)

    Respect,
    Rat
     
  22. xorrior

    xorrior Registered Member

    Joined:
    Mar 22, 2010
    Posts:
    66

    That's not an exaggeration: ~99% of first-stage UAC circumvention is human intervention, malware only sets the runas flag in its resource. After this, even on limited accounts, driver signing and 'token stealing' are trivial to circumvent. A transparent sandbox would fix the human factor. No false positives in environmental analyses, so if the engine says there is a problem, there is a problem.

    Lol, stack and some heap protection is the only existing memory protection. Once a program gets to the Windows loader there is no existing protection for end-users. The bulk of botnet nodes are people who were convinced those were false positives in the functional warez they downloaded, and they helped it get to the Windows loader when presented with the desensitized UAC prompt.

    Engineers at MS and AV vendors simply don't think outside the box, or design according to marketing. Luckily ARKs and reversing tools are not written by these people.
     