Is user education necessary for security?

Discussion in 'polls' started by Hungry Man, Oct 11, 2011.

Does computer security necessitate user education?

  1. Yes, definitely

    79 vote(s)
    85.9%
  2. No, definitely not

    4 vote(s)
    4.3%
  3. Possibly in certain situations/ other

    9 vote(s)
    9.8%
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    The short answer is... it helps immensely.
    So yes.
    But I imagine that certain systems and/or practices could be put in place that would allow a completely uneducated user's computer to stay secure.
    But for how long and at what cost would this uneducated user's computer stay secure?
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In order for the typical user to stay secure, one of these two has to apply:
    1, The user has to be knowledgeable enough to secure their system and/or data.

    or
    2, The system must be secure to start with and not alterable by the user.

    As long as the user can alter their system without any understanding of the security implications of their actions, no security software can compensate for their actions.
     
  3. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Extremely important, especially for trigger happy people or webz lurkers :D
     
  4. Seven64

    Seven64 Guest

    What's the question? o_O , :D
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Or the user can alter the system but is never given reason to.

    For example:
    When an antivirus gives a false positive the easiest way around that is to turn the AV off and run the program again.

    So what if the user only believes it to be a false positive? Security bypassed.

    So instead of making the easiest way around the AV turning it off they should provide another option, such as running it anyway but within a virtualized environment or with some type of restrictions or monitoring to ensure easy cleanup.

    Suddenly the choice of the user to run the program regardless of it being blacklisted doesn't infect the computer.
     
  6. wat0114

    wat0114 Guest

    The user is only going to believe it's a false positive because they've either encountered a false positive before, or because of all the reports they've seen on false positives, and false positives do occur routinely with antivirus products, therefore it's the fault of antivirus developers for their inability to produce a false positive-free product.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree entirely. If a user encounters a false positive one time there is instantly a dangerous precedent. Next time they may just think it's a false positive and they'll say "Oh well it's been wrong before."
     
  8. wat0114

    wat0114 Guest

    Which is why I, for one, only take antivirus scan results with a slight grain of salt. TBH, most of the installer files I download I don't even bother scanning, because I obtain most of them from sources I trust, and this approach has never once backfired on me. If it ever does, I know how to resolve the problem, and then it would just be a little excitement in an otherwise humdrum routine :)
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yep, installing from a trusted source is one way to go. But with 80% of malware distributing websites being hacked legitimate sources I try not to be too trusting.
     
  10. guest

    guest Guest

    From where came this number?
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  12. guest

    guest Guest

    I saw no details on their criteria for "hacked" and "compromised" - which may be different concepts because they added an "or" on that snippet. I even downloaded their PDF report, in hopes of finding more details, but I couldn't find anything relevant.

    So, maybe if a person uploads a malware to a "Rapidshare like site" with the "Rapidshare like site" forbidding malware uploading under its TOS, Sophos immediately considers the "Rapidshare like site" "hacked" or "compromised"?
     
  13. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I don't think education in pc security is necessary........security software and tools should be left to take care of any concerns.......I mean nowadays security software comes with almost every necessary tool to protect any user.....
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Now you're back where we started. User education is definitely required for setting up virtualization and a virtual OS to run on it. Either that or someone has to do it for them. Either way, user/administrator education is needed.

    I got a call from a client yesterday (which I'll answer when I'm good and ready) telling me that they're seeing all kinds of security alerts for virus, spyware, etc. I equipped the PC with an AV, a firewall, and SSM, originally locked completely down. On the last visit, I gave them the password for SSM so they could unlock it and update/install along with very simple instructions regarding when to do this. The very first thing they did was shut off the security apps, then infect it with fake AVs again, 4th time this year. I am beyond sick of trying to educate these people. No matter what I've tried to tell them, they trust and install any piece of crap they see on Facebook and their game cheat sites. With some users, education is impossible.

    Regarding AV vendors not being able to eliminate false positives, I don't believe it's possible.
    1, There's too much to ever hope to identify it all.
    2, Detecting only malicious code and not legit apps by activity or heuristics is just as impossible. In many cases, they perform almost the same actions, use the same APIs, etc. There's too many variables to say "It's malicious if it does this". IMO, on this front, malware is beating AVs badly and getting farther ahead all the time.
    This is something I've been saying for years. There is no such thing as a trusted site. I can't comment on the latest versions of IE, don't know if it's changed, but they've had it backwards from the start. You visit a site first in the internet zone. This makes the restricted zone worthless. What good is it to restrict a site after you've already visited it with more permissive settings? The default zone should be the restricted or untrusted zone.
     
  15. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    No, install a Security software and hope it will deal with all malwares...
    No tension... If u get some knowledge then problem begins.. Search for malwares, new security softwares 24x7 busy .. high tension...:p

    But I voted YES;)
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would think "hacked" means an outsider infected the site. Compromised could mean rogue employee or a site that at one point was legitimate voluntarily began spreading malware.

    I will read the full report and get back to you.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That was purely an example. In an ideal situation that would be handled for them.

    I agree, which is why false positive tolerance is so important.

    As with your example, users just don't trust their AV.
     
  18. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I trust my av.....;)
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If you downloaded Adobe Flash installer straight from the Adobe website and your AV said "Malicious!" and quarantined it... would you trust your AV? Or would you trust that the website wasn't compromised?

    There really isn't a right answer here - you'll either end up running it or you'll end up not installing it or you'll end up second guessing the AV with more AVs.
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In an ideal situation, none of this would be needed at all.
    I stopped trusting AVs and other detection software about 8 years ago and stopped using them on my own equipment shortly afterwards. The only time I've ever been infected was when I used an AV. AFAIC, AVs should have died a long time ago, and would have if they weren't so profitable for the vendors by their making users dependent on the constant updates. Trying to identify and intercept malicious code when the potential quantity and variations are almost infinite is futile. IMO, an OS with a default-permit based security policy operated by the typical, unskilled user is a guaranteed failure in the long run. Sandboxing, Virtualization, etc are IMO stopgaps that will follow the same old penetrate, patch, repeat road we've been on for years. One or the other main variables (user or the OS itself) has to change.
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Take this problem a bit farther. We've already seen that the internet structure itself is vulnerable. What guarantee do you have that the Adobe site you're seeing isn't a fake and you haven't arrived there via DNS poisoning? Combine that with this rapid update process some apps use and some very nasty scenarios are becoming quite possible.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I suppose. I just mean that the sandboxing would not need to be handled by the user. The user doesn't have to do anything, or barely anything, and when they do something there should be a backup plan.

    I agree. Blacklists attempt to see the entire scope of malicious files, which is unreasonable, and heuristics engines are iffy.

    Yes, either the user or the OS has to change - I agree with that as well. IMO it's a lot easier to have smart people program something than have smart people try to get the uninterested users to care.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yep, exactly my point. That Adobe installer may very well be malicious. I see legit sites get hacked all of the time. It's just impossible to trust anything so I don't see why so many systems are based on an all or nothing scheme.
     
  24. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I would resort to a third option......keep it in monitor with my av reducing its rights........send it to the av support team to analyse it.......if it comes out clean then allow it if not remove it ........all of this with my av.......to be sure I would analyse it using meta av scanning tools like virus total .....I use my av and other avs ........
     
  25. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Definitely...;)
     