
Do virus scanners need to get stupid again?

daddydave:
Remember back when virus scanners were basically glorified grep and all they did was search for signatures in files all day long? And we were warned virus scanners would have to get smarter and detect specific behavior rather than just mindlessly search for strings in files? Nowadays we have virus scanners that try to detect suspicious behavior. The unintended consequence seems to be that now the burden is on the user to determine whether a particular DLL call behavior is suspicious or not. It's enough to make a person wish for the glory days of virus scanners when, if you got a message saying a virus was detected, you could be fairly confident a virus was detected. Being good at recognizing false positives has become a requirement of using antivirus software much more than it used to be, in my opinion. Granted, it helps to avoid crap virus scanners (or ones that exaggerate the possible threat), but even the ones I recommend (avast or Microsoft Security Essentials or Symantec* if you want to spend money) politely bring up warnings of suspicious behavior likely to freak out a non-techie.

Do virus scanners need to get "dumb" again and just search for signatures instead of trying to be so smart? I'm kidding in a way, but also semi-serious. Or have I mischaracterized?

*Actually I haven't seen it in Symantec, but maybe that is because I don't use it, because I don't want to spend money.

tranglos:
You are so right about how behavioral analysis shifts the burden of deciding whether something is malevolent onto the user. What am I paying them for? (And yes, I've paid in turn for Nod32, Kaspersky and Avira, am unhappy with them all.)

At the same time, despite the rising frequency of false positives, I'm seeing a tendency in AV software to limit what you can do about the detections. Avira still lets you ignore suspicious files (though it complains bitterly), but Kaspersky does not have an "Ignore" option that I can see. When it can't disinfect, the only available route is delete. And of course it can never disinfect a false positive, or more specifically, it cannot disinfect when the only evidence is circumstantial, from behavioral analysis.

But I guess what you're positing will never happen. The bloat in AV software follows the bloat of the companies^H^H^H corporations that make them. When it was one diligent coder, you could reason with him or her, but you can't reason with the board of directors or with the shareholders.

I'm sorely tempted to run without an AV, but I'm too chicken for that, and I do receive plenty of attachments daily and share USB drives with friends, so I'm susceptible. But behavioral detection (and heuristics) is the first thing I disable in AV. It's just not worth the aggravation.

J-Mac:
Agreed! Drives you nuts anymore.

Jim

Renegade:
I for one am tired of false positives that you report and then they say that it's a virus, so you report it again and... Sigh...

I wonder if having a "safe signature" would help...
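
The "safe signature" idea above, as an added example that is not part of any post in this thread: a deliberately dumb signature scanner (pattern search over file bytes, the "glorified grep" from the first post) paired with an allowlist keyed on the SHA-256 of known-good files, so a file like the thread's firefox.exe is never flagged even when a naive string signature happens to match inside it. The signature patterns, the sample files and the allowlist entry are all constructed for this example and are not real AV signatures or vendor hashes.

```python
import hashlib
from dataclasses import dataclass

# Constructed string signatures for the demo. Real AV signatures are not
# this simple, and these markers do not correspond to any real malware.
SIGNATURES = {
    "Demo.Marker": b"DEMO-MALWARE-MARKER-1",
    # A command-line fragment that legitimate software may also contain,
    # which is exactly how naive string signatures produce false positives.
    "Demo.Deleter": b"cmd.exe /c del /q",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; this is the allowlist key."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    name: str
    status: str  # "clean", "allowlisted" or "detected"
    detail: str = ""


def scan(files: dict, signatures: dict, allowlist: dict) -> list:
    """Check the allowlist first, then fall back to byte-pattern signatures.

    files:      {filename: bytes} (constructed in-memory files for this demo)
    signatures: {signature_name: byte_pattern}
    allowlist:  {sha256_hex: reason}; a match short-circuits all signatures
    """
    results = []
    for name, data in files.items():
        digest = sha256_hex(data)
        if digest in allowlist:
            # Known-good hash: the file is exempt no matter what strings it holds.
            results.append(Verdict(name, "allowlisted", allowlist[digest]))
            continue
        hits = sorted(sig for sig, pattern in signatures.items() if pattern in data)
        if hits:
            results.append(Verdict(name, "detected", ", ".join(hits)))
        else:
            results.append(Verdict(name, "clean"))
    return results


def statuses(results: list) -> dict:
    """Collapse verdicts to {filename: status} for quick inspection."""
    return {v.name: v.status for v in results}


# Constructed stand-in for a legitimate executable. It contains the
# "cmd.exe /c del /q" fragment, so the dumb scanner alone would flag it.
FIREFOX_STUB = (
    b"MZ\x90\x00" + b"constructed stand-in for a legitimate browser binary; "
    b"uninstall helper runs: cmd.exe /c del /q %TEMP%\\setup.tmp"
)

SAMPLE_FILES = {
    "firefox.exe": FIREFOX_STUB,
    "invoice.scr": b"MZ\x90\x00" + b"\x00" * 16 + b"DEMO-MALWARE-MARKER-1",
    "readme.txt": b"Just a text file, nothing to see here.",
}

# The "safe signature": a hash the vendor (hypothetically) published for
# this exact build. Any byte change, e.g. an update, invalidates it.
ALLOWLIST = {
    sha256_hex(FIREFOX_STUB): "vendor-published hash (constructed for this example)",
}


if __name__ == "__main__":
    for v in scan(SAMPLE_FILES, SIGNATURES, ALLOWLIST):
        print(f"{v.name:12} {v.status:12} {v.detail}")
    print("without allowlist:", statuses(scan(SAMPLE_FILES, SIGNATURES, {})))
```

Note the trade-off the code makes visible: the allowlist is only as good as the exact hash, so every legitimate update produces a new hash that has to be re-published, which is why real products lean on code-signing certificates and vendor reputation rather than raw file hashes. It also silences the scanner completely for an allowlisted file, so a tampered copy with a different hash falls straight back to the signature path, which is the behaviour you want.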

J-Mac:
Eset NOD32 that I use recently popped up a dialog saying that there was a file that needed to be submitted for review to Eset. I clicked Next to bring up the file submission window and the file was 'firefox.exe' from the Program Files directory! I ignored it but it kept reminding me every few days - so I finally submitted it. Wonder what they will find?

Jim
