Topic: Do virus scanners need to get stupid again?
daddydave
« on: September 10, 2010, 04:28:14 PM »

Remember back when virus scanners were basically glorified grep and all they did was search for signatures in files all day long? And we were warned virus scanners would have to get smarter and detect specific behavior rather than just mindlessly search for strings in files? Nowadays we have virus scanners that try to detect suspicious behavior. The unintended consequence seems to be that now the burden is on the user to determine whether a particular DLL call behavior is suspicious or not. It's enough to make a person wish for the glory days of virus scanners when, if you got a message saying a virus was detected, you could be fairly confident a virus was detected. Being good at recognizing false positives has become a requirement of using antivirus software much more than it used to be, in my opinion. Granted, it helps to avoid crap virus scanners (or ones that exaggerate the possible threat), but even the ones I recommend (avast or Microsoft Security Essentials, or Symantec* if you want to spend money) politely bring up warnings of suspicious behavior likely to freak out a non-techie.

Do virus scanners need to get "dumb" again and just search for signatures instead of trying to be so smart? I'm kidding in a way, but also semi-serious. Or have I mischaracterized?

*Actually I haven't seen it in Symantec, but maybe that is because I don't use it, because I don't want to spend money.
« Last Edit: September 10, 2010, 04:36:20 PM by daddydave »
tranglos
« Reply #1 on: September 10, 2010, 08:33:47 PM »

You are so right about how behavioral analysis shifts the burden of deciding whether something is malevolent onto the user. What am I paying them for? (And yes, I've paid in turn for Nod32, Kaspersky and Avira, am unhappy with them all.)

At the same time, despite the rising frequency of false positives, I'm seeing a tendency in AV software to limit what you can do about the detections. Avira still lets you ignore suspicious files (though it complains bitterly), but Kaspersky does not have an "Ignore" option that I can see. When it can't disinfect, the only available route is delete. And of course it can never disinfect a false positive, or more specifically, it cannot disinfect when the only evidence is circumstantial, from behavioral analysis.

But I guess what you're positing will never happen. The bloat in AV software follows the bloat of the companies^H^H^H corporations that make them. When it was one diligent coder, you could reason with him or her, but you can't reason with the board of directors or with the shareholders.

I'm sorely tempted to run without an AV, but I'm too chicken for that, and I do receive plenty of attachments daily and share USB drives with friends, so I'm susceptible. But behavioral detection (and heuristics) is the first thing I disable in AV. It's just not worth the aggravation.

J-Mac
« Reply #2 on: September 10, 2010, 10:28:43 PM »

Agreed! Drives you nuts anymore.

Jim
Renegade
« Reply #3 on: September 10, 2010, 11:27:09 PM »

I for one am tired of false positives that you report and then they say that it's a virus, so you report it again and... Sigh...

I wonder if having a "safe signature" would help...
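As an added illustration of the two detection styles contrasted in the opening post (signature grep versus behavioral heuristics) and of the "safe signature" idea raised in this reply, not code from any forum member or AV vendor: a toy scanner that matches byte-pattern signatures, scores a constructed API-call trace, and consults a SHA-256 allowlist of vetted builds so that a known-good binary such as a browser is never flagged on behavior alone. All signatures, weights and samples are constructed for the demo.

```python
import hashlib
import re

# Constructed byte-pattern signatures (the "glorified grep" approach); not real ones.
SIGNATURES = {
    "Demo.Dropper.A": rb"DEMO_DROPPER_MARKER",
    "Demo.Keylog.B": rb"SetWindowsHookEx.{0,64}WH_KEYBOARD",
}
# Behavioural heuristic: constructed weights for API calls observed at runtime.
SUSPICIOUS_CALLS = {
    "WriteProcessMemory": 3, "CreateRemoteThread": 3,
    "SetWindowsHookEx": 2, "InternetOpenUrl": 1,
}
HEURISTIC_THRESHOLD = 4
# Constructed samples: a browser-like build that legitimately hooks the keyboard
# and uses the network, an unvetted tool with the same behaviour, and a file
# carrying a signature marker. None of these are real binaries.
SAMPLE_BROWSER = b"MZ constructed browser build, no malicious content"
SAMPLE_UNKNOWN = b"MZ constructed unvetted tool, no malicious content"
SAMPLE_DROPPER = b"MZ padding DEMO_DROPPER_MARKER more padding"
BROWSER_TRACE = ["SetWindowsHookEx", "InternetOpenUrl", "WriteProcessMemory"]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# "Safe signature": SHA-256 digests of vetted builds (an allowlist). A vendor or
# admin would populate this from known-good releases; here it is seeded inline.
KNOWN_GOOD = {sha256(SAMPLE_BROWSER)}

def signature_scan(data: bytes) -> list:
    """Return the names of every signature pattern found in the file bytes."""
    return [n for n, p in SIGNATURES.items() if re.search(p, data, re.DOTALL)]

def heuristic_score(api_trace: list) -> int:
    """Sum the weights of suspicious API calls seen in a runtime trace."""
    return sum(SUSPICIOUS_CALLS.get(call, 0) for call in api_trace)

def verdict(data: bytes, api_trace: list) -> tuple:
    """Allowlist first: bytes identical to a vetted build cannot be a true
    positive, so neither signatures nor heuristics get to flag them."""
    if sha256(data) in KNOWN_GOOD:
        return "clean", ["known-good hash"]
    hits = signature_scan(data)
    if hits:
        return "malicious", hits
    score = heuristic_score(api_trace)
    if score >= HEURISTIC_THRESHOLD:
        return "suspicious", [f"heuristic score {score}"]
    return "clean", []
```

The same trace that marks the unvetted tool "suspicious" leaves the allowlisted browser "clean", which is the false-positive suppression a per-build safe signature buys; the cost is that the allowlist must be refreshed for every legitimate update.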
J-Mac
« Reply #4 on: September 10, 2010, 11:41:04 PM »

Eset NOD32 that I use recently popped up a dialog saying that there was a file that needed to be submitted for review to Eset. I clicked Next to bring up the file submission window and the file was 'firefox.exe' from the Program Files directory! I ignored it but it kept reminding me every few days - so I finally submitted it. Wonder what they will find?

Jim
Renegade
« Reply #5 on: September 10, 2010, 11:59:42 PM »

Quote from: J-Mac on September 10, 2010, 11:41:04 PM
> Eset NOD32 that I use recently popped up a dialog saying that there was a file that needed to be submitted for review to Eset. I clicked Next to bring up the file submission window and the file was 'firefox.exe' from the Program Files directory! I ignored it but it kept reminding me every few days - so I finally submitted it. Wonder what they will find?
>
> Jim

That's actually not surprising. Given the ability of FF to host all kinds of extensions, you never know what could be going on.
J-Mac
« Reply #6 on: September 11, 2010, 12:37:53 AM »

Quote from: Renegade on September 10, 2010, 11:59:42 PM
> That's actually not surprising. Given the ability of FF to host all kinds of extensions, you never know what could be going on.

Really think so? Sure was a surprise to me!

Jim
Krishean
« Reply #7 on: September 11, 2010, 12:51:20 AM »

Submitting firefox.exe itself is probably going to turn up nothing, as long as it hasn't been altered to include malicious code. I have seen other antiviruses request common programs to be submitted for analysis myself (MSE requested that I submit a beta version of 7zip for analysis once).

You would have to submit the malicious extension for anything to be done about it.

Additionally, signature-based approaches are ineffective: thousands of new malware variants are released each day, and creating signatures for all of them is impossible (see the second half of my post here for a better explanation with links to articles).

I also agree that the heuristic approach is flawed, and needs to be drastically improved before it will be of any use. False positives (and also "potentially unwanted programs") are particularly annoying.
Stoic Joker
« Reply #8 on: September 11, 2010, 10:54:43 AM »

Not to mention the insanely irresponsible shoot-first-and-ask-questions-later policy many of the fringe/malware "Security" sites seem to have. Just Google anything.dll or .exe and many of them will surface.

There was a time these sites were (screened properly) helpful, but now... Hell, last week I found several sites that featured horrific warnings about the "deadly" Tclock virus... Yeah, that one. Unfortunately, being that it was Kazubon's build, I can't really do much... So I'll let it go for now.

These idiots actually had three (yeah, that's right, 3/three/III) pages of instructions on how to remove a program that consists of 2 binaries & a single registry key. WTF?

...Who do ya trust? These days nobody - I'm even half tempted to think my own eyes might lie to me...
tomos
« Reply #9 on: September 11, 2010, 01:31:30 PM »

Is there any antivirus that has a good record in this regard? - Sorry, that's probably veering off-topic (and may be discussed elsewhere?)

Re Avira: I've complained in their forums three or four times now about how difficult it is to report false positives on their website. Each time they ask me for the link or file and report the thread as solved. In my latest effort, "Still having problems reporting false-positives at Avira website", I have stuck to the topic (i.e. not given anyone on the forum the details of the false positive) and am now simply getting no response. I get the impression there are a couple of employees whose job it is to reply on the forums and they work on a commission basis per thread marked <Solved>. (And solving that just doesn't seem to be on Avira's agenda...)

When my year with Avira runs out (or maybe sooner) I'm moving on...
Renegade
« Reply #10 on: September 13, 2010, 08:42:21 AM »

Just installed some banking software... Got a false positive... Sigh...
Bamse
« Reply #11 on: September 15, 2010, 10:54:10 AM »

Last week PrevX decided to change its opinion about Nirsoft's tools. Previously they had said they are all whitelisted, since most exe-files can be misused, so no need to jump on little Nirsoft. FPs suck, even more with PrevX, but I don't really believe anyone is haunted by them. Even Emsisoft is fairly OK these days. You can collect enough evidence proving that is too optimistic, most have horrible stories of mistaking even system files, but in the bigger picture you still ignore the number-of-users vs. problems parameter. So blown out of proportion, but also true that most security companies do not care that much about what they estimate/sense is only relevant to a minority: http://blog.nirsoft.net/2...ache-to-small-developers/ In other words they suck. Much is fixed by a "possible unwanted program" type of tickbox, btw. On the other hand, to get closer to 100% idiot-proof security that should be ticked! Can't look bad in stupid AV-tests. How it is.

Avira most likely have paid helpers, in one way or another, but expect similar from all populated forums serving a product. They can do more harm than good, get too eager.