

Antivirus companies support virus writers?


Dmytry:
Well, I don't think antivirus software is a correct approach to the problem in the first place. Blacklisting bad software or whitelisting good software is stupid (and whitelisting is just good ol' racketeering, as the developer has to pay to get whitelisted).

Think about an application like a web browser, and what sort of access it needs to your hard drive.
Basically, it has to be able to:
0: access network.
1: read and write inside its own configuration folder
2: read the files you choose through system's standard file open dialog.
3: write to locations you choose through system's standard save dialog.
It is entirely possible to lock down file access *extremely* tight without *ever* nagging the user with extra dialog, relying on the dialogs which already are presented to the user.  But it has to be done on the system level.
Of course, there would still be privilege escalation exploits and such - but those have to be dealt with by *patching* not by blacklisting.

Bamse:
I am not sure it will move you an inch, but most AV companies are actually obsessed with finding new ways of protection. Even Symantec has "Stops threats unrecognized by traditional antivirus techniques" in their feature list. Probably why they bought PC Tools (Threatfire). "More is better since more is needed" is how they design software. Since there are new demands, is it not nice of them to deliver? ;) HIPS, behavior blocker, quarantine if unknown stuff. Avast just got a built-in sandbox. Must not forget "web" scanners (the web is evil, as you have been told), a common feature and where you get the most false positives as well. There are loads more. Just take a look at their web sites.

In their defense I would say that tools usually work better if settings, features and limitations are known to the user. Installing one of the bigger packages on a computer used by a person with a history of doing the opposite of common sense will not be a smooth experience. Not possible to fix stupidity/lack of knowledge and experience with software. Or maybe it is, but then you need to handpick and spend time setting things up. Must have the perfect setup. Many tools will have password locking of settings for the same reason. User must be protected against user! Jumping at any random advertised package using default settings can go wrong.

I don't think the majority believe McAfee produce malware. More like they and other "reputable" brands are protecting them and let them use the computer as they wish. They have way too much convenient faith in "being protected". Increase requirements, annoy usability, and in many cases there will be a user vs. security problem. Some are more likely to ignore features/messages from the AV or simply turn stuff off than educate themselves on what the problem really is. Also why many reject UAC, which is harmless/easy compared to 3rd party "proactive" stuff. Takes very little to annoy. I have heard IT people saying the first thing they do for their "clients" is to turn off UAC and make them admin. How it is, and partly why there will continue to be work for AVs.

Are you referring to Software Restriction Policy on Windows, Dmytry? Sure you can lock programs and activities down; much is possible with already available built-in features, but what type of user are you thinking of? Must be a very interested one. Same problem as with the firewall in Vista/7. Sure it does "outbound" control, so why bother with notoriously buggy 3rd party software? Well, try to set it up then. There are probably more I don't know about, but the fact is that on Windows such "deep" defenses are not made for everyone. Practically hidden, not meant for public consumption.

Dmytry:
"Even Symantec has "Stops threats unrecognized by traditional antivirus techniques" in their feature list"
Even small brand rogue scareware has this sort of stuff in their feature list.
Just what the hell is that supposed to mean? No, it does not stop brand new malware, never did, and never will, because anyone who makes malware (except possibly the antivirus vendor) tests the malware against the antivirus software to make it pass. Heck, everyone who makes software has to do this because of false positives! If by chance antivirus flags some new malware in development as malware - the chance exists for any new software - well, I suppose the author will simply swap a few functions around, fiddle with the compiler's optimization options, maybe screw a little with the UPX source code or not use UPX, and it'll pass.

From where I'm standing, we don't need a separate piece of software to protect from browser exploits and similar things; any decent browser gets patched before the antivirus in any case. What regular users really need antivirus software for is software piracy. Software piracy is not practical without having a good antivirus. (Ofc you can't pirate the antivirus itself because it phones home all the time to get updates.) If there's someone who profits big time from piracy, that's not piratebay. That's our glorious 'good guys', the antivirus vendors.

"Are you referring to Software Restriction Policy on Windows Dymtry"
No, I'm not referring to Software Restriction Policy, or any implemented method, for that matter. I'm making an observation:
Almost none of the applications I or you use, except for a couple special utilities (file search tools, and such which layman user may not even have), read from or write to files and locations that aren't either
a: in software's own folder, or
b: are chosen by user through the file dialog AS OF NOW WHEN THERE IS NO SECURITY.
This is the un-enforced convention which large majority of good software nonetheless obeys.
Nobody's interested in enforcing this; they're interested in blacklisting, because blacklists have to be kept up to date (= subscription services); they're interested in whitelisting, because that will let them extort money out of software developers - those developers who actually make anything of value; they're interested in showing a ton of scary popups; they're interested in 'heuristics' (tricks that aren't guaranteed to work, and do not work), because those generate a lot of false positives (extortion from honest developers again, though fortunately this is not so bad because you can always work around a false positive by fiddling with the code - the same applies for true positives for real malware). But they're not interested in doing anything relatively quiet that'd work. Our only hope is that Microsoft eventually sorts security out.
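The policy Dmytry sketches in both of his posts (own config folder plus whatever the user picked in the system open/save dialog, nothing else, no extra prompts) can be written down as a small decision model. This is an added illustration, not code from the thread, from any browser or from any operating system; AppSandbox, grant_from_dialog and check are hypothetical names and the paths are constructed sample values. It also handles the one edge case an enforcer must get right, a "../" escape out of the config folder:

```python
"""Model of the OS-level, dialog-driven file policy sketched in the thread.

Added illustration only: not code from the forum, from any browser or from
any operating system. AppSandbox, grant_from_dialog and check are
hypothetical names; the paths used below are constructed sample values.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Optional


def normalize(path: str) -> Optional[PurePosixPath]:
    """Collapse '.' and '..' lexically so a path cannot escape its root.

    Returns None for relative paths, which the policy simply refuses.
    A real kernel-level check would decide on the resolved inode or file
    handle, so symlinks could not be used to dodge the lexical check either.
    """
    p = PurePosixPath(path)
    if not p.is_absolute():
        return None
    parts = []
    for seg in p.parts:
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(parts) > 1:        # never pop the root "/"
                parts.pop()
            continue
        parts.append(seg)
    return PurePosixPath(*parts)


@dataclass
class AppSandbox:
    """Per-application policy: own config folder plus user-chosen files."""
    config_dir: PurePosixPath
    read_grants: set = field(default_factory=set)
    write_grants: set = field(default_factory=set)

    def grant_from_dialog(self, path: str, dialog: str) -> None:
        """Called by the trusted system open/save dialog, never by the app."""
        p = normalize(path)
        if p is None:
            raise ValueError("dialog must return an absolute path")
        if dialog == "open":
            self.read_grants.add(p)
        elif dialog == "save":
            self.write_grants.add(p)
        else:
            raise ValueError(f"unknown dialog kind: {dialog}")

    def check(self, path: str, op: str) -> bool:
        """Decide a read/write request without asking the user anything."""
        p = normalize(path)
        if p is None:
            return False
        # Rule 1: the app's own configuration folder is always read/write.
        if p == self.config_dir or self.config_dir in p.parents:
            return True
        # Rules 2/3: anything else only if the user picked it in a dialog.
        # A file chosen in the save dialog may also be read back.
        if op == "read":
            return p in self.read_grants or p in self.write_grants
        if op == "write":
            return p in self.write_grants
        return False


def demo() -> dict:
    """Walk through the browser case from the post; returns each decision."""
    sb = AppSandbox(PurePosixPath("/home/u/.config/browser"))
    results = {
        "own_prefs": sb.check("/home/u/.config/browser/prefs.json", "write"),
        "ssh_key": sb.check("/home/u/.ssh/id_rsa", "read"),
        "traversal": sb.check("/home/u/.config/browser/../../.ssh/id_rsa", "read"),
    }
    sb.grant_from_dialog("/home/u/Documents/report.pdf", "open")   # user picked it
    sb.grant_from_dialog("/home/u/Downloads/page.html", "save")    # user picked it
    results["picked_read"] = sb.check("/home/u/Documents/report.pdf", "read")
    results["picked_write"] = sb.check("/home/u/Documents/report.pdf", "write")
    results["saved_write"] = sb.check("/home/u/Downloads/page.html", "write")
    results["sibling_write"] = sb.check("/home/u/Downloads/other.html", "write")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:14} {'allow' if allowed else 'deny'}")
```

The point of the model is that the grant calls live in the dialog, not in the application: the app never gets to say "the user chose this", it only receives access the dialog already recorded, so there is nothing new to nag the user about.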

f0dder:
--- Quote from: Dmytry on February 19, 2010, 08:04 AM ---
If by chance antivirus flags some new malware in development as malware - the chance exists for any new software - well, I suppose the author will simply swap a few functions around, fiddle with the compiler's optimization options, maybe screw a little with the UPX source code or not use UPX, and it'll pass.
--- End quote ---
That will stop pattern-based and code analysis heuristics (stuff that analyzes before the malware runs), but it won't stop HIPS functionality that looks at the actions running code performs. As long as a new nasty privilege escalation bug isn't discovered, a decent HIPS will be able to block the malware. I don't know if there's any decent HIPS around, though, since I haven't been running anti-malware stuff for years :)

--- Quote from: Dmytry on February 19, 2010, 08:04 AM ---
What regular users really need antivirus software for is software piracy. Software piracy is not practical without having a good antivirus.
--- End quote ---
I disagree - drive-by exploits are a reality, and it's not like you're likely to get infected by piracy... as long as you have better sources than google searches.
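The distinction f0dder draws (repacking defeats a pattern scanner but not a rule that watches what the process does) is easy to see in a toy. Below is an added illustration, not code from the thread or from any HIPS product: two constructed byte strings stand in for two builds of the same program, the event traces are constructed stand-ins for what a run-time hook would record, and the rule names are hypothetical.

```python
"""Static signature vs. behaviour rule on two builds of the same program.

Added illustration only: not code from the thread or from any HIPS product.
The byte strings and event traces are constructed stand-ins, not real
samples; function and rule names are hypothetical.
"""
import hashlib
from typing import List, Tuple

Event = Tuple[str, str]   # (hook name, argument as the run-time hook saw it)

# Two constructed "builds": same behaviour, different bytes (repacked).
BUILD_A = b"MZ\x90\x00 constructed sample A: routines in order persist, beacon"
BUILD_B = b"MZ\x90\x00 constructed sample B: routines swapped, other packer"

# Constructed traces of what a run-time hook would see from each build.
TRACE_A: List[Event] = [
    ("file_write", r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ("net_connect", "203.0.113.7:443"),
]
TRACE_B: List[Event] = [                    # same actions, different order
    ("net_connect", "203.0.113.7:443"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ("file_write", r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"),
]
BENIGN_TRACE: List[Event] = [               # a text editor doing its job
    ("file_write", r"C:\Users\u\AppData\Roaming\Editor\settings.ini"),
    ("file_read", r"C:\Users\u\Documents\notes.txt"),
    ("net_connect", "198.51.100.9:443"),    # its update check
]


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def static_hit(blob: bytes, blocklist: set) -> bool:
    """Hash/pattern scanner: only knows exactly what it has seen before."""
    return sha256(blob) in blocklist


# Per-user autostart locations, compared case-insensitively.
AUTOSTART_MARKERS = (r"\start menu\programs\startup", r"\currentversion\run")


def is_autostart(target: str) -> bool:
    """True if a file or registry write lands in an autostart location."""
    low = target.lower()
    return any(marker in low for marker in AUTOSTART_MARKERS)


def behaviour_hits(trace: List[Event]) -> List[str]:
    """Rules over what the process actually did, regardless of order."""
    persisted = any(hook in ("file_write", "reg_set") and is_autostart(arg)
                    for hook, arg in trace)
    beaconed = any(hook == "net_connect" for hook, _ in trace)
    hits = []
    if persisted:
        hits.append("autostart_persistence")
    if persisted and beaconed:
        hits.append("persist_and_beacon")
    return hits


def demo() -> dict:
    """The vendor has only ever seen build A; compare both detectors."""
    blocklist = {sha256(BUILD_A)}
    return {
        "static_A": static_hit(BUILD_A, blocklist),
        "static_B": static_hit(BUILD_B, blocklist),
        "behaviour_A": behaviour_hits(TRACE_A),
        "behaviour_B": behaviour_hits(TRACE_B),
        "behaviour_benign": behaviour_hits(BENIGN_TRACE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17} {verdict}")
```

The benign trace is there for the other half of f0dder's point: a behaviour rule earns its keep only if it separates "writes its own settings and checks for updates" from "installs itself to run at logon and then talks out", otherwise it is just the false-positive generator Dmytry complains about.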

Bamse:
As I understand it, your observations are in the same family as SRP then. More like a new Windows which educates the user in a different way, right? You are overestimating the desire for change and understanding for a safer logic though. Will never happen. Windows Vista and upwards is it. Optional UAC shows how MS think, maybe how they must think. Windows is not Linux but ultimate freedom ;)

Non-signature-based detection is not just a hoax. You are right about piracy being the obvious reason for AVs. Well, dig into that area and you will learn how AVs work. Or just install Threatfire or a similar tool and test. Anything with no use of blacklists. When it pops up after whatever AV has approved, you should read the warning carefully. Norton also uses a block/quarantine by default policy towards unknown files btw. Cloud feature... I think you are underestimating their features a bit. Must always remember that increasing requirements on the user is almost not an option. There are limits to what they will ask the average Windows user to do.

Btw, you can use cracked security software and many do. I don't use cracked software but keep myself updated. Can't remember a popular security program that is not available for "free".

f0dder posted; well, he is right about "drive-by", though that usually means an exploited plugin, PDF, Flash. Browsers are not a target themselves. "Drive-by" is a really cute buzzword loved by paranoid people since it means WHATEVER amount of common sense you have, you can still be screwed! = BUY a security package, you MUST. Almost entirely BS, but don't forget PDF, Flash though. Due to my attempt to keep up with the warez scene, all I will say is those people know zero about security and do not care. Very likely you get infected by using "good" sources. The other day I almost saw a moderator get infected in real time. He asked about why the hell a certain popular site redirected him to some weird stuff. I checked and it was a nasty PDF exploit. Like only just listed on malware domains, days or more like only a few hours old. He replied that then good, he just got updated to 9.3 or something. Hmm, that was Flash, dummy. He went FU#% and deleted the thread. This is the level. Or go to some of the very big warez forums, pick random threads and check properly. Tons and tons of stuff is infected and nobody cares that much. The majority probably don't even know their computer is hosed. If they figure it out they just install a new free Windows, who cares... Really not difficult to understand how stuff gets spread around.

If by good sources you mean more private networks then you could be right. Something with invites or ? I would not know but do believe in "safe" cracking. Popular sites/forums are full of junk and the typical member is clueless. They are just normal Windows users ;)
