Author Topic: Do virus scanners need to get stupid again?  (Read 8274 times)

daddydave

  • Supporting Member
  • Joined in 2008
  • Posts: 867
  • test
Do virus scanners need to get stupid again?
« on: September 10, 2010, 04:28 PM »
Remember back when virus scanners were basically glorified grep and all they did was search for signatures in files all day long? And we were warned virus scanners would have to get smarter and detect specific behavior rather than just mindlessly search for strings in files? Nowadays we have virus scanners that try to detect suspicious behavior. The unintended consequence seems to be that now the burden is on the user to determine whether a particular DLL call behavior is suspicious or not. It's enough to make a person wish for the glory days of virus scanners when, if you got a message saying a virus was detected, you could be fairly confident a virus was detected. Being good at recognizing false positives has become a requirement of using antivirus software much more than it used to be, in my opinion. Granted, it helps to avoid crap virus scanners (or ones that exaggerate the possible threat), but even the ones I recommend (avast or Microsoft Security Essentials or Symantec* if you want to spend money) politely bring up warnings of suspicious behavior likely to freak out a non-techie.

Do virus scanners need to get "dumb" again and just search for signatures instead of trying to be so smart? I'm kidding in a way, but also semi-serious. Or have I mischaracterized?

*Actually I haven't seen it in Symantec, but maybe that is because I don't use it, because I don't want to spend money.
« Last Edit: September 10, 2010, 04:36 PM by daddydave »

tranglos

  • Supporting Member
  • Joined in 2006
  • Posts: 1,081
Re: Do virus scanners need to get stupid again?
« Reply #1 on: September 10, 2010, 08:33 PM »
You are so right about how behavioral analysis shifts the burden of deciding whether something is malevolent onto the user. What am I paying them for? (And yes, I've paid in turn for Nod32, Kaspersky and Avira, am unhappy with them all.)

At the same time, despite the rising frequency of false positives, I'm seeing a tendency in AV software to limit what you can do about the detections. Avira still lets you ignore suspicious files (though it complains bitterly), but Kaspersky does not have an "Ignore" option that I can see. When it can't disinfect, the only available route is delete. And of course it can never disinfect a false positive, or more specifically, it cannot disinfect when the only evidence is circumstantial, from behavioral analysis.

But I guess what you're positing will never happen. The bloat in AV software follows the bloat of the companies^H^H^H corporations that make them. When it was one diligent coder, you could reason with him or her, but you can't reason with the board of directors or with the shareholders.

I'm sorely tempted to run without an AV, but I'm too chicken for that, and I do receive plenty of attachments daily and share USB drives with friends, so I'm susceptible. But behavioral detection (and heuristics) is the first thing I disable in AV. It's just not worth the aggravation.


J-Mac

  • Supporting Member
  • Joined in 2007
  • Posts: 2,918
Re: Do virus scanners need to get stupid again?
« Reply #2 on: September 10, 2010, 10:28 PM »
Agreed! Drives you nuts anymore.

Jim

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
Re: Do virus scanners need to get stupid again?
« Reply #3 on: September 10, 2010, 11:27 PM »
I for one am tired of false positives that you report and then they say that it's a virus, so you report it again and... Sigh...

I wonder if having a "safe signature" would help...
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
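The opening post describes the old "glorified grep" scanner (search every file for known byte strings) and this reply wonders whether a "safe signature" would help. The block below is an added example, not code from the forum or from any AV vendor, that puts the two side by side: a string-matching scanner over constructed signature patterns, plus a SHA-256 allowlist of vetted-good files consulted first. All file contents, signature names and patterns are constructed for the demonstration; the `SAMPLE_TOOL` case is the classic false positive, a legitimate removal utility that happens to embed the very marker string the scanner looks for.

```python
import hashlib
import re

# Constructed byte patterns standing in for real AV definitions (not real malware
# signatures): a "glorified grep" scanner simply looks for these in every file.
SIGNATURES = {
    "Constructed.Dropper.A": re.compile(rb"CONSTRUCTED-DROPPER-MARKER-[0-9]{4}"),
    "Constructed.Keylog.B": re.compile(rb"CONSTRUCTED-KEYLOG-MARKER"),
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the 'safe signature' key for the allowlist."""
    return hashlib.sha256(data).hexdigest()


def signature_scan(data: bytes, signatures=SIGNATURES) -> list:
    """Grep-style pass: names of every signature whose pattern occurs in the bytes."""
    return sorted(name for name, pattern in signatures.items() if pattern.search(data))


def classify(data: bytes, allowlist: set, signatures=SIGNATURES) -> dict:
    """Allowlist-first verdict.

    A file whose SHA-256 is on the vetted-good list is never reported, even if a
    pattern happens to occur inside it; anything else gets the plain signature scan.
    """
    digest = sha256_hex(data)
    if digest in allowlist:
        return {"verdict": "allowlisted", "sha256": digest, "matches": []}
    matches = signature_scan(data, signatures)
    return {
        "verdict": "detected" if matches else "clean",
        "sha256": digest,
        "matches": matches,
    }


# Constructed sample "files" (fake PE-ish headers, not real executables).
SAMPLE_MALICIOUS = b"MZ\x90\x00...CONSTRUCTED-DROPPER-MARKER-2010\x00..."
# A legitimate removal tool that embeds the marker string it searches for: the
# classic false positive for a string-matching scanner.
SAMPLE_TOOL = b"MZ\x90\x00...removes files containing CONSTRUCTED-KEYLOG-MARKER\x00"
SAMPLE_PLAIN = b"MZ\x90\x00...hello world\x00"

# Vetted-good hashes would come from the publisher or the vendor's lab; here the
# tool's hash is simply computed from the constructed sample above.
ALLOWLIST = {sha256_hex(SAMPLE_TOOL)}


def scan_all(samples: dict, allowlist: set) -> dict:
    """Verdict per sample name, for a quick side-by-side view."""
    return {name: classify(data, allowlist)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    samples = {"dropper": SAMPLE_MALICIOUS, "removal-tool": SAMPLE_TOOL, "plain": SAMPLE_PLAIN}
    print("without allowlist:", scan_all(samples, set()))
    print("with allowlist:   ", scan_all(samples, ALLOWLIST))
    # A single changed byte in the tool drops it off the allowlist again.
    print("tampered tool:    ", classify(SAMPLE_TOOL + b"\x00", ALLOWLIST)["verdict"])
```

Two design points worth noticing. The allowlist is keyed on the exact bytes, so it only vouches for the specific build that was vetted: append one byte to `SAMPLE_TOOL` and it falls back to the ordinary scan and is flagged again, which is the behaviour you want for a tampered copy of a trusted program. And because the allowlist is checked before the patterns, a bad entry on it silences every signature for that file, so the list has to come from a source you trust (a publisher's hashes or signed binaries), never from a file name or a path.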

J-Mac

  • Supporting Member
  • Joined in 2007
  • Posts: 2,918
Re: Do virus scanners need to get stupid again?
« Reply #4 on: September 10, 2010, 11:41 PM »
Eset NOD32 that I use recently popped up a dialog saying that there was a file that needed to be submitted for review to Eset. I clicked Next to bring up the file submission window and the file was 'firefox.exe' from the Program Files directory! I ignored it but it kept reminding me every few days - so I finally submitted it. Wonder what they will find?

Jim

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
Re: Do virus scanners need to get stupid again?
« Reply #5 on: September 10, 2010, 11:59 PM »
Eset NOD32 that I use recently popped up a dialog saying that there was a file that needed to be submitted for review to Eset. I clicked Next to bring up the file submission window and the file was 'firefox.exe' from the Program Files directory! I ignored it but it kept reminding me every few days - so I finally submitted it. Wonder what they will find?

Jim

That's actually not surprising. Given the ability of FF to host all kinds of extensions, you never know what could be going on.

J-Mac

  • Supporting Member
  • Joined in 2007
  • Posts: 2,918
Re: Do virus scanners need to get stupid again?
« Reply #6 on: September 11, 2010, 12:37 AM »
That's actually not surprising. Given the ability of FF to host all kinds of extensions, you never know what could be going on.

Really think so? Sure was a surprise to me!

Jim

Krishean

  • Honorary Member
  • Joined in 2008
  • Posts: 75
  • I like pie
Re: Do virus scanners need to get stupid again?
« Reply #7 on: September 11, 2010, 12:51 AM »
Submitting firefox.exe itself is probably going to turn up nothing, as long as it hasn't been altered to include malicious code. I have seen other antiviruses request common programs to be submitted for analysis myself (MSE requested that I submit a beta version of 7zip for analysis once).

You would have to submit the malicious extension for anything to be done about it.

Additionally, signature-based approaches are ineffective: thousands of new malware variants are released each day, and creating signatures for all of them is impossible (see the second half of my post here for a better explanation with links to articles).

I also agree that the heuristic approach is flawed, and needs to be drastically improved before it will be of any use. False positives (and also "potentially unwanted programs") are particularly annoying.
Any sufficiently advanced technology is indistinguishable from magic.

- Arthur C. Clarke

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,649
Re: Do virus scanners need to get stupid again?
« Reply #8 on: September 11, 2010, 10:54 AM »
Not to mention the insanely irresponsible shoot-first-and-ask-questions-later policy many of the fringe/malware "Security" sites seem to have. Just Google anything.dll or .exe and many of them will surface.

There was a time these sites were (screened properly) helpful, but now... Hell, last week I found several sites that featured horrific warnings about the "deadly" Tclock virus...  :huh: ...Yeah, that one. :wallbash: Unfortunately, being that it was Kazubon's build, I can't really do much... So I'll let it go for now.

These idiots actually had three (yeah that's right 3/three/III) pages of instructions on how to remove a program that consists of 2 binaries & a single registry key. WTF?

...Who do Ya trust? These days nobody - I'm even half tempted to think my own eyes might lie to me...  :D

tomos

  • Charter Member
  • Joined in 2006
  • Posts: 11,964
Re: Do virus scanners need to get stupid again?
« Reply #9 on: September 11, 2010, 01:31 PM »
Is there any antivirus that has a good record in this regard? - Sorry, that's probably veering off-topic (and may be discussed elsewhere?)

Re Avira: I've complained in their forums three or four times now about how difficult it is to report false positives on their website. Each time they ask me for the link or file and report the thread as solved. In my latest effort, Still having problems reporting false-positives at Avira website, I have stuck to the topic (i.e. not given anyone on the forum the details of the false positive) and am now simply getting no response. I get the impression there are a couple of employees whose job it is to reply on the forums and they work on a commission basis per thread marked <Solved>. (And solving that just doesn't seem to be on Avira's agenda...)

When my year with Avira runs out (or maybe sooner) I'm moving on...
Tom

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
Re: Do virus scanners need to get stupid again?
« Reply #10 on: September 13, 2010, 08:42 AM »
Just installed some banking software... Got a false positive... Sigh...

Bamse

  • Supporting Member
  • Joined in 2009
  • Posts: 410
Re: Do virus scanners need to get stupid again?
« Reply #11 on: September 15, 2010, 10:54 AM »
Last week PrevX decided to change its opinion about Nirsoft's tools. Previously they had said they are all whitelisted, since most exe-files can be misused so there is no need to jump on little Nirsoft. FPs suck, even more with PrevX, but I don't really believe anyone is haunted by them. Even Emsisoft is fairly OK these days. You can collect enough evidence proving that is too optimistic (most have horrible stories of mistaking even system files), but in the bigger picture you still ignore the number-of-users vs. problems parameter. So blown out of proportion, but also true that most security companies do not care that much about what they estimate/sense is only relevant to a minority http://blog.nirsoft....to-small-developers/ In other words they suck :) Much is fixed by a "possibly unwanted program" type of tickbox, btw. On the other hand, to get closer to 100% idiot-proof security that should be ticked! Can't look bad in a stupid AV test. How it is.

Avira most likely have paid helpers, in one way or another, but expect similar from all populated forums serving a product. They can do more harm than good, getting too eager.