
Antivirus Makers Struggle to Adapt - earllee
http://www.nytimes.com/2013/01/01/technology/antivirus-makers-work-on-software-to-catch-malware-more-effectively.html?hp&_r=0
======
josephagoss
On Windows I have been recommending that people use Microsoft Security
Essentials, which is free. I understand Microsoft cannot bundle MSE because
that would be a monopoly, but I really wish they could, with MSE being
pre-installed as opposed to Norton and McAfee trials being pre-installed and
asking for money after 3 months.

~~~
lucian303
Better software exists (for free). A little research will lead you to it.

~~~
DanBC
Why the coyness?

What is that better software?

Some people might have weird definitions of "better", so it might also be
handy to say why that software is better.

~~~
lucian303
Exactly for that reason.

~~~
illuminate
I wouldn't bother if you're just going to be cryptic.

------
jdangu
Traditional A/V are broken for the web.

With dynamic languages like JS and ActionScript, their approach is to
fingerprint 10 different strains of the same threat. Then the 11th strain can
be generated in a few seconds with new obfuscation.

So the A/V only starts working if/when eventually a native code payload
reaches the target.

~~~
throwaway2048
No, it really doesn't. Native code can do the exact same sort of tricks.

A pretty standard tool in detection evasion's bag of tricks is to write a
custom virtual machine that generates code on the fly, which makes static,
signature-based analysis of payloads totally useless.

~~~
gizmo686
What keeps you from fingerprinting the VM just as easily?

~~~
throwaway2048
The VM is easier to modify than the entire codebase: you have to update only
one small bit of code, rather than everything. The VM is written with this in
mind, and is trivial to automatically obfuscate/transform.

------
revelation
_The data security firm recently found that antivirus software programs
perform poorly against new viruses._

The remainder of the article provides similar enlightenment.

~~~
oskarpearson
The article basically adds a few interviews and photos to an Imperva press
release:
<http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol-newsArticle_Print&ID=1764440&highlight=>

Aside: this reminded me of PG's article "The Suit is Back":
<http://www.paulgraham.com/submarine.html> That, at least, is well worth a
read.

So I guess Imperva might be a company to watch - at least we now know they
have a good PR firm :)

~~~
lucian303
There's anti-virus and then there are the programs that fill in the gap where
the AV programs lack. A simple Google search will yield you the results.

------
talleyrand
I thought antivirus software existed merely to deal with flaws in Windows...

~~~
jimbobimbo
While I understand that Windows' past does make it a convenient target for
such remarks, most "viruses" now are not really viruses, but malware that
either exploits holes in (mostly) third-party software, or goes after the
human factor. Stricter security practices from Vista onwards (UAC,
low-privileged user accounts by default, etc.) make Windows no easier a target
than Mac or *x, if social engineering is involved. No anti-malware product
will help if the user is tricked into voluntarily entering their credentials
or credit card details.

~~~
beagle3
If a site gets you to download an executable, it's now 3 mouse clicks to get
it to run on an average desktop setup (as opposed to 0 in the Win2K days and 1
in the early XP days).

In Unixes, it's still "open an xterm and chmod a+x executable". There's still
a huge difference.

~~~
jimbobimbo
UAC prompts for a password, not a clickthrough.

~~~
beagle3
Only if you have a password set up. About half the systems I interact with do
not, and UAC is just a click-through on them.

~~~
jimbobimbo
Fair enough. This is being more or less mitigated by the "file reputation"
system though. It's pretty effective at preventing the user from accidentally
running a suspicious file. This, and the browser that sets the "downloaded
from the internet" flag on executable and ZIP files.

------
pixl97
If I had to think of anti-virus I would trust the most it would be this.

The computer would reboot into a maintenance mode where it would boot into a
check mode. Hopefully off the network or some other source that couldn't be
altered by a virus/malware.

The check mode would checksum all executable content and update its database,
reporting all changed and added files. It could also check for known
out-of-date executable files. All files would be checked against an A/V
database too. If nothing fails the computer reboots back to the OS, else it is
halted until repaired.

This still has two risks I can see: one is that the BIOS is altered and
subverted there. The other is that non-executable content runs transient
programs that do not survive reboot.
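
As an added example (not code from the thread), here is the core of the check mode described above: a baseline of SHA-256 hashes over executable content, re-taken on each run and diffed to report added, removed and changed files. The executable heuristic, file names and contents are constructed for the demo.

```python
import hashlib, os, stat, tempfile

# Added example, not from the thread: the "check mode" pixl97 sketches, as a
# baseline of SHA-256 hashes over executable content compared on each run.
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".so")  # constructed heuristic

def is_executable(path):
    """Exec bit set, or a common executable extension (heuristic only)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)) \
        or path.lower().endswith(EXEC_SUFFIXES)

def snapshot(root):
    """Hash every executable file under root -> {relative_path: sha256hex}."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or not is_executable(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            db[os.path.relpath(full, root)] = h.hexdigest()
    return db

def compare(baseline, current):
    """What the check would flag: added, removed and changed executables."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario in a temp dir: one binary modified, one added."""
    root = tempfile.mkdtemp()
    for name, data in (("a.exe", b"v1"), ("notes.txt", b"not executable")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = snapshot(root)  # taken while the system is still trusted
    for name, data in (("a.exe", b"v2"), ("b.dll", b"dropped in later")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return compare(baseline, snapshot(root))
```

The baseline only means something if it is stored where the running OS cannot rewrite it, which is exactly why the post boots into a separate check mode.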

~~~
gizmo686
I think that concept would work better as signing executables rather than
stopping the world and validating against a database. Create a private key
from the user's password (which of course cannot be derived from information
stored on the computer). When an unsigned binary tries running, require the
user to provide their password to sign it.

------
alok-g
Newbie questions (I have searched the Internet a bit, did not find information
to answer these):

I understand that anti-viruses (AVs) maintain signatures of viruses (which as
I understand are byte patterns present in that virus and not present in
non-infected software code). They also look for executables modifying others.

Questions:

1. If AVs have to match byte patterns for a very large number of known
viruses (millions??), would this not make scanning each executable very slow?
This seems to be an O[e*v] operation where e is the number of executables and
v is the number of viruses. Since it does not seem as slow intuitively, what
is going on?

2. I presume AVs would also track checksums of known executables so that
these can be safeguarded against new viruses for which signatures are not yet
available. Is this right?

~~~
brutos
First I don't really have an idea about security software. But to your first
question:

The algorithm that is used is probably a variation of the Aho-Corasick
algorithm. This is a string matching algorithm that can match k patterns in
O(kn+m).

This is basically linear and doable.

To your second question I can only point to a flaw in some virus scanner a
couple of years ago where it detected a false positive in an essential Windows
file, removed the file and left Windows in an unbootable state. I do hope that
there was some lesson learned.
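
To make the answer concrete, here is an added example (not code from the thread) of the Aho-Corasick approach brutos points to: the automaton is built once from all signatures, and each scan is then a single pass over the file whose cost does not grow with the number of signatures loaded. The signature names, patterns and sample bytes are constructed.

```python
from collections import deque

# Added example, not from the thread: Aho-Corasick multi-pattern matching, the
# family of algorithms brutos points to. The automaton is built once from all
# signatures; each scan then costs one pass over the file, however many
# signatures are loaded. Signatures and sample bytes below are constructed.
SIGNATURES = {"sig_a": b"EVIL", "sig_b": b"VILLA", "sig_c": b"LAIN"}
SAMPLE = b"xxEVILLAINyy"

def build_automaton(signatures):
    """Trie over all patterns plus failure links; returns (goto, fail, out)."""
    goto, out = [{}], [set()]   # goto[state][byte] -> state; out[state] -> names
    for name, pat in signatures.items():
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto[s][b] = len(goto)
                goto.append({})
                out.append(set())
            s = goto[s][b]
        out[s].add(name)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())    # depth-1 states keep fail = root
    while queue:                       # BFS so fail[s] is final before reuse
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]     # inherit patterns ending at the fallback
    return goto, fail, out

def scan(automaton, data):
    """One pass over data -> {signature_name: [end_offsets]}."""
    goto, fail, out = automaton
    hits, s = {}, 0
    for i, b in enumerate(data):
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        for name in out[s]:
            hits.setdefault(name, []).append(i + 1)
    return hits

def demo():
    return scan(build_automaton(SIGNATURES), SAMPLE)
```

The three overlapping sample signatures are all reported from one pass, which is the property that keeps per-file scanning time tied to file size rather than to the size of the signature database.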

------
nodesocket
I am not trying to be an Apple fan-boy, but does anybody run anti-virus on
their Macs? AntiVirus these days seems like snake oil.

~~~
mattquiros
I actually have the same question. I just switched to a MacBook a few months
ago and never felt the need to install an antivirus (I've always had Avira on
my old Windows 7 PC, but primarily for scanning flash drives). But actually,
even in my old PC, I never really had major problems with viruses. I've always
thought you can only get them by irresponsibly downloading and installing
untrusted software, and websites.

~~~
protomyth
Generally, my only real reason for running an anti-virus on the mac has been
to check e-mail attachments so I don't spread something.

------
msluyter
Given that these A/V products are only marginally effective, does anyone have
any suggestions for what might be the best bang for the buck in terms of
protecting a Win7 machine? My preference would be just not to run Windows, but
it's my mom's system, and she needs certain Windows-based accounting
packages...

------
nnnnnn
Maybe McAfee could come back and save the day. It would make a great addition
to his storytale-like blog.

~~~
lucian303
Yes, he can create the next great security product from jail. ;-)

------
lucian303
No shit. This isn't news, it's a well known fact.

~~~
enraged_camel
Not sure why you are being downvoted, as anyone who deals with computers will
be well aware that anti-virus software exists mostly as security theater. It
_can_ be useful against certain types of viruses, especially those that are
widespread, but it is a very dangerous thing in and of itself because it
states that the user's system is "protected," causing most people to gain a
false sense of security and drop their guard.

~~~
gizmo686
I do not think anti-viruses are pure security theater. They will not protect
against zero-day attacks; however, once a specific virus hits enough people,
anti-viruses will be updated, preventing large-scale infection. In order to
avoid this, attackers need an attack vector that would allow them to change
the virus binary at will. These definitely exist, but A/V does stop a
non-trivial amount of infections.

~~~
lucian303
There is software out there that specifically targets zero-day attacks. It
would be a conflict of interest for me to mention specifics, but a trivial
matter for those interested to find out.

