

Should antivirus vendors block state malware? - FSecurePal
http://www.net-security.org/malware_news.php?id=1663

======
iuguy
For those that don't know, the man quoted, Mikko Hypponen is a really smart
guy, and completely wrong.

Antivirus solves a specific problem: compliance. AV demonstrates that you're
taking steps to reduce the likelihood of you infecting another person's
computer. In our experience at Mandalorian, Antivirus has roughly a 20-40%
success rate at stopping malware. That's a wide margin, but still the wrong
side of 50%. To put things into perspective, in the past several hundred
penetration tests, there has not been one where the AV stopped our attack,
subsequent compromise or persistence mechanisms. Let me clarify:

In the past 18 months the total number of simulated attacks by us on customer
engagements that have been stopped by Antivirus is: 0.

I'm fairly confident that we've never had an AV stop us, but I don't have data
going that far back. Now if that's what a commercial penetration testing
outfit can do, what can governments do?

There's no real such thing as 'state malware' per se (well there is, but I'll
come to that in a minute). When defending against state level attack you need
to understand your adversary and their capabilities. A government attacking
you or another government is not a technology, it's a threat group. They will
have a specific goal in mind and it's up to you to identify it and defend
accordingly.

Now assume that to develop something like Stuxnet is expensive. A government
is going to require a lot of resources to create ordnance to use in these
attacks. They'll start with things like metasploit because if they can get in
with that they don't risk blowing their own code. Then you'll start seeing
zero day exploits, botnet toolkits and more before you start seeing
specifically developed targeted code.

The reason is simple - it takes months to develop the attack and the exploits
and persistence are a massive part of that. If you can detect it, block it and
share the indicators, that work is now burnt.

Antivirus vendors are not targeting that space (or if they are, they won't win
- unless they're receiving the indicators of compromise, also known as IoCs).

~~~
sucuri2
AV != IDS. Goal of the AV is to stop known malware from propagating.

Goal of the IDS is to detect (or block) attacks (or your penetration tests).

~~~
iuguy
The AV should detect the code I'm using to maintain persistence as malware,
no? When I change permissions on a section of memory so I can inject into a
process it should pick it up, right? What about the driver I uploaded and
installed to do it? After all, any AV worth its salt does disk and memory
scans.

------
tobylane
Yes. The hole that the state malware uses couldn't be kept secret, therefore
it's not safe to not patch everything. Plus, the state has no right to free
access to our computers without warrants. There are many sides to this
argument.

------
Zak
The answer to this seems obvious to me: much like a lawyer, the interests of a
security vendor must align with those of its customers, even when some of
those customers might be doing bad things.

