Breaking antivirus software - kramarb
http://www.slideshare.net/JoxeanKoret/breaking-av-software-33153490

======
DominikD
Here's PDF:
[http://mincore.c9x.org/breaking_av_software.pdf](http://mincore.c9x.org/breaking_av_software.pdf)

Disclaimer: I hate slideshare with passion. The presentation format and how they
use HTML make it painful to use if there are some connection issues (and
their servers routinely hang on slides).

~~~
username223
> I hate slideshare with passion.

Same. I can't figure out why people trying to share their PDF slides use it,
when any device more sophisticated than a flip-phone has a good built-in PDF
reader.

------
wmt
I can imagine AV engines having massive attack surfaces due to having to
support a ton of exploitable file formats and decompression methods, and often
supporting decade+ old detections. It is still surprising that some vendors
(I'm looking at you Bitdefender!) have obviously not even tried to fuzz their
product. Koret's presentation is already a year old, so I hope vendors
would've now gotten at least some of their shit together. I wouldn't bet too
much money on it though, as it still has virtually no effect on how much the
product will be sold. Take a guess how many people will still give money to
Bitdefender because they have had really good review performances.

There's definitely a pattern that AV companies put their efforts in being able
to say they're #1 in outside tests or in reviews. In ye olden times someone
would just take multiple vendors, scan against 1000000 old viruses and rank
them based on the detection %, and as the end result the "best" (and the most
sold) products ended up being resource hogs. Later reviewers took notice and
started also measuring file copying performance and detection capabilities
against active malware, and in a year or two many vendors adapted and improved
their performance and their efforts against malware that actually is being
spread.

Hopefully reviewers will take notice and include some exploitability metrics
in the future so that vendors need to focus on it or go out of business.

Funny thing is that despite Bitdefender having thousands of exploitable points
in their product, at the moment your average user will still be less
vulnerable against online criminals than most of those who don't run anything.
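The decompression attack surface mentioned above is one a defender can actually bound. The following is an added example (not code from the thread or from any AV vendor) showing how a scanner can inflate a compressed member without letting a tiny input expand into gigabytes: zlib's `max_length` caps the output before any check runs, an expansion-ratio limit flags "bombs" that stay under the byte cap, and truncated or malformed streams are reported rather than guessed at. The limits and sample inputs are constructed for the demo.

```python
import zlib

# Constructed limits for the demo; a real engine would tune them per format
# and per nesting level of an archive.
MAX_OUTPUT_BYTES = 64 * 1024
MAX_RATIO = 100  # inflated bytes per compressed byte


class DecompressionLimitExceeded(Exception):
    """Raised when inflating would exceed a configured bound."""

    def __init__(self, kind: str, message: str):
        super().__init__(message)
        self.kind = kind  # "too-large" or "suspicious-ratio"


def bounded_inflate(data: bytes, max_out: int = MAX_OUTPUT_BYTES,
                    max_ratio: int = MAX_RATIO) -> bytes:
    """Inflate a zlib stream, stopping as soon as the output bound is crossed.

    max_length makes zlib hand back at most max_out + 1 bytes, so memory use
    is bounded before any size check runs; the extra byte is how we tell
    "fits exactly" from "would have gone over".
    """
    d = zlib.decompressobj()
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise DecompressionLimitExceeded(
            "too-large", f"inflated output exceeds {max_out} bytes")
    if len(out) > max_ratio * max(len(data), 1):
        raise DecompressionLimitExceeded(
            "suspicious-ratio", f"expansion ratio exceeds {max_ratio}:1")
    if not d.eof:
        # Output fit within the bound, so zlib consumed all the input; a
        # stream that still has not reached its end marker is truncated.
        raise ValueError("truncated or incomplete zlib stream")
    return out


def classify(data: bytes) -> str:
    """Scanner-style verdict on one compressed member:
    ok / too-large / suspicious-ratio / malformed."""
    try:
        bounded_inflate(data)
        return "ok"
    except DecompressionLimitExceeded as exc:
        return exc.kind
    except (zlib.error, ValueError):
        return "malformed"


# Constructed sample inputs.
LEGIT_PLAIN = b"This is an ordinary small document. " * 20
LEGIT = zlib.compress(LEGIT_PLAIN)
BOMB = zlib.compress(b"\0" * (1 << 20))          # 1 MiB of zeros, ~1 KiB compressed
HIGH_RATIO = zlib.compress(b"A" * 50000)          # fits the byte cap, fails the ratio
GARBAGE = b"this is not a zlib stream at all"
TRUNCATED = zlib.compress(bytes(range(256)) * 4)[:-8]

if __name__ == "__main__":
    for name, blob in [("legit", LEGIT), ("bomb", BOMB), ("high-ratio", HIGH_RATIO),
                       ("garbage", GARBAGE), ("truncated", TRUNCATED)]:
        print(f"{name:10s} {len(blob):6d} bytes -> {classify(blob)}")
```

The same pattern applies to any container a scanner has to open (nested archives, embedded streams in documents): decide the budget first, make the library enforce it, and treat "over budget" as a verdict rather than an error to retry.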

------
leni536
This is mostly just sad. Updating through HTTP without proper signing, really?
Also last time I checked I couldn't even download Avast through HTTPS.

~~~
eterm
It surprised me just yesterday to note that Microsoft Security Essentials is
also downloaded by way of HTTP.

~~~
angry_octet
Same with all Microsoft updates, but the update catalog and the updates are
signed. This is because they support downloading to a corporate master updates
mirror, and further downstream mirrors.
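The point in the two comments above is that the transport is not what makes an update trustworthy; the signature on the catalog and the digests it carries are. The following is an added example (not code from the thread, from Microsoft, or from any AV vendor) of an update client that accepts bytes from any mirror over plain HTTP but refuses to install anything whose manifest signature, version ordering or file digests do not verify. It uses an HMAC with a pre-shared key as a stand-in for the publisher's public-key signature, since the Python standard library has no asymmetric primitives; the control flow is the same. Key material, file contents and version numbers are all constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the publisher's signing key. A real updater holds
# only the publisher's public key and verifies an asymmetric signature.
PUBLISHER_KEY = b"constructed-demo-key-not-a-real-secret"


class UpdateRejected(Exception):
    pass


def canonical(manifest: dict) -> bytes:
    """Canonical encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Publisher side: authenticate the manifest (version + file digests)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).digest()


def build_manifest(version: str, files: dict) -> dict:
    return {"version": version,
            "files": {name: hashlib.sha256(data).hexdigest()
                      for name, data in files.items()}}


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def verify_update(manifest: dict, signature: bytes, downloads: dict,
                  key: bytes, installed_version: str) -> dict:
    """Client side. Returns the files that may be installed; raises otherwise.

    Nothing here depends on how the bytes arrived: plain HTTP from a
    downstream mirror is fine because authenticity comes from the signature
    and the digests, not from the transport.
    """
    # 1. The manifest itself must be authentic (constant-time comparison).
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise UpdateRejected("manifest signature invalid")
    # 2. Rollback protection: a validly signed but older manifest is still
    #    refused, so a mirror cannot pin clients to a stale release.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("manifest is not newer than installed version")
    # 3. Every file must match the digest the signed manifest lists, and no
    #    file outside the manifest is accepted.
    expected = manifest["files"]
    if set(downloads) != set(expected):
        raise UpdateRejected("downloaded file set differs from manifest")
    for name, data in downloads.items():
        if hashlib.sha256(data).hexdigest() != expected[name]:
            raise UpdateRejected(f"digest mismatch for {name}")
    return downloads


def outcome(manifest: dict, signature: bytes, downloads: dict,
            installed_version: str) -> str:
    """Convenience wrapper returning 'accepted' or the rejection reason."""
    try:
        verify_update(manifest, signature, downloads, PUBLISHER_KEY, installed_version)
        return "accepted"
    except UpdateRejected as exc:
        return str(exc)


# Constructed release as the publisher would produce it.
FILES = {"engine.bin": b"constructed engine bytes v2.0.1",
         "signatures.db": b"constructed signature database"}
MANIFEST = build_manifest("2.0.1", FILES)
SIGNATURE = sign_manifest(MANIFEST, PUBLISHER_KEY)

if __name__ == "__main__":
    print("honest mirror:      ", outcome(MANIFEST, SIGNATURE, FILES, "2.0.0"))
    altered = dict(FILES)
    altered["engine.bin"] = b"constructed bytes altered in transit"
    print("altered file:       ", outcome(MANIFEST, SIGNATURE, altered, "2.0.0"))
    print("already installed:  ", outcome(MANIFEST, SIGNATURE, FILES, "2.0.1"))
```

The order of the checks matters: the signature is verified before anything in the manifest is trusted, the version comparison uses the signed value, and the per-file digests come from the signed manifest rather than from anything the mirror sent alongside the files.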

------
Retra
> Any software you install makes you a bit more vulnerable. AV engines are no
> exceptions. Just the opposite.

The only time I've ever gotten a (disruptive) computer virus was after
installing Norton Antivirus. These days my goal is to ensure that I can
quickly reformat and reinstall my system. I keep records of what I've
installed and how I configure it.

Antivirus software is usually either dangerous, not worth paying for, or
basically malware. How much anti-virus software is just resource-hogging,
popup-spamming adware? No thanks.

------
HackinOut
Most viruses are identified by their signature only, because most of them are
dumb. Heuristics for unknown threats are often there purely for marketing.

AVs all have more or less the same signature database due to the same reason
as above: most viruses are dumb and well known (most can't even be called
_viruses_, think adware & co). IMO this is the best reason for not having
multiple AVs. I personally do not trust an AV for anything more than dumb
signature checking (which is easily circumvented with polymorphism or
sometimes encryption alone) and targeted heuristics.

I also don't even want to start thinking about the mess that could be created by
several AVs' injection/hooking mechanisms on the same machine.

------
Shank
Obviously it wouldn't be easy to test on Linux, but it would be really
interesting to see the results of fuzzing against Windows Defender. Seeing as
it's the de facto AV packaged with Windows 8, and a lot of people use MSE on
prior versions, imagine the attack surface area.

Then again, if Microsoft is competent in how they built their AV engine, it
might be properly fuzzed already. With such a wide deployment, you'd certainly
want to think so...

~~~
ugexe
"In an interview with Dennis Protection Labs, Holly Stewart, the senior
program manager of the Microsoft Malware Protection Center, said that
Microsoft Security Essentials was just a “baseline” that’s designed to “always
be on the bottom” of antivirus tests. She said Microsoft sees MSE as a first
layer of protection and advises Windows users to use a third-party antivirus
instead."

~~~
orng
Huh... That is really not the vibe I get from their website[0].

> "There are a host of nasty intruders on the Internet including viruses,
> trojans, worms and spyware. Microsoft Security Essentials offers award-winning
> protection against these intruders without getting in your way."

To me that reads like MSE is really good at protecting your computer. Why
should I as a consumer think that I need something else? They really need to
message that better if that is indeed the case.

[0]: http://windows.microsoft.com/en-us/windows/security-essentials-product-information#tabs1=overview

~~~
shitlord
That website was probably written by professional marketers. Large companies
usually don't let their engineers advertise to consumers (and that's effectively
what MS is doing here).