
The anti-virus age is over - ColinWright
http://codeinsecurity.wordpress.com/2012/06/13/the-anti-virus-age-is-over/
======
tedivm
I work for Malwarebytes, although what I'm about to say is my own opinion. I
have a few thoughts on this post-

* When people mention signature based detection as a reason why antivirus or malware is dying I always get a bit confused. It's like saying that the transportation industry is going to die because horses are an inefficient way to transport goods. This is something everyone knows already, followed by a conclusion that to me skips the obvious answer everyone else has come to- use different types of detection.

* The rise in APTs is interesting, and it's talked about quite a bit. However, the rise in a new type of threat doesn't mean the decline of the old. The targeted threats need to be protected against, and security software needs to evolve to do that, but that does not mean the millions of home computers out there aren't a pretty target too.

* HTML5 is really interesting. The example there would be somewhat limited- without an exploit it can't escape its little sandbox, meaning it would be great for things like DDoS but not for stealing private information.

* Focusing on what's going on in memory is not the only way to do this. The network traffic tells all sorts of fun information, and it's possible to hook into programs like the browsers themselves to look for suspicious activity.

* Comparing programming salaries is a joke at best. While it's certainly not easy to find and hire great antimalware people, it's not easy hiring great developers either. Malware authors simply do not use bottom of the barrel labor- building malware is just as skillful as detecting it as you need to know how to detect it to evade detection.

This field of technology is just like any other, in that it's constantly
evolving. Old methods will get replaced by new, which will get replaced again
soon after.

~~~
wglb
What do you think of Mikko's statement _Flame was a failure for the antivirus
industry. We really should have been able to do better. But we didn’t. We were
out of our league, in our own game._?

~~~
sillysaurus
It might not have been possible for an antivirus to detect Flame, because the
people behind Flame likely tested it against all antivirus software before
deploying it. They were very, very careful. It's how they escaped detection
for so many years.

~~~
iuguy
Most malware writers test their malware components against AV software before
deploying or selling it.

~~~
merlincorey
There are even websites dedicated to testing against multiple engines at once
for you, automatically.

Of course, those are collection sites as well...

------
tptacek
Nobody wants AV to die faster than I do, but these complaints could just as
easily have been written in 1995 as in 2013. Polymorphic malware, for
instance, is older than many HN readers.

The forces that keep AV chugging along have more to do with how the market for
AV software works than with anything fundamental about how effective AV is.

------
Piskvorrr
The anti-virus _never_ was anything but a high-pass filter (any illusion to
the contrary is propagated by AV stakeholders): who needs to exploit machine-
executable code when you can get the users to do it for you? Just promise them
dancing hamsters, and voila.

There is no silver bullet, especially not when people are involved.

~~~
sliverstorm
Well, they've certainly been trying to make it more than an HPF. Which is
understandable- I bet there are big bucks to be made if one of the vendors
starts reliably blocking even sophisticated exploits.

~~~
Piskvorrr
Certainly so; the effort put into making an actual smart AV is admirable.
Alas, it doesn't seem likely to succeed.

~~~
thirsteh
Anti-virus protection is a mediocre "solution", or a "decent component in a
larger security system" at best. It's marketed as being a silver bullet; "all
you need to stay 100% safe." Understandable--it makes it a much easier sell to
people who aren't tech-savvy. It also makes it completely understandable that
the AV industry is almost universally reviled among people who are.

------
shirro
The anti-virus industry has always been a bit of a con. It is probably hard
for people who habitually use Windows to understand since their AV software
has probably saved them a lot of times but it is actually a really hit and
miss way to filter things and it gives a false sense of security with a big
performance hit. In the Windows world it has been necessary but not sufficient
for a very long time and people get confused about what you mean when you say
this and push back. Proper security practices involve minimising your
installed software, only installing from trusted sources, using signed
software where supported or checksumming it otherwise, running apps in
sandboxes, isolating machines you need to protect, monitoring your systems
behaviour and a lot more.

~~~
WayneDB
I've been running Windows without AV for over 10 years, so it's not even
really necessary if you know what you're doing.

The only anti-virus measure that I take is to upload unknown executables to
[http://www.virustotal.com/](http://www.virustotal.com/)

~~~
thirsteh
As far as you know. Even the dumb malware writers don't write stuff that pops
up floating skulls and "OwNEd by CyBeRKiLLeR" messages anymore. It's all about
staying on the machine, and staying silent.

I hate this "I've been running without AV for ages, and I never saw any
viruses" argument. Of course you didn't. Making you aware hasn't been the
motive for a long, long time.

It's virtually impossible to run a Windows (or Linux, or Mac) installation
with the usual suspects--Java, Flash, Adobe Reader, etc.--without being
exposed to good old, non-targeted malware. Take into account that most of it
is distributed from "good" sites, and "if I don't see it, it must mean there's
nothing there" and "I never go to any risky sites" prove pretty silly.

I'm not saying that AV is the best solution, or even a good one--indeed it can
even be what contains the vulnerabilities used to take over a machine--but
there is a reason it exists. Let's not pretend that AV solves all one's
problems, but let's also not pretend that it's completely ineffective. It's
only ineffective if there really is no other (probable) way for things it
detects to get through--which there is on most desktop operating systems
unless you (manually) go to great lengths to isolate the different things you
do. There are ways to make AV moot, but it rarely comes built-in or without
user overhead/experience requirements. (Ironically, in Windows 8 _anti-virus_
comes built-in.)

~~~
diminoten
> It's virtually impossible to run a Windows (or Linux, or Mac) installation
> with the usual suspects--Java, Flash, Adobe Reader, etc.--without being
> exposed to good old, non-targeted malware. Take into account that most of it
> is distributed from "good" sites, and "if I don't see it, it must mean
> there's nothing there" and "I never go to any risky sites" prove pretty
> silly.

Do you have more information about this? I wasn't aware that malware was just
"floating" out in the ether. I have been staunchly in the camp of, "If you
know what you're doing you can remain safe." but you seem convinced otherwise.
Why?

~~~
thirsteh
[https://www.google.com/transparencyreport/safebrowsing/malwa...](https://www.google.com/transparencyreport/safebrowsing/malware/#region=ALL&period=90&size=LARGE&compromised&attack&asn=57010&page=1)

See "Compromised sites" at the bottom.

In my experience, compromised sites and insecure ad networks are by far the
most common means of distributing malware through legitimate sites.

Even if you know what you are doing, you are very likely to come across sites
running e.g. Wordpress, Drupal, etc. with shitty addons, e.g. timthumb, that
have been compromised and are serving exploits through hidden iframes,
redirecting you to bad pages, etc.

~~~
diminoten
What percentage of those exploits are 0day? Part of "knowing what you're
doing" involves keeping your software up to date, after all. Commodity malware
isn't a large threat if it can't run.

Very cool link though, thanks.

~~~
thirsteh
I don't know (presumably few to none if Google is detecting them), but yes, I
agree. You can be exposed but not be vulnerable.

------
seldo
Headline: "the anti-virus age is over"

Final line of article: "Now don’t get me wrong, AV still has its place in the
security world ... However, it’s no longer much more than a filter for the
most basic attacks."

So... not really over at all. In fact, escalated.

~~~
gsuberland
The anti-virus age was the era when AV companies battled it out to innovate
and keep ahead of the competition. That era is, in my opinion, over.

------
wmt
Is the age of seatbelts also over? People die in car accidents by the
thousands despite using seatbelts, so they must be useless.

The article almost could've been written in the nineties before the commercial
malware arrived, but when polymorphic malware became the standard.

The age of AV is unfortunately anything but over as long as people wish to run
software they want to, e.g. unlike the iOS. AV is a good filter for most of
the malware that you might accidentally bump into, but that's it. You're silly
if you don't have one, and you're silly if you think that you're totally safe
with it.

~~~
benhoyt
I'm silly, then. :-) I'm on Windows 7 (and XP before that), I've never used
anti-virus software, but I'm careful about what I download and run. Many of my
friends, who do use anti-virus software, are constantly complaining of malware
and the like. I realize this is just an anecdote and I could be caught out one
day, but my approach is "don't install junk".

~~~
kenjackson
Good approach, but how do you know you're not infected?

~~~
munin
If you run antivirus software, how do you know you're not infected? Many
malwares now will partially paralyze your antivirus so that it seems all is
well, but your computer is operated by someone else. TDSS would do this as
long ago as 2008...

------
xSwag
It's funny how you mention polymorphism in malware. Just recently I came
across a modified version of a stock exploit kit which was serving Zeus with
each signature being unique. I didn't look into it too much but it seems like
there were several thousand precompiled versions of the executable on the
server and each unique copy was only being loaded for a few hosts to evade
anti-virus detection.

There is even open source software that helps evade Antiviruses. If anybody's
interested in further reading, I would definitely recommend:

[1][https://www.veil-evasion.com/tutorial-veil-payload-developme...](https://www.veil-evasion.com/tutorial-veil-payload-development/)

[2][http://blog.webroot.com/2013/02/22/diy-malware-cryptor-as-a-...](http://blog.webroot.com/2013/02/22/diy-malware-cryptor-as-a-web-service-spotted-in-the-wild/)

[3][https://www.christophertruncer.com/veil-a-payload-generator-...](https://www.christophertruncer.com/veil-a-payload-generator-to-bypass-antivirus/)

[4][https://www.net-security.org/secworld.php?id=15173](https://www.net-security.org/secworld.php?id=15173)

------
joss82
Why can't security specialists also come from India?

~~~
phaus
A high percentage of security jobs in the U.S. are government positions. If
you can't get a clearance, you can't get a job. It is far more difficult for a
foreign national (especially from a place like India) to get a security
clearance of any sort, let alone the Top Secret clearance that most security
roles would demand.

That's not to say that it's impossible though.

Also, unless I'm mistaken, securitytube.net is owned by Indians. It's a great
site and the instructors for their courses are indeed experts.

~~~
null_ptr
So are all computing security jobs tied to the U.S.? I can think of Avast in
the Czech Republic and Kaspersky Lab in Russia off the top of my head, there's
probably a lot more out there.

~~~
cliveowen
Obviously not all of them, but these companies you mention have no real
interest in dealing with this kind of advanced malware. What they do is build
a software product aimed at home/small business consumers. AV products can't
do anything to prevent sophisticated malware from being injected into the
system through 0-day vulnerabilities. As I understand it the only interest in
analyzing this kind of malware is merely for research purposes, maybe trying
to find a way to detect similar patterns from various infections so as to try
and develop some product for governmental organizations and high-stakes
businesses.

------
_greim_
It's unsurprising that the kinds of threats that are most common nowadays are
the ones that get around automated security, which is essentially what AV
software is. That doesn't mean that automated security has no future. It just
means that, barring some sort of strong AI, automated security needs to go
hand-in-hand with manual security efforts.

------
coolnow
Recently I reinstalled Windows 7 on my gaming PC. It was only a week or 2 into
my usage when I realised I forgot to install antivirus software. I don't even
think I need it anymore.

I use Sandboxie for any potentially dodgy programs. I use Adblock (Chrome) so
the chances of being infected by a rogue ad provider are reduced. I keep tabs
on my incoming and outgoing network traffic using SMSniff (for curiosity) and
I use Malwarebytes for the occasional scan to see if anything slipped by. I
used to hear people facetiously saying "Common Sense" was the best antivirus,
but I think they were right. As long as you stay away from dodgy files and
sites (such as cracks and keygens from P2P groups) and sandbox any programs
you don't trust much, you should be fine.

~~~
georgemcbay
I highly recommend installing Microsoft Security Essentials (which was rolled
into Windows Defender as a built-in component in Windows 8, but IIRC for
Windows 7 is something you have to download).

It gives you basically the same amount of protection as commercial AV tools
but is drastically smarter about resource usage and not getting in your way
all the time. Unlike other AV tools that are constantly trying to upsell you
(and thus have to appear to be 'doing something'), the only point of
MSE/Windows Defender is to make Windows suck less.

~~~
ubercow13
What makes you think it is drastically smarter about resource usage? I've
noticed it slows down a lot of things considerably. It also has a history of
causing DPC latency problems on some hardware/drivers. I wouldn't say it is
miles worse than anything else but not noticeably better than the other good
ones.

------
bittired
Is anyone aware of any documented reports of well-known "reputable"
antivirus/antimalware companies being involved in the development or spread of
viruses, etc.? I've heard in the past reports (that make sense) about these
companies making business for themselves by ensuring a threat exists to fight,
but it is tough to believe that this could happen without it eventually coming
to light.

Could John McAfee have known about this or even have been involved, and this
is one of the reasons for some of his strange behavior (related guilt,
involvement with criminals and criminal organizations)? Or is there no basis
to any of that?

------
newmana
This has been an argument since viruses became well known; they've been Turing
complete since the beginning:

"Much like an infection, a well-intended but badly designed program to stop
viruses can run amok, knocking out thousands of computers or destroying vast
amounts of data. Indeed, one program intended to defeat a known virus has
destroyed data on personal computers used by businesses and the Government in
the United States."

[http://www.nytimes.com/1989/10/07/business/computer-virus-cu...](http://www.nytimes.com/1989/10/07/business/computer-virus-cure-may-be-worse-than-disease.html)

------
purephase
Now if we could only tackle the certificate authorities...

~~~
ChuckMcM
This is a salient point but somewhat moot. Consider that as nation states deem
they want to break into your computer then you are as likely to be able to
prevent that as you would if they chose to occupy your home by force. Not many
people can fend off a military attack on their residence.

But this does make clear that the future of secure computing will come from
the crooks, not from software companies. They are after all just as likely to
be penetrated as the next guy and so they will endeavor to build systems that
can resist the sorts of threats that they themselves exploit against others.

~~~
ihsw
A physical presence is far more difficult to conceal than a digital one, and
furthermore the concealment of digital presences can be re-used across vast
swaths of the world whereas physical presences require a great deal of
manpower to duplicate. This is a key distinction that makes comparing physical
security and digital security into a specious and pointless comparison.

Also, the realm of digital security is quite different in that vast swaths of
the world have effectively _no_ digital security.

------
joeblau
I think it's interesting how this event coincides with the majority of
consumer computer systems now running *nix based operating systems.

------
FollowSteph3
I always wondered why there aren't more botnets just using JavaScript with
browsers. Many people leave tabs open forever.

~~~
krapp
Maybe, even with that, they wouldn't be persistent enough or would be too
easily traceable to a source, or blockable? Or maybe js doesn't allow the
level of access that flash or java might, so the ROI isn't worth it.

Although the case might be different for browser plugins (I don't know), it
might be more effective to poison one of those than, say, run something
directly in a browser.

------
trotsky
The anti-virus age may be over, but if the supporting evidence is that host
based signature products don't provide an effective defense against a variety
of common security threats then the anti-virus age was over a long, long time
ago. Like back to when things propagated for months or years autonomously
without any modifications to the main component - the stuff that actually
matched the term "virus" that we now use as a synonym for malware.

The last time that such items were anything but an unusual novelty was
something like 2003. The last time they were the most substantial threat was
sometime in the 1990's. And while it typically wasn't viral, a variety of
naive threats produced by amateurs continued to be a good portion of the
threat landscape until around the middle of the last decade.

That isn't to say database driven signature systems never stop any attacks.
They just provide such a small amount of defense and so consistently unable to
identify well publicized threats months after their public use in the wild
that there is little to any statistical difference in compromise between a
well configured and patched system with an av engine and the same system
without an av engine.

But while their product is ineffective, they are far from alone in the
security industry. IDS systems are wildly ineffective in any configuration
that isn't custom tuned for defending an extremely limited network that
exclusively transports a few specific protocols in very predictable ways -
mostly backend networks in datacenters. Typical edge firewalls defend against
a threat that primarily exists because they enable it - clients are so
vulnerable on local networks that they can't survive that way on open
networks. But without them we'd have just reduced the attack surface like
we've done with public
facing servers. As nearly every compromise includes a service that's
intentionally exposed or intentionally allowed through the edge, they at best
are a limited crutch to avoid having to ensure each computer is as minimally
exposed to start with. If your firewall allows you to be an extra soft target
once an attacker has established a foothold inside it's arguable that you'd
have been better off totally exposed so that you limit the number of
additional systems that exist in radically insecure postures.

The only automated system that comes to mind that I've seen provide any real
amount of value are the expensive and exclusive block list subscriptions that
contain databases of actively operating C&C servers and similar active apt
sources. But these would become worthless if any of them ever enjoyed
widespread adoption, as they'd simply stop being lazy and using the same
servers all the time.

ASLR, DEP and even managed code to a certain extent all are similarly
ineffective in that while making exploits more complicated they've had no
impact on the rate of compromise.

The simple fact is that offensive security has won for the foreseeable future
and defensive security has lost entirely, with no real hope of change without
dramatic practice shifts.

For client security the only things that have provided clear and practical
benefits have been a) reducing the attack surface by mass removal of services
and features and b) building the system with the expectation of regular
compromise, and including an easy and reliable way to wipe and restore. Oh and
forced automatic patching.

The ChromeOS team gets it. The Windows RT team gets it. iOS gets it. Anyone
producing a client OS that is feature rich, highly configurable and strives for
easy out of the box use should be considered systemically insecure at this
point. Any motivated attacker will succeed against it 99%+ of the time.

But since there are really no other options for so many people and tasks, it's
very uncomfortable to explain to someone that they are able to do little to
nothing about it that won't involve draconian systems users would refuse to
use, and that compromise is at some point essentially inevitable.

So you tell them to run anti-virus. It's like children hiding under their
desks in the event of nuclear war. It helps avoid some amount of existential
crisis.

That's why the anti-virus age won't be over for a long, long time. Because if
you don't have a replacement that's actually good, and no one even has a clue
what that would look like, you still need to tell people to use their AV. Just
like you need to tell people there is heaven.

------
rorrr2
> _an average software developer in India gets about 320,000 INR per year,
> which equates to roughly 5700 USD. Compare that to the price of a malware
> analyst or systems security analyst, which is 60,000 USD before insurance,
> pension and other benefit costs are tacked on. That means that for every
> analyst that an AV company hires, the bad guys can hire 10 developers._

I doubt an average developer from India is capable of writing a polymorphic
virus. Or not from India.

Most developers I know only know a few technologies and stay within that
bubble, and rarely do any side projects, or code for fun.

------
corresation
The bit about Indian developers is simply bizarre. Firstly, Indian developers
are more expensive than they've ever been, so that notion made more sense a
decade ago. Secondly, has anyone ever heard of outsourced shops developing
exploits using low-paid talent? I don't recall that ever being the case, and
instead it's a small number of very skilled but unfortunately motivated
developers.

Those inexpensive offshore developers can barely sling some Visual Basic
together. They aren't developing clever NX circumvention exploits.

~~~
gsuberland
Hi there, I'm the author of this article.

I wrote this about a year ago, when the average salary of an Indian developer
was significantly less, and there was a huge market in low-quality low-cost
development houses out there. These days you can replace "India" with Sri
Lanka, China, or any of the other countries with a significant poor minority
and an up-and-coming tech market.

My primary point was that there are people with a price-point way below that
of your average US or UK worker, so the cost of production is much lower.

