
Netflix Is Dumping Anti-Virus, Presages Death of an Industry - karlheinz_py
http://www.forbes.com/sites/thomasbrewster/2015/08/26/netflix-and-death-of-anti-virus/?ss=Security
======
thaumaturgy
I guess we're going to debate the merits of statements in a thinly-veiled bit
of PR now? There's almost no news about this company until about a month ago
([http://www.networkworld.com/article/2955017/security/endpoin...](http://www.networkworld.com/article/2955017/security/endpoint-security-firm-sentinelone-challenges-traditional-anti-virus-software.html)).

They recently hired a new PR company
([http://www.mgpr.info/](http://www.mgpr.info/)) who's been spamming articles
to Reuters on SentinelOne's behalf
([https://www.google.com/?gws_rd=ssl#q=site:reuters.com+sentin...](https://www.google.com/?gws_rd=ssl#q=site:reuters.com+sentinelone)),
and then reaching out to hacks to write submarine articles
([http://paulgraham.com/submarine.html](http://paulgraham.com/submarine.html))
about the death of anti-virus -- which just happens to be the marketing lede
of SentinelOne's endpoint protection product.

Then they landed a big contract with Netflix and got a sucker at Forbes to
write some PR like it was news, and now it's been picked up by HN and being
discussed as though it had some substance.

~~~
TFoxBrewster
Just wanted to chime in to clarify that I contacted Netflix directly without
having ever spoken to SentinelOne. When I contacted SentinelOne after the
interview they said they couldn't even go on the record about the Netflix
contract. Much love, Sucker at Forbes.

~~~
thaumaturgy
Can you say what prompted you to contact Netflix then? The article really
reads like a love letter to SentinelOne, and includes some pretty odd bits
that work well with their marketing for their endpoint product, like
describing it as not an anti-virus product.

And what does "post-AV anti-malware" mean?

~~~
TFoxBrewster
Sure. So it turns out Netflix is this really big company, and I met one of
their security architects at Black Hat. I thought, hey, I wonder if they're up
to anything interesting at Netflix. I'll give them a call.

A love letter? You send love letters like this to people? Are you like a post-
modern Keats?

~~~
thaumaturgy
OK, so then you talked to someone at Netflix, and they said, what, "umm...
well, we just replaced our anti-virus product with this other thing called
SentinelOne that isn't really an anti-virus product", and then you looked at
their site and called them and decided they totally weren't an anti-virus
product? And that the real story here was that this was the death knell for
anti-virus, or the beginning of "post-AV anti-malware", or something?

Clearly you have technical chops. But the most technical part of your article,
concerning whatever technology somehow separates this product from the rest of
the industry (let alone makes it "not anti-virus"), is this single line:

"Its end-point security doesn’t rely on signatures, it monitors every process
on a device to check for irregularities and does not perform on-system scans
or require massive updates like anti-virus..."

If SentinelOne is doing something truly new, something that merits coverage
from tech journalists, it would be nice to read about it.

And btw, you said earlier, "When I contacted SentinelOne after the interview
they said they couldn't even go on the record about the Netflix contract",
which is an odd thing for them to have told you, since they have a Netflix
logo and an official statement from them under the testimonials section of
[http://www.sentinelone.com/?show_epp=true](http://www.sentinelone.com/?show_epp=true)
-- wait a minute, in fact the quote from your article is a word-for-word
match for the testimonial on SentinelOne's site: "The direction we decided to
go was with a company called SentinelOne, who we’ve been working with for year
and a half. They were a true replacement for end-point protection".

Your contact at Netflix must've been reading from Rob Fry's script...

~~~
TFoxBrewster
See above.

------
jasode
A more nuanced title would be: " _To continue its fight against new viruses,
Netflix is dumping classical disk-scanning-fingerprints software for newer
technologies such as statistical analysis of anomalies._ "

Netflix and whoever they hire (e.g. SentinelOne) is _still fighting viruses_.
They're just doing it using more sophisticated algorithms instead of
fingerprints. Traditional anti-virus software trying to match file signatures
is not effective against 0-day attacks.

What's newsworthy is that a vendor was able to convince important people (e.g.
AV-TEST Institute) that algorithms scanning for anomalies is equivalent to, or
stronger than, traditional disk-scanning. However, it doesn't look like
they've convinced the credit-card industry yet. They're the ones who determine
PCI DSS compliance. However, PCI DSS may not apply to Netflix.

Interpreting the story as an _ongoing progression_ of anti-virus technology,
it means the industry won't "die" at all. They're just retooling themselves
with more algorithmic approaches. Maybe Symantec will add algorithms and also
be included in the changing industry of fighting viruses.

~~~
dogma1138
PCI-DSS applies to Netflix very much, they probably still will have
traditional AV in their CHD environment and any other system in scope of the
certification (e.g. the desktops the sysadmins use to administer servers
within the CHD environment).

Also the PCI council doesn't define which AV is compliant or not, only states
that you need anti-virus protection on all systems commonly affected by
malicious software.

It's up to the QSA and acquirer (if that one gets really bored) to accept the
solution, neither of which really care. You can use Windows Defender, Clam or
the most super duper expensive AV out there; it's all the same for them.

The requirement is also worded very carefully, "on all systems commonly
affected by malicious software", so people could make a case against installing
AV on things that AV solutions are not common for, such as Macs, Linux boxes,
and even mainframes (yes, there are mainframes in certain PCI-DSS scopes
because the QSA wasn't smart enough to find a loophole to keep it out of
scope or the customer is dumb enough to actually process or store credit cards
on it).

------
douche
Anti-virus software is a scourge that I'd be happy to see disappear. For the
most part, its business model is to prey on the ignorant - I can't even count
how many times I've been asked why a computer is running slowly, only to
discover that there are three or more competing anti-virus products running,
every one of them hooked into every single file read or write. Just yesterday
I had to turn off Windows Defender real-time scanning, because it had gone out
to lunch and leaked memory to the tune of 2.1 GB. Hot garbage.

It seems like the popular thing lately is to bitch and moan and question the
morality of using ad-blockers, but using an ad-blocker is the single most
important thing you can do to improve security on your machine for the average
user. Blocking Flash, or, should you happen to still encounter it, Java, from
autoplaying comes in second. Blacklisting SourceForge in your hosts file might
be up there, if they are still bundling crapware with the few legitimate
downloads that haven't moved elsewhere.

~~~
notfoss
> Blacklisting SourceForge in your hosts file might be up there, if they are
> still bundling crapware with the few legitimate downloads that haven't moved
> elsewhere.

uBlock Origin has a "Badware risks" filter list with SourceForge in it.

------
bigtunacan
<TL;DR> SentinelOne, creators of anti-virus software no one has heard of,
don't use the term "anti-virus" for their anti-virus software. Somehow that
landed a sucker at Forbes to write a shoddy PR article about the death of
anti-virus software. End game: if their PR stunt is wildly successful then no
one will need to buy SentinelOne's software either...

Wat?!!

~~~
profinger
Pretty well summarized!

------
GordonS
I definitely agree that we need more than anti-virus these days - but I still
think anti-virus has a part to play in a multi-layered approach to security.

But in any case the content of the article is rather less sensational than the
headline. It seems like Netflix is 'dumping' anti-virus for... well, another
anti-virus tool! It's just that SentinelOne is not signature based, and relies
on dynamically detecting dubious activities by processes (which some existing
anti-virus tools already do, if to a lesser degree).

~~~
sqldba
I'd like to know more about what it's doing and how it works. I can imagine a
couple scenarios:

1) It might have a "baseline" time during which it allows and records
everything, and then locks down anything outside of that (like the old
ZoneAlarm did for firewalls).

2) Or it might only lock down certain APIs? File and registry and network
access? Not sure where you'd stop with that. What about when it emails
everyone in Outlook?

Unless I'm completely off base.
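The first scenario above (record everything during a learning window, then flag anything outside it) can be sketched as a small process-start monitor. This is an added illustration for the thread, not SentinelOne's code or anything the vendor has published; the events, image names and the 60-second learning window are constructed sample data:

```python
"""Toy "baseline then lock down" process monitor (added illustration).

During a learning window every (parent image, child image) pair seen is
recorded as the baseline. After lock-down, a process start whose pair was
never observed during learning is flagged. The events below are constructed
sample telemetry, not real data.
"""
from collections import Counter

# Constructed sample events: (timestamp_seconds, parent_image, child_image)
EVENTS = [
    (0,  "explorer.exe", "outlook.exe"),
    (5,  "explorer.exe", "winword.exe"),
    (10, "services.exe", "svchost.exe"),
    (20, "explorer.exe", "chrome.exe"),
    (30, "winword.exe",  "splwow64.exe"),
    # --- lock-down after t=60 (assumed learning window) ---
    (70, "explorer.exe", "chrome.exe"),      # pair seen in baseline: allowed
    (80, "winword.exe",  "powershell.exe"),  # never seen in baseline: flagged
    (90, "outlook.exe",  "cmd.exe"),         # never seen in baseline: flagged
    (95, "services.exe", "svchost.exe"),     # pair seen in baseline: allowed
]


class BaselineMonitor:
    def __init__(self, learn_until):
        self.learn_until = learn_until
        self.baseline = Counter()  # (parent, child) -> times seen while learning
        self.alerts = []

    def observe(self, ts, parent, child):
        key = (parent, child)
        if ts <= self.learn_until:
            self.baseline[key] += 1     # learning: allow and record everything
            return None
        if key in self.baseline:
            return None                 # known pair: allowed without inspection
        # Note the blind spot from the comment's second scenario: an allowed
        # pair (e.g. explorer.exe -> outlook.exe) is never re-examined, so what
        # that process then does (mass-mailing, say) is invisible to this check.
        alert = {"ts": ts, "parent": parent, "child": child,
                 "reason": "parent/child pair not in baseline"}
        self.alerts.append(alert)
        return alert


def run(events, learn_until=60):
    """Replay events through a monitor and return it for inspection."""
    mon = BaselineMonitor(learn_until)
    for ts, parent, child in events:
        mon.observe(ts, parent, child)
    return mon


if __name__ == "__main__":
    for alert in run(EVENTS).alerts:
        print(alert)
```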

------
upofadown
So who cares what Netflix does for anti-virus? Their business is about running
servers with almost read only data that can't normally propagate a virus
infection.

~~~
ams6110
This is about what they're using on staff desktops, not their video-delivery
systems.

~~~
upofadown
Right, so this would have been just as relevant if it was about a local trucking
company.

They are dropping the wrong name if they actually want to promote the product.

------
pstadler
Photo caption says: "Netflix is quitting anti-virus. Will its millions of
users benefit?"

Wat?

~~~
OJFord
Ha! That is totally nonsensical.

I didn't agree at first, but this smells more and more like PR - there seems
to be very little understanding of the news in the article.

What is "the post-AV anti-malware game", and why on Earth would Netflix's end-
users benefit from the company's staff computers entering said game?!

------
bitJericho
Tldr: Netflix is dumping old antivirus for new antivirus

------
nso95
This article is terrible...

~~~
makeitsuckless
OTOH, excellent work by SentinelOne's marketing department.

Probably cost them no more than a decent lunch while they dictated it to the
hack whose name is in the byline.

------
zamalek
In general anti-virus is more useful for less educated users. For example, I'd
never escalate (sudo, UAC, etc.) a process that I wouldn't expect to need the
escalation. This severely limits the control a virus can take (stopping most
in their tracks). The only people who really _need_ AV are the type of idiots
who run as root, or turn off UAC.

The real concern is advanced worms. Most of these would likely infect a
machine regardless of the presence of an AV, either because they are zero-day
or because a machine does not have security patches installed. AVs, typically,
would struggle to catch an e.g. malicious BIOS flash resulting from an
escalation vulnerability.

In the face of security patching, AVs are _largely_ obsolete, irrespective of
their detection rates: not 'completely' because human error does exist (which
is why I still run one).

~~~
tormeh
Many, many security patches are way late. AV software is nice when a vendor
can't be bothered to update their software.

~~~
zamalek
> Many, many security patches are way late.

My main point was: a virus that uses a 0-day (or unpatched/unfixed 0-day) is
likely going to cause problems for an AV:

> AVs, typically, would struggle to catch an e.g. malicious BIOS flash
> resulting from an escalation vulnerability.

Over-exaggerating to clarify: AVs are like bringing a knife to a gunfight. You
might just be actually able to eliminate the weaker opponents (who also
brought knives), but you're going nowhere against the veterans.

~~~
dogma1138
It takes about 5min to refactor the code of existing malware to avoid
detection, heck playing around with compiler settings is enough in many cases.

I've recompiled Netcat probably 200 times by now, small refactoring playing
with compiler flags (compile with x64 profile, debug on, add some symbols
etc..) and every time it avoids every AV out there.

I usually use VirusTotal, which means that it will be short lived, but I can do
it over and over and over again ;)

~~~
brobinson
There's actually tools to automatically do what you're talking about for
malware:
[http://www.rapid7.com/db/modules/encoder/x86/shikata_ga_nai](http://www.rapid7.com/db/modules/encoder/x86/shikata_ga_nai)

(Japanese for "it can't be helped")

~~~
dogma1138
Encoders and compactors are not good, actually; they usually leave too many
patterns that are easy to detect.

They might work on some binaries in some cases, but if you want to avoid evasion
refactor the malware yourself.

Encoders and compactors are intended to modify existing binaries only :)

~~~
brobinson
That's what I'm seeing people doing (modify existing binaries):
[https://www.google.com/#q=shikata+ga+nai+antivirus](https://www.google.com/#q=shikata+ga+nai+antivirus)

Seems like it's pretty effective for bypassing AV according to how everyone is
using it.

~~~
dogma1138
Well if you actually read the search results you'll see :)

1st result 2012: "If you want to avoid detection, a 60% success rate is not
good enough. _Remember, our implant was caught by 40% of the products, not 40%
of the targets. Assuming the better anti-virus products have a larger market
share, our 40% product failure rate could look more like an 80 or 90%
detection rate on target machines_. - See more at:
[http://www.digitalthreat.net/2012/02/anti-virus-evasion-choo...](http://www.digitalthreat.net/2012/02/anti-virus-evasion-choosing-a-payload/#sthash.htXfsyBb.dpuf)"

4th result 2014: "There are a couple of built in encoders in Metasploit
(shikata ga nai is the most popular one), but these signatures have been
updated in many Antivirus solutions, resulting in detection."

Every decent AV out there today has signatures of packers and encoders; they
are very easy to find since the artifacts of things like PE headers and binary
caves of the encoded binaries will be identical every time you use them.

Most people who claim it works are simply rehashing the same old Metasploit
guides that are not really relevant in the real world; anything that is widely
used will be signatured in a second by every AV company.

Yes if you encode it and upload it to VirusTotal even today you might get 50%
or more evasion but those 50% of products will have maybe 5% of the market,
and pretty much zero enterprise users.

~~~
brobinson
Thanks for the detailed reply!

------
probably_wrong
So, Netflix is ditching anti-virus in favor of a software that was certified
as doing what any other anti-virus can do.

How is that "ditching anti-virus", then? Wouldn't a better title be "Netflix
is switching anti-virus providers"?

------
bikeshack
I like tools that rather than scan for signatures (which can be polymorphic in
nature and bypass AV), they can look for out-of-place behaviour on the OS. The
Sysinternals Suite is great for malware hunting:
[https://technet.microsoft.com/en-us/sysinternals/bb842062](https://technet.microsoft.com/en-us/sysinternals/bb842062)

And things like Reason Core are brilliant for nuking any rootkits that somehow
get on to a system:
[https://www.reasoncoresecurity.com/](https://www.reasoncoresecurity.com/)

Malware has grown up and is now residing in hardware and can survive entire OS
re-installs. I feel sorry for Windows users these days because malware has
grown up and it is not as obvious you have malware. In the past there were
obvious signs you were infected and the malware made itself known (sort of
stupid when you're an attacker really).

Also some of the 'second opinion' tools are interesting too:

[http://www.surfright.nl/en/hitmanpro](http://www.surfright.nl/en/hitmanpro)

------
d_theorist
One of the most moronic articles I have read this week.

~~~
UnoriginalGuy
Further still, I'd describe it as an advert more than an article. Seems to
lack substance and has a clickbait title, and the only purpose of the article
is to sell you SentinelOne.

The dumbest part is that the title isn't even right, Netflix still absolutely
do anti-virus/anti-malware, they've just given up on ineffective signature
scanning, and are moving to a dynamic scanning engine.

I actually think signature based AV sucks and would be happy to see the
industry move away from it, but cannot condone such dumb submarine articles as
this.

------
stabilo
Interestingly, no matter what the user-agent string, I am not able to view
this without JavaScript.

Precluding cautious web users from reading is somewhat ironic given that this
article is about web security, if indeed that is what this is about. It's
probably not intentional, just oversight on Forbes' part.

------
scrumper
Hijacking this: how does the ordinary solo user go about finding malware if AV
is so bad at it? As a Mac user, I know there are rootkits and other nasties
out there but I have no idea how to go about detection.

------
kriro
I wonder how the equivalence is shown for the certification. Do they use
something similar to bioequivalence tests (TOST etc.) over the mean number of
infections/issues detected?

------
benbristow
Wait until an employee gets some malware and some data gets leaked or lost.
Then they'll be running back.

~~~
blkhawk
If you read the linked article you will notice that they don't dump AV;
they just switched to an "AV" product that does away with the signature
database completely and replaces it with heuristics. It also sounds like
there is some whitelisting of processes involved as well. This is something
AV products have been doing for quite some time now.

~~~
OJFord
but...but.. this one is _post_-AV! It must be better!

------
nbevans
The real question is why Netflix needs anti-virus at all. Whether it be the
old signature style or the new (as of about 2002) heuristic analysis style.
Presumably they're turning off UAC, giving out admin privs to everyone,
disabling automatic updates, and hiring delinquents that run every .exe email
attachment?

~~~
UnoriginalGuy
The trend in malware right now is not to even target administrator/root, and
instead to steal information/blackmail/send spam+DDoS from the user's context.

