
The Antivirus Era Is Over - olalonde
http://www.technologyreview.com/news/428166/the-antivirus-era-is-over/
======
rickmb
I've been using computers since the 80's. I haven't used anti-virus software
since the 90's. And yes, I have been using Windows until somewhere in the
00's, including Windows 95, which is about as vulnerable as it gets.

When I was using antivirus software, it never set off any alarms once. I still
occasionally install and run antivirus software, it doesn't find anything, so
I remove it again. I've sat in the middle of major virus outbreaks inside
companies and not been affected.

I have no idea how people manage to get infected. Every time I read about some
malware scare, I look at how it spreads and think to myself "but... why would
you do _that_?".

In the 80s we had boot sector viruses that would bite you as soon as you
inserted a disk, and disks were the only way of exchanging data. You couldn't
protect against those without antivirus.

But today most malware seems self-inflicted, and only spreads through naivety,
ignorance and laziness.

Sure, I could still get infected tomorrow. After 25 years of computing it's
bound to happen to me at some point. But it will most likely be because I did
something I shouldn't have, not because I don't have adequate anti-malware
protection.

~~~
ansible
Well, you've either been very good or very lucky.

 _But today most malware seems self-inflicted, and only spreads through
naivety, ignorance and laziness._

I assert that stereotypical "stupid users" were indeed the cause of most virus
spreading in the 1980's and 1990's. There is still a fair amount of "stupid
user" stuff happening these days, such as clicking on a link in an email to
log into your bank account. (1)

However, these days, I'm also worried about exploits against browsers. If you
have your system infected just by visiting a webpage, I don't consider that
the user's fault.

Every year that goes by, the browser gets more complex (like recent support
for 3-D rendering), and the attack surface increases. I'm glad that most
browsers are fairly secure, but they're not perfect now, nor are they likely
to be in the near future.

(1) It continues to annoy me that two of my banks will send out legitimate
emails (new bill, etc.) that have clickable links in them. If the banks would
stop putting links in their emails, and try to educate their users to not
click on links in emails, that would reduce the problem.

~~~
e40
_It continues to annoy me that two of my banks will send out legitimate emails
(new bill, etc.) that have clickable links in them._

This a million times. It never ceases to amaze me when I see this. It shows
even the banks don't understand security!

~~~
ceras
Do you mind explaining what the problem is? Are you speaking against links in
any emails, or just those with sensitive information? Why?

------
thirsteh
Anybody who's ever thought about how an antivirus product works has come to
this conclusion: Antivirus will detect software that does things that are
known to be bad, but not software that does things in a new way. Depending on
the level of sophistication of the antivirus solution, that either means a
completely black-and-white distinction between what matches what is
essentially a rainbow table of MD5 signatures and what doesn't, or more
complex binary analyses like what kinds of actions an application binary
performs, or what IP address ranges it attempts to establish a connection to.

Now, this doesn't mean that antivirus is useless, or that the antivirus era is
over--by the logic of this post, the antivirus era was over the minute it
began. What it means is that antivirus is a tool that helps protect you
against "stupid"/mass malware, but not a tool that gives you any kind of
"complete" or "100%" protection (although every AV vendor will certainly try
to convince you that their products do), and this is particularly true--today
as it was 10 years ago--when it comes to malware that isn't widely
distributed, or, put more fashionably, "targeted malware" and "advanced
persistent threats" (hence: malware which belongs to a "family" that hasn't
been caught, analyzed, and added to a binary/behavioral signature/heuristic
database of some kind beforehand.)
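The distinction drawn above, between an exact match against a table of hashes and a more gradual behavioral analysis, can be shown in a few lines. The following is an added illustration, not code from the article or from any antivirus product; the "samples", the signature table and the action weights are all constructed toy values, and the scoring threshold is an arbitrary assumption.

```python
import hashlib
from typing import Iterable

# Constructed "known bad" samples: plain byte strings standing in for files
# that an AV vendor has already caught and analyzed. Not real malware.
KNOWN_BAD_SAMPLES = [
    b"TOY-SAMPLE-A",
    b"TOY-SAMPLE-B",
]

# Layer 1: the black-and-white signature table (MD5 of each known sample).
SIGNATURE_DB = {hashlib.md5(s).hexdigest() for s in KNOWN_BAD_SAMPLES}

# Layer 2: a behavioral heuristic. Each observed action carries a constructed
# weight; a file is "suspicious" when the total crosses a threshold.
ACTION_WEIGHTS = {
    "writes_autostart_key": 3,
    "disables_updates": 3,
    "connects_unknown_ip_range": 2,
    "reads_browser_credentials": 4,
    "opens_document": 0,
    "writes_user_documents": 0,
}
SUSPICION_THRESHOLD = 5  # assumption for the example


def hash_signature_match(blob: bytes) -> bool:
    """Exact-match lookup: either the hash is in the table or it is not."""
    return hashlib.md5(blob).hexdigest() in SIGNATURE_DB


def behavioral_score(actions: Iterable[str]) -> int:
    """Sum the weights of the observed actions; unknown actions score 0."""
    return sum(ACTION_WEIGHTS.get(a, 0) for a in actions)


def classify(blob: bytes, actions: Iterable[str]) -> str:
    """Combine both layers into a verdict: known-bad, suspicious or clean."""
    if hash_signature_match(blob):
        return "known-bad"
    if behavioral_score(actions) >= SUSPICION_THRESHOLD:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    # A catalogued sample is caught by the hash table alone.
    print(classify(b"TOY-SAMPLE-A", []))                       # known-bad
    # The same sample with one extra byte has a different hash: the
    # signature layer is blind to it, only the behavioral layer remains.
    variant = b"TOY-SAMPLE-A" + b"\x00"
    print(hash_signature_match(variant))                       # False
    print(classify(variant, ["writes_autostart_key",
                             "disables_updates"]))             # suspicious
    # A benign file doing ordinary things passes both layers.
    print(classify(b"quarterly-report", ["opens_document",
                                         "writes_user_documents"]))  # clean
```

The point the example makes is the one in the comment: the hash table says yes or no and nothing in between, so any family not yet catalogued falls through it, and whatever protection remains comes from the heuristic layer, whose weights and threshold are a judgment call that trades missed detections against false alarms.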

~~~
brasmasus
I've had an IT consultancy for 7 years. There was a time when I would
recommend a certain antivirus because I observed that it was consistently able
to cleanly intercept in-the-wild badware attacks or even clean out something
that already had a foothold. Eset, Prevx and even Norton had solid, effective,
best-in-class products at one time or another. However, based on what I've
seen over the last year or so, there's been a sea change; the badware that
gets on a machine typically does what it wants, antivirus or no, the majority
of the time. Detection has become much more the exception and much less the
rule.

Sure, antivirus has never been 'complete' protection but, speaking from a lot
of firsthand experience, some of it used to be pretty darn good compared to
lately. Now even 10-15% protection from AV sounds like a stretch. Hence, in
terms of the soho PC segment I've dealt with day to day, I'd say The Antivirus
Era Is Over And It Has Been For Awhile.

~~~
thirsteh
I'm going to guess that a lot of these were the fake AV and similar rogueware.
Most of these were pretty good at changing regularly to avoid naïve signature
detection, and most vendors acted really slowly because it wasn't "malware."
They're not really special in any way that requires a fundamental change to
allow detection, though.

I'm not going to dispute that AV vendors have become complacent recently, but
10-15% is on the low side. Most families of widespread malware are detected by
most solutions within a few months (yes, that slowly.) It's probably around
80-85%, but, at the same time, 90%+ of the _really_ dangerous (and especially
targeted) malware is more often than not in the remaining 15-20%.

Ultimately, what this article and your comment insinuate is that you can
uninstall antivirus and be "just as safe." That is not true (except in rare
cases where the AV software itself is vulnerable and provides a way to
escalate privileges.) I'm all for getting rid of shoddy blacklisting, but we
need a replacement, such as innovations in OS security models (a la Chromium
OS.)

~~~
brasmasus
Clarification: by my saying "10-15% protection" I mean I'm guessing that
85-90% of the time my clients' machines come across badware in the wild, their
AV misses it and they are compromised. Not a hard number, but my impression
over the last year.

> _"Ultimately, what this article and your comment insinuate is that you can
> uninstall antivirus and be "just as safe." That is not true..."_

Agreed, but at the same time it's hard to recommend paid AV solutions that
don't really work for what people perceive as 'a virus'. What I've come to do
is:

* de-emphasize the importance of AV to my clients; tell them it may help but don't count on it

* recommend running the free AV of their choice

* emphasize the importance of updates

* emphasize Chrome + 'Click to run' as the primary protection approach: [http://www.pcstrikeforce.com/taking-chrome-security-next-lev...](http://www.pcstrikeforce.com/taking-chrome-security-next-level-one-setting-clicktorun-plugins/)

> _"I'm all for getting rid of shoddy blacklisting, but we need a replacement,
> such as innovations in OS security models (a la Chromium OS.)"_

right on

------
Derbasti
Frankly, my computer has not had a virus in years. It has been on the web, it
has downloaded stuff from dubious websites, it has installed stuff. But no
viruses.

That is not to say that there is no malware any more, but the infection
vectors have changed. More often than not, malware will be explicitly
installed by the user. More broadly, it will trick the user into doing
something that is not in his best interest.

In other words: In the current age, malware is targeting users, not computers.
Now _we_ have to install virus scanners, by educating ourselves about how to
spot viruses. This is a very different game from a few years ago!

~~~
simonbrown
How do you know?

~~~
Derbasti
I guess you are asking this question in reference to "my computer has not had
a virus in years".

By the naïve measure of "my antivirus did not ever find a virus", which might
not be 100% reliable, as the article points out. However, it _should_ identify
viruses eventually, though possibly too late. But it didn't.

------
notatoad
The antivirus era will never be over, as evidenced by the antivirus apps for
smartphones. It provides the same purpose as the TSA: it inconveniences people
just enough to make them feel like something is being done to protect them. It
doesn't matter how ineffective an antivirus is, as long as it pops up a
message every couple days saying "your computer is protected", it has served
its purpose.

Anybody who has worked consumer IT can tell you, it doesn't matter how many
times a person's computer has been infected despite running kaspersky, they
still absolutely depend on the messages from their av program to tell them
it's all good.

~~~
rplnt
I don't know if there has been a thorough test on capabilities of smartphone
antivirus apps but I know there have been a lot of reports of malicious apps,
basically viruses for smartphones. Protection is necessary (for the majority at
least).

------
qdog
Flame was signed by a trusted signer (Microsoft in this case) due to a bug
that allowed code to be signed with a Microsoft key that was meant for
something else.

People would like to make behavioral stuff, but it's quite difficult.
Sandboxing sounds great, but it requires more processing power to run a VM,
and the biggest complaint most people have about AV software right now is that
it slows down the computer, so running in a VM with a behavioral model...yeah
good luck. It looks great on paper, but has not been put into good use yet.

If you like to be secure, run 2 boxen, one that has no service except a
logger, log everything from your main box, only log into the logger box from
console when you want to look through the logs to see if something has gone
awry.

FD: I work for a security company, and no, none of our products works like
that. Most (all?) customers have a higher priority on usability of their
network and computers than on security.

------
ladzoppelin
You need a good antivirus program to clean up computers if discovered malware
becomes widespread (like Stuxnet, Flashback Trojan). Since Windows Security
Essentials/Defender in Windows 8 I don't really think about other antivirus
vendors; however, it is very important that all of them remain active. One
antivirus company would be a dream for malware creators. Personally I think
severe global penalties for creating malware/'social engineering' or a
chip+software breakthrough is needed to change the current situation.
Antivirus software has actually become pretty good at cleaning known attacks
which is really all you can ask for at this point in the game considering how
advanced malware has become.

------
andreasvc
The fundamental problem is that anti-virus software operates on the principle
of enumerating badness: a list of known viruses and their signatures, a list
of suspicious patterns in binaries such as obfuscation techniques.

OSes should move to the opposite strategy, enumerating exactly what is
allowed, and dropping anything else by default. The challenge here is that the
granularity should be small enough for this to be effective, but on the other
hand this gives configuration overhead for the user. For example, the firewall
could enforce that only the user's preferred email application is allowed to
send and receive mail. Currently the permissions in plugins and smartphone
apps are too broad to be meaningful, but they're already experienced as a
nuisance, so it's a difficult problem.
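The two strategies contrasted above, enumerating badness versus enumerating what is allowed, can be compared on the comment's own firewall example. This is an added illustration, not code from the article or from any firewall product: the process names, ports and connection events are constructed, and the rule tables are assumptions chosen to show the difference.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MAIL_PORTS: Set[int] = {25, 465, 587, 993, 995}


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt as a firewall would see it."""
    process: str
    dest_port: int


# Enumerating badness: block only processes already known to be bad.
# Constructed list; anything not in it is implicitly trusted.
DENYLIST: Set[str] = {"known_bad.exe"}

# Enumerating goodness: each permitted process gets exactly the ports it
# needs; everything else is dropped by default. Here only the user's
# preferred mail client may talk to mail ports (constructed policy).
ALLOWLIST: Dict[str, Set[int]] = {
    "thunderbird": MAIL_PORTS,
    "firefox": {80, 443},
}


def denylist_decision(conn: Connection) -> str:
    """Allow unless the process is on the list of known-bad names."""
    return "deny" if conn.process in DENYLIST else "allow"


def allowlist_decision(conn: Connection) -> str:
    """Allow only if this process is explicitly granted this port."""
    return "allow" if conn.dest_port in ALLOWLIST.get(conn.process, set()) else "deny"


def evaluate(conns: List[Connection]) -> List[Tuple[str, int, str, str]]:
    """Run both policies side by side over a batch of connection attempts."""
    return [
        (c.process, c.dest_port, denylist_decision(c), allowlist_decision(c))
        for c in conns
    ]


# Constructed sample events: the everyday case, a known-bad process, an
# unknown process reaching for a mail port, and a legitimate new mail
# client the user has not yet added to the policy.
SAMPLE_EVENTS = [
    Connection("thunderbird", 587),
    Connection("firefox", 443),
    Connection("known_bad.exe", 25),
    Connection("updater.exe", 587),
    Connection("newmail", 993),
]

if __name__ == "__main__":
    print(f"{'process':<15}{'port':<6}{'denylist':<10}{'allowlist'}")
    for process, port, deny_verdict, allow_verdict in evaluate(SAMPLE_EVENTS):
        print(f"{process:<15}{port:<6}{deny_verdict:<10}{allow_verdict}")
```

Running it shows both halves of the comment's argument. The unknown `updater.exe` sending on port 587 sails through the denylist, because nobody has put it on a list yet, but is dropped by the allowlist. The flip side is the `newmail` row: a perfectly legitimate new mail client is also dropped until the user extends the policy, which is the configuration overhead the comment warns about, and the reason the granularity of such rules is a hard design choice.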

~~~
munin
> OSes should move to the opposite strategy, enumerating exactly what is
> allowed, and dropping anything else by default.

when they do, it results in hackers being emo about Gatekeeper or the app
store or whatever.

~~~
RHSeeger
The problem that most of the complaining is about (from what I've seen) over
current sandboxing solutions is not that you need to enumerate what your
application can do. Rather, it's that the OS makers decide that certain
functionalities are not allowed by apps (running downloaded code, etc) and
just don't allow them. I think a lot of people would prefer that all
functionalities be available, but each one needs to be specifically allowed by
the user.

That being said, that makes life harder for the user.

------
mikemoka
What do you think about sandboxing, is it possible to think of each process as
a separate virtual machine in order for them to be "rootkitproof"?

~~~
fpp
this has been done by a company called Advanced Computer Research in the 1990s
- it has been proven to be working very well, so well that it was taken off
the market (with force / criminal means). Officially the company was sold to
a US conglomerate and immediately all products were taken off the market.

It was - unlike the snake oil antivirus software sold commercially
otherwise since then - also able to protect against unknown threats by
creating a security focused virtual machine inside the PC and a sandbox around
applications. This was the first VM available for PCs (1995).

The only links still visible that I could quickly find are:
<http://www.securityfocus.com/tools/803>
[http://web.archive.org/web/19990117023714/http://www.acrmain...](http://web.archive.org/web/19990117023714/http://www.acrmain.com/index.html)

~~~
oconnor0
That sounds very conspiratorial. What evidence do you have that it was taken
off the market via force / criminal means?

~~~
fpp
first hand experience

------
based2
[http://security.stackexchange.com/questions/19714/cohens-pro...](http://security.stackexchange.com/questions/19714/cohens-problem)

[http://security.stackexchange.com/questions/14735/how-antivi...](http://security.stackexchange.com/questions/14735/how-antivirus-companies-create-virus-defnitions-for-new-outbreaks)

------
nyar
I have not used an antivirus in years, I use a firewall which allows me to
control behavior of every process with allow/deny rule creation. It's blocked
java exploits and trojans on my system that were not yet in antivirus
databases. Antivirus is cool for a monthly just in case checkup and for
scanning suspect files before executing.

