How to Compromise the Enterprise Endpoint (googleprojectzero.blogspot.com)
553 points by nnx on June 29, 2016 | 179 comments

"Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it - the victim does not need to open the file or interact with it in anyway."

That seems big. Is there any precedent on AV software vulnerabilities of this scope?

Worse than that. Apparently, Tavis emailed the exploit to Symantec in a password protected zip file. He included the password in the body of the email. The email server, running Symantec, grabbed the password out of the email, decrypted the zip file, and upon reading the exploit code, crashed itself.

Seriously? That's incredible. I'm not sure if I should be impressed that doing so worked, or saddened by the fact that it ACTUALLY WORKED...

It's hilariously ironic. They're in the business of scanning things which smart people want them not to. How does someone send them something they really shouldn't scan?

I very much started reading your post as a comedic sci-fi ending to the story.. but now I am actually not sure. It would be quite creative to think of that scenario! Did this happen?

I'm afraid this did actually happen[1].

[1]: https://bugs.chromium.org/p/project-zero/issues/detail?id=82...

I do not see any indication in the link you posted. Am I missing something?

> I think Symantec's mail server guessed the password "infected" and crashed (this password is commonly used among antivirus vendors to exchange samples), because they asked if they had missed a report I sent.

This is just an assumption

At least they eat their own dog food.

At the end of the day, we all pivot back to our own solutions when it appears we're almost out of runway.

That's a hell of a proof-of-concept.

It wasn't intentional. This was alluded to in Tavis's previous exploit.

But that being said, it's hilarious.

Nice to see that even security researchers can't be bothered to PGP encrypt their messages then.

Why should they? Signing, maybe; encrypting, superfluous and risky in this context (if the other party won't accept or read encrypted mail).

Perhaps because they are discussing critical system vulnerabilities, some of which would be disastrous if they got into the 'wrong' hands before they were patched?

And, from Symantec's own page: Symantec strongly recommends using encrypted email for reporting vulnerability information

Yes, I believe there are several precedents. Tavis has found remote code execution exploits in Sophos[1] and TrendMicro[2] products too.

Continuous protection by nature opens up an enormous attack surface, and AV vendors seem in no way up to the challenge. For this reason, in my company, security policy is to use only what's built in to each O/S.

[1] http://www.pcworld.com/article/2013580/researcher-finds-crit... [2] http://arstechnica.co.uk/security/2016/01/google-security-re...

That's a progressive stance that few organizations have the balls to implement.

In one case, a contractual compliance thing required that we have AV be present. We complied, but disabled the filter driver and let it scan nothing. ;)

I'm sure your legal team was thrilled when you approached them with that, haha.

We're small enough not to have a legal team yet. But if we did, this is not something I'd be overruled on easily. The technical issues seem pretty clear cut, and if you have a written policy in place (and it was there before anything bad happened) I can't see how it's a genuine risk. It was also no problem for our ISO27001.

If you're using Windows, does Microsoft Security Essentials (or whatever its current name is) not qualify?

Project Zero has uncovered a similar issue in ESET a year ago:


So, what do people run on their servers / macbooks for AV? Anything?

I was in a meeting just last week with our new "head of Security" who exclaimed when I stated that neither our MacBooks nor our Ubuntu servers run any AV software (we run firewalls and things like fail2ban, but no traditional AV).

I know I'm going to get into a debate with them over this, so, what would be a good 'win-win' type position for me to fall back on to satisfy this point and not clutter my machines up with junk, if there is such a thing?

It depends on your strategy for dealing with endpoint security and why the security folks are demanding it. Usually these requirements are driven by external compliance or some zealous security guy reading NIST docs without context.

For UNIX, try to get ClamAV through or buy whatever solution is cheapest. IIRC, McAfee worked in the most platforms, including AIX.

For Windows, Microsoft stuff (Windows Defender and the "Enterprise" equivalent baked into SCCM) have the lowest impact on the system... But are pretty "meh" solutions. But even the best AV is pretty meh.

Personally, and coming from a lot of experience managing lots of computers (or people doing the management), I would recommend running the cheap/free Microsoft AV to check the box and do the following: force users to run without privilege, disallow internet access from privileged accounts, use an application whitelisting solution, use a good proxy/anti malware solution like Palo Alto or zScaler.

The whole point of this stuff isn't to stop threats -- that's a game you always lose. You want layered protection that stops what it can, helps prevent lateral movement and increases the probability of detecting a compromise.

On Windows PCs, I use Microsoft Security Essentials/Defender/Whatever-it's-called-this-release. It's already there, and basically can't be turned off, so why not?

I do not use AV on any other platforms.

Windows MSE can be way more resource hungry than many AVs while providing a worse protection. Symantec might actually be worse than MSE depending on your data etc.

Avira is the best free one right now IMO. No spam you can't opt out of and no pop ups.

Any proof for this claim?

I work on a product that required testing of all these AVs in real life scenarios and also requires to improve upon them.

Regarding scanning speed for MSE:

On my current Windows installs (2 VMs - one Win7, one Win10) and one installed on bare metal, it takes up to 5 seconds to scan a 5MB file after it is downloaded and before it is run. These systems have a lot of software installed on them so such results may not generalize to everyone.

Also, "antimalware service" sometimes goes nuts and would take up 100% disk usage on non-SSD disks after an update for hours on end. I am not sure what the reason for this is.

Regarding which AVs are faster at scanning:

you can try them all here just for static analysis: https://github.com/joxeankoret/multiav

However, the overhead in many cases doesn't have that much to do with scanning speed but deals with what the AVs choose to scan and what types of files are being scanned.

For example, how do they handle changing files on a live system? Do they take shortcuts with files at a known location with known initial bytes/hash?

Then there is the annoyance factor - Kaspersky for example keeps trying to get you to sign up/use their non-antivirus features within the software package.

Finally - efficacy. The only reason we are using the AVs at all.

In the efficacy dept, the best one by far out of traditional AVs is ESET-NOD32. It detects about 70-75% of new threats when they're in PE32 format. Symantec detects roughly 40% in my testing, which is on par with 42% that Microsoft MSE detects. The samples came from a number of sources, but perhaps the best one is virusshare - https://virusshare.com/

Anyone can do their own test if they're so inclined, but nobody should trust the tests where there are claims that the top AVs detect 99.5% of malware. I am not sure where they're getting such numbers but I've never seen more than high 70s on currently circulating recently (within last week) released malware.

I might do a blog post about it later since this is a topic many people disagree on.

Disclaimer: The views expressed here are my own and do not necessarily represent the views of my employer.

Thanks for that lengthy reply! Interesting to hear that NOD32 is still the best.

> No spam you can't opt out of


What specifically is the pop-up? I don't see any you can't disable.

To be honest, I wouldn't put AV on anything but Windows. There I'd opt for Microsoft's Security Essentials since it's the least offensive/annoying solution.

On mac and linux I just don't see the need unless you're doing questionable things or trust shady sources. Be aware that macOS also comes with a very basic and rudimentary protection built-in called XProtect.


The best AV is: - keep everything up to date - uninstall flash, java, silverlight - don't open random junk - use homebrew/homebrew cask to install stuff

> The best AV is: - keep everything up to date - uninstall flash, java, silverlight - don't open random junk - use homebrew/homebrew cask to install stuff

Indefensible. Just browsing a web page is “open random junk.” Ad networks bring malware to mainstream web sites; Adblock is now a major line of defense.

You could wallow in despair, or you could use QubesOS. Which, infuriatingly, does not include IPv6 yet.

Web browsers are at least somewhat sandboxed - they have to be. (I'm not sure about adblock - it blocks some threats in an ad-hoc way, but it might add an exploitation vector of its own). QubesOS is only a little bit more sandboxed than a web page; it's relying on Xen (which has a poor security track record) and mostly still using commodity OSes written in C for the insides (though there is some hope e.g. http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewal... ), so at the moment even running Qubes you're still almost certainly vulnerable in all sorts of places. I agree that something like qubes (that is to say, an OS formed of a number of strictly isolated modules with a small well-defined API between them) is the path to genuine security, but we'll have to at a minimum replace the Xen layer with something proven correct before we can claim to have a genuinely secure system.

Xen has poor security track record compared to which VM or sandbox?

Poor in absolute terms. I don't know that there's a better alternative, but Xen has vulnerabilities frequently enough that at any given time the version you are running is probably vulnerable.

IMHO, the best AV for Windows is: start a fresh VM at each boot and discard it at shutdown. If your shared folders contain only harmless data, you have almost nothing to fear.

You don't have to discard it each time. You can just have it revert to a snapshot whenever the VM is rebooted.

Use a web proxy to block ads and malware sites.

I've never run AV software on any of my Mac computers or any of my Linux PCs. There's no need. I will never get a Mac or Linux virus.

I'm vehemently against running AV software on Linux at the enterprise level, too. The best I've been able to do there, though, is to ensure that on-access scanning (aka "slow the system down to 10 percent of its usual speed for no reason at all") is completely disabled.

Edit: any explanation for the downvotes?

>any explanation for the downvotes?

I noticed that before on this subject: I agree with you and said that before on the subject of AV on Linux and got downvoted. Not claiming there are not viruses on Linux, just saying that, in roughly 20 years of using it, I have never seen one on my servers or workstations. So why would I sacrifice speed?

For workstations I think Linux people are more careful than others (I have no citation just personal experience). I do not need warez and if I have to browse something fishy I do that from a VM or another account; not 100% safe but a lot safer than the entire mess people seem to have on Windows boxes (incidentally it has been around 20 years since I last worked with Windows seriously too).

Just wanted to add on that the down-votes probably come from people that take your comment as perpetuation of the argument that macs don't need AV, vs taking it at face value that its been your experience (and mine) with the OS.

On the flip side, I have 4 infected Macs being flagged by Webroot right now because the users downloaded and ran things like fake Flash installers. So "every day" users do dumb things on Macs and Windows. For those users, the AV performance hit is worth it (to me) :)

The thing that kills me is, AV software for Linux is just looking for Windows viruses. Tripwire seems more appropriate for Linux.

I've had that debate and it was decided that we had to have something. FWIW we use TrendMicro deep security.

Typical AV for Linux is for server products serving mainly Windows clients, and the Windows clients are more probable to run random binaries.

Linux malware, outside of someone trying to crack the computer, largely doesn't exist because have you ever tried to ship binaries for all Linux distros?

ClamAV on public facing smtpd/MX that talk to the world: https://en.wikipedia.org/wiki/Clam_AntiVirus

On Ubuntu you have Apparmor, and mandatory access control (in practice, any sandboxing mechanism) is vastly superior to antivirus, at least in default-deny mode (which, sadly, Ubuntu does not use by default).

If arbitrary software needs administrator level policy set to access the filesystem or devices, rogue software cannot harm your system. If trusted packages also need policy, then exploits in that software cannot do any more damage than the minimum amount of capabilities allocated to the application, which is quite frequently just the apps config file.

I realize that it's better than nothing but be careful with the default AppArmor profiles, they're very coarse grained and allow a lot of stuff that they don't really have to for compatibility reasons (so they just work). I'm not saying they're useless but they could certainly be better and/or tweaked to your needs.

Little Snitch -- at minimum it makes you more aware of who's trying to phone home.

If you know what you are doing, and how the apps you are using work.

It's very easy to shoot yourself in the foot, and prevent apps from working correctly. In addition to driving apps developers mad with bug reports, you can end up being less secure by breaking update mechanisms.

Little Snitch is pretty good at visualizing the traffic, including the blocked traffic. It's not a tool for beginners, however.

You can explain that traditional viruses are less common on Linux. Rootkits and privilege escalation exploits are more likely.

One strategy might be to say that Linux systems are not sheltered from any threat (saying otherwise might lead the other person to consider you as a biased Linux fan), but instead to explain that the threats and consequently the defensive tools to adopt are different.

So, instead of an AV, I would recommend 1) a host-based intrusion detection system (HIDS), like OSSEC or Tripwire, and 2) a kernel patched with grsecurity.

The HIDS will send you an alert every time an important file (like /etc/shadow) or a new binary / package is installed or modified.

Grsecurity will offer multiple very efficient protection mechanisms against privilege escalation exploits (among other things).

For the MacBooks, I don't know.
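The file-change alerting described in the comment above (a HIDS flagging that /etc/shadow or a binary was modified, added or removed), as an added example. This is not code from OSSEC, Tripwire, grsecurity or any commenter: it baselines the files under a directory (SHA-256 of the contents plus mode, owner and size), takes a second snapshot and reports the differences. The directory layout, file contents and the "attacker" edits in demo() are constructed for the demo; a real deployment would watch /etc, /usr/bin and similar and keep the baseline somewhere the monitored host cannot rewrite.

```python
"""Minimal file-integrity monitor in the spirit of OSSEC/Tripwire.
Added example, not the code of any HIDS product or of any commenter."""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Content hash plus metadata for one file (hash is None for non-regular files)."""
    st = os.lstat(path)
    digest = None
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {
        "sha256": digest,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "size": st.st_size,
    }


def snapshot(root):
    """Map of path (relative to root, '/'-separated) -> fingerprint."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = fingerprint(full)
    return db


def compare(before, after):
    """Diff two snapshots. 'changed' holds (path, [fields that differ])."""
    report = {"added": [], "removed": [], "changed": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            report["added"].append(rel)
        elif rel not in after:
            report["removed"].append(rel)
        else:
            diffs = [k for k in before[rel] if before[rel][k] != after[rel][k]]
            if diffs:
                report["changed"].append((rel, diffs))
    return report


def demo():
    """Constructed scenario: baseline a fake /etc and /usr/bin, simulate a
    compromise (backdoor account appended to shadow, dropped binary, setuid
    bit on ls, hosts file deleted) and return the alert report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        usrbin = os.path.join(root, "usr", "bin")
        os.makedirs(etc)
        os.makedirs(usrbin)
        with open(os.path.join(etc, "shadow"), "w") as f:
            f.write("root:*:17000:0:99999:7:::\n")          # constructed sample
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(usrbin, "ls"), "wb") as f:
            f.write(b"\x7fELF placeholder for a real binary\n")
        os.chmod(os.path.join(etc, "shadow"), 0o640)
        before = snapshot(root)

        # ---- simulated post-exploitation activity ----
        with open(os.path.join(etc, "shadow"), "a") as f:
            f.write("eve:$6$salt$hash:17000:0:99999:7:::\n")  # backdoor account
        with open(os.path.join(usrbin, "nc"), "wb") as f:
            f.write(b"\x7fELF dropped tool\n")                # new binary
        os.chmod(os.path.join(usrbin, "ls"), 0o4755)            # setuid ls
        os.remove(os.path.join(etc, "hosts"))                   # cover tracks

        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        for item in items:
            print("ALERT", kind, item)
```

The report for the constructed scenario flags usr/bin/nc as added, etc/hosts as removed, etc/shadow as changed in hash and size, and usr/bin/ls as changed in mode; the setuid change is caught even though the file contents are untouched, which is exactly the case a plain hash list misses.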

That kind of security/noise avalanche seems only effective for paranoid administrators that can process the data from a small number of servers.

Maybe a little controversial, but I think the most effective solution is simply to replace boxes frequently with full OS updates.

grsecurity[1] for linux.

You don't even have to use RBAC if you don't want to (you can still use AppArmor/SELinux/etc) but RBAC comes with a built-in learning mode which is good and will likely do a better job than you could at generating a profile. Sure you'll probably have to hand tune it a bit but for production servers I see no reason why RBAC couldn't be used with its training/learning mode.

[1] https://grsecurity.net/

Plugging Alpine Linux, a distro that, while known for its small size (which led to widespread adoption as a Docker base image), includes grsecurity by default in its kernel and is very security focused.

It's hard to believe that Alpine is "very security focused", when both the .iso and checksums are served over http/have no https forced.

The ISOs are GPG signed.

True, but the public key is also sent over http by default and the signature doesn't even have proper https. It is possible to securely verify the integrity etc (e.g. by using keyservers), but Alpine doesn't help with this at all.

The first tool I run on new Macs is osxlockdown[1] (use [2] if you want a UI). It disables a bunch of features and enables things like the firewall. Make sure you don't disable things you're actually using, though. I don't run any AV, but I use OpenDNS Umbrella, a DNS-level malware blocking service with the capability to switch to "active" traffic filtering (basically a MitM proxy, though that part is completely optional). It's a neat tool with a nice dashboard, and the pricing is okay with $20/year.

OSSEC is a great tool for servers, but not the kind of "Let's just throw some AV at it so we can tick that compliance box" tool many are looking for.

[1]: https://github.com/SummitRoute/osxlockdown

[2]: https://objective-see.com/products/lockdown.html

>[PASSED] Disable IPv6

I'd like to see the rationale behind disabling IPv6 outright.

Edit: https://github.com/SummitRoute/osxlockdown/issues/4

In production you still need to protect from zero days with some form of protection that is not necessarily detection or antivirus such as AppArmor or more commonly SELinux.

On my macbook I run Linux for AV.


From the perspective of a person who thankfully no longer has to support any Windows based platforms:

"Symantec considered harmful"

full stop.

Let's not forget this: http://arstechnica.com/security/2015/10/still-fuming-over-ht...

Symantec should have suffered the CA "death penalty" and had its trust removed from the browsers that hold most of the global market share.

What we need is for Microsoft, Apple, and Mozilla to settle on a plan to collectively eliminate negligent CAs. It seems like existing CAs would have to hand out valid certs to Hitler before they are removed from the trusted root store. We already have high standards for any new CAs to be added, why can't we have high standards for CAs to keep their trusted status?

We don't have to either do nothing or revoke the CA entirely. We could just only trust certificates with an issue date before a certain deadline. When the next DigiNotar or Comodo pops up just set a deadline of 3 or 6 months to revoke their status as a CA. No customers would be harmed by this, they have the rest of the lifetime of their cert or 6 months to move to a decent CA. This would be a clear stop to an untrustworthy CA without the negative ramifications for any party other than the CA itself. And 5 years or so after the deadline has passed, all of their certs are invalid anyways and the CA can be completely removed. If the CA starts issuing bogus certs with a forged issue date, just remove them immediately and make sure that every CA knows that this is the process for removing a CA.

Maybe we wouldn't have CAs in the news every year if there were actual consequences for existing CAs.
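The staged distrust the comment above proposes (reject anything issued after a cut-off, honour earlier certificates until they expire, drop the root entirely once nothing legitimate can remain, and treat backdated issuance as grounds for immediate removal), as an added example. This is not the code or policy of any browser, CA or root program: certificates are plain dicts with constructed dates, the distrust register and CA names are hypothetical, and the clock is passed in so decisions are deterministic.

```python
"""Distrust a CA by certificate issue date rather than all at once.
Added example; not the policy engine of any browser or root program."""
from datetime import datetime, timedelta

# Hypothetical register: root CA name -> cut-off. Certificates with a
# notBefore on or after this date are rejected outright.
DISTRUST_AFTER = {
    "Negligent Root CA": datetime(2016, 10, 1),
}

# Once every certificate that could have been issued before the cut-off has
# expired, the root is dropped from the store entirely. 39 months was the
# typical maximum certificate lifetime around the time of this thread.
MAX_CERT_LIFETIME = timedelta(days=39 * 30)


def evaluate(cert, now, register=DISTRUST_AFTER):
    """Return (trusted, reason) for a cert dict with keys
    'issuer', 'not_before' and 'not_after'."""
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False, "outside validity period"
    cutoff = register.get(cert["issuer"])
    if cutoff is None:
        return True, "issuer in good standing"
    if now >= cutoff + MAX_CERT_LIFETIME:
        return False, "issuer removed from the store"
    if cert["not_before"] >= cutoff:
        return False, "issued after the distrust cut-off"
    return True, "issued before cut-off; honoured until expiry"


def suspicious_backdating(cert, first_seen):
    """A certificate first observed (in a crawl, a CT log, ...) long after
    its claimed notBefore suggests the CA is forging issue dates to dodge
    the cut-off. The 30-day threshold is an assumption for the example."""
    return first_seen - cert["not_before"] > timedelta(days=30)


def _cert(issuer, not_before, years=2):
    return {"issuer": issuer, "not_before": not_before,
            "not_after": not_before + timedelta(days=365 * years)}


# Constructed sample certificates.
SAMPLE_CERTS = {
    "good_ca":       _cert("Careful Root CA", datetime(2016, 11, 15)),
    "grandfathered": _cert("Negligent Root CA", datetime(2016, 6, 1)),
    "post_cutoff":   _cert("Negligent Root CA", datetime(2016, 11, 1)),
    "lingering":     _cert("Negligent Root CA", datetime(2016, 9, 1), years=4),
}


def demo(year=2017):
    """Evaluate the samples as of 15 January of the given year."""
    now = datetime(year, 1, 15)
    return {name: evaluate(c, now) for name, c in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for year in (2017, 2020):
        for name, (ok, why) in demo(year).items():
            print(year, name, "TRUSTED" if ok else "REJECTED", "-", why)
```

In early 2017 the grandfathered certificate is still accepted while the one issued after the cut-off is not; by 2020 the cut-off plus the maximum lifetime has elapsed, so even an unusually long-lived certificate from that root is rejected and the root can be removed outright.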

It's ok to hand certs to Hitler.

It's not OK to let Hitler be an intermediate CA.

I don't see a good reason why handing out a certificate to Hitler would be grounds for having your root trust revoked.

Exactly, I don't get this argument at all. I think the way Google handled the Symantec issue was just fine, but we don't need to live in a world where CA's need precrime units to clear someone for a cert. I do Nazi issuing Hitler a cert as a problem, anne frankly I don't think anyone should care.

I was mostly just being hyperbolic but I meant valid certs for domains that our hypothetical Hitler did not own.

What if there were a middle ground between browsers trusting and rejecting a CA? What if there were a yellow "proceed with caution" warning on sites using certificates issued by CAs that have very occasionally behaved improperly?

If this gets implemented in a way that's clearly visible to the user, the effects on the CA are almost indistinguishable from the death sentence. The vast majority of customers would switch to some competitor that's not affected. Even a handful of saved customer support cases due to this warning is going to make up for the cost of switching. Most importantly, if users are confronted with warnings all the time, they become increasingly oblivious to them and might very well click through more important warnings down the line.

Given the propensity of normal end users to click "OK/Accept" through just about anything, I don't think this is a good idea, as another poster points out. There's a reason why it's a multi-step process/warning in Firefox or Chrome to accept a self-signed or invalid SSL certificate from an httpd. If it's a single click yellow warning banner it could do real harm to widespread use and trust of https.

Netscape used to have support for something similar. I think another idea would be an icon in the address bar.

I know about this incident. I don't think that would be a good idea in this case.

In my opinion the bar is set much too high for the "Root CA death penalty". There has really only ever been one case:


Agreed. Comodo has fucked up so badly, they really should be on the list:


Only one major case. There are other minor cases too, but mostly affecting less commonly used small CAs.

I would be interested to hear why.

It's hard for me to believe that anyone uses this crap software. A few years ago I spent hours uninstalling it for a friend. It had slowed his laptop to a crawl and he was about to buy a new one. After the uninstall, it was snappy enough to use for a few more years. Really, that software is some of the worst I've ever witnessed, and I've seen some shit.

I work for a Fortune 500 company who just switched away from the product mentioned in this article for one which I'm sure isn't much better. Besides the overall performance impact, we also have a daily virus scan that runs at noon on every system. Don't normally take your lunch at noon? Oh well, you certainly won't be getting any work done.

That's a purely self-inflicted wound. Someone in IT/ISO has more power than sense.

It comes pre-installed on many machines, and the mindshare is large.

I also attempted to remove Norton from a friend's computer a few years ago. I failed and later discovered that it actually could not be uninstalled. Norton published some instructions to let you remove parts to the point you could ignore it at least.

I swore to never to touch anything from Norton/Symantec ever again. I bought ESET/nod for a few machines but now I rely entirely on Windows Defender for the few Windows machines I own.

ESET brings back good memories, I was a happy customer as long as I administered Windows boxes. I never remember a false positive with ESET/Nod32.

Norton, OTOH, would happily delete nmap.exe and cain.exe then beg for praise after the fact, a kitten with her first kill.

Everywhere I see lots of praise for ESET, but the program isn't even capable of installing itself properly on my system. If I then try to uninstall it it can't even do that and I have to go into safe mode to uninstall it from there, using their uninstall tool, which thankfully worked.

Before Windows 10, Windows antivirus was the best advertising for Apple computers.

"Apple Computers Don't Get Viruses"

Still a very common misconception, however it's fair to say that macOS is still much "less likely" to be infected because of quantity.

Yes, there are now drive-by packs, crypters and RATs that include OSX as a target. But the ratio for infections would be vastly lower.

Size of user base is pretty much irrelevant to how vulnerable an OS is, Linux/GNU and BSD derivative operating systems are inherently more secure than NT based ones due to user/group permissions and privilege escalation being a core aspect of the former, and a tacked-on afterthought of the latter.

err no.

Outside of rarely used ACL systems, basic Unix/Linux permissions are far less granular than the Windows equivalents.

For desktops, modern Windows handles things very similarly to modern Linux, which is to say that you don't run as "root" or "administrator" by default and programs request escalated privileges via sudo on Linux and UAC on Windows.

As to privesc vulns, most desktop linux distros have limited protections there. One kernel bug can see someone escalate from user to root fairly easily.

With modern Windows apps there is at least a sandbox in play, so that a sandbox escape is required in addition to the kernel bug.

Both Operating systems can be configured to be more secure of course...

NT has a more secure model than UNIX since day one, modeled on top of object capabilities, much more powerful than UGW permissions.

If people decide to run as root that's their problem.

Also you don't need root to exploit UNIX users, getting hold of their $HOME is way more valuable than getting hold of the OS.

Sure, except that you have functions like processing fonts and image formats in the kernel. Layer on userland stuff like OLE and IE and you have a cocktail for security hell.

When things work correctly, NT has historically had a more robust and accessible set of controls, although I think modern UNIX closed that gap. But things often don't work correctly, and the complexity of the ecosystem makes it pretty trivial to exploit.

It is not perfect, but it is possible to configure properly.

Also NT always focused on the user productivity first and as server afterwards.

Whereas UNIX always focused on the server first and user productivity afterwards.

It is always a mix and match between security and productivity.

A security model defeated by a bonkers architecture.

I’m especially baffled that font processing is in the kernel. Allegedly, Windows 10 now moves non-system fonts into a restricted user-mode process, so exploits are a lot harder. But it still acts like the kernel is doing the processing, for backwards compatibility.

>object capabilities, much more powerful than UGW permissions.

    man 5 acl
>If people decide to run as root that's their problem. Also you don't need root to exploit UNIX users, getting hold of their $HOME is way more valuable than getting hold of the OS.

Same on windows.

>>getting hold of their $HOME is way more valuable

>Same on Windows

Windows 8 Metro/Modern/UWP apps do not have access to your home directory.

What is being done to improve the situation on the Linux side of things?

I believe Flatpak/Snap (Fedora/Ubuntu's new app packaging formats) makes this possible quite easily. It'll take quite some time until these initiatives really take off, but then again things aren't all that different on Windows today. A typical Windows system is still one Office macro away from losing $HOME.

But then no standard desktop OS is immune to users executing code from untrusted sources, you need something more locked down like iOS for that.

To get a macro running in Office the user has to explicitly ignore security warnings to do it; this would be the same in Linux or macOS where code execution capabilities were present.

I'm making a comparison to Windows, and my point was that it's no different there today despite the fact that Metro apps exist (just like Flatpak/Snap exists on Linux). Walled gardens such as iOS are definitely superior in that respect.

> To get a macro running in office the user has to explicitly ignore security warnings to do it, this would be the same in linux or MacOS where code execution capabilities were present.

Sure, but it's pretty easy to ignore those warnings when you see something like [1] or [2].

[1]: https://3.bp.blogspot.com/-ginpmnFHC_E/V3J3kFADrxI/AAAAAAAAo...

[2]: https://pbs.twimg.com/media/CiqwqUOWgAAVTzE.jpg:large

Indeed, those messages are good examples of social engineering, but when comparing OS security there's nothing inherent about macOS or Linux that would make them any more resistant to the same kind of social engineering attack.

I'd suggest that the reason that there are fewer attacks of that nature on those platforms isn't down to superior OS security but less profit available to attackers, due to smaller market share and perhaps lack of a ubiquitous target app like Office.

I think you're missing my point. I'm not saying either is better in that respect (like zyx321 claims for Windows), I'm just saying they're both just as vulnerable despite the existence of sandboxed apps.

The IEEE 1003.1e draft 17 ("POSIX.1e") document describes several security extensions to the IEEE 1003.1 standard. While the work on 1003.1e has been abandoned, many UNIX style systems implement parts of POSIX.1e draft 17, or of earlier drafts.

Note the implement parts of, that is not something UNIX has in any portable way.

likelihood of infection != vulnerability

If you live in a bad neighbourhood, you're more likely to get shot. If you live in a nice neighbourhood, you might get shot, but it's much less likely.

The ability for someone to shoot you in each neighbourhood is irrelevant when talking about likelihood of being shot.

What has Windows 10 changed on this front?

Presumably now Windows 10 is the best advertisement for Apple

In this case, things like SmartScreen and Windows Defender were introduced in Win8.


Comments that add to conversation and happen to be phrased in a witty way are.

Making fun of Windows is "witty?" I thought this was a more serious forum.

I haven't used it in about a decade, but the corporate version used to be pretty lightweight compared to the retail version. I started using the corporate edition soon after I joined the military because we got it for free. There was an immediate and noticeable improvement in my pc's performance after replacing the retail version.

Regulations mandate picking one of the available crap softwares.

Same here. We have moved to something called Sophos.

Sophos does not exactly have a good security reputation either... https://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-so...

A note for everybody asking "why on earth does anybody run this software": When my company had to get corporate liability insurance in 2007/2008, the actual insurance contract stipulated "having AV installed on all machines". We did solve it by having an unused folder with ClamAV on every box, but I was impressed by the fact that AV is pretty much legally mandated for enterprises.

This is very common in boilerplate enterprise contracts. They will often have provisions about compliance with certain security and disaster recovery standards.

I always wonder why, despite all these flaws and vulnerabilities, big enterprises still use them.

Is there some kind of "compliance" or "regulation" that mandates companies to install them on every workstation?

You know you bring up a good point, in that I don't think the relevant regulations like PCI, HIPAA, etc ever really require a certain tool, just certain checks and verifications. It's generally industry "best practice" to install antimalware anywhere that can handle it, with even the formerly forbidden embedded devices getting it sometimes.

Honestly, HIDS like OSSEC seem more apropos for what businesses really want to know, e.g., did files XYZ change and by what, when?

Well would you want to be the guy (or gal) responsible for explaining why all your computers don't have A/V installed after an infection?

I would make that argument a few years back when 3rd party A/V was the only choice. But now you have the built-in Windows Defender, which is a valid A/V, why not upgrade your OS and get it for free?

Some endpoint VPN solutions scan the PC to try to make sure it is secure. Some of these might not recognise or accept all antivirus solutions.

(Source: doing remote support)

Yes. It is a checkbox on many compliance checklists, including PCI DSS (credit card industry standards that apply widely).

A bug in their software would be forgivable. This article pointed out both an extremely poor design decision (lots of unnecessary code in the kernel) as well as a serious organizational problem (not doing vulnerability management). These are especially bad considering that they are supposed to be a security company.

In both cases, one bad example means it's likely there are many more still undiscovered.

Win32k before Win10 used to do TrueType/Type 1 parsing in the kernel, with an entire bytecode virtual machine!

So what? Linux, today, has a full bytecode interpreter.

Bigger attack surface in the kernel, for something that doesn't need to be there, and that is historically very difficult to code securely.

grsecurity just disables it outright IIRC (the new one that was added sort of recently, probably year+ at this point).

Anti virus is like a compromised immune system: it joins the other side and will help to kill the host in short order. It's a miracle these companies are still in business and it is very sad to see Peter Norton's name dragged through the mud like this over and over again.

Many years ago, installing Malwarebytes Anti-Malware dramatically reduced the amount of on-site technical support calls for my well-meaning but too trusting ("I just clicked on it") parents. This was before I was able, with the help of my brother-in-law, to convert them to Apple/Mac.

Is Malwarebytes Anti-Malware still the gold standard for Windows Malware protection? What is the gold standard for Windows virus protection now?

The gold standard is now Apple macOS or Linux. I've converted my parents over to Apple systems and no longer have to do any support for them; Apple products "just work". Worth the premium in saved support, in my book.

I use Ubuntu as my main OS, personally.

I would argue that the gold standard is now a chromeOS laptop.

To be honest, Mac OS X does have things like Gatekeeper.

Do you mean MacKeeper? Gatekeeper is Apple's software that prevents you from installing non-verified apps; MacKeeper is (from what I can tell, haven't installed it or looked at the site) spamware.

It never was.

The stuff from Microsoft seems less fraught than the rest.

The stuff from Microsoft unfortunately misses a large amount of malware.

I think they recently are beginning to do Anti-Ransomware, though have no idea how good it is.

How does ransomware get activated? Did it always require a user to open a file like an executable (or a Word document in unsafe mode), or is it sophisticated enough that simply downloading it will make sure it exploits some vulnerability in the browser or the OS?

The former for the most part.

IMHO, the security industry has been guilty of adding complexity to existing systems rather than doing its duty of stripping it away.

I'm not really sure I consider McAfee, Norton and the like the security industry. They're definitely a part of it, but in the same way car dealerships are part of the auto industry. They provide a service, but there's a real debate to be had about whether they are more beneficial or harmful.

Fair point, though at times it seems that the markets and regulators in this space tend to favor turnkey products, appliances, et cetera. To ride on your car analogy (pun intended), one finds it is not easy buying directly from a manufacturer, the heavy bias is towards the dealerships.

Symantec is a dumpster fire, according to people I know that work there.

I think this every time AVG busts out a popup in the middle of a Counter-Strike match.

Edit: 5 minutes later, AVG "detected" csgo.exe and asked me if I want to quarantine. Uninstalled.

Maybe csgo.exe does tricks that look like a virus when it's doing its anticheat probing?

I'll bet you're right about that. To AVG's credit, it may be overly protective and annoying at times but I don't think it has ever let me down outside of being annoying popupware. Maybe I should just finally pay for it like I should have since I've been enjoying their free edition for longer than my memory serves me. Note to self: do the same for Sublime Text.

The software you buy to keep you safe actually exposes you to more risk than if you didn't buy it. How ironic.

It was ironic fifteen years ago. Now it is just business as usual.

How much more? I always imagined that it's more likely for a standard user to open every email attachment and execute it than it is to get targeted by a malicious attacker who knows what software your users are running and writes exploits tailored for them, but I could be wrong.

No tailoring required with something like this since it's worm-ready; blast out a ton of emails to seed the worm, then post-exploit the worm emails itself to everyone in your address book. It won't take too long before a significant portion of the vulnerable systems in the world are infected.

See Blaster, Slammer, CodeRed for historical examples....

Isn't Norton antivirus itself malware? And McAfee too, for that matter? I finally convinced my mom and my wife to stop downloading it every time they update Adobe Flash. (Yes, they still do that. On Windows, of course. Sigh. One thing at a time.)

You don't even have to update Flash anymore. It's built in to Chrome (and updates on its own) and (the other one) updates with Windows Update. I suppose you might have to if you're using Firefox, but Firefox would be the last browser I would choose for someone like the people you described (Chrome being the first).

Was about to recommend using Ninite to update Flash, only to find out Adobe demanded they remove it back in 2013.

At least it is only McAfee Security Scan, which doesn't seem to have the kernel stuff.

I thought even Security Scan had the {network, FS} filter drivers?

Here's a question I have every time I see "RCE" type issues, and I'm completely serious when I ask: what is the use case for allowing remote execution in your software? Why would you want to allow arbitrary code to be executed? Or am I perhaps misunderstanding this, is it some sort of break out of the program bounds which allows execution?

It's a vulnerability. No one wants it (except attackers).

Of course there are some situations that some people actually do want (controlled) remote code execution, such as ssh.

The latter.

I've seen a few cases. (Not that they were justified, but that it was a very convenient way to program by someone at the time)

The use case here being you fully trust another developer to use the API properly, not realizing a user could also use the API.

Now, code review with a security perspective is usually enough to stop intentionally adding it.

What are the reasons one would want to use an antivirus? Can someone share some insight on how does antivirus actually work?

Traditionally they scan files, either in a batch job or on the fly, to see if the file matches a signature, basically a hash, of known viruses. This worked when there were only a couple thousand viruses in the wild. Now this approach is pointless because there are so many viruses that the odds of the antivirus having seen it before are effectively zero. Not to mention the countermeasures virus writers take make this even harder.

Signatures are definitely not hashes. They usually match families of malware or methods of obfuscation. Nor do any respectable AVs scan after something has started running...
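An added illustration of the disagreement in the two comments above (this is not code from any commenter or vendor): an exact-hash "signature" misses a variant that differs by a single byte, while a ClamAV-style hex pattern with wildcards still matches the whole family. The sample bytes, the signature and the simplified hex-signature syntax (`??` = any byte, `{n-m}` = n to m arbitrary bytes) are constructed for this demo.

```python
"""Hash-based vs pattern-based signature matching on constructed sample bytes."""
import hashlib
import re

# Constructed "known sample" (harmless bytes, not real malware) and a variant
# that differs from it by exactly one byte, plus an unrelated benign file.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 20 + b"GET /update.php?id=" + b"\x01\x02"
_v = bytearray(KNOWN_SAMPLE)
_v[-1] ^= 0xFF                       # one-byte change: new hash, same family
VARIANT = bytes(_v)
BENIGN = b"MZ\x90\x00" + b"Hello, world\n"


def hash_signature(data: bytes) -> str:
    """The 'signature is basically a hash' model: SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


HASH_DB = {hash_signature(KNOWN_SAMPLE)}   # constructed one-entry hash database


def hash_scan(data: bytes) -> bool:
    """Exact match only: anything not bit-identical to a known sample is missed."""
    return hash_signature(data) in HASH_DB


def hex_sig_to_regex(sig: str) -> bytes:
    """Translate the simplified hex signature syntax into a bytes regex.

    Tokens: two hex digits = literal byte, '??' = any single byte,
    '{n-m}' = between n and m arbitrary bytes (assumed syntax, modelled on ClamAV).
    """
    out = b""
    for tok in re.findall(r"\{\d+-\d+\}|\?\?|[0-9a-fA-F]{2}", sig):
        if tok == "??":
            out += b"."
        elif tok.startswith("{"):
            lo, hi = tok[1:-1].split("-")
            out += b".{%d,%d}" % (int(lo), int(hi))
        else:
            out += re.escape(bytes.fromhex(tok))
    return out


# Family signature: DOS header, 16-24 bytes of anything, the beacon string,
# then two wildcard bytes for the per-build id that the variant changed.
FAMILY_SIG = "4d5a9000{16-24}" + b"GET /update.php?id=".hex() + "????"


def pattern_scan(data: bytes, sig: str = FAMILY_SIG) -> bool:
    """Family match: DOTALL so wildcards also cover NUL and newline bytes."""
    return re.search(hex_sig_to_regex(sig), data, re.DOTALL) is not None
```

Running `hash_scan` on `VARIANT` returns False while `pattern_scan` still returns True, which is the distinction the reply draws between hashes and family signatures.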

AVs usually upload suspicious files from user PCs for further analysis to help aid in discovering new variants/types. The odds your AV has seen it is proportional to the odds of you running into it.

The industry is moving away from signatures regardless. Now AVs use runtime heuristics to spot bad behavior of executables and block them even if they've never been seen; Cylance literally only does this and it's pretty effective.

Sounds like the same old snake oil to me.

> if being “part of a community” means we need to share our algorithmic, unique conviction engine with Big AV so they can steal our convictions, then yes we will not be able to meet that criteria.

I have no love for Symantec but this new breed of security software can go screw itself for all I'm concerned.

You might want to check one vendor's explanation of their detection engines: https://labsblog.f-secure.com/2016/05/17/whats-the-deal-with...

Quite a few major enterprises use SEP/SEPM in combination with other IPS/IDS. Time to make sure everything is updated I suppose. Good work project zero.

I've been saying this for years, but when are people going to realize that running Norton on your PC is actually worse than not running AV software at all?

In the fast-moving world of IT security it's refreshing to see that Symantec's web site makes no mention of these profoundly important vulnerabilities on their landing page.

They don't seem to have any Status / Current Alerts style pages -- but on their somewhat hard to find blog page we find the most recent update from the guys is from two days ago:

"Malicious app found on Google Play, steals Viber photos and videos"


EDIT: Oh, they have a Vulnerabilities page - https://www.symantec.com/security_response/landing/vulnerabi... - with the most recent entries listed as 13 days ago (blimey that US mm/dd/yyyy date format is uncomfortable).

Symantec have described some vulnerabilities that sound like these ones, dated 2016-06-28 (no time) here:


Detailed description and credits sections don't seem to be in complete alignment with details of OP, but I may be misreading.

I don't think that they have much to do with the OP. The OP's post is easy to understand, Symantec's seems to be corporate double-speak.

The more important question is what should Symantec/Norton users do to prevent being exploited right now?

It's in the top menu bar on their technical support page. This is visible on desktop browsers, but closed by default on mobile.

I spoke to their technical support this morning (sadly my company still runs Symantec, although we are moving from it). None of them appeared to be aware of the issue.

They have a separate page for "Security Advisories Relating to Symantec Products" here:


The link can be found in a small line of text here:


Windows 10 has a built-in antivirus that's very effective, safe, and doesn't impact system usability. There's little reason for anyone on Windows 10 to run Symantec/Norton.

> and doesn't impact system usability.

I have to disagree with this statement. It's kind of a resource pig, actually. When it got to the point it was affecting my day-to-day productivity, I deleted MsMpEng.exe from my hard drive, and now my machine is snappy and responsive again.

I used to have this problem, but then I configured it to run scans overnight.

I am not surprised in the least. Norton Antivirus is one of the worst of its kind. I've used it for many years. Every single virus/trojan/adware infection I got went straight through Norton Antivirus without it doing anything. Back as a kid I opened a lot of downloaded executables, like games, and some of them were infected. Later, I got more cautious with executables but got rid of all antivirus software - best software decision ever. My computers have never been faster.

> googleprojectzero.blogspot.my

Why is this linked to on a .my domain? Is this an official mirror, or is there something sketchy going on here?

Blogspot, for reasons that defy logic, redirects visitors to "localized" domains (I assume via Geo-IP). OP is probably from Malaysia.

Not only is it incredibly annoying and breaks things like URL deduplication, it also leaks your origin when you share links. What a great feature!

>Blogspot, for reasons that defy logic, redirects visitors to "localized" domains (I assume via Geo-IP). OP is probably from Malaysia.

Because a whole bunch of countries keep wanting to block stuff. So:


If we receive a request to remove content that violates local law, that content may no longer be available to readers on local domains where those laws apply. Note: Country-specific domains are not a different blog address, but a domain redirect based on the country where you're currently located.

I'm having difficulties understanding this. If Google receives a request to remove content from some specific country, I would assume they are doing this based on Geo-IP rather than based on the domain users enter. It wouldn't really make sense otherwise, as the link to the blocked content would not necessarily need to use the localized domain, so this would be ineffective. It seems like an unimportant implementation detail - one that seems to do more harm than good.

It means countries that want to block certain content can block all the other blogspot.* domains. i.e. blogspot.us is a site that they promise will only ever contain content that's legal in the US, so any country-level firewall in the US should leave that site unblocked, and so on.

That still seems like an odd trade-off. The same logic should apply to things like YouTube and Google+, but they don't have a ccTLD redirect for those sites.

Blogspot is older (and/or maybe put more thought into it early on - a blogging platform is naturally a speech medium whereas YouTube may not have thought of itself in the same terms), country-level firewalls are a lot more sophisticated these days.

Blogspot changes the main TLD according to the location of the viewer. From my home, it's redirected to https://googleprojectzero.blogspot.com.ar/2016/06/how-to-com...

HN has a special canonicalization case for Blogspot, so most of the time you don't see the TLD in the HN link. I guess they missed blogspot.my.

I suppose it's only for certain countries, no redirection here in El Salvador.

I think it is official but yes it should be changed.
