That seems big. Is there any precedent on AV software vulnerabilities of this scope?
But that being said, it's hilarious.
And, from Symantec's own page: Symantec strongly recommends using encrypted email for reporting vulnerability information
Continuous protection by nature opens up an enormous attack surface, and AV vendors seem in no way up to the challenge. For this reason, in my company, security policy is to use only what's built in to each O/S.
In one case, a contractual compliance thing required that we have AV be present. We complied, but disabled the filter driver and let it scan nothing. ;)
I was in a meeting just last week with our new "head of Security" who exclaimed when I stated that neither our MacBooks nor our Ubuntu servers run any AV software (we run firewalls and things like fail2ban, but no traditional AV).
I know I'm going to get into a debate with them over this, so, what would be a good 'win-win' type position for me to fall back on to satisfy this point and not clutter my machines up with junk, if there is such a thing?
For UNIX, try to get ClamAV through or buy whatever solution is cheapest. IIRC, McAfee worked in the most platforms, including AIX.
For Windows, Microsoft stuff (Windows Defender and the "Enterprise" equivalent baked into SCCM) have the lowest impact on the system... But are pretty "meh" solutions. But even the best AV is pretty meh.
Personally, and coming from a lot of experience managing lots of computers (or people doing the management), I would recommend running the cheap/free Microsoft AV to check the box and do the following: force users to run without privilege, disallow internet access from privileged accounts, use an application whitelisting solution, use a good proxy/anti-malware solution like Palo Alto or zScaler.
The whole point of this stuff isn't to stop threats -- that's a game you always lose. You want layered protection that stops what it can, helps prevent lateral movement and increases the probability of detecting a compromise.
I do not use AV on any other platforms.
Avira is the best free one right now IMO. No spam you can't opt out of and no pop ups.
Regarding scanning speed for MSE:
On my current Windows installs (2 VMs - one Win7, one Win10) and one installed on bare metal, it takes up to 5 seconds to scan a 5MB file after it is downloaded and before it is run. These systems have a lot of software installed on them so such results may not generalize to everyone.
Also, "antimalware service" sometimes goes nuts and takes up 100% disk usage on non-SSD disks after an update for hours on end. I am not sure what the reason for this is.
Regarding which AVs are faster at scanning:
you can try them all here just for static analysis:
However, the overhead in many cases doesn't have that much to do with scanning speed but deals with what the AVs choose to scan and what types of files are being scanned.
For example, how do they handle changing files on a live system?
Do they take shortcuts with files at a known location with known initial bytes/hash?
Then there is the annoyance factor - Kaspersky for example keeps trying to get you to sign up/use their non-antivirus features within the software package.
Finally - efficacy. The only reason we are using the AVs at all.
In the efficacy dept, the best one by far out of traditional AVs is ESET-NOD32. It detects about 70-75% of new threats when they're in PE32 format.
Symantec detects roughly 40% in my testing, which is on par with 42% that Microsoft MSE detects.
The samples came from a number of sources, but perhaps the best one is virusshare - https://virusshare.com/
Anyone can do their own test if they're so inclined, but nobody should trust the tests where there are claims that the top AVs detect 99.5% of malware. I am not sure where they're getting such numbers but I've never seen more than high 70s on currently circulating recently (within last week) released malware.
I might do a blog post about it later since this is a topic many people disagree on.
Disclaimer: The views expressed here are my own and do not necessarily represent the views of my employer.
On Mac and Linux I just don't see the need unless you're doing questionable things or trust shady sources. Be aware that macOS also comes with a very basic and rudimentary protection built-in called XProtect.
The best AV is:
- keep everything up to date
- uninstall flash, java, silverlight
- don't open random junk
- use homebrew/homebrew cask to install stuff
Indefensible. Just browsing a web page is “open random junk.” Ad networks bring malware to mainstream web sites; Adblock is now a major line of defense.
You could wallow in despair, or you could use QubesOS. Which, infuriatingly, does not include IPv6 yet.
I'm vehemently against running AV software on Linux at the enterprise level, too. The best I've been able to do there, though, is to ensure that on-access scanning (aka "slow the system down to 10 percent of its usual speed for no reason at all") is completely disabled.
Edit: any explanation for the downvotes?
I noticed that before on this subject: I agree with you and said that before on the subject of AV on Linux and got downvoted. Not claiming there are not viruses on Linux, just saying that, in roughly 20 years of using it, I have never seen one on my servers or workstations. So why would I sacrifice speed?
For workstations I think Linux people are more careful than others (I have no citation just personal experience). I do not need warez and if I have to browse something fishy I do that from a VM or another account; not 100% safe but a lot safer than the entire mess people seem to have on Windows boxes (incidentally it has been around 20 years since I last worked with Windows seriously too).
On the flip side, I have 4 infected Macs being flagged by Webroot right now because the users downloaded and ran things like fake Flash installers. So "every day" users do dumb things on Macs and Windows. For those users, the AV performance hit is worth it (to me) :)
I've had that debate and it was decided that we had to have something. FWIW we use TrendMicro deep security.
Linux malware, outside of someone trying to crack the computer, largely doesn't exist because have you ever tried to ship binaries for all Linux distros?
If arbitrary software needs administrator level policy set to access the filesystem or devices, rogue software cannot harm your system. If trusted packages also need policy, then exploits in that software cannot do any more damage than the minimum amount of capabilities allocated to the application, which is quite frequently just the apps config file.
It's very easy to shoot yourself in the foot, and prevent apps from working correctly. In addition to driving apps developers mad with bug reports, you can end up being less secure by breaking update mechanisms.
One strategy might be to say that Linux systems are not sheltered from any threat (saying otherwise might lead the other person to consider you as a biased Linux fan), but instead to explain that the threats and consequently the defensive tools to adopt are different.
So, instead of an AV, I would recommend 1) a host-based intrusion detection system (HIDS), like OSSEC or Tripwire, and 2) a kernel patched with Grsecurity.
The HIDS will send you an alert every time an important file (like /etc/shadow) or a new binary / package is installed or modified.
Grsecurity will offer multiple very efficient protection mechanisms against privilege escalation exploits (among other things).
For the MacBooks, I don't know.
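The file-integrity alerting the comment above attributes to a HIDS like OSSEC or Tripwire, as an added illustration that is not part of this thread or of either project: a baseline of hashes, modes and owners is recorded, then re-taken and diffed. The paths and file contents are constructed in a temp directory; files are hashed in one read for brevity, where a real tool would stream them.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(paths):
    """Record SHA-256 (regular files only), mode and owner of each existing path."""
    snap = {}
    for p in paths:
        if not os.path.lexists(p):
            continue
        st = os.lstat(p)
        entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
        if stat.S_ISREG(st.st_mode):
            # Whole-file read: fine for a demo, a real HIDS streams in chunks.
            entry["sha256"] = hashlib.sha256(Path(p).read_bytes()).hexdigest()
        snap[p] = entry
    return snap

def compare(baseline, current):
    """Return (kind, path, detail) alerts for added, removed and modified paths."""
    alerts = []
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            alerts.append(("added", p, "new file"))
        elif p not in current:
            alerts.append(("removed", p, "file missing"))
        else:
            changed = [k for k in ("sha256", "mode", "uid")
                       if baseline[p].get(k) != current[p].get(k)]
            if changed:
                alerts.append(("modified", p, ",".join(changed)))
    return alerts

def demo():
    # Constructed sandbox standing in for /etc/shadow and a dropped binary.
    d = Path(tempfile.mkdtemp())
    shadow, newbin = d / "newbin_sibling_shadow", d / "newbin"
    shadow.write_text("root:*:19000:0:99999:7:::\n")  # constructed content
    shadow.chmod(0o640)
    base = snapshot([str(shadow), str(newbin)])
    # Changes a HIDS should flag: account appended, mode loosened, new binary.
    shadow.write_text(shadow.read_text() + "newuser:*:19000:0:99999:7:::\n")
    shadow.chmod(0o644)
    newbin.write_bytes(b"\x7fELF")
    return compare(base, snapshot([str(shadow), str(newbin)]))
```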
Maybe a little controversial, but I think the most effective solution is simply to replace boxes frequently with full OS updates.
You don't even have to use RBAC if you don't want to (you can still use AppArmor/SELinux/etc) but RBAC comes with a built-in learning mode which is good and will likely do a better job than you could at generating a profile. Sure you'll probably have to hand tune it a bit but for production servers I see no reason why RBAC couldn't be used with its training/learning mode.
OSSEC is a great tool for servers, but not the kind of "Let's just throw some AV at it so we can tick that compliance box" tool many are looking for.
I'd like to see the rationale behind disabling IPv6 outright.
"Symantec considered harmful"
Let's not forget this: http://arstechnica.com/security/2015/10/still-fuming-over-ht...
Symantec should have suffered the CA "death penalty" and had its trust removed from the browsers that hold most of the global market share.
We don't have to either do nothing or revoke the CA entirely. We could just only trust certificates with an issue date before a certain deadline. When the next DigiNotar or Comodo pops up just set a deadline of 3 or 6 months to revoke their status as a CA. No customers would be harmed by this, they have the rest of the lifetime of their cert or 6 months to move to a decent CA. This would be a clear stop to an untrustworthy CA without the negative ramifications for any party other than the CA itself. And 5 years or so after the deadline has passed, all of their certs are invalid anyways and the CA can be completely removed. If the CA starts issuing bogus certs with a forged issue date, just remove them immediately and make sure that every CA knows that this is the process for removing a CA.
Maybe we wouldn't have CAs in the news every year if there were actual consequences for existing CAs.
It's not OK to let Hitler be an intermediate CA.
I also attempted to remove Norton from a friend's computer a few years ago. I failed and later discovered that it was actually unable to be uninstalled. Norton published some instructions to let you remove parts to the point you could ignore it at least.
I swore never to touch anything from Norton/Symantec ever again.
I bought ESET/nod for a few machines but now I rely entirely on Windows Defender for the few Windows machines I own.
Norton, OTOH, would happily delete nmap.exe and cain.exe then beg for praise after the fact, a kitten with her first kill.
Still a very common misconception, however it's fair to say that macOS is still much "less likely" to be infected because of quantity.
Yes, there are now drive-by packs, crypters and RATs that include OSX as a target. But the ratio for infections would be vastly lower.
Outside of rarely used ACL systems, basic Unix/Linux permissions are far less granular than the Windows equivalents.
For desktops modern windows handles things very similarly to modern linux, which is to say that you don't run as "root" or "administrator" by default and programs request escalated privileges via sudo on linux and UAC on windows.
As to privesc vulns, most desktop linux distros have limited protections there. One kernel bug can see someone escalate from user to root fairly easily.
With modern Windows apps there is at least a sandbox in play, so that a sandbox escape is required in addition to the kernel bug.
Both operating systems can be configured to be more secure of course...
If people decide to run as root that's their problem.
Also you don't need root to exploit UNIX users, getting hold of their $HOME is way more valuable than getting hold of the OS.
When things work correctly, NT has historically had a more robust and accessible set of controls, although I think modern UNIX closed that gap. But things often don't work correctly, and the complexity of the ecosystem makes it pretty trivial to exploit.
Also NT always focused on the user productivity first and as server afterwards.
Whereas UNIX always focused on the server first and user productivity afterwards.
It is always a mix and match between security and productivity.
I’m especially baffled that font processing is in the kernel. Allegedly, Windows 10 now moves non-system fonts into a restricted user-mode process, so exploits are a lot harder. But it still acts like the kernel is doing the processing, for backwards compatibility.
man 5 acl
Same on windows.
> Same on Windows
Windows 8 Metro/Modern/UWP apps do not have access to your home directory.
What is being done to improve the situation on the Linux side of things?
To get a macro running in Office the user has to explicitly ignore security warnings to do it; this would be the same in Linux or macOS where code execution capabilities were present.
> To get a macro running in office the user has to explicitly ignore security warnings to do it, this would be the same in linux or MacOS where code execution capabilities were present.
Sure, but it's pretty easy to ignore those warnings when you see something like  or .
I'd suggest that the reason that there are fewer attacks of that nature on those platforms isn't down to superior OS security but less profit available to attackers, due to smaller market share and perhaps lack of a ubiquitous target app like Office.
Note the implement parts of, that is not something UNIX has in any portable way.
If you live in a bad neighbourhood, you're more likely to get shot. If you live in a nice neighbourhood, you might get shot, but it's much less likely.
The ability for someone to shoot you in each neighbourhood is irrelevant when talking about likelihood of being shot.
Is there some kind of "compliance" or "regulation" that mandates companies to install them on every workstation?
Honestly, a HIDS like OSSEC seems more apropos for what businesses really want to know, e.g., did files XYZ change, and by what, when?
(Source: doing remote support)
In both cases, one bad example means it's likely there are many more still undiscovered.
Is Malwarebytes Anti-Malware still the gold standard for Windows Malware protection? What is the gold standard for Windows virus protection now?
I use Ubuntu as my main OS, personally.
The stuff from Microsoft seems less fraught than the rest.
Edit: 5 minutes later, AVG "detected" csgo.exe and asked me if I want to quarantine. Uninstalled.
See Blaster, Slammer, CodeRed for historical examples....
Of course there are some situations that some people actually do want (controlled) remote code execution, such as ssh.
The use case here being you fully trust another developer to use the API properly, not realizing a user could also use the API.
Now, code review with a security perspective is usually enough to stop intentionally adding it.
AVs usually upload suspicious files from user PCs for further analysis to help aid in discovering new variants/types. The odds your AV has seen it is proportional to the odds of you running into it.
The industry is moving away from signatures regardless. Now AVs use runtime heuristics to spot bad behavior of executables and block them even if they've never been seen; Cylance literally only does this and it's pretty effective.
> if being “part of a community” means we need to share our algorithmic, unique conviction engine with Big AV so they can steal our convictions, then yes we will not be able to meet that criteria.
I have no love for Symantec but this new breed of security software can go screw itself for all I'm concerned.
They don't seem to have any Status / Current Alerts style pages -- but on their somewhat hard to find blog page we find the most recent update from the guys is from two days ago:
"Malicious app found on Google Play, steals Viber photos and videos"
EDIT: Oh, they have a Vulnerabilities page - https://www.symantec.com/security_response/landing/vulnerabi... - with the most recent entries listed as 13 days ago (blimey that US mm/dd/yyyy date format is uncomfortable).
Detailed description and credits sections don't seem to be in complete alignment with details of OP, but I may be misreading.
The more important question is what should Symantec/Norton users do to prevent being exploited right now?
I spoke to their technical support this morning (sadly my company still runs Symantec, although we are moving from it). None of them appeared to be aware of the issue.
The link can be found in a small line of text here:
I have to disagree with this statement. It's kind of a resource pig, actually. When it got to the point it was affecting my day-to-day productivity, I deleted MsMpEng.exe from my hard drive, and now my machine is snappy and responsive again.
Why is this linked to on a .my domain? Is this an official mirror, or is there something sketchy going on here?
Not only is it incredibly annoying and breaks things like URL deduplication, it also leaks your origin when you share links. What a great feature!
Because a whole bunch of countries keep wanting to block stuff. So:
> If we receive a request to remove content that violates local law, that content may no longer be available to readers on local domains where those laws apply.
> Note: Country-specific domains is not a different blog address, but a domain redirect based on the country where you're currently located.
HN has a special canonization case for Blogspot, so most of the times you don't see the tld in the HN link. I guess they missed blogspot.my