That fix could be a memory-safe language, or it could be sandboxing. But the assumption should be that for any antivirus product which does its file-parsing in C or C++, and which doesn't sandbox its scanning engine, there's going to be at least one critical vulnerability in the scanner. Bitdefender is still unsandboxed, so fixing this particular vulnerability is only of limited use; there are almost certainly other, similar vulnerabilities in it, so users running it are vulnerable to anyone with the resources to find one.
AV companies have mostly gotten away with this sort of thing in the past, because individual AV scanners tend to have low enough market share that they aren't as desirable targets as web browsers. But Windows Defender recently broke that trend by being present on every Windows system, and having a critical vulnerability, so now there are a lot more researchers looking at unsandboxed AV scanning engines and finding problems.
A lot (all?) of the parsers for various formats are written in C or C++. Two small exceptions: I've seen that there's a Rust image library available, however it's part of another larger project and has almost zero documentation or comments. There's also a Rust lib for zip files, but it wraps a significant amount of C.
It looks to me that, Mozilla aside, the industry has given up and decided to sandbox.
Considering the amount of crap code out there, it's understandable. I like to read the details about vulnerabilities when updating Ubuntu. Most of those could easily be avoided in C++ if one knows how to write secure code. The fixes are usually adding some checks, an extra if, an initialisation, etc. - treating the symptom.
E.g.: the Bitdefender team missed that a 64-bit uint was passed to a function taking a 32-bit parameter. They likely have all casting warnings disabled - a lot of C library code spews a ton of warnings.
"Fixed" by changing the parameter to 64 bit.
Shameless plug: https://github.com/duneroadrunner/SaferCPlusPlus
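The 64-bit-to-32-bit parameter mismatch described in the comment above, reconstructed as an added example (not Bitdefender's code) on a constructed record format: a bounds check that receives a narrowed copy of the length approves a value the caller then goes on to use in full. `MAX_PAYLOAD`, `read_le64`, the header layout and the sample headers are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed record format (an assumption for this example): an 8-byte
 * little-endian payload length followed by the payload bytes. */
#define MAX_PAYLOAD 4096u

static uint64_t read_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* BEFORE the fix: the bounds check takes a 32-bit parameter. When the caller
 * passes a uint64_t, C converts it implicitly and the high 32 bits are gone
 * before the comparison runs. Nothing warns unless -Wconversion is enabled. */
static bool length_ok_u32(uint32_t len) {
    return len <= MAX_PAYLOAD;
}

/* AFTER the fix: the parameter is widened to the caller's type, so the value
 * that is checked is the same value that will later drive the copy. */
static bool length_ok_u64(uint64_t len) {
    return len <= MAX_PAYLOAD;
}

/* Returns the payload length the caller would go on to copy, or 0 when the
 * header is rejected. 'fixed' selects the widened check. */
static uint64_t accepted_payload_len(const uint8_t hdr[8], bool fixed) {
    uint64_t declared = read_le64(hdr);
    bool ok = fixed ? length_ok_u64(declared)
                    : length_ok_u32(declared);  /* implicit uint64_t -> uint32_t */
    return ok ? declared : 0;
}

/* Constructed headers: EVIL declares 0x1_0000_0010 bytes (4 GiB + 16), which
 * truncates to 16 in a uint32_t; SANE declares 16 bytes. */
static const uint8_t EVIL_HDR[8] = {0x10, 0, 0, 0, 0x01, 0, 0, 0};
static const uint8_t SANE_HDR[8] = {0x10, 0, 0, 0, 0x00, 0, 0, 0};
```

Compiling with `-Wconversion` (GCC/Clang) reports the implicit narrowing at the call site; widening the parameter, as the fix did, removes the mismatch rather than just the warning.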
So, question, is this subset you speak of as safe as Rust?
The implementation of SaferCPlusPlus as a language/dialect is not yet complete. For example, there is not yet a proper compile-time "enforcement" tool to verify that your code is actually free from unsafe elements. But as a programmer, you basically know what those potentially unsafe elements are, and the SaferCPlusPlus library already makes it practical to write C++ code that avoids the vast majority of them.
That said, I would say that, at the moment, SaferCPlusPlus is not a direct alternative to Rust. If you have the resources to do a rewrite of your project in Rust and memory safety is paramount, then that's probably the way to go. On the other hand, if you need a more expedient way to address code safety or have some other issue with using Rust, SaferCPlusPlus may be a more attractive choice.
> SaferCPlusPlus does not restrict the number and type of references to an object that can exist at one time (i.e. the exclusivity of mutable references)
> SaferCPlusPlus .. deals with this issue by having the pointer/reference itself "know" if its target dynamic object is still valid.
It sounds like this happens at runtime (reference counting?), as opposed to compile time. Do I understand that correctly?
Also, I see that there is the `access requester` type, are there any facilities like Send/Sync in Rust which guard against data races at compile time or runtime?
Thanks in advance!
"Mut" (i.e. retargetable) references, on the other hand, do require a borrow checker to ensure, at compile-time, that their target will outlive them. Since SaferCPlusPlus does not have a borrow checker (yet), you'd have to use "registered" pointers, which do have run-time overhead. But in practice, retargetable references are generally much less common than non-retargetable ones (particularly in inner loops), so there tends not to be much effect on performance.
SaferCPlusPlus does not yet have an exact analogy to Send/Sync. But as I understand it, those are basically just indicators that say "Trust me, this object is safe to send to / share with other threads" without any verification of the proclaimed safety. At the moment, SaferCPlusPlus does something functionally similar by providing the "TAsyncSharedObjectThatYouAreSureHasNoUnprotectedMutablesReadWriteAccessRequester" which basically allows you to make the same claim about the safe shareability of the object. (And has an unwieldy name to remind you of the seriousness of the claim.) Basically the rule of thumb is "Don't share any object that contains pointers/references/iterators (or is declared "mutable" in C++) or has any (non-static) member functions that return pointers/references/iterators."
Rust and SaferCPlusPlus maybe take different positions on whether sharing objects between threads should be encouraged with abandon, or done prudently and only as necessary.
Thanks for the details, much appreciated!
This is a bit of a broad brush. It assumes that all people always act with the best security hygiene.
I detest traditional AV as snake oil and realize that there is additional risk added by using AV, but it does have its place in many threat models, especially for those who are not internet+security literate.
Staying up to date on your updates is the best advice you can give.
I don't think you can reasonably defend this position.
Let's take a pessimistic guess at the efficacy of antivirus software and say it blocks 50% of the new malware generated in a given day. Now let's take a wildly optimistic stab at the added risk of using antivirus and say it increases your exposure by 1%.
Are you really saying that a 1% risk increase is too high a price to pay for halving your risk overall?
Don't get me wrong, there are all kinds of reasons for power users to bemoan antivirus. RCE vulnerabilities are certainly one, but even just day-to-day usability issues are a legitimate concern. The average user, though, is still statistically much safer with antivirus.
> Staying up to date on your updates is the best advice you can give.
The vast majority of attacks don't involve vulnerabilities, even counting events like WannaCry. It's mostly down to people clicking on things they shouldn't be clicking on. Keeping your software updated is important, of course, but absolutely will not keep you safe.
Are you really saying that a 35% risk increase is an acceptable price to pay for a small reduction in overall risk?
You can't just pull numbers out of thin air to make your point.
Experience has shown us that antivirus software does not do what it says on the tin.
> Experience has shown us that antivirus software does not do what it says on the tin.
I built WildFire at Palo Alto Networks. We analyzed a few tens of millions of new potential threats daily, including the VirusTotal firehose.
As part of our internal efficacy and competitive monitoring, we took the top 5 enterprise antivirus products and ran everything coming into WildFire through them.
The delta between ground truth and what the antivirus engines caught using only static scanning and emulation was about a third, i.e. better than the pessimistic estimate of half I threw out. (In the real world, antivirus actually does better because malware is easier to catch after it starts running.)
The danger of antivirus, on the other hand, is wildly overstated in this thread. A small fraction of attacks use vulnerabilities to begin with, and in the scheme of things, very few antivirus vulnerabilities have been found. 1% is just a nice, round number chosen for illustrative purposes; it's orders of magnitude greater than the real risk.
Now, this will surprise exactly no one who works in security, since most new malware is a minor variant of existing malware and exploits are relatively uncommon, but for the less experienced folks reading these comments, I implore you: Don't listen to people who say antivirus is useless or, worse, makes you less secure.
It isn't. It doesn't. They're wrong.
1. It's the biggest ATP product out there, took the crown from FireEye c. 2015. https://www.paloaltonetworks.com/products/secure-the-network...
But AV vulnerabilities sit on the top of the attack class pyramid. They often are remotely executable, run with kernel privileges and do not require user interaction.
You can't lump that together with malware that requires tricking a user into downloading an installer, clicking through it and granting it elevated privileges.
Off the top of my head, users of Bitdefender.
You're right of course, my point is that without some evidence you're just making up numbers to prove your point and any jerk with a keyboard (like say, me) can do the same thing. Thanks for providing some background to those numbers.
If you're talking about something else, I've stated that antivirus detects around two-thirds of new malware on any given day. In case it wasn't already clear, two-thirds is terrible.
Your claim is far more extreme, though. You said "You're better off not using an antivirus". That's wrong. Antivirus won't keep you safe, but you're still safer with it than without it.
If you're saying cookies shouldn't be flagged by antivirus, that's wrong. Cookies can be associated with malware in any number of ways, although grayware (especially adware), which antivirus also flags depending on configuration, is a more likely culprit.
1. Check out PyExfil, for example: https://github.com/ytisf/PyExfil. Cookies for data exfiltration. DNS controls on firewalls are there for similar reasons.
Rather, I run antivirus software to prevent vulnerabilities due to human error and known threats, and in this regard it functions admirably. Think of it as one of the later lines of defense in a multi-layer strategy. We are human; we trust our family, friends, and colleagues innately; and even the best of us make mistakes. One tiny mistake, one shortcut---maybe not even by ourselves but by someone inside our circle of trust---and even security experts can end up running malware. Antivirus acts as a backstop, a last ditch defense predicated on the likelihood that the malicious code in question is well known.
I don't know where you got your numbers from, but I've run enterprise antivirus for about 15 years now. I haven't seen anything target the scan engine. I have hundreds of thousands of instances where someone ran malware and the scan engine caught it, sometimes even just using heuristic signatures. So you do you. I'm going to continue running it even though I know it's reactive.
Antivirus has its place of course, but they are not all created equal. There's a lot of marketing B.S. associated with AV products, especially consumer versions.
A lifetime ago I worked in IT support and AV was a constant pain point. For me it was a lot of energy wasted cleaning up PCs that were "protected" by the likes of Symantec and Norton. I hope the state of the industry has improved since then.
AV is unlikely to do that well against new malware.
I get the idea that we should ditch an AV if the vendor sucks at producing and maintaining the AV software, because that's literally inviting a thief to stop by. You are better off reducing the risk exposure. But there is still value in having one.
As with any software there are bugs. It just so happens Edge is shipped with Windows 10, and is also made by Microsoft. So should we give up on Chrome / Firefox / Opera because they also contain vulnerabilities but are made outside of Microsoft, which means we have another update schedule? No, because people value other browsers and most importantly Chrome and Firefox updates are so frequent we feel safe. If we assume AV vendors are as responsible as Chrome and Firefox developers, constantly pushing software updates so security bugs are fixed in no time, then why should we reject something that can be helpful?
How about Windows Defender? It's built-in, but doesn't have a 100% success rate in independent testing, and even so those are just samples that aren't like WannaCry, popping up out of nowhere.
So being able to defend against the basic attacks is good enough. What really sucks is people are paying a lot of money for basic protection (and even more for the "Internet suite" bundled with VPN etc.). This is a true rip-off, but whether one is computer savvy or not, we can't take out a screw if all we have is bare hands and nothing else (nothing around you but on a lonely island without trees or plants or rocks but water and dirt). You can try by breaking the wall or the plank, but it would be a painful task. So take your risk. I won't stop you.
AV makes your system more vulnerable to malware.
> I get the idea that we should ditch an AV if the vendor sucks at producing and maintaining the AV software
They all do suck.
While I'm a very careful user, this combination, to the best of my knowledge, has kept me safe. (MalwareBytes caught a piece of commercial software that I paid $59 for -- a Blu-Ray player -- that tried to install a browser add-on that would have presented alternate advertising.)
Is there an antivirus that _doesn't_ parse untrusted input in a process with full system privileges? What a joke.
However, this piece is relatively simple to implement on Windows, so I can only hope they would implement the same thing for Avast eventually at least. This is IMHO the only sane way to do scanning without exposing the system to a huge risk.
The whole concept is just useless. Scanning all system IO for 20 year old BIOS viruses is a pure waste of energy.
In D, implicit truncation of an integer value is an error, not a warning.
I've predicted before that lack of memory safety will be the demise of C in internet-facing programs. Dealing with the bugs is just too expensive.
I have the following issue: I would like to be able to download a file from the internet (jpeg, pdf, mp3, mp4, etc) without the risk of getting malware on a Windows machine. Or Mac. Or Linux.
Can't be done.
Everything is relying on crappy C code dragging around pointers and sizes, making index calculations, calling malloc and free.
We'll see. I only made it last May :-)
In a nutshell, most anti-virus vendors that are licensing the Bitdefender engine extend it with their own engine to improve their detection rate. For example, they support more exotic file formats and binary packers, or fancy heuristics, etc. Essentially this means they have the full attack surface from Bitdefender plus their own attack surface...
I don't see an update for the mac version.