Evidently, "We tested this site and found it very risky". Even though it's the public site for a 5-year-established (and popular) SaaS product. Even though it has no downloadable executables of any description. Even though it has no non-moderated user-generated content.
But it's got this: http://www.siteadvisor.com/sites/www.s3stat.com
... which is a page saying that their automated somethingorother scraped the internet and decided that my site is crazy dangerous, listing reasons such as... well, nothing actually. But look at it. It's RED! Must be bad.
So even if you don't actually write software that could possibly contain viruses, you can still end up on the wrong side of the antivirus companies.
But here is something that is peculiar: my main company site. When I went to vlesolutions.com (ie, http://www.siteadvisor.com/sites/www.vlesolutions.com) I saw this message:
We've tested millions of websites, but we haven't tested this one yet. Be the first one to submit feedback on it!
It doesn't help when we get business groups or developers saying "we need this site unblocked in order to see a 1pm webinar!" and it's 12:59. Site Advisor is useless.
An aptly timed popup from the antivirus vendor will appear shortly thereafter asking the user to pre-purchase 2 more years of complete computer protection! Oh, the business of fear mongering. . .
EDIT: This is one of those very hard problems startups should be solving.
There are over 25k new malware samples coming out daily, and everybody is just trying to cut through them as fast and efficiently as possible. Yes there are innocent casualties of this -- false positives -- but these are sincere mistakes.
False positives are very embarrassing for the security company. It is something that can even cost people their jobs. Don't you think for a second that these are not looked at.
I make malware definitions for a living, and you can trust me when I say that I check the FP reports first thing every morning, several times during the work day, & I check our forums every night at home to make sure we don't have any FP's rolling in.
At most security software companies, FP's are taken very seriously, & I know that personally I would love to be able to educate indie developers about what triggers detections and ways we can both work together to reduce them. It's easier said than done, however, and it is also delicate info that you don't really want to yell from the rooftops, because malware creators could really use the same info to their advantage.
However, the bottom line impact of a false positive on some indie software has to be negligible.
Except the antivirus flagged it. I called the AV vendor and they (probably first-line tech support) said that unless my dad called the vendor, they could do nothing.
The only false positive that might be remotely reasonable is my executable name is identical to a virus. rte.exe or something similar, as I recall. Whatever. A binary difference should have demonstrated substantial difference between my exe and the virus.
So, my dad didn't get his program, and I got left with a renewed awareness that AV vendors are ruinously unhelpful, and I'd rather work on moving my family and friends to Linux or OSX.
Am I mis-reading you?
When going through airport security, do you think it matters at all if your name is Osama Bin Laden? Such a person is going to experience a much larger degree of scrutiny from TSA than a person named John Smith.
Neither is it the least bit surprising that support personnel and developers consider the sheer number and consistency of false positives as "fear-mongering".
It would only take a further small step to then consider, what is the point of having AV at all in the first place since the best it can do is fill an increasingly small hole in prevention for ordinary user behaviour and a static role for precursor forensics (actual forensics would not need the service).
TL;DR. AV industry has a LOT to answer for, to the point where it maybe should not exist in its current form.
Here's an example:
Some companies block anything named 'svchost.exe' that isn't in system32. Create a txt doc and name it svchost.exe and drop it on your desktop and some antivirus software will detect and remove that item.
Why? Because there is no good reason for someone to have svchost.exe anywhere other than SYSTEM32 and also because svchost.exe is one of the top 10 most common names for malware. So, at risk of some FP's -- some companies have a rule that simply removes these if found anywhere else.
Names - particularly short ones - are not what you might call unique identifiers.
It's idiotic to match on names like rte.exe.
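The rule described a few comments up (flag anything named svchost.exe outside System32) and the objection that short names are not unique identifiers can be put side by side in code. The following is an added example, not code from any commenter or vendor: three toy detection rules (name only, name plus path, content hash) run over a handful of constructed sample "files". The sample paths, the `ABUSED_NAMES` list and the "known bad" bytes are all made up for illustration.

```python
import hashlib
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# Hypothetical list of file names that are commonly abused by malware.
ABUSED_NAMES = {"svchost.exe", "rte.exe"}

# Constructed stand-in for a known-bad binary; not real malware.
MALICIOUS_BYTES = b"MZ\x90\x00" + b"\xde\xad\xbe\xef" * 64

# Constructed sample files as (path, contents). Only "dropped_mal" is "bad".
SAMPLES = {
    "real_svchost": (r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00" + b"\x00" * 256),
    "desktop_txt":  (r"C:\Users\joe\Desktop\svchost.exe", b"just a text file"),
    "indie_rte":    (r"C:\Program Files\IndieApp\rte.exe", b"MZ\x90\x00" + b"\x01" * 256),
    "dropped_mal":  (r"C:\Users\joe\AppData\Local\Temp\svchost.exe", MALICIOUS_BYTES),
}
TRULY_BAD = {"dropped_mal"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


KNOWN_BAD_HASHES = {sha256(MALICIOUS_BYTES)}


def name_rule(path: str, data: bytes) -> bool:
    """Match on the file name alone (the 'rte.exe' style of rule)."""
    return PureWindowsPath(path).name.lower() in ABUSED_NAMES


def path_rule(path: str, data: bytes) -> bool:
    """svchost.exe anywhere other than System32 is treated as bad.
    PureWindowsPath comparisons are case-insensitive, as on Windows."""
    p = PureWindowsPath(path)
    return p.name.lower() == "svchost.exe" and p.parent != SYSTEM32


def hash_rule(path: str, data: bytes) -> bool:
    """Match on the contents: only a byte-identical sample is flagged."""
    return sha256(data) in KNOWN_BAD_HASHES


RULES = {"name": name_rule, "path": path_rule, "hash": hash_rule}


def classify(samples=SAMPLES) -> dict:
    """Return {sample label: {rule name: verdict}} for every sample."""
    return {
        label: {rule: fn(path, data) for rule, fn in RULES.items()}
        for label, (path, data) in samples.items()
    }


def false_positives(verdicts: dict, truly_bad=TRULY_BAD) -> dict:
    """Samples each rule flagged that are not actually bad."""
    return {
        rule: sorted(label for label, v in verdicts.items() if v[rule] and label not in truly_bad)
        for rule in RULES
    }


if __name__ == "__main__":
    v = classify()
    for label, verdict in v.items():
        print(f"{label:13s} {verdict}")
    print("false positives per rule:", false_positives(v))
```

The name rule flags every sample, including the genuine System32 svchost.exe; the path rule still removes the harmless text file on the desktop, which is exactly the FP the comment describes; only the hash rule is free of false positives here, at the cost of catching nothing it has not seen before. Real engines layer heuristics on top of hashes precisely because of that last trade-off.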
Or just impersonate your father on the phone?
Specifically with Norton, I've received warnings/quarantines where it's rather non-obvious and difficult to learn what the actual problem is. The program's interface allows one to click and drill down one or two levels, but the descriptions are often more non-descriptive than descriptive. And then one faces a link (which is, by the way, not tooltipped or otherwise designated as a link) that fires up your browser and takes you to a web page on the security software vendor's (in this case, Norton) web site.
Well, that's f-ing annoying. And then, to boot, often the page that is navigated to contains content that is little or no more helpful in telling you what specifically they detected or why specifically the warning/action triggered.
I recall one case in particular, where going through all this and reading between the lines, it appeared that the quarantine was the result of a "reputation" trigger. Norton wasn't familiar with the executable and it didn't have much or any presence in their reputation system, so the default action was to flag it a "high security" risk and to "quarantine" it.
I understand there is a balancing act. If you don't keep it simple and use strong enough language, Joe Blow user may start to disregard the warnings, until soon enough s/he has a real problem.
But as a more advanced user, this is completely frustrating. I want to know what the problem is, so that I can make an informed decision with regard to the "security event".
(And yes, on the Windows machine, I do run Norton. Comes with my only Internet connectivity option, anyway, and it makes an acceptable, and useful, component of a layered defense.)
Not to mention that if you start alerting the user too much, they'd start tuning out the alerts; that becomes a big problem if and when they're infected with something.
AVG update bricks Windows 7 (Dec 2010):
McAfee update shutting down XP machines (Apr 2010): http://www.engadget.com/2010/04/21/mcafee-update--shutting-d...
They throw up these scary pop-ups that basically say "this is a nice computer you have isn't it? It would be... terrible if something were to happen to it, wouldn't it?"
Interestingly, the best AV I've found seems to be the one from microsoft.
Couldn't agree more. I have been using PCs with XP/7 for years now and have never had a virus. I go online to some questionable websites and downloads sometimes, but if a user uses common sense, he won't open that AllPrinterDrivers.exe from an unknown source just to install drivers for his printer.
I never needed and I think I never will need an AV.
On my personal machine, I don't run any anti-virus software, but I also don't use adobe pdf and enable flash only on sites I trust.
But as malware authors find more holes and use more exploits it becomes harder to know what's safe or not. Having some weird defaults in operating systems (don't show file extensions; perform an action based on the extension and not the type of file; build a web-browser into the OS; use a preview pane that auto-opens a lot of things so you don't need to "open" an email message it's been opened for you by the pre-installed email client etc etc) really didn't help.
There's also a problem with users. (This comment is not aimed at you!) Some operating systems have very many users who believe themselves to be clueful but who really really are not. The arrogant 19 year old who can slot together a motherboard and GPU and PSU and put them in a case, who can connect his aunt's computer to the Internet, who can install add-ons to his web browser. These are people who think they know what they're doing, who think that the pirated OS they use is fine because they checked an MD5 hash, and who think the pirated software they use is fine because someone would have said something in the torrent comments if it wasn't. And then, if they have a problem, they'll download a pirate AV and hope that isn't infected. These are the people most mocking of the "wipe and re-install; that's the only safe option" philosophy. They'll spend a day using various bits of anti-malware and scanners and web-searching. And they won't find the infected WMV file and they'll get re-infected a few days later.
AVs are a first-line and an indication that something is wrong. If you need to run the AV to clean an actual, real virus, you should be reloading the machine.
Good definitions will go on killing items in the wild well past the date the initial zero-day came out (the one that caused the need for the definition in the first place).
This is why brand new generations of malware drop and they are detected by a few security guys. This is also why some people have huge #'s of FP's -- because they allow so much room for flexibility to catch future malware - that they accidentally kill off legit files in the process.
I'm glad I'm not a startup or small company trying to ship Windows executables.
I walked him through getting to Add/Remove Programs and asked him if he saw Norton Internet Security. Told him to uninstall it. Everything works.
He asked if that made his computer less secure. I said 'Technically yes, but only because you can actually use the internet now.'
I worked at that ISP for a week, had the same problem come up three times. My mother had the same issue, and I've had two other friends who had it. Thankfully, I knew how to deal with it because it had happened to me when I bought a Dell laptop years ago.
HOWEVER, I've been using Microsoft's free security essentials package for Windows 7 for about 2 years. It never pokes you in the eye, never lets a single thing through and doesn't screw your system resources. It just keeps out of your way. As I said, it's $0 which is how much it should cost and is supplied by the vendor which knows their own security problems the best.
With respect to Linux or MacOS X, I never have installed an AV package ever.
I do run ClamAV on my linux big box, just in case I'm passing on any Windows virii, this might be voodoo
I'd go for an ad blocker rather than a hosts file hack.
Adblock plus works fine on Firefox and Chrome. There are TPL subscriptions for IE that block everything (google around for them).
Because most malware does this exact thing to obfuscate its payload. Here's a good example of the relative entropy distribution of malware executables versus non-malware executables on page 26 and 27:
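The entropy argument above is easy to reproduce. What follows is an added example, not code from the commenter or from the document they link to: it computes Shannon entropy per byte over fixed-size windows and applies a simple "looks packed" heuristic of the kind that produces both the malware hit and the indie-installer false positive. All sample inputs are constructed in the block (a hash-driven pseudo-random stream standing in for a packed or encrypted payload, repeated ASCII standing in for ordinary data); the threshold and window size are illustrative choices, not a vendor's values.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty/constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy of each consecutive window; the last window may be short."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, window: int = 1024,
                 threshold: float = 7.0, min_fraction: float = 0.5) -> bool:
    """Heuristic (illustrative values): packed/encrypted if at least
    min_fraction of the windows are at or above threshold bits/byte.
    A legitimate compressed installer trips this just as malware does."""
    windows = windowed_entropy(data, window)
    if not windows:
        return False
    high = sum(1 for e in windows if e >= threshold)
    return high / len(windows) >= min_fraction


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy stream built from SHA-256 of a counter.
    Constructed stand-in for a packed payload, not taken from any binary."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples.
PACKED_SAMPLE = pseudo_random_bytes(8192)
TEXT_SAMPLE = (b"The quick brown fox jumps over the lazy dog. " * 200)[:8192]
ZERO_SAMPLE = b"\x00" * 8192


def summarize(samples: dict) -> dict:
    """Return {label: (overall entropy, looks_packed verdict)}."""
    return {label: (shannon_entropy(d), looks_packed(d)) for label, d in samples.items()}


if __name__ == "__main__":
    for label, (ent, packed) in summarize({
        "packed": PACKED_SAMPLE, "text": TEXT_SAMPLE, "zeros": ZERO_SAMPLE,
    }).items():
        print(f"{label:7s} entropy={ent:.2f} bits/byte packed={packed}")
```

Note what the heuristic cannot see: it has no idea whether the high-entropy region is a shellcode stub or a compressed resource section from a perfectly ordinary installer, which is why it is a signal to weigh, not a verdict.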
It's free, it stays the hell out of the way, doesn't slow the system down, and works.
Edit: I do not work for Microsoft, and this post was written on a netbook running Ubuntu.
I'm not a security expert, but it seems like you can have a perfectly secure computer without an anti-virus.
Among other things, I review orders for an advertising service, 20-30 a day. Some of these orders are purposely placed to advertise sites with malicious code that installs malware. My fully patched Windows 7 system behind a firewall, running antivirus and the latest Google Chrome, gets infected with something or other on a regular basis -- at least once a month -- without me ever downloading any files.
Last week it was one of those fake antivirus programs that terminates all your real antivirus programs and pops up a window saying you're infected and need to upgrade for $29.99 every 20 seconds.
That one was probably a Java plugin vulnerability.
That's not entirely accurate. Most vulnerabilities do get patched quickly.
It's still not worth enabling it in your browser though, because so few sites use it.
Then I look at the products out there, there are a lot of them and they all seem terrible. We've got giant computers compared to 10 years ago and this software still takes them to their knees at times and you just want the crap to be invisible. In part I think it has to do with the all encompassing "security suite" concept where they try to be all things to all people. It does seem ripe for some disruption.
I mean, like maybe using some virtualization software to have multiple "zones" or something, trusted, suspect and untrusted and some clever reverting and snap-shotting to let you run programs in untrusted environments fairly seamlessly or something. Scan it with some uberscanner and then promote it to trusted. Or something, the OS vendors will have to help and MS has created an AV cesspool.
With the Microsoft Linker this is achieved by adding /SWAPRUN:CD,NET - it means that the image might be running of CD-ROM or Network - and both can lose media connection, so copy the image in memory beforehand.
This could be useful, if only it weren't for certain anti-viruses that treat a lot of my executables as viruses once either of these two flags is on (CD, NET, or both).
You can actually edit the flags on an existing executable using EDITBIN (or LINK /edit - it's the same - the linker is a bit like "busybox" here).
Another reason is that the antivirus we currently have installed at work slows down copying off the shared network. And because it's off the network, the antivirus has to check it every time (unlike the HDD, where it can keep some cache of what was checked).
That effectively solves the virus problem since the worst that can happen is that something unwanted runs as the user privileges or deletes/infects files in home directory. The machine itself stays clean and you can avoid full reinstalls.
If the user gets a virus then all you need is restore his home directory from a clean backup. And if you want, possibly run some antivirus on anything that gets backed up, to try to make yourself feel good about backups being clean.
Don't waste your time with this crap. You don't have any secrets on my computer. I will crack your DRM and reverse engineer as I please.
Anti-virus tools are a net loss, but we can't remove them without appearing to be irresponsible.
Norton, on the other hand, is pure evil. If Microsoft bundled Security Essentials with Windows and thereby pushed all those pathetic AV vendors out of business (just like they did with web browsers), I might turn a blind eye this time and call it the lesser of two evils.
Replace it with a simple app that randomly shows fake notifications for threats, with a clickable button called "remove threat" that doesn't do anything. Upon clicking, show some stats on how many fake threats were dodged.
(1) you won't be seen as irresponsible anymore
(2) since users will constantly receive threat warnings, they'll be more careful than usual, improving security
You have no idea how many internet connection problems I solved with the Norton removal tool.
It's all about either keeping some type of a balance going or shoveling enough shit as to not get buried in it.
Why it can't keep a list of known good DLLs and then not rescan them, I don't know...
Man: "Doctor! Doctor! It hurts when I do this!"
Doctor: "Well, stop doing that ..."
Man: Wait, but won't the other one start hurting because I'm using it more?
Doctor: Oh right, I guess if everyone switching to use Linux tomorrow, then the malware authors would begin targeting it more aggressively. I supposed my anti-Microsoft rant was misplaced.