Why antivirus programs have become the problem, not the solution

Electron1

Why antivirus programs have become the problem, not the solution

Staggeringly poor programming and security practices have made antivirus programs a gaping security hole in millions of computers.
By James Sanders | June 30, 2016, 8:25 AM PST
This week, Tavis Ormandy of Google's Project Zero security research team disclosed a major vulnerability in security products by Symantec (and their consumer-targeted Norton brand) which arguably makes users of these products less secure than they would be without an antivirus program at all.

This vulnerability is particularly bad—exploiting the vulnerability requires no user interaction. The vulnerability exists in a default configuration, and code execution occurs at the highest privilege level, if not the kernel itself. According to Ormandy, open source libraries used in the products such as libmspack and unrarsrc had not been updated "in at least 7 years."

SEE: Symantec security flaws are "as bad as they get," says researcher (ZDNet)

This problem is not, itself, an aberration, and is not limited to Symantec. Security software necessarily requires high access privileges to operate effectively, though when it is itself insecure or otherwise malfunctioning, it becomes a much higher liability due to the extent to which it has control over the system. These software issues, combined with logistical and political problems in the antivirus industry itself, are making users less secure.

Purely programmatic problems

In March, a mishap in free and paid enterprise versions of Panda Antivirus flagged core program files as malware, in turn prompting the removal of files from System32, leaving computers inoperable if rebooted. Affected systems often lost their networking capabilities, leading to the helpful response from Panda to not reboot systems as they deployed an update to fix the issue...over the network.

A variety of issues have been identified in Comodo Antivirus this year, again from the work of Tavis Ormandy and team. Among these was the bundled program "GeekBuddy" which installs and starts a poorly protected VNC server. This disclosure is actually the "fixed" version of this program, as disclosures made in 2015 noted that the VNC server had no password at all.

On the topic of passwords, Ormandy discovered a vulnerability in Trend Micro Antivirus in which the bundled password manager launches a local web server that listens for API commands from the internet, without a whitelist or same origin policy—effectively allowing remote code execution. In a message to Trend Micro, Ormandy stated that "Anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I'm astonished about this."

In December 2015, users of AVG products had the "AVG Web TuneUp" Chrome extension forced upon them, in a labyrinthine and indirect installation process apparently aimed at bypassing malware checks in the Chrome extension API, for the purpose of modifying search settings and the new tab page. In an email sent to AVG about the vulnerability, Ormandy said: "I'm really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP."

Concerning corporate conduct

At the 25th RSA conference in March—and in the middle of the disclosure of the aforementioned vulnerabilities—a self-aggrandizing press release was released applauding Comodo for receiving the "Excellence in Information Security Testing Award" from ICSA Labs (itself a division of Verizon). The criteria which ICSA uses in their assessment (PDF) are ridiculously simplistic—among other things, programs must be able to "detect malware on-demand" and "log the results of malware detection attempts," which astute TechRepublic readers will recognize as attributes that practically any antivirus program would have.

Relatedly, Comodo's CEO recently embarked on a bizarre tirade over the Let's Encrypt project, claiming that Comodo "invented the 90 day free SSL." The company briefly attempted to register "Let's Encrypt" as their own trademark, despite the name being used by the nonprofit Internet Security Research Group since 2014.


In October 2015, AVG's new privacy policy came into effect. This change permits AVG to collect your browsing and search history, as well as assign a per-device advertising ID, among other details, which they will sell to third parties in order to generate a profit from providing a free antivirus program.

What to do?

There is not an easy answer to this question. Microsoft's antivirus tools have improved dramatically since they were introduced in 2009, and should be sufficient for most people using computers responsibly—in other words, not participating in file sharing or downloading every email attachment they get.

The status quo for paid security products, however, is absolutely lacking. With this in mind, it is well overdue to roll up your sleeves, cross your arms, and get serious about desktop security.
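The Trend Micro case in the quoted article is worth seeing in code. What follows is an added example, not code from the article, from Ormandy's report or from any vendor: a minimal localhost "API" listener of the kind described, with the weak policy (serve anything that reaches the port, reply with Access-Control-Allow-Origin: *) beside a hardened one (require a known Origin and a per-install token). The origin names, port handling, header names, token scheme and the vault contents are assumptions made for illustration. The point it shows is that binding to 127.0.0.1 is not a boundary against a web page: the attacker's JavaScript already runs on the victim's machine, inside the browser, so the same-origin policy and a secret the page cannot know are what actually gate access.

```python
"""Added example: localhost API listener with a weak and a hardened policy.
Not from the article or any vendor's code; names and data are constructed."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data standing in for the password vault.
VAULT = {"example.com": {"user": "alice", "password": "hunter2"}}

# Hypothetical origin of the vendor's own management page (assumption).
TRUSTED_ORIGINS = {"https://vault.example-av.invalid"}
# Per-install secret handed only to the vendor's UI at startup (assumption).
API_TOKEN = secrets.token_hex(16)


def weak_policy(headers):
    """The pattern the article describes: every request that reaches the
    port is served. Any page the victim visits can call
    fetch("http://127.0.0.1:PORT/api/export") and, because the reply carries
    Access-Control-Allow-Origin: *, read the vault contents."""
    return True


def hardened_policy(headers):
    """Require a known Origin and a token a third-party page cannot know.
    The loopback bind is not a control here: the hostile page already runs
    on the victim's host, in the browser."""
    if headers.get("Origin") not in TRUSTED_ORIGINS:
        return False
    return secrets.compare_digest(headers.get("X-Api-Token", ""), API_TOKEN)


def make_handler(policy):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != "/api/export" or not policy(self.headers):
                self.send_response(403)
                self.end_headers()
                return
            body = json.dumps(VAULT).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            origin = self.headers.get("Origin", "")
            if policy is weak_policy:
                # "*" lets any page read the response body.
                self.send_header("Access-Control-Allow-Origin", "*")
            elif origin in TRUSTED_ORIGINS:
                # Reflect only a trusted origin; other pages get no CORS grant.
                self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def probe(policy):
    """Start a listener on an ephemeral loopback port, send one request as a
    hostile page would (foreign Origin, no token) and one as the vendor's UI
    would, and return the two HTTP status codes (hostile, legitimate)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(policy))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{port}/api/export"

    def status(headers):
        try:
            with urlopen(Request(url, headers=headers), timeout=5) as resp:
                return resp.status
        except HTTPError as err:
            return err.code

    hostile = status({"Origin": "https://attacker.invalid"})
    legit = status({"Origin": next(iter(TRUSTED_ORIGINS)), "X-Api-Token": API_TOKEN})
    server.shutdown()
    server.server_close()
    return hostile, legit


if __name__ == "__main__":
    print("weak:    ", probe(weak_policy))      # (200, 200): any page reads the vault
    print("hardened:", probe(hardened_policy))  # (403, 200)
```

The probe uses urllib rather than a browser, so the Origin check is enforced only server-side here; in a real browser the custom X-Api-Token header would also trigger a CORS preflight, and a server that does not grant the attacker's origin in that preflight gives the hostile page a second, independent refusal. Note that the weak handler is "correct" from a functional point of view, which is exactly why this class of bug survives testing.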
 
Relying on AV programs is a bit like having a hired security guard between your front gate and your front door. You invite in thousands of guests (browse and click links) who enter through the open gate. Once inside your property, you expect the guard to identify and catch the baddie before he enters the house.

That's going to work only some of the time. And it's only as good as the eyesight and training of the guard, neither of which I can affect.

So I've moved my defences elsewhere.

First, implement a decent firewall with enterprise-grade protection. Tie that into DNS extension services to further protect against botnets, phishing, malware and targeted attacks (OpenDNS, Zscaler).

Second, implement a thorough, comprehensive backup and DR system.

Third, bolster user training and awareness, so users can quickly and habitually spot suspicious sites and links and learn self-control to avoid link incontinence.

Fourth, use the latest Windows and make sure it's patched and updated regularly.

Fifth, use only established and proven applications from reputable vendors. Apply all security updates.

Sixth, restrict/avoid the use of portable storage and free public cloud. Where plug-in removable storage is used, make sure that system is especially hardened and locked down.

This approach has allowed me to run our systems malware-free for over ten years. I dropped using paid-for AV eight years ago.

Of course there is still a place for AV. And if I were to buy today I'd go with Eset Nod32.

The price of liberty is eternal vigilance.
 
Fourth, use the latest Windows and make sure it's patched and updated regularly.
Oh, no... Better to get a virus than malware and a self-corrupting Windows 10. If you decide to stay with Windows 7, you can't enable automatic updates, as you will receive new 'telemetry' spying software and a forced update to Windows 10. In other words, keeping Windows up to date is not a viable option these days.
 
Linux. I'll say no more.
More a case of security through obscurity. Most malware authors don't bother because Linux marketshare in their target market is miniscule.

Wikipedia said:
In 2008 the quantity of malware targeting Linux was noted as increasing. Shane Coursen, a senior technical consultant with Kaspersky Lab, said at the time, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS."[4]

Tom Ferris, a researcher with Security Protocols, commented on one of Kaspersky's reports, stating, "In people's minds, if it's non-Windows, it's secure, and that's not the case. They think nobody writes malware for Linux or Mac OS X. But that's not necessarily true,"
 
Oh, no... Better to get a virus than malware and a self-corrupting Windows 10. If you decide to stay with Windows 7, you can't enable automatic updates, as you will receive new 'telemetry' spying software and a forced update to Windows 10. In other words, keeping Windows up to date is not a viable option these days.
Crap. And you know it.
 
Crap. And you know it.
I am telling the truth. When arguing you must supply details of what I am saying is wrong, and proof. You called me on the previous occasion an "uneducated liar", but everything I wrote was correct and was confirmed later.

You must register on the forum as a Microsoft business associate, so everybody who reads your posts knows who you are.
 
So it's ok for you to make unsubstantiated assertions, and when I say that's crap I must substantiate? Really? In my book that's a double standard. I have never called you or anyone else a liar. Uninformed, mistaken, even ignorant - sure. That's not the same thing as being a liar. I think you genuinely believe what you believe. But you do say ridiculous things at times, and you calling Windows 10 malware is another example of that. It's silly.

I left Microsoft 19 years ago, and since then have had absolutely nothing to do with them. My opinions are my own.
 
Antivirus software nowadays tends to be bloated and is often the cause of poor performance or unusual issues. Having said that, with POPI coming in sometime, you want to be able to say you have implemented security measures, and it will be a hard sell to justify running basic antivirus (Microsoft's bundled antivirus).
My biggest issue though is the spread of ransomware that has the antivirus vendors on the back foot. You absolutely need a good backup strategy and that is a different discussion, one would expect an antivirus to be protecting you from all types of threat - Virus, Malware, Spyware, Ransomware...
 
Linux. I'll say no more.
+100 and the security through obscurity is also BS.

http://www.pcworld.com/article/202452/why_linux_is_more_secure_than_windows.html

"Linus' Law"--named for Linus Torvalds, the creator of Linux--holds that, "given enough eyeballs, all bugs are shallow." What that means is that the larger the group of developers and testers working on a set of code, the more likely any flaws will be caught and fixed quickly. This, in other words, is essentially the polar opposite of the "security through obscurity" argument.

With Windows, it's a limited set of paid developers who are trying to find problems in the code. They adhere to their own set timetables, and they don't generally tell anyone about the problems until they've already created a solution, leaving the door open to exploits until that happens. Not a very comforting thought for the businesses that depend on that technology.
 
All of the services the article references are those "joke brand" AV products which you know not to trust.
I've even seen enterprise servers running up-to-date Kaspersky that are filled with malware.

People will say "oh I use linux."
Sure, there's much less for you to catch on it, but when the average user is copypasting commands from dubious blogs and repos, do they REALLY know what they're doing?

I've only ever trusted Eset, one of those rare brands that doesn't give you trouble or security issues, it also checks for vulnerabilities due to missing Windows updates. If you're extra paranoid you can always turn on Smart security and just use a positive security model.
 
Antivirus software nowadays tends to be bloated and is often the cause of poor performance or unusual issues. Having said that, with POPI coming in sometime, you want to be able to say you have implemented security measures, and it will be a hard sell to justify running basic antivirus (Microsoft's bundled antivirus).
By paranoid thinking, yes. In reality all you have to do is prove that you acted in a reasonable way, no matter what tools were at your disposal. Using expensive tools doesn't make a better defense case, not at all...
 
Linux. I'll say no more.

a linux machine set up by a commoner is just as, if not more, vulnerable to an attack from a person who is proficient at unix and has malicious intent; no antivirus or whatever will detect the intrusion.

more people use windows, more rewards attacking that platform.

less people use linux, less reward attacking the platform.

some highly advanced unix users i know would argue a windows pc is more secure out the box, than a linux system out the box.
 
more people use windows, more rewards attacking that platform.

less people use linux, less reward attacking the platform.

some highly advanced unix users i know would argue a windows pc is more secure out the box, than a linux system out the box.
It is true. My Windows XP is more secure, as hackers lost interest in XP.

Regarding Linux security, some distributions are more focused on specific applications. If you choose the right one, the default distribution has proper security already in place. It is easy to defeat security by user stupidity, acting with root privilege. Windows is trying to protect itself from a dumb user, and is more resistant to user errors.
 
a linux machine set up by a commoner is just as, if not more, vulnerable to an attack from a person who is proficient at unix and has malicious intent; no antivirus or whatever will detect the intrusion.

[snip]

some highly advanced unix users i know would argue a windows pc is more secure out the box, than a linux system out the box.
Dunno where you picked up these pearls of wisdom.

Go ahead, hack my system it's online now, been up for the last 6 weeks.
 
Relying on AV programs is a bit like having a hired security guard between your front gate and your front door. You invite in thousands of guests (browse and click links) who enter through the open gate. Once inside your property, you expect the guard to identify and catch the baddie before he enters the house.

[snip]


lalalala what does a normal user do then? in english. in layman's terms. because not one word of that made any sense.
 