
Ask Slashdot: How Dead Is Antivirus, Exactly? 331

Posted by Soulskill
from the deader-than-an-arbitrarily-dead-thing dept.
Safensoft writes: Symantec recently made a loud statement that antivirus is dead and that they don't really consider it to be a source of profit. Some companies said the same afterwards; some others suggested that Symantec just wants a bit of free media attention. The press is full of data on antivirus efficiency being quite low. A notable example would be the Zeus banking Trojan, and how only 40% of its versions can be stopped by antivirus software. The arms race between malware authors and security companies is unlikely to stop.

On the other hand, experts' opinions of antivirus software have been low for a while, so it's hardly surprising. It's not a panacea. The only question that remains is: how exactly should antivirus operate in modern security solutions? Should it be one of the key parts of a protection solution, or should it be reduced to only stopping the easiest and most well-known threats?

Threats aren't the only issue — there are also performance concerns. Processors get better, and interaction with hard drives becomes faster, but at the same time antivirus solutions require more and more of that power. Real-time file scanning, constant updates and regular checks on the whole system only mean one thing – as long as antivirus is thorough, productivity while using a computer goes down severely. This situation is not going to change, ever, so we have to deal with it. But how, exactly? Is a massive migration of everything, from workstations to automatic control systems in industry, even possible? Is using whitelisting protection on Windows-based machines the answer? Or should we all just sit and hope for Microsoft to give us a new Windows with good integrated protection? Are there any other ways to deal with it?
  • by fraxinus-tree (717851) on Sunday August 17, 2014 @05:35AM (#47687905)
    Dead as a security layer - not really. Also not dead as a profit source for other companies.
  • by fraxinus-tree (717851) on Sunday August 17, 2014 @05:45AM (#47687917)
    p.s. it is perfectly viable for a literate individual to not use an antivirus. It is also possible to not use AV on a PC in a corporate environment, but it has its implications. Then again, on a mailserver, a non-intrusive AV scanner (i.e. not adding 7 lines of bullshit at the end of every legitimate email) has a pretty good hassle-to-benefit ratio.
  • by Der Huhn Teufel (688813) on Sunday August 17, 2014 @06:02AM (#47687941)
    Which will last exactly as long as it isn't profitable to make a virus for it. If everyone swapped to a certain distro of Linux, I'd be willing to bet you'd have major problems within a week.
  • by dbIII (701233) on Sunday August 17, 2014 @06:33AM (#47687989)
    I saw similar posts before the web existed, let alone Slashdot. A policy of "allow all" was seen to be easiest so the malware problem persists despite all the lessons of the past and good advice like the above.
    Java was supposed to be sandboxed entirely with zero chance of malware getting to anything other than its own litter tray. Look how that turned out when it was seen as all too hard and compromises were made. Then there's the opposite that was born stupid, things like Active-X from MS that were such a stupid idea that a librarian (not a programmer) was telling me how stupid it was before launch. Then things like allowing execution of arbitrary code in images, another case of MS fucking up in a truly astonishing way - how the hell do things like that end up as anything other than SF novel plot points in a large corporation that is supposed to be competently managed?
    The answer as always is to learn from the lessons of the past instead of throwing together a pile of bits that look software shaped and rushing it out the door.
  • Re:Sandboxing (Score:5, Insightful)

    by Opportunist (166417) on Sunday August 17, 2014 @07:07AM (#47688063)

    That is actually the problem. You cannot have both.

    EITHER you only allow execution of programs that are explicitly whitelisted by some authority. Whatever authority that may be. A corporation, the state or you (respectively whoever happens to be your admin). Then you can be certain that only stuff that had the dead chicken waved over will run.

    OR you allow the user to determine what to run. Then there is literally NOTHING any security concept can do to avoid a disaster. I'm all for this approach, believe me, but what blame could you put on the OS when it keeps telling the user that it's NOT a smart idea to run happy_funny_kitten.avi.exe and the user insists?

  • by davmoo (63521) on Sunday August 17, 2014 @07:08AM (#47688065)

    The most important piece of equipment for computer security is the one positioned between the chair and the keyboard. Learn to not click on stupid shit and it's entirely possible to remain virus and malware free. I don't run AV software and I've never had a virus or malware on any Windows machine that I didn't purposely infect to see what happens (I work in IT, I'm expected to know that kind of stuff, so I have a machine specifically for the purpose of infecting :) ). And I run Windows almost all the time on my main daily-user machines (I run Linux on a couple of personal servers.) My just-barely-computer-literate 76 year old mother also does not run AV software, and has never had a virus or malware...and various flavors of Windows is all she's ever used.

    Yes, Microsoft needs to do a better job on security. But saying it's a Windows problem is a polite way of saying 90 percent of computer users are too embarrassed to take responsibility for their own stupidity.

  • by NoNonAlphaCharsHere (2201864) on Sunday August 17, 2014 @07:10AM (#47688069)
    Much as I despise posts that start with "this", I have to agree. Until Microsoft loses their fascination with whizzo shit like displaying (i.e. running) unexamined/foreign stuff as "previews" and confusing that with "interoperability", the problem will persist. They've never gotten it through their heads that all this "seamless" wonderfulness that looks so great as 2-minute demos in developer conference rollout keynotes causes unending grief for decades to come. Sometimes other companies fall prey to this kind of thinking (Firefox toolbars), but they learned it all at the feet of the masters, with Outlook previews and Word macros, and Explorer running code from .bmp files when you visit the directory... And then, of course there's IE, the crack whore of the industry, who'll have unprotected sex with ANYTHING.
  • Ummm, not at all (Score:5, Insightful)

    by Sycraft-fu (314770) on Sunday August 17, 2014 @07:42AM (#47688139)

    Anti-virus is still extremely useful. It is not an end in and of itself, it isn't a panacea that will keep you safe from everything, but it is a useful layer of security. The only true defense that has any chance is defense in depth, layers of security. So that when one layer fails, and they WILL fail there's no perfect security, other layers stop the problem.

    AV is a useful layer. It screens for known threats and good AV gets that list updated multiple times per day. So it can flat out stop any known threat from getting on a system. It can scan things as they download, before they execute, and block known threats.

    That is useful, particularly against the kind of threats normal users face. They don't usually face highly specialized and targeted threats, they face something that sneaks in through a bad ad in a compromised ad network or the like.

    We make plenty of use of AV at work and it has done a great job cutting down on compromised systems, and cleaning up systems that do get compromised (which generally don't have AV). I certainly wouldn't rely on it as the be-all, end-all, but it is a good layer of security.

    It's also a pretty cheap one. You can have MSE for free, which has about a 90% catch rate, or for $40ish per year you can get one with a much higher catch rate (NOD32 being my preference). That's not a bad price for a useful layer of security.

  • by Imrik (148191) on Sunday August 17, 2014 @08:14AM (#47688241) Homepage

    While I agree with the general sentiment, it would be more accurate to say that you've never noticed a virus or malware on the machines, rather than you've never gotten them.

  • by swillden (191260) <shawn-ds@willden.org> on Sunday August 17, 2014 @08:31AM (#47688275) Homepage Journal

    Which will last exactly as long as it isn't profitable to make a virus for it. If everyone swapped to a certain distro of Linux, I'd be willing to bet you'd have major problems within a week.

    Actually, compromised Linux systems are in high demand because they make great botnet command and control servers. They're far more valuable than a compromised Windows box.

    Also, the assumption behind your assertion is easily demonstrated to be untrue. MacOS had major virus problems, in spite of being much less popular than Windows. OS X has almost no viruses, in spite of being much more popular than MacOS. Android is a great case study: The dominant Android versions, using the Google Play store only, have no significant virus problems, while the much, much less popular Chinese devices have lots. iOS, of course, has basically none, and it's a far more attractive and profitable target than Chinese Android devices. It's less popular than mainstream Android, but given the demographics of the platforms is probably more attractive.

    Market share has basically nothing to do with vulnerability to malware.

  • Re:Sandboxing (Score:4, Insightful)

    by AmiMoJo (196126) * <mojo@woCURIErld3.net minus physicist> on Sunday August 17, 2014 @08:54AM (#47688341) Homepage

    Agreed, but we don't need perfect security. We just need really good security and moderately careful users. I know, that's easier said than done, but I like the Android option of defaulting to just the carefully managed Play store and with Google having the ability to remotely delete apps (even if side loaded), while still giving power users the option to do what they like.

  • by Ol Olsoc (1175323) on Sunday August 17, 2014 @09:44AM (#47688503)

    Thinking back, I can remember several PCs needing recovery work because of the AV system in use

    THIS! Symantec once decided to start a virus scan in the middle of a disc defrag. Did a good job - bollixed the whole thing up.

    I'd had to fix other computers all bitched up by McAfee also.

    When the anti virus is effectively identical to a virus, there isn't much point in using it.

    In the end, and while I was still using Windows, I just used MSE, which worked pretty well.

  • AV is dead. (Score:5, Insightful)

    by Deathlizard (115856) on Sunday August 17, 2014 @11:16AM (#47689017) Homepage Journal

    First, let me start off with the Notion that All Antivirus sucks. Regardless of the brand, or the Reputation, If you gave me an hour or less and a windows PC with any Antivirus app on the market on it, pay or free, I will give you an infected box. So why does this happen?

    1) Hot, Fresh, Just for you! This is not just a slogan you see on McDonalds made to order burgers anymore. Today's Virus Obfuscation techniques are so fast and random, that when you activate a payload dropper (whether it be a Flash, Java, Website, Browser exploit or even a Trojan installer) the Payload that you get will statistically be seen only once. You and only you will get that version of the virus even though it's using a well known virus kit that would be detected if it was not obfuscated. This technique is the reason why no AV firms detect the Fake antivirus variants or FBI Warnings or cryptolockers of the past even though all of the major codebases were detected by most AV Firms.

    2) I'm a Necessary App! People need me to change their search engine, hijack their DNS, spy on them, and pop up ads randomly all over the screen and websites! [slashdot.org] Read the Slashdot Journal link for some insight on how adware gets on people's PC. Let me make something clear here. Adware is a Virus. When a customer comes into my shop and has something like Conduit searchprotect, or Wajam on their machine, I tell them that's a virus because it is. They didn't want it, they got it and it's doing things they don't want. Sounds like a virus to me, yet just about every AV Firm ignores these and lets them gleefully install because they're afraid of getting sued by one of these companies so instead they make guidelines to let them slip through. [technet.com] The first AV I find that reliably removes all Adware as well as viruses without me having to manually remove them or fallback to a removal tool (like ADWCleaner, which is now starting to miss stuff as of late) I will sell in my store.

    3) In Soviet Russia, Trojan Exploits You! [slashdot.org] This Journal link has been on my sig for years now, and is the primary reason why AV doesn't work anymore. This week alone I had no fewer than three of my customers directly call Fake Support Scammers [youtu.be] because their PC / Printer / Camera didn't work, and they called the phone number on the first link (The Ads) they saw when they searched for "(PC / Printer / Camera) Support", and if you're letting the bad guys in to physically touch your own box you're already screwed and no AV on earth is going to save you.

    Right now, I'm telling people three things:

    1) Install MSE. All AV sucks. The only question is how much do you want to pay for something that sucks. MSE is free, at least blocks most of the ultra bad stuff and doesn't pop up ads of any kind so it's what I install.

    2) Install Adblock on all browsers. I install Adblock Plus on any machine that leaves the store. If you're going to infect yourself, chances are an Ad is going to lead you there. Blocking the ads blocks most of the infection vectors off the bat.

    3) Don't Download or Install anything. There is no safe place I can direct people to download files without getting some sort of Adware Virus. This is easier to tell users rather than pay attention to what you download. (See #3 to understand) If they protest, go to your PC, go to ask.com with your adware blocker turned off, type in any program you would think they would download (I use VLC Media player. It never fails to show me adware links) and have them pick the download link; when they get it wrong (chances are they will), download the file and send it to virustotal.com. Chances are one of the scanners will detect the Adware dropper from the fake site. Then drill it home about not downloading anything.

    4)
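The either/or that Opportunist lays out (run only what some authority has whitelisted, or let the user decide) and the per-victim repacking Deathlizard describes in point 1 are both visible in a few lines of code. This is an added example, not code from this thread: a hash-based blocklist (signature AV reduced to its essence) next to a hash-based allowlist, run over constructed byte strings standing in for executables. It also shows the price of the allowlist side, namely that a legitimate update the authority has not yet approved is blocked as well.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executable file contents (not real programs).
NOTEPAD_V1 = b"MZ\x90\x00 constructed notepad build 1"
NOTEPAD_V2 = b"MZ\x90\x00 constructed notepad build 2"   # a legitimate update
KITTEN = b"MZ\x90\x00 constructed happy_funny_kitten.avi.exe"
# Same payload, re-wrapped so its hash differs: this stands in for the
# per-victim obfuscation that makes each dropped sample "seen only once".
KITTEN_REPACKED = KITTEN + b"\x00padding"

# Signature AV, reduced to its essence: hashes already seen and flagged as bad.
BLOCKLIST = {sha256(KITTEN)}
# Whitelisting: hashes an authority (admin, vendor, the user) explicitly approved.
ALLOWLIST = {sha256(NOTEPAD_V1)}

def blocklist_decision(data: bytes) -> str:
    """Default-allow: run anything not already known to be bad."""
    return "block" if sha256(data) in BLOCKLIST else "run"

def allowlist_decision(data: bytes) -> str:
    """Default-deny: run only what was explicitly approved."""
    return "run" if sha256(data) in ALLOWLIST else "block"

SAMPLES = {
    "notepad v1": NOTEPAD_V1,
    "notepad v2 (unapproved update)": NOTEPAD_V2,
    "kitten (known sample)": KITTEN,
    "kitten (repacked for this victim)": KITTEN_REPACKED,
}

def compare(samples=SAMPLES) -> dict:
    """Return {name: (blocklist verdict, allowlist verdict)} for each sample."""
    return {name: (blocklist_decision(d), allowlist_decision(d))
            for name, d in samples.items()}

if __name__ == "__main__":
    for name, (bl, al) in compare().items():
        print(f"{name:36s} blocklist={bl:5s} allowlist={al}")
```

The known sample is caught by both; the repacked copy slips past the blocklist but not the allowlist, and the unapproved notepad update is the false positive the allowlist's "authority" has to keep up with.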

  • by Curunir_wolf (588405) on Sunday August 17, 2014 @12:04PM (#47689253) Homepage Journal

    "only 40% of its versions can be stopped by antivirus software" Take a general case. What proportion of crime is stopped by the police?

    Bad analogy. Antivirus software is designed to stop virus infections, but the police are designed to make arrests, not to stop crime.

  • by JeanInMontana (2020420) on Sunday August 17, 2014 @12:13PM (#47689313) Homepage
    Good antivirus programs have the capability to identify suspect behavior via heuristics and stop many would-be infections. Symantec has long been at the back of the pack in producing a product that doesn't slow a PC's performance to a crawl; they can't seem to come up with a product that does the job without hogging up all system resources. Poor Symantec. Crying sour grapes IMO. PC security is not a one program and you're set operation. Layers of protection make for a secure system. Firewall, antivirus and antimalware (yes there is a difference between antivirus and antimalware) are recommended by those of us who have and are working the trenches on help forums removing infections for users who fall victim to malware. I would add use an ad blocker, often this is where the nasties lie in wait, if the user doesn't see the ad they don't click. Don't click on random links in emails, text messages etc. You can infect an entire network from one bad link or site. Users are often to blame because they engage in known risky behavior or don't bother with updates to the system or the products they may or may not use for protection. Parents need to restrict kids' abilities to install without approval. Kids are often targeted because they are easy to fool. Running non administrative accounts for everyone makes it much harder to get infected. Only use the admin account when you must install new software you know to be safe. Anyone complaining about constant updates is an idiot. Be glad to see your software is updating; that only means it is doing its best to stay ahead of the bad guys.
  • I always log on as admin on my home machine. [...] It's more risky, sure, but it's far more comfortable to use.

    This, of course, is because of the terrible decision by Microsoft to make everything wonky if you aren't admin, leading everyone and especially their mother to run as admin despite the dangers. This led to the ironic situation where people with the most access were the least qualified, while highly qualified individuals got lesser access. Windows 7 is somewhat better about that, thank goodness. Conversely, Linux did the reverse by making things wonky when you run as root, so people don't do it unless they have to.

    Considering that it takes almost zero time to request privilege escalation on the few occasions that it is needed, and that this would happen simultaneously with things that generally need "are you sure" style prompts, it really isn't that much trouble to say "escalate+yes", rather than just "yes", it is a tiny price to pay for a lot of safety.
