"Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it - the victim does not need to open the file or interact with it in any way."
That seems big. Is there any precedent on AV software vulnerabilities of this scope?
Worse than that. Apparently, Tavis emailed the exploit to Symantec in a password protected zip file. He included the password in the body of the email. The email server, running Symantec, grabbed the password out of the email, decrypted the zip file, and upon reading the exploit code, crashed itself.
Yes, I believe there are several precedents. Tavis has found remote code execution exploits in Sophos[1] and TrendMicro[2] products too.
Continuous protection by nature opens up an enormous attack surface, and AV vendors seem in no way up to the challenge. For this reason, in my company, security policy is to use only what's built in to each O/S.
So, what do people run on their servers / macbooks for AV? Anything?
I was in a meeting just last week with our new "head of Security" who exclaimed when I stated that neither our MacBooks nor our Ubuntu servers run any AV software (we run firewalls and things like fail2ban, but no traditional AV).
I know I'm going to get into a debate with them over this, so, what would be a good 'win-win' type position for me to fall back on to satisfy this point and not clutter my machines up with junk, if there is such a thing?
It depends on your strategy for dealing with endpoint security and why the security folks are demanding it. Usually these requirements are driven by external compliance or some zealous security guy reading NIST docs without context.
For UNIX, try to get ClamAV through or buy whatever solution is cheapest. IIRC, McAfee worked on the most platforms, including AIX.
For Windows, Microsoft stuff (Windows Defender and the "Enterprise" equivalent baked into SCCM) have the lowest impact on the system... But are pretty "meh" solutions. But even the best AV is pretty meh.
Personally, and coming from a lot of experience managing lots of computers (or people doing the management), I would recommend running the cheap/free Microsoft AV to check the box and do the following: force users to run without privilege, disallow internet access from privileged accounts, use an application whitelisting solution, use a good proxy/anti-malware solution like Palo Alto or zScaler.
The whole point of this stuff isn't to stop threats -- that's a game you always lose. You want layered protection that stops what it can, helps prevent lateral movement and increases the probability of detecting a compromise.
On Windows PCs, I use Microsoft Security Essentials/Defender/Whatever-it's-called-this-release. It's already there, and basically can't be turned off, so why not?
To be honest, I wouldn't put AV on anything but Windows. There I'd opt for Microsoft's Security Essentials since it's the least offensive/annoying solution.
On Mac and Linux I just don't see the need unless you're doing questionable things or trust shady sources. Be aware that macOS also comes with a very basic and rudimentary protection built-in called XProtect.
The best AV is:
- keep everything up to date
- uninstall flash, java, silverlight
- don't open random junk
- use homebrew/homebrew cask to install stuff
I've never run AV software on any of my Mac computers or any of my Linux PCs. There's no need. I will never get a Mac or Linux virus.
I'm vehemently against running AV software on Linux at the enterprise level, too. The best I've been able to do there, though, is to ensure that on-access scanning (aka "slow the system down to 10 percent of its usual speed for no reason at all") is completely disabled.
On Ubuntu you have AppArmor, and mandatory access control (in practice, any sandboxing mechanism) is vastly superior to antivirus, at least in default-deny mode (which, sadly, Ubuntu does not use by default).
If arbitrary software needs administrator level policy set to access the filesystem or devices, rogue software cannot harm your system. If trusted packages also need policy, then exploits in that software cannot do any more damage than the minimum amount of capabilities allocated to the application, which is quite frequently just the app's config file.
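The default-deny confinement described above, as an added illustrative AppArmor profile (not from this thread; the daemon path /usr/local/bin/reportd, its config file and its log file are hypothetical):

```text
# Added example: an AppArmor profile for a hypothetical /usr/local/bin/reportd.
# Everything not listed is denied once the profile is loaded in enforce mode,
# so an exploit in reportd is limited to the two files the daemon really needs.
#include <tunables/global>

/usr/local/bin/reportd {
  #include <abstractions/base>

  # The only data the program legitimately touches
  /etc/reportd/reportd.conf r,
  /var/log/reportd.log w,

  # Explicit denies are redundant under default-deny, but they override any
  # allow pulled in by an abstraction and keep the audit log quiet.
  deny /etc/shadow r,
  deny /home/** rw,
  deny network,
}
```

Load it with `apparmor_parser -r` and confirm with `aa-status` that the profile is in enforce mode; a profile left in complain mode only logs the violations it would have blocked.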
You can explain that traditional viruses are less common on Linux. Rootkits and privilege escalation exploits are more likely.
One strategy might be to say that Linux systems are not sheltered from any threat (saying otherwise might lead the other person to consider you as a biased Linux fan), but instead to explain that the threats and consequently the defensive tools to adopt are different.
So, instead of an AV, I would recommend 1) a host-based intrusion detection system (HIDS), like OSSEC or Tripwire, and 2) a kernel patched with Grsecurity.
The HIDS will send you an alert every time an important file (like /etc/shadow) or a new binary / package is installed or modified.
Grsecurity will offer multiple very efficient protection mechanisms against privilege escalation exploits (among other things).
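A minimal version of the file-integrity check a HIDS like OSSEC or Tripwire performs, as an added example (not OSSEC or Tripwire code): it baselines the watched paths and reports files that changed, appeared or vanished. The watched files are constructed stand-ins for /etc/shadow and a newly dropped binary.

```python
# Added example (not OSSEC/Tripwire code): a minimal file-integrity monitor
# that alerts when a sensitive file such as /etc/shadow changes or a new
# binary appears. It records SHA-256, size, mode and mtime per watched path.
# Real HIDS tools keep the baseline off-box or signed so root cannot rewrite it.
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """(sha256, size, mode, mtime) for a regular file, None if it is absent."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode):          # symlink, device, directory, ...
        return ("non-regular", 0, stat.S_IMODE(st.st_mode), 0)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode), int(st.st_mtime))

def build_baseline(paths):
    """Snapshot every watched path; a path that does not exist yet is None."""
    return {p: fingerprint(p) for p in paths}

def check(baseline):
    """Return a list of (path, event, detail) for every path that differs."""
    alerts = []
    for path, old in baseline.items():
        new = fingerprint(path)
        if old == new:
            continue
        if old is None:
            alerts.append((path, "ADDED", new))
        elif new is None:
            alerts.append((path, "DELETED", old))
        elif old[0] != new[0]:
            alerts.append((path, "CONTENT_CHANGED", (old[0][:12], new[0][:12])))
        else:                                     # same bytes, different mode/mtime
            alerts.append((path, "METADATA_CHANGED", (old[2:], new[2:])))
    return alerts

def demo():
    """Run the monitor over constructed files in a temp dir; return the events."""
    with tempfile.TemporaryDirectory() as d:
        shadow = os.path.join(d, "shadow")           # stands in for /etc/shadow
        newbin = os.path.join(d, "dropped_binary")   # does not exist at baseline
        with open(shadow, "w") as f:
            f.write("root:$6$constructed$hash:19000:0:99999:7:::\n")
        base = build_baseline([shadow, newbin])
        quiet = check(base)                          # [] while nothing changes
        with open(shadow, "a") as f:                 # an extra account is appended
            f.write("backdoor:$6$x$y:19000:0:99999:7:::\n")
        with open(newbin, "wb") as f:                # a new executable shows up
            f.write(b"\x7fELF constructed")
        return quiet, [(os.path.basename(p), ev) for p, ev, _ in check(base)]
```

Calling demo() returns an empty list for the untouched baseline and then the two alerts; in production the baseline would be persisted and check() run from cron or a daemon.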
You don't even have to use RBAC if you don't want to (you can still use AppArmor/SELinux/etc.), but RBAC comes with a built-in learning mode which is good and will likely do a better job than you could at generating a profile. Sure, you'll probably have to hand-tune it a bit, but for production servers I see no reason why RBAC couldn't be used with its training/learning mode.
The first tool I run on new Macs is osxlockdown[1] (use [2] if you want a UI). It disables a bunch of features and enables things like the firewall. Make sure you don't disable things you're actually using, though. I don't run any AV, but I use OpenDNS Umbrella, a DNS-level malware blocking service with the capability to switch to "active" traffic filtering (basically a MitM proxy, though that part is completely optional). It's a neat tool with a nice dashboard, and the pricing is okay at $20/year.
OSSEC is a great tool for servers, but not the kind of "Let's just throw some AV at it so we can tick that compliance box" tool many are looking for.
In production you still need to protect from zero days with some form of protection that is not necessarily detection or antivirus such as AppArmor or more commonly SELinux.
It's hard for me to believe that anyone uses this crap software. A few years ago I spent hours uninstalling it for a friend. It had slowed his laptop to a crawl and he was about to buy a new one. After the uninstall, it was snappy enough to use for a few more years. Really, that software is some of the worst I've ever witnessed, and I've seen some shit.
I work for a Fortune 500 company who just switched away from the product mentioned in this article for one which I'm sure isn't much better. Besides the overall performance impact, we also have a daily virus scan that runs at noon on every system. Don't normally take your lunch at noon? Oh well, you certainly won't be getting any work done.
It comes pre-installed on many machines, and the mindshare is large.
I also attempted to remove Norton from a friend's computer a few years ago. I failed and later discovered that it was actually unable to be uninstalled. Norton published some instructions to let you remove parts to the point you could ignore it at least.
I swore never to touch anything from Norton/Symantec ever again.
I bought ESET/nod for a few machines but now I rely entirely on Windows Defender for the few Windows machines I own.
I haven't used it in about a decade, but the corporate version used to be pretty lightweight compared to the retail version. I started using the corporate edition soon after I joined the military because we got it for free. There was an immediate and noticeable improvement in my pc's performance after replacing the retail version.
A note for everybody asking "why on earth does anybody run this software": When my company had to get corporate liability insurance in 2007/2008, the actual insurance contract stipulated "having AV installed on all machines". We did solve it by having an unused folder with ClamAV on every box, but I was impressed by the fact that AV is pretty much legally mandated for enterprises.
This is very common in boilerplate enterprise contracts. They will often have provisions about compliance with certain security and disaster recovery standards.
A bug in their software would be forgivable. This article pointed out both an extremely poor design decision (lots of unnecessary code in the kernel) as well as a serious organizational problem (not doing vulnerability management). These are especially bad considering that they are supposed to be a security company.
In both cases, one bad example means it's likely there are many more still undiscovered.
Anti virus is like a compromised immune system: it joins the other side and will help to kill the host in short order. It's a miracle these companies are still in business and it is very sad to see Peter Norton's name dragged through the mud like this over and over again.
Many years ago, installing Malwarebytes Anti-Malware dramatically reduced the amount of on-site technical support calls for my well-meaning but too trusting ("I just clicked on it") parents. This was before I was able, with the help of my brother-in-law, to convert them to Apple/Mac.
Is Malwarebytes Anti-Malware still the gold standard for Windows Malware protection? What is the gold standard for Windows virus protection now?
I'm not really sure I consider McAfee, Norton and the like the security industry. They're definitely a part of it, but in the same way car dealerships are part of the auto industry. They provide a service, but there's a real debate to be had about whether they are more beneficial or harmful.
How much more? I always imagined that it's more likely for a standard user to open every email attachment and execute it than it is to get targeted by a malicious attacker who knows what software your users are running and writes exploits tailored for them, but I could be wrong.
Isn't Norton antivirus itself malware? And McAfee too, for that matter? I finally convinced my mom and my wife to stop downloading it every time they update Adobe Flash. (Yes, they still do that. On Windows of course. Sigh. One thing at a time.)
Here's a question I have every time I see "RCE" type issues, and I'm completely serious when I ask: what is the use case for allowing remote execution in your software? Why would you want to allow arbitrary code to be executed? Or am I perhaps misunderstanding this, is it some sort of break out of the program bounds which allows execution?
Quite a few major enterprises use SEP/SEPM in combination with other IPS/IDS. Time to make sure everything is updated I suppose. Good work project zero.
I've been saying this for years, but when are people going to realize that running Norton on your PC is actually worse than not running AV software at all?
In the fast-moving world of IT security it's refreshing to see that Symantec's web site makes no mention of these profoundly important vulnerabilities on their landing page.
They don't seem to have any Status / Current Alerts style pages -- but on their somewhat hard to find blog page we find the most recent update from the guys is from two days ago:
"Malicious app found on Google Play, steals Viber photos and videos"
Windows 10 has a built-in antivirus that's very effective, safe, and doesn't impact system usability. There's little reason for anyone on Windows 10 to run Symantec/Norton.
I have to disagree with this statement. It's kind of a resource pig, actually. When it got to the point it was affecting my day-to-day productivity, I deleted MsMpEng.exe from my hard drive, and now my machine is snappy and responsive again.
I am not surprised in the least. Norton Antivirus is one of the worst of its kind. I've used it for many years. Every single virus/trojan/adware infection I got went straight through Norton Antivirus without it doing anything. Back as a kid I opened a lot of downloaded executables, like games, and some of them were infected. Later, I got more cautious with executables but got rid of all antivirus software - best software decision ever. My computers have never been faster.
[1] http://www.pcworld.com/article/2013580/researcher-finds-crit...
[2] http://arstechnica.co.uk/security/2016/01/google-security-re...
pilif | 9 years ago
http://googleprojectzero.blogspot.ch/2015/06/analysis-and-ex...
ams6110 | 9 years ago
I do not use AV on any other platforms.
beedogs | 9 years ago
Edit: any explanation for the downvotes?
benjarrell | 9 years ago
I've had that debate and it was decided that we had to have something. FWIW we use TrendMicro deep security.
Thaalei | 9 years ago
For the MacBooks, I don't know.
ryuuchin | 9 years ago
[1] https://grsecurity.net/
[1]: https://github.com/SummitRoute/osxlockdown
[2]: https://objective-see.com/products/lockdown.html
jcoffland | 9 years ago
https://wiki.archlinux.org/index.php/MacBook
walrus01 | 9 years ago
"Symantec considered harmful"
full stop.
Let's not forget this: http://arstechnica.com/security/2015/10/still-fuming-over-ht...
Symantec should have suffered the CA "death penalty" and had its trust removed from the browsers that hold most of the global market share.
paradite | 9 years ago
Is there some kind of "compliance" or "regulation" that mandates companies to install them on every workstation?
coderdude | 9 years ago
Edit: 5 minutes later, AVG "detected" csgo.exe and asked me if I want to quarantine. Uninstalled.
Jedd | 9 years ago
http://www.symantec.com/connect/symantec-blogs/symantec-secu...
EDIT: Oh, they have a Vulnerabilities page - https://www.symantec.com/security_response/landing/vulnerabi... - with the most recent entries listed as 13 days ago (blimey that US mm/dd/yyyy date format is uncomfortable).