I work for Malwarebytes, although what I'm about to say is my own opinion. I have a few thoughts on this post-
* When people mention signature based detection as a reason why antivirus or malware is dying I always get a bit confused. It's like saying that the transportation industry is going to die because horses are an inefficient way to transport goods. This is something everyone knows already, followed by a conclusion that to me skips the obvious answer everyone else has come to- use different types of detection.
* The rise in APTs is interesting, and it talked about quite a bit. However, the rise in a new type of threat doesn't mean the decline of the old. The targeted threats need to be protected against, and security software needs to evolve to do that, but that does not be mean the millions of home computers out there aren't a pretty target too.
* HTML5 is really interesting. The example there would be somewhat limited- without exploit it can't escape it's little sandbox, meaning it would be great for things like DDoS but not for stealing private information.
* Focusing on what's going on in memory is not the only way to do this. The network traffic tells all sorts of fun information, and it's possible to hook into programs like the browsers themselves to look for suspicious activity.
* Comparing programming salaries is a joke at best. While it's certainly not easy to find and hire great antimalware people, it's not easy hiring great developers either. Malware authors simply do not use bottom of the barrel labor- building malware is just as skillful as detecting it as you need to know how to detect it to evade detection.
This field of technology is just like any other, in that it's constantly evolving. Old methods will get replaced by new, which will get replaced again soon after.
What do you think of Mikko's statement Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.?
> HTML5 is really interesting. The example there would be somewhat limited- without exploit it can't escape it's little sandbox, meaning it would be great for things like DDoS but not for stealing private information.
May I suggest you take a look at http://www.beefproject.com/ and see what can be done without escaping it's little sandbox. Also if the goal is compromising a host, there will generally be an exploit as part of the toolkit, not necessarily an easily detectable one. At CanSecWest earlier this year there was an interesting Chrome-based pwn2own from the guys at MWR.
> When people mention signature based detection as a reason why antivirus or malware is dying I always get a bit confused. It's like saying that the transportation industry is going to die because horses are an inefficient way to transport goods. This is something everyone knows already, followed by a conclusion that to me skips the obvious answer everyone else has come to- use different types of detection.
This is true, but I've spent a fair bit of time digging into how various AV engines work internally (including yours, if I remember correctly!) and have found a very high percentage of them to use little more than a flat hash for most signatures. I think in one case there was a 95% majority. Yes, there are many other detection methods, but you need to spend the time to actually come up with proper and functional signatures. I just haven't seen it happen yet - not that I've looked much in the year since I wrote the article.
> The rise in APTs is interesting, and it talked about quite a bit. However, the rise in a new type of threat doesn't mean the decline of the old. The targeted threats need to be protected against, and security software needs to evolve to do that, but that does not be mean the millions of home computers out there aren't a pretty target too.
Again, true, but it doesn't stop it from being a "new type" of attack model that is largely impossible to protect from, especially by automated mechanisms like AV. IDS / IPS helps, if you actually bother to review the damn logs, but most people (in my experience) don't.
> HTML5 is really interesting. The example there would be somewhat limited- without exploit it can't escape it's little sandbox, meaning it would be great for things like DDoS but not for stealing private information.
Yup. Doesn't make the AVs any better at detecting it, though!
> Focusing on what's going on in memory is not the only way to do this. The network traffic tells all sorts of fun information, and it's possible to hook into programs like the browsers themselves to look for suspicious activity.
Unless it's HTTPS, or obfuscated. And since when can you tell the difference between a malicious obfuscated JavaScript payload, and a non-malicious one like minified jQuery?
> Comparing programming salaries is a joke at best. While it's certainly not easy to find and hire great antimalware people, it's not easy hiring great developers either. Malware authors simply do not use bottom of the barrel labor- building malware is just as skillful as detecting it as you need to know how to detect it to evade detection.
Yet we see piles upon piles of malware written in VB6 or Delphi 7, most of which are crappy trojans and keyloggers. Are they the number one super massive threat? No. Are they something to be worried about? Yes. A crappy keylogger can still steal user credentials. A crappy trojan can still steal files and alter data. Rejecting the salary comparison because high-end malware writers wouldn't use 3rd world outsourcing is like rejecting normal gearboxes because all Lamborghinis use those flappy-paddle ones.
Nobody wants AV to die faster than I do, but these complaints could just as easily have been written in 1995 as in 2013. Polymorphic malware, for instance, is older than many HN readers.
The forces that keep AV chugging along have more to do with how the market for AV software works than with anything fundamental about how effective AV is.
The anti-virus _never_ was anything but a high-pass filter (any illusion to the contrary is propagated by AV stakeholders): who needs to exploit machine-executable code when you can get the users to do it for you? Just promise them dancing hampsters, and voila.
There is no silver bullet, especially not when people are involved.
Well, they've certainly been trying to make it more than an HPF. Which is understandable- I bet there are big bucks to be made if one of the vendors starts reliably blocking even sophisticated exploits.
The anti-virus industry has always been a bit of a con. It is probably hard for people who habitually use Windows to understand since their AV software has probably saved them a lot of times but it is actually a really hit and miss way to filter things and it gives a false sense of security with a big performance hit. In the Windows world it has been necessary but not sufficient for a very long time and people get confused about what you mean when you say this and push back. Proper security practices involve minimising your installed software, only installing from trusted sources, using signed software where supported or checksumming it otherwise, running apps in sandboxes, isolating machines you need to protect, monitoring your systems behaviour and a lot more.
Final line of article: "Now don’t get me wrong, AV still has its place in the security world ... However, it’s no longer much more than a filter for the most basic attacks."
Is the age of seatbelts also over? People die in car accidents by the thousands despite using seatbelts, so they must be useless.
The article almost could've been written in the nineties before the commercial malware arrived, but when polymorphic malware became the standard.
The age of AV is unfortunately anything but over as long as people wish to run software they want to, e.g. unlike the iOS. AV is a good filter for most of the malware that you might accidentally bump into, but that's it. You're silly if you don't have one, and you're silly if you think that you're totally safe with it.
I'm silly, then. :-) I'm on Windows 7 (and XP before that), I've never used anti-virus software, but I'm careful about what I download and run. Many of my friends, who do use anti-virus software, are constantly complaining of malware and the like. I realize this is just an anecdote and I could be caught out one day, but my approach is "don't install junk".
This was written a year ago. Keep in mind that I'm not saying AV isn't useful - it is in some situations. However, I'm of the opinion that the "AV age", where AV companies battle it out to innovate and beat the competition, is pretty much over. It's not useful against any determined attacker, and it's ridiculously easy to bypass AV simply by changing a few bytes here or there, or by running it through whatever random packer you found on some forum.
Yes, general purpose computing does necessitate some form of filtering, but there are much better solutions than AV in most cases. Mobile platforms like iOS / Android can be locked down quite well - install what you want and then lock installations. Desktop OSes like Windows, Linux and OS X are harder to deal with, but there are still protective measures that can be taken, such as whitelisting, that are more effective than any AV.
It's funny how you mention polymorphism in malware. Just recently I came across a modified version of a stock exploit kit which was serving Zeus with each signature being unique. I didn't look into it too much be it seems like there were several thousand precompiled version of the executable on the server and each unique copy was only being loaded for a few hosts to evade anti-virus detection.
There is even open source software that helps evade Antiviruses. If anybody's interested in further reading, I would definitely recommend:
A high percentage of security jobs in the U.S. are government positions. If you can't get a clearance, you can't get a job. It is far more difficult for a foreign national (especially from a place like India) to get a security clearance of any sort, let alone the Top Secret clearance that most security roles would demand.
That's not to say that it's impossible though.
Also, unless I'm mistaken, securitytube.net is owned by Indians. It's a great site and the instructors for their courses are indeed experts.
Note that I wrote this article a year ago, when the lowest-possible-price outsourcing market was rampant in India. These days it's more common in China and Sri Lanka. Yes, security specialists can come from India, China, Sri Lanka, or any country for that matter, and I wouldn't suggest otherwise.
My point was that programmer salaries in India were significantly low enough at the time to make it at least ten-fold cheaper to hire developers over there. These days it's a different country (or set of countries) but the point still stands.
It's unsurprising that the kinds of threats that are most common nowadays are the ones that get around automated security, which is essentially what AV software is. That doesn't mean that automated security has no future. It just means that, barring some sort of strong AI, automated security needs to hand-in-hand with manual security efforts.
Recently i reinstalled Windows 7 on my gaming PC. It was only a week or 2 into my usage when i realised i forgot to install antivirus software. I don't even think i need it anymore.
I use Sandboxie for any potentially dodgy programs. I use Adblock (Chrome) so the chances of being infected by a rogue ad provider is reduced. I keep tabs on my incoming and outgoing network traffic using SMSniff (for curiosity) and i use Malwarebytes for the occasional scan to see if anything slipped by. I used to hear people facetiously saying "Common Sense" was the best antivirus, but i think they were right. As long as you stay away from dodgy files and sites (such as cracks and keygens from P2P groups) and sandbox any programs you don't trust much, you should be fine.
I highly recommend installing Microsoft Security Essentials (which was rolled into Windows Defender as a built-in component in Windows 8, but IIRC for Windows 7 is something you have to download).
It gives you basically the same amount of protection as commercial AV tools but is drastically smarter about resource usage and not getting in your way all the time. Unlike other AV tools that are constantly trying to upsell you (and thus have to appear to be 'doing something'), the only point of MSE/Windows Defender is to make Windows suck less.
Is anyone aware of any documented reports of well-known "reputable" antivirus/antimalware companies being involved in the development or spread of viruses, etc.? I've heard in the past reports (that make sense) about these companies making business for themselves by ensuring a threat exists to fight, but it is tough to believe that this could happen without it eventually coming to light.
Could John McAfee have known about this or even have been involved, and this is one of the reasons for some of his strange behavior (related guilt, involvement with criminals and criminal organizations)? Or is there no basis to any of that?
This has been argument since viruses became well known, they've Turing complete since the beginning:
"Much like an infection, a well-intended but badly designed program to stop viruses can run amok, knocking out thousands of computers or destroying vast amounts of data. Indeed, one program intended to defeat a known virus has destroyed data on personal computers used by businesses and the Government in the United States."
This is a aalient point but somewhat moot. Consider that as nation states deem they want to break into your computer then you are as likely to be able to prevent that as you would if they chose to occupy your home by force. Not many people can fend off a military attack on their residence.
But this does make clear that the future of secure computing will come from the crooks, not from software companies. They are after all just as likely to be penetrated as the next guy and so they will endeavor to build systems that can resist the sorts of threats that they themselves exploit against others.
Maybe, even with that, they wouldn't be persistent enough or would be too easily traceable to a source, or blockable? Or maybe js doesn't allow the level of access that flash or java might, so the ROI isn't worth it.
Although the case might be different for browser plugins (I don't know), it might be more effective to poison one of those than, say, run something directly in a browser.
The anti-virus age may be over, but if the supporting evidence is that host based signature products don't provide an effective defense against a variety of common security threats then the anti-virus age was over a long, long time ago. Like back to when things propagated for moths or years autonomously without any modifications to the main component - the stuff that actually matched the term "virus" that we now use as a synonym for malware.
The last time that such items were anything but an unusual novelty was something like 2003. The last time they were the most substantial threat was sometime in the 1990's. And while it typically wasn't viral, a variety of naive threats produced by amateurs continued to be a good portion of the threat landscape until around the middle of the last decade.
That isn't to say database driven signature systems never stop any attacks. They just provide such a small amount of defense and so consistently unable to identify well publicized threats months after their public use in the wild that there is little to any statistical difference in compromise between a well configured and patched system with an av engine and the same system without an av engine.
But while their product is ineffective, they are far from alone in the security industry. IDS systems are wildly ineffective in any configuration that isn't custom tuned for defending an extremely limited network that exclusively transports a few specific protocols in very predictable ways - mostly backend networks in datacenters. Typical edge firewalls defend against a threat primarily exists because they enable it - clients are so vulnerable on local networks that can't survive that way on open networks. But without them we'd have just reduced the attack surface like we;ve done with public facing servers. As nearly every compromise includes a service that's intentionally exposed or intentionally allowed through the edge, they at best are a limited crutch to avoid having to ensure each computer is as minimally exposed to start with. If your firewall allows you to be an extra soft target once an attacker has established a foothold inside it's arguable that you'd have been better off totally exposed so that you limit the number of additional systems that exist in radically insecure postures.
The only automated system that comes to mind that ive seen provide any real amount of value are the expensive and exclusive block list subscriptions that contain databases of actively operating C&C servers and similar active apt sources. But these would become worthless if any of them ever enjoyed widespread adoption, as they'd simply stop being lazy and using the same servers all the time.
ASLR, DEP and even managed code to a certain extent all are similarly ineffective in that while making exploits more complicated they've had no impact on the rate of compromise.
The simple fact is that offensive security has won for the forseeable future and defensive security has lost entirely, with no real hope of change without dramatic practice shifts.
For client security the only things that have provided clear and practical benefits have been a) reducing the attack surface by mass removal of services and features and b) building the system withe the expectation of regular compromise, and including an easy and reliable way to wipe and restore. Oh and forced automatic patching.
The ChromeOS team gets it. The windowsrt team gets it. ios gets it. Anyone producing a client OS that is feature rich, highly configurable strives for easy out of the box use should be considered systemically insecure at this point. Any motivator attacker will succeed against it 99%+ of the time.
But since there are really no other options for so many people and tasks, it's very uncomfortable to explain to someone that they are able to do little to nothing about it that won't involve draconian systems users would refuse to use, and that compromise is at some point essentially inevitable.
So you tell them to run anti-virus. It's like children hiding under their desks in the event of nuclear war. It helps avoid some amount of existential crisis.
That's why the anti-virus age won't be over for a long, long time. Because if you don't have a replacement that's actually good, and no one even has a clue what that would look like, you still need to tell people to use their AV. Just like you need to tell people there is heaven.
> an average software developer in India gets about 320,000 INR per year, which equates to roughly 5700 USD. Compare that to the price of a malware analyst or systems security analyst, which is 60,000 USD before insurance, pension and other benefit costs are tacked on. That means that for every analyst that an AV company hires, the bad guys can hire 10 developers.
I doubt an average developer from India is capable of writing a polymorphic virus. Or not from India.
Most developers I know only know a few technologies and stay within that bubble, and rarely do any side projects, or code for fun.
The bit about Indian developers is simply bizarre. Firstly, Indian developers are more expensive than they've ever been, so that notion made more sense a decade ago. Secondly, has anyone every heard of outsourced shops developing exploits using low-paid talent? I don't recall that ever being the case, and instead it's a small number of very skilled but unfortunately motivated developers.
Those inexpensive offshore developers can barely sling some Visual Basic together. They aren't developing clever NX circumvention exploits.
I wrote this about a year ago, when the average salary of an Indian developer was significantly less, and there was a huge market in low-quality low-cost development houses out there. These days you can replace "India" with Sri Lanka, China, or any of the other countries with a significant poor minority and an up-and-coming tech market.
My primary point was that there are people with a price-point way below that of your average US or UK worker, so the cost of production is much lower.
[+] [-] tedivm|12 years ago|reply
* When people mention signature based detection as a reason why antivirus or malware is dying I always get a bit confused. It's like saying that the transportation industry is going to die because horses are an inefficient way to transport goods. This is something everyone knows already, followed by a conclusion that to me skips the obvious answer everyone else has come to- use different types of detection.
* The rise in APTs is interesting, and it talked about quite a bit. However, the rise in a new type of threat doesn't mean the decline of the old. The targeted threats need to be protected against, and security software needs to evolve to do that, but that does not be mean the millions of home computers out there aren't a pretty target too.
* HTML5 is really interesting. The example there would be somewhat limited- without exploit it can't escape it's little sandbox, meaning it would be great for things like DDoS but not for stealing private information.
* Focusing on what's going on in memory is not the only way to do this. The network traffic tells all sorts of fun information, and it's possible to hook into programs like the browsers themselves to look for suspicious activity.
* Comparing programming salaries is a joke at best. While it's certainly not easy to find and hire great antimalware people, it's not easy hiring great developers either. Malware authors simply do not use bottom of the barrel labor- building malware is just as skillful as detecting it as you need to know how to detect it to evade detection.
This field of technology is just like any other, in that it's constantly evolving. Old methods will get replaced by new, which will get replaced again soon after.
[+] [-] wglb|12 years ago|reply
[+] [-] _b8r0|12 years ago|reply
May I suggest you take a look at http://www.beefproject.com/ and see what can be done without escaping it's little sandbox. Also if the goal is compromising a host, there will generally be an exploit as part of the toolkit, not necessarily an easily detectable one. At CanSecWest earlier this year there was an interesting Chrome-based pwn2own from the guys at MWR.
[+] [-] gsuberland|12 years ago|reply
This is true, but I've spent a fair bit of time digging into how various AV engines work internally (including yours, if I remember correctly!) and have found a very high percentage of them to use little more than a flat hash for most signatures. I think in one case there was a 95% majority. Yes, there are many other detection methods, but you need to spend the time to actually come up with proper and functional signatures. I just haven't seen it happen yet - not that I've looked much in the year since I wrote the article.
> The rise in APTs is interesting, and it talked about quite a bit. However, the rise in a new type of threat doesn't mean the decline of the old. The targeted threats need to be protected against, and security software needs to evolve to do that, but that does not be mean the millions of home computers out there aren't a pretty target too.
Again, true, but it doesn't stop it from being a "new type" of attack model that is largely impossible to protect from, especially by automated mechanisms like AV. IDS / IPS helps, if you actually bother to review the damn logs, but most people (in my experience) don't.
> HTML5 is really interesting. The example there would be somewhat limited- without exploit it can't escape it's little sandbox, meaning it would be great for things like DDoS but not for stealing private information.
Yup. Doesn't make the AVs any better at detecting it, though!
> Focusing on what's going on in memory is not the only way to do this. The network traffic tells all sorts of fun information, and it's possible to hook into programs like the browsers themselves to look for suspicious activity.
Unless it's HTTPS, or obfuscated. And since when can you tell the difference between a malicious obfuscated JavaScript payload, and a non-malicious one like minified jQuery?
> Comparing programming salaries is a joke at best. While it's certainly not easy to find and hire great antimalware people, it's not easy hiring great developers either. Malware authors simply do not use bottom of the barrel labor- building malware is just as skillful as detecting it as you need to know how to detect it to evade detection.
Yet we see piles upon piles of malware written in VB6 or Delphi 7, most of which are crappy trojans and keyloggers. Are they the number one super massive threat? No. Are they something to be worried about? Yes. A crappy keylogger can still steal user credentials. A crappy trojan can still steal files and alter data. Rejecting the salary comparison because high-end malware writers wouldn't use 3rd world outsourcing is like rejecting normal gearboxes because all Lamborghinis use those flappy-paddle ones.
[+] [-] dnskw|12 years ago|reply
[+] [-] tptacek|12 years ago|reply
The forces that keep AV chugging along have more to do with how the market for AV software works than with anything fundamental about how effective AV is.
[+] [-] Piskvorrr|12 years ago|reply
There is no silver bullet, especially not when people are involved.
[+] [-] sliverstorm|12 years ago|reply
[+] [-] shirro|12 years ago|reply
[+] [-] pjmlp|12 years ago|reply
Anyone old enough here, remembers using AV for Atari, Amiga, MS-DOS and many other home systems.
Lets also not forget the first worms were designed for UNIX systems.
[+] [-] WayneDB|12 years ago|reply
The only anti-virus measure that I take is to upload unknown executables to http://www.virustotal.com/
[+] [-] seldo|12 years ago|reply
Final line of article: "Now don’t get me wrong, AV still has its place in the security world ... However, it’s no longer much more than a filter for the most basic attacks."
So... not really over at all. In fact, escalated.
[+] [-] gsuberland|12 years ago|reply
[+] [-] wmt|12 years ago|reply
The article almost could've been written in the nineties before the commercial malware arrived, but when polymorphic malware became the standard.
The age of AV is unfortunately anything but over as long as people wish to run software they want to, e.g. unlike the iOS. AV is a good filter for most of the malware that you might accidentally bump into, but that's it. You're silly if you don't have one, and you're silly if you think that you're totally safe with it.
[+] [-] benhoyt|12 years ago|reply
[+] [-] gsuberland|12 years ago|reply
This was written a year ago. Keep in mind that I'm not saying AV isn't useful - it is in some situations. However, I'm of the opinion that the "AV age", where AV companies battle it out to innovate and beat the competition, is pretty much over. It's not useful against any determined attacker, and it's ridiculously easy to bypass AV simply by changing a few bytes here or there, or by running it through whatever random packer you found on some forum.
Yes, general purpose computing does necessitate some form of filtering, but there are much better solutions than AV in most cases. Mobile platforms like iOS / Android can be locked down quite well - install what you want and then lock installations. Desktop OSes like Windows, Linux and OS X are harder to deal with, but there are still protective measures that can be taken, such as whitelisting, that are more effective than any AV.
[+] [-] Negitivefrags|12 years ago|reply
Don't install viruses.
[+] [-] xSwag|12 years ago|reply
There is even open source software that helps evade Antiviruses. If anybody's interested in further reading, I would definitely recommend:
[1]https://www.veil-evasion.com/tutorial-veil-payload-developme...
[2]http://blog.webroot.com/2013/02/22/diy-malware-cryptor-as-a-...
[3]https://www.christophertruncer.com/veil-a-payload-generator-...
[4]https://www.net-security.org/secworld.php?id=15173
[+] [-] joss82|12 years ago|reply
[+] [-] phaus|12 years ago|reply
That's not to say that it's impossible though.
Also, unless I'm mistaken, securitytube.net is owned by Indians. It's a great site and the instructors for their courses are indeed experts.
[+] [-] gsuberland|12 years ago|reply
My point was that programmer salaries in India were significantly low enough at the time to make it at least ten-fold cheaper to hire developers over there. These days it's a different country (or set of countries) but the point still stands.
[+] [-] _greim_|12 years ago|reply
[+] [-] coolnow|12 years ago|reply
I use Sandboxie for any potentially dodgy programs. I use Adblock (Chrome) so the chances of being infected by a rogue ad provider is reduced. I keep tabs on my incoming and outgoing network traffic using SMSniff (for curiosity) and i use Malwarebytes for the occasional scan to see if anything slipped by. I used to hear people facetiously saying "Common Sense" was the best antivirus, but i think they were right. As long as you stay away from dodgy files and sites (such as cracks and keygens from P2P groups) and sandbox any programs you don't trust much, you should be fine.
[+] [-] georgemcbay|12 years ago|reply
It gives you basically the same amount of protection as commercial AV tools but is drastically smarter about resource usage and not getting in your way all the time. Unlike other AV tools that are constantly trying to upsell you (and thus have to appear to be 'doing something'), the only point of MSE/Windows Defender is to make Windows suck less.
[+] [-] Kiro|12 years ago|reply
[+] [-] bittired|12 years ago|reply
Could John McAfee have known about this or even have been involved, and this is one of the reasons for some of his strange behavior (related guilt, involvement with criminals and criminal organizations)? Or is there no basis to any of that?
[+] [-] newmana|12 years ago|reply
"Much like an infection, a well-intended but badly designed program to stop viruses can run amok, knocking out thousands of computers or destroying vast amounts of data. Indeed, one program intended to defeat a known virus has destroyed data on personal computers used by businesses and the Government in the United States."
http://www.nytimes.com/1989/10/07/business/computer-virus-cu...
[+] [-] purephase|12 years ago|reply
[+] [-] ChuckMcM|12 years ago|reply
But this does make clear that the future of secure computing will come from the crooks, not from software companies. They are after all just as likely to be penetrated as the next guy and so they will endeavor to build systems that can resist the sorts of threats that they themselves exploit against others.
[+] [-] joeblau|12 years ago|reply
[+] [-] FollowSteph3|12 years ago|reply
[+] [-] krapp|12 years ago|reply
Although the case might be different for browser plugins (I don't know), it might be more effective to poison one of those than, say, run something directly in a browser.
[+] [-] trotsky|12 years ago|reply
The last time that such items were anything but an unusual novelty was something like 2003. The last time they were the most substantial threat was sometime in the 1990s. And while it typically wasn't viral, a variety of naive threats produced by amateurs continued to be a good portion of the threat landscape until around the middle of the last decade.
That isn't to say database driven signature systems never stop any attacks. They just provide such a small amount of defense and are so consistently unable to identify well publicized threats months after their public use in the wild that there is little to any statistical difference in compromise between a well configured and patched system with an AV engine and the same system without an AV engine.
But while their product is ineffective, they are far from alone in the security industry. IDS systems are wildly ineffective in any configuration that isn't custom tuned for defending an extremely limited network that exclusively transports a few specific protocols in very predictable ways - mostly backend networks in datacenters. Typical edge firewalls defend against a threat that primarily exists because they enable it - clients are so vulnerable on local networks that they can't survive that way on open networks. But without them we'd have just reduced the attack surface like we've done with public facing servers. As nearly every compromise includes a service that's intentionally exposed or intentionally allowed through the edge, they are at best a limited crutch to avoid having to ensure each computer is as minimally exposed to start with. If your firewall allows you to be an extra soft target once an attacker has established a foothold inside, it's arguable that you'd have been better off totally exposed so that you limit the number of additional systems that exist in radically insecure postures.
The only automated systems that come to mind that I've seen provide any real amount of value are the expensive and exclusive block list subscriptions that contain databases of actively operating C&C servers and similar active APT sources. But these would become worthless if any of them ever enjoyed widespread adoption, as they'd simply stop being lazy and using the same servers all the time.
ASLR, DEP and even managed code to a certain extent all are similarly ineffective in that while making exploits more complicated they've had no impact on the rate of compromise.
The simple fact is that offensive security has won for the foreseeable future and defensive security has lost entirely, with no real hope of change without dramatic practice shifts.
For client security the only things that have provided clear and practical benefits have been a) reducing the attack surface by mass removal of services and features and b) building the system with the expectation of regular compromise, and including an easy and reliable way to wipe and restore. Oh, and forced automatic patching.
The ChromeOS team gets it. The Windows RT team gets it. iOS gets it. Anyone producing a client OS that is feature rich, highly configurable and strives for easy out of the box use should be considered systemically insecure at this point. Any motivated attacker will succeed against it 99%+ of the time.
But since there are really no other options for so many people and tasks, it's very uncomfortable to explain to someone that they are able to do little to nothing about it that won't involve draconian systems users would refuse to use, and that compromise is at some point essentially inevitable.
So you tell them to run anti-virus. It's like children hiding under their desks in the event of nuclear war. It helps avoid some amount of existential crisis.
That's why the anti-virus age won't be over for a long, long time. Because if you don't have a replacement that's actually good, and no one even has a clue what that would look like, you still need to tell people to use their AV. Just like you need to tell people there is heaven.
[+] [-] rorrr2|12 years ago|reply
I doubt an average developer from India is capable of writing a polymorphic virus. Or not from India.
Most developers I know only know a few technologies and stay within that bubble, and rarely do any side projects, or code for fun.
[+] [-] corresation|12 years ago|reply
Those inexpensive offshore developers can barely sling some Visual Basic together. They aren't developing clever NX circumvention exploits.
[+] [-] gsuberland|12 years ago|reply
I wrote this about a year ago, when the average salary of an Indian developer was significantly less, and there was a huge market in low-quality low-cost development houses out there. These days you can replace "India" with Sri Lanka, China, or any of the other countries with a significant poor minority and an up-and-coming tech market.
My primary point was that there are people with a price-point way below that of your average US or UK worker, so the cost of production is much lower.