gsuberland's comments
gsuberland | 12 years ago | on: The anti-virus age is over
My point was that programmer salaries in India were significantly low enough at the time to make it at least ten-fold cheaper to hire developers over there. These days it's a different country (or set of countries) but the point still stands.
gsuberland | 12 years ago | on: The anti-virus age is over
This was written a year ago. Keep in mind that I'm not saying AV isn't useful - it is in some situations. However, I'm of the opinion that the "AV age", where AV companies battle it out to innovate and beat the competition, is pretty much over. It's not useful against any determined attacker, and it's ridiculously easy to bypass AV simply by changing a few bytes here or there, or by running it through whatever random packer you found on some forum.
Yes, general purpose computing does necessitate some form of filtering, but there are much better solutions than AV in most cases. Mobile platforms like iOS / Android can be locked down quite well - install what you want and then lock installations. Desktop OSes like Windows, Linux and OS X are harder to deal with, but there are still protective measures that can be taken, such as whitelisting, that are more effective than any AV.
gsuberland | 12 years ago | on: The anti-virus age is over
I wrote this about a year ago, when the average salary of an Indian developer was significantly less, and there was a huge market in low-quality low-cost development houses out there. These days you can replace "India" with Sri Lanka, China, or any of the other countries with a significant poor minority and an up-and-coming tech market.
My primary point was that there are people with a price-point way below that of your average US or UK worker, so the cost of production is much lower.
This is true, but I've spent a fair bit of time digging into how various AV engines work internally (including yours, if I remember correctly!) and have found a very high percentage of them to use little more than a flat hash for most signatures. I think in one case there was a 95% majority. Yes, there are many other detection methods, but you need to spend the time to actually come up with proper and functional signatures. I just haven't seen it happen yet - not that I've looked much in the year since I wrote the article.
> The rise in APTs is interesting, and it's talked about quite a bit. However, the rise in a new type of threat doesn't mean the decline of the old. The targeted threats need to be protected against, and security software needs to evolve to do that, but that does not mean the millions of home computers out there aren't a pretty target too.
Again, true, but it doesn't stop it from being a "new type" of attack model that is largely impossible to protect from, especially by automated mechanisms like AV. IDS / IPS helps, if you actually bother to review the damn logs, but most people (in my experience) don't.
> HTML5 is really interesting. The example there would be somewhat limited - without an exploit it can't escape its little sandbox, meaning it would be great for things like DDoS but not for stealing private information.
Yup. Doesn't make the AVs any better at detecting it, though!
> Focusing on what's going on in memory is not the only way to do this. The network traffic tells all sorts of fun information, and it's possible to hook into programs like the browsers themselves to look for suspicious activity.
Unless it's HTTPS, or obfuscated. And since when can you tell the difference between a malicious obfuscated JavaScript payload, and a non-malicious one like minified jQuery?
> Comparing programming salaries is a joke at best. While it's certainly not easy to find and hire great antimalware people, it's not easy hiring great developers either. Malware authors simply do not use bottom-of-the-barrel labor - building malware is just as skillful as detecting it, as you need to know how to detect it to evade detection.
Yet we see piles upon piles of malware written in VB6 or Delphi 7, most of which are crappy trojans and keyloggers. Are they the number one super massive threat? No. Are they something to be worried about? Yes. A crappy keylogger can still steal user credentials. A crappy trojan can still steal files and alter data. Rejecting the salary comparison because high-end malware writers wouldn't use 3rd world outsourcing is like rejecting normal gearboxes because all Lamborghinis use those flappy-paddle ones.