AV versus no AV?



  • Some Google security researcher argues that antivirus products are crap, mainly because in the process of hooking into the browser they introduce horrible additional vulnerabilities. Another guy, former AV developer, says that despite those few vulns, the user is still much better off with a commercial AV than without one or with a free one or with Defender. And they argue. And argue.

    Twitter is a horrible medium for this kind of conversation, but here it is. Try to read the whole thread trees. This is where it starts I think:


  • SockDev

    Any (respectable) AV is better than no AV


  • SockDev

    @marczellm said in AV versus no AV?:

    Another guy, former AV developer, says that despite those few vulns, the user is still much better off with a commercial AV than without one or with a free one or with Defender.

    AV is BUT ONE LAYER in your cyber security package.

    you enforce network security by restricting who is allowed onto your physical network, you do not let any random yahoo onto your wireless network. (They have their own access point in their pocket FFS), you run security plugins in your browser that shield you from the worst of the browser malware, you put a decent security gateway between you and the rest of the world, you run AV, you practice the 3-2-1 rule for backups and back up EVERYTHING

    and finally, and most importantly: You practice safe browsing habits, because all of that setup and careful preparation won't protect you from running that malicious EXE that is masquerading as a jpg of your one-time-best-friend-but-now-lives-cross-country's new baby.



  • @accalia said in AV versus no AV?:

    you run AV


  • SockDev

    @TimeBandit said in AV versus no AV?:

    @accalia said in AV versus no AV?:

    you run AV

    curious. so they have a physical manifestation of an electromagnetic phenominon?


  • SockDev

    @accalia More than one:



  • @RaceProUK @accalia and how does the user distinguish between respectable and non-respectable AV?

    for example, some years before I was running Norton 360 because I remembered the name from Norton Commander running on my dad's old computer. It took several years of subscriptions before I grew aware of it being a :shit:pool. (Sometimes it just blocked all internet access on a whim.) Then we used ESET, which was fine, but now I switched all of my family to Windows Defender. Now we can argue on whether Defender is respectable or not. Which was also a point of disagreement on the cited Twitter flame.


  • SockDev

    @marczellm said in AV versus no AV?:

    @RaceProUK @accalia and how does the user distinguish between respectable and non-respectable AV?

    I personally find Windows Defender plenty adequate, but I'm not going to claim it's perfect by any means.


  • SockDev

    @marczellm said in AV versus no AV?:

    @RaceProUK @accalia and how does the user distinguish between respectable and non-respectable AV?

    aye, there's the tough question.

    Avast used to be good, not sure if they've stayed on top or not. (They haven't. AVOID)

    I can't personally recommend kaspersky as i don't have personal experience but most techies i know use it.

    for me? i use windows defender for my PCs and ClamAV for my NAS.



  • @RaceProUK said in AV versus no AV?:

    I personally find Windows Defender plenty adequate, but I'm not going to claim it's perfect by any means.

    Always get the worst score in ever AV test I've seen.
    https://www.av-test.org/en/compare-manufacturer-results/


  • SockDev

    @accalia I couldn't possibly comment on Avast being good, they demonstrated a total inability to secure one of their own servers and it had been compromised for a number of months before anyone noticed.

    It was a revelation to me to realise that if they make mistakes that large on their own stuff, why the hell should I trust them with my stuff?


  • SockDev

    @Arantor said in AV versus no AV?:

    It was a revelation to me to realise that if they make mistakes that large on their own stuff, why the hell should I trust them with my stuff?

    ah..... well i did say that they were good.

    apparently they aren't anymore.


  • SockDev

    @accalia my experience is 2014. I don't know if they learned how to fix things since then.


  • SockDev

    @Arantor said in AV versus no AV?:

    @accalia my experience is 2014. I don't know if they learned how to fix things since then.

    E_TRUST_EASIER_TO LOSE_THAN_TO_EARN

    also my last experience with them was in in the 2011ish time frame


  • Grade A Premium Asshole

    @RaceProUK said in AV versus no AV?:

    Any (respectable) AV is better than no AV

    Common sense is better than any AV on the market.


  • area_pol

    Once a friend asked me for help because his "browser was broken" as it showed "failure to establish SSL connection" on google.com.
    We tried updating, then reinstalling the browser, looked at settings but to no avail.
    Finally we found that this was a known problem: he had some AV installed which performed a MITM attack on the connection, and the browser correctly prevented it.
    So that guy from Twitter was right in saying that AV sabotages existing security in other programs.


    I believe security (against malware) could be significantly increased if fine-grained permissions were added to OSes, instead of the current "admin or nothing" approach. After all, the user/kernel division is specifically for this purpose.

    For example, an installer would have permission to write some files to the chosen install location and add a menu shortcut, but adding programs to autostart would not be allowed by default.
    Or if a program wanted to open or save a file (outside its default area), it would ask the OS to display a file dialog, the user would choose location, and OS would only allow access to the chosen file.

    There are such projects in progress (Flatpak, Snapcraft on Linux, UWP on Windows) but as far as I understand, these require the program to be repackaged in a new format.

    Of course that is not perfect, the isolation mechanism can have flaws. But OS flaws require a lot of work to find and can get patched easily.



  • @Polygeekery I use the default Windows defender. But I use common sense as well. The rest of my machines are Linux or MacOSX.

    I also run with UAC on high while a PITA it will stop things from running as Administrator without me knowing.


  • SockDev

    @Polygeekery said in AV versus no AV?:

    @RaceProUK said in AV versus no AV?:

    Any (respectable) AV is better than no AV

    Common sense is better than any AV on the market.

    And both are vital layers of defence on the Internet of today



  • @RaceProUK Debatable since I had loads of AV programs either cause massive performance problems so it was as bad as having a virus. Especially at work.

    The big one is a decent firewall for Windows. That does 95%, and if you don't download porno.exe (like my little sister did) or some dodgy torrent you are fine.


  • Grade A Premium Asshole

    @lucas1 said in AV versus no AV?:

    The big one is a decent firewall for Windows.

    When are you not behind NAT and a firewall already?

    I hate firewalls on Windows. I have yet to find one that I did not immediately turn off. I also have yet to find one that does not cause headaches when printing.



  • @Polygeekery said in AV versus no AV?:

    I also have yet to find one that does not cause headaches when printing.

    or installing fonts

    :headdesk:



  • @Polygeekery I got one on my router and one on Windows. Everything else is using Linux or MacOSX and they have either iptables or whatever the fuck MacOSX wants to call it.

    So yes, but I don't trust EE, to keep my router updated.



  • @Polygeekery said in AV versus no AV?:

    When are you not behind NAT and a firewall already?

    Don't trust that pesky home router to protect you.

    I use this, no cost for home use


  • Grade A Premium Asshole

    @TimeBandit said in AV versus no AV?:

    Don't trust that pesky home router to protect you.

    I don't.

    I roll my own.


  • :belt_onion:

    @Polygeekery said in AV versus no AV?:

    @lucas1 said in AV versus no AV?:

    The big one is a decent firewall for Windows.

    When are you not behind NAT and a firewall already?

    I hate firewalls on Windows. I have yet to find one that I did not immediately turn off. I also have yet to find one that does not cause headaches when printing.

    I've used AVG's firewall (as part of their "Internet Security" package) for quite some time and I've never had a problem printing or installing fonts or anything else.

    One time I was on a web page and a message popped up asking for permission to run a Java applet. In a moment of stupidity I clicked OK. A few seconds later, the firewall alerted me that a program was trying to connect out and wanted to know if it should be allowed. Turns out that the Java applet had downloaded and launched a small executable.

    This is why the most important part of a firewall is blocking unwanted outgoing connections. Something that the Windows firewall is completely useless for (at least the Windows 7 version, anyway).

    Also works good for blocking a lot of Windows 10 telemetry crap.



  • @RaceProUK said in AV versus no AV?:

    @marczellm said in AV versus no AV?:

    @RaceProUK @accalia and how does the user distinguish between respectable and non-respectable AV?

    I personally find Windows Defender plenty adequate, but I'm not going to claim it's perfect by any means.

    Windows Defender has frequently deleted files I needed for work (various BuildMaster installers, for example) and likes to use up 100% of my CPU and disk time when I'm using software that's CPU and disk intensive. It has never found a single virus that wasn't a false positive.

    I really don't want anything more aggressive than Windows Defender.



  • @El_Heffe said in AV versus no AV?:

    One time I was on a web page and a message popped up asking for permission to run a Java applet. In a moment of stupidity I clicked OK. A few seconds later, the firewall alerted me that a program was trying to connect out and wanted to know if it should be allowed. Turns out that the Java applet had downloaded and launched a small executable.

    This is why the most important part of a firewall is blocking unwanted outgoing connections.

    Ok, let's say the Java applet's executable had, instead of opening a connection, gone through your documents folder and encrypted all your files and then displayed a ransomware message on your screen. How does blocking an outgoing connection help you? If you've run the malicious program on your computer with permission to access all your files, you're already screwed.


  • Discourse touched me in a no-no place

    Apparently, AV software is one of the main ways of attacking modern systems. Why? Because AV software is very highly privileged and frequently has very poor internal security. (I forget which thread here that was all discussed in.)

    All that, plus it can significantly degrade system performance in some configurations in really horrible ways. My “favourites” have always related to where a full scan of each file that is opened by any program is performed whenever the file is opened, even if the file has had no modifications from the time it was last scanned or even if the file is already open by any other current HANDLE. That has rather obvious effects when it comes to little things like local databases, program resources, temporary files, etc.

    I'm not saying never run AV, but when the cure is often nearly as bad as the disease and makes catching the disease more likely, is it really worthwhile?



  • @marczellm If it's ever Dan Kaminsky vs anybody else on anything related to computer security, the smart money bets on Kaminsky being correct.



  • @lucas1 said in AV versus no AV?:

    I also run with UAC on high while a PITA it will stop things from running as Administrator without me knowing.

    It really won't. If any part of software you've got from elsewhere has ever been allowed to run elevated - as is almost universal for installers - then it can install a service, a scheduled task or even a driver that allows any other part of itself to do likewise.


  • area_pol

    @marczellm

    Some Google security researcher argues that antivirus products are crap

    This seems to illustrate the argument well:

    Justin Schuh said in twitter:

    You misunderstand your own ignorance. AV is my single biggest impediment to shipping a secure browser.



  • @El_Heffe said in AV versus no AV?:

    This is why the most important part of a firewall is blocking unwanted outgoing connections. Something that the Windows firewall is completely useless for (at least the Windows 7 version, anyway).

    With default settings, yes, but if you go to the Windows Firewall with Advanced Security console, you'll find you can create outgoing rules and filter down to what service in an svchost is initiating the connection, which is wildly helpful for not opening up things more than you want them. I'd almost say it's the equal of commercial offerings like McAfee HIPS in some respects.



  • @marczellm said in AV versus no AV?:

    despite those few vulns, the user is still much better off with a commercial AV than without one or with a free one or with Defender.

    The difference between commercial and free AV from any given vendor, as far as I can tell, is that the commercial versions generally include some kind of firewall and some kind of "web safety" component.

    Firewalls - meh. Windows Firewall is quite adequate, and has the compatibility advantage that most software will have been tested against it to some extent. It's also at least as easy to configure to lock down outgoing traffic as any of the third-party firewalls I've seen, if that's your thing, though this isn't the default setting.

    "Web safety" components are generally best avoided, to my way of thinking, because they're almost always implemented as a local MITM proxy, those almost always include SSL bumping, and that's almost always done badly enough to rip huge holes in the security of SSL.

    As for the usefulness of scan-on-file-open anti-malware scanners: I used to think they were completely essential, but I no longer think that. This is based on years of experience administering a school network, with 120 workstations running Panda Free Antivirus (unusually for a free AV, Panda's license allows unrestricted use within any non-profit organization).

    This scanner consistently scores very highly on AV comparative tests, with excellent detection rates as well as very low false-positive rates, so I'm quite prepared to believe it's good at finding threats when they arise. It's also very unobtrusive if properly installed (uncheck all optional features offered by the installer; once installed, find your way into its Settings and turn off "Panda News").

    However, over the past five years not one of my school workstations has reported finding a single piece of malware. Over the same period, I've had to work around four issues caused by AV false positives and several more caused by self-update failures.

    The thing I did five years ago that cut malware detection rates to zero was block advertising sites at our campus Internet gateway. I now consider this to be a far stronger security measure for machines in frequent use by naive users than running an AV.

    I'm still running Panda on the school workstations because the trouble it causes is remarkably rare, as AV products go. But if I were forced to a choice between removing that and removing the ad blocking, I'd be far less unhappy to remove the AV.



  • @TimeBandit said in AV versus no AV?:

    @RaceProUK said in AV versus no AV?:

    I personally find Windows Defender plenty adequate, but I'm not going to claim it's perfect by any means.

    Always get the worst score in ever AV test I've seen.
    https://www.av-test.org/en/compare-manufacturer-results/

    Windows Defender is just like the Malicious Software Removal Tool. It has to be lightweight so it is designed to protect you against the most common infections only.

    If you need anything beyond that, consider buy some other antivirus.


  • Grade A Premium Asshole

    @flabdablet said in AV versus no AV?:

    It really won't. If any part of software you've got from elsewhere has ever been allowed to run elevated - as is almost universal for installers - then it can install a service, a scheduled task or even a driver that allows any other part of itself to do likewise.

    Yep. That is how we silently update our backup software. We deploy an update installer to our update site, the next time a backup finishes it does a version compare and if the update site has a newer version then it downloads it and installs it without user intervention at all.

    UAC is a placebo. A really annoying placebo.


  • Grade A Premium Asshole

    @heterodox said in AV versus no AV?:

    I'd almost say it's the equal of commercial offerings like McAfee HIPS in some respects.

    So shit is almost equal to a shit sandwich?

    I won't argue with you there.


  • Grade A Premium Asshole

    @cheong said in AV versus no AV?:

    Windows Defender is just like the Malicious Software Removal Tool. It has to be lightweight so it is designed to protect you against the most common infections only.
    If you need anything beyond that, consider buy some other antivirus.

    The Mailicious Software Removal tool kind of makes sense. MS finds a vulnerability, they patch it, then they release an update to MSRT in order to catch any machines that are infected before the patch. Makes sense. Got it.

    Windows Defender on the other hand...not so much. Windows Defender is like them saying, "We could patch our shit so that stuff like this doesn't happen, and make our systems secure. But instead, let's release a prophylactic measure instead of patching our shit."

    Why don't they just roll all the Windows Defender work in to Windows as security patches that don't max out all my CPU usage for no fucking reason? You get antivirus software because the OS vendor is slagging off on their job on security. What does that say when an OS vendor releases an antivirus product?

    That is tantamount to a mafioso saying, "You have a nice place here...be a real shame if something were to happen to it..."

    Also, why the hell doesn't Windows Defender pop a gigantic flashing box that says, "THERE IS A PROGRAM TRYING TO ENCRYPT EVERY SINGLE FILE YOU HAVE ACCESS TO, DO YOU WANT TO ALLOW THIS?"



  • @Polygeekery said in AV versus no AV?:

    What does that say when an OS vendor releases an antivirus product?

    They have no clue how to make the OS secure, so they put bandages on it.



  • @Polygeekery said in AV versus no AV?:

    why the hell doesn't Windows Defender pop a gigantic flashing box that says, "THERE IS A PROGRAM TRYING TO ENCRYPT EVERY SINGLE FILE YOU HAVE ACCESS TO, DO YOU WANT TO ALLOW THIS?"

    That's Kaminsky's point: working out what an exe file does in time to stop it doing it is hard.



  • @Polygeekery said in AV versus no AV?:

    Windows Defender on the other hand...not so much. Windows Defender is like them saying, "We could patch our shit so that stuff like this doesn't happen, and make our systems secure. But instead, let's release a prophylactic measure instead of patching our shit."

    Note that most malicious softwares nowadays are not equivalent to bugs to be patched.

    Afterall, the Windows Firewall is on by default and most inbound connections will be blocked. Most malicious softwares are spreaded as dancing bunnies that you need to open an email attachment or go to specific website in order to get infected. Windows Defender is protects you from "the absolute most common" infections before you get a real antivirus.

    Not to mention that from software's perspective, the OS cannot possibly tell between those ransomewares or archivers with password protection. That's the job of antivirus softwares.



  • @cheong said in AV versus no AV?:

    Windows Defender is protects you from "the absolute most common" infections before you get a real antivirus.

    That's essentially Panda Free's strategy as well, which is what makes it so lightweight. Instead of checking everything against a massive local database of signatures for every piece of malware that's ever been circulated, it caches a restricted set of signatures based on what the Panda servers have seen in circulation recently.

    Like any other decent AV tool it also does assorted kinds of heuristic behavior-based analysis on top of that, in an attempt to catch polymorphic malware designed to evade signature-based detection, which in 2016 is actually most of it.

    Behavior-based detection is where most of its false positives, such as they are, come from: most of what it's spuriously detected as malware at the school has been stuff like custom Ninite installers or admin stuff I've written myself, which have hashes the Panda servers haven't seen before.

    Panda's main by-design weakness is that it relies on a service that can be turned off using the same API used by services.msc and sc.exe and net.exe. Doing that requires elevation. There's also a "disable antivirus" feature available from the system tray UI; unlike some of the competition there's no timeout on that disabling, the underlying API for which (I'm guessing) does not require elevation. In fact the effect of this control even persists across reboots.

    I'm sure it also has the usual complement of not-by-design vulnerabilities, but at least it doesn't require you to install a MITM SSL bumper.


  • Impossible Mission Players - A

    @accalia said in AV versus no AV?:

    Avast used to be good, not sure if they've stayed on top or not. (They haven't. AVOID)

    Yeah.... :person_frowning_tone2:


  • area_pol

    @flabdablet said in AV versus no AV?:

    That's Kaminsky's point: working out what an exe file does in time to stop it doing it is hard.

    The OS is in the perfect position to stop it at the exactly right time - when it fires the syscall that is supposed to make the malicious changes.

    The challenge is to determine which action is malicious without asking the user too much. But the majority of users run a rather small set of popular programs - the OS developer can cooperate with those projects to create a reasonable set of permissions they should have by default.
    And for other cases it can just ask once and remember the rule (like: this program you just installed is allowed to access files in these directories).


  • kills Dumbledore

    @ben_lubar said in AV versus no AV?:

    Ok, let's say the Java applet's executable had, instead of opening a connection, gone through your documents folder and encrypted all your files and then displayed a ransomware message on your screen. How does blocking an outgoing connection help you?

    If it can't dial out, the encryption key is still on your machine. If it has dialled out it could have sent it and deleted it



  • @Adynathos said in AV versus no AV?:

    for other cases it can just ask once and remember the rule (like: this program you just installed is allowed to access files in these directories).

    Panda Free Antivirus had this kind of thing built in as a beta feature ("Panda Data Shield") circa 2012. It subsequently got enabled by default, then moved out of the free version into the pro one; not sure if it's still there.

    Turned out to be such a PITA for my population of naive users that I disabled it school-wide a year before Panda took it away.

    It's really hard for software - be that the OS or some third-party addon - to distinguish malicious activity from ordinary usage. Asking the users doesn't help in 90% of cases, because 90% of users have a deer-in-the-headlights freeze response when asked questions by pop-up message boxes. Most users will refuse even to attempt to understand the question being put to them, and will simply guess a default response, based on feelz, which will be inappropriate at least half the time.



  • @Jaloopa said in AV versus no AV?:

    If it can't dial out, the encryption key is still on your machine

    which does you precisely no good at all, because all of the extant ransomware uses public-key encryption. You need the matching private key to decrypt, and only the black hat has that until you buy it from them.


  • area_pol

    @flabdablet said in AV versus no AV?:

    Asking the users doesn't help in 90% of cases, because 90% of users have a deer-in-the-headlights freeze response when asked questions by pop-up message boxes.

    I can imagine more convenient solutions, very similar to what the user already does.

    For example, if a program wants to save a file, it will ask the OS to display a "Save As" dialog. The user will choose the file location and the OS will mark it as allowed for the program.
    Or the files would be saved by default to a "workspace location for this program" (many programs have that already).

    An installer/updater would have permission to write to a chosen/default installation directory for the software, but nowhere else.



  • @flabdablet an honest question, not trying to incite anything: do you think ransomware comes with a pre-generated pubkey and C&C is able to match a particular infected PC to the appropriate privkey upon call? While possible, it seems a little silly to consider that the Bad Guys (tm) have a few privkeys and launch malware to replicate, all armed with the same pubkey; especially since a couple years ago someone found that some Android (I think it was) ransomware has a vulnerability letting them extract the privkey from its memory (I'm sorry, details elude me at the moment and can't really go search).



  • @Adynathos said in AV versus no AV?:

    The OS is in the perfect position to stop it at the exactly right time - when it fires the syscall that is supposed to make the malicious changes.

    Okay, so let's take the encryption example. The syscall is write. Huh, well that doesn't tell us much. So let's read over everything that's going to be written to see if it looks like encrypted data. Oh, by design it's impossible to tell encrypted data from random data. Also you're now way over your syscall time limit; users will no longer use your operating system because it's "too slow".

    0_1480687380671_Trump-Youre-Fired-300x300.jpg


  • area_pol

    @heterodox said in AV versus no AV?:

    Okay, so let's take the encryption example. The syscall is write. Huh, well that doesn't tell us much.

    It tells us the location of the file with all the metadata the OS might store about it.
    Was there any user action leading to this program processing the file?
    Was this program selected to deal with files in this location or of this type?
    Which program was used to create this file in the first place?

    For example, if a program wants to save a file, it will ask the OS to display a "Save As" dialog. The user will choose the file location and the OS will mark it as allowed for the program.
    Or the files would be saved by default to a "workspace location for this program" (many programs have that already).


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.