Bruce Schneier: "Is Anti-Virus Dead?"

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Bruce Schneier: "Is Anti-Virus Dead?"

Post by Tom T. »

Interesting article by world-class cryptographer and security expert Bruce Schneier: http://www.schneier.com/blog/archives/2 ... us_de.html , containing links to many others, discussing whether AV is still worthwhile as viruses proliferate and mutate, and signature-based detection systems lag behind. He discusses pros and cons. Schneier's conclusion:
Bruce Schneier wrote: Bottom line: antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective. I haven't dumped my antivirus program, and I have no intention of doing so anytime soon.
This came from a debate with Marcus Ranum, CSO of Tenable Network Security, whose opposing viewpoint is here: http://searchsecurity.techtarget.com/ma ... 62,00.html

Both points of view, as well as the articles linked in the Schneier essay, are good food for thought. There is no "magic bullet"; complacency is the enemy; defense in depth and best practices will do the most to protect us, but the users are still the weakest link and must take responsibility.

Highly-recommended reading. All comments welcome.
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by GµårÐïåñ »

Great summary post Tom, thank you.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by luntrus »

Hi forum friends,

That is a recurring discussion. Some say that experts have no need for av solutions. For the traditional scanning part one could make do with the occasional combination of non-resident scanners, but I would not recommend this for the average user. Advanced users will drop their rights when their online activities do not need full admin rights. That stops 97% of the known Windows malcode from doing harm to the OS (what you cannot do to system32, malware cannot do either).
Another thing is active webshield scanning for infested webpages (a similar issue, for which we all here use NS to be protected). http://www.itsecurity.com/features/do-y ... re-050808/

What has made av solutions less effective is that malcode is ever changing and won't last longer than 24 hours before being detected and countered by anti-malware proggies, so the malcreants are on the winning side, and the vulnerability window is left wide open during a short, specific critical time.

Update, upgrade, protect through layered protection, in-the-cloud protection like ImmunetProtect, whitelisting rather than blacklisting against the ever expanding ocean of malicious software that is constantly kept under the radar: these are new ways to protect. We have to leave the old paradigms, my dear forum friends. We want to sandbox, we want to curb all (mal)code we do not need, we want to refrain from requests that are not made on our behalf (RP). I would like to hear more ideas about new ways of layered protection, and for some situations, alas, we still need good old-fashioned resident av; see the conclusion at this link: http://www.brighthub.com/computing/wind ... /3034.aspx

luntrus
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by Tom T. »

Hi luntrus:

Schneier pretty much agreed with what you said (as do I). The only point I'd like to add is in response to this:
luntrus wrote: Advanced users will drop their rights when their online activities do not need full admin rights. That stops 97% of the known Windows malcode from doing harm to the OS (what you cannot do to system32, malware cannot do either).
Not all malware needs system32 access. The malware in question resided solely in a folder in the "hidden" (by default) location, \username\local settings\application data. And since I run sandboxed, when I was able to reproduce the issue, the malware folder would have gone into a cloned, virtual location of the above. It was deleted when the sandbox was emptied, so I couldn't reproduce it the next day. No system32 access was needed.

But otherwise, I agree with you.

Tom T.
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by luntrus »

Hi Tom T.,

I was too specific there; well, if I have to rephrase it, I would say that if a user uses just user rights, the malware cannot get access to specific system files (as a portion of malware does, as per my example) or make changes to the registry or make specific hooks or hijack certain processes. So what I cannot do to the OS of the machine with normal user rights, 97% of the malware cannot perform either. So one major piece of advice to Windows users would be to drop their rights when they go online.
Another way to do this on Windows XP SP3 is a program like SafeXP. If the next step is to use in-browser security with an extension that enhances security like NS and RP, the user has acquired far more security, and if the user is given the advice to fully update and patch and to keep his third-party critical applications up to date with Secunia PSI, this user has learned another essential step towards security. There are some more things to top this off, but these are some basic measures everyone could take.

luntrus
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by Tom T. »

Hi luntrus,

Yes, I understand you now. You were just using s32 as a metaphor for administrative access to the system, and of course I agree with you that browsing as a limited user greatly reduces risk versus browsing as Admin.

Are you familiar with the DropMyRights utility, which will allow *any* browser to be run in limited-user mode? In other words, you can be logged on to Windows as Admin, so that you can do any necessary chores, etc., yet still run the browser in limited mode. It merely strips off the admin privilege token as the browser launches. The developer, Michael Howard of msdn, does not seem to have the page up any more, possibly because he figured that Vista's user access controls would do the same thing. But the last I saw, XP still had almost three times the market share of Vista, so it could be useful. You can probably find it archived on the Web somewhere, but if not, I'll dig out the documentation from a backup, and if necessary, send you the installer. Possibly your site could host it for your users, as it was freeware and the code was right there on the page. The .exe is only 56k and zips smaller. No "installation" is required; you just extract the zip files to the desired directory, then make a new shortcut to your browser that goes through DropMyRights first.

I used to use it all the time, but now that I run sandboxed 100% of the time, it's kind of redundant, because Sandboxie doesn't let *anything* write to the HD, unless you modify the configuration file to allow, say, bookmarks and user prefs, which I do. This is another level of defense in depth that achieves your worthwhile goal of denying web sites administrative access to your system.

Cheers,
Tom
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by computerfreaker »

Hi!

Just a couple of thoughts here...

* First, admin access isn't required for destruction - I have a program (won't post the link unless someone requests it) that is designed to keep little kids from screwing something up on the computer. The program hooks into the keyboard and blocks certain keystrokes, even as a limited user. Of course, my program isn't malware, and the hooks are opt-in, but...

* Next, even though DropMyRights might not be publicly available anymore, Process Explorer from SysInternals has the same feature. "Run with limited privileges" or something like that...

* Finally, I think AV software is still a necessary thing, even for tech-savvy users. No, AV sw can't catch everything - what can? - but it can provide some valuable protection. As humans, we're vulnerable to being tricked by all kinds of scams; even if someone recognizes 99% of those scams, all it takes is one successful scam to install Trojans, empty a bank account or worse.
The key here is multiple layers of defense, and AV software, IMHO, comprises an effective & potent layer.
I recently saw a "hacklog" - the transcript of a black-hat's successful assaults on several people's computers. In that hacklog, the blackhat wrote something along the lines of "Why bother with all these elaborate defenses if you're leaving the simple attack routes open? As long as we can do something simple, we'll leave the complex stuff alone." Many viruses are ancient ones, targeting vulnerabilities that have been fixed long ago - except for the people who haven't bothered to patch their systems.
The point is, yes, viruses are constantly evolving, but not as quickly as some people think. Old viruses are still out there, and any effective AV will catch those and destroy them even if the user doesn't realize they're there.
Until the day when all viruses are like Conficker, AV software will still be needed & used... and heck, by that point AV will probably have evolved to a similar point. The race will probably go on forever...

Just MHO.
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by dhouwn »

computerfreaker wrote:* Finally, I think AV software is still a necessary thing, even for tech-savvy users. No, AV sw can't catch everything - what can? - but it can provide some valuable protection.
What about false positives? Is there any easy way for non-tech-savvy users to recognize false alarms? I don't think so.

Anti-virus software might lull people into a false sense of security.
An anecdote: There was this application (it was actually a game) which – when on Vista/Win7 – requested rights elevation (admin rights) before the start, otherwise it wouldn't run. This was because in its embedded manifest file it had a certain flag set. After unsetting the flag by modifying the executable file (which could have been detected as cheating BTW) and through testing, I came to the conclusion that the application was running fine without admin rights except when in need of updating itself. So I posted at the official support forum asking them to change the behaviour so that the elevation request would be triggered through API calls instead and only before updating itself. While I didn't get any answer from the developers, members at the board told me that I shouldn't care so much, just deactivate UAC, get a desktop firewall and AV software and everything would be alright. This was at the same time when, at a similar game, mostly undetected malware came through an open security hole infecting fellow players…

Also, it is always nice to hear about Windows-powered voting machines being protected by AVs, because if someone had the plan to manipulate an election, he surely wouldn't be able to afford custom-built malware now, would he?… :roll:
(I wouldn't be surprised if some ATM machines [which AFAIK are mostly OS/2- or Windows-based] were 'protected' in the same manner)
computerfreaker wrote:The point is, yes, viruses are constantly evolving, but not as quickly as some people think. Old viruses are still out there, and any effective AV will catch those and destroy them even if the user doesn't realize they're there. The race will probably go on forever...
The classical functioning of an AV software is signature based. Do you compare creating signatures for malware (and non-malware in case of false positives) to running a race? Quite uneven race tracks, eh?
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by computerfreaker »

computerfreaker wrote:* Finally, I think AV software is still a necessary thing, even for tech-savvy users. No, AV sw can't catch everything - what can? - but it can provide some valuable protection.
dhouwn wrote:What about false positives? Is there any easy way for non-tech-savvy users to recognize false alarms? I don't think so.
I doubt it. Especially when prominent, well-trusted software makers such as PortableApps.com get their apps flagged, non-tech-savvy users probably wonder if they can trust anyone.
However, I liken this to a deadbolt on the front door - sure, it's eventually going to lock a legitimate person (friend, relative, even spouse) outside. But it's sure as heck better than letting in a bunch of gorilla-like goons with guns, right?
dhouwn wrote:Anti-virus software might lull people into a false sense of security.
An anecdote: There was this application (it was actually a game) which – when on Vista/Win7 – requested rights elevation (admin rights) before the start, otherwise it wouldn't run. This was because in its embedded manifest file it had a certain flag set. After unsetting the flag by modifying the executable file (which could have been detected as cheating BTW) and through testing, I came to the conclusion that the application was running fine without admin rights except when in need of updating itself. So I posted at the official support forum asking them to change the behaviour so that the elevation request would be triggered through API calls instead and only before updating itself. While I didn't get any answer from the developers, members at the board told me that I shouldn't care so much, just deactivate UAC, get a desktop firewall and AV software and everything would be alright. This was at the same time when, at a similar game, mostly undetected malware came through an open security hole infecting fellow players…
hmm, that's disturbing... still, AV software could possibly catch that.
Here's one of my AV experiences: I was doing a music search a few years ago (when I was still idiotic enough to use IE) and stumbled onto a "loaded" site. I never knew it was "loaded" until McAfee popped up a warning saying "such-and-such virus has been detected and deactivated"; to this day, I don't know what website hit me, but it no longer matters. AV saved my hide when I wasn't smart enough to.
dhouwn wrote:Also, it is always nice to hear about Windows-powered voting machines being protected by AVs, because if someone had the plan to manipulate an election, he surely wouldn't be able to afford custom-built malware now, would he?… :roll:
Interesting. Reminds me of a recent story about how a couple of programmers managed to trigger a buffer overflow in an incredibly secure voting system (wish I could find the link... the stuff those guys had to do to even get their code running, let alone trigger an overflow, was absolutely insane) and used that overflow to change the votes cast in the machine. Fortunately, these were white-hats working on some retired voting machines, so nothing evil came of it... still interesting though.
dhouwn wrote:(I wouldn't be surprised if some ATM machines [which AFAIK are mostly OS/2- or Windows-based] were 'protected' in the same manner)
I should hope so... AV won't stop the pinstripe readers though.
computerfreaker wrote:The point is, yes, viruses are constantly evolving, but not as quickly as some people think. Old viruses are still out there, and any effective AV will catch those and destroy them even if the user doesn't realize they're there. The race will probably go on forever...
dhouwn wrote:The classical functioning of an AV software is signature based. Do you compare creating signatures for malware (and non-malware in case of false positives) to running a race? Quite uneven race tracks, eh?
Some AV's are upgrading to behavior-based tactics... but yes, I agree about the evenness - and lack thereof - of the race tracks. By its very nature, AV is stuck playing second fiddle... and my guess is it will always be that way.
My original point remains though - AV isn't perfect (what is?), but it does provide a valuable layer of defense IMHO.

Cheers! :)
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by therube »

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by Tom T. »

More interesting points of view. And who knew that Cisco's chief security officer was also host of The Daily Show? :lol: (cleverly altering the spelling of his first name).

The other side of the argument is that there are still old threats out there, and that many users still do dumb things like open e-mail attachments from strangers, etc. If interested, please read Bruce Schneier's response, in which he said he wasn't going to dump his AV any time soon.

The viewpoint at the link-from-link was for a corporate environment, which might have much different needs and priorities from the home user. For one thing, home AV is available at no cost. And there are far fewer users to educate as to safe surfing practices. So the downside is less.

I'm aware that you choose not to use AV, and I have no problem with that, though I'd still recommend it for most home users (despite a recent thread showing a dramatic failure of detection). There is no one answer, and thanks for posting that article from Giorgio's blog. :)
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by luntrus »

Hi Tom T.

I agree with you that the number of users who can protect themselves through secure online practices and layered protection (not using full rights when not absolutely necessary, being fully updated and patched, checking everything that lands on the machine, keeping an eye on logs, processes, dll's, hooks, API's, BHO's, ActiveX, malcode and scripts to see if they are legit and not malcoded, and using script and ads/tracking and request blocking where appropriate, or using whitelisting and blacklisting for malicious or dubious hosts) is too small to generally preach abandoning the use of a common av solution (signature, heuristic, in-the-cloud, IP-blocking, webshield etc. etc.), additional anti-spyware and a two-way software firewall on a Windows OS.
Even for the experts it is hard to know the obscure corners of the ever changing malware landscape well enough to close the vulnerability gap just on safe practices and limiting risks. On the other hand, educating people to no longer use a browser a la default, an OS a la default, and to educate them where the real risks are (online threats, social engineering, holes and vulnerabilities of software and websites alike, malicious script as a main route to infestations of all sorts) is a task that weighs heavy on our shoulders, notwithstanding the fact that this task seems immense, and in the meantime users will get infected by the millions, bot armies growing also due to the reluctance of ad-launchers, clickstream sellers, profilers, and other adversaries to find proper solutions. We have NoScript to cling to, but the vast majority just live on hope not to encounter malicious code...

luntrus
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Bruce Schneier: "Is Anti-Virus Dead?"

Post by Tom T. »

Agree with luntrus.

As a real-world example, I have a zero-tech-knowledge friend who sent me a Word doc. I saw a strange thing in it: a green half-circle that just ran around in a circle.
I looked at File >Properties > Statistics > Objects and saw *one* object. There was no reason for any embedded objects to be in this document, and I don't believe this person would know how to add one (or what one was). I suspected infection, said so, and asked about any other "strange happenings".

The user then described a few: sometimes running extremely slow, Fx freezes or crashes, and IIRC, an occasional BSOD.

I was certain the machine was infected. It had Norton AV installed, and while I don't like to knock specific products, I've seen other complaints about Norton. In fairness, I don't think it was up-to-date anyway -- there's some annual "subscription charge" that hadn't been paid, IIRC.

So I gave the list of detection tools to try. Bottom line: Over *200* infected files, mostly adware, a few spyware, and a Trojan or two. They eventually got them all removed using the recommended suite of tools.

I've seen surveys that show that 80-90% of home computers have at least one infection. Here's a real-world example. An effective, up-to-date AV might not have prevented them all, as we know from other experience, but could have cut that number drastically, at least. And there are plenty of useful AV tools out there that cost nothing for non-commercial home use, like our friend luntrus' Avast. So it seems that for most users, one of the good freeware AV tools, with free and automatic updating, is a no-brainer. Power-users who can make all the choices that luntrus describes can make their own decision on this matter, but that's probably less than 1% of the population. For the other 99%, no cost, no effort (self-updating), maybe a general machine scan scheduled monthly, has almost no downside.
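The embedded-object check Tom T. did by hand (File > Properties > Statistics > Objects), as an added example that is not part of his post: a Python triage script for OOXML .docx files, which are zip archives, that counts embedded objects and flags any surplus over what the document should contain. The sample documents are constructed inside the script; the relationship type URIs are the standard OOXML ones, and the script assumes the .docx format rather than the older binary .doc.

```python
"""Triage: count embedded objects in a .docx and flag the unexpected ones.
Added example, not from the forum post. Embedded OLE objects and packaged
files live under word/embeddings/ and are referenced from
word/_rels/document.xml.rels by an oleObject or package relationship."""
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OBJECT_REL_TYPES = {REL_NS + "oleObject", REL_NS + "package"}
DOC_RELS = "word/_rels/document.xml.rels"


def embedded_objects(docx_bytes):
    """Return sorted archive paths of embedded objects in a .docx.
    Both the embeddings folder and the relationship file are consulted, so
    an object that is referenced but stored elsewhere is still reported."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        found.update(n for n in names
                     if n.startswith("word/embeddings/") and not n.endswith("/"))
        if DOC_RELS in names:
            root = ET.fromstring(zf.read(DOC_RELS))
            for rel in root.iter():
                if not rel.tag.endswith("Relationship"):
                    continue  # skip the <Relationships> container
                if rel.get("Type") in OBJECT_REL_TYPES:
                    target = rel.get("Target", "")
                    # Targets are relative to word/ unless they start with "/".
                    path = target.lstrip("/") if target.startswith("/") else "word/" + target
                    found.add(path)
    return sorted(found)


def triage(docx_bytes, expected_objects=0):
    """A plain letter from a non-technical sender should carry zero objects;
    any surplus is a reason to scan the file and the sending machine."""
    objects = embedded_objects(docx_bytes)
    if len(objects) > expected_objects:
        return "SUSPICIOUS: %d unexpected embedded object(s): %s" % (
            len(objects) - expected_objects, ", ".join(objects))
    return "OK: %d embedded object(s)" % len(objects)


def build_sample_docx(with_object):
    """Construct a minimal .docx-shaped archive for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if with_object:
            rels.append('<Relationship Id="rId9" Type="%soleObject" '
                        'Target="embeddings/oleObject1.bin"/>' % REL_NS)
            # Constructed payload: OLE compound-file magic followed by filler bytes.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 16)
        rels.append("</Relationships>")
        zf.writestr(DOC_RELS, "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docx(with_object=False)))  # OK: 0 embedded object(s)
    print(triage(build_sample_docx(with_object=True)))   # SUSPICIOUS: 1 unexpected ...
```

On a real file, pass `open(path, "rb").read()` to `triage()`; a document that legitimately carries an embedded spreadsheet gets `expected_objects=1` so only the surplus is flagged.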