PC Review


Anti-virus wars start up again (It's time to party like it's the 1999)

 
 
Virus Guy
28th Jan 2012
What a joke.

I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if today
they're shelling out for $1 million+ contracts for AV garbage-ware.

Because as we all know, AV products today are really good at telling you
that your system got hacked - a few weeks ago.

----------------------------

http://news.techeye.net/security/ant...start-up-again

Anti-virus wars start up again
It's time to party like it's the 1999
27 Jan 2012 09:16

It is starting to look like the anti-virus wars are starting up again.

For those who came in late, the 1990s were a time where AV companies
were engaged in hand-bag warfare which was as ruthless as it was
entertaining. It was a time when there was a lot of competition in the
marketplace and hacks were taken to secret briefings to explain why the
other side were such rubbish. It was a time when you used to get press
releases like "McAfee has asked Dr Solomon's Software to reduce the
virus detection rate of Dr Solomon's product because McAfee is unable to
keep up with the volume of viruses, and can't achieve the same level of
virus detection."

These days it has been comparatively quiet. Network Associates, which
famously slagged off Dr Solomon during a staff barbecue, is now McAfee
again and part of Intel. It seems that only Kaspersky has managed to
retain the bile which was a trademark of those times.

Still, imagine our surprise, when Reuters ran a story this morning where
McAfee rejected a claim that several large corporate customers had
recently switched over to using products from rival Symantec. Needless
to say the comment came from Symantec Chief Financial Officer James Beer
who claimed that his outfit was taking share in the anti-virus software
market away from McAfee, which was bought by Intel.

====================
http://www.reuters.com/article/2012/...80P23S20120126

Intel bought McAfee in a $7.7 billion deal meant to spur growth at the
world's top chipmaker and also help it better protect its products from
hackers. Investors are still waiting to see whether that bet will yield
results.

McAfee laid off about 3 percent of its workers, or about 250 employees,
in December.
====================

This was vintage 1990s stuff, and once upon a time we would have said
"yeah right" and probably ignored it. This was mostly because Beer
declined to identify who the customers were.

But now McAfee Senior Vice President for Finance and Accounting Edward
Hayden has struck back saying that the claim was false. He pointed out
that his company had booked a record amount of business in its December
quarter, signed its biggest deal ever and closed more sales over $1
million than it had in any single period.

He said he was "not aware of any major account" that lost to Symantec
during the quarter.

Again, all unprovable stuff and vintage "he said, we say" stuff from
1997. Would the vice president of finance know if he had lost any major
customers anyway?
 

FromTheRafters
28th Jan 2012
Virus Guy wrote:
> What a joke.
>
> I thought that big corps were getting wise to the fallacy of AV
> protection 5 years ago. Seems they were only getting dumber if today
> they're shelling out for $1 million+ contracts for AV garbage-ware.
>
> Because as we all know, AV products today are really good at telling you
> that your system got hacked - a few weeks ago.


AV is still useful for preventative (albeit reactive) protection against
most *viruses*. As for hacks and general malware it seems to have taken
more of a removal after-the-fact role as viruses become less prevalent.
IMO this has led to them being more of an enabling influence on those
bad behaviors that users always tend toward.

It's the damned marketing schemes that are a joke.

[...]
 

Bear
28th Jan 2012
On 1/28/2012 7:51 AM, FromTheRafters wrote:
> Virus Guy wrote:
>> What a joke.
>>
>> I thought that big corps were getting wise to the fallacy of AV
>> protection 5 years ago. Seems they were only getting dumber if today
>> they're shelling out for $1 million+ contracts for AV garbage-ware.
>>
>> Because as we all know, AV products today are really good at telling you
>> that your system got hacked - a few weeks ago.
>
> AV is still useful for preventative (albeit reactive) protection against
> most *viruses*. As for hacks and general malware it seems to have taken
> more of a removal after-the-fact role as viruses become less prevalent.
> IMO this has led to them being more of an enabling influence on those
> bad behaviors that users always tend toward.
>
> It's the damned marketing schemes that are a joke.
>
> [...]


Yes, things shifted remarkably a while back. As a result, I shifted my
strategies from reaction to recovery.

I make a factory (with MS Updates) and pristine image and use the
pristine image. As time goes on and enough MS Updates have happened or I
decide to make a permanent change to my system, I reload the pristine
image, make the updates and changes and re-image that, which becomes the
new pristine image, and keep the old one as a backup. I continue this
approach but only keep the two latest images (the factory clean image is
permanent).

The pristine image is the factory image with all MS and other updates
and all of your data and programs. Every now and then, I load the
factory image and load the new MS updates and re-image that.

This ensures, as well as can be, that you always have a clean system.
This means you keep at least three images. If you run into malware
reactively, simply reload your most current pristine image. Such takes
30 minutes or less - usually much less time than it takes to react
properly to malware.

IMO, most discussion about how to deal with malware is made moot with
this approach. This doesn't mean prevention attempts aren't important!



--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail
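An added example, not code from this thread or from bearware.info: a small Python model of the three-image scheme described above (factory image kept permanently, only the two latest pristine images retained), extended with a SHA-256 manifest that is recorded when each image is made and re-checked before a restore, so an image that has been tampered with or silently corrupted is skipped instead of restored. The manifest file name, the image names and the scratch directory are constructed for the demo; in practice the manifest should live on read-only media away from the imaged machine.

```python
import hashlib
import json
import os
import tempfile

MANIFEST = "manifest.json"  # hypothetical name; keep a copy off the imaged machine
MAX_PRISTINE = 2            # newest pristine image plus one older backup


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(store):
    path = os.path.join(store, MANIFEST)
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save_manifest(store, manifest):
    with open(os.path.join(store, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2)


def add_image(store, name, data, kind):
    """Write an image, record its hash and sequence number, rotate, return kept names.
    kind is "factory" (kept forever) or "pristine" (subject to rotation)."""
    os.makedirs(store, exist_ok=True)
    path = os.path.join(store, name)
    with open(path, "wb") as f:
        f.write(data)
    manifest = load_manifest(store)
    seq = 1 + max((m["seq"] for m in manifest.values()), default=0)
    manifest[name] = {"sha256": sha256_file(path), "kind": kind, "seq": seq}
    save_manifest(store, manifest)
    return rotate(store)


def _pristine_newest_first(manifest):
    names = [n for n, m in manifest.items() if m["kind"] == "pristine"]
    return sorted(names, key=lambda n: manifest[n]["seq"], reverse=True)


def rotate(store):
    """Keep the MAX_PRISTINE newest pristine images; the factory image is never removed."""
    manifest = load_manifest(store)
    for old in _pristine_newest_first(manifest)[MAX_PRISTINE:]:
        os.remove(os.path.join(store, old))
        del manifest[old]
    save_manifest(store, manifest)
    return sorted(manifest)


def verify(store, name):
    """True only if the image is listed and still hashes to the value recorded at creation."""
    entry = load_manifest(store).get(name)
    path = os.path.join(store, name)
    if entry is None or not os.path.exists(path):
        return False
    return sha256_file(path) == entry["sha256"]


def restore_candidate(store):
    """Newest pristine image that still verifies, then the factory image, else None."""
    manifest = load_manifest(store)
    factory = [n for n, m in manifest.items() if m["kind"] == "factory"]
    for name in _pristine_newest_first(manifest) + factory:
        if verify(store, name):
            return name
    return None


def make_temp_store():
    return tempfile.mkdtemp(prefix="imgstore-")  # constructed stand-in for external storage
```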
 

FromTheRafters
28th Jan 2012
Bear wrote:
> On 1/28/2012 7:51 AM, FromTheRafters wrote:
>> Virus Guy wrote:
>>> What a joke.
>>>
>>> I thought that big corps were getting wise to the fallacy of AV
>>> protection 5 years ago. Seems they were only getting dumber if today
>>> they're shelling out for $1 million+ contracts for AV garbage-ware.
>>>
>>> Because as we all know, AV products today are really good at telling you
>>> that your system got hacked - a few weeks ago.
>>
>> AV is still useful for preventative (albeit reactive) protection against
>> most *viruses*. As for hacks and general malware it seems to have taken
>> more of a removal after-the-fact role as viruses become less prevalent.
>> IMO this has led to them being more of an enabling influence on those
>> bad behaviors that users always tend toward.
>>
>> It's the damned marketing schemes that are a joke.
>>
>> [...]
>
> Yes, things shifted remarkably a while back. As a result, I shifted my
> strategies from reaction to recovery.
>
> I make a factory (with MS Updates) and pristine image and use the
> pristine image. As time goes on and enough MS Updates have happened or I
> decide to make a permanent change to my system, I reload the pristine
> image, make the updates and changes and re-image that, which becomes the
> new pristine image, and keep the old one as a backup. I continue this
> approach but only keep the two latest images (the factory clean image is
> permanent).
>
> The pristine image is the factory image with all MS and other updates
> and all of your data and programs. Every now and then, I load the
> factory image and load the new MS updates and re-image that.
>
> This ensures, as well as can be, that you always have a clean system.
> This means you keep at least three images. If you run into malware
> reactively, simply reload your most current pristine image. Such takes
> 30 minutes or less - usually much less time than it takes to react
> properly to malware.
>
> IMO, most discussion about how to deal with malware is made moot with
> this approach. This doesn't mean prevention attempts aren't important!
>

IMO, disaster recovery should take a back seat to prevention. The reason
being that some types of malware can hose your recovery scheme. That is,
all but the original pristine image as laid out in your stated scheme
are at risk - even updates of that original pristine image are
susceptible to corruption.

Everyone should have disaster recovery plans for the kind of disasters
that cannot be outright prevented. These just *happen* - they don't lurk
and data diddle for months before being discovered and pose a threat to
even your off-site backups.

Backup/restore/recovery schemes are for disaster recovery and general
security (risk reduction) and not an antimalware or antivirus scheme
which are IMO *supposed to be* preventative in nature.

First, prevent infestation of malware as best you can, then treat what
*will still* get through (there are no 100% effective detectors) as a
disaster and hope that your disaster recovery plan wasn't infiltrated.

 

kurt wismer
28th Jan 2012
On Jan 28, 12:40 pm, FromTheRafters <erra...@nomail.afraid.org> wrote:
> Bear wrote:
> > On 1/28/2012 7:51 AM, FromTheRafters wrote:
> >> Virus Guy wrote:
> >>> What a joke.
> >>>
> >>> I thought that big corps were getting wise to the fallacy of AV
> >>> protection 5 years ago. Seems they were only getting dumber if today
> >>> they're shelling out for $1 million+ contracts for AV garbage-ware.
> >>>
> >>> Because as we all know, AV products today are really good at telling you
> >>> that your system got hacked - a few weeks ago.
> >>
> >> AV is still useful for preventative (albeit reactive) protection against
> >> most *viruses*. As for hacks and general malware it seems to have taken
> >> more of a removal after-the-fact role as viruses become less prevalent.
> >> IMO this has led to them being more of an enabling influence on those
> >> bad behaviors that users always tend toward.
> >>
> >> It's the damned marketing schemes that are a joke.
> >>
> >> [...]
> >
> > Yes, things shifted remarkably a while back. As a result, I shifted my
> > strategies from reaction to recovery.
> >
> > I make a factory (with MS Updates) and pristine image and use the
> > pristine image. As time goes on and enough MS Updates have happened or I
> > decide to make a permanent change to my system, I reload the pristine
> > image, make the updates and changes and re-image that, which becomes the
> > new pristine image, and keep the old one as a backup. I continue this
> > approach but only keep the two latest images (the factory clean image is
> > permanent).
> >
> > The pristine image is the factory image with all MS and other updates
> > and all of your data and programs. Every now and then, I load the
> > factory image and load the new MS updates and re-image that.
> >
> > This ensures, as well as can be, that you always have a clean system.
> > This means you keep at least three images. If you run into malware
> > reactively, simply reload your most current pristine image. Such takes
> > 30 minutes or less - usually much less time than it takes to react
> > properly to malware.
> >
> > IMO, most discussion about how to deal with malware is made moot with
> > this approach. This doesn't mean prevention attempts aren't important!
>
> IMO, disaster recovery should take a back seat to prevention. The reason
> being that some types of malware can hose your recovery scheme. That is,
> all but the original pristine image as laid out in your stated scheme
> are at risk - even updates of that original pristine image are
> susceptible to corruption.
>
> Everyone should have disaster recovery plans for the kind of disasters
> that cannot be outright prevented. These just *happen* - they don't lurk
> and data diddle for months before being discovered and pose a threat to
> even your off-site backups.
>
> Backup/restore/recovery schemes are for disaster recovery and general
> security (risk reduction) and not an antimalware or antivirus scheme
> which are IMO *supposed to be* preventative in nature.
>
> First, prevent infestation of malware as best you can, then treat what
> *will still* get through (there are no 100% effective detectors) as a
> disaster and hope that your disaster recovery plan wasn't infiltrated.


the first step is prevention, certainly agree with you there. if you
can prevent going through the following cycle at the first stage,
that's a lot of effort you don't have to expend.

next is detection of preventative failures, because no prevention can
ever be perfect.

next is diagnosis of what you failed to prevent, because you need to
know everything it did in order to know what steps need to be taken in
recovery. you also need to know where it came from if you're going to
involve the authorities as well as what files to send to vendors so
they can improve their products. you also need to know how the
compromise was able to succeed for when you re-evaluate your defenses.

next is reporting to authorities, because if nothing is done about the
person responsible for the compromise they will most likely continue.
home users may not consider this a meaningful step, since their
individual losses aren't likely to be enough to warrant the
authorities' time, but their compromise could be part of something
much bigger. of course for enterprises, reporting to authorities
becomes much more meaningful. additionally, reporting to authorities
can include reporting malware samples to vendors. this has meaningful
benefits to all sectors.

after that is recovery (don't want to do it before reporting to
authorities as you may be compromising opportunities to gain valuable
intelligence about the person or people involved, or lose access to
the malware samples). with the kinds of malware out there these days,
recovery can easily extend beyond the confines of your hard drive, so
while good backups and/or drive images are a must, they are only the
beginning.

finally there's re-evaluation of your defenses, because there may be
improvements you can make so that prevention will work even better the
next time.

this is a feedback loop that has the potential to make prevention
incrementally better with each iteration, as well as taking select
attackers out of the equation in the future. making prevention better
with each iteration is important because you don't want to expose the
same vulnerabilities to attackers over and over again - you'll just
get pwned the same way over and over again.

there once was this concept of the PDR triad (prevention, detection,
recovery), but laziness has turned that into something that is done on
automatic, without thought or rigor, and without any of the implicit
steps that lead to improvements - that's why i expand it out to
explicitly list those steps.
 

Bear
28th Jan 2012
On 1/28/2012 11:40 AM, FromTheRafters wrote:
> Bear wrote:
>> On 1/28/2012 7:51 AM, FromTheRafters wrote:
>>> Virus Guy wrote:
>>>> What a joke.
>>>>
>>>> I thought that big corps were getting wise to the fallacy of AV
>>>> protection 5 years ago. Seems they were only getting dumber if today
>>>> they're shelling out for $1 million+ contracts for AV garbage-ware.
>>>>
>>>> Because as we all know, AV products today are really good at telling you
>>>> that your system got hacked - a few weeks ago.
>>>
>>> AV is still useful for preventative (albeit reactive) protection against
>>> most *viruses*. As for hacks and general malware it seems to have taken
>>> more of a removal after-the-fact role as viruses become less prevalent.
>>> IMO this has led to them being more of an enabling influence on those
>>> bad behaviors that users always tend toward.
>>>
>>> It's the damned marketing schemes that are a joke.
>>>
>>> [...]
>>
>> Yes, things shifted remarkably a while back. As a result, I shifted my
>> strategies from reaction to recovery.
>>
>> I make a factory (with MS Updates) and pristine image and use the
>> pristine image. As time goes on and enough MS Updates have happened or I
>> decide to make a permanent change to my system, I reload the pristine
>> image, make the updates and changes and re-image that, which becomes the
>> new pristine image, and keep the old one as a backup. I continue this
>> approach but only keep the two latest images (the factory clean image is
>> permanent).
>>
>> The pristine image is the factory image with all MS and other updates
>> and all of your data and programs. Every now and then, I load the
>> factory image and load the new MS updates and re-image that.
>>
>> This ensures, as well as can be, that you always have a clean system.
>> This means you keep at least three images. If you run into malware
>> reactively, simply reload your most current pristine image. Such takes
>> 30 minutes or less - usually much less time than it takes to react
>> properly to malware.
>>
>> IMO, most discussion about how to deal with malware is made moot with
>> this approach. This doesn't mean prevention attempts aren't important!
>>
>
> IMO, disaster recovery should take a back seat to prevention. The reason
> being that some types of malware can hose your recovery scheme. That is,
> all but the original pristine image as laid out in your stated scheme
> are at risk - even updates of that original pristine image are
> susceptible to corruption.


I think images should be made first, not after, and most people can do
this much more easily than trying to clean their computer, which is iffy. As
for the pristine images becoming corrupt, that is a possibility, which /is/ the
reason for keeping a factory image with MS updates, though your pristine
images are made from your factory image and no surfing/use time is on
them, which makes it more unlikely - thus the name pristine. Your factory
recovery disks or a factory image stored on your computer is nice - but
MS updates can mount up to the point of days to add them, though that
/is/ the last recourse.
>
> Everyone should have disaster recovery plans for the kind of disasters
> that cannot be outright prevented. These just *happen* - they don't lurk
> and data diddle for months before being discovered and pose a threat to
> even your off-site backups.


Very true.
>
> Backup/restore/recovery schemes are for disaster recovery and general
> security (risk reduction) and not an antimalware or antivirus scheme
> which are IMO *supposed to be* preventative in nature.


I list a myriad of reasons for maintaining images on my website - hard
drive crashes etc. You can't depend on prevention. There is no silver
bullet. This ideology is wrong IMO but prevalent among mostly techs or
very experienced users. It might be good for them/us, but not average users.
>
> First, prevent infestation of malware as best you can, then treat what
> *will still* get through (there are no 100% effective detectors) as a
> disaster and hope that your disaster recovery plan wasn't infiltrated.
>

NO! First make your images. Then prevent as best you can. If you get
infected and unless you are an expert at cleaning malware or want to pay
one, reload your image. Self-sufficient.

Even experts (I know this as fact) miss malware and /think/ they got it all.


Bear
28th Jan 2012
On 1/28/2012 1:27 PM, kurt wismer wrote:
> the first step is prevention, certainly agree with you there. if you
> can prevent going through the following cycle at the first stage,
> that's a lot of effort you don't have to expend.


This is wrong. What are you going to do? Wait till you are infected, then
make an image? First make your recovery plan before you go out into the
wild. Then work on prevention.


Bear
28th Jan 2012
On 1/28/2012 1:27 PM, kurt wismer wrote:
> next is diagnosis of what you failed to prevent, because you need to
> know everything it did in order to know what steps need to be taken in
> recovery. you also need to know where it came from if you're going to
> involve the authorities as well as what files to send to vendors so
> they can improve their products. you also need to know how the
> compromise was able to succeed for when you re-evaluate your defenses.


This takes hours and more in many cases. Most average users will never
be able to do such. Your advice may work for expert users but they are
few and far between. It takes less than 30 minutes to restore a clean image.


Bear
28th Jan 2012
On 1/28/2012 1:27 PM, kurt wismer wrote:
> after that is recovery (don't want to do it before reporting to
> authorities as you may be compromising opportunities to gain valuable
> intelligence about the person or people involved, or lose access to
> the malware samples). with the kinds of malware out there these days,
> recovery can easily extend beyond the confines of your hard drive, so
> while good backups and/or drive images are a must, they are only the
> beginning.


So you are going to recover from factory images or media? Because you
haven't made your recovery images yet.


kurt wismer
28th Jan 2012
On Jan 28, 3:33 pm, Bear <bearbottoms1+...@gmail.com> wrote multiple
posts:

maybe, in future, you could read my posts all the way through and let
them sink in a bit before you replied. that way you wouldn't need to
reply multiple times to the same post, and i wouldn't have to try and
piece your thoughts back together into a cohesive whole.

> On 1/28/2012 1:27 PM, kurt wismer wrote:
> > the first step is prevention, certainly agree with you there. if you
> > can prevent going through the following cycle at the first stage,
> > that's a lot of effort you don't have to expend.
>
> This is wrong. What are you going to do? Wait till you are infected, then
> make an image? First make your recovery plan before you go out into the
> wild. Then work on prevention.


if i tell you to first drive to your parents house and then nail shut
the doors and windows, i would normally think it goes without saying
that you must first acquire a car, a hammer, and some nails.

however, since i was critical of leaving other steps in the
traditional PDR triad as implicit, i suppose it's only fitting that
"prepare" be made explicit too. so the 0th step is to prepare for your
next malware encounter. now my hexad is a septad.

On Jan 28, 3:35 pm, Bear <bearbottoms1+...@gmail.com> wrote:
> On 1/28/2012 1:27 PM, kurt wismer wrote:
> > next is diagnosis of what you failed to prevent, because you need to
> > know everything it did in order to know what steps need to be taken in
> > recovery. you also need to know where it came from if you're going to
> > involve the authorities as well as what files to send to vendors so
> > they can improve their products. you also need to know how the
> > compromise was able to succeed for when you re-evaluate your defenses.
>
> This takes hours and more in many cases. Most average users will never
> be able to do such. Your advice may work for expert users but they are
> few and far between. It takes less than 30 minutes to restore a clean image.


in the same vein, one could also say it takes less than 30 minutes to
destroy information that could have:
a) warned the victim that his bank account was in jeopardy
b) informed the victim which vulnerable subsystem needed to be patched,
reconfigured, or disabled in order to prevent getting compromised by
similar malware in the future
c) identified which cloud-based email needed to be deleted to avoid
accidentally re-compromising the machine with the exact same malware
in the future

is this really the lesson you want to teach people? from my
perspective, this is precisely the thoughtless, lazy, half-arsed
approach i complained about before. simply restoring an image just
sets you up to get pwned again in exactly the same way. the best proof
of learning from your mistakes is to change direction - if you keep
doing the same thing you keep making the same mistake. pretending
there's an easy answer (just restore a clean image!) breeds laziness
and complacency and gives people a false sense of security.

now i realize that there are limits to what people are capable of, but
i never said they had to do it alone. they can get help if they need
to. they can also cut corners, but the more thorough their knowledge
of how their prevention failed this time, the better equipped they'll
be to improve it and not fail the next time.

On Jan 28, 3:37 pm, Bear <bearbottoms1+...@gmail.com> wrote:
> On 1/28/2012 1:27 PM, kurt wismer wrote:
> > after that is recovery (don't want to do it before reporting to
> > authorities as you may be compromising opportunities to gain valuable
> > intelligence about the person or people involved, or lose access to
> > the malware samples). with the kinds of malware out there these days,
> > recovery can easily extend beyond the confines of your hard drive, so
> > while good backups and/or drive images are a must, they are only the
> > beginning.
>
> So you are going to recover from factory images or media? Because you
> haven't made your recovery images yet.


yes, yes, recovery needs preparations. guess what - so does
prevention, so does detection, so does diagnosis, etc. making images
is an implementation detail, just like updating anti-virus software,
preparing a whitelist, generating a behavioural baseline for installed
software, collecting file integrity information, and so on and so
forth. you raised an important point (in your single-minded sort of
way) about the importance of preparedness, but you don't have to keep
banging that drum.
 