AVG AntiVirus or AVAST?


cquirke (MVP Windows shell/user)

On Sun, 19 Jun 2005 08:01:03 -0700, xpmark

**** Contains *BONUS* drag-and-drop quiz! ****

> Paying for anti-virus software is like contributing to a conspiracy. If
> Microsoft would make a decent operating system, all this security software
> would not be needed.

Less software would be needed, perhaps. Actually, I'm more inclined to
wish MS would provide better tools to reclaim ownership from malware,
given that it's so easy for malware to own the system.

There are several ways malware can run and own the system:
- user deliberately infects the system
- user accidentally initiates behavior that infects the system
- software accidentally initiates behavior that infects the system

That's it; that's the only way it happens. Now let's look at
"accidentally". The core of this is that the expected risk is lower
than the actual risk - and *that* is what malware is all about.

Now what goes into this failure to match expected vs. actual risk?

Firstly, the software may act without any initiation from the user.
In such cases, the software vendor is fully responsible, and the user
bears no blame at all - unless the user deliberately increased the
automatic risk level, which is the same decision in a different place.

Secondly, the software may misrepresent the risk level to the user,
e.g. making no distinction between viewing a data file and running a
code file, by hiding the difference between data and code (e.g. hiding
extensions while allowing code to wave data-like icons at the user,
and using the meaningless generic term "open" for both actions).

Thirdly, the software may display one level of risk to the user, but
then take a significantly greater risk. For example, an RTF file
should contain no macros and thus be safe, but having displayed the
file as a "safe" RTF, Word will run Word macros in it, even though
they should not be there. Or the code may be designed to handle the
data safely, but be exploitable via code defect, as was the case with
JPEG files handled by GDIPlus.dll

Here's a list of screwups; sort 'em into Firstly, Secondly and Thirdly
- raw .exe code within a .pif file
- not showing any file type information at all (*NIX)
- always-hidden .pif extension
- allowing web sites to generate fake "system" dialog boxes
- allowing web dialogs to OK an action when cancel or [x] is clicked
- HTML fake URL text over a different actual URL
- passing BHOs through firewall egress as part of IE
- waving RPC and LSASS at the Internet
- hidden admin shares that expose the entire HD
- running an Autorun.inf dropped into a HD root
- booting 1.44M or CD before HD by default
- Sun Java "updates" that leave old versions available for use
- generically "opening" executable attachments in HTML
- running scripts within email "message text"
- running scripts from a folder's "Web View" .htt
- automatically binding File and Print Sharing to TCP/IP on DUN
- automatically binding File and Print Sharing to TCP/IP on WiFi
- hiding attachments within mailboxes, where av can't scan them
- allowing code within ADS, but providing no UI to see ADS
- running startup items and screensaver within "Safe" mode
- exploitable indexing service touching files in the background
- exploitable icon extraction code that runs whenever icon's shown
- running code within .CPL files when listing Control Panel
- allowing scripts within "text" cookies
- Cmd.exe running raw code irrespective of file name extension

Ah well, that's a long enough list for now - half of that stuff is "by
design" and not acknowledged as problems to patch by the relevant
vendors. Which means your risk management has to go beyond patching,
and seating a firewall in front and an av as goalie to catch the flak.

Bonus exercise; apply the above list to this list of the basic things
a user needs to understand, and thus know about content:
+ whether it's from the local PC, the network, or the Internet
+ whether it's data or code
+ whether an action will "run" or "view" something
+ whether something is shared or not shared

I do not believe that complex software can be free of defects. I do
believe that complex software can be designed to take fewer risks,
with the possibility of defects in mind. And I do believe we do a
VERY poor job of displaying the level of risk to the user in a way
that is easy to understand, and of ensuring software acts purely
within the level of risk displayed.

This isn't rocket science that needs computing to be re-invented in
terms of Trustworthy Computing hardware, hard and verifiable
identities, or even devolving security down to the file system. It's
not even security as such; it's safety.

It's meaningless to know that Mary did X, if a lack of safety means
that while Mary really meant to do X, what she actually did was Z.

We also lack "depth". If we accept that "if a bad guy can run code,
then it's not your system anymore", and then proceed to allow every
web site, banner ad, unsolicited email "message" and "document" file
to run code, then we should accept the need for a platform and tools
to regain ownership of the PC from whoever we threw it away to.


------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
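A small model of the "Secondly" failure above (the displayed name hinting at one risk level while "open" actually does something else), written as an added example that is not part of the original post. The extension tables and the always-hidden list are simplified assumptions; the sample names are constructed.

```python
"""Model the gap between what a user sees for a file name and what 'open' does."""
from dataclasses import dataclass

# Simplified extension tables (an assumption for this example, not exhaustive).
CODE_EXT = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "lnk", "cpl", "hta"}
DATA_EXT = {"txt", "jpg", "jpeg", "gif", "png", "doc", "rtf", "pdf", "mp3"}
# Extensions the shell suppresses even when "hide extensions" is switched off.
ALWAYS_HIDDEN = {"pif", "lnk", "shs", "url"}

@dataclass
class Verdict:
    real_name: str
    shown_name: str
    actual: str    # what "open" really does: "code", "data" or "unknown"
    implied: str   # what the shown name suggests to the user
    outcome: str   # "ok", "hidden" (no type info shown) or "misleading"

def split_ext(name: str):
    base, dot, ext = name.rpartition(".")
    return (base, ext.lower()) if dot and base else (name, "")

def kind(name: str) -> str:
    ext = split_ext(name)[1]
    return "code" if ext in CODE_EXT else "data" if ext in DATA_EXT else "unknown"

def shown_name(real_name: str, hide_known: bool = True) -> str:
    """What the file list displays; hide_known models 'hide known extensions'."""
    base, ext = split_ext(real_name)
    if ext in ALWAYS_HIDDEN or (hide_known and ext in CODE_EXT | DATA_EXT):
        return base
    return real_name

def assess(real_name: str, hide_known: bool = True) -> Verdict:
    shown = shown_name(real_name, hide_known)
    actual, implied = kind(real_name), kind(shown)
    if implied == actual:
        outcome = "ok"          # displayed name conveys the true risk level
    elif implied == "unknown":
        outcome = "hidden"      # user cannot tell data from code at all
    else:
        outcome = "misleading"  # displayed name points at the wrong risk level
    return Verdict(real_name, shown, actual, implied, outcome)

def misleading_names(names, hide_known: bool = True):
    """Names that look like data on screen but would run code when opened."""
    return [v.real_name for v in (assess(n, hide_known) for n in names)
            if v.outcome == "misleading" and v.actual == "code"]

if __name__ == "__main__":
    sample = ["holiday.jpg.pif", "invoice.pdf.lnk", "setup.exe", "notes.txt"]  # constructed
    for n in sample:
        print(assess(n))
```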
 

NoStop

xpmark said:
> I appreciate the feedback, responses, etc. on my questions, but I get
> frustrated towards M$ because they are not correcting the virus, malware,
> etc. problem. The malicious software and anti-virus software that
> Microsoft is bringing out should not require a subscription nor the
> software itself. Microsoft is demonstrating that it can solve the problem
> through more software. If they can do that, just fix the OS!

Easier said than done. It would require a major rewrite of that OS to make
it secure against viruses. It would need to be written as a multi-user OS
that had privilege levels that offered real security to the OS itself, a la
the *NIX method of doing things.
 

Peter A. Stavrakoglou

xpmark said:
> I appreciate the feedback, responses, etc. on my questions, but I get
> frustrated towards M$ because they are not correcting the virus, malware,
> etc. problem. The malicious software and anti-virus software that Microsoft
> is bringing out should not require a subscription nor the software itself.
> Microsoft is demonstrating that it can solve the problem through more
> software. If they can do that, just fix the OS!

If the Mac OS was the predominantly used OS instead of Windows then we'd be
saying the same thing about the Mac OS. The viruses and other malware are
aimed at the most-used OS, not the one that has such a small market share.
 

Bob I

Humm, you been living under a rock? Why do you think Microsoft is
publishing security updates? Microsoft is the biggest return on
investment as far as the malware writers are concerned. Would you target
something where you get 10 hits or 1000 hits? Apple just isn't a big
enough target to bother shooting at. Suggest looking around at reality
before you start posting fiction.
 

cquirke (MVP Windows shell/user)

> Humm, you been living under a rock? Why do you think Microsoft is
> publishing security updates? Microsoft is the biggest return on
> investment as far as the malware writers are concerned.

Not sure what you are rhetorically expecting as the answer there.

Consider the cost of developing and testing those updates;
non-trivial, and 3 years of that may start to look like as much work
as writing the OS in the first place.

Now, what's the return on investment there, given that patches are
free? There's no further revenue, folks get fed up with having to
patch, and it draws attention to the defects in the first place. The
only ROI is that it avoids even further damage from having the
unpatched OS shot to pieces by malware.

> Would you target something where you get 10 hits or 1000 hits?
> Apple just isn't a big enough target to bother shooting at.

That's the crux, and it demonstrates the value of security by
obscurity, such as it is. Fewer drive-by shootings, though if someone
was specifically after an Apple target and made the effort, they'd
prolly get it right. They'd have to do more original work, because
there isn't that wealth of "how to hack Apple" source code floating
around, but then there'd be less expectation of attack by the victim
too, because after all, "that can't happen here".

You'd prolly get more market share for your malware by targeting
commonly-used 3rd-party add-ons for Windows, than alternative
platforms such as *NIX or MacOS.

It depends what you want, though. If you just want to spam through
zombie machines, or gather CC, SSN, product keys etc. then you'd chase
Windows broadband consumers. If you want server or web stuff, you
might go after Linux, but there's more variability there (multiple
dialects of Linux, users are more hands-on so installations are likely
to be more divergent). If you wanted a fresh source of CC and SSN,
you might take an interest in Apple after all.

xpmark wrote:

MS can't "correct the problem" as it's outside their scope - it's like
blaming the US army for not ending war, blaming the police for not
ending crime, or blaming medicine for not eradicating disease.

MS could and should do more to counter the problem, starting with a
pervasive awareness of this, instead of writing software as if we
lived in a malware-free world, as they did in the past.

MS are getting better at that - there's less stupidity such as
automatically running scripts in unsolicited email message "text" and
then going "Wow, who'd have thought they'd do that?" when BubbleBoy,
Kak, Valentine, San, BleBla etc. climb in.

XP SP2 represents a retreat under fire from such prior dumbness,
such as the whole IE4 "give web devs total power over visitors' PCs,
they'll like that so we can get them deving for IE instead of
Netscape" thing. SP2 makes fairly modest attempts to get the horse
back in the stable and close the door, and when these changes broke
existing apps and sites, MS toughed out the criticism. Good.


What we haven't seen yet, is MS fully absorb the notion that if ANY
code might have exploitable holes, NO code should expose itself to
possibly hostile material unless the user initiates this.

That's going to mean less convenience; no more autorunning of CDs, no
more background indexing, or tooltips that tell you information pulled
out of a file, or even showing you different icons for files on the
same time, such as we currently expect with .EXE files and shortcuts.

So I don't expect MS to follow this clue throughout the OS. What I'd
like to see is this clue followed throughout Safe Mode, and the
maintenance OS we currently don't have. I also expect it to be a
selectable option within the "normal" OS, both as a View that can be
selected on the fly, and as a setting that can be applied to
particular drive letters, folders or subtrees.

I'd also like to see this as the automatic default ("safe by default",
remember?) whenever new drive letters or disks are seen for the first
time - that, too, could be made controllable via Options.


What we also haven't seen yet, is provisions made for WHEN the system
is "owned" by malware. Giving up and wiping the system is as
dumb-assed as not having backups and retyping all your data, and is a
similar problem in that there's a wealth of implicit data in the way a
"live" installation is set up and how it's evolved since.

The provision of a maintenance OS (so far, totally absent as far as MS
is concerned) and a truly malware-safe Safe mode is the starting
point. With a decent foundation, the specific tools will follow, but
av and other vendors need a solid platform to develop for.

I would not say they are demonstrating that - I welcome these
initiatives, but I don't expect them to "solve the problem".

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
 
