Desktop antivirus - it's dead

George Orwell

PC World
http://elfurl.com/qympl

Some industry analysts are proclaiming the traditional antivirus method
for detecting and eradicating viruses, trojans, spyware and other
baneful code by matching it against a signature
http://snipurl.com/crapware to be "dead."

They say signature-based checking can't keep up with the flood of virus
variants manufactured by a criminal underworld that is beating the
antivirus vendors at their own game. And they are arguing it's time for
companies to adopt newer approaches, such as whitelisting or behavior-
blocking, to protect desktops and servers.

"It's the beginning of the end for antivirus," says Robin Bloor,
partner at consulting firm Hurwitz & Associates, in Boston, who adds he
began his "antivirus is dead" campaign a year ago and feels even more
strongly about it today. "...The approach antivirus vendors take is
completely wrong. The criminals working to release these viruses
against computer users are testing against antivirus software. They
know what works and how to create variants."

...Instead of antivirus software, he says, users should be investing in
whitelisting software that prevents viruses from running because it
only allows authorized applications to run.

Whitelisting products are available from SecureWave, Bit9, Savant,
AppSense and CA, the first traditional antivirus vendor to see the
light, in Bloor's view.
 
Virus Guy

George said:
And they are arguing it's time for companies to adopt newer
approaches, such as whitelisting or behavior- blocking,
to protect desktops and servers.

Why aren't we talking about a wholesale disconnection of the China IP
space so that NS and web-hosts located in China aren't a threat any
more?

Why aren't we talking about ICANN growing some balls and de-listing
the registrars that are giving throw-away domains to spammers and
hackers? (yes, they GIVE them away - it's called domain "tasting").
 
Dustin Cook

PC World
http://elfurl.com/qympl

Some industry analysts are proclaiming the traditional antivirus method
for detecting and eradicating viruses, trojans, spyware and other
baneful code by matching it against a signature
http://snipurl.com/crapware to be "dead."
*yawn*


They say signature-based checking can't keep up with the flood of virus
variants manufactured by a criminal underworld that is beating the
antivirus vendors at their own game. And they are arguing it's time for
companies to adopt newer approaches, such as whitelisting or behavior-
blocking, to protect desktops and servers.

Behavior blocking isn't new, and for that matter, neither is
whitelisting. They aren't in widespread use due to the annoyances each
option presents. Behavior blockers are bad about blocking legitimate
applications as well, annoying users to the point where they just turn it
off. :(

Whitelisting is nice and all, but how does one get the software authorized?
Who has control over this authorization? How does the whitelisting system
ensure the programs are legitimately whitelisted, and one of them didn't
add itself?
"It's the beginning of the end for antivirus," says Robin Bloor,
partner at consulting firm Hurwitz & Associates, in Boston, who adds he
began his "antivirus is dead" campaign a year ago and feels even more
strongly about it today. "...The approach antivirus vendors take is
completely wrong. The criminals working to release these viruses
against computer users are testing against antivirus software. They
know what works and how to create variants."

This is very deceptive and shady. Virus scanners have always been tested
by the other guys. Both sides know this. It's called knowing thy enemy.
You're just trying to scare people with this recycled crap of yours.
...Instead of antivirus software, he says, users should be investing in
whitelisting software that prevents viruses from running because it
only allows authorized applications to run.

This will not prevent all viruses from running. Trojans, rootkits, etc.
It's a very misleading comment and may lead users into a very real false
sense of security.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - V2.2
web: http://bughunter.it-mate.co.uk - email:
(e-mail address removed)
Pad: http://bughunter.it-mate.co.uk/pad.xml
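Dustin's three questions above (who authorizes, who controls the authorization, and how the list is kept from being edited by the very programs it polices) come down to one design point: an application allowlist is only as trustworthy as the integrity protection on the list itself and the custody of whatever key seals it. The following is an added example written for this thread, not code from the PC World article or from any of the products it names (SecureWave, Bit9, Savant, AppSense, CA). It assumes a hash-based allowlist stored as a manifest, an administrator-held HMAC key (hypothetical name ADMIN_KEY) that seals the manifest, and an enforcement hook that fails closed when the seal does not verify. The "executables" are constructed byte strings so it runs offline.

```python
"""Hash-based application allowlist with a keyed-integrity manifest.

Added example for this thread, not code from any product named in it.
Assumptions: approved programs are identified by SHA-256 of their contents,
the list lives in a manifest sealed with an administrator-held HMAC key,
and the enforcement hook refuses everything if the seal fails to verify.
"""
import hashlib
import hmac
import json

# Constructed stand-ins for executable file contents (no real binaries).
APPROVED_EDITOR = b"MZ...editor-v1..."
APPROVED_BROWSER = b"MZ...browser-v9..."
UNKNOWN_DROPPER = b"MZ...dropper..."

# Hypothetical administrator key. In a real deployment it is held off the
# box (or in an HSM) and is never readable by users or by policed programs.
ADMIN_KEY = b"example-admin-key-do-not-reuse"


def digest(blob: bytes) -> str:
    """Identity of a program for allowlisting purposes: SHA-256 of its bytes."""
    return hashlib.sha256(blob).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Fixed key order and separators so the MAC is over one unambiguous encoding.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(entries: dict, key: bytes) -> dict:
    """Administrator step: bind the allowlist to the key with an HMAC."""
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Enforcement step 1: was this exact list sealed by the key holder?"""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def may_execute(blob: bytes, manifest: dict, key: bytes) -> tuple:
    """Enforcement step 2: decide for a file about to run. Fails closed."""
    if not manifest_is_authentic(manifest, key):
        return False, "manifest seal invalid: refusing everything"
    name = manifest["entries"].get(digest(blob))
    if name is None:
        return False, "not on allowlist"
    return True, "allowed as " + name


def build_admin_manifest() -> dict:
    entries = {digest(APPROVED_EDITOR): "editor", digest(APPROVED_BROWSER): "browser"}
    return seal_manifest(entries, ADMIN_KEY)


def dropper_adds_itself(manifest: dict) -> dict:
    """What a program without the key can do: append its own hash to the list.
    It cannot recompute the MAC, so the old one is carried over unchanged."""
    tampered = {"entries": dict(manifest["entries"]), "mac": manifest["mac"]}
    tampered["entries"][digest(UNKNOWN_DROPPER)] = "totally-legit-update"
    return tampered


def demo() -> dict:
    """Decisions for approved and unknown programs against the sealed and the
    tampered manifest. Returns only the allow/deny booleans."""
    good = build_admin_manifest()
    bad = dropper_adds_itself(good)
    return {
        "editor_on_good": may_execute(APPROVED_EDITOR, good, ADMIN_KEY)[0],
        "dropper_on_good": may_execute(UNKNOWN_DROPPER, good, ADMIN_KEY)[0],
        "dropper_on_tampered": may_execute(UNKNOWN_DROPPER, bad, ADMIN_KEY)[0],
        "editor_on_tampered": may_execute(APPROVED_EDITOR, bad, ADMIN_KEY)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(case, "->", "allowed" if allowed else "denied")
```

The run shows the approved editor allowed, the unknown dropper refused, and, once the dropper has appended its own hash to the manifest, the whole tampered manifest rejected, so the dropper still cannot run and neither can anything else until an administrator re-seals the list. That last case is the practical answer to "one of them didn't add itself": a program without the sealing key cannot add itself. A program that obtains that key, or that runs as code inside an already-approved process, is not stopped by this check, which is why the allowlist is one layer rather than a replacement for patching.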
 
Far Canal

George Orwell wrote


Snip the same old bollocks you've posted before.

Here's a clue, we ain't interested
 
Virus Guy

Far said:
Snip the same old bollocks you've posted before.

Here's a clue, we ain't interested

What's your problem?

The article is right. AV software is not catching exploits as they
enter the typical system via browsing, and they are not able to keep
up in real time with new variants. The best they can do now is alert
you to the odd miscellaneous leftover files that got onto your system
->a month ago<-, and more and more they either can't get access to
them to get rid of them, or they come back at your next start-up.
 
Dustin Cook

Virus Guy said:
What's your problem?

The article is right. AV software is not catching exploits as they
enter the typical system via browsing, and they are not able to keep
up in real time with new variants. The best they can do now is alert

You're right, AV usually doesn't catch exploits as they enter the system...
Why would they?



 
Far Canal

Virus Guy wrote
What's your problem?

The article is right. AV software is not catching exploits as they
enter the typical system via browsing, and they are not able to keep
up in real time with new variants. The best they can do now is alert
you to the odd miscellaneous leftover files that got onto your system
->a month ago<-, and more and more they either can't get access to
them to get rid of them, or they come back at your next start-up.

Exploits/viruses don't come from casual browsing of 'normal' websites.
They come from wank/warez sites & spam mail. If people are stupid
enough to visit those sites/open spam mail they're gonna get shit, time
after time.
 
Dustin Cook

Virus Guy said:
Why are you so ignorant and stupid?

Many "normal" web sites have been, and currently are hacked and do
serve up exploits.

The Asus website is one current example.

http://isc.sans.org/diary.html?storyid=2582

Exploits are not viruses. They are holes in the operating system and/or
applications. Why do you feel it's the job of the antivirus now to ensure
your computer doesn't have system level flaws?




 
kurt wismer

Virus said:
What's your problem?

The article is right. AV software is not catching exploits as they
enter the typical system via browsing,

if they have a signature for it, they'll catch it when it's written to
disk...
and they are not able to keep
up in real time with new variants.

it's true that they often can't detect new/unknown malware, but novelty
is one of the few advantages malware can have that expires over time...
The best they can do now is alert
you to the odd miscellaneous leftover files that got onto your system
->a month ago<-, and more and more they either can't get access to
them to get rid of them, or they come back at your next start-up.

the problem here is that of mismatched expectations... people have, for
quite some time, operated under the delusion that known virus/malware
scanning was the be-all and end-all of anti-malware... however just
about every single anti-virus professional to have participated in
alt.comp.virus (and that includes a number of company heads like dr.
solly and frisk) has made it clear that known-virus scanning alone was
not complete protection and that people would be better off using
multi-layered approaches...

the people perpetuating the ridiculous notion that av was supposed to
protect you from everything are shifty-eyed marketroids and hack
reporters like the author of that article...
 
cbgerry

PC World http://elfurl.com/qympl

Some industry analysts are proclaiming the traditional antivirus method
for detecting and eradicating viruses, trojans, spyware and other
baneful code by matching it against a signature http://snipurl.com/crapware to be "dead."

They say signature-based checking can't keep up with the flood of virus
variants manufactured by a criminal underworld that is beating the
antivirus vendors at their own game. And they are arguing it's time for
companies to adopt newer approaches, such as whitelisting or behavior-
blocking, to protect desktops and servers.

"It's the beginning of the end for antivirus," says Robin Bloor,
partner at consulting firm Hurwitz & Associates, in Boston, who adds he
began his "antivirus is dead" campaign a year ago and feels even more
strongly about it today. "...The approach antivirus vendors take is
completely wrong. The criminals working to release these viruses
against computer users are testing against antivirus software. They
know what works and how to create variants."

..Instead of antivirus software, he says, users should be investing in
whitelisting software that prevents viruses from running because it
only allows authorized applications to run.

Whitelisting products are available from SecureWave, Bit9, Savant,
AppSense and CA, the first traditional antivirus vendor to see the
light, in Bloor's view.

========================>

They mean "heuristics" in all decent antivirus paid protection?
Duh.... heuristics. This is activated, meaning real time protection, in
paid subscription antivirus software programs. Heuristics is the
ability to identify the malware threat by typical behavior without
having the definitions yet written for removal and blocking of the
particular threat - worm, virus, many trojans.

""QUOTE""
They say signature-based checking can't keep up with the flood of virus
""UNQUOTE""

....and it never did and never will. For newbies these idiot editors
are writing to (and I am not the only one recognizing this) - for
newbies / novice information here, the writer is calling a system scan
with your antivirus "signature-based checking" - like duh a-hole.
Why would you do a scan, find and remove malware and then turn around
and say that the PC was protected in the beginning by "signature-based
checking"??? How the h*ll was the PC ever protected by "signature-
based checking"??? Duh !!!

So where's the distinction that something is or did die???? Idiot
editors playing with new people's minds. Malicious bad information,
even intentionally. I have caught some of these creeps before giving
out bad information and responded to it.

""QUOTE""
they are arguing it's time for companies to adopt newer approaches,
such as ... behavior- blocking
""UNQUOTE""

....You mean BUY some antivirus protection ??? to activate real time
protection - - Duh !!!

This is the result of trolls, criminal elements, idiots, plain
newbies, and bragging-rights malicious persons giving the constant
idea of freeware security as your silver bullet. That is absurd, even
for the most new person. Anybody new to computers instantly
realizes that the software business is a multi-million and multi-
billion dollar industry. You can't even miss that one on TV news,
always informing the public of the amount of trade done over the
internet, if you are not a computer owner/operator. I believe it is in
the neighborhood of 16 billion dollars yearly or more. So the point is the
"newbie" knows better and is taking their chances and they know it.
They know you are only getting what you pay for in the worst
ignorance of software or computers.

A little knowledge spread around stops all of this in a very, very
great degree.
 
cbgerry

What's your problem?

The article is right. AV software is not catching exploits as they
enter the typical system via browsing, and they are not able to keep
up in real time with new variants. The best they can do now is alert
you to the odd miscellaneous leftover files that got onto your system
->a month ago<-, and more and more they either can't get access to
them to get rid of them, or they come back at your next start-up.

==========================>

Do you know what "heuristics" is in antivirus? From the early years
of 2000 on, Norton Antivirus has always been known for this feature
and as part of its selling feature and track record for blocking
virtually all viruses and worms. All decent antivirus (paid
subscription) has this and is known for it as to whether it is rated well
and trusted by consumers for protection choices.

If you don't know what this is, perhaps the next time you see the
pop up "your antivirus has just blocked or quarantined such and such
threat" - - - when you are browsing the web - there is a very good chance
that is exactly what just occurred. Your paid antivirus protection
using heuristics (detecting unknown threats) has just caught and
either deleted the severe threat as unable to be cleaned, or
caught and instantly deleted what serves no purpose but malicious
intent, such as a trojan.

That can also happen when downloading email. Not the regular cleaning
emails of threats and reports - but when there is a specific threat
activated by simply downloading the email to your computer. That was
"heuristics" 99 percent of the time quarantining or immediately
deleting the virus/worm/trojan - and that is what the pop up message
was again - "your antivirus deleted or quarantined such and such a
threat".

In other words heuristics in antivirus is half of the real time
protection at all times 24/7 - even when the computer is shut down.
 
cmsix

cbgerry said:
========================>

They mean "heuristics" in all decent antivirus paid protection?
Duh.... heuristics. This is activated, meaning real time protection, in
paid subscription antivirus software programs. Heuristics is the
ability to identify the malware threat by typical behavior without
having the definitions yet written for removal and blocking of the
particular threat - worm, virus, many trojans.

""QUOTE""
They say signature-based checking can't keep up with the flood of virus
""UNQUOTE""

...and it never did and never will. For newbies these idiot editors
are writing to (and I am not the only one recognizing this) - for
newbies / novice information here, the writer is calling a system scan
with your antivirus "signature-based checking" - like duh a-hole.
Why would you do a scan, find and remove malware and then turn around
and say that the PC was protected in the beginning by "signature-based
checking"??? How the h*ll was the PC ever protected by "signature-
based checking"??? Duh !!!

So where's the distinction that something is or did die???? Idiot
editors playing with new people's minds. Malicious bad information,
even intentionally. I have caught some of these creeps before giving
out bad information and responded to it.

""QUOTE""
they are arguing it's time for companies to adopt newer approaches,
such as ... behavior- blocking
""UNQUOTE""

...You mean BUY some antivirus protection ??? to activate real time
protection - - Duh !!!

This is the result of trolls, criminal elements, idiots, plain
newbies, and bragging-rights malicious persons giving the constant
idea of freeware security as your silver bullet. That is absurd, even
for the most new person. Anybody new to computers instantly
realizes that the software business is a multi-million and multi-
billion dollar industry. You can't even miss that one on TV news,
always informing the public of the amount of trade done over the
internet, if you are not a computer owner/operator. I believe it is in
the neighborhood of 16 billion dollars yearly or more. So the point is the
"newbie" knows better and is taking their chances and they know it.
They know you are only getting what you pay for in the worst
ignorance of software or computers.

A little knowledge spread around stops all of this in a very, very
great degree.


Hell, you don't even have to buy any. You can download avast for free and it
does real time checking, even scans incoming email.

Of course the most common path of infection can be easily blocked by simply
turning off html rendering in your mail client. No text message has ever
infected a machine without the help of that machine's user.

cmsix
 
cbgerry

==========================>

Do you know what "heuristics" is in antivirus? From the early years
of 2000 on, Norton Antivirus has always been known for this feature
and as part of its selling feature and track record for blocking
virtually all viruses and worms. All decent antivirus (paid
subscription) has this and is known for it as to whether it is rated well
and trusted by consumers for protection choices.

If you don't know what this is, perhaps the next time you see the
pop up "your antivirus has just blocked or quarantined such and such
threat" - - - when you are browsing the web - there is a very good chance
that is exactly what just occurred. Your paid antivirus protection
using heuristics (detecting unknown threats) has just caught and
either deleted the severe threat as unable to be cleaned, or
caught and instantly deleted what serves no purpose but malicious
intent, such as a trojan.

That can also happen when downloading email. Not the regular cleaning
emails of threats and reports - but when there is a specific threat
activated by simply downloading the email to your computer. That was
"heuristics" 99 percent of the time quarantining or immediately
deleting the virus/worm/trojan - and that is what the pop up message
was again - "your antivirus deleted or quarantined such and such a
threat".

In other words heuristics in antivirus is half of the real time
protection at all times 24/7 - even when the computer is shut down.

=================================>
Maybe from the "horse's mouth" will help:

Excerpt: (HEURISTICS)
http://www.symantec.com/home_homeoffice/transactsafely/ncobetafaq.jsp


Size matters.
Symantec is the largest provider of security software and services to
the consumer and enterprise market. Norton Confidential protection
benefits from the information provided by hundreds of millions of
users who encounter these "unknown" threats over time. Not only does
this scale help Symantec's capability to "know" about threats earlier,
but it helps improve the HEURISTICS engine to intelligently detect
more "unknown" threat variants.

What are "known" and "unknown" threats, and why is this so
important?.....
"Known" and "unknown" threats. A threat is "known" when a security
software provider learns of the particular threat, analyzes it and
develops a "signature" to protect against it. Until that time, the
threat is considered to be "unknown." Several hours, days (or longer)
may pass between a criminal launching a new attack and you being
protected from it as a "known" threat.

Protection from "unknown" threats.
Norton Confidential is the first available solution to protect you
from both known and unknown phishing/pharming Web sites and crimeware.
In addition to using traditional signature-based protection from known
threats, Norton Confidential applies sophisticated "HEURISTIC" or
"behavior-based" technology to detect suspicious "unknown" threats
which haven't been seen before. This type of protection is essential
for online banking, shopping and other activities where you are
sharing passwords, account numbers or other confidential information.

/.End.
 
cbgerry

Hell, you don't even have to buy any. You can download avast for free and it
does real time checking, even scans incoming email.

Of course the most common path of infection can be easily blocked by simply
turning off html rendering in your mail client. No text message has ever
infected a machine without the help of that machine's user.

cmsix

========================>
And what protection does free antivirus offer when browsing the
internet? Free open source Clam AV has an Outlook plug-in to scan
email. But you are only talking about being protected with email
scanning. What about browsing? It is absurd to just use a computer
for email - cell phones do that. I have never heard of such a thing
as someone paying up to and over 2 thousand dollars for a computer and
then not using it because free antivirus only scans email. Strange
answer.
 
cbgerry

==========================>

Do you know what "heuristics" is in antivirus? From the early years
of 2000 on, Norton Antivirus has always been known for this feature
and as part of its selling feature and track record for blocking
virtually all viruses and worms. All decent antivirus (paid
subscription) has this and is known for it as to whether it is rated well
and trusted by consumers for protection choices.

If you don't know what this is, perhaps the next time you see the
pop up "your antivirus has just blocked or quarantined such and such
threat" - - - when you are browsing the web - there is a very good chance
that is exactly what just occurred. Your paid antivirus protection
using heuristics (detecting unknown threats) has just caught and
either deleted the severe threat as unable to be cleaned, or
caught and instantly deleted what serves no purpose but malicious
intent, such as a trojan.

That can also happen when downloading email. Not the regular cleaning
emails of threats and reports - but when there is a specific threat
activated by simply downloading the email to your computer. That was
"heuristics" 99 percent of the time quarantining or immediately
deleting the virus/worm/trojan - and that is what the pop up message
was again - "your antivirus deleted or quarantined such and such a
threat".

In other words heuristics in antivirus is half of the real time
protection at all times 24/7 - even when the computer is shut down.

==========================>
/.End. (And don't introduce the idiotic caveman whitelisting again !
Yeah.... let's whitelist infected programs to run idiot !)
 
kurt wismer

Dustin said:
Exploits are not viruses. They are holes in the operating system and/or
applications.

sorry, but it's vulnerabilities that are the holes... exploits are
the things that *use* those holes...
Why do you feel it's the job of the antivirus now to ensure
your computer doesn't have system level flaws?

virus guy's contention that anti-virus products don't detect exploits on
their way in is demonstrably false - there are products that do have
technology for scanning things as they come off the wire (nod32 is one
of the ones that implements a layered service provider, for example) and
further have signatures for some known exploits...
 
kurt wismer

cbgerry said:
==========================>

Do you know what "heurisitics" is in antivirus ?

unfortunately, heuristic technology is not the savior you seem to think
it is... retrospective testing by the likes of av-comparatives.org have
revealed that heuristics are generally not all that good at detecting
new/unknown malware (which is the very class of malware it's supposed to
help with)... last time i checked i think the highest detection rate was
somewhere in the 50th percentile... of course that's better than
nothing, but it still falls far short of the claim of detecting
"virtually all viruses and worms" you made further on...
From the early years
of 2000 on, Norton Antivirus has always been known for this feature

2000? heuristics predate that by a rather wide margin...
and as part of its selling feature and track record for blocking
virtually all viruses and worms.

someone has been filling your head with lies, i'm afraid...
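Kurt's three points in this thread (a signature catches the file when it is written to disk, novelty is an advantage that expires once the lab has a sample, and heuristics catch only a fraction of new/unknown malware) can be shown in one small scanner. This is an added example for the thread, not code from NOD32, Norton or any product mentioned above, and the three "samples" are constructed byte strings rather than real malware: the first is the one the lab analysed, the second is the same bytes with one byte changed inside the region the signature covers (the "testing against antivirus software" the article describes), and the third also XOR-hides its API strings. The signature, the heuristic patterns and the threshold are all invented for the example.

```python
"""Signature scan vs. string heuristic on three constructed samples.

Added example for this thread, not code from any scanner named in it.
Everything here (samples, signature bytes, heuristic patterns, threshold)
is constructed for illustration; no real malware is involved.
"""
import re

# Constructed byte strings standing in for executables.
_HEADER = b"MZ\x90\x00"
_PROLOGUE = b"\x55\x8b\xec\x83\xec\x40"   # push ebp / mov ebp,esp / sub esp,40h
_CALL_STUB = b"\x68\x00\x40\x00\x00\xe8"  # push 0x4000 / call ...
_STRINGS = b"URLDownloadToFileA\x00WinExec\x00RegSetValueExA\x00Run\x00"


def build_samples() -> dict:
    """Return the lab's original sample and two attacker-made variants."""
    sample_a = _HEADER + _PROLOGUE + _CALL_STUB + _STRINGS
    # variant_b: one byte changed inside the region the signature covers
    # (sub esp,40h -> sub esp,44h); the API strings are untouched.
    variant_b = sample_a.replace(b"\x83\xec\x40", b"\x83\xec\x44")
    # variant_c: same change, plus the API names XOR-hidden with a one-byte
    # key so a static string heuristic never sees them.
    key = 0x5A
    variant_c = (_HEADER + _PROLOGUE.replace(b"\x83\xec\x40", b"\x83\xec\x44")
                 + _CALL_STUB + bytes(b ^ key for b in _STRINGS))
    return {"sample_a": sample_a, "variant_b": variant_b, "variant_c": variant_c}


def cut_signature(blob: bytes, offset: int = 4, length: int = 12) -> bytes:
    """Lab step: once a sample is in hand, a byte pattern cut from it becomes
    the signature shipped in the next definition update."""
    return blob[offset:offset + length]


# Signature cut from sample_a after analysis (the 12 bytes after the header).
SIGNATURE = cut_signature(build_samples()["sample_a"])

# Static heuristic: visible API names that together suggest download,
# execute and persist. Patterns and threshold are invented for the example.
SUSPICIOUS = [rb"URLDownloadToFile", rb"WinExec", rb"RegSetValueEx"]
HEURISTIC_THRESHOLD = 2


def signature_hit(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Known-sample detection: exact byte pattern present anywhere in the file."""
    return signature in blob


def heuristic_score(blob: bytes) -> int:
    """Number of suspicious API names visible in the file."""
    return sum(1 for pat in SUSPICIOUS if re.search(pat, blob))


def heuristic_hit(blob: bytes) -> bool:
    return heuristic_score(blob) >= HEURISTIC_THRESHOLD


def scan_all() -> dict:
    """Verdicts for all three samples with the current signature set."""
    return {name: {"signature": signature_hit(blob), "heuristic": heuristic_hit(blob)}
            for name, blob in build_samples().items()}


def after_definition_update() -> bool:
    """Novelty expires: once variant_b reaches the lab, a signature cut from
    it detects variant_b on the next scan."""
    variant_b = build_samples()["variant_b"]
    return signature_hit(variant_b, cut_signature(variant_b))


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(name, verdict)
    print("variant_b caught after update:", after_definition_update())
```

Running it gives a signature hit plus a heuristic hit on the original, a signature miss but a heuristic hit on the one-byte variant, and no detection at all on the string-obfuscated variant; after_definition_update() then shows the expiring-novelty part: once variant_b is in hand, a 12-byte pattern cut from it matches variant_b, and the cycle starts again. The constructed heuristic is deliberately shallow (visible API names); real engines emulate or watch behaviour at run time, which is the capability cbgerry is describing, and the retrospective tests kurt cites are the measure of how far that actually gets against samples the lab has not seen.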
 
cbgerry

unfortunately, heuristic technology is not the savior you seem to think
it is... retrospective testing by the likes of av-comparatives.org have
revealed that heuristics are generally not all that good at detecting
new/unknown malware (which is the very class of malware it's supposed to
help with)... last time i checked i think the highest detection rate was
somewhere in the 50th percentile... of course that's better than
nothing, but it still falls far short of the claim of detecting
"virtually all viruses and worms" you made further on...


2000? heuristics predate that by a rather wide margin...


someone has been filling your head with lies, i'm afraid...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

============================>
That's some expected reply. Did you know that these independent test
centers lie and not me and they lie for illicit gain like magazines
they sell ??? If anybody is lying it would be them and if anybody's
head is full of it (lies) it would have to be you and not me..... and
I will tell you why.

This is easily going round and round - a round robin - and you are a
part of that. If there were laboratories with all these "unknown
threats" they use as tests to prove the weaknesses of software - any
type of test program - it would have been stolen and used a long time
ago by the underworld in malware spybots that are currently
responsible for up to 70 percent of world spam and 4 percent annually
of ID theft in just America and are currently clocked in control of 4
to 11 percent of world computers.

The security industry is well aware of that and do know everything
possible that is used by these independents and for two reasons. Are
they attempting at some time to be running extortion by producing a
proof-of-concept scenario. Number two - are they "selling" to the
underground and what ? Would it surprise you that security software
can purposely give "false readings" to test equipment for these very
reasons ? Are you aware of anti-cracking technology that is software
as well that can be purchased and how this protects security products
against "probes" for reverse engineering and piracy ?

What you are replying to basically is the part of the discussion about
heuristics failing maybe 50 percent of the time - even if for the sake of
argument you might call that a worst case scenario as opposed to a
conservative estimate. Specific products I have used for over four
years now were Norton Antivirus, and for 2 years Webroot Spysweeper and Trend
Micro Antispyware, which also have heuristics technology for spyware
and related malware. Several times I have manually inspected every
single file and registry entry in my computer looking for malware.
None was ever found, though I have been hit hundreds of times.

Now according to your perspective that heuristics don't work - I
should have found at least 150 malware applications. The hits I am
talking about are not malwares that were removed after scans. I am
talking about drive-by installations. Where are they? There is not so
much as a trace present.

You said...
""QUOTE""
someone has been filling your head with lies, i'm afraid...
"UNQUOTE""

....well you can be afraid all you want but here you can stop telling
LIES as you are doing. There is NO ONE filling my head with lies - not
even me. What I have posted here is the truth - I don't lie where pc
security is concerned. I do know what I am talking about and I am a
groups owner specializing in malware removal and webmaster/creator of
the www.BlueCollarPC.Net/ website for the same which is approaching
one million hits by people who look towards information and advice I
provide as a source of their computing security needs. Not one of my
Visitors and Website Users believes I am a liar.

Now the bottom line here is that I am positively sure you will agree
that any traces or variants of threats from a couple of years ago
would finally have had definitions written for them to remove them in a
scan, that for the sake of argument were "missed by heuristics"? Okay,
for the sake of argument? This is what I am telling you - there is no
such thing. The products ARE that good.

You had some kind of problem with the statement about these products'
heuristics catching virtually ALL malwares. Well they do and did. Why
would I - me as who I am with nothing to gain - why would I lie or be
wrong about that? Who would believe YOU?
 
