Anybody who's ever thought about how an antivirus product works has come to this conclusion: Antivirus will detect software that does things that are known to be bad, but not software that does things in a new way. Depending on the level of sophistication of the antivirus solution, that either means a completely black-and-white distinction between what matches what is essentially a rainbow table of MD5 signatures and what doesn't, or more complex binary analyses like what kinds of actions an application binary performs, or what IP address ranges it attempts to establish a connection to.
Now, this doesn't mean that antivirus is useless, or that the antivirus era is over--by the logic of this post, the antivirus era was over the minute it began. What it means is that antivirus is a tool that helps protect you against "stupid"/mass malware, but not a tool that gives you any kind of "complete" or "100%" protection (although every AV vendor will certainly try to convince you that their products do), and this is particularly true--today as it was 10 years ago--when it comes to malware that isn't widely distributed, or, put more fashionably, "targeted malware" and "advanced persistent threats" (hence: malware which belongs to a "family" that hasn't been caught, analyzed, and added to a binary/behavioral signature/heuristic database of some kind beforehand.)
I've had an IT consultancy for 7 years. There was a time when I would recommend a certain antivirus because I observed that it was consistently able to cleanly intercept in-the-wild badware attacks or even clean out something that already had a foothold. Eset, Prevx and even Norton had solid, effective, best-in-class products at one time or another. However, based on what I've seen over the last year or so, there's been a sea change; the badware that gets on a machine typically does what it wants, antivirus or no, the majority of the time. Detection has become much more the exception and much less the rule.
Sure, antivirus has never been 'complete' protection but, speaking from a lot of firsthand experience, some of it used to be pretty darn good compared to lately. Now even 10-15% protection from AV sounds like a stretch. Hence, in terms of the soho PC segment I've dealt with day to day, I'd say The Antivirus Era Is Over And It Has Been For A While.
I'm going to guess that a lot of these were the fake AV and similar rogueware. Most of these were pretty good at changing regularly to avoid naïve signature detection, and most vendors acted really slowly because it wasn't "malware." They're not really special in any way that requires a fundamental change to allow detection, though.
I'm not going to dispute that AV vendors have become complacent recently, but 10-15% is on the low side. Most families of widespread malware are detected by most solutions within a few months (yes, that slowly.) It's probably around 80-85%, but, at the same time, 90%+ of the really dangerous (and especially targeted) malware is more often than not in the remaining 15-20%.
Ultimately, what this article and your comment insinuate is that you can uninstall antivirus and be "just as safe." That is not true (except in rare cases where the AV software itself is vulnerable and provides a way to escalate privileges.) I'm all for getting rid of shoddy blacklisting, but we need a replacement, such as innovations in OS security models (a la Chromium OS.)
Clarification: by my saying "10-15% protection" I mean I'm guessing that 85-90% of the time my clients' machines come across badware in the wild, their AV misses it and they are compromised. Not a hard number, but my impression over the last year.
> "Ultimately, what this article and your comment insinuate is that you can uninstall antivirus and be "just as safe." That is not true..."
Agreed, but at the same time it's hard to recommend paid AV solutions that don't really work for what people perceive as 'a virus'. What I've come to do is:
* de-emphasize the importance of AV to my clients; tell them it may help but don't count on it
Your first paragraph is not entirely true. Antivirus software does much more than that. For example, watching over IO operations, boot, memory management, interprocess communication and so on. "Scanning files" is the basic thing to do, but it does not stop there.
Correct me if I'm wrong, but I think what they're getting at is that they're expecting an evolution in malware because of this. i.e. your typical "stupid"/mass malware will slowly grow obsolete, maybe even drop off the map and be replaced with more intelligent forms of the same thing, using concepts from that of Flame or better.
So should malware authors all figure out what Flame (or other more advanced malware) is doing, and how to do it themselves, eventually current day AV _will_ be useless.
Current antivirus solutions can detect Flame, Duqu, Stuxnet, et al, they just need to know about them and/or what they do. That's the problem with blacklisting.
It's probably more helpful to think of these classes of malware as being "obscure" or "wide-spread" than "smart" or "stupid" (I apologize for my previous analogy.) "Advanced persistent threats" don't really exist on a higher plane than common, boring malware (although these have included some impressive payloads), they're just tailored toward something specific in most cases.
I think it's a logical impossibility that all malware should suddenly become as obscure as these were. The payload can certainly be shuffled around, but nothing stops AV from recognizing and stopping whatever mechanism decrypts and runs them. That doesn't, in any way, make AV a panacea--but that's the way it's always been.
Whoa, thanks for the explanation. You're right, and that makes sense. However I'm of the "anything is possible" mindset, so I do still have to wonder if signature matching is nearing its end. Though I admit, given what you've just clarified, it seems unlikely.
I've been using computers since the 80's. I haven't used anti-virus software since the 90's. And yes, I have been using Windows until somewhere in the 00's, including Windows 95, which is about as vulnerable as it gets.
When I was using antivirus software, it never set off any alarms once. I still occasionally install and run antivirus software, it doesn't find anything, so I remove it again. I've sat in the middle of major virus outbreaks inside companies and not been affected.
I have no idea how people manage to get infected. Every time I read about some malware scare, I look at how it spreads and think to myself "but... why would you do that?".
In the 80s we had boot sector viruses that would bite you as soon as you inserted a disk, and disks were the only way of exchanging data. You couldn't protect against those without antivirus.
But today most malware seems self-inflicted, and only spreads through naivety, ignorance and laziness.
Sure, I could still get infected tomorrow. After 25 years of computing it's bound to happen to me at some point. But it will most likely be because I did something I shouldn't have, not because I don't have adequate anti-malware protection.
> But today most malware seems self-inflicted, and only spreads through naivety, ignorance and laziness.
I assert that stereotypical "stupid users" were indeed the cause of most virus spreading in the 1980's and 1990's. There is still a fair amount of "stupid user" stuff happening these days, such as clicking on a link in an email to log into your bank account. (1)
However, these days, I'm also worried about exploits against browsers. If you have your system infected just by visiting a webpage, I don't consider that the user's fault.
Every year that goes by, the browser gets more complex (like recent support for 3-D rendering), and the attack surface increases. I'm glad that most browsers are fairly secure, but they're not perfect now, nor are they likely to be in the near future.
(1) It continues to annoy me that two of my banks will send out legitimate emails (new bill, etc.) that have clickable links in them. If the banks would stop putting links in their emails, and try to educate their users to not click on links in emails, that would reduce the problem.
> However, these days, I'm also worried about exploits against browsers. If you have your system infected just by visiting a webpage, I don't consider that the user's fault.
I'm starting to consider a lot of these exploits and security problems to be the developer's fault. Too many attack vectors are well-known, and should be accounted for in the design of software.
For example, overflow exploits: Why, in this day and age, do we still default to writing software that works with untrusted data in languages that don't enforce bounds checking? C++ has many virtues in many situations, but it's not a language for writing web browsers. For performance-critical modules that are small enough to make serious code auditing feasible, sure. But as the primary implementation language it's just one big vector for attack that pervades the entire codebase.
I used to think more-or-less the same thing: antiviruses are unneeded resource hogs...
until I connected my laptop to the network at school.
I didn't notice anything strange until a month later when I reinstalled WinXP (was doing it regularly for speed).
My mistake was that I installed Winamp and other software from kits on a shared folder (full access for everybody) on my laptop, before installing the AV.
That's when all hell broke loose: the kits were injected by some virus and got activated only when they were run.
tl;dr: Thing is, even "power-users" can get it wrong. Is it really worth it to risk so much for so little?
PS: referring here strictly to platforms that need AVs
Frankly, my computer has not had a virus in years. It has been on the web, it has downloaded stuff from dubious websites, it has installed stuff. But no viruses.
That is not to say that there is no malware any more, but the infection vectors have changed. More often than not, malware will be explicitly installed by the user. More broadly, it will trick the user into doing something that is not in his best interest.
In other words: In the current age, malware is targeting users, not computers. Now we have to install virus scanners, by educating ourselves about how to spot viruses. This is a very different game from a few years ago!
I guess you are asking this question in reference to "my computer has not had a virus in years".
By the naïve measure of "my antivirus did not ever find a virus", which might not be 100% reliable, as the article points out. However, it should identify viruses eventually, though possibly too late. But it didn't.
The antivirus era will never be over, as evidenced by the antivirus apps for smartphones. It provides the same purpose as the TSA: it inconveniences people just enough to make them feel like something is being done to protect them. It doesn't matter how ineffective an antivirus is, as long as it pops up a message every couple days saying "your computer is protected", it has served its purpose.
Anybody who has worked consumer IT can tell you, it doesn't matter how many times a person's computer has been infected despite running Kaspersky, they still absolutely depend on the messages from their AV program to tell them it's all good.
I don't know if there has been a thorough test on the capabilities of smartphone antivirus apps, but I know there have been a lot of reports of malicious apps, basically viruses for smartphones. Protection is necessary (for the majority at least).
Flame was signed by a trusted signer (Microsoft in this case) due to a bug that allowed code to be signed with a Microsoft key that was meant for something else.
People would like to make behavioral stuff, but it's quite difficult. Sandboxing sounds great, but it requires more processing power to run a VM, and the biggest complaint most people have about AV software right now is that it slows down the computer, so running in a VM with a behavioral model...yeah, good luck. It looks great on paper, but has not been put to good use yet.
If you like to be secure, run 2 boxen, one that has no service except a logger, log everything from your main box, only log into the logger box from console when you want to look through the logs to see if something has gone awry.
FD: I work for a security company, and no, none of our products works like that. Most (all?) customers have a higher priority on usability of their network and computers than on security.
You need a good antivirus program to clean up computers if discovered malware becomes widespread (like Stuxnet, Flashback Trojan). Since Windows Security Essentials/Defender in Windows 8 I don't really think about other antivirus vendors, however it is very important that all of them remain active. One antivirus company would be a dream for malware creators. Personally I think severe global penalties for creating malware/'social engineering' or a chip+software breakthrough is needed to change the current situation. Antivirus software has actually become pretty good at cleaning known attacks, which is really all you can ask for at this point in the game considering how advanced malware has become.
The fundamental problem is that anti-virus software operates on the principle of enumerating badness: a list of known viruses and their signatures, a list of suspicious patterns in binaries such as obfuscation techniques.
OSes should move to the opposite strategy, enumerating exactly what is allowed, and dropping anything else by default. The challenge here is that the granularity should be small enough for this to be effective, but on the other hand this gives configuration overhead for the user. For example, the firewall could enforce that only the user's preferred email application is allowed to send and receive mail. Currently the permissions in plugins and smartphone apps are too broad to be meaningful, but they're already experienced as a nuisance, so it's a difficult problem.
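The distinction drawn in the opening comment (hash signatures versus pattern/behavioural signatures) and in the comment just above (enumerating badness versus enumerating what is allowed) can be made concrete with a toy scanner. The following is an added example, not code from the thread or from any AV product; the sample "binaries", the XOR packer, the signatures and the function names are all constructed for illustration.

```python
"""Added example, not code from the thread or from any AV product: a toy scanner
that contrasts enumerating badness (hash blacklist plus byte-pattern signature)
with enumerating goodness (hash allowlist). Every sample "binary", signature
and name below is constructed for illustration."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def xor_bytes(data: bytes, key: int) -> bytes:
    """Trivial packer stand-in: hides the payload's plaintext from pattern scans."""
    return bytes(b ^ key for b in data)


# Constructed samples.
KNOWN_BAD = b"MZ\x90\x00EVIL_PAYLOAD v1"        # caught, analysed, added to the database
VARIANT = KNOWN_BAD.replace(b"v1", b"v2")        # same family, one byte changed: new hash
PACKED = b"STUB:" + xor_bytes(KNOWN_BAD, 0x5A)   # payload XOR-encoded; a stub decodes it at run time
BENIGN = b"MZ\x90\x00HELLO_WORLD 1.0"            # the tool the admin approved
BENIGN_V2 = b"MZ\x90\x00HELLO_WORLD 2.0"         # legitimate update, not yet approved

# Enumerating badness: what the vendor learned from KNOWN_BAD.
HASH_BLACKLIST = {sha256_hex(KNOWN_BAD)}
PATTERN_SIGNATURES = [b"EVIL_PAYLOAD"]           # marker shared across the family

# Enumerating goodness: what the admin explicitly allows to run.
HASH_ALLOWLIST = {sha256_hex(BENIGN)}


def blacklist_verdict(data: bytes) -> str:
    """Classic AV logic: block what is known bad, allow everything else."""
    if sha256_hex(data) in HASH_BLACKLIST:
        return "block:hash"
    if any(sig in data for sig in PATTERN_SIGNATURES):
        return "block:pattern"
    return "allow"  # unknown means allowed: the gap the thread is about


def allowlist_verdict(data: bytes) -> str:
    """Default-deny logic: run only what is known good, block everything else."""
    return "allow" if sha256_hex(data) in HASH_ALLOWLIST else "block:unknown"


def scan_all() -> dict:
    """Return {sample name: (blacklist verdict, allowlist verdict)} for every sample."""
    samples = {
        "known_bad": KNOWN_BAD,
        "variant": VARIANT,
        "packed": PACKED,
        "benign": BENIGN,
        "benign_v2": BENIGN_V2,
    }
    return {name: (blacklist_verdict(d), allowlist_verdict(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (bl, al) in scan_all().items():
        print(f"{name:10s} blacklist={bl:14s} allowlist={al}")
```

Running it shows both halves of the argument in one table: the hash catches only the exact sample, the pattern signature survives a one-byte re-versioning but not the packed variant (which is the "not yet in the database" case the thread keeps returning to), while the allowlist blocks all three bad samples without ever having seen them. The cost is visible on the same run: the legitimate 2.0 update is also blocked until someone approves it, which is the usability and "approval process" overhead the later replies object to.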
The problem that most of the complaining is about (from what I've seen) over current sandboxing solutions is not that you need to enumerate what your application can do. Rather, it's that the OS makers decide that certain functionalities are not allowed by apps (running downloaded code, etc) and just don't allow them. I think a lot of people would prefer that all functionalities be available, but each one need to be specifically allowed by the user.
That being said, that makes life harder for the user.
The most fundamental problem is that perfect anti-virus is impossible.
According to Rice's theorem, you cannot in the general case prove any run-time property of a program solely by looking at its code, which means that can't 100% reliably detect viruses simply by looking at the code.
This is a better approach, but as you say it does put the configuration overhead on the user - and many users will just click "yes" when asked whether to allow something.
So user education is important, but hard to ensure across a whole organisation, for example.
If what you're trying to prevent is something in sandbox A messing with something in sandbox B, sure. If you want to prevent is malicious behavior generally, like connecting to a botnet or exploiting a vulnerability in a system service, not so much. Then you need a mixture of sandboxing and whitelisting (rather than blacklisting), a combination that's unwelcome in most environments (a notable exception being app stores.)
Part of the 'standard' model for security is to make every component as sandboxed as possible. The problem is, programs need to be able to access the system, and if the attack compromises the program it can do whatever the program can. For example, most web browsers have the ability to show html pages that are stored anywhere on your file-system. This means that if your web-browser gets infected, the attacker has full read access to your files. You can (and I do) sandbox your browser to only its files, however you then lose the features that depend on full read access.
Of course, the instance of the javascript VM that is running the javascript from the website does not need filesystem access, so it can be, and normally is, sandboxed.
> The problem is, programs need to be able to access the system
Not necessarily: to be on the Mac App Store, an application must access only files in its own resources (configuration and so on) or through user interaction (open file dialog). If your web browser gets infected, it gets full read access on every file you willfully want it to read. Problem: you cannot have a multimedia player that opens m3u playlist files in this model: see http://mplayerx.org/leave-mas.html
This has been done by a company called Advanced Computer Research in the 1990s - it has been proven to be working very well, so well that it was taken off the market (with force / criminal means). Officially the company was sold to a US conglomerate and immediately all products were taken off the market.
It was - unlike the snake oil antivirus software otherwise sold commercially since then - also able to protect against unknown threats by creating a security focused virtual machine inside the PC and a sandbox around applications. This was the first VM available for PCs (1995).
What you're describing is whitelisting vs. blacklisting. Whitelisting will always be the better solution, but it presents far more usability and "approval process" problems than blacklisting does.
I have not used an antivirus in years, I use a firewall which allows me to control behavior of every process with allow/deny rule creation. It's blocked java exploits and trojans on my system that were not yet in antivirus databases. Antivirus is cool for a monthly just in case checkup and for scanning suspect files before executing.