Schneier on Security
A blog covering security and security technology.
« Updating the Traditional Security Model |
| Brute Forcing Combination Locks »
August 2, 2006
Why the Top-Selling Antivirus Programs Aren't the Best
The top three antivirus programs -- from Symantec, McAfee, and Trend Micro -- are less likely to detect new viruses and worms than less popular programs, because virus writers specifically test their work against those programs:
On Wednesday, the general manager of Australia's Computer Emergency Response Team (AusCERT), Graham Ingram, described how the threat landscape has changed -- along with the skill of malware authors.
"We are getting code of a quality that is probably worthy of software engineers. Not application developers but software engineers," said Ingram.
However, the actual reason why the top selling antivirus applications don't work is because malware authors are specifically testing their Trojans and viruses to make sure they can bypass these applications before releasing them in the wild.
It's interesting to watch the landscape change, as malware becomes less the province of hackers and more the province of criminals. This is one move in a continuous arms race between attacker and defender.
Posted on August 2, 2006 at 6:41 AM
• 42 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Also Norton sucks so badly that to install is to cause a self inflicted DoS.
How do the usage figures for the popular free AV packages (AVG, Avast) compair?
Are the 3 mentioned only the top AV programs because they are the most likely to be installed on a new machine and then probably never updated again?
The article can be dangerously misinterpreted.
"If you do then I suggest investing in yet another -- but whatever you do, stay well away from the bestseller shelf."
Someone like my parents (they know they need an up-to-date virus scanner) could read this and misinterpret it and buy some bargain bin anti-virus software that offers no protection at all.
Where is that 80% failure figure coming from? I'd believe it on a never updated OEM install, but on a correctly maintained system I'm skeptical.
Actually I'm not surprised.
From the 2006 Deloitte Global Security Survey
99% of the respondents are using antivirus and still 63% of them had "external virus/worm breaches" and 31% had "internal virus/worm breaches".
This one just sounds too broad to me. What is the time frame here? Does the malware get past on initial release and then gets picked up by the big three within 24 hours? Or are we saying that the big three never are able to detect the threat?
However, in these games, if the cost is right, there is no reason to not put some money on one of the alternative players.
This reminds me of an older question: what happened to the open source anti-virus projects? ClamAV? OpenAV? They dropped off the map in 2003-2004...
The convergence of these two groups of people, malware authors and security software, is probably to be found in this community of developers.
The 80% is a weird number and it's given out in a somewhat irresponsible way.
It probably means that 80% of some handpicked set of zero-day malware got through. However nothing is said about how it works if you patch it every time new patch is available - how likely it is your computer actually is hit by zero-day malware. It makes it sound like 80% of all malware gets through which I very very seriously doubt is the case.
Also, how much better or faster (if at all) do the 'big three' patch their clients? That also is very relevant.
Very one-dimensional article, although it has a point. But not every virus hits every computer on the planet in the first 15 minutes of it's lifespan.
If i must use windows i never install a virus checker. Why--becuase they are a virus. Oh and i have never had a virus, but then i don't use MS outbreak or IE x.xx so most attact points are gone. Also i usally have a external firewall.
Fact is most ppl have a virus checker and most ppl get malware and viurs.... Its a real easy risk/cost/benifit trade off.
It is 80% of *new* attacks. But this number doesn't mean anything unless you know what percent of current attacks are "new". Graham Ingraham mistakenly concludes:
"So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in," said Ingram.
Incorrect. The vast majority of attacks happening at any given moment are not new.
Look at virus statistics from Kaperskey (considered one of the better anti-virus products):
The #1 (29%) was detected in March 2005. The #2 (16%) was detected in January 2006.
In summary: the important aspect of anti-virus software is the ability block current threats, which are not (currently) the newest threats.
AV and Anti-Spyware can all but be eliminated. Why is EVERONE is forgetting the Principal of Least Privilege! I'm conducting a brief study on my own findings. My wife uses windows, she is in the Users group, no ActiveX installed malware, no viri on her PC for over 2 years. I do a weekly scan with all the standard tools, no rootkits. Sony's root kit won't install, nor will anything else.
I use the admin group and user for their intended purpose, for admin tasks, not day-to-day activities. In Vista, M$ is finally seeing that IE has to be run in a lower privileged and protected mode of some sort. AV is a band-aid on a cancer, no matter what maker. Naturally there are exceptions, the M$ WMF vuln for one, but she uses my(waste of)space, and stays fully patched so she doesn't have the spyware/adware. Say it with me! Security isn't a PROGRAM, it's a Process!
Yes, a lot of stuff can be prevented or at least the damage severly limited by running as a regular user. There are some good tools and resources for managing user privileges here:
Of course another interesting fact is that certain anti-virus programs until recently --and hopefully this has changed--wouldn't update if the user wasn't logged in as admin ;-). That's like paying money to make yourself insecure.
ClamAV's still on the map: http://www.clamav.net/
I was using it for a long while on my home machine and for work-- their POP3 proxy is excellent.
Baseless comments from people like Olaf and grossly mis-quoting popular surveys like gal_sec only confuse the matter.
The critical component of malware control/management that people are missing is the fact that picking the right product is only half the battle. The other half is how operationally effective your AV controls are. Even if some survey respondents say that their organization has deployed some sort of AV across the enterprise, that does not mean that their architecture as well as their operational and management controls are effective. I have seen many companies who have deployed any number of AV software, but fail at their operations, e.g. timely deployment of definititions, regular audit for systems missing AV, etc.
Top-Selling Antivirus Programs and Best Practices are never the answers. But no one has the courage to say that :)
Great timing on the article! A visitor just infected my home machine with ConHook, and Norton/Trend/Ewido were powerless to stop it. I tried Kaspersky and it found it immediately. Norton is worthless!
Statistics are like a bikini. What they reveal is suggestive, but what they conceal is vital.
I've found that AV updates can be setup as scheduled tasks with a variety of vendors over the years, and scheduling those tasks as the system account or other higher privileged account can be done. AV companies do not make this easy for your typical end user, that's for certain. Nor do Anti-Spyware vendors.
Again, LUP/PLP isn't the end-all-be-all, but one must admit that it is indeed a Best Practice.
Agreed, ideally users should run with the least privilege they can get away with.
The problem, though, is that too much Windows software (particularly older programs) refuses to run if the user doesn't have excessive privileges. My house usually runs Linux, but we boot up Windows XP on rare occasions for the increasingly smaller set of things we can't do on Linux. My daughter was given a game for her birthday, for example, and I had to make her an administrator to get it to run. Fortunately she didn't like it (and she particularly didn't like the experience of Windows XP as packaged by HP, when the computer keeps advertising products and services from HP and its partners while you're trying to do something else; I hadn't gotten around to killing all that stuff yet).
you're absolutely right, it's 80% of new malware that is getting missed and of course new is generally synonymous with unknown... why anyone should be surprised that known-malware scanning would have difficulty with UNknown malware is beyond me but apparently some people think it's worth making a big deal over...
ClamAV hasn't dropped off the map - there's Windows and MacOS/X versions of it, for local scanning and it's in common use on mail servers and virus scanning proxies - the per user/per server licensing costs are hard to beat.
It's also somewhat effective against phishing, as phishing emails are added as 'viruses' and are picked up by mail servers using it to scan.
http://www.ranum.com/security/computer_security/... is an article I recall about the 6 dumbest ideas in internet security. While its ideas may work better in theory, it does offer a good insight into the reasons why all anti-virus is flawed.
Why enumerate everything that can cause problems. Instead enumerate the things that are allowed. You just need to have a better interface/intelligence than most software firewalls... or homeland security initiatives ;).
"stay well away from the bestseller shelf"
Actually, that advice works for both AV and OS. There are many fewer viruses/exploits for *nix/Linux and OS X than there are for Windows. There are even fewer viruses/exploits for BeOS, BSD, etc. As you go down the popularity list, you also lose access to a lot of software, some of which is also exploitable. Unfortunately, your productivity tends to drop when you can't access or manipulate your data through an incompatible OS.
I experienced a similar situation recently when some trojan horse sw prevented me from installing spybot and adaware on a heavily infected childrens' laptop. The German Antivir (available at no cost at www.free-av.com/ with regular updates and everything) did the job. It deactivated the autoload @ startup -> reboot -> and then deleted the trojan and everything else from the disk...
My combination for my many patients' Win systems: Antivir, ZoneAlarm, FireFox/No Java -- saves a lot of hassle!
...and norton is a virus by itself! Like a giant squid it sticks its tentacles into everything on your system, which in return becomes slower and slower. I always get the feeling of complete loss of control when I try a machie with this bloated fatware on it...
norton utilities for dos - this was something!
You are treading into flamewar territory, but you're right. Risk goes down once you move away from the major targeted platforms. That is a somewhat controversial statement because it only works when your main concern is garden variety attackers who are trying to build botnets and the like. If someone specifically targets your machines and your data, being on a minority platform doesn't help much.
"Why enumerate everything that can cause problems. Instead enumerate the things that are allowed."
there are far, far more good things in the world than there are bad things... if you're going to have a vendor-defined whitelist that vendor has to enumerate them all...
an end-user defined whitelist is obviously much more managable size-wise (since they only care about the good things they actually encounter) but end users are much worse and deciding what belongs on a whitelist and what doesn't...
for a vendor-defined *list, a blacklist really makes more sense... personally, though, i think using both vendor-defined blacklists and user-defined whitelists at the same time is a good idea...
That makes perfect sense. This is no different from making the same statement 50-150 years ago that 'top selling locks' are not always the best because crooks attempt to crack them more often.
This is a perfectly natural aspect of competition. Let the lesser known programs compete, and diversity itself will limit this problem. Of course diversity goes against 'standards', so the tradeoff must always be made. There is no neat one true way to mitigate this problem - other than to handle the criminal side of the equation. I can't get into that side of the equation without getting a warning from the moderator.
For more on why one should run as a regular user see:
First link has a nice summary of an eWeek test comparing two Windows PCs one running with user privileges and one as admin. The admin machine was very good at accumulating malware.
The second link has a nice list of all the nasty thinks malware can do to your machine when you ran as admin that aren't possible if you run as user.
"Unfortunately, your productivity tends to drop when you can't access or manipulate your data through an incompatible OS."
Productivity and freedom tends to drop when you can't access or manipulate data through every OS in open formats.
Closed formats are the death of freedom, true productivity, and humanity.
I agree that the "big three" AV makers are not as good as some lesser-used programs. We at Simplelogic.org use (free) Grisoft AVG, which not only works flawlessly, but I understand is in fact a "benchmark" that the "big three" use to test their own products. If it's god enough to test the commercial products, it is centainly good for users.
"Closed formats are the death of freedom, true productivity, and humanity."
In what sense?
I agree that closed formats are pain in the ass and stifle productivity, but how do they limit your freedom? or humanity in general?
Surely this principle sounds absurd once we apply it in other aspects of life:
Gates are the death of freedom, because I can't play football on my neighbor's lawn.
Store closing hours are the death of freedom and should be prosecuted for restraint of trade, unless it's Sunday.
Somewhere in your analysis you are forgetting that those who make close formats are humans too, and their freedom is not less important than yours.
Closed formats is not analogous to closed gates and closed stores. I think a more appropriate analogy would be the the store hours fluctuate daily. So monday open 8am - 6pm, the next day its 3pm - 4am, etc. etc. then the next monday its 2am-9am. Never the same.
Let's say you have your entire writing collection that you wrote in Microsoft Word and saved as MS Word documents. In X years lets say Microsoft is unseated as supreme rulers of the corporate market and in fact go away completely. Now how are you going to read/manipulate/whatever your writings? Sure I know there is Open Office, etc. but what if they didn't exist or could not handle the version of word doc? Now your documents are lost forever?
What happens, in X years, to your data stored on DVD or ? Oh, wasn't that a silly optical drive format?
Ok, these are just examples I thought of right now. Maybe not the best but they get the idea across I hope.
Think of web pages too. If a web page is coded to a certain standard, it should look the same in browsers that adhere to the standard, right? Plus come on, why did MS set IE to ignore ?
No matter what AV software that is used, they can not stand up against a teen that is an avid gamer, instant messenger and downloader. My nephew uses a computer that has Windows 2000 Pro on it. He plays games, downloads games and music, and chats with friends while being an Administrator. Several of his games need him to have that high status. Before he recieved the computer I installed all service packs, AVG and anti-adware software. The computer was setup to download and install all updates. Plus, the computer is behind a Linksys router. Because of my nephews computing behavior, the computer still has viruses and malware. There is not much I can do until my nephew changes his behavior.
Sometimes technology is not the answer.
"Closed formats is not analogous to closed gates and closed stores."
No they are not exactly the same, but what they all share in common is SOMEONE (usually the property owner) chooses to have them, and any interference with such a choice is not freedom.
" In X years lets say Microsoft is unseated as supreme rulers of the corporate market and in fact go away completely. Now how are you going to read/manipulate/whatever your writings?"
So what? You, and only you has the choice to make decisions, if you choose wrong there are consequences to pay. You have made an honest entrepreneurial mistake.
Luckily such is not a problem, because the software is already out there, despite the existence of MS.
Business don't just vanish into thin air, they tend to decrease in scope and sell off their assets to reduce losses.
Whatever patents they hold will either expire, or someone will purchase them before they fizzle out and make a CONVERSION tool to bring it up to speed with whatever else is popular.
This process may be costly, but not impossible, and such is the outcome of most entrepreneurial mistakes.
"What happens, in X years, to your data stored on DVD or ? Oh, wasn't that a silly optical drive format?"
It's not like all the drives disappear, or all the methods to convert it to a suitable media fade away.
There are small niche companies that make good business updating and restoring old formats. For the right price you can burn your mp3s onto a vinyl record.
"Ok, these are just examples I thought of right now. Maybe not the best but they get the idea across I hope."
I understand where you are coming from, I felt the same way long ago, and you did make a good effort for some examples. But the only failure was that of not realizing that where there is a DEMAND, there will typically be a SUPPLY (or at least the opportunity to make a nice profit in creating the supply), unless it's forbidden by law.
Human progress does not rest on MS's shoulders.
However when MS starts going down, expect them to pitch that kind of rhetoric so that they can lock into the subsidies every other industry-in-decline has managed to achieve: steel, auto, agriculture, radio, television, railroads, airlines, etc...
"Plus come on, why did MS set IE to ignore ?"
Industry standards are voluntary. It is not conclusive whether IE was even a net financial gain for MS, even when considered indirectly in relation to their other products.
I don't suppose anyone has a URL for the actual complete results of the AusCERT tests? I looked quickly on http://www.auscert.org.au/, but didn't immediately see anything. They mentioned Kaspersky had a 90% hit rate; I'm curious to know whether they tested AVG, and if so, how well it did.
Norton Antivirus isn't itself a virus, because viruses are small, efficient, and don't cost anything (in the first place).
The idea of whitelists seems not that bad.
I got about 2000 binaries in /usr/bin and don't know how many programs exist on a normal windows-installation.
Of course most of them where initially installed and could be included in the initial white-list.
To be secure, the whitelist couldn't only contain the name of the program - otherwise all viruses would be called outlook.exe etc.
Name + md5sum could be a way.
As developer, when you test your software in 5 minute intervals, it would be annoying to update the register that often.
Q: How can scripts and macros be handled?
On the other side: How do the viruses infect the system today? Don't most of them need the user to confirm execution? Or do a lot of them use vulnerabilities? A user who starts an attachment will add the virus to the whitelist too.
recommending 'No Java'?
I'm developing with java a lot of years and therefore I'm sensible for informations regarding Java security.
There have been only very few problems with java over the years. And on the other side, java-programs aren't vulnerable to buffer-overflows. I don't understand that recommendation.
Their software assets are bought by Computer Associates. Ever dealt with them?
There are multiple things going on in the original article and it helps to split them out and deal with them seperately:
1. Increasing malware code quality. This fits with the move of 'malware for financial gain'. As malware development moves from a hobby to a business this is to be expected.
2. A Genetic Diverstity argument on the risks of market domination by a small number of vendors. A good point and one that has been taken up by others here in areas other than AV. But, if we accept the first point above, we should not be surprised to find an increased level of testing, just like any software development group, and hence specifically testing against particular AV products seems like an obvious thing to do.
2. Questioning the ability of AV to cope with NEW threats (the earlier story at http://www.zdnet.com.au/news/security/soa/... actually makes the story clearer). This has always been an issue for AV and vendors have made efforts here but in reality they are a reactive technology and unable to deal with new attacks - no signature, no protection.
'"stay well away from the bestseller shelf"
Actually, that advice works for both AV and OS.'
This is a particularly silly point as it relies on people not following your advice. Use Linux instead of Windows, you say?? Ok then...
Run your argument through the Kantian Categorical Imperative filter before posting.
> To be secure, the whitelist couldn't only contain the name of the program - otherwise all viruses would be called outlook.exe etc.
> Name + md5sum could be a way.
It's probably better to sign or encrypt the binaries themselfes.
A short search at google for signing ELF binaries:
Paper of DigSig http://www.usenix.org/events/lisa04/tech/...
Attacks on DigSig http://icsa.cs.up.ac.za/tiki-download_file.php?...
Solaris' 'elfsign' http://blogs.sun.com/roller/page/darren?...
And than there are the administrator's one-liners in perl, bash, awk or whatever. I might err, but I guess it will decrease usability a bit if you need to sign all one-liners before hitting the enter-key, so it will only work more-or-less easy for thin clients.
To avoid crossposting: signing/encrypting binaries and scripts is a quite easy way to diversify the software. The user can click on paris_hilton_naked.jpg.exe as hard and often as he wants but the trojan wouldn't run.
"Their software assets are bought by Computer Associates. Ever dealt with them?"
What is the point?
I was pointing out the obvious: businesses sell of their assets to reduce losses.
Why would you assume that all the assets will be sold to CA? That is not competitive bidding, and therefore will command a lower price.
And how does your anecdotal evidence paint this as a problem even in the hypothetical situation that CA did acquire all the assets.
"He plays games, downloads games and music, and chats with friends while being an Administrator. Several of his games need him to have that high status."
You can be logged in as user and run certain programs with admin privileges or login as admin and run programs with user privileges. There are lots of good free utilities around that help manage program user rights.
I have these nasty, ruthless and conniving companys suck as, spyaxe and others who actually plant a virus on your computer, while posiing as as "spyware" removal company. Fuc---- ruthless.
Avira, Avast, AVG, Kaspersky and GDATA are the real ones that stop all viruses and malware. I believe mcafee, norton and trend micro are way behind them.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.