
The Danger Side of Antivirus


8 replies to this topic

#1 Smsec

Smsec

  • Members
  • 133 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 AM

Posted 12 March 2016 - 10:25 PM

Tavis Ormandy, a Google information security researcher, tweeted today: "I get asked constantly what av to use. You're missing the point; av creates more problems than it solves, and we're overdue an av slammer." https://twitter.com/taviso/status/708719788302831616?refsrc=email&s=11

 

Tavis has been finding vulnerabilities in a number of major Antivirus products over the last year or so. He just posted a blog about Security Software Certification in which he discusses how Comodo got certified yet he's found quite a few problems: http://blog.cmpxchg8b.com/2016/03/security-software-certification.html

 

Given that antivirus software has to have full privileges to do what it does, a security flaw potentially gives an attacker the ability to run anything they want. This looks like it could be pretty devastating if hackers start going after AV products and use them to install whatever they want.

 

I'm not ready to abandon AV but this is concerning. I'd like to hear what others think.




#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:54 AM

Posted 12 March 2016 - 10:36 PM

I would agree that leaning on AV as a crutch is a bad idea, and that people put too much trust into it as their golden armor. Almost every single customer that comes in with an infection doesn't believe me and says "but I had *insert AV here*". Having the best AV in the world and paying top dollar for it won't help the biggest security hazard: the person behind the keyboard. Sometimes though, it's all too hard to teach grandma to stop clicking on everything and trusting every ad she sees... AV should act as a final stance against anything that does/will make it past the user. As discussed many times, a multi-layered defense is best (anti-virus, anti-malware, anti-exploit, ad blocker, user education, etc.).

 

In the words of Ron White: "You can't fix stupid". :guitar:


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:54 AM

Posted 13 March 2016 - 07:07 AM

Among the ~800 pages of new threat intelligence is a new study that attempts to quantify the benefit of running up-to-date anti-virus (AV) software. The study leveraged data from over a billion systems worldwide and it turns out that systems that do not have up-to-date AV are 5.5 times more likely to be infected with malware than systems that are protected...

Anti-virus Software is Dead...Really?

...if you are counting on your antivirus to save you or your co-workers from the latest threats, you may be in for a rude awakening down the road. Does this mean antivirus software is completely useless? Not at...antivirus remains a useful if somewhat antiquated and ineffective approach to security. Security is all about layers, and not depending on any one technology or approach to detect or save you from the latest threats.

Antivirus is Dead: Long Live Antivirus!

Thus, a multi-layered defense using an anti-malware and anti-exploit solution to supplement your anti-virus combined with common sense and following Best Practices for Safe Computing provides the most complete protection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
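The study quoted above ties infection risk to whether the AV is actually up to date, which is something you can verify rather than assume. The following PowerShell snippet is an added example (not from this thread or from any of the products named in it) that checks Microsoft Defender's state through the built-in Get-MpComputerStatus cmdlet; the three-day freshness threshold is an assumption to adjust to your own policy.

```powershell
# Added example: verify that Defender is running and its signatures are fresh.
# Get-MpComputerStatus ships with the Defender PowerShell module on Windows 8 /
# Server 2012 and later. The 3-day threshold is an assumption, not a vendor value.
$maxSignatureAgeDays = 3
$status = Get-MpComputerStatus

# Each entry is a named check mapped to a boolean taken from the status object.
$checks = [ordered]@{
    'Antimalware service running'  = $status.AMServiceEnabled
    'Antivirus engine enabled'     = $status.AntivirusEnabled
    'Real-time protection enabled' = $status.RealTimeProtectionEnabled
    "Signatures <= $maxSignatureAgeDays days old" = ($status.AntivirusSignatureAge -le $maxSignatureAgeDays)
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    '{0,-32} {1}' -f $name, $(if ($ok) { 'OK' } else { 'FAIL' })
    if (-not $ok) { $failed += $name }
}

"Signature version: $($status.AntivirusSignatureVersion) (last updated $($status.AntivirusSignatureLastUpdated))"

# Non-zero exit code lets a scheduled task or monitoring agent flag the host.
if ($failed.Count -gt 0) {
    Write-Warning ("Failed checks: " + ($failed -join ', '))
    exit 1
}
```

On a machine running a third-party product instead of Defender, the cmdlet is not the right source; the Windows Security Center still exposes the registered product and its state through `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct`, which is the place to look for the same "is it on and current" question.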

#4 rp88

rp88

  • Members
  • 2,937 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:54 AM

Posted 14 March 2016 - 08:26 PM

One of the most important things these days is preventing drive-by infections. These can occur simply by visiting a website; it doesn't even have to be a bad website, many large and legitimate sites may display adverts that can trigger drive-bys. By the time the big legitimate site realises what's happened the malvertiser has already infected thousands of visitors. Protection against these requires: maintaining an up-to-date browser, deactivating plugins (or setting those which you might occasionally use to "ask to activate" so you can run them on the sites you REALLY trust and NOWHERE else) and ideally the use of script-blocking software (NoScript is a good extension for Firefox which will do this) and anti-exploit software (Malwarebytes Anti-Exploit is a good example). Adblockers can also help, against sites where adverts are doing the malicious stuff. But adblockers are no protection if you visit a site where the main site itself is either designed to cause drive-bys and spread infections or has been compromised to become infectious. An anti-virus program, and some second opinion scanners, then reside behind these forward layers, acting as a line of defence primarily there to deal with the few things that get past those layers and to scan any files you deliberately download.

Edited by rp88, 14 March 2016 - 08:27 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB

#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,638 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:54 AM

Posted 15 March 2016 - 03:41 PM

You could rely on a simple anti-virus. The less (extra) features an AV offers, the smaller the attack surface.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:54 AM

Posted 15 March 2016 - 06:01 PM

You could rely on a simple anti-virus. The less (extra) features an AV offers, the smaller the attack surface.

Plus it is cheaper than full featured suites and generally much easier on system resources.

#7 ScathEnfys

ScathEnfys

    Bleeping Butterfly


  • Members
  • 1,375 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Deep in the Surface Web
  • Local time:02:54 AM

Posted 15 March 2016 - 07:51 PM

 

Plus it is cheaper than full featured suites and generally much easier on system resources.

 

Even free (MSE/Defender, Avast! Free)!

 

Though of course the best defense is a series of dedicated layers:

Dedi AV, Dedi FW (Windows Firewall is fine), Dedi AM (Malwarebytes / EAM), maybe even MBARW or an anti-execution tool if you are paranoid.


Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase

#8 Smsec

Smsec
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 AM

Posted 20 March 2016 - 03:33 PM

So to summarize points made here:

  • We still need AV as systems without it are at up to 5.5 times greater risk
  • Choose a simpler AV that doesn't include bells and whistles such as browser plugins
  • Use a "Defense in Depth" or layered strategy that includes patching, antivirus, anti-malware etc.

Thanks for the good discussion and I agree with these points.

 

I like the idea of using separate AV and anti-malware tools so if product A becomes targeted with a 0-day then product B has a chance to protect it from being exploited. Like using Malwarebytes Anti-Exploit with Emsisoft.



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:54 AM

Posted 20 March 2016 - 07:13 PM

You're welcome on behalf of the Bleeping Computer community.