
Testing Free English Anti-Malware On Non-English Threats

Soulskill posted more than 3 years ago | from the may-you-direction-me-to-the-ham dept.

Security 78

An anonymous reader writes "Brazilian technology news site O Globo posted an interesting comparison on how free anti-malware behaves against non-English threats (Google translation of Portuguese original). By using a database of over 3000 samples from Brazil's Security Incident Contact Center, the numbers are quite different from all US anti-malware reviews. While Avira achieved the best score, 78%, Microsoft Security Essentials stopped less than 14%. This can be a headache for some large multinational corporations, whose IT departments deploy US anti-malware on the entire network, but have network segments outside US with many 'unknown' threats roaming around. I wonder what the results would be in other countries."


78 comments

Wait... (1)

Anonymous Coward | more than 3 years ago | (#35275744)

So it can be as simple as getting your malware translated into another language?

What about (2)

Aerorae (1941752) | more than 3 years ago | (#35275768)

paid solutions?

Re:What about (-1)

Anonymous Coward | more than 3 years ago | (#35275896)

Brazil does not use paid solutions.

Re:What about (2)

MrEricSir (398214) | more than 3 years ago | (#35275954)

In my experience, the vendor makes more difference than whether you get the paid or free version.

Generally the free version is for home use only, whereas the paid version is for commercial use and comes with support.

However, some vendors offer more frequent updates with the paid versions than with the free versions. This might play a role here, but probably not; chances are the location of the R&D lab and the language spoken by the virus submitters makes a larger difference.

Re:What about (2)

_0xd0ad (1974778) | more than 3 years ago | (#35279218)

Still, some vendors get left out entirely. I use ESET. Since they don't have a free version, they weren't included. I'd like to know how they measure up, though... hell, whoever's testing could just install their 30-day trial and not even have to buy it.

Re:What about (1)

RockDoctor (15477) | more than 3 years ago | (#35293420)

hell, whoever's testing could just install their 30-day trial and not even have to buy it.

But ... it's a fairly safe assumption that the people doing the study were doing it for some commercial purpose (even if it were only the trapping of advertising victims' eyeball-seconds). So that would render them ineligible for most non-commercial-use versions of most software that I've read the EULAs for (yes, someone does read the damned things, even if incompletely and inconsistently; [Henry 6 P2, A4S2, get it said and done]). And some other EULAs I've seen have explicitly banned installation of unpaid versions for the process of comparison, reporting etc.

Surely it is wrong to use software in contravention of the terms and conditions it is licensed for. Isn't that what part of the recent (and recurring) row about unlicensed (or license-contravening) use of GPL software components is about?

They don't even remove the biggest US threat (-1, Flamebait)

antifoidulus (807088) | more than 3 years ago | (#35275772)

These programs don't even remove the biggest English language security threat. After you run them Windows is STILL installed meaning you are STILL vulnerable to getting pwned. Big rip off if you ask me.

Re:They don't even remove the biggest US threat (1, Insightful)

Flyerman (1728812) | more than 3 years ago | (#35275814)

A free program that uninstalls your OS is a virus, not a security program.

You are hilarious though, don't let anyone tell you otherwise.

Re:They don't even remove the biggest US threat (0)

LingNoi (1066278) | more than 3 years ago | (#35275880)

A free program that uninstalls your OS without your permission is a virus, not a security program.

fixed that for you

Re:They don't even remove the biggest US threat (1)

Anonymous Coward | more than 3 years ago | (#35275898)

Actually no it isn't, but nice try.

A virus needs some sort of self-replicating mechanism - if it simply disabled the host OS then it would basically kill itself. I'd categorize it as malware if it didn't announce that it was going to trash my OS, but it's no more than that.

Re:They don't even remove the biggest US threat (5, Interesting)

Enter the Shoggoth (1362079) | more than 3 years ago | (#35276024)

Actually the installer for OS/2 (Warp iirc) would do a virus scan before installing and would come up with the message

"windows found, remove: (y/y)?"

so someone at IBM shares your sense of humor... or maybe it was you?

Re:They don't even remove the biggest US threat (1)

shadowbearer (554144) | more than 3 years ago | (#35276380)

What if it saves all your data to the cloud (best encryption), uninstalls your broken OS, installs a better OS, ports all your settings and themes over (as close as possible, given proprietary format angst) and then presents you with a better deal overall?

What sort of definition would one give to that sort of virus, Vir.Benev.BashScript? ;-)

SB

Re:They don't even remove the biggest US threat (0)

Anonymous Coward | more than 3 years ago | (#35275848)

Acne soaked, snort-laughing virgins from 2002 called -- they want their joke back.

Re:They don't even remove the biggest US threat (-1)

Anonymous Coward | more than 3 years ago | (#35275918)

lolololo fap fap fap

Re:They don't even remove the biggest US threat (0)

Anonymous Coward | more than 3 years ago | (#35275942)

There's a bigger security threat, the one sitting in front of the computer.

Re:They don't even remove the biggest US threat (1)

Dracos (107777) | more than 3 years ago | (#35276012)

I believe Secunia is calling this one antifoidulous.pebkac.2011A.

Re:They don't even remove the biggest US threat (2)

mlts (1038732) | more than 3 years ago | (#35276062)

Devil's advocate here:

I beg to differ, especially with Windows 7. Windows has its issues, but its security features are on par with everyone else.

The problem oftentimes is with the third party developers which don't allow the OS to enforce DEP, much less ASLR. Heck, Microsoft was accused of acting like a tyrant because they decided to force programs to have a separate user/admin priv model, just like every other mainstream OS out there.

Of course, Windows has problems, but saying it is fundamentally insecure isn't accurate.

Re:They don't even remove the biggest US threat (1)

Alex Belits (437) | more than 3 years ago | (#35276494)

Security "features" of a typical desktop OS are not what makes it secure -- they are what annoys the user while pretending to make the computer less vulnerable. UAC and antivirus are "security features", and so are Windows Firewall, ACLs, etc.

What makes an OS secure is secure design and lack of vulnerabilities; Windows has none of that and never will.

Re:They don't even remove the biggest US threat (1)

mlts (1038732) | more than 2 years ago | (#35282770)

Agreed. There are "features" which constitute little more than security theater, like the annoying firewalls of times past.

However, there are true security features that operating systems must have.

UAC can be debated. In reality, UAC is a good thing, although how MS got a patent on a "graphical sudo" is beyond me.

There are features that are needed, and not theater though. A couple:

1: Filesystem encryption, either file by file like AIX's EFS, Windows' EFS, EncFS/FUSE, raw image level like TrueCrypt, LUKS, encrypted disk images on OS X [1], or even hardware level encryption like on IronKeys, IBM disk arrays like the DS5100s and up, or encrypted drive controllers. This is the court of last resort if a blackhat gets physical access to a machine and decides to pull media, be it tapes from a silo, or drives out of a RAID enclosure.

2: ASLR, DEP, and other memory protection. By making sure that data is not executable with a NX bit, this protects the OS against a lot of buffer overflow attacks. Combine this with a malicious program not knowing where the stack is using ASLR, and this slams the door on a whole type of attacks.

3: Limited application context. This is called different things on different operating systems, but essentially it means an application does not have the full privs of the user it is running under. This can be done via policies (SELinux, AppArmor), jail(), or Microsoft's low priv functionality (which IE7 and IE8 run under). It can even be done by a third party program like SandboxIE [2]. This is a definite security feature because it limits the damage malware can do if it gets the ability to execute in the context of a browser add-on or a browser (which is one of the most common infection vectors these days).

4: Ability to deny access after "x" amount of bad password guesses. This is important to prevent brute forcing of either local access (via a hardware device that guesses passwords), or from remote.

5: Ability to check for unauthorized modifications to the operating system. AIDE/Samhain/TripWire are good tools for that, but I'm sure there are always ways to get around those. The only real way to detect modifications even with rootkits present is to boot the OS from other media, check the hashes of the programs on the system against a known good list, and discard false positives.

6: The ability to have audit logs sent to another machine. Having this ability may mean the difference between an investigation of a breach being unable to commence versus being able to backtrack to the next link in the chain.

So, I agree -- there are security theater "features", but general use operating systems have to have true security features to deal with today's attack vectors as well.

[1]: IronKeys in my experience are the only game in town when it comes to on-board hardware encryption for USB flash drives. They are expensive, but worth it, assuming the machine it's used on is not compromised.

[2]: SandboxIE may not be perfect, but it definitely goes a long way for helping priv isolation. It also is easier to use than keeping your web browser in a separate VM.
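Point 5 above (boot from other media, hash the programs on the disk, compare against a known-good list, discard false positives) as a worked example. This is an added illustration, not code from the thread; the tree and manifest are constructed in a temporary directory, and the `volatile` patterns stand in for the "false positives" step (files such as logs that legitimately change).

```python
"""Offline integrity check of a filesystem tree against a known-good hash manifest.

Added example, not code from the Slashdot thread. On a real system the checker
and the manifest would live on the separate read-only boot media and `root`
would be the mount point of the non-running installation; here everything is
constructed inside a temporary directory so the script runs stand-alone.
"""
import hashlib
import os
import tempfile
from fnmatch import fnmatch


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _walk_files(root):
    """Yield (relative POSIX path, absolute path) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root):
    """Record relative path -> SHA-256 for a tree that is trusted to be clean."""
    return {rel: sha256_file(full) for rel, full in _walk_files(root)}


def verify_tree(root, manifest, volatile=()):
    """Compare the tree under root with a known-good manifest.

    volatile: glob patterns (e.g. "var/log/*") for files that legitimately change;
    differences there are reported under "volatile" rather than flagged as
    tampering. Returns sorted lists under modified, missing, unexpected, volatile.
    """
    report = {"modified": [], "missing": [], "unexpected": [], "volatile": []}
    seen = set()
    for rel, full in _walk_files(root):
        seen.add(rel)
        is_volatile = any(fnmatch(rel, pattern) for pattern in volatile)
        expected = manifest.get(rel)
        if expected is None:
            # File the golden manifest never saw: dropped payload or new log.
            report["volatile" if is_volatile else "unexpected"].append(rel)
        elif sha256_file(full) != expected:
            # Content differs from the known-good hash.
            report["volatile" if is_volatile else "modified"].append(rel)
    report["missing"] = [rel for rel in manifest if rel not in seen]
    for key in report:
        report[key].sort()
    return report


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a clean tree is hashed, then one binary is patched,
    one is deleted, an extra library appears, and a log file grows."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"ls v1")
        _write(root, "bin/ps", b"ps v1")
        _write(root, "var/log/syslog", b"boot ok\n")
        manifest = build_manifest(root)

        _write(root, "bin/ps", b"ps v1 + hook")               # tampered binary
        os.remove(os.path.join(root, "bin", "ls"))            # deleted binary
        _write(root, "lib/dropped.so", b"not in manifest")    # file never in manifest
        _write(root, "var/log/syslog", b"boot ok\nlogin\n")   # expected churn
        return verify_tree(root, manifest, volatile=("var/log/*",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```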

Re:They don't even remove the biggest US threat (1)

Alex Belits (437) | more than 3 years ago | (#35287532)

UAC can be debated. In reality, UAC is a good thing, although how MS got a patent on a "graphical sudo" is beyond me.

It may be a "good thing" for Microsoft, considering what a disaster it was before and what a slightly lesser disaster it is with that. In reality, when security is concerned, "if you have to ask, the answer is no". Please note that Linux desktops mostly moved from sudo to PolicyKit, and use password prompts not to verify if a potentially security-breaking operation is started by an authorized user but to check if the user really wants to perform an administrative operation, so he won't just press OK. I expect that cached permissions in sudo will be completely disabled once that transition is complete.

1: Filesystem encryption,

This is only justified for non-removable media when the user has to deal with an attacker having access to hardware AND the attacker is interested in reading or altering data instead of destroying it, AND the computer is always off when the attacker can access it. Never in my life was I in a situation where I could benefit from this, nor have I seen someone who can. With removable media it is somewhat justified because it's shipped and carried in all kinds of potentially hostile environments.

[1]: IronKeys in my experience are the only game in town when it comes to on-board hardware encryption for USB flash drives. They are expensive, but worth it, assuming the machine it's used on is not compromised.

There is no way in Hell I will trust an unknown implementation of an unknown encryption algorithm on a media type known to move data around its physical addresses.

2: ASLR, DEP, and other memory protection.

Useful, but only marginally because almost everything that was exploitable is still exploitable with a more convoluted exploit.

3: Limited application context.

This is a part of design. Windows has such a hard time using it (cutting IE away from the rest of the system that you mentioned being the only feasible, and extremely inconvenient for the user who has to download files, example).

4: Ability to deny access after "x" amount of bad password guesses. This is important to prevent brute forcing of either local access (via a hardware device that guesses passwords), or from remote.

Absolutely worthless for any purposes other than being an easy DoS target. "Locking out" of this kind needs an override to restore access after it happens, and access to such override is protected by... another password!

5: Ability to check for unauthorized modifications to the operating system.

This cannot possibly be a part of the system because it has to be performed in a known-unmodified environment outside of the system. Otherwise it's no better than antivirus.

The only real way to detect modifications even with rootkits present is to boot the OS from other media, check the hashes of the programs on the system against a known good list, and discard false positives.

The only real way to detect modifications is to boot from read-only media. There is no requirement for the OS to be the same as the OS being booted -- in fact, it's better to keep the checker the Hell away from the image that is normally booted, lest the user be tempted to run it from there.

6: The ability to have audit logs sent to another machine. Having this ability may mean the difference between an investigation of a breach being unable to commence versus being able to backtrack to the next link in the chain.

The existence of such logging is a part of design -- to be in any way effective it has to be used by everything worth being monitored, OR it has to log every system call.

Re:They don't even remove the biggest US threat (1)

deniable (76198) | more than 3 years ago | (#35276794)

Heck, Microsoft was accused of acting like a tyrant because they decided to force programs to have a separate user/admin priv model, just like every other mainstream OS out there.

They started that back in about '95. By Vista, they'd given up asking nicely. It was as bad as the MS-DOS tricks that continued until XP came out.

Re:They don't even remove the biggest US threat (0)

Anonymous Coward | more than 3 years ago | (#35277334)

Delve deeper under the hood...

Networking protocols that can be authenticated using password hash instead of having to crack the password...
Weak encryption for user passwords...
Network services running by default that are difficult to turn off (so most people firewall them - a kludge at best)...
Unnecessarily complex (i.e. poorly designed) network services, microsoft-ds on port 445 provides access not only to file/printer sharing but all manner of features such as accessing the registry remotely, manipulating services etc. If you want to open up one piece of functionality, you are left opening up huge amounts of functionality you do not necessarily want exposed.
Layers upon layers of backwards compatibility cruft, many functions have multiple versions which are selected at compile time depending on which sdk version you use, lots of cruft is present for compatibility with win9x which had no concept of security whatsoever.
No centralised update system, you can only update ms stuff centrally, third party apps are left out in the cold.
Even though there is a centralised update system for ms apps, it is broken - find a largeish network running wsus, verify that wsus thinks every machine is up to date, now go and manually check the file versions installed on those machines against the versions contained within patches (the ms security advisory page contains such lists), or use an automated tool like nessus to do this for you... You will find that on any moderately sized network, wsus fails to update a handful of machines despite claiming that it has.
Software installed by default that is difficult/impossible to remove, even if you don't need such software or choose to replace it with an alternative.
Client side security in many areas which is trivially bypassed, eg command prompt restrictions or certificate export restrictions, access to view certain dirs is restricted in the gui but can be bypassed in the command prompt etc. (the worst part here is not that these trivial things can be bypassed, it's that they give people a false sense of security).
Depends on file extensions, and yet hides them by default.
Needs lots of third party software, eg av software, software to restrict access to usb devices, software to restrict execution of arbitrary binaries etc etc... Then also needs third party software to update the third party software!

Re:They don't even remove the biggest US threat (1)

JonySuede (1908576) | more than 2 years ago | (#35285250)

No centralised update system, you can only update ms stuff centrally, third party apps are left out in the cold.

No, in an enterprise setting you can set up your own WSUS server and you can push MSIs centrally. And you can create your own MSI to update applications like Firefox.

Most of your arguments are outdated; you are resorting to FUD just like MS did between 1998 and 2008.

please mod me down I suffer from ADD today (1)

JonySuede (1908576) | more than 2 years ago | (#35285314)

please mod me down I suffer from ADD today, I did not read the part about nessus and WSUS....

Re:They don't even remove the biggest US threat (1)

evilviper (135110) | more than 3 years ago | (#35296202)

Yes, windows is fundamentally insecure.

WPAD, UPNP, and Shatter attacks. End of story. Microsoft happily releases patch after patch to hide the most apparent symptoms, but the disease continues merrily along.

Interesting... (4, Interesting)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35275784)

It isn't really news that AV products rely fairly heavily on canned signatures and that heuristic detection of evil lags behind evil by a fair margin.

What does surprise me, though, about these results, is that they suggest a fairly high level of geographic discrimination in the customization and targeting of malware. My (naive) expectation would have been that, aside from trivial stuff like trying to get the language of your spam/phishing/social engineering emails correct, the market for good exploits, well-crafted viruses, and so forth would be a fairly global one. Also, given that some malware attempts to propagate itself, rather than being delivered by a bugged website or other external mechanism, I would expect a fair amount of "splash" from malware spreading to any vulnerable hosts it can find, not bothering with any sort of geolocation, or from expats who live in country A, but still visit websites from home country B.

I would have expected a much more homogeneous (from the perspective of the mechanics of the exploit mechanism, evasion techniques, and payload) worldwide population of malware.

Re:Interesting... (0)

Anonymous Coward | more than 3 years ago | (#35276206)

My (naive) expectation would have been that, aside from trivial stuff like trying to get the language of your spam/phishing/social engineering emails correct, the market for good exploits, well-crafted viruses, and so forth would be a fairly global one.

Malware is driven by money. There is little money to be made by Malware outside the US and European market.

Also, given that some malware attempts to propagate itself, rather than being delivered by a bugged website or other external mechanism, I would expect a fair amount of "splash" from malware spreading to any vulnerable hosts it can find, not bothering with any sort of geolocation, or from expats who live in country A, but still visit websites from home country B.

You are confusing Malware (software designed to steal information or take control of a computer) with Virii (software designed to propagate and cause the three Ds--denial, damage, destruction).

Re:Interesting... (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35278554)

My naive expectation was, as it turned out, wrong; but what I had in mind by "the market for good exploits, well crafted viruses, and so forth would be a fairly global one" was the expectation that once an exploitable bug is found, it would first be exploited by "tier 1" attackers, either against specific high value targets or regions with a high GDP/cluefulness ratio. Once in the wild, the value of the exploit would go down over time, both as patches and AV updates filter out, and as assorted tier 2 and below attackers obtain copies of the attack package and produce minor variants with their own payloads to exploit less lucrative, or slower-to-patch markets.

Obviously, most of the highest-quality malware R&D would go into producing attacks either for targeted use against specific high-value entities, or general use in high value regions; but I would have expected that those attacks would either soon be pirated, or(once high value targets and legitimate Windows systems were patched) sold at reduced prices to the bottom feeders, who would then exploit less valuable markets. The really good money is probably in targeted ops, followed by wealthy nations; but I suspect that a decent living can be made, in a country with low cost of living index, if the attack tools you are using are all stolen or heavily discounted...

That is why I was surprised. I would have expected the malware in less lucrative locations to be mostly bargain priced or stolen versions of malware that had already made the rounds elsewhere, rather than something novel enough to frequently escape detection...

Re:Interesting... (1)

AmiMoJo (196126) | more than 3 years ago | (#35277092)

Most malware does not spread by looking for vulnerable hosts. Ever since they turned on the firewall by default in Windows XP and especially now that most people have routers with a built in firewall that technique has long been abandoned.

Instead most viruses use some social engineering to spread. Fake emails sent to contacts of the infected user, free crapware downloads, browser exploits and so on.

These kinds of tests are not that useful when evaluating AV software. The focus is on prevention of infection and removal rather than detection of individual files. It doesn't matter if the software can't pick up every infected file as long as it can kill the core of the virus. AV software got bloated because it tried to have detection rules for everything, and the rules had to be very specific for each file to avoid false positives. Now they just go after the head so really the best test would be to visit an infected site in Internet Explorer and see what happens.

Blacklisting is a losing battle (2)

Mathinker (909784) | more than 3 years ago | (#35275822)

This only proves what people have been saying since day 1: fighting malware via blacklisting is a losing battle.

Eventually some company will come up with a business plan which is the opposite: if you are interested to run an application, you can pay them to do a security review on it. If the company worked on a "we do the review once $X dollars have been raised" basis, popular applications would be reviewed for small change per user, and niche applications would be expensive to have reviewed.

Unfortunately, that's also a losing battle because of the noncomputability of the stopping problem, but it's less so --- developers who want their application to be reviewed quickly would supply source code to the reviewing company and the developers would have an interest in having the code be as "clean"-looking as possible, raising the bar for slipping in "underhanded" side effects (and hopefully making malware with complex behavior difficult to pass muster).

Re:Blacklisting is a losing battle (1)

JustOK (667959) | more than 3 years ago | (#35275888)

uh, something like an "app store", perhaps?

Re:Blacklisting is a losing battle (0)

Anonymous Coward | more than 3 years ago | (#35275908)

app stores are just plain losing... never gonna get tied down to one company's idea of what's "right for me"... they're clueless neanderthals trying to second guess what I want, and how I want it. besides, with all the data theft occurring within the app-store apps (yup, they steal your data left and right but claim it was theirs to begin with), ain't no way I'm ever getting any of that losercrapnoshit

Re:Blacklisting is a losing battle (1)

mlts (1038732) | more than 3 years ago | (#35276002)

How about not just "app stores", but a repository system?

The OS can include the app store, a place for OS updates, and a well secured repo for F/OSS software. The updating programs can grab a list of packages, see what needs updating, then grab those via curl or wget. Further repos can be added by the user, assuming they click through a dialog that one can't just walk into Mordor, other repositories may not be trustworthy, do at own risk, etc.

Oh, of course, all install packages (RPM, MSI, installp, .deb, etc.) are cryptographically signed, and the signatures are checked before the package is installed. This way, a break-in to the repo server doesn't mean the files stored can be tampered with.

Repositories have served the F/OSS community well for over a decade, and have proven to be historically clean (with an exception here and there, of course that gets fixed posthaste.) I just wish Apple and Microsoft would build this in, and not just "App Store or install manually" functionality.

Re:Blacklisting is a losing battle (1)

Anonymous Coward | more than 3 years ago | (#35276102)

Repositories have served the F/OSS community well for over a decade, and have proven to be historically clean (with an exception here and there, of course that gets fixed posthaste.) I just wish Apple and Microsoft would build this in, and not just "App Store or install manually" functionality.

Can you imagine how badly people would complain about Microsoft abusing their monopoly if they did any such thing?

Not to mention you forget the biggest problem...getting developers to go along. Given how many unsigned packages and programs I have, even some from relatively high profile open source groups, and well...I don't see it happening.

See, most people don't get the reason why Microsoft lets Windows be so vulnerable and even crotchety. It's not because they can't do things better, but because they can't deal with the bitching when they close the doors. It's like getting people to lock their doors and windows. Some will do it. Some simply won't.
 

Re:Blacklisting is a losing battle (1)

Khyber (864651) | more than 3 years ago | (#35277250)

"Can you imagine how badly people would complain about Microsoft abusing their monopoly if they did any such thing?"

They could complain all they want but since other OS have this feature Microsoft would not be abusing the monopoly position in any manner. If anything they're keeping with the state of software distribution.

Re:Blacklisting is a losing battle (1)

mlts (1038732) | more than 2 years ago | (#35282564)

The good news is Windows 8 (from a previous /. article) is getting an "App Store". What it will be like when it gets released, who knows. However, it is a step in the right direction.

Re:Blacklisting is a losing battle (1)

deniable (76198) | more than 3 years ago | (#35276818)

Yes, but repos fall down on small details like payment and copy protection. I know, open source is the best thing ever, but we haven't convinced the large manufacturers yet. Speaking of manufacturers, I can think of several that need to use a common OS updater. Adobe updates, ick.

Re:Blacklisting is a losing battle (0)

Anonymous Coward | more than 2 years ago | (#35282552)

I wish everyone would use the OS updater for their apps. This way, in Windows I don't have to worry about Java updates trying to sting me with toolbars, Adobe updates, Apple software updates, PGP updates, and many more. Microsoft should make a standard application update mechanism, and the third party vendors should have MSI or MSP files that are installed via the msiexec mechanism. This isn't perfect, but this is a lot better than random mechanisms that are run from executables.

Ideally there should be one, or perhaps two mechanisms: The OS update mechanism which has heavy safeguards in place to ensure packages are not tampered with even if a mirror gets violated, and a code update mechanism that can not just update applications, but Web plugins, and other modules.

Windows isn't the only one that has this problem. OS X has a great mechanism for OS updates, and the App Store is good for programs that come from there. However, it would be nice for Apple to have a mechanism similar to MacPorts with cryptographic signature functionality [1], some big name repositories there by default, and the ability to add more repos. This way, users really never would have to manually download a file, chmod +x it, and run it, which forces Trojan makers to have to attack the repositories, the code signing machines, or persuade users to turn on functionality which is off by default and sets off big alerts when flipped on about untrusted code.

[1]: MacPorts might have gpg signatures, didn't see much mention of it though.

Re:Blacklisting is a losing battle (1)

Mathinker (909784) | more than 3 years ago | (#35277026)

> uh, something like an "app store", perhaps?

Interesting, I hadn't thought of the relationship to that existing model.

The answer is: not really, because

• in "app stores" the platform controllers are taking a cut, not being paid to do security reviews and nothing else
• in (some) "app stores" the platform controllers are actively censoring applications which do things they don't like (in my suggestion, the consumer is controlling what gets reviewed based on his needs)
• most(?) existing "app stores" prevent the user from running other applications; in my suggestion people are free to run "unsafe" applications if they choose to do so
• most existing "app stores" are monopolies; in my suggestion people are free to choose between competing companies doing these kinds of reviews (or use more than one of them, or use a different model totally like buying an anti-virus product)

Re:Blacklisting is a losing battle (1)

mehrotra.akash (1539473) | more than 3 years ago | (#35275900)

So, you are advocating Apple's app store strategy??

Re:Blacklisting is a losing battle (2)

CosmeticLobotamy (155360) | more than 3 years ago | (#35275924)

This idea is so insanely bad and competition-murdering that I'm surprised Microsoft hasn't quietly spun off some security firm to make this happen.

Re:Blacklisting is a losing battle (1)

gad_zuki! (70830) | more than 3 years ago | (#35275936)

I love how the default in your head is this anti-MS fantasy, yet what he describes is more or less the very real Apple app store.

Re:Blacklisting is a losing battle (2)

CosmeticLobotamy (155360) | more than 3 years ago | (#35276010)

This bears no resemblance to the Apple App Store. Apple doesn't audit for security, they audit for boobies and giving the user the ability to run software they didn't audit for boobies and take 30% of.

Re:Blacklisting is a losing battle (0)

Anonymous Coward | more than 3 years ago | (#35276174)

I love how the default in your head is that your operating system isn't broken. (hint: it is, quite)

Re:Blacklisting is a losing battle (2)

mlts (1038732) | more than 3 years ago | (#35275934)

What antivirus/antimalware is good at is stopping the stuff after the first wave, and the companies get updates out. However, the blackhats know this, so they know their moneymaking is during the 0 day wave, before Patch Tuesday and the Malicious Software Removal Tool is run.

True resistance to malware requires a defense in depth philosophy, and until recently, this was not implemented in a significant fashion. For example, the usual setup of Windows XP would give Admin rights to any process by default that would get on as a user. This can be fixed, but most users wouldn't create limited users, nor run the Web browser with the Run As... command.

In reality, there needs to be a number of levels before malware gets to execute with a root/admin context. The first starts with browser add-ons, the browser, the OS's security in a jail or other restricted context. Ideally there should be a HIPS present in the OS that can catch unknown intrusions, but a HIPS does cost CPU cycles and can give false positives.

Ultimately, what one group can secure, another can break. However, OS and program design that is in primary use now can really be made much better. AppArmor, SELinux, and having app profiles built into every program telling the minimum, best, and maximum privs it should have would go a long way toward isolating issues.

Re:Blacklisting is a losing battle (2)

afidel (530433) | more than 3 years ago | (#35276036)

Stop it before it ever gets to the client: IDS/IPS and an intelligent filtering proxy running a different engine than the desktop. It's not foolproof but it blocks the vast, vast majority of threats. Same with email (though that seems to be dying as a vector): use a different AV engine on the email gateway than you run on the desktop and servers.

Re:Blacklisting is a losing battle (2)

mlts (1038732) | more than 3 years ago | (#35276100)

This makes me wonder about having NICs with an embedded firewall OS. Of course, this can be a target for remote flashing of malware, but this can be minimized with both signatures, and having a DIP switch that has to be physically pressed before a write to the OS can be done.

With the NIC handling the IDS/IPS capability, as well as being able to handle enterprise network configurations, the OS can be isolated and happily think it is receiving a DHCP address while in reality, an enterprise server has it on a static IP. This way, someone compromising the OS can't get another IP, or change the subnet mask.

The NIC with this capability can also be used on the enterprise for security, regardless of the OS running on the machine. The enterprise admin or an IPS can tell the box not to connect to the corporate net for "x" amount of time, or if it does connect, route all traffic to a remediation server. Perhaps (with enough flash space) it can even store an image of the OS, so re-imaging the box can happen quickly without any network traffic.

Re:Blacklisting is a losing battle (1)

drinkypoo (153816) | more than 3 years ago | (#35277754)

It would certainly be trivial to put a firewall on a NIC. I'd rather shrink the firewall to a dongle, though, and let it hang out of the back of the system. That shouldn't be too difficult.

Re:Blacklisting is a losing battle (1)

Anonymous Coward | more than 3 years ago | (#35276040)

The whole halting problem thing is largely mitigated by the fact that we only execute code pages that are marked as executable and that they're write only. I'd agree there's a whole world of "evil-code(TM)" out there though - p-code based systems that emit code on the fly. I think these are the ones you want to audit and subject to intense scrutiny. Alas there is no simple way to take a piece of code and prove that it does X and ONLY X; at least not for anything more than "Hello World!".

I think our short term answer is going to be a whitelist system coupled with the law of least privilege. I mean, you'd think they'd make it a little harder to mess around with the guts of the operating system. There aren't many applications out there that even have a clean install/uninstall behavior so you can never be 100% sure that something in your OS didn't just get caned by "Relatively Harmless App 2011". Maybe a pay-per-privilege model is needed where I can submit an application for review in order to get (e.g.) user-mode driver privileges. There's certainly no reason I'd expect something trivial I just downloaded to be able to patch the kernel and hook all I/O calls or anything sinister like that. In the end there's no system we can build that doesn't involve someone making choices on your behalf, and that's the scary thing. We've already seen what happens when you let uninformed users run whatever they want, even with a barrage of "This might not be safe" prompts - people just keep clicking Ok and complaining that their computer got nerfed and their bank account is empty and "OMGITSYOURFAULT!!1!oneone!1". Give the control of the platform to a single entity and you end up with the App Store debacle we're seeing now - tyrannical software dictatorship.

I've been using Windows since 3.1 and I have to say I think it's basically at the end of its useful life right now - the Windows model is pretty much dead outside the enterprise.

Re:Blacklisting is a losing battle (1)

Mathinker (909784) | more than 3 years ago | (#35277068)

> their computer got nerfed and their bank account is empty and "OMGITSYOURFAULT!!1!oneone!1 ....
> the Windows model is pretty much dead outside the enterprise

Personally I don't use Windows for anything financial or for sensitive personal information, but I have a feeling that the problems with Windows which I understand you are assuming will cause consumers to stop using it will end up being "fixed" in a different way, where personal liability for the kind of losses you are talking about is limited by legislation (kind of like how credit card losses are).

Re:Blacklisting is a losing battle (1)

hairyfeet (841228) | more than 3 years ago | (#35276168)

Or you could just get Comodo AV or Internet Security [comodo.com], which is free for BOTH business and personal use and which uses a default deny policy [comodo.com] along with default sandboxing of ALL apps, which helps keep the crap from ever getting in and doing damage in the first place.

I have some customers that are SERIOUSLY click happy, we are talking some serious PEBKAC here, ones that would pick up more viruses than a Bangkok Whore. Since switching them to Comodo AV they've been clean as a whistle and everything "just works".

Now if you are setting up a new PC I'd suggest a quick trip to Ninite [ninite.com] first just to get the basics installed, and if you are wanting to install any bloated drivers like Realtek or seriously funky ones like DaemonTools SPTD drivers I'd go ahead and do those first, as Comodo naturally doesn't like the way certain drivers like Realtek splatter files all over the place and you'll have to click through multiple warnings otherwise.

But once you have a machine set up you can just drop in Comodo AV or Comodo IS and it "just works" with no hassle. And if you want the PC to be pretty much break proof short of hardware failure just add Comodo Time Machine [comodo.com] which makes daily snapshots and gives the user an easy way to restore even if they manage to somehow bork booting (for those users that can kill a Sherman tank with a toothbrush) and with CTM getting it back up is as easy as push F11> choose snapshot to restore > let it reboot and you're back up and running.

So I'd say it's not really hard to keep most bugs off the machine: just use software that uses default deny policies and sandboxes everything. Sadly NO AV is 100% perfect, especially if they use the right bait, as I have sat there in shock and watched as a user refused to listen to me OR the AV and shut it down so that he could "see free blockbuster movies with this super(tm)codec!" Sometimes even the best tools and advice just can't stop the stupid.

What about the other way around? (3, Interesting)

_133MHz (1556101) | more than 3 years ago | (#35275926)

In my experience it's pretty easy to spot malware when English menu options and stuff start appearing on a non-English Windows installation, such as "Open" or "Open folder to view files" for thumbdrives while the rest of the options show up in the local language; sometimes malware can even bork the system because of it (like in the olden days of Windows 9x when installing IE in a different language caused all sorts of havoc in the OS).

Even with such a blatant language mismatch most users simply won't notice anything wrong with their systems until it bites them really hard.

Re:What about the other way around? (1)

Peeteriz (821290) | more than 3 years ago | (#35275968)

Yeah, it's quite hard to imagine even 100% clueless people falling for e-mails from Joe saying 'here... look at the funny movie attached' if they don't know a single Joe personally, and none of their friends would even think of commenting on a funny picture in English.

Re:What about the other way around? (0)

Anonymous Coward | more than 3 years ago | (#35278666)

I don't think people need to know someone personally to want to be 'in on the joke'. For example, offline, one might overhear a stranger (let's call him Joe) say to his friend "Hey, look at the funny [something] over there". While you don't know Joe personally, and also know he isn't talking to you specifically, you might still be compelled to look.

Re:What about the other way around? (1)

sourcerror (1718066) | more than 3 years ago | (#35276902)

I don't know what language you speak, but a lot of software (even some commercial packages) has a half-assed Hungarian localisation. So I have a lot of mixed-language software on my computer.

Re:What about the other way around? (0)

Anonymous Coward | more than 3 years ago | (#35279730)

Maybe this is a Hungarian legal issue rather than a software design one. Iranian software also has "...a half assed [Persian] localisation." Iranian law does not follow international copyright, and software companies avoid the Iranian market.

2011 New arrival fashionable style fashion accesso (-1, Offtopic)

UseeTrading (2001120) | more than 3 years ago | (#35275944)

2011 New arrival fashionable style fashion accessories A wonderful website to shop online.It is specialize in supplying discounted hot designers and top brand clothings, such as:Coach,Gucci, Prada, Fendi, ED-Hardy,Chanel and much more! Many fresh kinds of accessories are here, waiting for you to find out. Ture Religion Skinny Jean,Gucci diaper bag,Timberland boot,A&F shirts ... ... Website: http://useetrading.com/ [useetrading.com]

Re:2011 New arrival fashionable style fashion acce (1)

deniable (76198) | more than 3 years ago | (#35276838)

Spamming /. with fashion accessories. Mod parent funny and then visit the link.

A few corrections (5, Informative)

Leafheart (1120885) | more than 3 years ago | (#35275982)

O Globo is one of the biggest newspapers in the country. But it is not a technology news site as the summary implies. Although yes, this was posted in the tech area of the site, it is hardly the focus of the newspaper.

Regarding the testing itself: this is just a report on a test made by an external firm (www.clavis.com.br) which was commissioned by the site. The test focused on the quality of free antivirus only, with the implication that the issue lies in the fact that they are free, not that all antivirus are plagued by these issues (I will let you decide what the exact aim of the article was). Besides that, the test is devoid of crucial information. The database they used is a great one; the CAIS is maintained by our best scientific network, RNP (site in English: http://www.rnp.br/en/ [www.rnp.br]), so I trust the info there. But nowhere does it say that the threats are in Portuguese.

They used a list of 3,269 threats among viruses, trojan horses, spyware, keyloggers, etc. We don't know how many of each. Before the article they praise paid security suites, because they are a suite and not an antivirus only. There is no data on these threats, nor how many of each type, how old each one was, nor how they have threats which are not on the known list of each antivirus. Much less the language of the code.

Let me repeat it: NOTHING in the test implies that antivirus have a problem with non-English threats. It only said that those antivirus had that percentage of correct matches on either heuristics or non-threats. But we don't know the exact content of the database or the code used to test it. Much less the quality of the test.

Again: Language was not a part of the test!!!

Re:A few corrections (0)

Anonymous Coward | more than 3 years ago | (#35276258)

Great post. I like how this post providing context for the story gets modded a 3, but the "Interesting..." post above that is gutted by this post gets a 4.

Re:A few corrections (0)

Anonymous Coward | more than 3 years ago | (#35277670)

While the article follows the journalistic tradition of bad statistics reporting, your vehemence is misplaced. Maybe you work for M$ :)

AV products in general will have problems with local variants of malware. Just try using your US AV in China and you'll see.

Re:A few corrections (1)

Leafheart (1120885) | more than 2 years ago | (#35283428)

> While the article follows the journalistic tradition of bad statistics reporting, your vehemence is misplaced. Maybe you work for M$ :)

Funny, but no. My vehemence is just to reiterate that they tested the "quality" of free antivirus against an unknown sample of threats. Which is completely different from what the summary tried to paint.

Re:A few corrections (1)

spedrosa (44674) | more than 3 years ago | (#35277696)

Perfect. Please move quickly to the chamber-lock, as the effects of prolonged exposure to the button are not part of this test.

Re:A few corrections (0)

Anonymous Coward | more than 3 years ago | (#35279176)

O Globo is the biggest news corp in the country and, as said previously, they are not about tech, they are about popularity.

The article is biased about free versions of popular antivirus: they begin it by stating that free antivirus are popular and asking if they really protect, so they hired this firm to test them.

Title incorrect (0)

Anonymous Coward | more than 3 years ago | (#35279286)

The O Globo article doesn't mention language issues but only free AV quality.

Moreover, in Brazil we have many Banker malwares, which are malware specialized in faking home banking web pages and stealing user passwords.

Re:A few corrections (1)

snowgirl (978879) | more than 2 years ago | (#35284882)

Not to mention, Avira is a German company, and a German product. That they provide an English localization does not make it "English Anti-Virus" software.

Mentioned antivirus (1)

DrYak (748999) | more than 2 years ago | (#35285684)

> With implications that the issue lies in the fact that they are free, not that all antivirus are plagued by these issues (I will let you decide on what was the exactly aim of the article).

Yup.
It's strongly tuned to make the reader buy commercial antivirus.

For a start, it only mentions popular commercial antiviruses which happen to have a free version.
It does not mention the free software ClamAV, for example, which could have been a nice addition. Especially because ClamAV accepts lots of community input in its database. So malware more frequent in some less marketed countries (like suggested by the /. entry and mentioned elsewhere in this discussion) has a better chance to get covered.

Jumping to conclusions (0)

juventasone (517959) | more than 3 years ago | (#35276008)

Right, because a multinational is going to be using a basic security product with no management features like Microsoft Security Essentials.

Re:Jumping to conclusions (2)

mlts (1038732) | more than 3 years ago | (#35276028)

I don't see any multinational company doing this because of what you said (no ability to manage/audit workstations), plus the EULA would be violated as MSE is for personal/home use and defines it.

This is what Forefront is for. Forefront is essentially MSE, but it has enterprise-level features, and MS advertised a few years ago that it can deter zombie invasions. Just the fact that the undead won't be attacking the workplace alone makes Microsoft's offering worth getting on an enterprise level.

Re:Jumping to conclusions (5, Informative)

afidel (530433) | more than 3 years ago | (#35276044)

MSSE and Forefront Endpoint Protection are the same base engine and since MS is giving it away to companies with an enterprise agreement you can bet companies are at least considering it.

Comodo (2)

Neil Boekend (1854906) | more than 3 years ago | (#35276152)

I can't read the article: blocked by company policy.
But I would like to know whether they tested with Comodo in the "auto sandbox" setting [comodo.com]. Since the virus would run sandboxed, it should not matter what the language was.
I am thinking of switching from MSSE to Comodo, and if they tested it and it failed then Comodo would not be an option for me.

Windows and the state of computing TODAY. (0)

Anonymous Coward | more than 3 years ago | (#35276364)

It seems, at least in my assessment, that Microsoft will have to come up with some way of changing their operating system completely and then adding an application support layer to the new one for the old applications, the way OSX did. This would be a very large undertaking and an extremely difficult one. The application support layer would have to be sand-boxed and would still represent a security challenge. I feel like computing is going to a more distributed utility type service model in the near future which would be enabled by faster, more secure fiber-optic communications. I suspect that Apple has this in mind with its new datacenter(s). If this is the case Windows may become quickly overtaken as Apple leverages open technologies, those already in OSX and ones already being developed for it. I think that OSX is headed for an iMakeover. Hint: the termination and/or possible re-purposing for internal use of the xServe line. And the interesting coincidence that the price of OSX server is the same as a machine installed with it (the Mac Mini Server) which is fast enough but not front end heavy, leaving Windows to poorly copy it yet again. Maybe some day Apple will just acquire Microsoft and deal with the mess for them. They will probably be able to afford it at some point but I doubt it is something that a company like Apple would take on. ;-) I want to be PERFECTLY clear that I am ONLY speculating here but this future seems inevitable if not highly plausible. Label me as a "troll" if you want.

Brazilian threats.... (0)

Anonymous Coward | more than 3 years ago | (#35276678)

.... are a HUGE number of threats....

Posted AC due to incredibly old and lame joke.

Nevertheless, why should Soviet Russia be the only one to get its own meme?

Re:Brazilian threats.... (0)

Anonymous Coward | more than 3 years ago | (#35295310)

What? No Samba? No fu... er, "soccer"? No sugar-cane spirits (cachaça), no macumba (Brazilian voodoo-light(ish) - the heavy stuff is called candomblé)? And, foremost : acarajé, vatapá and feijoada (traditional snack and dishes) in Bahia (a hallmark state), usually from traditional street-vendors in typical garb. Un-for-get-table. Just ask Montezuma (even though he's Aztec - now in Mexico. A vengeful gutsy type.).

English only program behaving (0)

seeker_1us (1203072) | more than 3 years ago | (#35276954)

Do you speak English?

Silence

Do you speak English?

Silence

(This time with Hand gestures and really loud) Do YOOOOOO SPEEEAAAAAAAKKKKK Englissshhhh?

One world... (1)

Bert64 (520050) | more than 3 years ago | (#35277234)

Thanks to the Internet, there is no reason that malware written in one place cannot easily spread across the world...

anti-malware == selling rocks (1)

doperative (1958782) | more than 3 years ago | (#35278808)

anti-malware, about as much use as selling rocks ...

I've noticed this problem with spam (1)

JavaRob (28971) | more than 3 years ago | (#35280762)

Not exactly the same thing, but I've been getting a lot of spam in Greek for some reason -- and I have no idea how to filter it out (I could just capture any message with a common Greek word, but it's... gibberish to me). It's clearly spam, and probably all from the same sender, because the formatting is always similar, though of course the links vary.
