The AntiVirus Era

For the last 30 years the computer security industry has been dominated by antivirus. Companies like Symantec are worth billions of dollars, and their products are deployed across millions of enterprise machines. For the average home user products like your typical antivirus may be enough, though I wouldn’t count on it alone. When it comes to an enterprise environment AV technology is critically flawed, and incapable of handling the threats presented to it.

An antivirus is based on the idea that if you can analyze malware from the past you can detect malware in the future. It’s a simple idea, and it can be effective for massive campaigns that are meant to be spread out across as many users as possible, because attackers only have time to create one payload, and then ‘crypt’ it, and try to avoid detection through automated means.

Basing security on research having to do with ‘in the wild’ malware is something I’ve talked briefly about on Twitter. I’d like to expand on that. When you build a security product around the threat landscape, and when you focus your research on the current threat landscape, it will probably be outdated by the time you publish it. For one thing, malware campaigns change drastically from country to country – trying to average it out or boil it all down is going to be way too broad to be useful. On top of that, malware is constantly changing. We see new threats, drastically new threats even, every year. In the last few years some of the most advanced atypical malware has been discovered, and there are many people who believe this will continue. So for research to talk about ‘the now’ in a field that is so fast paced, to me, is a waste of time.

In the case of what has been dubbed ‘Advanced Persistent Threats’ (APT), an oft overused term, the threats are targeted to the intended victims. Instead of attacking the world you go after a company. The effort involved in a targeted attack is greater, and it may take more time, but the payout can be estimated as ’10x’ what a mass campaign would be. Beyond pure monetary gain there are also other motivators, such as belief in a cause – hacking as a form of activism is referred to as ‘hacktivism’, and it has become far more prominent over the last few years.

If we take what we know about an AV, that it must rely on detection, and that the detection it uses relies on analyzing past malware, it isn’t difficult to see how a highly targeted attack would bypass it. Simply by virtue of being targeted, and new, an attacker will have a massive advantage against any antivirus. This has been shown many times, but most recently we can see this demonstrated through the New York Times. As some of you may know the New York Times was recently hacked, and they reported on the findings surrounding the incident. One highlight from the piece:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

To put it bluntly, Symantec failed somewhat miserably. But you can’t really blame a product like theirs for being ill equipped at dealing with something so outside of what it’s meant to deal with. And I don’t think any other antivirus would have done all that much better – they’re simply not able to deal with these situations.

This is one in quite a few cases. Zero-day exploits are being sold to governments, and those governments are in turn hacking each other’s citizens. There has been evidence in the past that exploits shown by Vupen, and purchased by their customers, have been used in the wild. Stuxnet, Duqu, Flame, all advanced pieces of malware delivered through advanced exploits, and they infected numerous users. And it took a very long time for antivirus vendors to catch on to them and create definitions for them.

So this really begs the question – is this ‘era of antivirus’ finally over? The antivirus industry has been dominated by a very specific type of program, is that really going to change?

The answer is complicated, it’s one of those annoying ‘yes and no’ situations. Obviously antivirus is a terrible addition to your security, and in my own opinion it’s far more of a burden than a benefit, but that doesn’t mean it’s going anywhere. There are no decent replacements. If we dump the antivirus we’re left with, god forbid, Firewalls – another massive waste of money that companies like to pour resources into.

Some replacements have cropped up. Nothing impressive… at all. Various products take different approaches, a few even implement sandboxes, but they’re pretty pathetic and feel very ‘thrown together’. Comodo Internet Security is a very ‘different’ product – it’s a HIPS and AV built around their Firewall. While it can in theory be used to prevent against APT there is absolutely no way it will in practice, anyone who has tried using it will be able to attest to that. And most other products suffer from the same issues, OK in theory, horrible in practice.

Beyond all of that, companies aren’t run by security experts. Hell, even IT teams aren’t run by security experts. I happen to go to a school that has a focus on computer security, and even it focuses on the wrong topics (though it’s far better than most). Reflecting this is the culture surrounding security incidents. You generally have two responses:

1) Blame some user somewhere for clicking something

2) Invest in more expensive Firewalls and other useless security software that has failed time and time again (I don’t hate Firewalls, I hate Firewall businesses)

So I wouldn’t expect the response to actually be, you know, productive in some way. So even if there were products to fill the gap that AV would leave, it would make no difference: IT is broken.

I hope to personally kill the AV one day, and I’ll be happy when it’s dead. Detection isn’t a bad thing, testing against current threats isn’t a bad thing, but god damn do not make it the core of your product. I’ve seen so many pathetically insecure products touting how great they are just because, oh my god, they can block some generic malware – not too impressive.

Security is, as always, about principles. Some things are universal – entropy, uncertainty, least privilege. You know what makes APT hard? When an attacker doesn’t know what they’re up against, when a remote attack might fail. There is nothing scarier to a hacker than a potentially failed attack – if a system gets accidentally DOS’d, as opposed to hacked, the IT team is going to be on alert. Security research should focus on further implementation of these principles, not on how to stop yesterday’s malware using techniques from the late 80s.

Security Software Usage Of Mitigation Techniques With Slopfinder

I recently read a post that used static analysis of executable files to see which applications were using DEP/ASLR and to what extent. This inspired me to perform the same analysis with the same tool, but on security software.

Antivirus software runs with very high privileges on a system, and it deals directly with malicious, attacker controlled code. Ensuring that modern mitigation techniques are enabled is essential when designing security software, as your code is inherently exposed to an attacker. In other words, the code here should be held to the highest standard.

Analysis was performed in a Windows 8 64-bit VM using Slopfinder in Chrome Stable. Slopfinder is a tool that performs static analysis on executable files to check their security flags, i.e. whether or not they make use of DEP / ASLR.

Using Slopfinder is as simple as dragging/dropping a folder full of executables and then looking through the results, which is what I’ve done here.

Default installations – trial software used if available for Pro versions. Some of these programs install “web guards” that are actually glorified Ask Toolbars or some other BS toolbar – these are included in results, they’re part of the ‘security’ package and they’re entirely relevant.

If I don’t specify DEP/ASLR it means both are disabled. This is the case for the majority, which I’m assuming has to do with ‘permanent’ DEP, as I’d be very surprised if DEP were really disabled so frequently – but who knows! UPDATE: Here is an explanation for the DEP.

Keep in mind that just because some files don’t support ASLR or DEP doesn’t mean you’re vulnerable. Some of these files won’t ever interact with ‘attacker code’ – there’s little reason for program uninstallers to support ASLR, for example, and the same goes for installers.
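As an added example (my own code, not Slopfinder’s), here is a Python reader of the two optional-header flags Slopfinder checks, IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP) and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR), run over constructed header-only samples instead of a real install directory. It also applies two caveats a bare flag check misses: an image whose relocations were stripped cannot be rebased, so it gets no ASLR even with the flag set, and native 64-bit processes always get DEP on x64 Windows, which is the ‘permanent DEP’ effect mentioned above.

```python
import struct
from typing import Dict, List

# Flag values from the PE/COFF specification (winnt.h).
IMAGE_DOS_SIGNATURE = 0x5A4D                     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550                  # "PE\0\0"
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # image cannot be rebased
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by the linker's /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by the linker's /NXCOMPAT


def analyze_pe(data: bytes) -> Dict[str, object]:
    """Read the DEP/ASLR-relevant header flags of a PE image held in memory."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = e_lfanew + 4
    _m, _n, _t, _p, _s, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too small")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    is_64 = magic == PE32PLUS_MAGIC
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "arch": "x64" if is_64 else "x86",
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        # Native 64-bit processes on x64 Windows always run with DEP, so a missing
        # NX_COMPAT flag is mainly a concern for 32-bit images.
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # ASLR needs the flag AND relocation data: a /DYNAMICBASE image whose
        # relocations were stripped cannot be moved, so it loads at a fixed base.
        "aslr": dynamic_base and not relocs_stripped,
        "aslr_flag": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # Windows 8 x64 can use a 64-bit address space for ASLR if the image opts in.
        "high_entropy_va": is_64 and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def describe(info: Dict[str, object]) -> str:
    """Render a finding in the same style as the lists on this page."""
    missing = []
    if not info["dep"]:
        missing.append("NO DEP")
    if not info["aslr"]:
        missing.append("NO ASLR (relocs stripped)" if info["aslr_flag"] else "NO ASLR")
    return ", ".join(missing) if missing else "DEP/ASLR"


def scan_images(images: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Report every image (name -> file bytes) lacking DEP or ASLR.

    A real run would fill `images` by reading .exe/.dll/.sys/.bpl files from an
    install directory; non-PE files such as definition data are skipped.
    """
    findings = []
    for name, blob in sorted(images.items()):
        try:
            info = analyze_pe(blob)
        except (ValueError, struct.error):
            continue  # not a PE image (e.g. a .cav definition file)
        if not (info["dep"] and info["aslr"]):
            findings.append({"path": name, "status": describe(info), **info})
    return findings


def build_minimal_pe(is_64: bool, characteristics: int, dll_chars: int) -> bytes:
    """Constructed header-only PE (not loadable) so the demo runs without real binaries."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    opt_size = 240 if is_64 else 224
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x8664 if is_64 else 0x14C,
                       0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if is_64 else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: hardened x64 DLL, legacy 32-bit EXE, /DYNAMICBASE but /FIXED.
    samples = {
        "hardened.dll": build_minimal_pe(True, IMAGE_FILE_DLL,
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
            | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "legacy32.exe": build_minimal_pe(False, 0, 0),
        "fixed.dll": build_minimal_pe(True, IMAGE_FILE_DLL | IMAGE_FILE_RELOCS_STRIPPED,
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "defs.cav": b"not a PE image at all",
    }
    for finding in scan_images(samples):
        print(f"{finding['path']}: {finding['status']}")
```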

If anyone has more information to add (for example if one of these offending DLLs is particularly critical, like if it’s loaded into the browser) I’ll happily add it in.

Microsoft Security Essentials/ Windows Defender

I found no executable files not compiled with DEP/ASLR.

Avast! Pro Trial (25)

/Avast/aswRegSvr.exe

/Avast/aswRegSvr64.exe

/Avast/aswRunDll.exe

/Avast/defs/12103100/Sf.bin

/Avast/Setup/INF/aswFw2k.sys

/Avast/Setup/INF/aswKbs.sys

/Avast/Setup/INF/aswMon.sys

/Avast/Setup/INF/aswMon2.sys

/Avast/Setup/INF/aswMonFlt.sys

/Avast/Setup/INF/aswNdis.sys

/Avast/Setup/INF/aswFsBlk.sys

/Avast/Setup/INF/aswNdis2k.sys

/Avast/Setup/INF/aswRdr.sys

/Avast/Setup/INF/aswSnx.sys

/Avast/Setup/INF/aswSP.sys

/Avast/Setup/INF/aswTdi.sys

/Avast/Setup/INF/Aavmker4.sys

/Avast/Setup/INF/aswFw.sys

/Avast/Setup/INF/aswNdis2.sys

/Avast/Setup/INF/x64/aswNdis.sys

/Avast/Setup/INF/x64/Aavmker4.sys

/Avast/Setup/INF/x64/aswFsBlk.sys

/Avast/Setup/INF/x64/aswFW.sys

/Avast/Setup/INF/x64/aswKbs.sys

/Avast/Setup/INF/x64/aswMon2.sys

/Avast/Setup/INF/x64/aswMonFlt.sys

/Avast/Setup/INF/x64/aswNdis2.sys

/Avast/Setup/INF/x64/aswRdr.sys

/Avast/Setup/INF/x64/aswsnx.sys

/Avast/Setup/INF/x64/aswSP.sys

/Avast/Setup/INF/x64/aswTdi.sys

/Avast/Setup/INF/x64/aswnet.sys

/Avast/Setup/INF/x64/aswRdr2.sys

/Avast/Setup/INF/x64/aswnet.sys

/Avast/Setup/INF/x64/AswRdr2.sys

/Avast/sfzone/wow_helper.exe

Avira Premium Trial + Toolbar (41)

/Ask.com/CallingIDSDK/CIDCoreLight.dll

/Ask.com/CallingIDSDK/CIDGlobalLight.exe

/Ask.com/CallingIDSDK/CIDGlobalLightPS.dll

/Ask.com/CallingIDSDK/CIDWPADLight.exe

/Ask.com/CallingIDSDK/CIDWPADLightPS.dll

/AntiVir Desktop/aecore.dll

/AntiVir Desktop/aeemu.dll

/AntiVir Desktop/aeexp.dll

/AntiVir Desktop/aegen.dll

/AntiVir Desktop/aehelp.dll

/AntiVir Desktop/aeheur.dll

/AntiVir Desktop/aeoffice.dll

/AntiVir Desktop/aepack.dll

/AntiVir Desktop/aerdl.dll

/AntiVir Desktop/aesbx.dll

/AntiVir Desktop/aescn.dll

/AntiVir Desktop/aescript.dll

/AntiVir Desktop/aevdf.dll

/AntiVir Desktop/avacl.dll

/AntiVir Desktop/avevtrc.dll

/AntiVir Desktop/aebb.dll

/AntiVir Desktop/libapr-1.dll

/AntiVir Desktop/libapriconv-1.dll

/AntiVir Desktop/libaprutil-1.dll

/AntiVir Desktop/libdb44.dll

/AntiVir Desktop/rchelp.dll

/AntiVir Desktop/unacev2.dll

/AntiVir Desktop/FAILSAFE/aebb.dll

/AntiVir Desktop/FAILSAFE/aeemu.dll

/AntiVir Desktop/FAILSAFE/aeexp.dll

/AntiVir Desktop/FAILSAFE/aegen.dll

/AntiVir Desktop/FAILSAFE/aehelp.dll

/AntiVir Desktop/FAILSAFE/aeheur.dll

/AntiVir Desktop/FAILSAFE/aeoffice.dll

/AntiVir Desktop/FAILSAFE/aepack.dll

/AntiVir Desktop/FAILSAFE/aerdl.dll

/AntiVir Desktop/FAILSAFE/aesbx.dll

/AntiVir Desktop/FAILSAFE/aescn.dl

/AntiVir Desktop/FAILSAFE/aescript.dll

/AntiVir Desktop/FAILSAFE/aevdf.dll

/AntiVir Desktop/FAILSAFE/aecore.dll

AVG Internet Security Pro (27)

/AVG Secure Search/13.3.0.17

/AVG Secure Search_toolbar.dll (Browser component, it would seem)

/AVG2013/HtmLayout.dll (Also possible browser component)

/AVG2013/Drivers/avgboota.sys

/AVG2013/Drivers/avgbootx.sys

/AVG2013/Drivers/avgfwd6a.sys

/AVG2013/Drivers/avgfwd6x.sys

/AVG2013/Drivers/avgidsdrivera.sys

/AVG2013/Drivers/avgidsdriverx.sys

/AVG2013/Drivers/avgidsha.sys

/AVG2013/Drivers/avgidshx.sys

/AVG2013/Drivers/avgidsuniversaldda.sys

/AVG2013/Drivers/avgldx64.sys

/AVG2013/Drivers/avgldx86.sys

/AVG2013/Drivers/avgloga.sys

/AVG2013/Drivers/avglogx.sys

/AVG2013/Drivers/avgmfx64.sy

/AVG2013/Drivers/avgmfx86.sys

/AVG2013/Drivers/avgrkx64.sys

/AVG2013/Drivers/avgrkx86.sys

/AVG2013/Drivers/avgwfpa.sys

/AVG2013/Drivers/avgwfpx.sys

/AVG2013/Tuneup/GainDiskSpace.dll

/AVG2013/Tuneup/RegistryCleaner.dll

/AVG2013/Tuneup/ShortcutCleaner.dll

/AVG2013/Tuneup/TUMicroScanner.exe

/AVG2013/Tuneup/TuneUpCore.bpl

McAfee All Access – Total Protection (14)

Note: McAfee became increasingly unstable on my system. I uninstalled it before I could analyze the Chrome extension that it installs.

/McAfee/Gkp/hiphandlers.dll

/McAfee/Temp/qxz2281/CompatibilityTester.exe

/McAfee Online Backup/MOBKbackup.exe

/McAfee Online Backup/MOBKconf.exe

/McAfee Online Backup/MOBKshell.dll

/McAfee Online Backup/MOBKstat.exe

/McAfee Online Backup/backup.dll

/McAfee Online Backup/oem.dll

/McAfee Online Backup/MOBK.sys

/McAfee Online Backup/librs2.dll

/McAfee/Gkp/hiphandlers.dll

/McAfee/MSC/CompatibilityTester.exe

/McAfee/MPF/HipsBkup/hiphandlers.dll

/McAfee/MPF/HipsBkup/hiphandlers32.dll

Norton (17)

/Norton 360/Engine/20.1.0.24/diFVal.dll

/Norton 360/Engine64/20.1.0.24/buShell.dll

/Norton 360/Engine64/20.1.0.24/buVssXP.dll

/Norton 360/Engine64/20.1.0.24/buComm.dll

/Norton 360/Engine/20.1.0.24/x64/DIFxAPI.dll

/Norton 360/Engine64/20.1.0.24/SymIM/symimv.sys

/Norton 360/MUI/20.1.0.24/IMAGES/diFVal.dll

/Norton 360/Branding/20.1.0.24/09/01/diFVal.dll NO ASLR

/Norton 360/Engine/20.1.0.24/x86/x86/GEARAspiWDM.sys

/Norton 360/Engine/20.1.0.24/x64/x64/GEARAspiWDM.sys

/Norton 360/MUI/20.1.0.24/09/01/coActMgr.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/coIDSafe.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/coMCPlug.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/coSfShre.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/coUICtlr.loc NO ASLR

/Norton 360/MUI/20.1.0.24/09/01/diFVal.dll NO ASLR

/2013.1.0.32_0/npcoplgn.dll NO ASLR (browser plugin)

Sophos Antivirus (No Firewall) (F-)

It doesn’t seem that any of the executable files support ASLR. Many do not support DEP as well, including quite a few that seem to interact with the web. When your “xmlparser.dll” doesn’t show DEP/ASLR support… yikes. There’s no point listing them all. Sophos gets an F- here.

Panda Cloud AV Pro (42)

/pandasecuritytb/pandasecurityDx.dll (Possibly part of the browser extension)

/pandasecuritytb/pandasecuritytb.dll (Possibly part of the browser extension)

/Toolbar Cleaner/ToolbarCleaner.exe

/pandasecuritytb/uninstall.exe

/Toolbar Cleaner/uninstall.exe

/Panda Security/Panda Cloud Antivirus/cc3290mt.dll

/Panda Security/Panda Cloud Antivirus/bcbie120.bpl

/Panda Security/Panda Cloud Antivirus/MiniCrypto.dll

/Panda Security/Panda Cloud Antivirus/PAV2WSC.exe

/Panda Security/Panda Cloud Antivirus/Pavsddl.dll

/Panda Security/Panda Cloud Antivirus/PSBoot.dll

/Panda Security/Panda Cloud Antivirus/PSBoot.sys

/Panda Security/Panda Cloud Antivirus/pskmad.sys

/Panda Security/Panda Cloud Antivirus/PSUAAlerts.dll

/Panda Security/Panda Cloud Antivirus/PSUNConsole.dll

/Panda Security/Panda Cloud Antivirus/PSUNCtrl.bpl

/Panda Security/Panda Cloud Antivirus/PSUNFwConfig.dll

/Panda Security/Panda Cloud Antivirus/PSUNMsg.dll

/Panda Security/Panda Cloud Antivirus/PSUNPnlConfig.dll

/Panda Security/Panda Cloud Antivirus/PSUNProcMon.dll

/Panda Security/Panda Cloud Antivirus/PSUNReports.dll

/Panda Security/Panda Cloud Antivirus/PSUNScan.dll

/Panda Security/Panda Cloud Antivirus/PSUNSuspects.dll

/Panda Security/Panda Cloud Antivirus/putczip.dll

/Panda Security/Panda Cloud Antivirus/putsig.dll

/Panda Security/Panda Cloud Antivirus/puturar.dll

/Panda Security/Panda Cloud Antivirus/putuzip.dll

/Panda Security/Panda Cloud Antivirus/borlndmm.dll

/Panda Security/Panda Cloud Antivirus/RKPavProc64.sys

/Panda Security/Panda Cloud Antivirus/rtl120.bpl

/Panda Security/Panda Cloud Antivirus/SetupUI.dll

/Panda Security/Panda Cloud Antivirus/bspatch.exe

/Panda Security/Panda Cloud Antivirus/USBVacineDLL.dll

/Panda Security/Panda Cloud Antivirus/vcl120.bpl

/Panda Security/Panda Cloud Antivirus/vclactnband120.bpl

/Panda Security/Panda Cloud Antivirus/vclie120.bpl

/Panda Security/Panda Cloud Antivirus/vclx120.bpl

/Panda Security/Panda Cloud Antivirus/WinSkinc2009.bpl

/Panda Security/Panda Cloud Antivirus/xmlrtl120.bpl

/Panda Security/Panda Cloud Antivirus/DG/MsiZap.Exe

/Panda Security/Panda Cloud Antivirus/DG/PAV2WSC.exe

/Panda Security/Panda Cloud Antivirus/Tools/PandaSecurityTb.exe

Panda left its god damn blekko crapware in my browser.

Comodo CIS (71)

.cav files are definition files; they shouldn’t matter. I realized this partway through and stopped logging them.

/Comodo/Dragon/wow_helper.exe

/Comodo/Dragon/uninstall.exe

/COMODO/COMODO GeekBuddy/uninstall.exe

/COMODO/COMODO Internet Security/cmdagent.exe

/COMODO/COMODO Internet Security/cmdcomps.dll

/COMODO/COMODO Internet Security/cmdhtml.dll

/COMODO/COMODO Internet Security/cmdinstall.exe

/COMODO/COMODO Internet Security/crashrep.exe

/COMODO/COMODO Internet Security/framework.dll

/COMODO/COMODO Internet Security/cfpupdat.exe

/COMODO/COMODO Internet Security/inspect.sys

/COMODO/COMODO Internet Security/msica.dll

/COMODO/COMODO Internet Security/platform.dll

/COMODO/COMODO Internet Security/cfpconfg.exe

/COMODO/COMODO Internet Security/cfp.exe

/COMODO/COMODO Internet Security/cavshell.dll

/COMODO/COMODO Internet Security/signmgr.dll

/COMODO/COMODO Internet Security/cavscan.exe

/COMODO/COMODO Internet Security/7za.dll

/COMODO/COMODO Internet Security/scanners/pe32.cav

/COMODO/COMODO Internet Security/scanners/dosmz.cav

/COMODO/COMODO Internet Security/scanners/dunpack.cav

/COMODO/COMODO Internet Security/scanners/extra.cav

/COMODO/COMODO Internet Security/scanners/gunpack.cav

/COMODO/COMODO Internet Security/scanners/heur.cav

/COMODO/COMODO Internet Security/scanners/mach32.dll

/COMODO/COMODO Internet Security/scanners/mem.cav

/COMODO/COMODO Internet Security/scanners/pe.cav

/COMODO/COMODO Internet Security/scanners/common.cav

/COMODO/COMODO Internet Security/scanners/pkann.dll

/COMODO/COMODO Internet Security/scanners/rkdenum.dll

/COMODO/COMODO Internet Security/scanners/rkdhive.dll

/COMODO/COMODO Internet Security/scanners/rkdntfs.dll

/COMODO/COMODO Internet Security/scanners/script.cav

/COMODO/COMODO Internet Security/scanners/white.cav

/COMODO/COMODO Internet Security/repair/guard32.dll

/COMODO/COMODO Internet Security/repair/7za.dll

/COMODO/COMODO Internet Security/repair/cavscan.exe

/COMODO/COMODO Internet Security/repair/cavshell.dll

/COMODO/COMODO Internet Security/repair/cfp.exe

/COMODO/COMODO Internet Security/repair/cfpconfg.exe

/COMODO/COMODO Internet Security/repair/cfpupdat.exe

/COMODO/COMODO Internet Security/repair/cmdagent.exe

/COMODO/COMODO Internet Security/repair/cmdcomps.dll

/COMODO/COMODO Internet Security/repair/cmderd.sys

/COMODO/COMODO Internet Security/repair/cmdGuard.sys

/COMODO/COMODO Internet Security/repair/cmdhlp.sys

/COMODO/COMODO Internet Security/repair/cmdhtml.dll

/COMODO/COMODO Internet Security/repair/cmdinstall.exe

/COMODO/COMODO Internet Security/repair/common.cav

/COMODO/COMODO Internet Security/repair/crashrep.exe

/COMODO/COMODO Internet Security/repair/default.set

/COMODO/COMODO Internet Security/repair/dosmz.cav

/COMODO/COMODO Internet Security/repair/dunpack.cav

/COMODO/COMODO Internet Security/repair/extra.cav

/COMODO/COMODO Internet Security/repair/framework.dll

/COMODO/COMODO Internet Security/repair/guard64.dll

/COMODO/COMODO Internet Security/repair/gunpack.cav

/COMODO/COMODO Internet Security/repair/heur.cav

/COMODO/COMODO Internet Security/repair/inspect.sys

/COMODO/COMODO Internet Security/repair/mach32.dll

/COMODO/COMODO Internet Security/repair/mem.cav

/COMODO/COMODO Internet Security/repair/msica.dll

/COMODO/COMODO Internet Security/repair/pkann.dll

/COMODO/COMODO Internet Security/repair/platform.dll

/COMODO/COMODO Internet Security/repair/rkdenum.dll

/COMODO/COMODO Internet Security/repair/rkdhive.dll

/COMODO/COMODO Internet Security/repair/rkdntfs.dll

/COMODO/COMODO Internet Security/repair/signmgr.dll

Webroot SecureAnywhere Complete

ASLR/DEP seem to be enabled on all three executable files (including the Chrome extension). Can’t seem to find any others. If anyone has more info please share.

The Importance Of Detection

I received a comment on one of my articles recently about antiviruses being useless and I’d like to talk a bit about that. I personally do not run any antivirus software – not on Linux Ubuntu 12.04 and not on my Windows 8 Release Preview despite the fact that Windows 8 comes with Microsoft Security Essentials by default.

Antiviruses are often considered a staple for security. The average user has an antivirus installed and that’s pretty much the central piece of security for them. It’s simply the most widely used method for security. But a lot of people, especially those with some knowledge about computer security, will tell you that antiviruses are not enough or even, as n=n+1 stated, entirely useless.

Why I Don’t Use Antivirus

I’m one of many users who doesn’t use antivirus software, and not just because I’m on Linux. The fact is that current antiviruses are stupid, the entire basis for their model is “If I don’t know it’s bad, I assume it’s good”, which isn’t inherently wrong but you should never really assume anything is good. It should be “If I don’t know it’s bad, I assume it’s bad and take precautions when running it.” Basically if the AV doesn’t flag the software the software has full access to my /user/ or /home/ folders and can potentially escalate.

Antiviruses are also a bit heavy. New on-access AVs are better about this but compared to other solutions that simply hook specific APIs and otherwise use virtually no resources it’s a lot. Disk and file access goes up and I just like to keep things shaved down.

Every antivirus relies on updates. If your AV isn’t up to date you’re vulnerable, it’s like trying to stay patched except attackers are creating malware 1000x an hour. And heuristics isn’t an answer with the current model, you’re either so low it’s useless or so high you’re bothering the user every 5 seconds with false positives.

Speaking of false positives, they all have them, and as soon as a user gets one single false positive the entire antivirus becomes virtually useless when protecting against social engineering. Social engineering is all about trust and if a user downloaded the file they already trust the file, the antivirus’s job is to be trusted more and every false positive seriously degrades that trust.

Why I Like The Idea

The idea of an antivirus is noble and I believe inherent to a proper security policy (which doesn’t exist currently.) Antiviruses attempt to make decisions about things that users are incapable of. As I said above if a user has downloaded a file that means they trust it. An antivirus tries to get the user to stop trusting it. It’s a good thing, just a horrible horrible implementation that hasn’t gotten better despite years of issues.

Heuristics is necessary for true security. Decision making is inherent to all security because everything comes down to a user’s decisions – visit the website or not, download the file or not, run the file or not, admin rights or not, etc. Users are not (and never ever will be, no matter how much education) capable of making these decisions. Heuristics act on a level that we can not, they can perform code analysis and behavioral analysis and correlate trends in malware with what they see. Our brains are amazing at learning beautiful things, but we’re better at the whole survival and reproduction thing – leave file analysis to the experts.

So while I absolutely think that heuristics is not just important, but necessary, I wouldn’t touch an AV with a ten foot pole right now. They’re useless for a targeted attack, not all that useful even with automated attacks, and generally a pain in the ass.

That said, I also wouldn’t ever tell an average user to turn their AV off. Not on Windows at least.

You Don’t Need An Antivirus With Windows 8

With Windows 8 out a lot of users are wondering whether they need antivirus with Windows 8, or if they need to pay for an antivirus, or do something else entirely. In my opinion if you’ve been paying for an antivirus for Windows XP, Vista, or 7, you can consider cancelling that next subscription if you’re moving to 8. In my last post about Windows 8 security I glossed over Microsoft Security Essentials and I wouldn’t call what I said ‘positive.’ For my quick non-security oriented review of Windows 8 Release Preview click here.

This post will highlight why MSE is the type of antivirus a consumer needs and why it might be the right choice for Windows 8 users.

Microsoft Is Best Suited For The Job

The fact is that Microsoft created Windows. It’s a closed source project and antivirus companies spend a ton of money just trying to figure it out. Microsoft has a massive advantage here. They know what their code is like, they know where there’s most likely to be a hole, they have the ability to “tap” systems with crash reports or opt-in data collection on a level no antivirus company can ever match. They simply have the most data.

The fact that only Microsoft has access to the source code is one major reason why you should be trusting them to secure your system.

Years Of Practice

We’re a long way away from Windows XP. Windows is not so full of holes as it used to be; Vista brought many security mitigation techniques and a new MAC system to the operating system, and Windows 8 expands further on that with new techniques and a new MAC system.

The Windows system has been hacked and torn apart for years and Microsoft has not sat idly by. The company has created new tools such as EMET, which are very effective at what they do. They’ve seriously improved their patch response time and there simply is no comparison between Windows 8 security and Windows XP.

Microsoft has seen years of malware. They know what they’re up against and at this point you’d better believe they know a few ways to fight back.

Reinforced Throughout The Operating System

Microsoft has made it clear that Microsoft Security Essentials is just one layer. Windows 8 also includes SmartScreen, a reputation based heuristics filter that acts system wide to inform and protect users from unknown files that are potentially dangerous. The focus of SmartScreen is on 0day malware and samples that an antivirus might normally not catch.

Where MSE stops SmartScreen begins, picking up slack. Antiviruses are inhibited by their inability to deal with the unknown, something that they will always struggle with. SmartScreen aims to specifically deal with the unknown using heuristics based on file reputation. File reputation essentially checks how “popular” the file is – how many systems it’s been seen on. Only a major company could pull off something like this and Microsoft is absolutely the best company for it – no antivirus can be installed on more Windows systems than exist.

Windows 8 Was Built With MSE In Mind

The fact is that Microsoft didn’t build Windows 8 thinking “let’s create a system that works great with Sophos and McAfee”; they built a system to work with MSE and they built MSE to work with the system. Layered security means understanding which layers are important and which need to be covered, and having full control over every layer leads to a potentially more secure system.

Consistent Heuristic Scores And Low False Positives

AV-Comparatives.com “grades” antivirus software and Microsoft Security Essentials does fairly well. It’s not amazing but it’s not terrible, and that’s fine because it’s reinforced by other areas of Windows. What it is, consistently, is quiet. Heuristics is basically a way of “guessing” something – you use heuristics for spam filters, antivirus, language analysis, anything where you need to guess. Naturally this is going to lead to wrong guesses and in an antivirus’s case that’s a false positive. MSE has very few false positives, often the lowest or second lowest compared to other antiviruses. Almost all of the antiviruses that get higher heuristic detection scores also have tons of false positives (you can see the correlation) and I think that having few false positives is just as important as having high detection rates.

If my AV is constantly telling me that files that I know are good are actually bad I won’t trust it. And when the time comes and the file I think is good is actually bad and my AV alerts me I simply won’t believe it. We’re all familiar with The Boy Who Cried Wolf, same principle here.

So Is Windows 8 Impregnable?

Well, while I’m very pleased that Microsoft has stepped up its security I think there is still need for some setup to get the system closer to where it should be. I still don’t consider Windows 8 to be as secure as my own configured Linux system but there are significant improvements and for the average user I think we can expect things to go smoothly.

Much of what’s in Windows 8 is untested and may not work out well in the real world. I’m optimistic about some features and not so much about others. Time will tell. I’ve had the Windows 8 Developer Preview, Consumer Preview, and now Release Preview all installed so I have a fair bit of experience with it though.

And, of course, as Windows 8 popularity rises so will hackers’ interest in bypassing its features, so it’s still important to take the extra measures and to keep up with patches. MSE has consistently had decent heuristics with low false positives, which I think is very important.

Dealing With Advanced Threats – Where AV Fails

If the Flame malware gets one message to the masses it should be that antiviruses are a failure.

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. [1]

Yeah, no kidding.

The fact is that, at best, a few antiviruses would give a warning about generic heuristic detection for Flame and obviously that wasn’t enough because it’s been around for years. Potentially quite a few years, actually. And it’s not the first, Stuxnet went undetected for some time as well, as did various others.

Antiviruses, in terms of blacklists and heuristics, are actually a necessary part of security. I currently wouldn’t touch a single one of them out there but I appreciate the principle, that I as a human am not capable of knowing whether a file is malicious or not, therefore an AV automates the process on a level only achievable programmatically.

The point is, whether AVs can or can’t be great in some ideal world, the current security solutions aimed at users are not enough and trying to lock a user’s computer down beyond that is impractical with the tools we have been provided with. If we’re ever going to see improvement we need something radically new.

First Reboot Into Safe Mode

I do some informal virus removal type stuff once in a while on various forums and I often come across a topic where the first thing I see is “Reboot into safe mode, run your antivirus.” Obviously this isn’t from one of those cool forums where those guys know how to use all those crazy tools and whatnot, it’s just some guy trying to help and that’s cool, but he is very wrong.

Rebooting isn’t a good idea when you’ve just been infected. It’s one of the worst. Think about how every time you install Windows Updates you need to restart and any time you install a new driver you have to restart. Basically, every time software wants to get deep into the machine you end up restarting.

So does it really make sense to restart?

The fact is, if you haven’t restarted your machine it’s probably going to be fairly simple to remove the malware. 95% of malware executes from your /user/appdata/ folder. I’ve cleaned so many machines just by navigating to that folder, finding what’s out of place, and deleting it. It’s not gonna work every time but if the machine hasn’t been reset and it’s 64bit Windows Vista/7 your chances are very very good.

Registry settings also need a reboot to stick. So before you restart you can (or someone who knows what they’re doing if you don’t) go to your */run and remove potentially malicious stuff. There are also Firewall and AV settings in the registry that a virus might mess with.

Basically…

The first step should never be to reboot. In my opinion the first step is to flip the switch on your internet (prevents information being sent / payloads received) and start deleting what you can. If you have another computer go download an AV to a USB stick and bring it over and run it.