No protection

I disagree here. If you have an understanding of your system, and pay attention to it and good security practices, then yes, you can be reasonably certain that you don't have an infection. You can't be 100% certain, but then you can't with an AV scanner either. Generally, using an AV will lead to a false sense of security more than actually understanding and monitoring your system yourself.

Having an AV scanner will let you know what you don't have, that's something.

 

AV only leads to a false sense of security when you are one of those people who think having an AV makes you secure - i.e. those people who do not have security as a state of mind.

 

Your stance on "understanding and monitoring your system yourself" assumes a complete knowledge of a proprietary system. Now if you said that about Linux or *BSD, I might agree. However, you are talking about Windows; there is no way you can understand it in its entirety unless you happen to work for Microsoft and have had time to review all the code.

 

Further, AV allows you to leverage the experience and expertise of others in "understanding and monitoring your system". Security researchers who have an understanding of viruses, of how Windows works, and of how to defend against viruses on Windows wrote software to do it so they don't have to, so you don't have to. If you choose your own experience and expertise over theirs, then that is your right. Personally I am more than happy to leverage their experience and skills since I have other things to do than go over my system with a fine hairbrush every time I want to use it.

 

 

You are of course 110% correct that security is a state of mind. Now, most users who rely on AV software become dependent on their AV software, which can lead to the wrong behaviour, and a false sense of security. Specifically, if their AV does not detect anything, they will think they are safe. Now, contrast this with someone who knows what they are doing, and is familiar with the system they use and able to detect abnormal behaviour. By having a greater understanding and monitoring their system, they have as good a chance to detect a virus, if not better.

People who rely on their own expertise and understanding become encouraged by the lack of positive detections, which can lead to the wrong behaviour and a false sense of security. Specifically, if they do not detect anything, they will think they are safe. Now, contrast this with someone who is running AV, and understands that not all malware is easily detected. By having a greater understanding and taking a proactive approach to securing their system, they have a much better chance of detecting a virus.

 

The main concern with this approach is specialised types of attack, or infections that could be very hard to detect without specialised software, i.e. a Blue Pill type of scenario or an MBR infection. Typically however, these types of attacks/infections tend to be targeted attacks, rather than viruses, and so an AV will not help anyway. The best defence is user education, not reliance on software.

On the contrary, they come on Sony discs nowadays. The best defence is education and deployment of software tools. Note that I never once advocated relying on AV software alone.

 

Indeed. This comes down to defence in depth. However, instead of needing an AV installed, it's perfectly acceptable to use an online checker every so often.

So you do use AV. Pray tell, how do you know someone hasn't hijacked your HTTP, poisoned your DNS, compromised the website? This is worse than having no AV in my opinion. Every so often you are giving an online checker access to your computer. At least if you had AV which is known to be good, you can keep it that way.

 

To further this, I'm going to attempt to use an analogy involving car maintenance. For people who know nothing about the internals or workings of a car, it's important for us to take it to a mechanic to do regular checkups and maintenance, both for our own safety, and the safety of others on the road. However, if you have a sufficient understanding yourself, there is nothing wrong with maintaining your car yourself. This approach may in fact keep the car in better shape, with fewer problems than semi-regular visits to a mechanic. There is the possibility the self mechanic may miss something, but there is also the possibility a hired mechanic could miss the problem as well. Those who do not know what they're doing and think they do, without taking the car to a mechanic, pose the biggest problem of all.

If you think you have a sufficient understanding yourself, it might be OK maintaining your car yourself. This approach may in fact keep the car in better shape, with fewer problems than semi-regular visits to a mechanic. Or it may not. It may in fact turn the car into a death trap for the driver and the passengers, or shorten the working life of components. There is the possibility of the self mechanic missing something, but the probability of a hired mechanic missing the same thing is much lower. Those who do not know what they're doing and think they do, without taking the car to a mechanic, pose the biggest problem of all... wait, you were actually making the same point I was going to make with this sentence: you should get your car (system) checked over by as many different people (methods) as possible.

 

It can be. It can also be proactive. Generally, I would consider people who simply rely on the AV software to be more complacent than those who bother to learn to understand what's actually happening.

I consider people who simply rely on their own understanding and expertise of the system to be more complacent and arrogant than those who bother to understand what is actually happening, then realise they cannot win an arms race against malware authors single-handed, and call in reinforcements by way of installing, or at least using, AV.

 

If you have security updates applied, are aware of the risks, are able to notice abnormal behaviour etc., then you can deal with threats as they come. The viruses I won't be able to detect won't necessarily be able to be detected by an AV either. On the other hand, I will be able to detect (some) viruses that the AV can't detect. These days, the risk has changed from viruses seeking notoriety to silent installs, for profit. These can be harder to detect, and work much harder not to be detected than viruses of the 90's/early 2000's. With risks such as Conficker and Gumblar, it would seem that being proactive is a greater defence than classic AV software.

If you have security updates applied, are aware of the risks, and are able to notice abnormal behaviour, you are still vulnerable to 0day exploits or those security problems for which the vendor has not released a patch (especially true when running Windows or another proprietary operating system). The viruses you won't be able to detect are more likely detected by AV since it can do a lot more checks and doesn't need to take toilet breaks when monitoring your system. It also works faster so it can look at all the files, etc.

 

I would like to see you detect a virus a modern heuristic-enabled AV can't.

 

I like the last few sentences you wrote. You basically acknowledged that it is much harder to detect malware nowadays, and yet persist in not using whatever tools you have to defend yourself. You also appear to have adopted a false dichotomy: it is either AV or proactive, it is either AV or education. In reality none of these are sufficient by themselves, and they work best together.

Edited by freespace

Having an AV scanner will let you know what you don't have, that's something.

 

AV only leads to a false sense of security when you are one of those people who think having an AV makes you secure - i.e. those people who do not have security as a state of mind.

 

Your stance on "understanding and monitoring your system yourself" assumes a complete knowledge of a proprietary system. Now if you said that about Linux or *BSD, I might agree. However, you are talking about Windows; there is no way you can understand it in its entirety unless you happen to work for Microsoft and have had time to review all the code.

 

Further, AV allows you to leverage the experience and expertise of others in "understanding and monitoring your system". Security researchers who have an understanding of viruses, of how Windows works, and of how to defend against viruses on Windows wrote software to do it so they don't have to, so you don't have to. If you choose your own experience and expertise over theirs, then that is your right. Personally I am more than happy to leverage their experience and skills since I have other things to do than go over my system with a fine hairbrush every time I want to use it.

Having an AV scanner might let you know what you do have.

 

The fact is, most people don't have security as a state of mind, which is why there is such a need for AV in the first place. If you do have security as a state of mind, aside from the massive decrease in risk, in conjunction with a good understanding of the system, then that is just as good, if not better than an AV scanner.

 

Why do you think that reviewing the source code of Windows is relevant to an understanding of the system in the context of detecting viruses? By your logic here, an AV scanner won't be that useful in the first place, if a virus is making use of some specialised APIs.

 

As it is, with a good understanding of Windows, an ability to monitor processes, file handles, file and registry activity, access logs, system integrity etc., you can detect viruses. An AV scanner will not detect a virus that, using a secret API or technique due to the proprietary nature of Windows, is able to avoid detection. On the other hand, actual monitoring of the system will have a better chance.

 

For what it's worth, I am a security researcher. I do have an understanding of viruses, how Windows works, and how to defend against them. I'm only putting forward that a lack of AV software is fine for those who do understand the system. This does not mean they have to be security researchers either. An experienced (senior, 10+ years or so) Windows admin can be just as proficient at detecting a virus.

 

If you're interested in learning more about how Windows works, I heartily recommend the book Windows Internals, the 5th edition of which should be out soon. The strength of AV software is for people who don't know better, for convenience, for management etc. For a personal user who has a detailed understanding, it is not necessary, or advantageous.

 

Out of curiosity, which AV do you run?

 

People who rely on their own expertise and understanding become encouraged by the lack of positive detections, which can lead to the wrong behaviour and a false sense of security. Specifically, if they do not detect anything, they will think they are safe. Now, contrast this with someone who is running AV, and understands that not all malware is easily detected. By having a greater understanding and taking a proactive approach to securing their system, they have a much better chance of detecting a virus.

What? Where are you getting this from? It's a logical fallacy. People who have expertise and a detailed understanding will understand the risks, and will be more vigilant in monitoring. It is this approach which is by its very nature proactive. They are far less likely to have a false sense of security through a better understanding. No, it is indeed the people who rely solely on AV software that become complacent, and that approach is anything but proactive.

 

On the contrary, they come on Sony discs nowadays. The best defence is education and deployment of software tools. Note that I never once advocated relying on AV software alone.

That's a bad example. The Sony incident was well publicised, and easily averted and fixed. This is a case where user education, understanding and awareness would avert that problem, where an AV scanner would very well let it slide. Indeed, many did. I am aware that you have not advocated relying on AV software alone, but your argument above (and I apologise if I have misinterpreted it) seems to imply that you think it makes more sense to let AV software do the brunt of the work. Yet, you've failed to show why it is advantageous, or even necessary, for a user with a detailed understanding to run one.

 

So you do use AV. Pray tell, how do you know someone hasn't hijacked your HTTP, poisoned your DNS, compromised the website? This is worse than having no AV in my opinion. Every so often you are giving an online checker access to your computer. At least if you had AV which is known to be good, you can keep it that way.

Personally? No, I don't. There could conceivably be situations where I may have to. No, I was instead showing that, as per my argument, there is no inherent need to run AV software. Your argument is also flawed here. How can you have AV software which is known to be good? Every AV scanner has viruses it cannot detect. What about 0days? What if someone compromised your system locally? How can you know?

 

Also, why do you think an AV scanner will detect against website compromises and DNS poisoning?

 

If you think you have a sufficient understanding yourself, it might be OK maintaining your car yourself. This approach may in fact keep the car in better shape, with fewer problems than semi-regular visits to a mechanic. Or it may not. It may in fact turn the car into a death trap for the driver and the passengers, or shorten the working life of components. There is the possibility of the self mechanic missing something, but the probability of a hired mechanic missing the same thing is much lower. Those who do not know what they're doing and think they do, without taking the car to a mechanic, pose the biggest problem of all... wait, you were actually making the same point I was going to make with this sentence: you should get your car (system) checked over by as many different people (methods) as possible.

OK... you're making the same argument I made above. You concede that if you have a sufficient understanding, then you can maintain the car yourself, and it may in fact be in better shape. As in my argument, you acknowledge the case that it may not. This would likely be because the self mechanic in that case didn't actually know what they were doing, which is a possibility I raised.

 

Why do you think the probability of a hired mechanic missing something is less than that of a self mechanic? You're a programmer, and from what I gather very skilled at what you do. Now, I don't know your situation, but for the sake of argument, let's assume you are not in fact employed, and a hobbyist. I've come across many developers in industry who really didn't know what they were doing, at all. These people get paid, and trust is placed upon them. In this case, I would trust the hobbyist over the paid professional.

 

There is no reason a self mechanic would do a worse job than a paid mechanic, as long as the self mechanic had a detailed/sufficient understanding. Indeed, as is often the case with computing, hobbyists/students etc can often have a much greater understanding than those who work in the industry. The requirement of understanding is the main basis for my argument, it is in fact the only case in which my argument applies. People who do self maintenance without such an understanding, as we agree, are a much bigger problem.

 

I consider people who simply rely on their own understanding and expertise of the system to be more complacent and arrogant than those who bother to understand what is actually happening, then realise they cannot win an arms race against malware authors single-handed, and call in reinforcements by way of installing, or at least using, AV.

OK....

 

1. I am not talking about people who rely on their own understanding and alleged expertise, but rather people who do have a detailed understanding and expertise, in which case they will understand what is happening, probably a lot better than those who rely on AV software.

2. An AV scanner is not effective against all malware, nor is it intended to be. The second part of your argument refers to malware in general, not viruses.

 

For a rough analogy, which has flaws but should illustrate my point sufficiently...

 

Consider a hobbyist auto collector, with a rare car. I don't know enough about cars, but let's say... a '57 Chevy? If this car is his passion, then he will learn it and understand it better than a run-of-the-mill mechanic. He will understand the slight differences in different noises, the different feels etc., and will have a much better overall understanding and ability to detect problems. What would be gained by taking this car to a mechanic semi-regularly, if that kind of attention was being paid, except if there was a particularly specialised problem that he could not fix alone, the occurrence of which is rare?

 

If you have security updates applied, are aware of the risks, and are able to notice abnormal behaviour, you are still vulnerable to 0day exploits or those security problems for which the vendor has not released a patch (especially true when running Windows or another proprietary operating system). The viruses you won't be able to detect are more likely detected by AV since it can do a lot more checks and doesn't need to take toilet breaks when monitoring your system. It also works faster so it can look at all the files, etc.

 

I would like to see you detect a virus a modern heuristic-enabled AV can't.

OK... that's just rubbish.

 

Your argument that you are still vulnerable to 0day exploits and unpatched vulnerabilities is true for any platform. Now, think about what you're saying. If there is a virus exploiting a 0day vulnerability, then it won't be detected by an AV. When it is, there will likely be a security update made available. If you get exploited via a 0day exploit, then having a detailed understanding of the system will allow you to counter that threat far, far, far better than an AV ever will. This is also ignoring the fact that in general, a 0day exploit will be a targeted attack, and not a virus, in which case an AV becomes moot.

 

I don't think you understand how monitoring a system works. When doing so constantly, it does not require 100% constant attention all of the time. As it is, most AVs will generally be slower when doing a full scan. Someone with a detailed knowledge will be able to pinpoint the virus much quicker. I know, I've done it.

 

I have actually detected viruses that both AVG and Avast failed to detect. I was disappointed with Avast in particular, as I sent them samples and posted messages on their forums, and they failed to acknowledge the threat. Which Avira did, and does. Not all AV scanners will be able to detect all viruses. An expert user will be able to detect many viruses. Given this, there is quite often a crossover where a user may detect a virus, but a given AV will not.

 

I like the last few sentences you wrote. You basically acknowledged that it is much harder to detect malware nowadays, and yet persist in not using whatever tools you have to defend yourself. You also appear to have adopted a false dichotomy: it is either AV or proactive, it is either AV or education. In reality none of these are sufficient by themselves, and they work best together.

I certainly have not adopted a false dichotomy. I'm not sure how you got that. I believe in whatever is best for the situation. For myself personally, and other sufficiently skilled users, proactive would be fine. For most users, an AV and education, so they can one day be proactive. I have nothing against utilising AV as a resource, as it certainly can help. In general, I don't find it to be beneficial, advantageous, or necessary. This does not mean there are not situations where it may be, and in those situations I would use it happily.

Edited by TheSecret

Having an AV scanner might let you know what you do have.

Which is much better than not having a scanner at all.

 

The fact is, most people don't have security as a state of mind, which is why there is such a need for AV in the first place. If you do have security as a state of mind, aside from the massive decrease in risk, in conjunction with a good understanding of the system, then that is just as good, if not better than an AV scanner.

Let's say each of the 3 things: state of mind, understanding, and AV scanner each detect some percentage of malware, and the probability of a malware getting around each is P_s, P_u and P_av respectively.

 

The probability of a malware infecting your computer is now P_s * P_u when you only have security as a state of mind and understanding, and P_s * P_u * P_av when you have all 3. The only case when P_s * P_u is <= P_s * P_u * P_av is when P_av is 1 or greater, which means a malware will have 100% (or better, but it doesn't make sense to have better than 100% success rate) success rate of not being picked up by the AV scanner.

 

Personally I think it is unlikely for P_av to be 1, and if it is 1, I would think P_s and P_u would be 1 as well.

 

Why do you think that reviewing the source code of Windows is relevant to an understanding of the system in the context of detecting viruses? By your logic here, an AV scanner won't be that useful in the first place, if a virus is making use of some specialised APIs.

By detecting hidden APIs that every operating system has, which are possibly not as heavily audited. An AV scanner can maintain a list of known API calls, and red flag unknown ones.

 

As it is, with a good understanding of Windows, an ability to monitor processes, file handles, file and registry activity, access logs, system integrity etc., you can detect viruses. An AV scanner will not detect a virus that, using a secret API or technique due to the proprietary nature of Windows, is able to avoid detection. On the other hand, actual monitoring of the system will have a better chance.

An AV scanner does what you said, and more. One example would be to detect rootkits or hidden processes by looking for discrepancies between results returned by different system calls, because it is likely a rootkit won't replace _all_ the system calls to mask its presence. Monitoring processes, file handles, file and registry access etc. are all useless when the functions that return those results have been compromised. If you did it yourself, you would end up writing your own AV tool, since you can only invoke those system calls by writing a program.

 

For what it's worth, I am a security researcher. I do have an understanding of viruses, how Windows works, and how to defend against them. I'm only putting forward that a lack of AV software is fine for those who do understand the system. This does not mean they have to be security researchers either. An experienced (senior, 10+ years or so) Windows admin can be just as proficient at detecting a virus.

I am curious then - being a security researcher, do your colleagues run AV? What is your company's AV policy?

 

The strength of AV software is for people who don't know better, for convenience, for management etc. For a personal user who has a detailed understanding, it is not necessary, or advantageous.

I respectfully disagree. AV can only improve security, and anyone who has a detailed understanding of malware would know it is a constant arms race a single person cannot hope to win alone.

 

 

Out of curiosity, which AV do you run?

AntiVir on Windows.

 

What? Where are you getting this from? It's a logical fallacy. People who have expertise and a detailed understanding will understand the risks, and will be more vigilant in monitoring. It is this approach which is by its very nature proactive. They are far less likely to have a false sense of security through a better understanding. No, it is indeed the people who rely solely on AV software that become complacent, and that approach is anything but proactive.

I said nothing about relying solely on AV software. I would say thinking you don't need AV because you know what you are doing is, by definition, having a false sense of security. That is because that position can only be claimed by someone who has no doubts about their own ability. Two kinds of people are like that in my opinion: the arrogant and the omniscient.

 

That's a bad example. The Sony incident was well publicised, and easily averted and fixed. This is a case where user education, understanding and awareness would avert that problem, where an AV scanner would very well let it slide. Indeed, many did. I am aware that you have not advocated relying on AV software alone, but your argument above (and I apologise if I have misinterpreted it) seems to imply that you think it makes more sense to let AV software do the brunt of the work. Yet, you've failed to show why it is advantageous, or even necessary, for a user with a detailed understanding to run one.

My argument isn't to let AV do most of the work, my argument is simply to add AV to the list in addition to security as a state of mind and understanding. The Sony incident was well publicised after the fact, and only because they botched it. The example was merely to illustrate how seemingly innocent things can be the carrier of malware.

 

Personally? No, I don't. There could conceivably be situations where I may have to. No, I was instead showing that, as per my argument, there is no inherent need to run AV software. Your argument is also flawed here. How can you have AV software which is known to be good? Every AV scanner has viruses it cannot detect. What about 0days? What if someone compromised your system locally? How can you know?

 

Also, why do you think an AV scanner will detect against website compromises and DNS poisoning?

Ah, I didn't make myself clear. The DNS poisoning and such was meant to say, how can you trust the website that is doing the scan for you.

 

To me, if you run any kind of software to look for malware on your computer, you are running AV software. It doesn't matter if it runs in the background, or you break it out once in a blue moon: you are running it. That's my definition, which I realise might be different to yours, as by my definition you are advocating running AV software, just not continuously.

 

When I say AV software known to be good, I mean one which has not been compromised. If you know your existing setup is good, then you can sign the application with your private key. If you take care when updating and verify signatures, then it continues to be "known to be good". I didn't mean "known to be good" to say "it has 100% detection rate".

 

Continued since I seem to have hit the quote block limit :P

Edited by freespace
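As an added illustration of the cross-view check described in the post above (example code written for this page, not from any poster), the script below collects the process list from two independent sources on Linux: the /proc directory listing and a PID probe via kill(pid, 0), which asks the kernel whether a PID exists without going through /proc at all. A PID that the probe confirms but the listing omits is the kind of discrepancy a process-hiding rootkit leaves behind. Function names and the /proc assumption are mine.

```python
"""Cross-view process enumeration check (added example, Linux assumed)."""
import os


def proc_view():
    """PIDs visible as numeric entries under /proc (view A)."""
    try:
        return {int(name) for name in os.listdir("/proc") if name.isdigit()}
    except FileNotFoundError:  # no /proc on this platform
        return set()


def probe_view(first_pid, last_pid):
    """PIDs in [first_pid, last_pid] that the kernel says exist (view B).

    kill(pid, 0) delivers no signal; it only validates the PID.
    ESRCH (ProcessLookupError) means no such process, while EPERM
    (PermissionError) still means the process exists but belongs to
    another user, so it is counted as alive.
    """
    alive = set()
    for pid in range(first_pid, last_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def cross_view_diff(listed, probed):
    """Compare two views of the same process table.

    Returns (hidden, phantom): PIDs the probe confirms but the listing
    omits, and PIDs the listing shows but the probe cannot find. Both
    should normally be empty; a process exiting between the two snapshots
    is the benign explanation for a stray entry, so re-run before alarming.
    """
    hidden = probed - listed
    phantom = listed - probed
    return hidden, phantom


if __name__ == "__main__":
    listed = proc_view()
    highest = max(listed) if listed else os.getpid()
    hidden, phantom = cross_view_diff(listed, probe_view(1, highest))
    print("alive but missing from /proc:", sorted(hidden))
    print("listed in /proc but not probeable:", sorted(phantom))
```

Probing only up to the highest PID seen in /proc is a shortcut; a thorough check walks the whole range up to the kernel's pid_max, since a hidden process may hold a PID above every listed one.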

Why do you think the probability of a hired mechanic missing something is less than that of a self mechanic? You're a programmer, and from what I gather very skilled at what you do. Now, I don't know your situation, but for the sake of argument, let's assume you are not in fact employed, and a hobbyist. I've come across many developers in industry who really didn't know what they were doing, at all. These people get paid, and trust is placed upon them. In this case, I would trust the hobbyist over the paid professional.

The possibility of 2 people missing the same problem is smaller than the possibility of each person missing the problem individually.

 

There is no reason a self mechanic would do a worse job than a paid mechanic, as long as the self mechanic had a detailed/sufficient understanding. Indeed, as is often the case with computing, hobbyists/students etc can often have a much greater understanding than those who work in the industry. The requirement of understanding is the main basis for my argument, it is in fact the only case in which my argument applies. People who do self maintenance without such an understanding, as we agree, are a much bigger problem.

There is no reason a paid mechanic would do a worse job, as long as the paid mechanic had a detailed/sufficient understanding.

 

My argument is that regardless of your level of understanding or proficiency, having an AV can only help, not harm, your security.

 

1. I am not talking about people who rely on their own understanding and alleged expertise, but rather people who do have a detailed understanding and expertise, in which case they will understand what is happening, probably a lot better than those who rely on AV software.

So you're saying everyone who relies on their own expertise and gets infected has "alleged" expertise, but those who don't "do have a detailed understanding and expertise"?

 

If so, I refer you to the logical fallacy of No True Scotsman.

 

2. An AV scanner is not effective against all malware, nor is it intended to be. The second part of your argument refers to malware in general, not viruses.

I guess you haven't installed any AV recently. Antivir for one states it will look for more than viruses and will detect rootkits, jokes, "unusual compression techniques", etc.

 

For a rough analogy, which has flaws but should illustrate my point sufficiently...

 

Consider a hobbyist auto collector, with a rare car. I don't know enough about cars, but let's say... a '57 Chevy? If this car is his passion, then he will learn it and understand it better than a run-of-the-mill mechanic. He will understand the slight differences in different noises, the different feels etc., and will have a much better overall understanding and ability to detect problems. What would be gained by taking this car to a mechanic semi-regularly, if that kind of attention was being paid, except if there was a particularly specialised problem that he could not fix alone, the occurrence of which is rare?

Unless this hobbyist has all the tools a mechanic has for detecting problems, then the answer is simple: the mechanic can detect problems the hobbyist can't, because he has tools which the hobbyist doesn't. If the hobbyist has the same tools, then you have a mechanic whose hobby is to collect rare cars.

 

OK... that's just rubbish.

 

Your argument that you are still vulnerable to 0day exploits and unpatched vulnerabilities is true for any platform. Now, think about what you're saying. If there is a virus exploiting a 0day vulnerability, then it won't be detected by an AV. When it is, there will likely be a security update made available. If you get exploited via a 0day exploit, then having a detailed understanding of the system will allow you to counter that threat far, far, far better than an AV ever will. This is also ignoring the fact that in general, a 0day exploit will be a targeted attack, and not a virus, in which case an AV becomes moot.

Not true. With heuristics you can detect some 0days because they are similar to existing exploits. Example: if some 0day author was lazy enough to reuse shellcode, but via a new injection vector, an AV can pick up on the shellcode and detect it, even though it has never seen this particular virus before.

 

I don't think you understand how monitoring a system works. When doing so constantly, it does not require 100% constant attention all of the time. As it is, most AVs will generally be slower when doing a full scan. Someone with a detailed knowledge will be able to pinpoint the virus much quicker. I know, I've done it.

Antivir will scan all files on read/write; it is monitoring your system for you 100% of the time. Further, that you have done it before only means that in that specific instance you were quicker than AV. It doesn't mean you are still quicker than AV. Further, how many times has the AV been faster?

 

I have actually detected viruses that both AVG and Avast failed to detect. I was disappointed with Avast in particular, as I sent them samples and posted messages on their forums, and they failed to acknowledge the threat. Which Avira did, and does. Not all AV scanners will be able to detect all viruses. An expert user will be able to detect many viruses. Given this, there is quite often a crossover where a user may detect a virus, but a given AV will not.

And how many times have AVG and Avast detected viruses you failed to detect? I would expect there is a crossover where a given AV will detect a virus, but a user won't.

 

I certainly have not adopted a false dichotomy. I'm not sure how you got that. I believe in whatever is best for the situation. For myself personally, and other sufficiently skilled users, proactive would be fine. For most users, an AV and education, so they can one day be proactive. I have nothing against utilising AV as a resource, as it certainly can help. In general, I don't find it to be beneficial, advantageous, or necessary. This does not mean there are not situations where it may be, and in those situations I would use it happily.

I got the impression you have adopted a false dichotomy because you continue to say things along the lines of "but a person with detailed understanding would do so much better than AV", which suggests you see the choice as either detailed understanding, or AV.

 

The way I see it, a person with detailed understanding and AV is better off than a person with detailed understanding and no AV, which is also my argument.

 

I also should study, not debate online :P

Edited by freespace


I run AV-less and haven't had a problem.

 

Though I once tried infecting an x64 install and the virus wouldn't work, based on system variables it went to one system directory and tried to load from a different one.

 

Though I do run ClamWin for when I download stuff to scan it, but I don't run performance sucking live protection.

 

The last time I had a problem, Windows Defender &/or Windows Malicious Software Remover thingy did the job.

Edited by Athiril


For what it's worth, I am a security researcher. I do have an understanding of viruses, how windows works, and how to defend against them. I'm only putting forward that a lack of AV software is fine for those who do understand the system.

Just for shits and giggles I have a couple of rather simple questions for you that I have faith you will answer without googling:

 

To what registry key should one add a value in order to have a "bad executable" start on boot?

 

What Win32 API calls are used to perform DLL injection?

 

Rob.


Which is much better than not having a scanner at all.

Not necessarily, since with the proactive approach, you can know what have just as well.

 

Let say each of the 3 things: state of mind, understanding, and AV scanner each detect some percentage of malware, and the probability of a malware getting around each is P_s, P_u and P_av respectively.

 

The probability of a malware infecting your computer is now P_s * P_u when you only have security as a state of mind and understanding, and P_s * P_u * P_av when you have all 3. The only case when P_s * P_u is <= P_s * P_u * P_av is when P_av is 1 or greater, which means a malware will have 100% (or better, but it doesn't make sense to have better than 100% success rate) success rate of not being picked up by the AV scanner.

 

Personally I think it is unlikely for P_av to be 1, and if it is 1, I would think P_s and P_u would be 1 as well.

I don't really see the usefulness of your logic here as applying to the real world, since the probabilities you define are going to fluctuate wildly depending on each particular piece of malware. Generally, given someone with a sufficient understanding, P_s * P_u can be equivalent to P_s * P_u * P_av. My point is, why add in P_av if it's not necessarily advantageous or beneficial?

 

By detecting hidden APIs that every operating system has, which are possibly not as heavily audited. An AV scanner can maintain a list of known API calls, and red flag unknown ones.

Indeed...I still don't see why you think reviewing the source code of windows is necessary for detecting viruses, or why you feel the above is not possible without an AV scanner..., you may want to take a look at some of the Sysinternals set of tools.

 

An AV scanner does what you said, and more. One example would be to detect rootkits or hidden processes by looking for discrepancies between results returned by different system calls, because it is likely a rootkit won't replace _all_ the system calls to mask its presence. Monitoring processes, file handles, file and registry access etc are all useless when the functions that return those results have been compromised. If you did it yourself, you would end up writing your own AV tool, since you can only invoke those system calls by writing a program.

What you have said is somewhat true for kernel level rootkits, however you wouldn't use an AV to detect one anyway. Usermode rootkits, generally relying on DLL injection, definitely do not require an AV to detect, nor are they the best tool for the job. I refer you again to the Sysinternals set of tools. I would never want to rely on an AV to detect a rootkit. It's worth noting, a lot of AV software these days has additional program components for detecting rootkits, which is quite a way away from just having an AV installed.

 

I am curious then - being a security researcher, do your colleagues run AV? What is your company's AV policy?

Well, we were only talking about personal use on a personal machine, right?

 

We run Debian on the work stations, AV on the servers, and windows in a virtual machine without AV.

 

I respectfully disagree - AV can only improve security, and anyone who has a detailed understanding of malware would know it is a constant arms race a single person can not hope to win alone.

An AV will not necessarily improve security at all. This assertion is false. It has nothing to do with trying to win an arms race, but simply by having a good understanding of the system and following good security practices. I concede that in some situations, an AV can improve security, but the frequency of such a situation occurring is proportional to the level of understanding and proficiency of the user.

 

I said nothing about relying solely on AV software. I would say thinking you don't need AV because you know what you are doing is by definition, having a false sense of security. That is because that position can only be claimed by some one who has no doubts about their own ability. Two kinds of people are like that in my opinion: the arrogant and the omniscient.

OK. You run AV on your gaming machine. How often do you actually check and monitor your system, as opposed to just letting AntiVir handle the job? My position is not to be claimed by one who has no doubts, only by people who have sufficient understanding. Quite a big difference. I'm not sure why you would consider people with a sufficient understanding to be arrogant and/or omniscient.

 

My argument isn't to let AV do most of the work, my argument is simply to add AV to the list in addition to security as a state of mind and understanding. The sony incident was well publicised after the fact, and only because they botched it. The example was to merely illustrate how seemingly innocent things can be the carrier of malware.

It doesn't matter that they botched it, it would have been found. Because of people being proactive. In your example, of the sony rootkit, are you aware it was not detected by AV software?

 

Perhaps to settle this argument, you could do me a favour. AntiVir has the highest detection rates according to independent testing, so perhaps you could find say...5 examples of viruses that AntiVir would detect, that a human with a sufficient and detailed understanding would be unable to?

 

Ah, I didn't make myself clear. The DNS poisoning and such was meant to say, how can you trust the website that is doing the scan for you.

 

To me, if you run any kind of software to look for malware on your computer, you are running AV software - doesn't matter if it runs in the background, or you break it out once a blue moon - you are running it. That's my definition, which I realise might be different to yours, as by my definition, you are advocating running AV software, just not continuously.

I would trust the website doing the scan for me by authenticating its SSL certificate (assuming it has one, which they tend to).

 

OK, that's a big difference. I don't consider any kind of software to look for malware to be AV software. I guess under your definition you would consider something like spybot to be an AV? My argument has only ever been that I see no need to run a traditional AV locally and continuously. There are certainly situations where it may be advisable to run AV software, as per my mechanic example.

 

 

The possibility of 2 people missing the same problem is smaller than the possibility of each person missing the problem individually.

Indeed...but then it comes down to the factors involved, and the actual chances of the more knowledgeable person missing a problem.

 

Using your argument however, surely you would be well advised to take your pc to a repair shop for a checkup every so often? It's another set of eyes, another chance to detect etc...

 

Quote limit indeed...
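The "discrepancies between different system calls" rootkit check quoted above, as an added example that is not part of this thread or of any AV product: it collects the process table through two independent kernel interfaces and reports PIDs that one interface still sees while the other cannot. It is written against Linux /proc (readdir versus a direct stat sweep) purely for illustration; the Windows tools discussed in the thread do the same kind of comparison with different APIs. The PID cap and the view names are assumptions made for the demo.

```python
import os

# Added example (not from the thread): the "cross-view" rootkit check quoted
# above, built on Linux /proc for illustration. The two views are assumptions
# about where a discrepancy can show up, not a description of any rootkit.


class ProcListingView:
    """View 1: PIDs taken from readdir() on /proc, the interface that ps and
    most monitoring tools rely on, and therefore the one a rootkit hooks first."""

    name = "readdir(/proc)"

    def snapshot(self):
        return {int(entry) for entry in os.listdir("/proc") if entry.isdigit()}

    def contains(self, pid):
        return pid in self.snapshot()


class DirectProbeView:
    """View 2: stat() every candidate PID directly instead of listing the
    directory. A hook that only filters directory entries still answers these
    lookups, and that is exactly the discrepancy the check looks for."""

    name = "stat(/proc/<pid>)"

    def __init__(self, max_pid):
        self.max_pid = max_pid

    def contains(self, pid):
        try:
            os.stat(f"/proc/{pid}")
        except (FileNotFoundError, ProcessLookupError):
            return False
        return True

    def snapshot(self):
        return {pid for pid in range(1, self.max_pid + 1) if self.contains(pid)}


def cross_view_hidden_pids(views):
    """Compare several views of the process table.

    Returns {pid: [names of the views that cannot see it]} for every PID that
    at least one view sees and at least one view does not. Each candidate is
    re-checked live in every view, so a process that merely exited or started
    between two snapshots (a race, not concealment) is not reported.
    """
    snapshots = {view.name: view.snapshot() for view in views}
    candidates = set().union(*snapshots.values())
    hidden = {}
    for pid in sorted(candidates):
        visible_now = {view.name: view.contains(pid) for view in views}
        if not any(visible_now.values()):
            continue  # gone from every view: the process simply exited
        # Flag a view only if it missed the PID both in its snapshot and now.
        missed = [name for name, seen in visible_now.items()
                  if not seen and pid not in snapshots[name]]
        if missed:
            hidden[pid] = missed
    return hidden


def default_max_pid(cap=65536):
    """Upper bound for the probe sweep: the kernel's pid_max, capped (an
    assumption for the demo) so it stays quick; a real sweep uses the full range."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return min(int(fh.read()), cap)
    except OSError:
        return cap


if __name__ == "__main__":
    views = [ProcListingView(), DirectProbeView(default_max_pid())]
    report = cross_view_hidden_pids(views)
    if not report:
        print("no discrepancies between process views")
    for pid, missed_by in report.items():
        print(f"pid {pid} is invisible to: {', '.join(missed_by)}")
```

A clean system reports no discrepancies; a PID that the direct probe finds but readdir never lists is the signature a listing-filter rootkit leaves behind, and the live re-check keeps short-lived processes from producing false hits.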


There is no reason a paid mechanic would do a worse job, as long as the paid mechanic had a detailed/sufficient understanding.

 

My argument is that regardless of your level of understanding or proficiency, having an AV can only help, not harm, your security.

Well, that's the thing. I wouldn't be confident the mechanic necessarily had a detailed/sufficient understanding. I don't think that is always the case, given that(from what I know) the mechanic trade has no kind of official accreditation program, nor does the IT industry. If I go to a doctor or lawyer, I can be reasonably sure they do have a sufficient and detailed understanding.

 

It should be noted your argument only applies to a good AV, as opposed to just an AV.

 

My argument that is given a sufficient and detailed understanding, running AV has no noticeable benefit, except in rare situations.

 

So you're saying everyone who relies on their own expertise and gets infected has "alleged" expertise, but those who don't are "do have a detailed understanding and expertise"?

 

If so, I refer you to the logical fallacy of No True Scotsman.

Ahh, no, that is not what I am saying at all.

 

There are people who consider themselves to have a sufficient understanding and expertise, when this is not the case. These people, due to the false sense of security and lack of AV software are more likely to get infected. This is distinct from people who do have a sufficient understanding and expertise and happen to get infected.

 

Sorry for not being clear.

 

I guess you haven't installed any AV recently. Antivir for one states it will look for more than viruses and will detect rootkits, jokes, "unusual compression techniques", etc.

I install AV for clients on a semi regular basis..., I simply said that an AV scanner is not effective against all malware, nor is it intended to be. I think Avira is a very impressive piece of software, but it's going to miss things that Spybot or Rootkit Revealer will pick up instead, being more specialised for the job. Using specialised software tends to beat using a general cover-all approach, which is why I prefer AVs for detecting viruses, not for malware in general.

 

Unless this hobbyist has all the tools a mechanic has for detecting problems, then the answer is simple: the mechanic can detect problems the hobbyist can't, because he has tools which the hobbyist doesn't. If the hobbyist has the same tools, then you have a mechanic whose hobby is to collect rare cars.

Why would a mechanic necessarily have more tools than the hobbyist? Considering the hobbyist is still a mechanic, just not as a profession...

 

Not true. With heuristics you can detect some 0days because they are similar to existing exploits. Example: if some 0day author was lazy enough to reuse shellcode, but via a new injection vector, an AV can pick up on the shellcode and detect it, even though it has never seen this particular virus before.

That's a good point. I still would consider this to be a very unlikely possibility. Do you have an example of this happening?

 

Antivir will scan all files on read/write, it is monitoring your system for you 100% of the time. Further, that you have done it before, only means in that specific instance you were quicker than AV. It doesn't mean you are still quicker than AV. Further, how many times has the AV been faster?

I'm not sure I understand your question. I was talking about doing a full scan, not on-access monitoring. If you rely on on-access monitoring without doing a full system scan, then your argument for using an AV becomes less valid.

 

And how many times have AVG and Avast detected viruses you failed to detect? I would expect there is a crossover where a given AV will detect a virus, but a user won't.

Indeed, I've only attempted to detect the virus when I knew something was fishy and the AV software failed. This does not mean that had the AV software failed to detect it, so too would a sufficiently skilled user.

 

For the purposes of this debate, I propose we take user from now on to mean a sufficiently skilled user with sufficient expertise, unless referring to an unskilled user...

 

I got the impression you have adopted a false dichotomy because you continue to say things along the lines of "but a person with detailed understanding would do so much better than AV", which suggests you see the choice as either detailed understanding, or AV.

 

The way I see it, a person with detailed understanding and AV is better off than a person with detailed understanding and no AV, which is also my argument.

 

I also should study, not debate online :P

It's important to understand my point.

 

A person with a detailed understanding and expertise, taking a proactive approach, will be better than someone only relying on an AV. I don't see the choice as either detailed understanding or AV. Indeed, a person with a proactive approach and an AV will in some instances be better off. I just think that those instances are rare, and not enough to warrant the running of an AV.

 

You seem to have security as a state of mind. Without knowing how proactive you are, it's probably safe to assume you follow good security practices..keeping updated and such. How many viruses have you gotten, that AntiVir has detected?

 

I should be doing work instead of debating online...aye :P

 

Just for shits and giggles I have a couple of rather simple questions for you that I have faith you will answer without googling:

Do your own damn homework.

Edited by TheSecret


An AV will not necessarily improve security at all. This assertion is false.

Words can not express how wrong this is. I don't think a fist to the face could even express it properly :P

 

If you are willing to take on the risk (as I am) of not running an AV due to your mindsets and knowledge set then all the power to you, but surely you're not a terribly good "security researcher" if you really believe what you are saying.

 

Oh, and I can answer the first question off the top of my head (although I'm not quite certain which way the brackets go :P) HKLM\Software\Microsoft\Windows\Current Version\Run.

 

As for the second question, while I have quite a few code examples sitting on my hard drive (including one extraordinary one that accomplishes it in VB6) I do not know the API calls off the top of my head. To claim to be a "security researcher" and not know these simple mechanisms of execution leaves me somewhat surprised, though.

 

Rob.


Words can not express how wrong this is. I don't think a fist to the face could even express it properly :P

 

If you are willing to take on the risk (as I am) of not running an AV due to your mindsets and knowledge set then all the power to you, but surely you're not a terribly good "security researcher" if you really believe what you are saying.

 

Oh, and I can answer the first question off the top of my head (although I'm not quite certain which way the brackets go :P) HKLM\Software\Microsoft\Windows\Current Version\Run.

 

As for the second question, while I have quite a few code examples sitting on my hard drive (including one extraordinary one that accomplishes it in VB6) I do not know the API calls off the top of my head. To claim to be a "security researcher" and not know these simple mechanisms of execution leaves me somewhat surprised, though.

 

Rob.

If you believe that my stance is wrong, then words can express how wrong it is. That's what they do. So go ahead, give it a try, considering I'm talking about a specific instance and context. Additionally, you are mistaking not needing to prove anything to you, with not knowing the answers to the questions you posed. This would seem to be a decent indication of your reasoning skills.

Edited by TheSecret


If you believe that my stance is wrong, then words can express how wrong it is. That's what they do. So go ahead, give it a try, considering I'm talking about a specific instance and context.

Perhaps this might be a better way to tackle this particular point... suggest to me a scenario, and I'll tell you how AV will necessarily [sic] improve security.

 

Additionally, you are mistaking not needing to prove anything to you, with not knowing the answers to the questions you posed. This would seem to be a decent indication of your reasoning skills.

I'll leave that up to the readers :P

 

Rob.


I agree with Freespace. No matter how much you know about your system, you're never going to know enough to protect yourself properly. Some of the leading security experts in the world run an AV program, on top of complex sandboxes and VM setups. They know more than anyone else how security on Windows works, so if they're going to that extent, there's probably a good reason why! For example, Steve Gibson. This guy knows his shit, and has been in the industry for many years. I believe he has his own netcasts that you might want to listen to, they're very informative.

Edited by .:Cyb3rGlitch:.


Perhaps this might be a better way to tackle this particular point... suggest to me a scenario, and I'll tell you how AV will necessarily [sic] improve security.

  • Windows 2008 server, used as a desktop system.
  • All current security updates applied.
  • A guest account is used.
  • An excellent knowledge of the system
  • Regular monitoring, alerts set in place
  • No untrusted software is consciously installed

For starters...

 

For example, Steve Gibson. This guy knows his shit, and has been in the industry for many years. I believe he has his own netcasts that you might want to listen to, they're very informative.

No, he does not. The guy is full of shit, and considered so by most people actually in the security industry.

Edited by TheSecret


*blinks*

 

If a zero-day exploit came along (or even just code that exploits a hole that a developer hasn't released a patch for yet, as seems to be the case all-too-often), and was packaged with detectable malicious code, you really don't think that machine would be compromised?

 

Heck, even with undetectable code, the AVs will publish detection code likely before the analysts have even figured out the exploit's mechanism of action. (Especially if the analysts don't even know how dll injection works :P)

 

I can honestly say I wasn't expecting much, but I was expecting better than that :P At the very least I was expecting an offline machine, and that would've been easy enough to throw to shit :P

 

Rob.


Of course there is a chance my machine could be compromised. The point is, in the case you describe, an AV will not prevent this. I'm still waiting for you to show that an AV will necessarily improve security, for the configuration I gave. Why do you think an AV will necessarily have detection code before an analyst figures out how it works? You may want to check that line of reasoning....

 

As a great example, if you check the OS X Security thread in the Apple section, and take note of the unpatched Java vulnerability, perhaps you can explain how an AV could help protect against that? As it is, my configuration does....

Edited by TheSecret


Of course there is a chance my machine could be compromised. The point is, in the case you describe, an AV will not prevent this. I'm still waiting for you to show that an AV will necessarily improve security, for the configuration I gave.

You're right, I did a terrible job of making a point there.

 

Firstly, while the exploit itself might be 0-day, there is a large chance that the malicious code will not be, and failing that there is a further chance that it mimics existing code in such a way that it will be picked up by AV in a jiffy.

 

There we go, I've given you a specific scenario in which your machine was compromised and using AV would have eliminated that risk. If you ran AV there would be no chance that attack would get through.

 

Are you willing to accept that you were 100% unequivocally wrong in saying that "An AV will not necessarily improve security at all. This assertion is false."?

 

Rob.


Can you give an example of the situation you have described? Known malicious code combined with a 0day exploit being detected by an AV?

 

Would it be a remote or local exploit? Root, user or DOS? There are quite a few things which may affect if it would in fact be detected by an AV, for my given configuration.

Edited by TheSecret


Can you give an example of the situation you have described? Known malicious code combined with a 0day exploit being detected by an AV?

Lol, really? I'm rather stumped that you'd actually require this. Perhaps I'll just give in to your unique take on reality (:P), abandon that event, and suggest another one?

 

Master_Scythe gave a scenario in which the MSY website was compromised with malicious code that his AV picked up. Would your set up not succumb to such an attack?

 

Rob.


I don't believe the situation you described is realistic. If it is, it shouldn't be too hard for you to provide an example, right?

 

And no, my setup would not be susceptible to the situation described by Master_Scythe.

 

The trojan in question was Asprox, and the necessary files would not have been able to be created. Got another example?

 

Perhaps this might be a better way to tackle this particular point... suggest to me a scenario, and I'll tell you how AV will necessarily [sic] improve security.

I'm still waiting.....

Edited by TheSecret


The trojan in question was Asprox, and the necessary files would not have been able to be created.

You didn't state it as as explicit as I would have liked, but I still can't help but feel that you've taken it hook line and sinker :P

 

I'm sure that you were meaning that the files would not have been created because you were running as an ordinary user, right?

 

The issue is, mate, whatever browser you were running relies heavily on Microsoft's libraries and APIs.

 

So unless you are going to prove to me that Microsoft's libraries and APIs are not susceptible to an escalation of privileges attack you've kind of been blown out of the water, as it was just dumb luck that that's not the type of attack the black hats had access to here. This is the type of thing I would have expected a "security researcher"* to have picked up on.

 

(Just how much do you regret claiming to be a security researcher? :P)

 

Rob.

Edited by robzy


Rob,

 

I think you're showing a major lack of understanding here. You're mixing up two types of separate attacks, and assuming the presence of one implies the presence of the other. This is not the case. Feel free to show an example of an exploit/virus etc that would affect my setup, and that an AV would successfully prevent/stop.

 

Otherwise, I think you have to admit that your claim of being able to show how an AV will necessarily improve security for a scenario I give was false, and reliant on hypothetical scenarios. Once again, feel free to give any actual examples. Just one would do it....

 

As it is, I concede that there are cases where running an AV will improve security within the bounds of my argument. This is not the same thing as necessarily improving security.

 

As an aside, it's worth noting that in the Deloitte Global Security Survey from 2006, 99% of the respondents were using AV and 63% had external breaches, with 31% having internal breaches. I had no breaches, and I know that other people who take the same approach that I do, a few of which are on this board, also have had no breaches. It's not conclusive, but it is interesting.

 

As another aside on the Sony DRM rootkit, and the effectiveness of AV's, here is Schneier's take on it.

 

http://erratasec.blogspot.com/2007/04/ani-...-detection.html

 

0 day detected due to known malicious code, so it is in fact possible. While snort is IDS, there is no reason why "traditional" AV can't do it as well.

 

Kudos to freespace for referring me to this!

That is not an example. That would not affect my setup, and furthermore, I could not find evidence that it would be detected by an AV before a patch was released.

 

Actually, McAfee were able to detect it from the 29/03/07 while the patch was released on the 03/04/07. Which would have been a good example, had it been able to affect my setup.

Edited by TheSecret


As an aside, it's worth noting that in the Deloitte Global Security Survey from 2006, 99% of the respondents were using AV and 63% had external breaches, with 31% having internal breaches. I had no breaches, and I know that other people who take the same approach that I do, a few of which are on this board, also have had no breaches. It's not conclusive, but it is interesting.

Lmfao. Do you really not understand what I am saying THAT much?

 

That does nothing to further your claim that "An AV will not necessarily improve security at all. This assertion is false." Because that study does nothing to show that if they were not running AV their breaches would show the same figures. And the fact that you, a single tiny statistic, had no breaches means absolutely zero.

 

While I would love to accuse you of being thick for bringing such statistics into the mix I am fairly sure that you've done it as a diversionary tactic. To prevent it from working I will not be replying to any response on this particular issue. We have much more pressing things to discuss.

 

I think you're showing a major lack of understanding here. You're mixing up two types of separate attacks, and assuming the presence of one implies the presence of the other.

You're full of laffs today :P Let me break it down for you...

 

What if the attack was just as MasterS described, except they had found an esc-of-priv instead of whatever they actually used? I eagerly await your explanation as to why your system is not vulnerable to a 0day esc-of-priv attack :P

 

Surely now you're ready to admit what is slowly (but surely :P) becoming the idiocy of "An AV will not necessarily improve security at all. This assertion is false." is bollocks? :P

 

Rob.


Lmfao. Do you really not understand what I am saying THAT much?

 

That does nothing to further your claim that "An AV will not necessarily improve security at all. This assertion is false." Because that study does nothing to show that if they were not running AV their breaches would show the same figures. And the fact that you, a single tiny statistic, had no breaches means absolutely zero.

 

While I would love to accuse you of being thick for bringing such statistics into the mix I am fairly sure that you've done it as a diversionary tactic. To prevent it from working I will not be replying to any response on this particular issue. We have much more pressing things to discuss.

I said it was interesting, not conclusive. In the overall number of windows users, the subset sufficiently skilled enough not to need an AV probably is very small.

 

I did not put it forward as a diversionary tactic, I just thought it was interesting. If it shows anything, it's that education is far more important than simply running an AV.

 

How about showing me an actual non hypothetical example where my setup will be affected, and where an AV would have necessarily improved security?

 

What if the attack was just as MasterS described, except they had found an esc-of-priv instead of whatever they actually used? I eagerly await your explanation as to why your system is not vulnerable to a 0day esc-of-priv attack :P

I did not say my system is not vulnerable to a 0day privilege escalation attack, at all. Perhaps you could explain how an AV will have helped in this hypothetical instance?

 

I find it quite amusing that for all your veiled insults, you have to rely on hypothetical examples, being unable to produce a single example of an instance where my system could be affected, and that an AV would have prevented.

 

An AV can improve security. It will not necessarily improve security. It's a distinction you have yet to understand.


What if the attack was just as MasterS described, except they had found an esc-of-priv instead of whatever they actually used? I eagerly await your explanation as to why your system is not vulnerable to a 0day esc-of-priv attack :P

I did not say my system is not vulnerable to a 0day privilege escalation attack, at all. Perhaps you could explain how an AV will have helped in this hypothetical instance?

Because even if they get the privs to execute the code, an AV will recognise the code as malicious and prevent it being executed.

 

Do you now see the error in saying "An AV will not necessarily improve security at all. This assertion is false."?

 

Rob.
