|
Wiggly Wayne DDS posted:Do you have selective hearing, or are just wilfully dense at this point? I don't know, what would replace AV but be really expensive? That's not a viewpoint I've argued. AV is cheap, it's <$5 per box per year for a multi-license of a top-shelf AV (BitDefender/Kaspersky/ESET/F-Prot). My Kaspersky licenses consume less than 1% of a circa-2010 processor and once you get them set they don't ever waste your time, while having top-shelf signature/heuristic rates. I've done and it's caught suspect files every time. I also bought a Malwarebytes lifetime license for $20 a couple years ago and that's my second layer. It ain't expensive.
|
# ? May 2, 2016 06:36 |
|
Paul MaudDib posted:I don't know, what would replace AV but be really expensive? That's not a viewpoint I've argued. Cheap snakeoil is still snakeoil. and like patent medicines, most av is actually worse than doing nothing
|
# ? May 2, 2016 06:36 |
|
Trabisnikof posted:most av is actually worse than doing nothing OK cool, 95% of everything is poo poo. So can we agree that having something in the top 5% is worth something?
|
# ? May 2, 2016 06:38 |
|
Paul MaudDib posted:I actually don't have plat and can't look up where he posts. Unlike the guy from this thread who stalked my posts so he could argue with me in another forum. I just could tell because he's a shitposter. quote:All anti-virus products at their core operate the same and how they all update is as well. Anti-virus typically relies on signatures to know what is potentially malicious from what is not. However, this is its biggest flaw as those signatures can easily be thwarted by malware creators. As such, a determined attacker can easily create 2,000 different copies (in a single day no less) of the same malicious software and that may require the anti-virus vendor to create multiple signatures in order to successfully thwart it. The vendors know this and last year, Symantec admitted that at best they detect up to 45% of threats although there are suggestions that catching any new threats is at best 5% successful. also he wasn't seriously suggesting you install gentoo for your aunt you idiot every single time you post in this thread you make an idiot out of yourself and i'm fairly certain that everyone is tired of it
|
# ? May 2, 2016 06:38 |
|
online friend posted:also he wasn't seriously suggesting you install gentoo for your aunt you idiot Did I misclick into YOSPOS or is this the serious forum for actual advice? The concept that re-encoding malware disrupts detection goes along with the fact that signatures detect bit-patterns in memory/files. But not everything is brand new, and you have heuristics for the stuff that is. (USER WAS PUT ON PROBATION FOR THIS POST)
|
# ? May 2, 2016 06:41 |
|
^ Hint: it was listed as a hyperbolic example along with giving users ipads instead of computers. Learn to read. Paul MaudDib posted:OK cool, 95% of everything is poo poo. So can we agree that having something in the top 5% is worth something? You quote that figure like it matters. The fact is catching 95% (according to a firm funded by AV companies) of old poo poo doesn't help when re-encoding is a service anyone can buy with bitcoin. gently caress you can get pretty far just using msfvenom. But really this: quote:All anti-virus products at their core operate the same and how they all update is as well. Anti-virus typically relies on signatures to know what is potentially malicious from what is not. However, this is its biggest flaw as those signatures can easily be thwarted by malware creators. As such, a determined attacker can easily create 2,000 different copies (in a single day no less) of the same malicious software and that may require the anti-virus vendor to create multiple signatures in order to successfully thwart it. The vendors know this and last year, Symantec admitted that at best they detect up to 45% of threats although there are suggestions that catching any new threats is at best 5% successful.
|
# ? May 2, 2016 06:41 |
|
Oh gee 2000 copies. My computer could create at least 3000. How long does it take to generate a differently-optimized output via any random compiler? Like one optimization step? You could make LLVM dump like a million per hour. And you accuse me of posting breathless clickbait poo poo. Again, that's why we have heuristics. Paul MaudDib fucked around with this message at 06:47 on May 2, 2016 |
# ? May 2, 2016 06:44 |
|
Paul MaudDib posted:Did I misclick into YOSPOS or is this the serious forum for actual advice? jesus christ how do you have such little self-awareness? how has it not occurred to you that maybe, just maybe the person you're arguing with is smarter than you, or at the very least knows a lot more about this poo poo than you do? at what point do you decide that maybe it's time to cut your losses, swallow your pride and just shut up? i guarantee you if you survey security professionals they'll tell you the exact same thing- AV is dead, and the focus has shifted to educating users on how to protect themselves against the myriad threats that they'll come across on a regular basis.
|
# ? May 2, 2016 06:47 |
|
Paul MaudDib posted:Top-tier antivirus software (Kaspersky, BitDefender, etc) consistently picks off 99.9%+ of known threats, 95%+ of unknown threats via heuristics, and 98%+ of malicious sites. That's pretty effective in my book. Paul MaudDib posted:One rule will never catch 99.9% of anything. You're an idiot who's trying to score points by making an impossible request. Paul MaudDib posted:Again, that's why we have heuristics. Here's a post I wrote last year when dealing with a similar argument: OSI bean dip posted:Traditionally, anti-virus works through a few ways: Now please stop it with the heuristics nonsense and if you want to argue in this thread, stop calling people and actually contribute to the conversation because this is in fact not YOSPOS. Hopefully the above was too long for you to read because apparently you've had some trouble reading other things and have assumed I am talking about the NSA here.
|
# ? May 2, 2016 06:49 |
|
online friend posted:jesus christ Probably about the time you post an actual argument that isn't "trust me" or conspiracy theories or some clickbait poo poo. And just for the record, Baxta posted:It's been alleged (but not proven) that NSA put backdoors in Dual_EC_DRBG. For latest news check out the Juniper stuff from last year. This is the only plausible vector that's actually been published. The NSA is not backdooring your AV to get ahold of your grandma's emails. Mass wiretapping and opportunistic decryption, sure, but they can get caught deploying targeted malware or MITMing exactly one time before a security researcher takes them apart.
|
# ? May 2, 2016 06:50 |
|
Paul MaudDib posted:Probably about the time you post an actual argument that isn't "trust me" or conspiracy theories or some clickbait poo poo. nobody's posting conspiracy theories? where are you getting this?
|
# ? May 2, 2016 06:52 |
|
online friend posted:nobody's posting conspiracy theories? where are you getting this? A lack of reading comprehension skills tends to lead to this belief that we're concerning ourselves with the NSA backdooring anti-virus products I guess.
|
# ? May 2, 2016 06:54 |
|
online friend posted:nobody's posting conspiracy theories? where are you getting this? This is literally a conspiracy theory about antivirus. The NSA is not targeting you personally, that is not a realistic threat vector. If they do, there is absolutely nothing you can do to defend against it, they can absolutely deploy something on the level of Equation Group or (hypothetically) BadBios and you will never know it. OSI bean dip posted:https://blog.kaspersky.com/equation-hdd-malware/ However he just made a good post with an actual explanation. Re-encoding does disrupt the signatures that AV looks for. The signatures are there for picking off the low-hanging fruit - most threats are lazy poo poo that's multiple months old and that keeps someone (not naming names but she's my GF) from picking up viruses on streaming sites. For unknown threats we have heuristics - they aren't 100% but they are the best defense against unknown threats. That's the current standard for picking off unknown threats. Shoot me whatever numbers you want from a real-world test, but it's a lot better than nothing. Between MBAM and Kaspersky we haven't had any breaches despite a lot of sketch behavior. Group protections absolutely do work - herd strategies are viable as proved by evolution. If one of us is getting hosed by a virus, find the attacker and mark it as hostile. You may be the first person on the whole internet to encounter a threat, but you're probably not, particularly if you do behave safely on the whole. There are a lot of people on the internet or any given AV platform. A couple million PCs is viable as a perspective onto the world's infection threats. I also think there's extra heuristics to be picked off here via deep learning of the virus code and behavior characteristics too. Paul MaudDib fucked around with this message at 07:07 on May 2, 2016 |
# ? May 2, 2016 07:02 |
|
Paul MaudDib posted:This is literally a conspiracy theory about antivirus. The NSA is not targeting you personally, that is not a realistic threat vector. If they do, there is absolutely nothing you can do to defend against it, they can absolutely deploy something on the level of Equation Group or (hypothetically) BadBios and you will never know it. nobody ever said antivirus is poo poo because the NSA is loving with it antivirus is poo poo because it's poo poo, and it can't detect poo poo Paul MaudDib posted:(not naming names but she's my GF) why did you post this
|
# ? May 2, 2016 07:07 |
|
hey guys [shouting into next room] MY BOYFRIEND just got some adware on his laptop
|
# ? May 2, 2016 07:08 |
|
online friend posted:why did you post this For some reason she refuses to use the Sonarr system I set up, idgi either
|
# ? May 2, 2016 07:09 |
|
For real though I appreciate that antivirus is a layer that can have its own vulnerabilities, but the number of critical vulnerabilities in a given antivirus package is much less than the number of vulnerabilities in software that is corralled within an AV perimeter. There's been like what, 2 escalation or escape attacks within a year? It's probably less than a half-dozen total. Versus how many exploits of software installed on client endpoints? There's what, that one Xen escape, and like one Norton escape that got posted a while back, or something? How many peripheral Windows escalation/escape exploits and poo poo have been discovered within the same timeframe? And how many exploits of random applications? Paul MaudDib fucked around with this message at 07:36 on May 2, 2016 |
# ? May 2, 2016 07:15 |
|
My virus-repelling rock keeps my computer safe, I know it works because I've never seen a computer virus. -- "Heuristic" is literally just a fancy word for a slightly more complex type of signature. They have most of the same drawbacks as signatures, for example "a malicious attacker can just permute their virus a bit until it no longer gets flagged". Talking about how well something defends against "unknown threats" is utter bullshit, and the only way it could conceivably make sense is if you've gone balls-deep into the bacteriophage analogy and literally think that computer viruses are created via evolution and natural selection.
|
# ? May 2, 2016 07:18 |
|
Jabor posted:My virus-repelling rock keeps my computer safe, I know it works because I've never seen a computer virus. No, I've had viruses try before and my girlfriend has as well. Hello logfiles. Jabor posted:"Heuristic" is literally just a fancy word for a slightly more complex type of signature. They have most of the same drawbacks as signatures, for example "a malicious attacker can just permute their virus a bit until it no longer gets flagged". Talking about how well something defends against "unknown threats" is utter bullshit, and the only way it could conceivably make sense is if you've gone balls-deep into the bacteriophage analogy and literally think that computer viruses are created via evolution and natural selection. Well, they can't until they break whatever characteristic the heuristic is looking for. If you just re-encode a given virus it'll still trip most of the same heuristics as the old one. Assuming they worked in the first place.
|
# ? May 2, 2016 07:26 |
|
Paul MaudDib posted:For real though I appreciate that antivirus is a layer that can have its own vulnerabilities, but the number of critical vulnerabilities in a given antivirus package is much less than the number of vulnerabilities in software that is corralled within an AV perimeter. There's been like what, 2 escalation or escape attacks within a year? Versus how many exploits of software installed on client endpoints? It's probably less than a half-dozen total.
|
# ? May 2, 2016 07:26 |
|
Paul MaudDib posted:No, I've had viruses try before and my girlfriend has as well. Hello logfiles. Are you literally running software with known vulnerabilities that known viruses are trying to exploit? While simultaneously telling security professionals that you know better than them about security?
|
# ? May 2, 2016 07:30 |
|
Paul MaudDib posted:For real though I appreciate that antivirus is a layer that can have its own vulnerabilities, but the number of critical vulnerabilities in a given antivirus package is much less than the number of vulnerabilities in software that is corralled within an AV perimeter. There's been like what, 2 escalation or escape attacks within a year? Versus how many exploits of software installed on client endpoints? It's probably less than a half-dozen total. I'm afraid this hasn't been true for at least 5 years, if not a whole lot longer. The problem is that if you're a security person who can write solid, correct, secure code you're in extreme demand and you're not going to stick around at an AV company getting paid trash for boring work. Operating systems have improved extremely since what you learned starting out in tech and they've long surpassed in quality the AV software that claims to protect them.
|
# ? May 2, 2016 07:30 |
|
apseudonym posted:I'm afraid this hasn't been true for at least 5 years, if not a whole lot longer. The problem is that if you're a security person who can write solid, correct, secure code you're in extreme demand and you're not going to stick around at an AV company getting paid trash for boring work. Not disagreeing with you directly but can you provide some comparative numbers on this? Like critical/severe vulnerabilities in client software versus the AV layers?
|
# ? May 2, 2016 07:40 |
|
Paul MaudDib posted:Not disagreeing with you directly but can you provide some comparative numbers on this? Like critical/severe vulnerabilities in client software versus the AV layers? Keep in mind that vulnerability counts are not a great metric for security (1 remote code is as good as 20), what scope are you talking? "The client software" is pretty vague, and you need to kind in mind that most malware doesn't actually need exploits to do anything on a lot of platforms where AV is common (aka Windows). If you'd like details on the AV side of horrible vulns I recommend looking into Project Zero and Tavis Ormandy's continued thrashing of all AV platforms out there, there are many vulns there are demonstrably make the device worse off than if the AV wasn't there at all.
|
# ? May 2, 2016 07:45 |
|
apseudonym posted:Keep in mind that vulnerability counts are not a great metric for security (1 remote code is as good as 20), what scope are you talking? "The client software" is pretty vague, and you need to kind in mind that most malware doesn't actually need exploits to do anything on a lot of platforms where AV is common (aka Windows). Thrashing any given platform doesn't prove that it's more vulnerable than an unthrashed platform. I highly encourage you to consider the medical problem of detection rates of (eg) thyroid nodules versus actual cancerous nodules. A vulnerability is not the same thing as a virus, just the same as a benign nodule is not the same as a cancerous nodule. Not that the things he's finding aren't real, but once a professional goes looking for problems they find them. What he's doing is good, but that doesn't prove that he's finding more in AV relative to other stuff unless he actually looks at the other stuff. Also, like I said - ransomware is a type of virus that advertises the fact that you've been infected. Comparing reported rates of ransomware versus stealth/botnet viruses is not valid either for the same reason. 100% of ransomware users know they have it, <10% of botnet users (probably <1%) know they have it. Also, the fact that Windows is vulnerable is not relevant to AV vulnerabilities (unless they catch it). You were claiming that AV itself exposes extra vulnerabilities - platform vulnerabilities themselves do not count as AV vulnerabilities. Paul MaudDib fucked around with this message at 08:03 on May 2, 2016 |
# ? May 2, 2016 07:54 |
|
This thread was nice and informal but now it sucks.
|
# ? May 2, 2016 07:58 |
|
Paul MaudDib posted:Also, the fact that Windows is vulnerable is not relevant to AV vulnerabilities (unless they catch it). You were claiming that AV itself exposes extra vulnerabilities - platform vulnerabilities themselves do not count as AV vulnerabilities. Perhaps you should actually read the stuff people are asking you to read, because "the AV itself exposes extra vulnerabilities" is literally true and you would be aware of that if you'd even glanced at the linked stuff.
|
# ? May 2, 2016 08:27 |
|
Boris Galerkin posted:This thread was nice and informal but now it sucks. Yep.
|
# ? May 2, 2016 08:49 |
|
Paul MaudDib posted:Well, they can't until they break whatever characteristic the heuristic is looking for. Lol, this is literally what they do, in an automated fashion against multiple AV systems at once. People even offer this as SaaS even.
|
# ? May 2, 2016 09:00 |
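To make the back-and-forth above concrete (the earlier point that a re-encoded copy evades byte signatures but still trips a structural heuristic, and this post's point that attackers simply permute the file until nothing fires, in an automated loop), here is an added toy in Python. It is not code from anyone in the thread or from any AV product. The "malware" is a harmless constructed byte string, the signature and entropy layers are a few lines each, the packer is a SHA-256 keystream XOR with a made-up "XK" stub format, and the mutation loop does what a crypter service automates. The names, the 4.0 bits/byte threshold and the padding step are all assumptions. It goes one step past the thread by also showing the scanner-side answer, unpacking the stub before rescanning, which catches every variant of this one packer but nothing a different packer produces.

```python
"""Added toy scanner and toy crypter for the signature/heuristic argument.

Constructed for illustration only: the "malware" is a harmless byte string,
each detector is a few lines, and the packer is a keystream XOR with a
made-up stub format. No real AV engine, sample or evasion service is modelled.
"""
import hashlib
import math
from collections import Counter
from typing import Optional

MZ = b"MZ"
MARKER = b"BADSAMPLE-MARKER"            # stands in for the byte pattern a vendor signs on
KNOWN_BAD = MZ + b"\x90" * 40 + MARKER  # constructed "known-bad" file

# Layer 1: exact signatures, a file hash and a byte pattern.
SIGNATURE_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest()}
SIGNATURE_PATTERNS = [MARKER]


def signature_match(sample: bytes) -> bool:
    if hashlib.sha256(sample).hexdigest() in SIGNATURE_HASHES:
        return True
    return any(p in sample for p in SIGNATURE_PATTERNS)


# Layer 2: a "heuristic", i.e. a looser structural rule: an MZ header followed
# by a high-entropy body, which is what a packed or encrypted stub looks like.
ENTROPY_THRESHOLD = 4.0  # assumed cut-off, in bits per byte


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_match(sample: bytes) -> bool:
    return sample.startswith(MZ) and shannon_entropy(sample[2:]) > ENTROPY_THRESHOLD


# Toy crypter layout: MZ | "XK" | 2-byte payload length | 16-byte seed | XOR body | padding
STUB = b"XK"


def keystream(seed: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def pack(payload: bytes, seed: bytes, padding: int = 0) -> bytes:
    """Re-encode the payload so no byte of the original survives on disk."""
    body = bytes(a ^ b for a, b in zip(payload, keystream(seed, len(payload))))
    return MZ + STUB + len(payload).to_bytes(2, "big") + seed + body + b"\x00" * padding


def unpack(sample: bytes) -> Optional[bytes]:
    """What an emulating scanner does: recognise the stub and recover the payload."""
    if not sample.startswith(MZ + STUB):
        return None
    n = int.from_bytes(sample[4:6], "big")
    seed, body = sample[6:22], sample[22:22 + n]
    return bytes(a ^ b for a, b in zip(body, keystream(seed, n)))


def scan(sample: bytes, emulate: bool = False) -> list:
    """Return the names of the layers that fired, in order."""
    hits = []
    if signature_match(sample):
        hits.append("signature")
    if heuristic_match(sample):
        hits.append("heuristic")
    if emulate:
        inner = unpack(sample)
        if inner is not None and signature_match(inner):
            hits.append("signature-after-unpack")
    return hits


def mutate_until_clean(payload: bytes, max_tries: int = 64):
    """What a crypter service automates: re-encode, rescan, tweak, repeat until
    every static layer is silent. Here the tweak is a fresh seed plus more
    low-entropy padding, which drags the file's entropy under the threshold."""
    for i in range(max_tries):
        seed = hashlib.sha256(b"seed" + i.to_bytes(2, "big")).digest()[:16]
        candidate = pack(payload, seed, padding=32 * i)
        if not scan(candidate):
            return candidate, i + 1
    return None, max_tries


if __name__ == "__main__":
    print("original          :", scan(KNOWN_BAD))
    packed = pack(KNOWN_BAD, bytes(range(16)))
    print("re-encoded        :", scan(packed), "/ with emulation:", scan(packed, emulate=True))
    evaded, tries = mutate_until_clean(KNOWN_BAD)
    print("after %2d tries    :" % tries, scan(evaded), "/ with emulation:", scan(evaded, emulate=True))
```

Running it shows the three positions in the argument in order: the original trips the signature only; one re-encoding pass evades both hash and pattern but trips the entropy rule; a few more automated tries evade the entropy rule as well, and only unpacking the stub and rescanning the recovered payload still catches it. The obvious next attacker move, a different stub the unpacker does not recognise, is left out on purpose.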
|
we live in a world where "sleep(30)" is enough to bypass a lot of av's attempts at sandboxing, yet that kid who had malwarebytes on a usb stick at school still thinks heuristics is a magic spell paul misspelled reference, your name is a boring word, please stop
|
# ? May 2, 2016 10:31 |
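The sleep remark above is about dynamic analysis having a fixed time budget per sample. Here is an added toy sandbox in Python that shows the mechanism; it is not code from the poster or from any product. A "sample" is a list of (op, arg) tuples rather than real code, the 120-second budget and 600-second sleep are made-up numbers, and the behaviours that yield a verdict are an assumption. It also shows the usual sandbox fix, fast-forwarding sleeps, and the counter-move the text does not mention, a sample that checks whether its clock really advanced.

```python
"""Added toy sandbox with a fixed analysis budget, to show why a leading sleep
blinds it and what sleep-skipping does and does not fix.

Constructed for illustration only: a "sample" is a list of (op, arg) tuples,
not real code, and the budget and sleep lengths are made-up numbers.
"""

BUDGET_SECONDS = 120                          # assumed wall-clock budget per sample
SUSPICIOUS = {"connect", "write_run_key"}     # assumed behaviours that yield a verdict


def run_in_sandbox(program, budget=BUDGET_SECONDS, sleep_policy="wait"):
    """Execute the toy program until the budget is spent; return observed actions.

    sleep_policy:
      "wait"                - honour sleeps; they burn real budget
      "skip"                - return from sleep at once, clock untouched
      "skip_and_fake_clock" - return at once but advance the clock the sample sees
    """
    wall = 0        # seconds the sandbox has really spent
    virtual = 0     # seconds the sample's own clock reports
    observed = []
    for op, arg in program:
        if op == "sleep":
            if sleep_policy == "wait":
                wall += arg
                virtual += arg
            elif sleep_policy == "skip_and_fake_clock":
                virtual += arg
            # "skip": neither clock moves
        elif op == "exit_unless_elapsed":
            if virtual < arg:   # sample notices its sleep was cut short and stays quiet
                break
        else:
            wall += 1
            virtual += 1
            observed.append((op, arg))
        if wall > budget:       # budget blown: analysis stops, whatever came later is unseen
            break
    return observed


def verdict(observed):
    return "malicious" if any(op in SUSPICIOUS for op, _ in observed) else "clean"


# Constructed samples; the address (TEST-NET-2) and key name are placeholders.
PAYLOAD = [("connect", "198.51.100.7:443"), ("write_run_key", "Updater")]
NAIVE = PAYLOAD
SLEEPER = [("sleep", 600)] + PAYLOAD
CHECKING_SLEEPER = [("sleep", 600), ("exit_unless_elapsed", 600)] + PAYLOAD


if __name__ == "__main__":
    samples = [("naive", NAIVE), ("sleeper", SLEEPER), ("checking sleeper", CHECKING_SLEEPER)]
    for name, sample in samples:
        for policy in ("wait", "skip", "skip_and_fake_clock"):
            print(f"{name:17s} {policy:20s} {verdict(run_in_sandbox(sample, sleep_policy=policy))}")
```

The table it prints is the whole argument: the sleeper is "clean" when the sandbox honours sleeps, caught when sleeps are skipped, and "clean" again when the sample checks its clock, until the sandbox also fakes the clock. Each step is cheap for the attacker and a product change for the defender.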
|
We run AV because one client requires the "has antivirus" box ticked if you want to do business with them, and lying about it was probably a step too far.
|
# ? May 2, 2016 11:29 |
|
what's the problem with using AV on idiot computers to quell the flow of blackshades/darkcomet hackforums trojans they try to run. really. it's known that users can't be taught. extremely common trojans like these don't crypt their on disk persistence and they'd be swept up because of this. it exposes them to LPE occasionally but it's not like malware authors are trying to implement that for specific AV vendors when UAC bypasses are way more public and easy. yeah the point I've heard is "users will disable AV just to run it" but that's less the case if they remember uncle jimmy saying that's how they get you. even if they do, hey, maybe they don't next time after you DBAN their poo poo. for idiots it seems like the cost is some LPE issues that nobody's going to give a gently caress about trying to exploit on random idiots while the gain is not being infected by xxxDarkSlayer666xxx but instead someone who put effort into crypting and keeping their botnet in memory w registry persistence. it's better for an idiot to be infected by a professional with a moneymaking agenda than a teenager who just wants to gently caress with ppl tbh
|
# ? May 2, 2016 14:24 |
|
I haven't run AV on my personal machines for about 4 years and have not had any problems. Mostly because in the previous 12 it only ever caught two things. Both of those were direct results of me doing things that I knew full well I shouldn't have been doing. In my experience AV is slow, costs money I would rather spend elsewhere (only $35 for one year of Kaspersky on three machines, but still), and doesn't provide much actual protection. Not being an idiot is far more useful for the security of your machine than any AV ever will be.
Antillie fucked around with this message at 14:28 on May 2, 2016 |
# ? May 2, 2016 14:26 |
|
If you've not paid attention to AV vulns lately we're pointing at zero interaction pre-auth rces to system - not lpes. That or destroying any concept of cert validity. Worse than the disease.
|
# ? May 2, 2016 14:30 |
|
Daman posted:yeah the point I've heard is "users will disable AV just to run it" but that's less the case if they remember uncle jimmy saying that's how they get you. uncle jimmy should just tell people to install their software updates
|
# ? May 2, 2016 15:05 |
|
Wiggly Wayne DDS posted:If you've not paid attention to AV vulns lately we're pointing at zero interaction pre-auth rces to system - not lpes. That or destroying any concept of cert validity. Worse than the disease. Yeah. Like just look at this list of really loving dumb vulnerabilities:
- Remote debugger in TrendMicro left enabled
- Comodo forwards to non-mutable API calls on the host
- Comodo disables aspects of Chrome's sandbox
- TrendMicro has RCE problems
- Kaspersky buffer overflow
And these are just a random sampling of vulnerabilities from that Project Zero page. Or you can see Tavis' Sophail presentation from 2011, which covers issues like XSS in the web protection module amongst others. This presentation is really what started the rabbit hole for him to go down on how loving dumb AV is designed. And lastly we have a bug for Symantec coming our way.
|
# ? May 2, 2016 15:34 |
|
my takeaway is that if you sell a product with the promise of security and it actually makes your computer less secure, it's not worth it if all it does is catch "the low hanging fruit". (if it even does that)
|
# ? May 2, 2016 15:36 |
|
Wells posted:my takeaway is that if you sell a product with the promise of security and it actually makes your computer less secure, it's not worth it if all it does it catch "the low hanging fruit". (if it even does that) the vendor's literal job is to sell you a product, and they do that by giving you numbers that make you feel all warm and fuzzy but don't really have much of a basis in reality if the vendor doesn't sell you a product, they don't get paid
|
# ? May 2, 2016 15:39 |
|
sorry, I'm dumb and meant "buy" instead of "sell". the thing you said is 100% correct e: though the context I was thinking of it wasn't corporate/business, it was w/r/t the idiot family member person. but I guess the same thing applies though to all endpoint consumers of antivirus- if you give them some AV, they're going to be emboldened to open up stupid junk attachments because they think they are being protected. even if the av catches some of them, it won't get all of them. the only real solution is education, but I imagine that's a shitshow too. Wells fucked around with this message at 15:46 on May 2, 2016 |
# ? May 2, 2016 15:43 |
|
the focus has 100% shifted from recommending antivirus to recommending adblockers and the like because, as has been said over and over and over again, there's way too much poo poo for even the best antivirus to catch nowadays "you are your own adversary" is completely true, the worst threat to your security is your own activities AV will catch the relatively benign stuff, like adware, but the poo poo that you actually need to be concerned about is a whole hell of a lot harder to catch i would recommend reading the talos blog (shameless plug) because there's a lot of insanely cool poo poo in there about how modern malware works, and the efforts to detect and block it
|
# ? May 2, 2016 15:46 |