Firewall Wizards mailing list archives
Re: Antivirus vendor conspiracy theories
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 2 Dec 2004 23:09:23 +0530
On 28/11/04 10:57 +0100, Ben Nagy wrote:

Apologies for the late reply on this, but I have been away from the computer for a bit.
> -----Original Message-----
> [MHawkins] Antivirus vendors have painted themselves into their own conspiracy-theoried corner by purveying a product that is based on technology that is purely reactive, and for the last ten years they've used one method of protection, thereby enabling other attack vectors to be repeatedly successful.
>
> And this is a bad thing WHY, exactly? AV does a very good job, in general, at looking at dodgy things as they enter and leave the filesystem. That was the original job of AV and remains the core of the products. A firewall, for example, does a generally good job of allowing or declining traffic at layer 3/4, but a generally crappy job at looking at layer 7. That doesn't mean that firewall vendors are hopeless and that they haven't evolved over the last ten to fifteen years.
A packet filter is one component of a firewall, but not a complete firewall solution by any means. There are these things termed proxies ;), and then you have host-based security as well to add to the mix. As a piece of host-based security, AV is useful. As for the systems which make it necessary, I share MJR's opinion on those (see the archives for May/June/July for that thread).
> The problem starts when "the market" starts expecting FW+AV to protect them from all current threats - well, they don't. You may as well get mad at your fire alarm when the pipes burst in your roof.
Well, all /known/ current threats.
> At a host level, malware is using a bunch of different attack vectors which were never in-spec for AV. Worms work by hijacking execution somehow, which is all happening in memory, before the AV gets a shot at it. They require no user interaction to spread, whereas AV has typically looked at viruses (gasp) which _do_ require user interaction. Spyware, adware and all those tasty browser malwares work by exploiting the security identity of IE, making it impossible for an AV to tell that the functions are not what was intended.
And I would say that preventing spyware and spamware from operating is not in the purview of the antivirus software. I would prefer that the A/V vendors do their job of fighting the viruses and related worms well, rather than trying to do everything and doing it badly. The Unix philosophy of "do one thing and do it well" is applicable everywhere.
> [MHawkins] after year major infections spread and the consumer, faced with the cognitive dissonance between antivirus vendor marketing spin and the reality of a system rebuild, crashes, deleted files etc, wakes up and realizes that the antivirus vendors are peddling an awful product that really doesn't protect their system at all.
>
> [Paul] AV works against almost 100% of existing in-the-wild viruses, and probably greater than 90% of new viruses, that's not "doesn't protect their systems at all."
> [...]
>
> Exactly. AV protects well against viruses. Do the vendors call it "anti all kinds of malware"? No. Do they claim that it bakes muffins? No. In fact, everyone is scrambling to get products ready for a market that is thinking exactly what you are saying, Mike - that the simple fact is that FW/AV doesn't protect well against current malware. To a large extent, that's because said malware is specifically designed to bypass those kinds of protection.
Wouldn't it be far easier for the A/V vendors to just ship an alternative browser, and recommend its installation and usage instead of the malware-spreading vectors?
> [Paul] The market won't accept better mechanisms, just like better firewalls are disdained in favor of IDS, which is also a reactive technology.
>
> I don't think that's the case. What the market won't accept are _ideal_ mechanisms. Pretty much all the major players are betting they'll buy Yet
Actually, IMHO, what the market isn't accepting is a separation between the active and passive components of a defense system. Active components like packet filters, proxies and other components which sit in the path of the traffic and make decisions on whether to allow or deny the traffic are either too simplistic or too restrictive in terms of the feature set they offer. Passive components like IDS systems detect failures of the active components, but do not actively participate in the defense of the system. What the market desires is a feature in the passive components which allows them to react to malicious events going past the active components and prevent the events from occurring, in essence converting the passive components to active ones. The vendors of such products market these as a replacement for the active components rather than as supportive components of a defense-in-depth system. An IDS sitting behind a restrictive proxy firewall watching out for malicious events and restricting those from propagating is a good idea (e.g., an antivirus sitting on a filtering system behind a gateway MTA, stopping viruses which can bypass the simple checks offered by an MTA -- zip files, for example).
> Another Type Of Protection Software in droves. Personally, I think it should be called YATOPS, but vendors think H-IPS (Host Intrusion Prevention Systems) is more exciting - presumably by virtue of being tantalisingly vague.
Hardening every host is not a bad idea. However, this needs to be designed into the system and not patched in from above as a band-aid. MAC is a good idea, but in those cases where it is too complex, simplistic ACLs can be used instead. These MUST be built into the OS kernel and not used as bandages on top of a broken system. As MJR argued in the above-mentioned thread, trying to fix a broken system is a waste of time and not worth the effort.
> We went around this turnstile a few months back, with mjr ready to hold down the current state of OS / software and hammer a stake through its heart. YATOPS vendors think we can keep it limping along for another few years.
>
> [Paul] As an industry, we've failed in getting vendors to go the "this is now allowed to work", have-it-blessed-first mode, so we're left with picking up the pieces reactively.
>
> Right. Maybe in ten years every PC will just be one big mobile code interpreter with proper sandboxing. Who knows.
A similar idea was proposed by MJR earlier, and argued for and against on this list. I just had a discussion today with someone who makes money cleaning the computers of home users from viruses/spamware/crapware. He objected to my advice of giving the users an alternative browser and MUA with the simple claim that having users keep using IE and OE and unpatched XP kept him in business. This is the type of service vendor we need to get rid of. However, his arguments boiled down to (users == home users):

1> Users want to keep using what they know and get cheap support for (in this case, Microsoft Windows).

2> Users do not want to learn to protect their systems, and expect systems as complicated as Turing-complete computers to behave like simple electronic devices (because they use the computer that way).

3> Users do not want the trouble caused by viruses and malware, but are not willing to pay a premium (in terms of time/money/functionality) for systems which will not have such trouble. On the other hand, they are perfectly willing to shell out small sums of money regularly to have these viruses and malware removed.

This is totally different from what a large corporate wants, but this particular segment is currently causing the most pain on the Internet. Is any vendor offering a usable fix for this type of market (small but regular payments from a large volume of customers)?

Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
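The defense-in-depth point in Devdas's reply above (a filtering system behind a gateway MTA catching what the MTA's simple checks miss, zip files in particular), as an added worked example that is not code from the original thread or from any product it mentions. It contrasts a gateway check that only looks at attachment names with a content filter behind it that opens archives and inspects every member. The sample message, the blocked-extension list, the nesting and size limits, and the function names are constructed for illustration; the EICAR test string stands in for a real virus signature.

```python
"""Two-stage mail filtering, as an illustration of "simple MTA check" versus
"content filter behind it". Added example; messages, names and thresholds
below are constructed, not taken from any real deployment."""
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The EICAR test string: a harmless file that AV engines are expected to flag.
# It plays the role of "the virus signature" in this example.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed gateway policy: reject a short list of executable extensions by name.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

# Assumed content-filter limits so the archive cannot turn the filter itself
# into the victim (decompression bombs, endless zip-in-zip nesting).
MAX_DEPTH = 2                  # nested archive levels we are willing to open
MAX_MEMBER_BYTES = 5_000_000   # never inflate a single member beyond this
MAX_RATIO = 100                # uncompressed/compressed ratio that smells like a bomb


def build_sample_message() -> EmailMessage:
    """Constructed sample: the only attachment is a zip wrapping an executable
    named to look like a PDF and carrying the EICAR string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", EICAR)
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg


def gateway_mta_check(msg: EmailMessage) -> list:
    """The 'simple check' a gateway MTA offers: attachment file names only.
    Returns the reasons to reject; an empty list means the mail is accepted."""
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXT):
            reasons.append(f"{name}: blocked attachment name")
    return reasons


def _scan_zip(data: bytes, depth: int, findings: list, prefix: str) -> None:
    """Open an archive in memory and inspect each member; recurse into nested
    zips up to MAX_DEPTH and skip members whose declared sizes look like a bomb."""
    if depth > MAX_DEPTH:
        findings.append(f"{prefix}: nested deeper than {MAX_DEPTH}, not opened")
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"{prefix}: not a valid zip archive")
        return
    with zf:
        for info in zf.infolist():
            member = f"{prefix}/{info.filename}"
            if info.filename.lower().endswith(BLOCKED_EXT):
                findings.append(f"{member}: blocked extension inside archive")
            compressed = max(info.compress_size, 1)
            if info.file_size > MAX_MEMBER_BYTES or info.file_size / compressed > MAX_RATIO:
                findings.append(f"{member}: suspicious size or ratio, not inflated")
                continue
            content = zf.read(info)   # zipfile bounds the read by the declared size
            if EICAR in content:
                findings.append(f"{member}: matches test-virus signature")
            if info.filename.lower().endswith(".zip"):
                _scan_zip(content, depth + 1, findings, member)


def content_filter_check(msg: EmailMessage) -> list:
    """The filter behind the gateway: keep the cheap name check, then look
    inside archives and raw attachment bytes."""
    findings = gateway_mta_check(msg)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "attachment").lower()
        data = part.get_content()
        if not isinstance(data, bytes):
            continue
        if name.endswith(".zip") or data[:2] == b"PK":
            _scan_zip(data, 1, findings, name)
        elif EICAR in data:
            findings.append(f"{name}: matches test-virus signature")
    return findings


if __name__ == "__main__":
    sample = build_sample_message()
    print("gateway verdict :", gateway_mta_check(sample) or "accepted")
    print("content verdict :", content_filter_check(sample) or "accepted")
```

Run stand-alone, the gateway check accepts the mail (the attachment is called `invoice.zip`) while the content filter reports both the executable hidden inside the archive and the test signature in its bytes. The size-ratio and nesting-depth guards are what keep the "active" filter from being the weak point: a component that opens attacker-supplied archives on the traffic path has to bound its own work.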
Current thread:
- RE: Antivirus vendor conspiracy theories Ames, Neil (Dec 02)
- RE: Antivirus vendor conspiracy theories Mark Teicher (Dec 05)
- <Possible follow-ups>
- Re: Antivirus vendor conspiracy theories Danny (Dec 05)
- Re: Antivirus vendor conspiracy theories Devdas Bhagat (Dec 05)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Ben Nagy (Dec 07)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Devdas Bhagat (Dec 07)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Ben Nagy (Dec 11)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Devdas Bhagat (Dec 11)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Paul D. Robertson (Dec 12)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Marcus J. Ranum (Dec 12)
- Book of rants (was Re: How to Save The World (was: Antivirus vendor conspiracy theories)) Devdas Bhagat (Dec 12)
- Re: Book of rants Jason Lewis (Dec 12)
- Re: Re: Book of rants Devdas Bhagat (Dec 12)
- Re: Re: Book of rants Christopher Hicks (Dec 12)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Ben Nagy (Dec 07)