Firewall Wizards mailing list archives
Re: Antivirus vendor conspiracy theories
From: Danny <nocmonkey () gmail com>
Date: Thu, 2 Dec 2004 15:33:24 -0500
On Sun, 28 Nov 2004 10:57:47 +0100, Ben Nagy <ben () iagu net> wrote:
> [MHawkins] Antivirus vendors have painted themselves into their own conspiracy theoried corner by purveying a product that is based on technology that is purely reactive and for the last ten years they've used one method of protection thereby enabling other attack vectors to be repeatedly successful.
>
> And this is a bad thing WHY, exactly? AV does a very good job, in general, at looking at dodgy things as they enter and leave the filesystem. That was the original job of AV and remains the core of the products.

You are referring to host-based AV, of course.

> A firewall, for example, does a generally good job of allowing or declining traffic at layer 3/4, but a generally crappy job at looking at layer 7. That doesn't mean that firewall vendors are hopeless and that they haven't evolved over the last ten, fifteen years.

Two words: Fortinet's Fortigate. (No, I do not work for Fortinet. I work in the IT dept. of a food processing company.) I am sure there are many upper-layer-aware firewalls, but for the price, I haven't found much competition.

> The problem starts when "the market" starts expecting FW+AV to protect them from all current threats - well they don't. You may as well get mad at your fire alarm when the pipes burst in your roof.

FW+AV in one works well here.

> At a host level malware is using a bunch of different attack vectors which were never in-spec for AV. Worms work by hijacking execution somehow, which is all happening in memory, before the AV gets a shot at it. They require no user interaction to spread, whereas AV has typically looked at Viruses (gasp) which _do_ require user interaction.

Concentrate on the perimeter with upper-layer-aware firewalls if you can't rely (we don't) on host-based AV.

> Spyware, adware and all those tasty browser malwares work by exploiting the security identity of IE, making it impossible for an AV to tell that the functions are not what was intended.

Security through obscurity combined with a wee bit of education works here. You are very pessimistic, sir. :)

...D

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards