Firewall Wizards mailing list archives

Re: Antivirus vendor conspiracy theories


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 2 Dec 2004 23:09:23 +0530

On 28/11/04 10:57 +0100, Ben Nagy wrote:

Apologies for the late reply on this, but I have been away from the
computer for a bit.

-----Original Message-----
[MHawkins]
Antivirus vendors have painted themselves into their own conspiracy-theoried
corner by purveying a product that is based on technology that is purely
reactive, and for the last ten years they've used one method of protection,
thereby enabling other attack vectors to be repeatedly successful.

And this is a bad thing WHY, exactly? AV does a very good job, in general,
at looking at dodgy things as they enter and leave the filesystem. That was
the original job of AV and remains the core of the products.

A firewall, for example, does a generally good job of allowing or declining
traffic at layer 3/4, but a generally crappy job at looking at layer 7. That
doesn't mean that firewall vendors are hopeless and that they haven't
evolved over the last ten or fifteen years.

A packet filter is one component of a firewall solution, but not a complete
one by any means. There are these things termed proxies ;), and
then you have host based security as well to add to the mix.

As a piece of host based security, AV is useful. As for the systems
which make it necessary, I share MJR's opinion on those (see the
archives for May/June/July for that thread).

The problem starts when "the market" starts expecting FW+AV to protect them
from all current threats - well they don't. You may as well get mad at your
fire alarm when the pipes burst in your roof.

Well, all /known/ current threats. 

At a host level malware is using a bunch of different attack vectors which
were never in-spec for AV. Worms work by hijacking execution somehow, which
is all happening in memory, before the AV gets a shot at it. They require no
user interaction to spread, whereas AV has typically looked at Viruses
(gasp) which _do_ require user interaction.

Spyware, adware and all those tasty browser malwares work by exploiting the
security identity of IE, making it impossible for an AV to tell that the
functions are not what was intended. 

And I would say that preventing spyware and spamware from operating is
not in the purview of the antivirus software. I would prefer that the
A/V vendors do their job of fighting the viruses and related worms well,
rather than trying to do everything and do it badly. The Unix philosophy
of do one thing and do it well is applicable everywhere.

[MHawkins]
after year major infections spread and the consumer, faced with the
cognitive dissonance between antivirus vendor marketing spin and the reality
of a system rebuild, crashes, deleted files etc, wakes up and realizes that
the antivirus vendors are peddling an awful product that really doesn't
protect their system at all.
[Paul]
AV works against almost 100% of existing in-the-wild viruses, and probably
greater than 90% of new viruses, that's not "doesn't protect their systems
at all."
[...]

Exactly. AV protects well against viruses. Do the vendors call it "anti all
kinds of malware"? No. Do they claim that it bakes muffins? No.

In fact, everyone is scrambling to get products ready for a market that is
thinking exactly what you are saying, Mike - that the simple fact is that
FW/AV doesn't protect well against current malware. To a large extent,
that's because said malware is specifically designed to bypass those kinds
of protection.

Wouldn't it be far easier for the A/V vendors to just ship an
alternative browser, and recommend its installation and usage instead of
the malware spreading vectors?

[Paul]
The market won't accept better mechanisms, just like better
firewalls are disdained in favor of IDS, which is also a reactive
technology.

I don't think that's the case. What the market won't accept are _ideal_
mechanisms. Pretty much all the major players are betting they'll buy Yet

Actually, IMHO, what the market isn't accepting is a separation between
the active and passive components of a defense system. Active components
like packet filters, proxies and other components which sit in the path
of the traffic and take decisions on whether to allow or deny the
traffic are either too simplistic or too restrictive in terms of the
featureset they offer. Passive components like IDS systems detect
failures of the active components, but do not actively participate in the
defense of the system.

What the market desires is a feature in the passive components which
allows them to react to malicious events going past the active
components and prevent the events from occurring, in essence converting
the passive components to active ones. The vendors of such products
market these as a replacement for the active components rather than as
supportive components of a defense in depth system.

An IDS sitting behind a restrictive proxy firewall watching out for
malicious events and restricting those from propagating is a good idea
(eg, an antivirus sitting on a filtering system behind a gateway MTA
stopping viruses which can bypass the simple checks offered by an MTA --
zip files for example).

Another Type Of Protection Software in droves. Personally, I think it should
be called YATOPS, but vendors think H-IPS (Host Intrusion Prevention
Systems) is more exciting - presumably by virtue of being tantalisingly
vague.

Hardening every host is not a bad idea. However, this needs to be
designed into the system and not patched in from above as a bandaid.
MACs are a good idea, but in those cases where they are too complex,
simplistic ACLs can be used instead. These MUST be built into the OS
kernel and not used as bandages on top of a broken system.

As MJR argued in the above mentioned thread, trying to fix a broken
system is a waste of time and not worth the effort.

We went around this turnstile a few months back, with mjr ready to hold down
the current state of OS / Software and hammer a stake through its heart.
YATOPS vendors think we can keep it limping along for another few years.

[Paul]
As an industry, we've failed in getting vendors to go the
"this is now allowed to work" have it blessed first mode, so 
we're left with picking up the pieces reactively.

Right. Maybe in ten years every PC will just be one big mobile code
interpreter with proper sandboxing. Who knows.

A similar idea was proposed by MJR earlier, and argued for and against on 
this list.

I just had a discussion today with someone who makes money cleaning the
computers of home users from viruses/spamware/crapware. He objected to
my advice of giving the users an alternative browser and MUA with the
simple claim that having users keep using IE and OE and unpatched XP
kept him in business. This is the type of service vendor we need to get
rid of. However, his arguments boiled down to (users == home users):

1> Users want to keep using what they know and get cheap support for (in
this case, Microsoft Windows).
2> Users do not want to learn to protect their systems, and expect systems
as complicated as Turing complete computers to behave like simple
electronic devices (because they use the computer that way).
3> Users do not want the trouble caused by viruses and malware, but are
not willing to pay a premium (in terms of time/money/functionality) for
systems which will not have such trouble. On the other hand, they are
perfectly willing to shell out small sums of money regularly to have
these viruses and malware removed.

This is totally different from what a large corporate wants, but this
particular segment is currently causing the most pain on the Internet.

Is any vendor offering a usable fix for this type of market (small but 
regular payments from a large volume of customers)?

Devdas Bhagat
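An added example, not from this thread or from any vendor's product, of the "antivirus on a filtering system behind the gateway MTA" idea raised above: it opens zip attachments and reports executable members that the MTA's outer-filename check alone cannot see. The message, the archive and the blocked-extension list are all constructed for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed list: extensions a simple MTA rule blocks on the outer filename.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}

def blocked_by_name(filename):
    """The 'simple check offered by an MTA': look at the outer filename only."""
    return any(filename.lower().endswith(ext) for ext in BLOCKED_EXT)

def suspicious_zip_members(data):
    """Names inside a zip payload that the outer check would have blocked."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if blocked_by_name(n)]
    except zipfile.BadZipFile:
        return []

def scan_message(raw):
    """Walk attachments; return (outer_hits, inner_hits) for the two checks."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    outer, inner = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if blocked_by_name(name):
            outer.append(name)
        elif name.lower().endswith(".zip") or payload[:2] == b"PK":
            # The archive passes the outer check; inspect what it carries.
            inner.extend(f"{name}:{m}" for m in suspicious_zip_members(payload))
    return outer, inner

def build_sample():
    """Constructed message: a zip carrying a .scr next to a harmless .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "see attached")
        zf.writestr("invoice.scr", b"MZ-not-a-real-binary")  # placeholder bytes
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))  # ([], ['invoice.zip:invoice.scr'])
```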
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
