RE: [fw-wiz] Antivirus vendor conspiracy theories

From: Ben Nagy (ben_at_iagu.net)
Date: 11/28/04

    To: "'Paul D. Robertson'" <paul@compuwar.net>, <MHawkins@TULLIB.COM>
    Date: Sun, 28 Nov 2004 10:57:47 +0100
    
    

    > -----Original Message-----
    [MHawkins]
    > > Antivirus vendors have painted themselves into their own
    > > conspiracy theoried corner by purveying a product that is based on
    > > technology that is purely reactive and for the last ten years they've
    > > used one method of protection thereby enabling other attack vectors
    > > to be repeatedly successful.

    And this is a bad thing WHY, exactly? AV does a very good job, in general,
    at looking at dodgy things as they enter and leave the filesystem. That was
    the original job of AV and remains the core of the products.

    A firewall, for example, does a generally good job of allowing or declining
    traffic at layer 3/4, but a generally crappy job at looking at layer 7. That
    doesn't mean that firewall vendors are hopeless and that they haven't
    evolved over the last ten or fifteen years.

    The problem starts when "the market" starts expecting FW+AV to protect them
    from all current threats - well, they don't. You may as well get mad at your
    fire alarm when the pipes burst in your roof.

    At a host level malware is using a bunch of different attack vectors which
    were never in-spec for AV. Worms work by hijacking execution somehow, which
    is all happening in memory, before the AV gets a shot at it. They require no
    user interaction to spread, whereas AV has typically looked at Viruses
    (gasp) which _do_ require user interaction.

    Spyware, adware and all those tasty browser malwares work by exploiting the
    security identity of IE, making it impossible for an AV to tell that the
    functions are not what was intended.

    [MHawkins]
    > > after year major infections spread and the consumer, faced with the
    > > cognitive dissonance between antivirus vendor marketing spin and the
    > > reality of a system rebuild, crashes, deleted files etc, wakes up and
    > > realizes that the antivirus vendors are peddling an awful product that
    > > really doesn't protect their system at all.
    [Paul]
    > AV works against almost 100% of existing in-the-wild viruses, and probably
    > greater than 90% of new viruses, that's not "doesn't protect their systems
    > at all."
    [...]

    Exactly. AV protects well against viruses. Do the vendors call it "anti all
    kinds of malware"? No. Do they claim that it bakes muffins? No.

    In fact, everyone is scrambling to get products ready for a market that is
    thinking exactly what you are saying, Mike - that the simple fact is that
    FW/AV doesn't protect well against current malware. To a large extent,
    that's because said malware is specifically designed to bypass those kinds
    of protection.

    [Paul]
    > The market won't accept better mechanisms, just like better
    > firewalls are disdained in favor of IDS, which is also a reactive
    > technology.

    I don't think that's the case. What the market won't accept are _ideal_
    mechanisms. Pretty much all the major players are betting they'll buy Yet
    Another Type Of Protection Software in droves. Personally, I think it should
    be called YATOPS, but vendors think H-IPS (Host Intrusion Prevention
    Systems) is more exciting - presumably by virtue of being tantalisingly
    vague.

    We went around this turnstile a few months back, with mjr ready to hold down
    the current state of OS / Software and hammer a stake through its heart.
    YATOPS vendors think we can keep it limping along for another few years.

    [Paul]
    > As an industry, we've failed in getting vendors to go the
    > "this is now allowed to work" have it blessed first mode, so
    > we're left with picking up the pieces reactively.

    Right. Maybe in ten years every PC will just be one big mobile code
    interpreter with proper sandboxing. Who knows.

    Cheers,

    ben
    (Disclaimer, I work for a YATOPS vendor, which may affect my point of view)

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
