Re: [fw-wiz] Antivirus vendor conspiracy theories

From: Danny (nocmonkey_at_gmail.com)
Date: 12/02/04

  • Next message: Martin A. Brown: "Re: [fw-wiz] Forward 2 networks"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 2 Dec 2004 15:33:24 -0500
    
    

    On Sun, 28 Nov 2004 10:57:47 +0100, Ben Nagy <ben@iagu.net> wrote:
    > [MHawkins]
    > > > Antivirus vendors have painted themselves into their own
    > > > conspiracy theoried corner by purveying a product that is based on
    > > > technology that is purely reactive and for the last ten years they've
    > > > used one method of protection thereby enabling other attack vectors to
    > > > be repeatedly successful.
    >
    > And this is a bad thing WHY, exactly? AV does a very good job, in general,
    > at looking at dodgy things as they enter and leave the filesystem. That was
    > the original job of AV and remains the core of the products.

    You are referring to host-based AV, of course.

    > A firewall, for example, does a generally good job of allowing or declining
    > traffic at layer 3/4, but a generally crappy job at looking at layer 7. That
    > doesn't mean that firewall vendors are hopeless and that they haven't
    > evolved over the last ten fifteen years.

    Two words: Fortinet's Fortigate. (No, I do not work for Fortinet. I
    work in the IT dept. of a food processing company). I am sure there
    are many upper-layer-aware firewalls, but for the price, I haven't
    found much competition.

    > The problem starts when "the market" starts expecting FW+AV to protect them
    > from all current threats - well they don't. You may as well get mad at your
    > fire alarm when the pipes burst in your roof.

    FW+AV in one works well here.

    > At a host level malware is using a bunch of different attack vectors which
    > were never in-spec for AV. Worms work by hijacking execution somehow, which
    > is all happening in memory, before the AV gets a shot at it. They require no
    > user interaction to spread, whereas AV have typically looked at Viruses
    > (gasp) which _do_ require user interaction.

    Concentrate on the perimeter with upper-layer-aware firewalls if you
    can't rely (we don't) on host-based AV.

    > Spyware, adware and all those tasty browser malwares work by exploiting the
    > security identity of IE, making it impossible for an AV to tell that the
    > functions are not what was intended.

    Security through obscurity combined with a wee bit of education works
    here. You are very pessimistic, sir. :)

    ...D
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

