Re: Antivirus- A Corrective Control?



Todd,

I'm not trying to be confrontational here, but based on numerous mentions of AV being "trivial" and "nearly worthless," how do decision-makers react when you tell them things like that?

Are you saying they shouldn't use AV or invest in AV as part of a blended security posture? (Innocent question, I'm not intending to set up a strawman there.)

Would you think this is nearly (not quite, but nearly) as bad as vendors saying they provide complete defense/prevention?

Didn't you just also say AV can prevent common and older malware?

Don't get me wrong, I fully agree with not being able to prevent all attacks and I agree that AV has weaknesses and shady marketing practices. I just don't like too much hyperbole that reaches non-technical ears and creates chaos for every sec geek out there. Maybe you have a better solution that still meets compliance mandates?


Getting back to the OP, you have to check with official test materials. Whether you disagree with that official stance or not is not really important. You can submit information to the authors or official channels, but be aware that the CISSP test sometimes has questions that can be argued; you'll still be wrong unless you stick with what the ISC2 says. So it really doesn't matter what all of us think, in this case.


<- snip ->

As this is security-basics, and because an alarming number of people
believe that there's even a shred of truth to the "should not get
infected at all" myth, as a public service, let's all repeat:

"No, AV won't protect you from all malware. Not even close."

Make sure everyone knows that AV is trivially evaded, and that
essentially all decent malware is tested against all the common AVs
before it's used. Some crimeware kits even come with support and a
guarantee of a new version should AV start detecting the current
version. Freely available exploitation frameworks are built from the
ground up to do AV and IDS evasion at several levels.

If a vendor makes a claim anywhere within 100 kilometers of "should
not get infected at all" they should be summarily discounted from
consideration as a vendor, and possibly flogged in the street.

If you aren't already, spread the word that AV's value (if any) is in
complying with mandates for AV, and in being at least something that
might detect older or more common malware absent any other more
advanced/more reliable detective measures you've been allowed to
purchase. Versus a targeted attack, be sure that decision makers are
aware that AV is very nearly worthless, and should never ever ever be
characterized as something that would keep a machine from getting
"infected at all."

Sandeep, by the way, this isn't directed at you...I suspect you are
well aware of the gulf between vendor claims and reality on this
front.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
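Added example, not from this thread or from either poster: a toy static signature scanner in Python that shows the gap Todd's quoted post describes. It matches the EICAR test string by file hash and by byte pattern, then reports nothing on a copy of the same bytes behind a one-byte XOR "packer", even though unpacking that copy gives back exactly the content it detected a moment earlier. The signature names, the 5-byte stub header, the XOR key and the key-search loop are assumptions of this example, not anything the post or any real engine uses.

```python
# Added example, not from the security-basics thread: a toy static signature
# scanner, used to show why byte/hash signatures alone are trivially evaded.
import hashlib

# EICAR standard anti-virus test string (benign; real engines flag it).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed toy signature database: one whole-file hash and one byte pattern.
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "Eicar-Test-File"}
PATTERN_SIGNATURES = {"Eicar-Test-Signature": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}

STUB = b"STUB\x00"  # assumed 5-byte loader stub standing in for a packer's decoder


def scan(sample: bytes) -> list:
    """Static scan only: hash lookup, then substring match. Returns signature names."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())
    if name:
        hits.append(name)
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in sample:
            hits.append(name)
    return hits


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def pack(payload: bytes, key: int) -> bytes:
    """Build a 'packed' sample: stub, one-byte key, XOR-encoded payload.
    A real packer's stub would decode and run the payload in memory."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return STUB + bytes([key]) + xor_bytes(payload, key)


def unpack(sample: bytes) -> bytes:
    """What an emulator or memory scanner would see after the stub has run."""
    if not sample.startswith(STUB) or len(sample) < len(STUB) + 1:
        raise ValueError("not a packed sample")
    key = sample[len(STUB)]
    return xor_bytes(sample[len(STUB) + 1:], key)


def evasion_report(payload: bytes = EICAR, key: int = 0x5A) -> dict:
    """Static hits on the original, the packed copy and the unpacked copy."""
    packed = pack(payload, key)
    return {
        "original": scan(payload),
        "packed": scan(packed),
        "unpacked": scan(unpack(packed)),
    }


def first_quiet_key(payload: bytes = EICAR) -> int:
    """The 'test it against the scanner before shipping' loop in miniature:
    try keys until the static scanner reports nothing."""
    for key in range(1, 256):
        if not scan(pack(payload, key)):
            return key
    raise RuntimeError("no single-byte key evades the static signatures")


if __name__ == "__main__":
    for label, hits in evasion_report().items():
        print(f"{label:9s}: {hits or 'no detection'}")
    print(f"first key with no static hits: {first_quiet_key()}")
```

The point of the last function is the workflow the post alludes to: an operator does not need to understand the engine, only to iterate transforms until the scanner is quiet, and any nonzero key works against a purely static check here. What closes that gap in real products is emulation, unpacking and behavioural detection that sees the decoded bytes (the "unpacked" row), which is exactly what a compliance checkbox for "AV installed" does not by itself guarantee.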
