if you read the linked article the you will notice that they don't dump AV - they just switched to a "AV" product that does away with the signature database completely and replacing it with heuristics - it also sounds like there is some white listing of processes involved as well.
This is something AV products have been doing for quite some time now.
I definitely agree that we need more than anti-virus these days - but I still think anti-virus has a part to play in a multi-layered approach to security.
But in any case the content of the article is rather less sensational that the headline. It seems like Netflix is 'dumping' anti-virus for... well, another anti-virus tool! It's just that SentinelOne is not signature based, and relies on dynamically detecting dubious activities by processes (which some existing anti-virus tools already do, if to a lesser degree).
I'd like to know more about what it's doing and how it works. I can imagine a couple scenarios:
1) It might have a "baseline" time during which it allows and records everything, and then locks down anything outside of that (like the old ZoneAlarm did for firewalls).
2) Or it might only lock down certain APIs? File and registry and network access? Not sure where you'd stop with that. What about when it emails everyone in Outlook?
A more nuanced title would be: "To continue its fight against new viruses, Netflix is dumping classical disk-scanning-fingerprints software for newer technologies such as statistical analysis of anomalies."
Netflix and whoever they hire (e.g. SentinelOne) is still fighting viruses. They're just doing it using more sophisticated algorithms instead of fingerprints. Traditional anti-virus software trying to match file signatures is not effective against 0-day attacks.
What's newsworthy is that a vendor was able to convince important people (e.g. AV-TEST Institute) that algorithms scanning for anomalies is equivalent to, or stronger than, traditional disk-scanning. However, it doesn't look like they've convinced the credit-card industry yet. They're the ones who determine PCI DSS compliance. However, PCI DSS may not apply to Netflix.
Interpreting the story as an ongoing progression of anti-virus technology, it means the industry won't "die" at all. They're just retooling themselves with more algorithmic approaches. Maybe Symantec will add algorithms and also be included in the changing industry of fighting viruses.
PCI-DSS applies to Netflix very much, they probably still will have traditional AV in their CHD environment and any other system in scope of the certification (e.g. the desktops the sysadmins use to administer servers within the CHD environment).
Also the PCI council doesn't define which AV is compliant or not, only states that you need anti-virus protection on all systems commonly affected by malicious software.
It's up to the QSA and acquirer(if that one gets really bored) to accept the solution, neither of which care really. You can use Windows Defender, Clam or the most super duper expensive AV out there it's all the same for them.
The requirement is also worded very carefully "on all systems commonly affected by malicious software" so people could make a case against installing AV on things that AV solutions are not common for, such as Mac's, Linux box's, and even Mainframes (yes there are mainframes in certain PCI-DSS scope's because the QSA wasn't smart enough to find a loop hole to keep it out of scope or the costumer is dumb enough to actually process or store credit cards on it).
I work in digital forensics, and running Volatility against the memory (either online or against a memory dump), helps give a far deeper insight and way higher probability at finding viruses than standard "antivirus" software. You can even find Advanced Persistent Threats (APTs) and "unidentified" viruses, because what you look for are the mechanisms by which a virus resides in memory: hidden processes, hooks to system calls, spurious DLLs, etc.
Ever since I learned about memory analysis, I have considered almost every antivirus useless. I do have the Windows Defender antivirus active, but if I have a real doubt, I turn to memory analysis just to be sure (still clean luckily!).
In general anti-virus is more useful for less educated users. For example, I'd never escalate (sudo, UAC, etc.) a process that I wouldn't expect to need the escalation. This severely limits the control a virus can take (stopping most in their tracks). The only people who really need AV are the type of idiots who run as root, or turn off UAC.
The real concern are advanced worms. Most of these would likely infect a machine regardless of the presence of an AV, either because they are zero-day or because a machine does not have security patches installed. AVs, typically, would struggle to catch an e.g. malicious BIOS flash resulting from an escalation vulnerability.
In the face of security patching, AVs are largely obsolete, irrespective of their detection rates: not 'completely' because human error does exist (which is why I still run one).
My main point was: a virus that uses a 0-day (or unpatched/unfixed 0-day) is likely going to cause problems for an AV:
> AVs, typically, would struggle to catch an e.g. malicious BIOS flash resulting from an escalation vulnerability.
Over-exaggerating to clarify: AVs are like bringing a knife to a gunfight. You might just be actually able to eliminate the weaker opponents (who also brought knives), but you're going nowhere against the veterans.
It takes about 5min to refactor the code of existing malware to avoid detection, heck playing around with compiler settings is enough in many cases.
I've recompiled Netcat probably 200 times by now, small refactoring playing with compiler flags (compile with x64 profile, debug on, add some symbols etc..) and every time it avoids every AV out there.
I usually use Virustotal which means that it will be short lived but i can do it over and over and over again ;)
Well if you actually read the search results you'll see :)
1st result 2012: "If you want to avoid detection, a 60% success rate is not good enough. Remember, our implant was caught by 40% of the products, not 40% of the targets. Assuming the better anti-virus products have a larger market share, our 40% product failure rate could look more like an 80 or 90% detection rate on target machines. - See more at: http://www.digitalthreat.net/2012/02/anti-virus-evasion-choo...
4th result 2014: "There are a couple of built in encoders in Metasploit (shikata ga nai is the most popular one), but these signatures have been updated in many Antivirus solutions, resulting in detection."
Every decent AV out there today has signatures of packers and encoders they are very easy to find since the artifacts of things like PE headers and binary cave of the encoded binaries will be identical every time you use them.
Most people who claim it works are simply rehashing the same old metasploit guides that are not really relevant in the real world anything that is wide used will be singnatured in a second by every AV company.
Yes if you encode it and upload it to VirusTotal even today you might get 50% or more evasion but those 50% of products will have maybe 5% of the market, and pretty much zero enterprise users.
Heuristics is something that AV companies tac on when they mean they don't update their DB too often ;P
In general heuristics work very poorly for binary detection some of them might look for various patterns e.g. block the creation of registry entries from non-installer based malware (which is a large amount of false positives) or look for various interactions like hooking into certain applications or functions but in general I haven't seen a good heuristics engine as of yet.
There are some very interesting machine learning tools but they detect large scale anomalies that could indicate a breach, there are also some machine learning binary analysis tools but they work on a different level and they perform something more akin to reverse engineering.
Signature based detection has it's uses and that's to detect common crap that is here to say. If you look at current trends then 70-90* of malware is unique for each organization (the large gap is due to different verticals) most of that malware when detected won't receive a public signature their AV vendor will release it for that organization only and maybe distribute it among that vertical or to similar organizations. And while you might think well that's bull you don't really want all those signatures anyhow for the AV DB to be effective it needs to be fast so vendors have to limit the amount of signatures they carry, to do that they also tend to remove malware which all of it's exploit have been patched or outdated malware which is no longer relevant (e.g. very small amount of infections). The signatures vary from time to time and if there will be an outbreak of old malware that has been removed the vendors will introduce those signatures again into the DB and they became quite good at predicting outbreaks of common malware.
Now if AV's only detect 10-30% of stuff what detects the rest? Sandboxing doesn't really work, Windows isn't really built for that and to implement a security solution that actually provides true sandboxing for all applications is a nightmare, so you are left pretty much with detecting anomalies across the network. The malware it self is usually then discovered once a breach or an incident has been detected, the most common point of detection is when a breach is ongoing and you discover the egress, sometimes if you have really good monitoring across the board than your FIM(file integrity monitoring) or your user activity monitoring will start yelling very quickly.
Now AV's still have their role they are quick and dirty an they usually work for most (home) users for stuff like thumb drives and simple mail attachment crap, and they are still one of the only tools that can provide real time on-excute/write binary detection most of the new heavy weights are based on detecting the malware post exploit.
Some security solutions now claim to be "anti-exploit" the claim part is because their success rate varies they usually are much more focused for example will only protect browsers, office suits, and common PDF reader and what they do is a couple of things: 1 they know how an existing known exploit will look like when it's being triggered in the application and they will terminate it before the payload is executed (hopefully ;)), 2 they have the ability to detect various exploit oriented artifacts like ROP detection, 3 they do some behavior analysts as they usually only protect 10 or less applications they can application specific heuristics rather than attempt at creating general ones.
Like AV's they usually excel at 1, 2 is tricky especially on 64bit applications because the virtual memory now is so large that it's hard (well impossible blindly) to look through it so ironically enough some "anti-exploits" apps actually require you to disable ASLR (a security feature randomized the memory address of an application across the entire/most of 64bit virtual address space to make it harder to exploit B/O's), and some of them are be...
Some time ago, I went and grabbed all the quarantined executable attachments from our mail system. I was shocked there were so many, given how long it's been that blocking zip files containing .exe files has been a standard.
I uploaded 30 to virustotal to see what would happen, and I can't recall exact numbers, but I believe we'd be looking at about 25 that has detection rates of 0/51.
Since then, I'd been a staunch advocate of the argument AV just wasn't worth the effort.
Meanwhile, I walk into organisations and every single person has 15 different toolbars clouding up half there screen real estate, and popups hitting them constantly. And you scan with an antivirus and the majority of players end up claiming this sort of thing is legitimate software.
Then they landed a big contract with Netflix and got a sucker at Forbes to write some PR like it was news, and now it's been picked up by HN and being discussed as though it had some substance.
Just wanted to chime in to clarify that I contacted Netflix directly without having ever spoken to SentinelOne. When I contacted SentinelOne after the interview they said they couldn't even go on the record about the Netflix contract. Much love, Sucker at Forbes.
Can you say what prompted you to contact Netflix then? The article really reads like a love letter to SentinelOne, and includes some pretty odd bits that work well with their marketing for their endpoint product, like describing it as not an anti-virus product.
Sure. So it turns out Netflix is this really big company, and I met one of their security architects at Black Hat. I thought, hey, I wonder if they're up to anything interesting at Netflix. I'll give them a call.
A love letter? You send love letters like this to people? Are you like a post-modern Keats?
OK, so then you talked to someone at Netflix, and they said, what, "umm... well, we just replaced our anti-virus product with this other thing called SentinelOne that isn't really an anti-virus product", and then you looked at their site and called them and decided they totally weren't an anti-virus product? And that the real story here was that this was the death knell for anti-virus, or the beginning of "post-AV anti-malware", or something?
Clearly you have technical chops. But the most technical part of your article, concerning whatever technology somehow separates this product from the rest of the industry (let alone makes it "not anti-virus"), is this single line:
"Its end-point security doesn’t rely on signatures, it monitors every process on a device to check for irregularities and does not perform on-system scans or require massive updates like anti-virus..."
If SentinelOne is doing something truly new, something that merits coverage from tech journalists, it would be nice to read about it.
And btw, you said earlier, "When I contacted SentinelOne after the interview they said they couldn't even go on the record about the Netflix contract", which is an odd thing for them to have told you, since they have a Netflix logo and an official statement from them under the testimonials section of http://www.sentinelone.com/?show_epp=true -- wait a minute, in fact the quote from your article is a word-for-word match for the testimonial on SentinelOne's site: "The direction we decided to go was with a company called SentinelOne, who we’ve been working with for year and a half. They were a true replacement for end-point protection".
Your contact at Netflix must've been reading from Rob Fry's script...
I disagree with the statement that it reads like a love letter, but I very much agree that you should clarify what's meant by "the post-AV anti-malware game"..
It comes across as a wannabe-buzzword, and something of a contradiction. Further, I can't find any reference elsewhere.
Perhaps I'm just not privy to this terminology - but to me this sounds like "kernels suck, and don't really do much to run your PC. Post-kernel operating systems do better."
Calling it post-AV just doesn't seem to offer anything. That's what's making this sound like PR for SentinelOne - maybe they do have a better offering than anybody else, but drawing an arbitrary line (the 'post-AV' line, where everyone else is 'left behind in AV-land') doesn't lend any credibility.
Another timeline: Reporter writes story, company sees story, takes it and uses it for marketing. This is a common occurrence across teh interwebz.
We could get into the nitty-gritty of what anti-virus is and isn't, but frankly I don't think we'll agree. Because what else is HN for other than to argue points ad infinitum until we all realize we've wasted a significant portion of our lives that should have been spent to more altruistic, worthwhile ends?
Thomas, I suspect that thaumaturgy is responding at least indirectly to writing like this:
In 2014, Lastline Labs discovered only 51 per cent of AV scanners were able to detect new malware samples.
Let's unpack this statement.
First, consider that for some definition of "new" you can get that number up to 100% or down to 0 (stuxnet). Second, the fact that over half of a crowded, very uneven field accomplish something really difficult is remarkable, and yet you use the word "only" as if all antivirus should detect modern threats. Third, you somehow manage to imply that it's rational to dump any AV because 51% of your options fail at doing something hard.
Perhaps I'm old-fashioned but I think reporters should work hard to avoid spin. In this case, removing the "only" and fully explaining what the take-away is (and isn't) would help a lot.
So the author just replied below claiming that it wasn't PR hit. I don't actually believe that, but on the off chance that this isn't a PR hit then it has to be something worse: he did a bunch of googling, saw a spate of news stories about the death of AV (thanks, PR guys!), and was like "hey, the story here is the death of AV... I have a news hook!"
In other words, it was self-pwnage. He did the PR firm's work for them, and nobody at that firm even owes him one.
Also, whatever I might speculate, I do know this for a fact: a screenshot of that article is going on a PowerPoint slide and will be victoriously displayed in a meeting at some point soon.
Edit: Also, I wanted to stab myself in the eye when I read this howler:
"Because Netflix, a well-known innovator in the tech sphere, is the first major web firm to openly dump its anti-virus, FORBES has learned. And where Netflix goes, others often follow; just look at the massive uptick of public cloud usage in recent years, following the company’s major investment in Amazon Web Services."
So everyone uses "the cloud" (whatever that is) because Netflix uses AWS. I don't remember the last time I saw a reach like that on a site like Forbes.
Here's a timeline: journalist speaks to Netflix, Netflix says it's ditching anti-virus, journalist gets further comment, reports. Don't be mad Jon. It'll all be OK.
Ok, fair enough. If the writer insists this is a legitimate piece, I'll believe him.
You have to admit though, this certainly reads like a native content article. In the current business climate, you can't fault people for assuming this was paid for.
Oh, I certainly do. I wasn't arguing it was a well-thought-through and genuine article, and that the company it talks about is genuinely doing something new and better.
post AV means you are not blacklisting by signature/iocs. since it poor method to detect a virus.
sentinelone are using behavioural engine for malware detection, assuming a malware will do malicious things which can be detected.
I wonder how the equivalence is shown for the certification. Do they use something similar to bioequivalence tests (TOST etc.) over the mean number if infections/issues detected?
The real question is why Netflix needs anti-virus at all. Whether it be the old signature style or the new (as of about 2002) heuristic analysis style. Presumably they're turning off UAC, giving out admin privs to everyone, disabling automatic updates, and hiring delinquents that run every .exe email attachment?
The trend in malware right now is not to even target administrator/root, and instead to steal information/blackmail/send spam+DDoS from the user's context.
Anti-virus software is a scourge that I'd be happy to see disappear. For the most part, its business model is to prey on the ignorant - I can't even count how many times I've been asked why a computer is running slowly, only to discover that there are three or more competing anti-virus products running, every one of them hooked into every single file read or write. Just yesterday I had to turn off Windows Defender real-time scanning, because it had gone out to lunch and leaked memory to the tune of 2.1 GB. Hot garbage.
It seems like the popular thing lately is to bitch and moan and question the morality of using ad-blockers, but using an ad-blocker is the single most important thing you can do to improve security on your machine for the average user. Blocking Flash, or, should you happen to still encounter it, Java, from autoplaying comes in second. Blacklisting SourceForge in your hosts file might be up there, if they are still bundling crapware with the few legitimate downloads that haven't moved elsewhere.
I disagree. I used to run a huge population of PCs. AV isn't a silver bullet, and shouldn't be the only security measure in place. But it does catch stuff, and isn't a scourge if you're rolling it out correctly.
> Blacklisting SourceForge in your hosts file might be up there, if they are still bundling crapware with the few legitimate downloads that haven't moved elsewhere.
ublock origin has a "Badware risks" filter list with sourceforge in it.
So who cares what Netflix does for anti-virus? Their business is about running servers with almost read only data that can't normally propagate a virus infection.
Further still, I'd describe it as an advert more than an article. Seems to lack substance and has a clickbait title, and the only purpose of the article is to sell you SentinelOne.
The dumbest part is that the title isn't even right, Netflix still absolutely do anti-virus/anti-malware, they've just given up on ineffective signature scanning, and are moving to a dynamic scanning engine.
I actually think signature based AV sucks and would be happy to see the industry move away from it, but cannot condone such dumb submarine articles as this.
<TL;DR> SentinelOne, creators of anti-virus software no one has heard of, don't use the term "anti-virus" for their anti-virus software. Somehow that landed a sucker at Forbes to write a shoddy PR article about the death of anti-virus software. End game; If their PR stunt is wildly successful then no one will need to buy SentinelOne's software either...
Interestingly, no matter what the user-agent string, I am not able to view this without Javascript.
Precluding cautious web users from reading is somewhat ironic given that this article is about web security, if indeed that is what this is about. It's probably not intentional, just oversight on Forbes' part.
Hijacking this: how does the ordinary solo user go about finding malware if AV is so bad at it? As a Mac user, I know there are rootkits and other nasties out there but I have no idea how to go about detection.
I like tools that rather than scan for signatures (which can be polymorphic in nature and bypass AV), they can look for out-of-place behaviour on the OS. The Sysinternals Suite is great for malware hunting: https://technet.microsoft.com/en-us/sysinternals/bb842062
Malware has grown up and is now residing in hardware and can survive entire OS re-installs. I feel sorry for Windows users these days because malware has grown up and it is not as obvious you have malware. In the past there were obvious signs you were infected and the malware made itself known (sort of stupid when you're an attacker really).
Also some of the 'second opinion' tools are interesting too:
74 comments
[ 0.14 ms ] story [ 161 ms ] threadProbably cost them no more than a decent lunch while they dictated it to the hack who's name is in the byline.
But in any case the content of the article is rather less sensational that the headline. It seems like Netflix is 'dumping' anti-virus for... well, another anti-virus tool! It's just that SentinelOne is not signature based, and relies on dynamically detecting dubious activities by processes (which some existing anti-virus tools already do, if to a lesser degree).
1) It might have a "baseline" time during which it allows and records everything, and then locks down anything outside of that (like the old ZoneAlarm did for firewalls).
2) Or it might only lock down certain APIs? File and registry and network access? Not sure where you'd stop with that. What about when it emails everyone in Outlook?
Unless I'm completely off base.
Isn't that the main thesis of the attack-driven defense?
Wat?
I didn't agree at first, but this smells more and more like PR - there seems to be very little understanding of the news in the article.
What is "the post-AV anti-malware game", and why on Earth would Netflix's end-users benefit from the company's staff computers entering said game?!
How is that "ditching anti-virus", then? Wouldn't a better title be "Netflix is switching anti-virus providers"?
Netflix and whoever they hire (e.g. SentinelOne) is still fighting viruses. They're just doing it using more sophisticated algorithms instead of fingerprints. Traditional anti-virus software trying to match file signatures is not effective against 0-day attacks.
What's newsworthy is that a vendor was able to convince important people (e.g. AV-TEST Institute) that algorithms scanning for anomalies is equivalent to, or stronger than, traditional disk-scanning. However, it doesn't look like they've convinced the credit-card industry yet. They're the ones who determine PCI DSS compliance. However, PCI DSS may not apply to Netflix.
Interpreting the story as an ongoing progression of anti-virus technology, it means the industry won't "die" at all. They're just retooling themselves with more algorithmic approaches. Maybe Symantec will add algorithms and also be included in the changing industry of fighting viruses.
Also the PCI council doesn't define which AV is compliant or not, only states that you need anti-virus protection on all systems commonly affected by malicious software.
It's up to the QSA and acquirer(if that one gets really bored) to accept the solution, neither of which care really. You can use Windows Defender, Clam or the most super duper expensive AV out there it's all the same for them.
The requirement is also worded very carefully "on all systems commonly affected by malicious software" so people could make a case against installing AV on things that AV solutions are not common for, such as Mac's, Linux box's, and even Mainframes (yes there are mainframes in certain PCI-DSS scope's because the QSA wasn't smart enough to find a loop hole to keep it out of scope or the costumer is dumb enough to actually process or store credit cards on it).
Ever since I learned about memory analysis, I have considered almost every antivirus useless. I do have the Windows Defender antivirus active, but if I have a real doubt, I turn to memory analysis just to be sure (still clean luckily!).
The real concern are advanced worms. Most of these would likely infect a machine regardless of the presence of an AV, either because they are zero-day or because a machine does not have security patches installed. AVs, typically, would struggle to catch an e.g. malicious BIOS flash resulting from an escalation vulnerability.
In the face of security patching, AVs are largely obsolete, irrespective of their detection rates: not 'completely' because human error does exist (which is why I still run one).
My main point was: a virus that uses a 0-day (or unpatched/unfixed 0-day) is likely going to cause problems for an AV:
> AVs, typically, would struggle to catch an e.g. malicious BIOS flash resulting from an escalation vulnerability.
Over-exaggerating to clarify: AVs are like bringing a knife to a gunfight. You might just be actually able to eliminate the weaker opponents (who also brought knives), but you're going nowhere against the veterans.
I've recompiled Netcat probably 200 times by now, small refactoring playing with compiler flags (compile with x64 profile, debug on, add some symbols etc..) and every time it avoids every AV out there.
I usually use Virustotal which means that it will be short lived but i can do it over and over and over again ;)
(Japanese for "it can't be helped")
The might work on some binaries in some cases but if you want to avoid evasion refactor the malware yourself.
Encoders and compactors are intended to modify existing binaries only :)
Seems like it's pretty effective for bypassing AV according to how everyone is using it.
1st result 2012: "If you want to avoid detection, a 60% success rate is not good enough. Remember, our implant was caught by 40% of the products, not 40% of the targets. Assuming the better anti-virus products have a larger market share, our 40% product failure rate could look more like an 80 or 90% detection rate on target machines. - See more at: http://www.digitalthreat.net/2012/02/anti-virus-evasion-choo...
4th result 2014: "There are a couple of built in encoders in Metasploit (shikata ga nai is the most popular one), but these signatures have been updated in many Antivirus solutions, resulting in detection."
Every decent AV out there today has signatures of packers and encoders they are very easy to find since the artifacts of things like PE headers and binary cave of the encoded binaries will be identical every time you use them.
Most people who claim it works are simply rehashing the same old metasploit guides that are not really relevant in the real world anything that is wide used will be singnatured in a second by every AV company.
Yes if you encode it and upload it to VirusTotal even today you might get 50% or more evasion but those 50% of products will have maybe 5% of the market, and pretty much zero enterprise users.
In general heuristics work very poorly for binary detection some of them might look for various patterns e.g. block the creation of registry entries from non-installer based malware (which is a large amount of false positives) or look for various interactions like hooking into certain applications or functions but in general I haven't seen a good heuristics engine as of yet.
There are some very interesting machine learning tools but they detect large scale anomalies that could indicate a breach, there are also some machine learning binary analysis tools but they work on a different level and they perform something more akin to reverse engineering.
Signature based detection has it's uses and that's to detect common crap that is here to say. If you look at current trends then 70-90* of malware is unique for each organization (the large gap is due to different verticals) most of that malware when detected won't receive a public signature their AV vendor will release it for that organization only and maybe distribute it among that vertical or to similar organizations. And while you might think well that's bull you don't really want all those signatures anyhow for the AV DB to be effective it needs to be fast so vendors have to limit the amount of signatures they carry, to do that they also tend to remove malware which all of it's exploit have been patched or outdated malware which is no longer relevant (e.g. very small amount of infections). The signatures vary from time to time and if there will be an outbreak of old malware that has been removed the vendors will introduce those signatures again into the DB and they became quite good at predicting outbreaks of common malware.
Now if AV's only detect 10-30% of stuff what detects the rest? Sandboxing doesn't really work, Windows isn't really built for that and to implement a security solution that actually provides true sandboxing for all applications is a nightmare, so you are left pretty much with detecting anomalies across the network. The malware it self is usually then discovered once a breach or an incident has been detected, the most common point of detection is when a breach is ongoing and you discover the egress, sometimes if you have really good monitoring across the board than your FIM(file integrity monitoring) or your user activity monitoring will start yelling very quickly.
Now AV's still have their role they are quick and dirty an they usually work for most (home) users for stuff like thumb drives and simple mail attachment crap, and they are still one of the only tools that can provide real time on-excute/write binary detection most of the new heavy weights are based on detecting the malware post exploit.
Some security solutions now claim to be "anti-exploit" the claim part is because their success rate varies they usually are much more focused for example will only protect browsers, office suits, and common PDF reader and what they do is a couple of things: 1 they know how an existing known exploit will look like when it's being triggered in the application and they will terminate it before the payload is executed (hopefully ;)), 2 they have the ability to detect various exploit oriented artifacts like ROP detection, 3 they do some behavior analysts as they usually only protect 10 or less applications they can application specific heuristics rather than attempt at creating general ones.
Like AV's they usually excel at 1, 2 is tricky especially on 64bit applications because the virtual memory now is so large that it's hard (well impossible blindly) to look through it so ironically enough some "anti-exploits" apps actually require you to disable ASLR (a security feature randomized the memory address of an application across the entire/most of 64bit virtual address space to make it harder to exploit B/O's), and some of them are be...
I uploaded 30 to virustotal to see what would happen, and I can't recall exact numbers, but I believe we'd be looking at about 25 that has detection rates of 0/51.
Since then, I'd been a staunch advocate of the argument AV just wasn't worth the effort.
Meanwhile, I walk into organisations and every single person has 15 different toolbars clouding up half there screen real estate, and popups hitting them constantly. And you scan with an antivirus and the majority of players end up claiming this sort of thing is legitimate software.
They recently hired a new PR company (http://www.mgpr.info/) who's been spamming articles to Reuters on SentinelOne's behalf (https://www.google.com/?gws_rd=ssl#q=site:reuters.com+sentin...), and then reaching out to hacks to write submarine articles (http://paulgraham.com/submarine.html) about the death of anti-virus -- which just happens to be the marketing lede of SentinelOne's endpoint protection product.
Then they landed a big contract with Netflix and got a sucker at Forbes to write some PR like it was news, and now it's been picked up by HN and being discussed as though it had some substance.
And what does "post-AV anti-malware" mean?
A love letter? You send love letters like this to people? Are you like a post-modern Keats?
Clearly you have technical chops. But the most technical part of your article, concerning whatever technology somehow separates this product from the rest of the industry (let alone makes it "not anti-virus"), is this single line:
"Its end-point security doesn’t rely on signatures, it monitors every process on a device to check for irregularities and does not perform on-system scans or require massive updates like anti-virus..."
If SentinelOne is doing something truly new, something that merits coverage from tech journalists, it would be nice to read about it.
And btw, you said earlier, "When I contacted SentinelOne after the interview they said they couldn't even go on the record about the Netflix contract", which is an odd thing for them to have told you, since they have a Netflix logo and an official statement from them under the testimonials section of http://www.sentinelone.com/?show_epp=true -- wait a minute, in fact the quote from your article is a word-for-word match for the testimonial on SentinelOne's site: "The direction we decided to go was with a company called SentinelOne, who we’ve been working with for year and a half. They were a true replacement for end-point protection".
Your contact at Netflix must've been reading from Rob Fry's script...
It comes across as a wannabe-buzzword, and something of a contradiction. Further, I can't find any reference elsewhere.
Calling it post-AV just doesn't seem to offer anything. That's what's making this sound like PR for SentinelOne - maybe they do have a better offering than anybody else, but drawing an arbitrary line (the 'post-AV' line, where everyone else is 'left behind in AV-land') doesn't lend any credibility.
Another timeline: Reporter writes story, company sees story, takes it and uses it for marketing. This is a common occurrence across teh interwebz.
We could get into the nitty-gritty of what anti-virus is and isn't, but frankly I don't think we'll agree. Because what else is HN for other than to argue points ad infinitum until we all realize we've wasted a significant portion of our lives that should have been spent to more altruistic, worthwhile ends?
First, consider that for some definition of "new" you can get that number up to 100% or down to 0 (stuxnet). Second, the fact that over half of a crowded, very uneven field accomplish something really difficult is remarkable, and yet you use the word "only" as if all antivirus should detect modern threats. Third, you somehow manage to imply that it's rational to dump any AV because 51% of your options fail at doing something hard.
Perhaps I'm old-fashioned but I think reporters should work hard to avoid spin. In this case, removing the "only" and fully explaining what the take-away is (and isn't) would help a lot.
In other words, it was self-pwnage. He did the PR firm's work for them, and nobody at that firm even owes him one.
Also, whatever I might speculate, I do know this for a fact: a screenshot of that article is going on a PowerPoint slide and will be victoriously displayed in a meeting at some point soon.
Edit: Also, I wanted to stab myself in the eye when I read this howler:
"Because Netflix, a well-known innovator in the tech sphere, is the first major web firm to openly dump its anti-virus, FORBES has learned. And where Netflix goes, others often follow; just look at the massive uptick of public cloud usage in recent years, following the company’s major investment in Amazon Web Services."
So everyone uses "the cloud" (whatever that is) because Netflix uses AWS. I don't remember the last time I saw a reach like that on a site like Forbes.
You have to admit though, this certainly reads like a native content article. In the current business climate, you can't fault people for assuming this was paid for.
0-days aren't a problem for sentinelone EPP.
> Use and regularly update anti-virus software on all systems commonly affected by malware
It seems like the popular thing lately is to bitch and moan and question the morality of using ad-blockers, but using an ad-blocker is the single most important thing you can do to improve security on your machine for the average user. Blocking Flash, or, should you happen to still encounter it, Java, from autoplaying comes in second. Blacklisting SourceForge in your hosts file might be up there, if they are still bundling crapware with the few legitimate downloads that haven't moved elsewhere.
ublock origin has a "Badware risks" filter list with sourceforge in it.
They are dropping the wrong name if they actually want to promote the product.
Those are FreeBSD servers so you are correct but something needs to prevent that data from being put on their by other OSes.
The dumbest part is that the title isn't even right, Netflix still absolutely do anti-virus/anti-malware, they've just given up on ineffective signature scanning, and are moving to a dynamic scanning engine.
I actually think signature based AV sucks and would be happy to see the industry move away from it, but cannot condone such dumb submarine articles as this.
Wat?!!
Precluding cautious web users from reading is somewhat ironic given that this article is about web security, if indeed that is what this is about. It's probably not intentional, just oversight on Forbes' part.
And things like Reason Core are brilliant for nuking any rootkits that somehow get on to a system https://www.reasoncoresecurity.com/
Malware has grown up and is now residing in hardware and can survive entire OS re-installs. I feel sorry for Windows users these days because malware has grown up and it is not as obvious you have malware. In the past there were obvious signs you were infected and the malware made itself known (sort of stupid when you're an attacker really).
Also some of the 'second opinion' tools are interesting too:
http://www.surfright.nl/en/hitmanpro