7 comments

[ 3.0 ms ] story [ 24.9 ms ] thread
Click bait title. This is about a way to circumvent anti virus. This is not about how anti viruses failed in general.
Does any large/important installation actually rely on antivirus for their security posture? My impression is that if you're at the point of having to detect malicious code, you've already failed, and most large companies that run antivirus only do so because it's required by years-old compliance standards.
Your comment is naive for several reasons.

For compliance reasons, many industries are required to install AV. On linux, most admins just install Clam-AV on directories that change for that compliance checkbox.

However, on linux, the likelihood of a virus is small, so really it's a waste of resources. If you're doing data center egress filtering, you'll know when unwhitelisted outbound connections are initiated that you have a problem.

Obviously on Windows it's more of a necessity. (One of the reasons is that most hackers target Windows because that's the more immediately lucrative OS.)

Regarding "rely" and "failed", if you have a port exposed to the Internet, there are no guarantees except that you will get pwned.

The closest to perfection I've seen is in major Japanese companies, where they close all ports except 25, 80 and 443, and use packet and application inspection on those ports.

But end-users obviously get annoyed. (When I was doing a contract in Tokyo, they pulled an ISP T1 directly to my desk so I was exempt from their internal IT policies - I was literally on the open Internet.)

Antivirus has always been the wrong solution to this problem. Mobile computing showed us the way: sandboxed applications with the operating system asking the user for consent before exposing any new APIs to the application.

The fact that any arbitrary program executed on Windows can still wipe out your entire user folder without any sort of warning or request for permission is astounding to me. There's probably a million different (unsecured) ways to bork the install too, so that your computer won't boot the next time it restarts. And let's not forget our best friend, ransomware, whose singular reason for existing is the lack of filesystem controls.

Sandboxes can still be dirtied, and would not have stopped the recent Apple Mail zero-day.

For that you need static analysis on file formats, but this is a recent technique and not something that scanners have historically been good at (e.g. Moxie's recent reverse file format strike on Cellebrite).

Nevertheless, it comes down to defense-in-depth. There's no silver bullet.

I'm not sure anything is perfect but in practice I get zero problems on the iPhone and used to have quite a few with antivirus on a Windows pc.
Still no anti-virus for JavaScript to this day. #TooSoon