13 comments

[ 3.2 ms ] story [ 34.5 ms ] thread
This is mostly just sad. Updating through HTTP without proper signing, really? Also last time I checked I couldn't even download Avast through HTTPS.
It surprised me just yesterday to note that Microsoft security essentials is also downloaded by way of HTTP.
Same with all Microsoft updates, but the update catalog and the updates are signed. This is because they support downloading to a corporate master updates mirror, and further downstream mirrors.
Here's PDF: http://mincore.c9x.org/breaking_av_software.pdf

Disclaimer: I hate slideshare with passion. Presentation format and how they use HTML makes it painful to use if there are some connection issues (and their servers routinely hang on slides.

> I hate slideshare with passion.

Same. I can't figure out why people trying to share their PDF slides use it, when any device more sophisticated than a flip-phone has a good built-in PDF reader.

My favourite part is having slideshare tabs crash before they are done loading the page if I have the chrome's "experimental platform features" flag set.
I can imagine AV engines having massive attack surfaces due to having to support a ton of exploitable file formats and decompression methods, and often supporting decade+ old detections. It still is a surprising that some vendors (I'm looking at you Bitdefender!) have obviously not even tried to fuzz their product. Koret's presentation is already a year old, so I hope vendors would've now gotten at least some of their shit together. I wouldn't bet too much money on it though, as it still has virtually no effect on how much the product will be sold. Take a guess many people will still give money to Bitdefender because they have had a really good review performances.

There's definitely a pattern that AV companies put their efforts in being able to say they're #1 in outside tests or in reviews. In ye olden times someone would just take multiple vendors, scan against 1000000 old viruses and rank them based on the detection %, and as the end result the "best" (and the most sold) products ended up being resource hogs. Later reviewers took notice and started also measuring file copying performance and detection capabilities against active malware, and in a year or two many vendors adapted and improved their performance and their efforts against malware that actually is being spread.

Hopefully reviewers will take notice and include some exploitability metrics in the future so that vendors need to focus on it or go out of business.

Funny thing is that despite Bitdefender having thousands of exploitable points in their product, at the moment your average user will still be less vulnerable against online criminals than most those who don't run anything.

Obviously it wouldn't be easy to test on Linux, but it would be really interesting to see the results of fuzzing against Windows Defender. Seeing as it's the de facto AV packaged with Windows 8, and a lot of people use MSE on prior versions, imagine the attack surface area.

Then again, if Microsoft is competent in how they built their AV engine, it might be properly fuzzed already. With such a wide deployment, you'd certainly want to think so...

"In an interview with Dennis Protection Labs, Holly Stewart, the senior program manager of the Microsoft Malware Protection Center, said that Microsoft Security Essentials was just a “baseline” that’s designed to “always be on the bottom” of antivirus tests. She said Microsoft sees MSE as a first layer of protection and advises Windows users to use a third-party antivirus instead."
Huh... That is really not the vibe I get from their website[0].

>"There are a host of nasty intruders on the Internet including viruses, trojans, worms and spyware. Microsoft Security Essentials offers award-winning protection against these intruders without getting in your way."

To me that reads like MSE is really good at protecting your computer. Why should I as a consumer think that I need something else? They really need to message that better if that is indeed the case.

[0]: http://windows.microsoft.com/en-us/windows/security-essentia...

That website was probably written by professional marketers. Large companies usually don't let its engineers advertise to consumers (and that's effectively what MS is doing here).
Most viruses are identified by their signature only, because most of them are dumb. Heuristics for unknown threats are often there purely for marketing.

AVs have all more or less the same signature database due to the same reason as above, most viruses are dumb and well known (most can't even be called viruses, think adware & co). IMO this the best reason for not having multiple AVs. I personally do not trust an AV for anything more than dumb signature checking (which are easily circumvented with polymorphism or sometime encryption alone) and targeted heuristics.

I also don't even want to start thinking at the mess that could be created by several AVs's injection/hooking mechanisms on the same machine.

>Any software you install makes you a bit more vulnerable. AV engines are no exceptions. Just the opposite.

The only time I've ever gotten a (disruptive) computer virus was after installing Norton Antivirus. These days my goal is to ensure that I can quickly reformat and reinstall my system. I keep records of what I've installed and how I configure it.

Antivirus software is usually either dangerous, not worth paying for, or basically malware. How much anti-virus software is just resource-hogging, popup-spamming adware? No thanks.