Linked by Thom Holwerda on Sun 23rd Sep 2007 10:54 UTC, submitted by irbis
Bugs & Viruses "For at least a decade, the standard advice to every computer user has been to run antivirus software. But new, more commercial, more complex and stealthier types of malware have people in the industry asking: will antivirus software be effective for much longer? Among the threats they see are malware that uses the ability of the latest processors to run virtual machines that would be hidden from antivirus programs."
Thread beginning with comment 273548
No
by chrono13 on Sun 23rd Sep 2007 11:50 UTC

1. Ineffective.
virus.gr used to run extensive tests on detection rates of all anti-virus software and publish monthly results. The last one I have shows Kaspersky rather effective at 99%.
McAfee Enterprise 91%
Symantec 83%
For Symantec, the most popular antivirus in the world, that is a fantastic double-digit failure rate of 17%.

2. Ineffective
Most viruses' source code is readily available online. A few small changes and this "new" virus is invisible to almost all virus scanners. Too much trouble? Recompile it - chances are this "new" compiled version will also not be detected since it isn't exactly like the one on record. Don't have the source or really lazy? Compress the executable and you'll find again that most anti-virus scanners fail to see it.

3. Black list
Absolutely cannot work when there are hundreds, perhaps thousands of new additions to the list *daily*. See #1

4. Cure is worse than the disease.
Many people have Norton (not Symantec) installed on their home computers for protection.
This causes system instability, incredible slowdowns and in most cases it cannot be removed by its own uninstaller. When its uninstaller does not fail, much is still left behind.
At work, Sunday morning is filled with tech calls regarding lockups and slowdowns. One of the major servers is being scanned for viruses. If a virus hit on Sunday morning, no one would notice anything out of the ordinary.

5. Subscription
Few pay it. Few want to. Most feel they shouldn't have to. They are right. The OS should not be *that* vulnerable to begin with.

6. Apathy
The "background noise" of the Internet is due to millions of virus or trojan (zombie) Windows machines. Slow, crash-prone, and loaded with spyware and adware popups, and the user will still click it all away, agreeing to anything just so they can check their bank to see if they can afford that Dancing Bunny on ebay. This is also related to #5. If the user has a significant role in the security of the system, it won't be secure.

7. And finally, The Dancing Bunny Problem
"What's the dancing bunnies problem?
It's a description of what happens when a user receives an email message that says 'click here to see the dancing bunnies'.

The user wants to see the dancing bunnies, so they click there. It doesn't matter how much you try to dissuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies. It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.

[UAC: DancingBunnys.exe, Cancel or Allow?]

There are lots of techniques for mitigating the dancing bunny problem. There's strict privilege separation - users don't have access to any locations that can harm them. You can make the user invoke magic commands to make code executable (chmod +e dancingbunnies). You can force the user to input a password when they want to access resources. You can do lots and lots of things.

However, at the end of the day, the user still wants to see the dancing bunny, and they'll do whatever is necessary to bypass your carefully constructed barriers in order to see the bunny."

In OS design, the Dancing Bunny's problem should ALWAYS be considered, and a carefully crafted medium struck between usability and security, to include least privilege, password-protected rights elevation, and secure defaults.

Windows has failed to deal with Dancing Bunnys for decades. Vista still does not effectively deal with this problem.

Viruses and spyware will only stop, or come to a much more reasonable classification of "rare" when Microsoft designs an OS that is resistant (limited users with password protected elevations) to the Dancing Bunnys problem. Any other solution, including anti-virus, is a poor substitute for real OS and computer security.

Reply Score: 18
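Points 2 and 3 above (a recompile or a packer defeats the scanner, and a blacklist of exact samples cannot keep up) can be shown with a toy signature scanner. This is an added example, not code from the comment or from any product named in the thread; the "executable" bytes, the signature and the PACK1 packer marker are all constructed for the demonstration and stand in for no real malware.

```python
import hashlib
import zlib

# Constructed stand-in for a malicious executable. The bytes are invented for
# this demonstration; they are not real malware and not a real signature.
ORIGINAL = (
    b"MZ" + b"\x90" * 6
    + b"mov eax, 1; call download_payload; jmp dancing_bunnies"
    + b"\x00" * 16
)

# "Recompiled" variant: same program, the compiler picked a different register,
# so one byte of the code section changed.
RECOMPILED = ORIGINAL.replace(b"mov eax", b"mov ebx")

# "A few small changes": one NOP inserted inside the region the scanner keys on.
PATCHED = ORIGINAL.replace(b"; jmp", b"; nop; jmp")

# "Compressed" variant: the whole image run through zlib behind a 5-byte stub
# marker. A real packer prepends decompression code; the marker stands in for it.
PACKED = b"PACK1" + zlib.compress(ORIGINAL)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Two signature styles: a hash blacklist (one entry per known sample) and a
# byte-pattern signature (one entry per family).
HASH_BLACKLIST = {sha256(ORIGINAL): "bunny.dropper"}
BYTE_SIGNATURES = {"bunny.dropper": b"call download_payload; jmp dancing_bunnies"}


def scan_naive(data: bytes):
    """Return the detection name, or None. No unpacking, no emulation."""
    name = HASH_BLACKLIST.get(sha256(data))
    if name:
        return name + " (hash)"
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            return name + " (pattern)"
    return None


def unpack(data: bytes):
    """Recognise the toy packer and return the inner image, else None."""
    if not data.startswith(b"PACK1"):
        return None
    try:
        return zlib.decompress(data[5:])
    except zlib.error:
        return None


def scan_with_unpacking(data: bytes):
    """Scan the file as-is, then scan whatever a known packer hides inside it."""
    verdict = scan_naive(data)
    if verdict:
        return verdict
    inner = unpack(data)
    if inner is not None:
        verdict = scan_naive(inner)
        if verdict:
            return verdict + " after unpacking"
    return None


def detection_rate(scanner, samples) -> float:
    """Fraction of samples the scanner flags: the kind of number virus.gr published."""
    return sum(scanner(s) is not None for s in samples) / len(samples)


SAMPLES = [ORIGINAL, RECOMPILED, PATCHED, PACKED]

if __name__ == "__main__":
    for label, sample in zip(["original", "recompiled", "patched", "packed"], SAMPLES):
        print(f"{label:10} naive={scan_naive(sample)!s:24} "
              f"unpacking={scan_with_unpacking(sample)}")
    print("naive detection rate:", detection_rate(scan_naive, SAMPLES))
    print("with unpacking:      ", detection_rate(scan_with_unpacking, SAMPLES))
```

The hash entry covers exactly one sample and dies on the first recompile; the byte pattern survives the recompile only because the changed byte happens to fall outside it, and one inserted NOP inside the pattern is enough to evade it; the packed copy evades both until the scanner carries an unpacker for that specific packer. Every new packer or hand edit restarts that race, which is the blacklist problem in point 3.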

RE: No
by flanque on Sun 23rd Sep 2007 12:13 in reply to "No"

I think there's a lot of truth in what you're saying, but at the same time I think your point on users' stupidity will render anti-virus software a 'must have' simply because they don't know any better.

Further, it's that same stupidity that would make us techies look like morons if we convinced ourselves that the people we support don't need anti-virus, until the day it hits the organisation badly and we have to face up to the reality that it doesn't matter what level of user education we are dealing with, we're all humans and we make mistakes. One mistake can be extremely costly.

Add to that the fear campaigns of anti-virus vendors and I just don't see the end of anti-virus software.

I do however see an increased amalgamation of anti-virus, anti-malware, anti-spyware packages. I think it will come to a point where pure anti-virus software will become obsolete if it doesn't also support protection of the above said.

Reply Parent Score: 3

RE[2]: No
by chrono13 on Sun 23rd Sep 2007 12:49 in reply to "RE: No"

I am absolutely not advocating that people run Windows without anti-virus. That is just as naive as opening dancingbunnys.exe despite the 3 warning dialogs. In fact, I think Windows users should use updated Anti-Virus, updated Anti-Spyware, Updated Anti-Rootkit, and anything else they can.

Anyone who has ever been in a serious security discussion with a number of people will hear from that group of people: "I don't run anti-virus and I haven't caught any viruses!"
End users are naive; these "no anti-virus" groups of people are morons.

My point was that if you are not running Windows, then running antivirus is not necessary. All other operating systems have secure defaults and secure design, making anti-virus irrelevant. Note that these other OSes may also have optional security systems (AppArmor, SELinux, etc) that go above and beyond the OS defaults to protect further.

Windows Vista is much more secure than XP by emulating only a small fraction of these security measures that have proven effective and remained effective for decades (assuming they aren't disabled for their annoyance or poor implementation).

But in terms of security, Vista is to XP what Linux is to Vista.

We have to wait another 6 years until 2013 before we see a real secure OS from Microsoft?

With that sad fact in mind, you are right on all counts. Viruses will continue to thrive for a long time, and reactive, barely effective, costly, 3rd party protective measures will consolidate threat detections.

And yes, anti-virus will still be necessary, and just as ineffective, or worse, than they are today.

Reply Parent Score: 5

RE: No
by Ben Jao Ming on Sun 23rd Sep 2007 12:32 in reply to "No"

You're totally right. I don't pity people who have their credit card details stolen. If you use xp, and you get a virus, it's usually your own fault in one way or the other. People need to get educated instead of being these ignorant blunts who just buy more and more hardware and have bigger and bigger nortons.

That said, I never mind explaining to people what a virus is and how they get them. Unfortunately they never listen... they just want the antivirus program to have this false sense of safety. Maybe I should start telling people to stop using av and just avoid the viruses. It's possible... even with xp.

Edit: Forgot to add my punchline... do you pity people who crash a car, when they don't have a driver's license? Do we need to make cars that can drive safely even though the driver doesn't know how to drive it? My answer: NO, DAMMIT!

Edited 2007-09-23 12:38

Reply Parent Score: 2

RE: No
by Lennie on Sun 23rd Sep 2007 12:33 in reply to "No"

In Unix/Linux it's quite a lot easier.

Give the user no privileges to install any software in the normal places, and don't set the executable bit when mounting data and home partitions.

That leaves scripts, but they'll have to be executed as: perl script.pl or equivalent.

For the scripting languages a simple wrapper could do some checks, to prevent that as well.

Done: that's all you need to do in Unix. In windows it's a lot more complicated.

Reply Parent Score: 2
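The mount-option part of the recipe above is easy to audit. What follows is an added example, not code from the comment: it parses /proc/mounts-style lines and reports every user-writable mount that lacks noexec, nosuid or nodev. The sample lines, the list of user-writable prefixes and the audit_live helper are constructed for the demonstration; on a real host you would feed it the contents of /proc/mounts.

```python
import shlex

# Constructed /proc/mounts-style lines; not taken from a real host.
# /proc/mounts escapes a space in a path as \040, which the last line shows.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext3 rw,relatime 0 0
/dev/sdb1 /data ext3 rw,noexec,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/usb\\040stick vfat rw,nosuid,nodev,relatime,fmask=0022 0 0
"""

# Mount points a local user can write to: the places the comment says should
# carry no executable files. Assumed list; adjust to the host's layout.
USER_WRITABLE = ("/home", "/tmp", "/var/tmp", "/data", "/media", "/mnt")
WANTED = ("noexec", "nosuid", "nodev")


def parse_mounts(text):
    """Parse /proc/mounts lines into dicts with the option string split into a set."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        mounts.append({
            "device": device,
            "mountpoint": mountpoint.replace("\\040", " "),
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return mounts


def is_user_writable(mountpoint):
    return any(mountpoint == p or mountpoint.startswith(p + "/") for p in USER_WRITABLE)


def audit(mounts):
    """Return (mountpoint, missing options) for user-writable mounts lacking any of WANTED."""
    findings = []
    for m in mounts:
        if not is_user_writable(m["mountpoint"]):
            continue
        missing = [o for o in WANTED if o not in m["options"]]
        if missing:
            findings.append((m["mountpoint"], missing))
    return findings


def remount_command(mountpoint, missing):
    """The one-off fix; add the same options to the /etc/fstab entry to make it stick."""
    return "mount -o remount,%s %s" % (",".join(missing), shlex.quote(mountpoint))


def audit_live():
    """Run the audit against the running system (Linux only)."""
    with open("/proc/mounts") as f:
        return audit(parse_mounts(f.read()))


if __name__ == "__main__":
    for mountpoint, missing in audit(parse_mounts(SAMPLE_MOUNTS)):
        print("%-20s missing %-22s fix: %s" % (
            mountpoint, ",".join(missing), remount_command(mountpoint, missing)))
```

Two caveats a practitioner wants next to this check. noexec denies execve() of files on that mount; it does nothing against `perl script.pl` or `sh script.sh`, because the interpreter merely reads the file, which is the gap the comment goes on to mention. And noexec on /tmp breaks some installers that build or stage binaries there, so test before writing the option into /etc/fstab.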

RE[2]: No
by Erunno on Sun 23rd Sep 2007 12:54 in reply to "RE: No"

Except that viruses can still go on a rampage in the user accessible places (read: home directory) and in the worst case destroy all your data. Contrary to server maintainers I reckon that desktop users care much more about their data than the OS which can be easily replaced.

Reply Parent Score: 5

RE[2]: No
by Ben Jao Ming on Sun 23rd Sep 2007 12:55 in reply to "RE: No"

It's true that downloading something and executing it might take a little bit of skill in theory. Unfortunately there is still some work left, because certain programs make this hard:

In Nautilus, if you double-click a .pl file, it might run it using perl.. same thing goes with other poorly configured file browsers.

In Firefox if you go to a URL that points to some extension you might give it the right to install.. if you're a stupid user who wants to see dancing_bunny.xpi in action.

and so on...

Another case might be that you download and run a program you trust and then it does something you don't want it to. Even if you're in userspace this might affect your privacy and sniff up stuff like credit card numbers.

Saying that Linux/Unix is safe from this kind of stuff is wrong, but assuming that the user is smart enough to avoid it is more likely than for xp users.

Reply Parent Score: 4

RE[2]: No
by netpython on Sun 23rd Sep 2007 17:13 in reply to "RE: No"

How many linux/unix users harden their boxen as any admin worth his/her salt does?

Reply Parent Score: 4

RE[2]: No
by Doc Pain on Sun 23rd Sep 2007 17:16 in reply to "RE: No"

"In Unix/Linux it's quite a lot easier."

In principle, it is, but not in reality. Let me explain:

"Give the user no privileges to install any software in the normal places, don't set executable-bit at mounting of data and home partitions. "

This would imply a difference between the user (who may not do the things mentioned above) and the administrator (who may, because it's his job). In today's world of UNIXes and Linux, there's hardly a difference between user and administrator. A PC at home - a server at home (intended or due to malware running), but no administrator. Or put into other words: User and system administrator are the same person. Due to a lack of interest, knowledge, experience and maybe time, the "administrator part" does not do his work, but the "user part" wants to see the dancing bunnies.

The weakest part of a chain will cause a fracture. This part usually is the user. The best means of security won't work if they are bypassed to increase comfort or a "look and feel" the software manufacturer assumes his customers to require.

Of course, security is more important to UNIX / Linux than it is (or at least, has been) to "Windows". Hey, the Internet runs on UNIX, we can't afford dancing bunnies in routers and name servers! :-)

If you can't increase users' interest in security, even AV software will fail. Reality proves that it does in fact - just imagine why more than 90% of mail today is spam.

If you take responsibility away from users, they feel everyone thinks they're stupid. If you give responsibility to them, they feel overwhelmed and uncomfortable. In my personal opinion, today's Linux desktop OSes have found a good balance here. I wish "Windows" would do so, too, but - without wanting to insult anyone - "Windows" users still "have no time" to care about important things when they use a PC; the Linux users seem to be more educated and responsible in these regards. Of course, a computer is just a tool, but you still need to know a few things in order to handle it properly. Linux users have understood this requirement, so have Linux OSes.

Reply Parent Score: 3

RE: No
by yachp on Sun 23rd Sep 2007 20:34 in reply to "No"

"7. And finally, The Dancing Bunny Problem"

Why can't some kind of quarantined place be created where one could safely run potentially suspect programs?

I mean whether it is a dancing bunny program or a naked picture of who knows who, what we are typically talking about are photos or videos or something of that nature.

Why can't a space be created where a program that is supposed to show a video, or picture or whatever, is simply restricted to what its supposed purpose is?

I mean if it is a video, it doesn't need to access one's email program. It doesn't need to delete any files that are already on your computer. It doesn't need to change any settings on your computer. So why can't these functions be denied to a suspect program?

Then one could simply run the dancing bunnies program and if that program tried to access something that wasn't a video, it wouldn't be able to.

Reply Parent Score: 1

RE[2]: No
by matthekc on Sun 23rd Sep 2007 21:04 in reply to "RE: No"

http://en.wikipedia.org/wiki/Sandbox_(computer_security)

I don't think antivirus is an effective solution. exe's should all run in a virtual environment with a clever set of rules to reduce risks. If the app tries to break the rules shut it down and report it. All sorts of 1980's and 90's communication protocols have holes and need to be reworked. Until apps are sandboxed and protocols are fixed this isn't going away. Switching to linux is a partial preventative to the problem not a cure.

Reply Parent Score: 1

RE[2]: No
by wannabe geek on Mon 24th Sep 2007 03:15 in reply to "RE: No"

"Why can't some kind of quarantined place be created where one could safely run potentially suspect programs."

Bitfrost

http://wiki.laptop.org/go/Bitfrost

Or you can always use VirtualBox.

Reply Parent Score: 1