Linked by David Adams on Fri 23rd Apr 2010 15:58 UTC
Bugs & Viruses
A version of the McAfee antivirus software used in the corporate and public sectors misidentified the svchost.exe file in Windows XP systems as malware, sending the affected machines into a loop of restarts. Only users of McAfee VirusScan Enterprise on Windows XP Service Pack 3 were affected, but the fallout was pretty severe, with hospital and police systems among those taken down.
Thread beginning with comment 420674
RE[4]: State of AV today
by moondino on Sat 24th Apr 2010 21:52 UTC in reply to "RE[3]: State of AV today"
moondino Member since:
2010-03-27

A quote from that link:

"the contestants are required to do this in default browser installations without plugins such as Flash or Java, which are commonly used as vectors for attacks."

So basically, not a real world situation.

Every product has security flaws... the security software / anti-virus needs to look at the choke points and protect those, instead of stupid hash detection or proactive detection that hits almost as many false positives as it does legit malware. Choke points being the registry keys that have to be changed for a program to survive a reboot, the installation of a device driver or service, etc.

In a business environment, tell me how we are going to move thousands of users who are accustomed to Adobe Acrobat / Reader to FoxIt without training or extensive documentation, re-training of the Help Desk, etc.

To boot, FoxIt has its own slew of security issues. There are PDFs out there that buffer overflow FoxIt as well, just scan Secunia or disclosure sites for a few examples. Security via obscurity doesn't work in an age of targeted attacks.

I'm not trying to toot my own horn, but I used to work for a major AV security company and I'm only putting this kind of thing out there to help people be better protected. Google Chrome does have the ability to control JavaScript execution per site now, but you have to whitelist them manually, which is a huge pain. If you could simply right-click the address bar and then choose allow top-level site, it would be manageable and I would switch from Firefox / NoScript almost immediately. With the current model, however, Firefox is easier to manage, although quite a bit slower. ;)

Edited 2010-04-24 21:59 UTC

Reply Parent Score: 1

RE[5]: State of AV today
by WereCatf on Sun 25th Apr 2010 10:38 in reply to "RE[4]: State of AV today"
WereCatf Member since:
2006-02-15

"In a business environment, tell me how we are going to move thousands of users who are accustomed to Adobe Acrobat / Reader to FoxIt without training or extensive documentation, re-training of the Help Desk, etc."

In a business environment Acrobat/Acrobat Reader is the de facto standard and it's probably really tough to try to get people to move on to something else.

But for home users I often suggest SumatraPDF. It's pretty snappy, small, and doesn't seem to suffer from the same vulnerabilities as Foxit or Acrobat, at least not when I've tried it in a VM with an infected file. It lacks some of the capabilities of its bigger brothers, though, but it could very well be worth the small effort of trying if you know someone who only needs to read PDF files, not edit them ;)

Reply Parent Score: 2

RE[6]: State of AV today
by darknexus on Sun 25th Apr 2010 12:46 in reply to "RE[5]: State of AV today"
darknexus Member since:
2008-07-15

This is probably a dumb question, but what's to retrain in operating a PDF viewer? Go to page x, read, next page, read, fill out form, print/send... etc. I can understand maybe needing to retrain if you were to switch word processors or something, but a document viewer?

Reply Parent Score: 2

RE[6]: State of AV today
by nt_jerkface on Mon 26th Apr 2010 01:54 in reply to "RE[5]: State of AV today"
nt_jerkface Member since:
2009-08-26

"But for home users I often suggest SumatraPDF. It's pretty snappy, small, and doesn't seem to suffer from the same vulnerabilities as Foxit or Acrobat"

I think the problem with Sumatra is that it is too light, as in missing too many features even for home users. It's like the notepad of PDF readers. As soon as they want to do something beyond reading the file they will just go and install Adobe Reader. I really can't recommend it for that reason.

Reply Parent Score: 2

RE[5]: State of AV today
by nt_jerkface on Mon 26th Apr 2010 01:36 in reply to "RE[4]: State of AV today"
nt_jerkface Member since:
2009-08-26


"In a business environment, tell me how we are going to move thousands of users who are accustomed to Adobe Acrobat / Reader to FoxIt without training or extensive documentation, re-training of the Help Desk, etc."

That's a fair concern for changing office suites but a PDF reader? It's not like you can do that much with a PDF.


"To boot, FoxIt has its own slew of security issues. There are PDFs out there that buffer overflow FoxIt as well,"

The vast majority of PDF exploits only work with Adobe Reader. It's not that I believe FoxIt to be 100% unhackable, it's more Adobe's abysmal security record.
http://www.computerworld.com/s/article/9157438/Rogue_PDFs_account_f...


"Security via obscurity doesn't work in an age of targeted attacks."

Yes it does because those attacks are often targeted at the largest targets. It just shouldn't be relied upon as a sole method of defense.

"With the current model, however, Firefox is easier to manage, although quite a bit slower. ;)"

I've never trusted the Mozilla code base and I think their security record in the past was more due to IE6 being an easy target. Last year Firefox had far more vulnerabilities than IE8.

"Despite being the most attacked browser, IE had 45 reported vulnerabilities, compared with 169 vulnerabilities reported for Firefox."

http://news.cnet.com/8301-27080_3-20002879-245.html

Reply Parent Score: 2