
Thread: What does everyone think of this story?

  1. #11
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What does everyone think of this story?

    Quote Originally Posted by 0011235813 View Post
    Hey, I just read up this story on the effectiveness of AV programs (the tests were conducted in Windows):
    http://computer-forensics.sans.org/b...rising-results
    Personally, I've bookmarked it for future reference when misinformed people decide to comment on their brilliant antivirus- but what do you guys think? Is their methodology sound? Is this test real-world?
    Thanks.
    Haven't read the article yet, but I assume it was a study showing AV software is overrated. This is not new, as there have been *many* studies and tests like this over the years that prove AV is not that effective. Many big named brands have huge failure rates and false positives. Of course, companies like Kaspersky, McAfee, and Symantec have billions and billions of dollars and their marketing machines leave these little inconvenient facts out. All you have to do is ask yourself why we see more news about computer viruses and other attacks now than ever, even though the AV companies are selling more software than ever. Something doesn't add up there.

    If you're using Windows and you rely on AV software as your first line of protection, you are not doing yourself any good. AV software on Windows has its place, but it should be the last line of defense.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  2. #12
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What does everyone think of this story?

    Quote Originally Posted by Ms. Daisy View Post
    I think the article points out the importance of definitions.

    What Anti-Virus programs are = help protect against known windows viruses.
    Problem is they don't even do a good job of doing that! Read the studies. Many tests have been done by independent labs over the years using *known* signatures and they prove the dismal record of AV software in detecting them. Some are better than others, but none of them are anywhere near 100% when dealing with *known* viruses.

    AV software is a scam, nothing but a money making scheme. Look at the billions of dollars each of these companies have (I mean they are making bank) and then ask yourself if all that software they have peddled has really helped the world in security. The answer is no. We have more people getting infected than ever.

    No blacklisting method is ever going to do anything but keep the user behind the criminals (and keep them paying for more AV updates).

    With that in mind, I'm going to take a page from Penn And Teller and say "AV software is Bulls**t."

  3. #13
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What does everyone think of this story?

    Also keep in mind that people who write malware test it against the most widely-used AV engines before making it available, and on top of that they can make tiny, operationally imperceptible changes to the way their code is packaged that make it appear to AV software like a completely different thing.

    Now, known-quantity malware is still available all over the place, and AV software is fine for dealing with that. On Windows systems it's still better to have it than to not have it, but only just, and that's about the best that can be said for it. The web is full of easily-avoided, ambient hazards, kind of like the street is.

  4. #14
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: What does everyone think of this story?

    Quote Originally Posted by rookcifer View Post
    Haven't read the article yet, but I assume it was a study showing AV software is overrated. This is not new, as there have been *many* studies and tests like this over the years that prove AV is not that effective. Many big named brands have huge failure rates and false positives. Of course, companies like Kaspersky, McAfee, and Symantec have billions and billions of dollars and their marketing machines leave these little inconvenient facts out. All you have to do is ask yourself why we see more news about computer viruses and other attacks now than ever, even though the AV companies are selling more software than ever. Something doesn't add up there.

    If you're using Windows and you rely on AV software as your first line of protection, you are not doing yourself any good. AV software on Windows has its place, but it should be the last line of defense.
    I totally agree. Sorry AV companies and your paid pedlars you put at the computer store, but your products just don't work. They should be more concerned with locking down that certain *unnamed* operating system, not providing mediocre third party "solutions". Or better yet, switch to Linux.
    Quote Originally Posted by rookcifer View Post
    Problem is they don't even do a good job of doing that! Read the studies. Many tests have been done by independent labs over the years using *known* signatures and they prove the dismal record of AV software in detecting them. Some are better than others, but none of them are anywhere near 100% when dealing with *known* viruses.

    AV software is a scam, nothing but a money making scheme. Look at the billions of dollars each of these companies have (I mean they are making bank) and then ask yourself if all that software they have peddled has really helped the world in security. The answer is no. We have more people getting infected than ever.

    No blacklisting method is ever going to do anything but keep the user behind the criminals (and keep them paying for more AV updates).

    With that in mind, I'm going to take a page from Penn And Teller and say "AV software is Bulls**t."
    Again, agree. You do have apparmor and a DNS running? Of course, I imagine you've also secured your browser with WOT, Ghostery, NoScript etc. right?
    Quote Originally Posted by OpSecShellshock View Post
    Also keep in mind that people who write malware test it against the most widely-used AV engines before making it available, and on top of that they can make tiny, operationally imperceptible changes to the way their code is packaged that make it appear to AV software like a completely different thing.

    Now, known-quantity malware is still available all over the place, and AV software is fine for dealing with that. On Windows systems it's still better to have it than to not have it, but only just, and that's about the best that can be said for it. The web is full of easily-avoided, ambient hazards, kind of like the street is.
    I think those malware writers would have a much harder time trying to write malware for Linux, where they first have to find a way to get users to run their malware outside of the official repositories (which users will be unlikely to do once everyone starts preaching the "download software from your pm/software center only" motto...), and then make it run on that particular distribution, and then making it run on that particular processor architecture. And good luck trying to make browser exploits and pdf exploits when everyone gets different default browsers (and default pdf clients, evince vs okular for example), being sandboxed by apparmor, not running as root, and being updated every day by thousands upon thousands of open source developers!
    Read my technology blog at: http://penguincampaigner.wordpress.com

  5. #15
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What does everyone think of this story?

    Quote Originally Posted by 0011235813 View Post
    Again, agree. You do have apparmor and a DNS running? Of course, I imagine you've also secured your browser with WOT, Ghostery, NoScript etc. right?
    I don't use WOT because it is a blacklisting method and it (just like AV software) will *always* be behind the curve. I don't use Noscript because it is too much of a hassle. I do have apparmor profiles for my browsers, which should stop most malicious scripts from being able to do much of anything.

  6. #16
    Join Date
    Sep 2011
    Beans
    1,531

    Re: What does everyone think of this story?

    Quote Originally Posted by 0011235813 View Post
    I think those malware writers would have a much harder time trying to write malware for Linux, where they first have to find a way to get users to run their malware outside of the official repositories (which users will be unlikely to do once everyone starts preaching the "download software from your pm/software center only" motto...), and then make it run on that particular distribution, and then making it run on that particular processor architecture.
    No. It's the same process to write malware for Windows as for Linux. It just hasn't been done on Linux apparently because the rewards are not worth the investment for the malware writers. Delivering the malware in a way that it will fool the victim is a separate issue from writing it.

  7. #17
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: What does everyone think of this story?

    Quote Originally Posted by rookcifer View Post
    I don't use WOT because it is a blacklisting method and it (just like AV software) will *always* be behind the curve. I don't use Noscript because it is too much of a hassle. I do have apparmor profiles for my browsers, which should stop most malicious scripts from being able to do much of anything.
    I can understand NoScript being too much of a hassle, but that bit about WOT is completely incorrect. You don't understand that WOT is a community-driven project that is actively being contributed to either by members or anonymously, by hundreds of thousands of people who are using it. WOT is up to date with easily 95%+ of all malicious sites on the web.
    Quote Originally Posted by Ms. Daisy View Post
    No. It's the same process to write malware for Windows as for Linux. It just hasn't been done on Linux apparently because the rewards are not worth the investment for the malware writers. Delivering the malware in a way that it will fool the victim is a separate issue from writing it.
    Pure semantics. What good is writing a piece of malicious code if you simply can't distribute it to the targeted platform in large enough quantities? There's absolutely no reason for attackers to target the Linux platform if the distribution methods are too ineffective to be monetized.

    Also, with all the browser exploits and plug-in exploits running around, why hasn't Linux been affected by any? Technically speaking, such web based threats are platform independent, yet Linux still doesn't get infected. I think this shows a critical flaw in the market share analogy, which is another myth like antivirus.

  8. #18
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: What does everyone think of this story?

    I think this thread has run its course.

    0011235813: I suggest you revise your posting style and stop trolling.

    This thread is closed.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
