Antivirus tools are a useless box-ticking exercise says Google security chap

Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort on tools like antivirus and intrusion detection to instead research more meaningful defences such as whitelisting applications. The incident responder from Google's Sydney office, who is charged with researching very advanced attacks …


  1. veti Silver badge

    About time

    ... someone called out the antivirus industry for the waste of space it is. I almost said "scam", but that wouldn't be fair: they're not malicious, particularly, just - useless.

    I'd love to see a whitelist-based approach to antivirus. It's good enough for firewalling, and that already works way better than any antivirus package I've seen.

    1. AlbertH

      Re: About time

      AV is a scam. I have never seen any AV product actually do anything useful. When it's trivially easy to build and disseminate a Windows virus in minutes, the AV vendors are - at best - playing "catch up" and at worst are just shipping bogus products that just use up machine resources for no return whatsoever.

      Since MS don't understand the basic principles of security - they used to, but abandoned it in favour of "ease of use" - if you want any real kind of "cybersecurity", you cannot use MS products. When the business world catches on to this basic truth, MS will be (finally) done for, unless they abandon their entire product range and start again, much as Apple did with OSX.

      Even Chrome and Android have better fundamental, underlying security than any version of Windows!

      1. patrickstar

        Re: About time

        Uhm, for your information, Windows has exactly the same type of permissions/user model. (In fact it's more powerful than the traditional *ix permissions model, but the benefit of that is in doubt...)

        1. Warm Braw

          Re: About time

          the benefit of that is in doubt

          Well you're right in everything you say, which probably explains the downvote.

          User-based permissions are not terribly useful when there is effectively only one user on the machine. Application whitelisting is a step in the right direction, but of course that's just an invitation to compromise whitelisted applications.

          Each application should have a set of authorisations to do just enough to accomplish its job and it needs to get those authorisations transparently and, for the most part, explicitly - for example a user clicking "open" in a file dialog provided by the operating system would authorise access to a specific file - rather than by implicitly inheriting a user's authority and later using it against him. While too much user annoyance could be avoided by sensible defaults (specific locations where preferences, temporary files, etc, can be accessed), better security does depend to some extent on a bit more user inconvenience and I'm not sure this is something users will ultimately accept.
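The exchange above turns on what an application whitelist actually checks. As an added example that is not part of the thread, the following Python script builds a small allowlist of executables keyed by SHA-256 and contrasts a path-only check with a content-hash check when a listed file is replaced in place. Everything here is constructed for the demonstration (temporary files, the `tool.bin` name, the `build_allowlist` and `allowed_by_hash` helpers); it is not Google's or any vendor's implementation.

```python
"""Hash-based application allowlist check (constructed demo, not from the thread).

Shows why an allowlist keyed only on file path gives little protection once a
listed binary is altered, while an allowlist that records a content hash at
enrolment time detects the change and denies execution.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Enrolment: record path -> hash for each trusted executable."""
    return {str(p): sha256_of(p) for p in paths}


def allowed_by_path(allowlist, path: Path) -> bool:
    """Weak check: the file is allowed merely because its path is listed."""
    return str(path) in allowlist


def allowed_by_hash(allowlist, path: Path) -> bool:
    """Stronger check: the path is listed AND its current contents match the
    hash recorded at enrolment. Any modification yields a mismatch and a deny."""
    expected = allowlist.get(str(path))
    return expected is not None and expected == sha256_of(path)


def demo():
    """Run the comparison on constructed files; returns the three verdicts."""
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "tool.bin"          # hypothetical trusted binary
        tool.write_bytes(b"#!/bin/sh\necho trusted\n")
        allow = build_allowlist([tool])

        before = (allowed_by_path(allow, tool), allowed_by_hash(allow, tool))

        # Constructed scenario: the listed file is overwritten on disk after
        # enrolment. The path check still says yes; the hash check says no.
        tool.write_bytes(b"#!/bin/sh\necho replaced\n")
        after = (allowed_by_path(allow, tool), allowed_by_hash(allow, tool))

        # A file that was never enrolled is denied by the hash check outright.
        unknown = Path(d) / "other.bin"
        unknown.write_bytes(b"not enrolled")
        return {
            "before": before,                 # (True, True)
            "after": after,                   # (True, False)
            "unknown": allowed_by_hash(allow, unknown),  # False
        }


if __name__ == "__main__":
    print(demo())
```

The hash check only moves the trust problem, it does not remove it: the allowlist itself and the enrolment step must be protected (for example, stored where the enrolled users cannot write and updated through a reviewed process), which is the point the later comments raise about who curates the list.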

          1. Anonymous Coward

            Re: About time

            "Application whitelisting is a step in the right direction"

            Can someone kindly explain *why* it's a step in the right direction?

            Why can't the *OS itself* provide (ideally, impregnable) protection on *data*, regardless of what particular application is trying to access it? By all means add whitelisting on top, but when almost anything can turn into code whether it's authorised or not, whitelisting is not a sensible rock on which to build, surely?

            And why the ridiculous trend (on both Android and Windows boxes) for the false assumption that allowing any access to a data item means allowing total access to that item (ie why is it suddenly no longer considered necessary to distinguish between read-only access, and read/write (or even delete) access?)

            E.g. "Do you want xxx to be able to make changes to your system"

            Has everything from the world of multi-user multi-tasking computers+OSes got to be re-invented from scratch by bright young things and "security researchers", before today's multi-user multi-tasking devices+networks are moderately safe to use? It would appear that way.

            1. Warm Braw

              Re: About time

              Can someone kindly explain *why* it's a step in the right direction?

              Because you have to get there from here. Adding application-whitelisting to an existing operating system is a lot easier than redesigning the entire system and hence can be delivered more quickly without potentially also requiring changes to the applications themselves.

              Has everything from the world of multi-user multi-tasking computers+OSes got to be re-invented from scratch

              Actually, pretty much. Security on those systems was intended to protect users from each other, not to protect users from rogue applications. Although the mechanisms used to implement that protection can probably be used to advantage, they may not on their own be enough.

              1. Anonymous Coward

                Re: About time

                "Adding application-whitelisting to an existing operating system is a lot easier than redesigning the entire system and hence can be delivered more quickly without potentially also requiring changes to the applications themselves."

                OK, it keeps IT departments and whitelist-tool vendors busy. What real benefit does it provide, unless the underlying OS is also reasonably secure against "unauthorised code execution"?

                "Security on those systems was intended to protect users from each other, not to protect users from rogue applications"

                So close and yet so far.

                Back in the day, there was data (files, memory, other objects), which generally had access protection, and code, which generally inherited the access rights of the user. Variations on this theme also existed.

                Back in the day, the "application" concept didn't come into it much, except in certain special circumstances (e.g. involving a handful of known+trusted applications being granted SETUID to gain extra rights in particular circumstances, and similar such).

                Back then, if Joe Public wants to 'run' a script, he gets to run a script, no whitelist needed, no damage possible (in most cases). The OS built in mechanisms prevent, protect, audit-log (etc) access (including failed access) to the data. The application is only allowed to access data the user can access (exceptions apply, see above).

                Move forward two or three decades and that largely seems to have got lost somewhere.

                The whitelist concept attempts to provide a figleaf for the IT manager and their department, whereas in actual fact it does nothing to prevent unauthorised code execution, let alone unauthorised elevation of privilege.

                Authorisation and audit of who's using specific applications can, if necessary, be done a different way without being dependent on blanket whitelisting. E.g. by using the OSes security mechanisms to protect the executables/scripts/etc involved.

                But hey, let's repeat the same learning process from thirty years ago and see how wrong we can get it this time. Looking pretty good so far, especially as we've got nice shiny GUIs and "management tools" to hide the underlying can of worms.

                Windows NT 3.1 had most of this in 1993, btw. UNIXes (including Linux) too. And then along came "one computer = one user".

            2. patrickstar

              Re: About time

              All current general purpose OS's are horribly broken for many reasons, security being one of them. I am, by the way, personally pissed at Apple for screwing up the last chance to do it right for the next 20 years or so.

              Windows has several ways to keep things from writing to the system or user data - separate user accounts, integrity levels (running with low integrity basically means you can't affect anything with a higher integrity level - even if you're the owner - like writing to files or injecting code into processes), etc. Problem is that there is still a huge attack surface to escalate privileges from that.

        2. oldcoder

          Re: About time

          Actually not. That is part of the reason it is so vulnerable. There are so many ways around any security Windows actually gained from NT when NT really was a microkernel design.

          1. patrickstar

            Re: About time

            The NT/Windows kernel has never been a true microkernel - all runs in the same address space with the same privileges. Time to change that, perhaps... the architecture certainly would allow it.

        3. Anonymous Coward

          Re: About time

          Uh, no. . . The one thing that is broken by design in Windows is the RBAC user permission model.

          As root on an *IX box you can override permissions and fix things, leaving them as they are.

          As Administrator on a Windows system there are things you don't own and can't change. You can take ownership, thereby FKing the whole system up to change one tiny thing, but that's a clusterfk if you ever attempt it.

      2. Patrician

        Re: About time

        And the Microsoft bashing begins; didn't think it would take many posts before we saw this.

      3. TAJW

        Re: About time

        "...I have never seen any AV product actually do anything useful..."

        You should see my wife browse the Internet or read email. Despite my over 40 years in IT and past 10 in Security, I still can't get her to be careful. Malwarebytes and Security Essentials are always popping up warnings, blocking sites and removing junk from her clicking on anything and everything. User training is probably the most useful thing we can do for security, but there are folks out there that will *NEVER* learn.

    2. Mikel

      Re: About time

      Where have I read this before?

      1. Anonymous Coward

        Re: About time

        I've been saying this for 20 years. And I haven't seen (other people's) AV catch a single genuine threat the whole time.

        icon --> Smug (Linux Weenie)

        1. Destroy All Monsters Silver badge

          Re: About time

          And I haven't seen (other people's) AV catch a single genuine threat the whole time.

          I call rank bullshit!!!

          AV may not be the solution to everything and there sure are threats slipping through, but given the current paltry state of the "industry" (more like a bunch of idiot people that should be Godwin'd by fast track to terminal reeducation camps and that really should have decided to start a career in creative fantasy writing or "modern" painting instead of going into IT) they take on the role of necessary seat belts. Won't protect from a car mugging or an encounter with a truck, but protects against the usual vagaries (and I get warning about these in my mailbox every week as someone has again decided to CLICK ON SOMETHING!!)

    3. Roo

      Re: About time

      "I'd love to see a whitelist-based approach to antivirus. It's good enough for firewalling, and that already works way better than any antivirus package I've seen."

      AFAICT SELinux delivers that - and more, without the disk thrashing. Labelled IPSEC + SELinux goes a bit further - giving you a way to identify remote processes and decide if you trust them or not too. I am surprised no one else has mentioned it yet.

  2. Ole Juul

    less effort indeed

    I haven't used antivirus since the days of scanning floppies. The amount of time and aggravation I've saved is considerable.

    1. Anonymous Coward

      Re: less effort indeed

      but those being spammed by your bot-net host are constantly fighting fires.

      1. Ole Juul

        Re: less effort indeed

        but those being spammed by your bot-net host are constantly fighting fires.

        That's a bit of an assumption isn't it? I watch all the machines like a hawk and do a frequent sockstat and related. You're just being rude.

        1. IsJustabloke

          Re: less effort indeed

          "You're just being rude."

          new to the internet eh? ;)

    2. Mage Silver badge

      Re: less effort indeed

      NoScript is more protection and less damage than AV. Whitelist a minimum of scripts.

      1. Infernoz Bronze badge

        Re: less effort indeed

        Use of NoScript, Request Policy Continued and other Browser security extensions in Firefox (expensive in Chrome, SRWare Iron or Opera because webkit uses a very memory expensive process for each!) are probably why I have very very rarely seen an anti-virus hit. I'd argue that a lot of commercial JavaScript scripts, inline content, links and cookies, are significant anti-privacy threats, so switching to HTML5 from Flash doesn't fix all the security issues!

        I only run the light weight Avira anti-virus because bloated shit like McAfee can make an SSD machine seem nearly as slow as a spinning disk machine, this is especially curse inducing on I/O bandwidth crippled machines like even a 'decent' i5 ultrabook!

        All the f'ing retarded websites, including corporate intranets, which /still/ haven't migrated to HTML5 from damned insecure Flash should just have been told to die already by /all/ the browser providers!

        The Java plugin will disappear when Oracle finally releases Java 9, assuming the release doesn't get delayed again past summer 2017, and it will probably be /much/ more secure due to Project Jigsaw, so all the anti-Java trolls can just STFU then.

  3. Anonymous Coward

    Probably the best "antivirus" you can have…

    … is running Windows instances in a VM.

    1. Malware these days is coded to detect such things on the off-chance that it's a whitehat's sandbox environment for reverse engineering, so shuts down when it detects a virtualised environment.

    2. Provided you know how to use the snapshotting feature of your VM software, you can roll back in mere seconds. The malware doesn't stand a chance.

    The elephants in the room here are of course the security of the VM implementation, overheads and hardware access. (e.g. anything that makes heavy use of 3D graphics won't perform so well in a VM)

    1. Anonymous Coward

      Re: Probably the best "antivirus" you can have…

      and without an AV how do you know to roll back because you've been infected by something silently watching keystrokes, siphoning data or using you as a node to the rest of the infrastructure or a DDOS point?

      And that's you, never mind the average user.

      I'm not pro AV, but I do wear a bicycle helmet whilst riding.

      1. Anonymous Coward

        Re: Probably the best "antivirus" you can have…

        >I'm not pro AV, but I do wear a bicycle helmet whilst riding.

        No defence against when your head or torso is sandwiched between an articulated lorry wheel and the tarmac, same false sense of security. Gruesome but true.

      2. Aitor 1

        Re: Probably the best "antivirus" you can have…

        I also wear a helmet, and doing that saved my life (I broke it with my head and got unconscious plus broken bones).

        That said, riding in the city or on a road the helmet is almost useless, as the real dangers are cars, trucks and white vans (in particular, construction workers' vans.. they seem to hate cyclists for some reason). The helmet does nothing here.

        1. This post has been deleted by its author

      3. patrickstar

        Re: Probably the best "antivirus" you can have…

        Why are you assuming an attacker didn't take 5 minutes to check his toolkit against AVs? There are even services to do this for you automatically. Hell, there are even services to fix any AV detections automatically...

        Why are you assuming bugs in the AV (there are lots...) wasn't how he gained access in the first place?

        1. Anonymous Coward

          Re: Probably the best "antivirus" you can have…

          @patrickstar I wasn't, hence the cycling analogy which others seemed to have misinterpreted.

          The point being, I'm aware of the shortcomings of my helmet, I'm very aware of its cons vs its pros, but I still wear it, because, in some instances, however small the likelihood, it serves a purpose.

          And I'd rather my helmet perform its intended purpose, than take the hit myself.

          1. patrickstar

            Re: Probably the best "antivirus" you can have…

            AV presents a (real, if you're subjected to targeted attacks) risk that you get owned through your AV. That would be akin to getting strangled by your helmet strap, or something.

            If you're not subjected to targeted attacks, just make sure your software is up-to-date (most mass malware infections happen through old if not ancient vulnerabilities) and that your configuration is non-standard enough that there isn't any financial incentive for mass exploits to work against it.

        2. Seajay#

          Re: Probably the best "antivirus" you can have…

          If you're going to be the first infection perhaps because the virus has been written specifically for you, AV won't help you. As you say, the attacker will have checked his virus against the major AV suites. However, if you would have been the 10,000th but in that time, new virus database updates have come out, your AV has saved you.

          Darren is primarily involved in security for Google who are easily a big enough target that it is well worthwhile crafting viruses specifically for them. That means that although his advice is correct, it only really applies to him and to other similarly big targets. Not necessarily to me.

          1. Charles 9

            Re: Probably the best "antivirus" you can have…

            Thing is, virii have gotten sophisticated enough to reach Captain Trips levels where no two infections are alike enough for an AV to catch.

  4. Anonymous Coward

    "He illustrated his point by referring to the 314 remote code execution holes disclosed in Adobe Flash last year alone, saying the strategy to patch those holes is like a car yard which sells vehicles that catch on fire every other week."

    Which sounds great until you realize many people and firms are pretty much held hostage to Flash. Like being stuck in the middle of a shark-infested ocean with a leaky boat. What option do you have other than to keep bailing?

    "I'd love to see a whitelist-based approach to antivirus. It's good enough for firewalling, and that already works way better than any antivirus package I've seen."

    But then you have to whitelist browsers or you can't go on any Net, Inter or Intra. Malware simply targets the whitelisted apps and employs things like privilege escalation if needed (which can also target apps that require the privileges, collect separated privileges, etc.) to get past any safeguards.

    "The elephants in the room here are of course the security of the VM implementation, overheads and hardware access. (e.g. anything that makes heavy use of 3D graphics won't perform so well in a VM)"

    Plus there's always the threat of a Red Pill: a hypervisor attack that can escape the VM.

    1. Sampler

      You mean like the one disclosed earlier this week?

    2. RealFred

      Having a whitelist means putting your security in someone else's hands while you can't do anything about it. Its exactly like using antivirus software

    3. roselan

      Flash? Try Word macros...

      We have been hit by a cryptosystem through a remoteapp (or more precisely through the VPN used by the remote app). Our legacy email system doesn't know what an antivirus is (and stores attachments in a database).

      Yes, antivirus is an issue, but most of us in the real world face earthier challenges.

    4. Sandtitz Silver badge

      "He illustrated his point by referring to the 314 remote code execution holes disclosed in Adobe Flash last year alone, saying the strategy to patch those holes is like a car yard which sells vehicles that catch on fire every other week."

      <pedant> That was actually the total number of vulns for Flash last year, not every one of them necessarily being remote code execution holes. </pedant>

      I wonder why he didn't point to the 187 vulns Chrome had last year...?

  5. Winkypop Silver badge

    Whitelists?

    Oh, I thought he was discussing the new Trump Regime.

    Praise be to glorious leader!

    1. Destroy All Monsters Silver badge

      Re: Whitelists?

      ENOUGH!

      You know how to get to Portland for a protest meetup with the other liberal arts students and state dripfeed survivors.

      1. Roo

        Re: Whitelists?

        "Portland for a protest meetup"

        Dunno about protesting, but the beer's great there (or at least it was the last time I visited). :)

  6. Pompous Git Silver badge

    Telling users not to click on phishing links
    Network Solutions started sending out emails telling its clients that they have to "click on the red button" to confirm your email address or we terminate your service. I emailed back and pointed out to support that NetSol had issued an advisory telling users not to click on red buttons in emails as they were likely phishing attacks.

    Support emailed me back that it was an ICANN requirement that domain registrants confirm their email and the only way to confirm my email was to click on the red button. I pointed out that we were conversing via the email address concerned and was told that was not evidence the email address existed; only clicking the red button would do that.

    I no longer use NetSol.

    1. DryBones

      Good move. Did anyone notify the local zoo that their monkeys had gotten on the internet again?

    2. Roger Greenwood

      " . . was not evidence . . "

      Sounds like trying to argue with bomb 20

    3. h4rm0ny

      I contacted my hosting company over a similar thing, asking if it were actually a phishing attack. They confirmed that no, it wasn't and yes, the domain name ICANN was using was legitimate even though it sounded like a scam. I was unimpressed.

      I'll be holding on to my AV for a while longer. Did Google say who should be in charge of whitelisting? Was it them, by any chance?

      1. Mephistro

        "Did Google say who should be in charge of whitelisting? Was it them, by any chance?"

        I came here to say that same thing. Thanks for saving me the effort!

        Also, I seem to recall MS trying the same trick many moons ago, though a fast search didn't find anything.

        Whitelisting performed by an interested party that is creating/trying to create several monopolies. What could possibly go wrong?

      2. Charles 9

        "I'll be holding on to my AV for a while longer. Did Google say who should be in charge of whitelisting? Was it them, by any chance?"

        Whitelisting is only practical in a business setting where there's a boss to dictate terms. In this case, it's the boss who manages the whitelist.

        In a home setting, no whitelist can be considered safe except one curated by the user him/herself, only most users lack the aptitude to correctly curate a whitelist. And placing it in someone else's hands essentially places your trust in a Trent who could really be Mallory.

  7. DerekCurrie

    If Only Google Could Get A Handle On Their Own Security Problems

    Fragmentation: The impossibility of keeping Android OS up-to-date on OEM manufactured devices.

    Google Play Store Malware: The impossibility of knowing that apps downloaded from Google's own app store for Android aren't malware, despite Google's 'efforts' to stop the problem.

    Headlines such as:

    "1 in 5 Android Apps Is Malware" - Yahoo

    "97 percent of mobile malware is on Android" - Forbes

    "F-Secure says 99% of mobile malware targets Android" - GreenBot

    "Android Malware Removed From Google Play Store After Millions of Downloads" - Wall Street Journal

    "More Google Play apps infected with Brain Test malware ..." - ZDNet

    "Over 400 instances of Dresscode malware found on Google Play store, say researchers" - ZDNet

    ...Ad Nauseam...

    1. king of foo

      Re: If Only Google Could Get A Handle On Their Own Security Problems

      Might that correlate more strongly with size? Android has 80%+ of the market :. it makes sense that it would have 9x% of the attention. Windows suffers in the same way on the desktop.

      If traditional PCs continue to be replaced by "non windows" devices in the home then perhaps even more attention will be given to the likes of android, chromeos and iOS, and one day windows could be quite secure... then both users can give themselves high fives...

      1. h4rm0ny

        Re: If Only Google Could Get A Handle On Their Own Security Problems

        >>"Might that correlate more strongly with size? Android has 80%+ of the market :. it makes sense that it would have 9x% of the attention. Windows suffers in the same way on the desktop."

        Yes. Though that does give me ironic flashbacks to arguments in the mid-2000's when people here would hold up the quantity of Windows malware against the quantity of GNU/Linux malware and when I'd point out the difference in userbase size and user sectors (server vs. home), they'd go "nuh-uh. It's nothing to do with how many people use it".
