
Antivirus tools are a useless box-ticking exercise says Google security chap

Advocates whitelists and other tools that 'genuinely help' security


"Kiwicon Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort on tools like antivirus and intrusion detection to instead research more meaningful defences such as whitelisting applications.

The incident responder from Google's Sydney office, who is charged with researching very advanced attacks including the 2009 Operation Aurora campaign, decried many existing tools as ineffective "magic" that engineers are forced to install for the sake of compliance but at the expense of real security.

"Please no more magic," he told the Kiwicon hacking conference in Wellington, New Zealand November 17 2016.

"We need to stop investing in those things we have shown do not work."

"And sure you are going to have to spend some time on things like intrusion detection systems because that's what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help."

Bilby wants security types to focus on tools such as whitelisting, hardware security keys and dynamic access rights efforts like Google's Beyond Corp internal project.

"Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying 'Thank god it inhaled all the poisonous gas'," he said.

The Google hacker also argued that networks are not a security defence because users are so easily able to use mobile networks to upload data to cloud services, bypassing all traditional defences.

Advice on safe internet use is "horrible", he added. Telling users not to click on phishing links and to download strange executables effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online.

"We are giving people systems that are not safe for the internet and we are blaming the user."

Referring to the 314 remote code execution holes disclosed in Adobe Flash last year alone, he compared the strategy to patch those holes to a car yard which sells vehicles that catch on fire every other week. ®
"

http://www.theregister.co.uk/2016/1...s_try_whitelists_not_just_bunk_antivirus_ids/
 
Just because antiviruses aren't 100% effective doesn't mean they are useless. Seatbelts, airbags and vaccines also don't prevent deaths 100% and we aren't running around screaming how useless they are. Some do, but those people are stupid to be quite honest. Antiviruses aren't any different. It may happen that you'll still get infected, but decreasing that chance from 100% down to just 10% (to give a worst case scenario) makes quite a difference, doesn't it?

And with whitelisting, even if you have the greatest database of whitelisted stuff, you can't ever have everything whitelisted. We've also seen how digital signatures were exploited for distribution of malware through seemingly safe digitally signed files. Not to mention how annoying it is to the user. avast! for example has one of the most extensive whitelist databases for its Hardened Mode (Aggressive) setting and yet you can regularly find it showing a warning on an unknown file because it's either so new or so rare that it hasn't come across their whitelisting system yet.

To put Google's bragging into perspective, if they know so much, why do people still keep finding tons of exploits in their software and/or services? I've been involved in the antivirus industry for over 15 years and I've seen how dramatically it has evolved just since then. Antiviruses aren't just "antivirus" anymore, they are very complex and highly sophisticated protection systems. The days of pattern matching only are long gone. It's still used because it's fast and efficient for known stuff, but for unknown, the technology is really rather amazing. Especially considering 99% of detections are machine generated. Humans just fine tune these systems; the rest is entirely machine controlled and generated, because there are just too many clean and malicious apps being released every day for humans to analyze them one by one. They only do that on stuff discarded from systems as "undecided verdict" and they look into it personally because it's suspicious but the system can't figure it out just yet.
 
I haven't used an anti-virus beyond what Microsoft offers for years. Only got infected once on Windows 7 because of ImgBurn adware (didn't untick the box) and have never been infected or seen an infected Windows 10 machine yet.

I agree with Google that, if you're serious about security, white listing is the only way to go. That doesn't just go for applications but also domain names. Malware would be cut hugely if white listing was standard practice.

Case in point: I've been running Server 2003 R2 -> Server 2012 R2 for almost a decade now and it has never been infected nor ever had an anti-virus. Why? White list only Internet Explorer. If the website is too much of a dick to get white listed (facebook.com is a perfect example of this), I simply refuse to go there with the server. Non-white-listed pages can't redirect, can't use applets, can't use scripting, downloads are forbidden, can't cross-domain reference, and can't use ActiveX Controls. It fundamentally comes down to just HTML and CSS which are harmless.
 
Adware is not malware and as such you weren't "infected". It's just an annoyance, nothing else. Like a big fat bug splattered on a windshield of your car. Is it a safety hazard? No. Is it annoying because you'll have to scrape it off by hand? Yes. That's adware.

Whitelisting in the end is only as good as the people controlling it at the very end. Meaning, END USER. We. Us. I've seen people with my own eyes who, when antivirus detected something, went and disabled it just so they could execute the file anyway. What makes you think they won't do the same stupidity with 100% whitelisting just because it's preventing them from doing what they want? Blacklisting is still the way to go, we just have to bump it up a notch. But we are getting there. I'm seeing systems that are connected to the cloud that are incredibly sophisticated and with superb results.
 
........ I've been involved in the antivirus industry for over 15 years and I've seen how dramatically it has evolved just since then. Antiviruses aren't just "antivirus" anymore, they are very complex and highly sophisticated protection systems. The days of pattern matching only are long gone. It's still used because it's fast and efficient for known stuff, but for unknown, the technology is really rather amazing. Especially considering 99% of detections are machine generated. .........
I read an article that anti-viruses shouldn't be called anti-viruses but rather "Anti-malware" because they are against anything that can be bad for the computer or the user not just viruses.
 
Adware is not malware and as such you weren't "infected". It's just an annoyance, nothing else. Like a big fat bug splattered on a windshield of your car. Is it a safety hazard? No. Is it annoying because you'll have to scrape it off by hand? Yes. That's adware.
Anything on my computer that I didn't deliberately put there is malware in my book. I nipped it in the bud by prohibiting it from launching and did a clean Windows install a few months later to get rid of it entirely.

Whitelisting in the end is only as good as the people controlling it at the very end. Meaning, END USER. We. Us. I've seen people with my own eyes who, when antivirus detected something, went and disabled it just so they could execute the file anyway. What makes you think they won't do the same stupidity with 100% whitelisting just because it's preventing them from doing what they want? Blacklisting is still the way to go, we just have to bump it up a notch. But we are getting there. I'm seeing systems that are connected to the cloud that are incredibly sophisticated and with superb results.
No amount of software will solve a PEBKAC fault. Solution: the operating system establishes the white list with no obvious option to ignore it. Microsoft browsers do this to some extent with downloads. If you download a file that has been reported to be trouble, the obvious things the user clicks will actually delete it. You have to read and understand what you're reading to not delete it.
 
I too have not used antivirus software for 7 years; before that, always free ones like Avira.
But I don't do online banking, nor do I have important files on my machine, and I only browse sites I know.
I think a good firewall is better than AV software.
 
Anything on my computer that I didn't deliberately put there is malware in my book. I nipped it in the bud by prohibiting it from launching and did a clean Windows install a few months later to get rid of it entirely.


No amount of software will solve a PEBKAC fault. Solution: the operating system establishes the white list with no obvious option to ignore it. Microsoft browsers do this to some extent with downloads. If you download a file that has been reported to be trouble, the obvious things the user clicks will actually delete it. You have to read and understand what you're reading to not delete it.

Well, by not unticking it, you kinda have deliberately installed it...
 
I'm only human. :cry:
 
I agree with Google that, if you're serious about security, white listing is the only way to go. That doesn't just go for applications but also domain names. Malware would be cut hugely if white listing was standard practice.

With companies like Google, Facebook, Twitter, MS and Amazon having left behind the stance of neutral entities (only concerned with their own profits) long ago, I sure as hell don't want them to determine what's "safe" for the public.

You and I will find a way to get where we want, but Joe Average won't be able to see what these companies don't want us to see.
 
The only search I had white listed was https://encrypted.google.com Facebook was not, Twitter was not, Amazon was not. Microsoft was because of windows update and Visual Studio downloads and redistributables. I remember HighPoint-Tech was white listed to get RocketRAID drivers. TechPowerUp and GeneralNonsense were white listed for the rare instance my personal computer was off/disabled and I needed to access them.

Bear in mind that white listing simply permits the website to function as normal (medium security). It doesn't give it elevated permissions to do anything. Everything not listed as a trusted site runs at high security where pretty much everything that isn't HTML and CSS is prohibited.
 
Most of us that use antivirus and have a bit of knowledge about computers tend to use free versions or just stick with Microsoft's standard "Windows Defender" (I'm guessing).
I think some antivirus programs are as bad as a computer virus in themselves. Take the likes of Norton antivirus: my first laptop wouldn't even run because of how much it was 'bogging' the computer down.

I've got a couple of friends that actually pay for this rubbish.... and it's not exactly cheap!
Does anyone on here pay for it?
 
Just run adblock (ublock origin) noscript, and have hosts files and good routers/firewalls that block the shit and you should be good... However have antivirus (webroot or eset) and you will be good to go as well as the absolute best solution:

Common Sense Enterprise Edition 2017!
 
I like the part where he says it's dumb to tell users not to click links they don't know and how it should be the hardware manufacturers' job to keep us safe from the internet.

It reminds me of the people who say it's up to men to learn not to rape, cause all men are rapists.


I use basic AV, most ISPs have some basic security built in, but the idea that all websites are or should be made safe...... retarded.
 
Just run adblock (ublock origin) noscript, and have hosts files and good routers/firewalls that block the shit and you should be good... However have antivirus (webroot or eset) and you will be good to go as well as the absolute best solution:

Common Sense Enterprise Edition 2017!

This plus OpenDNS filtering allows you to whitelist for your entire home or business network. Has a standard running black and whitelist predefined if you just want to use their DNS servers from your PC or router. Very effective and well worth folks doing.

Common sense is always going to be the biggest factor IMHO.
 
OpenDNS only filters phishing websites. For better filtering you should use Norton Safe Web DNS servers. Those also filter malware sites as well as phishing.
 
OpenDNS only filters phishing websites. For better filtering you should use Norton Safe Web DNS servers. Those also filter malware sites as well as phishing.

Maybe OpenDNS has updated since you last looked at it, but I've been using it at home for a couple of years and working with it on a professional level, and it does more than just phishing sites now. I was initially worried about Cisco taking over OpenDNS but it has only improved, and is faster to deploy updated blacklists than ever before. ;)

If you just use OpenDNS without a free Home account or paid Business Umbrella account, then it filters a predefined list of malicious, phishing and adult websites. If you do a free home account, you can actually choose which predefined lists you want to filter along with blacklist/whitelist capabilities. Plus it is super easy to manage and free.

Here are some screenshots from my account, for those not familiar with the free Home account console:

PRE-DEFINED FILTER OPTIONS

BLACKLISTING on OPENDNS

WHITELISTING on OPENDNS


I haven't used Norton Safe Web before, but have been told by folks while it is generally considered more secure its DNS servers are slower. That's the cost of security though...waiting a little bit extra might be worth it. If you use it, maybe you could share some screenshots of it?

Frankly I see no reason to go beyond OpenDNS with its current feature set, but it's good to have options because there shouldn't always be just one. I'm not a fan of Norton security software (at least the pre-loaded OEM crap) and what it lets by, so I'm leery to use their filtering, but it seems to be pretty well regarded. The problem I see with Norton is you get what they give you and you don't get control over white/blacklists as you do with OpenDNS. That might be fine for some, and submitting a request as per the FAQ is possible... but why do that when it can be done and allowed within a few minutes on OpenDNS? I suppose for folks that don't want to have as much control over what their filter is doing...this is a good option...for those that like a little more control I believe OpenDNS would be the superior option.

:toast:
 
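To make the allow/deny behaviour described in this post concrete (predefined category lists plus per-account whitelist and blacklist overrides), here is a small Python model of a filtering resolver. This is an added example, not OpenDNS code or configuration: the category names, the domains in the lists, the sinkhole address and the precedence order (whitelist beats blacklist beats category) are all constructed assumptions.

```python
"""Constructed model of a category-based DNS filter with allow/deny overrides.

Not OpenDNS code. Domains below are made-up placeholders (reserved
.example TLD), the sinkhole address is an assumption, and the precedence
order is an assumption chosen to mirror how a per-account override is
expected to behave: allowlist > denylist > blocked categories.
"""
from dataclasses import dataclass, field

# Constructed category lists; a real service ships these lists itself.
CATEGORY_LISTS = {
    "phishing": {"login-verify.example", "secure-update.example"},
    "malware": {"payload-cdn.example"},
    "adult": {"adult-site.example"},
}

# Constructed sinkhole address returned instead of the real answer.
SINKHOLE_IP = "192.0.2.1"

# Constructed "upstream" answers so the example runs offline.
UPSTREAM = {
    "techpowerup.com": "198.51.100.10",
    "login-verify.example": "203.0.113.5",
    "payload-cdn.example": "203.0.113.6",
    "secure-update.example": "203.0.113.7",
}


@dataclass
class FilterPolicy:
    """Per-account settings: which categories to block, plus overrides."""
    blocked_categories: set
    allowlist: set = field(default_factory=set)
    denylist: set = field(default_factory=set)


def _matches(name, domains):
    """True if name equals a listed domain or is a subdomain of one.

    Matching is label-wise, so 'www.payload-cdn.example' matches
    'payload-cdn.example' but 'notpayload-cdn.example' does not.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(policy, name):
    """Return (verdict, reason) for a queried name.

    Precedence (assumed): an explicit allow wins over everything, an
    explicit deny wins over category lists, and only then are the
    account's blocked categories consulted in a deterministic order.
    """
    if _matches(name, policy.allowlist):
        return "allow", "allowlist"
    if _matches(name, policy.denylist):
        return "block", "denylist"
    for category in sorted(policy.blocked_categories):
        if _matches(name, CATEGORY_LISTS.get(category, set())):
            return "block", f"category:{category}"
    return "allow", "default"


def resolve(policy, name):
    """Answer a query: the upstream address, or the sinkhole when blocked."""
    verdict, _ = decide(policy, name)
    if verdict == "block":
        return SINKHOLE_IP
    return UPSTREAM.get(name.lower().rstrip("."))


def summarize(policy, queries):
    """Count verdicts over a batch of queried names (e.g. a day's log)."""
    counts = {"allow": 0, "block": 0}
    for name in queries:
        counts[decide(policy, name)[0]] += 1
    return counts


if __name__ == "__main__":
    home = FilterPolicy(
        blocked_categories={"phishing", "malware"},
        allowlist={"secure-update.example"},   # operator vouches for it
        denylist={"tracker.example"},          # operator blocks it outright
    )
    for q in ["techpowerup.com", "www.login-verify.example",
              "secure-update.example", "cdn.tracker.example",
              "notpayload-cdn.example", "adult-site.example"]:
        print(f"{q:28} -> {decide(home, q)}  answer={resolve(home, q)}")
```

Note the two edge cases the model handles: subdomains inherit the verdict of a listed parent domain, and a domain that merely shares a suffix string (the "notpayload-cdn.example" case) is not treated as a match. The "adult" list is left out of the blocked categories here, which is exactly the per-account choice the post describes.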
It has been like this for ages and none of the categories cover malware webpages.
 
It reminds me of the people who say it's up to men to learn not to rape, cause all men are rapists.
.

It is definitely up to men to learn to respect women, because a whole lot of them don't.
 
Anything on my computer that I didn't deliberately put there is malware in my book. I nipped it in the bud by prohibiting it from launching and did a clean Windows install a few months later to get rid of it entirely.

OneDrive, or whatever it's called now, is exactly this, malware. You didn't have a choice of installation and you can't uninstall it except through old-school means; at least with Win10 there is a mock setting that "supposedly" disables it but is still open to hacking that can re-enable it and use it as a backdoor, so to speak.
 
Unfortunately I find this "advice" to be a bit one sided. There is not a shred of it that isn't true or not advised. However these kinds of mitigations are for people with a good understanding of technology that haven't managed to implement it.

I also find it curious that TPU members even flaunt it a bit. I would hope that anyone intelligent enough to hold higher discussion on this forum would have the ability to implement these practices, but assuming that it is enough for even the general populace is short sighted to say the least. Not to mention, with the evolution of technology and the pressure from even local utilities to "pay your mortgage online", using the argument that people incapable of following this advice just "shouldn't use a PC" is arrogant.

AV software, and even the paid versions, offer non-advanced users much needed protection and I'm surprised some members don't appear to know this. Perhaps it's not dealing with thousands of users that clouds their understanding.

Gateway protection from IDS/IPS and other flow control applied via whitelist or heuristic blocking will always be best, sure. After all the best protection is to "not let it get in to begin with", but that one line could have covered that entire article.

However this is easier said than done, or even impossible, given the understanding of today's technology among senior or even uneducated citizens.

Let's not forget that PC classes and training are not fundamental in today's society, nor are they required or enforced in all schools.

I don't really see this article as any more than regurgitating best practice that system administrators have known for years, with the added short sightedness of expecting it to be deployed in a home environment.

My sister doesn't understand how to enable OpenDNS sorting on her router and I'd be willing to bet a whole lot of the rest of the global population doesn't either.
 
My sister doesn't understand how to enable OpenDNS sorting on her router and I'd be willing to bet a whole lot of the rest of the global population doesn't either.

I personally feel that you SHOULD know this sort of stuff, and access to the internet should have some sort of "licensing" just like driving a car, so that you have to have a proper education prior to even connecting. This might be a bit harmful to those that make the internet their source of income, but like buying a car, or getting a phone, there are criteria (credit, in the example) that must be passed before you access those services. Until you can provide proof that you are adept enough at using the internet, everything should be screened, and there should be "police" whose job it is to remove malicious users and prosecute them, no matter what global region you are in.

At the same time, I do not believe that there is a single shred of privacy on the internet, since anything can be captured at the ISP level and anywhere in between (just like cell phones).
 
OneDrive, or whatever it's called now, is exactly this, malware. You didn't have a choice of installation and you can't uninstall it except through old-school means; at least with Win10 there is a mock setting that "supposedly" disables it but is still open to hacking that can re-enable it and use it as a backdoor, so to speak.

Do you mean someone would use the service to hack your system or do you mean that MS will "hack" it back on? In any case it is not malware, by definition.
 