Antivirus- Dead Or Alive?


Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
If Antivirus is dead, why do new "Anti-Malware" apps keep appearing around the web? Not too long ago, someone posted their idea of an Anti-Malware product. And while I support existing well-established security products that use Signature + Cloud with other technologies for a multi-layer approach, why do these new developers make software based on Signatures?

In one way I understand it's for them to understand and further develop their skills, but Signature-based, really!?

Thanks for the feedback. :)
 
D

Deleted member 178

If Antivirus is dead, why do new "Anti-Malware" apps keep appearing around the web? Not too long ago, someone posted their idea of an Anti-Malware product. And while I support existing well-established security products that use Signature + Cloud with other technologies for a multi-layer approach, why do these new developers make software based on Signatures?
In one way I understand it's for them to understand and further develop their skills, but Signature-based, really!?
1- because signatures are easy for the average Joe to understand, and they don't need interaction: file is detected by signatures > file is deleted, quarantined or allowed.
2- signature engines will monitor the system on access (Read) by default, BB/HIPS only at execution. This means a BB won't kick in if you just open a folder full of malware; however, the signature engine will start deleting the files right away.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Antivirus is alive but ... suffering.

Everything quickly changes for our mental forms, which are used to conceptualize arguments in the certainty that this conceptualization is almost eternal, that doesn't change over time.
What yesterday was a virus, now it is malware, ransomware, and so on. It specializes, changes, evolves; moved by different motivations, purposes and strategies that change, quickly.

Today it is not easy just to talk about malicious code or malware, but it is an attack chain.
Because being the victim of an attack means becoming part of a chain that perhaps does not see us as the ultimate goal but as an intermediate step; for example, a small group of machines at the command of cybercriminals part of a network attack.
Or you are compromised without the use of malicious code, but with a social engineering strategy that convinces some of us to open an Excel file that contains a macro that opens connections toward the attacker using PowerShell. Then, this connection is used to download additional malcode in order to complete the data theft.
If I think of the chain as an attack strategy, we must defend ourselves, and antivirus/antimalware alone really is not enough.
 
  • Like
Reactions: BugCode

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
1- because signatures are easy for the average Joe to understand, and they don't need interaction: file is detected by signatures > file is deleted, quarantined or allowed.
2- signature engines will monitor the system on access (Read) by default, BB/HIPS only at execution. This means a BB won't kick in if you just open a folder full of malware; however, the signature engine will start deleting the files right away.
I understand what you are saying, but I was more directing at people who want to develop a new Antivirus software. No one wants "Yet Another Antivirus" software, when we already have Vendors with far more resources for Signature-based protection + other technologies.

Why not get creative like SecureAPlus or VDS, or BB with Sandboxing.
 

Xsjx

Level 13
Verified
Feb 21, 2017
613
I understand what you are saying, but I was more directing at people who want to develop a new Antivirus software. No one wants "Yet Another Antivirus" software, when we already have Vendors with far more resources for Signature-based protection + other technologies.

Why not get creative like SecureAPlus or VDS, or BB with Sandboxing.
Antivirus is not dead, but the small AV companies are.
Only the top 5 can protect you: Avira, Bitdefender, Kaspersky, Norton, Avast.
 
W

Wave

I think it is because a lot of these new "Anti-Malware" products are either from young developers who barely know what they are doing, or just a vendor who wants to overtake an existing one with the end goal of making money one way or another. For example, a new vendor might arise with a free Anti-Malware product and they may do something like sell data to make a profit (covered in the privacy policy), or they may gain attention and a user-base through the free product and then drop a paid product, attracting the existing customers to the paid version, thus resulting in their fans purchasing and making them a profit.

Then again, there are tons of kids these days trying to make said products in the .NET Framework. Make sure to steer clear from them with the exception of a few, since more often than not, any .NET-based product claiming to be an Anti-Malware/Anti-Virus is useless and usually doesn't proceed past basic checksum hash detection. Which is obsolete and literally useless if you really need a product to protect you.

Checksum hash detection is definitely obsolete in terms of identification for new zero-day malware; however, it can still be useful for detecting threats before they are given the chance to actually execute, as @Umbra said. If you have zero-day behavioral components then that is great too obviously, but if the malware can execute at all then it does give it a chance to exploit and escape the protection... Believe it or not, standalone Behavior Blocker/Host Intrusion Prevention Systems can be easily defeated and evaded these days (even if they monitor the activity being executed by the monitored program) due to them being developed and evolving around user-mode (due to kernel-mode patching limitations on x64), and the workaround for this would be usage of the hypervisor for real virtualization (sandboxing and then monitoring within the sandbox), but learning to do such work can be very time-consuming and for a vendor to implement this technology it can be very pricey.

The reason checksum hash detection is obsolete is simply due to the fact that malware can be shipped back into the wild with a new checksum simply after modifying one byte of the Portable Executable, and then it will be undetected via signatures. Static heuristics go a long way in the Anti-Virus industry, but more often than not the security product will have a useless memory scanner (for whatever reason), and therefore simple packing techniques will completely evade the detection (since if a product has an advanced and decent memory scanner, it can attempt to apply the heuristics after the sample has unpacked itself in memory -> e.g. dump it to disk after it's unpacked itself, then apply the scanning, and if found to be clean then resume the original process from its suspended mode).

I don't think anything will change really, these products just pop out of nowhere like there is no tomorrow... Too many people want to release their new product and get a slice of the cake but have nothing to bring to the table that doesn't already exist, and even I myself have tried to do something like that before.

I agree that we have enough AM products on the market already, there are already many to choose from... But people get interested in the security industry and want to own something "big" and "successful" themselves, so they spend tons of time on it, and even if it does turn out to be good they usually wait years before getting barely any market share, since the already successful vendors are on top for usage by people due to being known more widely and having existed for longer.

Even AV vendors like Norton have admitted that the AV industry is dead and obsolete (I may have gotten that wrong, I apologize if I did), but it makes a lot of people money. The security industry can pay very well for some, not always though... And people have jobs that pay them a lot of money I guess, even if they aren't really doing much work. I would imagine that the average Avast engineer would make around £100,000-£200,000 a year or maybe more due to how much money Avast probably make, but I am not really sure.

I would say that layered protection would be the way to go anyway: web protection (anti-phishing, anti-exploit, help prevent the download in the first place), real-time for signatures and static heuristics (to help prevent the download or transfer from removable device in the first place), BB/HIPS (real-time monitoring of untrusted programs), and/or sandbox if required. But those AV products with awful dynamic protection, yeah I would say they are obsolete IMO.

But yeah I find this thread really interesting, waiting to see what other people say now... :)
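The one-byte argument in the post above, as an added example that is not from the thread: a constructed byte string stands in for a PE file, and an exact SHA-256 hash signature is compared with a content-pattern signature (both constructed) before and after a single padding byte changes. The family name, the byte patterns and the function names are assumptions made for the illustration.

```python
"""Hash signatures versus content signatures on a one-byte-modified sample.

Added example (not from the thread). A constructed byte string stands in
for a PE file. An exact-hash signature (SHA-256) stops matching once any
single byte changes; a content pattern (a YARA-style byte string, here a
plain substring check) still matches. Sample data, family name and
signatures are all constructed for the illustration.
"""
import hashlib

# Constructed stand-in for a malicious file; not a real sample.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 60                       # fake DOS header padding
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 16
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"   # suspicious imports by name
    + b"PAD" * 20                                     # trailing padding region
)

# Constructed signature database: one exact hash, one set of content patterns.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest(): "Constructed.Sample.A"}
PATTERN_SIGNATURES = {
    "Constructed.Sample.A": [b"CreateRemoteThread", b"WriteProcessMemory"],
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents (the 'checksum' of the post)."""
    return hashlib.sha256(data).hexdigest()


def scan_by_hash(data: bytes):
    """Exact-match lookup: returns the family name or None."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def scan_by_pattern(data: bytes):
    """Content lookup: a family matches only if ALL of its patterns are present."""
    for family, patterns in PATTERN_SIGNATURES.items():
        if all(p in data for p in patterns):
            return family
    return None


def flip_padding_byte(data: bytes) -> bytes:
    """Return a copy that differs in exactly one byte of the trailing padding."""
    buf = bytearray(data)
    buf[-1] ^= 0x01
    return bytes(buf)


def compare(data: bytes) -> dict:
    """Run both detection methods and report what each one returns."""
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}


if __name__ == "__main__":
    variant = flip_padding_byte(ORIGINAL)
    print("original:", compare(ORIGINAL))
    print("variant :", compare(variant))
```

The hash lookup finds the original and misses the variant; the pattern lookup finds both. This is the detection-side view of the post's point: an exact hash proves identity, a content pattern describes a family, and a real engine wants the second kind (and, as the post says, a memory scanner that can apply it after unpacking).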
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Antivirus is not dead, but the small AV companies are.
Only the top 5 can protect you: Avira, Bitdefender, Kaspersky, Norton, Avast.
I never said Antivirus was dead. In fact I voted for "Antivirus Is Alive - But only if used as part of a multi-layered security approach".

The top 5 based on what?
 
  • Like
Reactions: Kardo Kristal

Xsjx

Level 13
Verified
Feb 21, 2017
613
I never said Antivirus was dead. In fact I voted for "Antivirus Is Alive - But only if used as part of a multi-layered security approach".

The top 5 based on what?
Users/Employees... and lab results ;)
 
W

Wave

Users/Employees... and lab results ;)
You realize that those "lab results" from companies like AV-Comparatives really should be taken with a grain of salt and nothing more, just like YouTube video reviews posted by community members of even this forum, right?
 
  • Like
Reactions: Oxygen

Xsjx

Level 13
Verified
Feb 21, 2017
613
You realize that those "lab results" from companies like AV-Comparatives really should be taken with a grain of salt and nothing more, just like YouTube video reviews posted by community members of even this forum, right?
Yeah, I know, but I even had Kaspersky detect nothing on a PC from someone I know, and Avira picked 960 viruses off it...

Kaspersky already blocked much, but what would a small company do, let 10,000 malware through? I don't know, but in my opinion Avira is the best ;)
 

Davidov

Level 10
Verified
Well-known
Sep 9, 2012
470
Antivirus is now just such an addition; HIPS, BB + anti-exe + sandbox are more important than antivirus, and especially wisdom.

If you pay for something, that's a sandbox or HIPS (ReHIPS) or maybe AppGuard. Emsisoft or Kaspersky have good BB and application controls.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,821
Voted as part as a multi-layered approach.
I personally wouldn't rely on just a singular antivirus product nowadays. Don't get me wrong, the industry as a whole has made great strides in going beyond signature-based detection and combating zero-days, which is good, but malware authors are using increasingly sophisticated methods to avoid detection and we've probably all seen plenty of reviewers on this site and elsewhere test singular AV products and have malware sit quite happily on a system even when it's being protected by behaviour blockers, HIPS, IDS, cloud analysis, etc.
Even when a product's non-signature defences do work it sometimes comes too late. All this fancy tech that's designed to catch unknown malware is great and all until a new strain of ransomware comes along and encrypts all your files in seconds, while 10 seconds after the fact the behaviour blocker kicks in and finally terminates the malware.

People have been proclaiming antivirus as dead for a long time now and I can't help but disagree. Hell, I even disagree with the notion that signature-based detection is dead. Yes, there's so much malware out there now that signatures can't keep up with it all. Yes, signatures are an outdated way of detecting threats. Yes, signatures are useless against zero-days and the like, but here's what I see: Millions of people have had their systems and files saved billions of times by signature-based detection. Signatures still have their place, antivirus still has its place, and at the end of the day people are going to secure themselves how they see fit. Layered or non-layered, the end user is going to decide that and who the hell am I to tell them what to do. Best I and anyone else can do is advise them on what they feel is appropriate.
 
Last edited:
  • Like
Reactions: Kardo Kristal

Kardo Kristal

From Crystal Security
Verified
Top Poster
Developer
Well-known
Jul 12, 2014
1,143
"Antivirus Is Alive - But only if used as part of a multi-layered security approach."

In my opinion the best approach is multi-layered security (e.g. signatures + cloud + BB + sandbox).

I disagree that signature-based protection is useless (like some ex-banned member mentioned many times here).
When your goal @Wave is to claim to everyone how bad .NET based products are (like you did in several threads recently) then please make a better one (not just screenshots, videos and nonsense hype without a real product).

What about Windows Defender? Is it useless crap then just because it depends mostly on signatures?
There is no point to rate product based on programming platform/language only. There are also other factors.

PS. @Wave managed to lock many threads here with word-war recently. I still don't understand why Wave is not banned already. Your behavior proves that ex-banned members should not be allowed again.

Regards,
Kardo
 
  • Like
Reactions: Davidov and Wave
W

Wave

"Antivirus Is Alive - But only if used as part of a multi-layered security approach."

In my opinion the best approach is multi-layered security (e.g. signatures + cloud + BB + sandbox).

I disagree that signature-based protection is useless (like some ex-banned member mentioned many times here).
When your goal @Wave is to claim to everyone how bad .NET based products are (like you did in several threads recently) then please make a better one (not just screenshots, videos and nonsense hype without a real product).

What about Windows Defender? Is it useless crap then just because it depends mostly on signatures?
There is no point to rate product based on programming platform/language only. There are also other factors.

PS. @Wave managed to lock many threads here with word-war recently. I still don't understand why Wave is not banned already. Your behavior proves that ex-banned members should not be allowed again.

Regards,
Kardo
I don't know why you are acting like this, but believe it or not, what I have said about the .NET Framework is based on facts and not opinion... Go ask any engineer at a real AV company like Avast, they can tell you that the .NET Framework was not designed for security.

.NET security products are entirely based on user-mode, you will not have the ability to utilize kernel-mode which means you cannot tackle more advanced threats like kernel-mode rootkits, which may or may not be prevalent in the wild these days... that is irrelevant.

As far as performance goes, native code will execute faster as it doesn't use a Just-In-Time compiler.

That doesn't mean I do not support some .NET projects when the developer is trying hard and I never had a problem with CS or Xvirus.

What about Windows Defender? Is it useless crap then just because it depends mostly on signatures?
There is no point to rate product based on programming platform/language only. There are also other factors.
Signatures are obsolete because they can be bypassed easily and are not good for malware, that doesn't mean they have no uses. I even said in my original post that it is good for preventing the execution in the first place... Read the actual post next time before replying?

There is no point to rate product based on programming platform/language only. There are also other factors.
Urm, well the fact is that .NET is limited with security.

What do you expect to make proper dynamic heuristics or a sandbox in the .NET Framework? LOL

I personally think you are just worked up because CS is based on the .NET Framework...

but ok go and contact an engineer at a top AV company and ask them the following: "Is the .NET Framework good for a security product engine?", I am sure they will tell you "no".

There is a crystal clear reason as to why top vendors which are actually successful use native code...
 
Last edited by a moderator:
  • Like
Reactions: DardiM and askmark
W

Wave

When your goal @Wave is to claim to everyone how bad .NET based products are (like you did in several threads recently) then please make a better one (not just screenshots, videos and nonsense hype without a real product).
Well I am actually trying to make a good one in a native language which isn't limited from within a .NET engine, so.... I guess you wouldn't understand how hard it is to do something properly since you took the easy route with C#.NET and VT. Each to their own? I don't even mind you nor CS so I don't know why you act like this still.

Why on earth would I try to make a security product in .NET after I've explained why it isn't a good idea? The GUI for it is fine but the engine? Urm...

I even showed you my work on a live Skype call about 2 months ago, do you see me as some sort of threat? I don't know what is going on here but I think it is either jealousy or an opinion disagreement problem. There doesn't need to be a problem, I am not sure why you are making one. We can all be friends and help each other out, share opinions and advice, that is what places like this are for...

It's not like I am some noob coder who does VBScript, people can go read my code threads. It's pretty obvious that I really am making a security product.

.... The first opinion sticks so make it count.
 
Last edited by a moderator:

Dani Santos

From Xvirus
Verified
Top Poster
Developer
Well-known
Jun 3, 2014
1,136
@Kardo Kristal I don't think @Wave is saying Crystal Security and Xvirus are crap, you can see he always uses them as exceptions to his opinions. But it's true most "AntiVirus" made in .NET are bad and made by newbies that don't know anything about security and start sharing their product like it beats all major Antivirus. I don't blame them for wanting to do an Antivirus, just don't share them with others saying that it is the best, it's not.

I also use .NET to develop Xvirus, but I admit that .NET is slow and not powerful enough and it's holding Xvirus evolution down. .NET was never meant for this kind of application that requires speed and low-level access to the system. I think .NET has many great uses but it is slow and not powerful enough to do a behavior blocker or HIPS. All you can do is static analysis which will never compete with big Security Companies speed-wise.

About him creating his own product. I can assure you that he is and that I've seen it in action. Now just calm down the both of you and don't ruin this awesome thread.
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
Antivirii have been too overzealous in putting in every functionality and just extra random annoying features, maybe adapting to people's paranoia. All I can see from antivirii is not just them adapting to malware, they're adapting to the herd, maybe purely and unconsciously so. It's unlikely that they'll be removed from the spot, especially given antivirii and what Microsoft and Google try to do with their security are the only usable and immediately readily available options.
 

larry goes to church

Level 3
Verified
Mar 10, 2017
103
Traditional AVs approach malware in a signature-based fashion, tracking MD5s among other unique indicators. That is how they can confidently say "we have analyzed more than 1000M~ samples" (just an example). They actively have those signatures on your machine.

The next-gen AV is behavior based. It looks for things that are not humanly possible, for example.
For example, traditional AVs would look for strings like powershell; one way to get around that is, in the command prompt, to type po^w^er^s^h^ell and then your command, since CMD ignores the ^. The approach now is to identify non-human behaviors and classify them as malicious or not.
 
  • Like
Reactions: askmark
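The caret trick in the post above, from the detection side, as an added example that is not from the thread: cmd.exe treats ^ as an escape character, so a raw command line of po^w^er^s^h^ell never contains the literal string "powershell" and a naive string match misses it. The normaliser below undoes the escaping before matching. The log format, the process IDs and the command lines are constructed, and the keyword list is an assumption for the illustration.

```python
"""Normalise cmd.exe caret escapes before keyword matching.

Added example (not from the thread). cmd.exe reads '^' as an escape: it
drops the caret and keeps the next character literally, and '^^' yields a
single '^'. A detector matching the raw command line therefore misses
'po^w^er^s^h^ell'; matching the normalised form does not. The log lines,
PIDs and keyword list below are constructed for the illustration.
"""
import re

# Assumed watch-list of tool names a reviewer might key on (constructed).
KEYWORDS = ("powershell", "certutil", "mshta")

# Constructed process-creation records in a made-up key=value format.
LOG_LINES = [
    'pid=4120 image=cmd.exe cmdline="cmd /c po^w^er^s^h^ell -Command Get-Date"',
    'pid=4188 image=cmd.exe cmdline="cmd /c dir C:\\Users"',
    'pid=4201 image=cmd.exe cmdline="cmd /c powershell Get-Process"',
    'pid=4222 image=cmd.exe cmdline="cmd /c echo 2^^3"',
]


def normalise_cmd(cmdline: str) -> str:
    """Undo cmd.exe caret escaping and fold case.

    '^X' becomes 'X' (so '^^' becomes '^'); a trailing lone caret is dropped.
    Quoted regions, where cmd.exe does not treat '^' as an escape, are not
    tracked: for detection purposes over-unescaping only errs towards a match.
    """
    out, i = [], 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "^":
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])  # keep the escaped character
                i += 2
            else:
                i += 1                      # nothing follows the caret
            continue
        out.append(ch)
        i += 1
    return "".join(out).lower()


def keyword_hits(text: str) -> list:
    """Keywords present in the given text (case-insensitive)."""
    lowered = text.lower()
    return [k for k in KEYWORDS if k in lowered]


def parse_record(line: str) -> dict:
    """Pull pid and cmdline out of one constructed log record."""
    pid = int(re.search(r"pid=(\d+)", line).group(1))
    cmdline = re.search(r'cmdline="(.*)"', line).group(1)
    return {"pid": pid, "cmdline": cmdline}


def triage(lines) -> dict:
    """PIDs flagged by raw matching versus matching after normalisation."""
    raw, normalised = [], []
    for line in lines:
        rec = parse_record(line)
        if keyword_hits(rec["cmdline"]):
            raw.append(rec["pid"])
        if keyword_hits(normalise_cmd(rec["cmdline"])):
            normalised.append(rec["pid"])
    return {"raw": raw, "normalised": normalised}


if __name__ == "__main__":
    for line in LOG_LINES:
        rec = parse_record(line)
        print(rec["pid"], "->", normalise_cmd(rec["cmdline"]))
    print(triage(LOG_LINES))
```

Raw matching flags only pid 4201; matching after normalisation also flags pid 4120, whose command line runs the same binary. The post's wider point still stands: a normaliser closes one specific string trick, while a behaviour-based rule (what the process goes on to do) does not depend on how the launch command was spelled.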
