Google Engineer Says Antivirus Apps Are Ineffective Magic, Don’t Genuinely Help

[Exterminator]

There still are many people out there who think that antivirus solutions are must haves for any computer user, but Google senior security engineer Darren Bilby is certainly not one of them.

Speaking at Kiwicon hacking conference, Bilby, who is Manager of the Platform Integrity team as part of the Enterprise Infrastructure Protection Group, said it loud and clear: antivirus apps are simply ineffective and the security world should concentrate its efforts on things that can make a difference.

“Please no more magic,” he was quoted as saying by The Reg. “We need to stop investing in those things we have shown do not work,” he continued, adding that antivirus solutions are nothing more than ineffective magic that most admins install just because they have to, not because they’re efficient.

“Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying 'Thank god it inhaled all the poisonous gas'.”

Focusing on this that matter
The Google engineer eventually calls for security experts and hackers to concentrate on things that are more important, such as intrusion detection systems that can make a difference and protect users even if they access malicious websites or open compromised documents.

“And sure you are going to have to spend some time on things like intrusion detection systems because that's what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help.”

Bilby also explains that most companies blame users for getting their PCs compromised because they click on links and files that are infected, but in reality, the security of these systems is not good enough to protect them, and this is where security engineers should focus in the future.

While opinions on the efficiency of antivirus solutions are still mixed, these statements come only a few days after Russian-based security company Kaspersky started a war against Microsoft for trying to convince users to give up on third-party security software and switch to its own Windows Defender.

Kaspersky has already received the support of other security vendors, who also believe that Microsoft is playing dirty in Windows 10 with Windows Defender, calling for European authorities to look into this practice and decide if it affects competition or not.

 

[antreas]

one smart person who think like me. I am not using antivirus for some time now.

 

[RoboMan]

I should refuse to join this theory. For most of us, maybe Antivirus helps us but we're conscious and instructed well enough and to differ an infected file/PUP from a clean sample. So, in this case, maybe antimalware software are more like an addition to feel safe.

Now, picture an ordinary home with a PC computer, shared by parents and kids. Parents who use Microsoft's Office to work. Kids who use social networks to communicate and flash-based online games, not forgetting about the infinit downloads for playing installed games. We're talking about adults who may by victims of ransomware through MS Word's macros. We're talking about Flash plug-in abuse from hackers to infiltrate or infect your system. And of course, we're talking about the hundred of possible malwares filtrating through the "games" downloaded.

For us, for experts and for people who know about security, maybe it's not as necessary as researchers highlight it to be. For ordinary people, families and work offices, i must say is a must. Maybe it really protects a 50-60% of all the malware attacks/hackers/crackers out there. But at least we're half less attacked.

 

[_CyberGhosT_]

Anti-Virus fans have to wake up and realize that most "sig-based" solutions
have now been rendered ineffective and obsolete for any platform including
the PC.
I have been Sig-free for some time now, and my security and the performance
of my PC have both got a leg up. I started experimenting with Sig-free at a time
when the choices were slim, now there is plenty to run with that are quite effective.
This is one area where sticking to "as is" because it is comfortable or familiar
is going to cost the lazy ones in the long run.

 

[Azure]

When he said that antivirus are ineffective. Did he mean the signature detection aspect of them or every component in an antivirus? Like behavior blocker, HIPS, sandbox, and intrusion detection system(which Bitdefender seems to have).

 

[DardiM]

Thanks for the share

I think "sig" is the minimum for all AV, and has to be completed with other methods.
Not all malware are zero days (once detected at least one time), and the infection for some people could quickly avoid infection for others.

 

[Ink]

“We need to stop investing in those things we have shown do not work,” he continued, adding that antivirus solutions are nothing more than ineffective magic that most admins install just because they have to, not because they’re efficient.

I agree with this. Antivirus are ineffective when you think how many malware it takes to bypass it's signature-based detection. Using signature-less protection, for example, Default Deny or Anti-Executable.

I am not saying Signature-less is better, but based on the fact that even with an Antivirus installed, you're more likely to have malware go undetected than prevented.

 

[RoboMan]

I agree with this. Antivirus are ineffective when you think how many malware it takes to bypass it's signature-based detection. Using signature-less protection, for example, Default Deny or Anti-Executable.

I am not saying Signature-less is better, but based on the fact that even with an Antivirus installed, you're more likely to have malware go undetected than prevented.

Are you saying that sig-less methods should complement sig-based software? Or that sig-less methods should be the only active protection on a system? E.g: adding anti executables and antivirus / only anti executable & other sig-less software

 

[cruelsister]

Google Security did a survey of Security Pros about a year ago. One of the questions was if they thought the traditional AV was of any value. 5% Yes, 95% No (and the 5% were probably lying).

 

[Fritz]

I think this has to be taken with a grain of salt, just like the "100%" claims from AV companies or labs.

There's no doubt in my mind that it's better to have some AV solution than not. Now if that solution is gonna cover your behind completely is a whole different story. Take a condom for example. You can use one and handle it inappropriately or infect yourself with an STD through different pathways while using it. Yet nobody in their right mind would recommend to never ever use one. It's one part of the puzzle, just like AV measures.

Sig-based malware isn't on top of the foodchain anymore, but it's still found in the wild, so why not have an AV trash it? Yes, a good behavior blocker is great on top. So is using half a brain while using the web and handling data in the first place.

 

[cruelsister]

Fritz- It's not that the traditional AV can't catch malware that has been around for a day or two (or longer); it's that there is a period of 6-8 hours from the first release of malware that no AV works against. For me that is significant and unacceptable.

As to being smart on the Web, that also is a thing of the past with the advent of maladvertising. A totally legitimate website can host malicious ads. They rely on third party companies from whom they get the ads to make sure they are fine, but this often does not happen. An example can be found here: Major sites including New York Times and BBC hit by 'ransomware' malvertising

An infection can occur to anyone, and being careful has nothing to do with it.

 

[Fritz]

Thanks for your thoughts @cruelsister, I really appreciate that.

Still, I think being careful is the first line of defense. Of course, that includes doing away with ads. Also, I use NoScript and only allow the content I specifically need. To me, the AVs are the cherry on top.

 

[AtlBo]

I have been Sig-free for some time now, and my security and the performance
of my PC have both got a leg up. I started experimenting with Sig-free at a time
when the choices were slim, now there is plenty to run with that are quite effective.
This is one area where sticking to "as is" because it is comfortable or familiar
is going to cost the lazy ones in the long run.

CyberGhosT...is this better than EMET? I have been reading that EMET can be bypassed. MS apparently has done nothing with the information to improve the program, while improving security in W10. I feel sad about this, considering it doesn't seem unusual for many users to be still using W7 or W8 and with EMET. Here are a couple of links on overcoming EMET:

Bypassing EMET 5.2 Security Protection » Active Directory Security

Scrutiny from an Inquisitive mind: Defeating EMET Protections (2)

This individual had an amazing discourse with the developer of Voodoo Shield. I recommend anyone with more than a passing interest in security read the conversation. Unfortunately, the conversation ended with this thread being closed of all things, which it has been since October of last year. I personally think both of the main participants are right, but others may have more knowledge based opinions than I on that subject. BTW, the thread was closed mostly due to well meaning 3rd party comments I believe, rather than those of the two primary participants. The thread can be accessed here:

Could anti-exe programs prevent applications from executing unknown dlls?

Comments begin at the end of page 5 and continue through to page 9 (end of thread). The conversation actually began here at MTs and was moved on request of the Voodoo Shield developer who expressed an interest in possibly acquiring a sample of code that could break VS as the individual's code had broken EMET. The Wilder's thread is the conversation.

 

[ForgottenSeer 55474]

I believe in my heart that Antivirus and Anti Malware works

 

[enaph]

I believe in my heart that Antivirus and Anti Malware works

It's not about what you believe in but about bare facts and those say that AV's are the last tools to rely on when we are talking about being secure.

 

[_CyberGhosT_]

I believe in my heart that Antivirus and Anti Malware works

The sad part is, what you believe in your "heart" will do nothing to protect your machine,
like pablozi points out it's just not that kind of world my friend.
I had a soft spot for BitDefender for many years, I just happen to know when it's time to move on, and "for me" when the time came I moved on

 

[_CyberGhosT_]

CyberGhosT...is this better than EMET? I have been reading that EMET can be bypassed. MS apparently has done nothing with the information to improve the program, while improving security in W10. I feel sad about this, considering it doesn't seem unusual for many users to be still using W7 or W8 and with EMET. Here are a couple of links on overcoming EMET:

Bypassing EMET 5.2 Security Protection » Active Directory Security

Scrutiny from an Inquisitive mind: Defeating EMET Protections (2)

This individual had an amazing discourse with the developer of Voodoo Shield. I recommend anyone with more than a passing interest in security read the conversation. Unfortunately, the conversation ended with this thread being closed of all things, which it has been since October of last year. I personally think both of the main participants are right, but others may have more knowledge based opinions than I on that subject. BTW, the thread was closed mostly due to well meaning 3rd party comments I believe, rather than those of the two primary participants. The thread can be accessed here:

Could anti-exe programs prevent applications from executing unknown dlls?

Comments begin at the end of page 5 and continue through to page 9 (end of thread). The conversation actually began here at MTs and was moved on request of the Voodoo Shield developer who expressed an interest in possibly acquiring a sample of code that could break VS as the individual's code had broken EMET. The Wilder's thread is the conversation.

I don't mess with EMet so you most likely know more concerning EMet than I do. MS does not have the best Track Record
so my sources for security tend to be on the other end of the spectrum
I am very aware of VS and it's history, I beta'd it from the start and Dan and I are friends.
I admire and respect those that have the ability and skill to compete on the level that Dan does yet maintain his honor and good nature at the same time.
But yes to answer your question, I have no doubt that VoodooShield is in a league of it's own
when it comes to EMet .

 

[RoboMan]

Let's be honest. There's a reason why antivirus and antimalware stopped long ago being effective and that's because malware programmers focused on coding their programs on a why to run without alerting the AV's technology. And why was this? Because most of the users had an antivirus that would ruin their job.
Now, it's as well incorrect to say anti executers and such programs are the future of cybersecurity. When antivirus are obsolete and everyone owns an anti executer on their system, coders will focus their work on hiding as much as possible processes and command lines used so not to alert such software. We have studied this, haven't we?

The same applies to all those home users who ever told us "Mac is better cause it's invulnerable to virus" and deeply inside we know, it's not, and if Mac ever becomes the most used platform, malware will spread as fast as in Windows nowadays.

 

[AtlBo]

Thanks for the information CyberGhost. VDS dev does seem like he's super as you say honorable and good natured. I will look at VooDoo shield. Watching the videos on the VDS site was great. The company seems to be determined to present the product accurately. Impossible not to respect that for anyone.

[I believe in my heart that Antivirus and Anti Malware works/QUOTE]

One thing that occurs to me about anti-virus to consider is the fact that a-v companies have such powerful labs and great ability to find threats. This seems to me reason enough to keep the a-v side alive and well, especially considering all the functions that are bundled with the a-v apps these days. What would VirusTotal be with the contributions of the major a-v and defs providers? And VooDoo Shield, for an example, depends on VT for information, even though it's primarily an anti-executable.

 

[motox781]

I see a lot of talk about people saying: "Sig base protection is no good". To be honest though, what modern 'widely used' AV nowadays uses strictly signature based protection only? I can't think of any that heavily relies on signatures only.