Google Engineer Says Antivirus Apps Are Ineffective Magic, Don’t Genuinely Help

[motox781]

And one more point, I run a small PC repair business and it's been awhile since I've cleaned malware from systems. Most of the stuff I see is PUPs, but still very little. Everything seemed to change around Windows 8.1. I don't think the change came from Windows Defender or third party AVs, but with Windows OS becoming more secure and possibly a combination of other factors (removal of JAVA from systems, reduction of Flash content, stricter AD removal policies, etc).

 

[Solarquest]

I cannot imagine a PC without any security program.
AV protect you from known malware with signatures and from unknown with heuristic, Hips, BB, sandbox, anti-exe/whitelist etc.
What signature detect won't be executed (unless user likes to "play with fire") and system is safe.
Unknown samples might get blocked by AV as not.
BB, Hips , anti-exe/whitelist etc are the future and the best protection from unknown malware but signatures will always be there for known malware...at the end, to prevent is better than to heal...

 

[ForgottenSeer 55474]

Move on to what,BD is the best AV

 

[Vipersd]

For a long time AV software was the only defence from viruses and similar stuff.

Today it is useful tool but only as one of several layers of defence against malware.
Personaly I don't like integrated software like today's AV on the market. In my opinion it is better to have indipendent software for each kind of threat.

It is like IE integrated in Windows which was the dumbest posible idea. Modular and indipendent ways of interworking between software on the computer is solution. If one thing is compromised, then simply delete that and start again. Integrated stuff gets all infected.

 

[motox781]

For a long time AV software was the only defence from viruses and similar stuff.

Today it is useful tool but only as one of several layers of defence against malware.
Personaly I don't like integrated software like today's AV on the market. In my opinion it is better to have indipendent software for each kind of threat.

It is like IE integrated in Windows which was the dumbest posible idea. Modular and indipendent ways of interworking between software on the computer is solution. If one thing is compromised, then simply delete that and start again. Integrated stuff gets all infected.

I understand your analogy. Competition is good. I agree. But the argument against that would be the same thing Android is suffering from: fragmentation. Apple seems to do a pretty good job with security, considering they corner the market on a lot of apps within both Mac OS and IOS.

 

[DardiM]

What I have often seen / heard around me :

"I want / need some free apps to do some tasks. Then I have to let the prog to be run : I can't "anti-exec" all "

=> several others methods have to be used to detect bad apps (sig from database, bad behavior detection, etc).

What seems to be evident for some users, can be the opposite for others.
A secured PC is a PC without users, and turned off - From DardiM

 

[AtlBo]

Oh yes, one other thing that might be considered about traditional a-v is the on demand and scheduled scanning ability that comes with all the a-vs. Also most of them monitor removable storage devices. Seems to me kind of hard to separate these two functions from the simple traditional defs formulas, especially since the a-v programs are responsible in so many senses for catching known bad files. Definitely another layer of defense can be found in this thinking I would say. A super clever malware might evade even complex HIPS or even anti-exe somehow (I don't see how honestly), but if it is known malware the old fashioned defs approach will catch the file and block the attack, no matter where it starts. Maybe it's simplistic by some standards, but it does seem to me that standard a-vs are useful in many ways. I find the 360 TS bundle very competent, and it blocks numerous potential threats. Even blocked 3 times VoodooShield during installation for the changes to the system it makes. Bundling this with database recognition seems smart all things considered.

What I have often seen / heard around me :

"I want / need some free apps to do some tasks. Then I have to let the prog to be run : I can't "anti-exec" all"

=> several others methods have to be used (sig from database, bad behavior detection, etc).

Very good point DardiM. Very well said, and I find myself in this predicament sometimes I'm sorry to say. I hate it when it happens, but a really good a-v can be the extra layer, including the db sig recognition...

 

[Vipersd]

Android has a problem with the concept itself. Another problems with android is that in 90% of devices it comes unrooted and full of bloatware.

Clean the OS itself and lock it. OS just need's to be a good trafic cop not the Jack of all trades but master of none.

Another problem is the concept of the open software without any boundaries and guidence for secure operating. Everyone can write an app, but is it secure, who checks it before people can use it?

 

[tim one]

PEBKAC (Problem Exists Between Keyboard And Chair).

If, in a normal situation, the average user receives a suspicious email attachment (for example) and he scan it with his anti-virus/anti-malware and these do not detected malware inside the attachment, then two possibilities are in place:

1. the attachment is clean
2. the attachment is infected but FUD

The decision to infect the system or not is of the user who decides whether to open the attachment or not.

In 90% of cases, the average user opens the attachment, confiding in his AV/AM.

 

[XhenEd]

I agree that sig-based approach, by itself alone, will fail, especially against zero-day malware. But even then, I still consider sig-based approach as an essential component of today's anti-malware industry (I'm not talking about a product, but the whole of security industry). This is because majority of users don't know the difference of clean software and malware. It's better to have an imperfect blacklisting solution to decide for these people, than having none. Better to lower infection probability, than a hundred percent chance of infection.

Signatures will be for blacklisting.
Heurisitics/Behavior Blocker/HIPS will be to block malware activity.
Default-deny will be for whitelisting.

I believe most AVs today employ one or more of the above solutions apart from just signatures.

As for me personally, though, default-deny solution is the most secure.

 

[tim one]

I agree that sig-based approach, by itself alone, will fail, especially against zero-day malware. But even then, I still consider sig-based approach as an essential component of today's anti-malware industry (I'm not talking about a product, but the whole of security industry). This is because majority of users don't know the difference of clean software and malware. It's better to have an imperfect blacklisting solution to decide for these people, than having none. Better to lower infection probability, than a hundred percent chance of infection.

Signatures will be for blacklisting.
Heurisitics/Behavior Blocker/HIPS will be to block malware activity.
Default-deny will be for whitelisting.

I believe most AVs today employ one or more of the above solutions apart from just signatures.

As for me personally, though, default-deny solution is the most secure.

That's why I said above and I agree.
The average user relies mainly on signatures, not all the average user can deal with a HIPS or behavior blocking.
If the attachment above is a real .pdf file but contains malicious code, the user could see, at the time of executing, a BB warning as : " invoice.pdf trying to inject code in Adobe Reader".
The average/inexperienced user might think simply that the file needs some permission to be open from Adobe R.
Absolutely wrong: a legitimate .pdf file does not inject code!
This is to say that the majority of average users, click "allow" because they are not adept in the understanding of the most advanced alarms.
The first filter for the average user, are the signatures that are nowadays more and more ineffective.

 

[_CyberGhosT_]

I like that we don't all agree, but we have one common focus and that's "Security"
If we all thought alike this would be one boring place.
Great feedback !

 

[Xtwillight]

soory my English is not good.
The statement the senior security engineer Darren Bilby in the
Article is not correct.

he says Quote:
"antivirus apps are simply ineffective and the security world should concentrate its efforts on things that can make a difference.
“Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying ‘Thank god it inhaled all the poisonous gas’.”

I Say:
The canary in the coal mine has many lives
Saved why? The small lungs of the bird and the bodies of the
Birds were quickly enriched with carbon monoxide and so on
Died the bird. The miners were warned and left
The part of the pit building.

he say Quote:
The Google engineer eventually calls for security experts and hackers to concentrate on things that are more important, such as intrusion detection systems that can make a difference and protect users even if they access malicious websites or open compromised documents.

I say :
IDS =Intrusion Detection System
Can be used as an attack target itself see:
Intrusion Detection System – Wikipedia
Smart protection
Behavior blocker, HIPS, sandbox, and intrusion detection system,
Will form a future together.

Cruelsister good Statement : Google Engineer Says Antivirus Apps Are Ineffective Magic, Don’t Genuinely Help

So long advertising areas rented
But can not be controlled, It is always To be a danger.

So long secret services Exploit now
and for your purposes use It is a danger.

So long Operating systems Such as Windows,
it enable with small things a system competing To be able to.
There will be no right Protection

 

[Vipersd]

To prevent intrusion you need strong wall in case of IT it is firewall both hardware and software. Problem is that wall can be breached. In order to secure your fortress or in IT your PC you need layered protection which could fight against the breach. That is why modular and indipendent software is important. If you defeat integrated version you would probably go right through an compromise entire antimalware software. With modular aproach every indipendent software is backing each other and provide much harder defences.

We all think along the same way with some diferences that layered approach is the best way to protect your PC.

Firewall
AV
Antimalware
Software for locking your system
Virtuelisation and sanboxing

 

[Andy Ful]

Darren Bilby is right. The traffic lights are simply ineffective and the traffic security world should concentrate its efforts on things that can make a difference. There are some known solutions like: avoiding traffic (Anti-Exe, White listing), working at home using computers and sending avatars to company meetings (Virtualization, Sandboxing). It is also good to constantly watch the cars and to not cross the road when they are less than 100m ahead (HIPS).
I use all these solutions, and I'm happy. My friends don't, and they are happy too.
Sadly, most people prefer usability over security.

To be serious, I think that he is right, especially when we are talking about targeted attacks.
But the weakest point in business/institution security is still the human factor, and bad security education.

 

[jamescv7]

There is the point where Antivirus is ineffective.

Of course the terminologies are not clear which parts of component rises but for sure its all about signatures.

People should know that it has proper combination process and relying too much on AV will not help you out.

 

[Andy Ful]

To prevent intrusion you need strong wall in case of IT it is firewall both hardware and software. Problem is that wall can be breached. In order to secure your fortress or in IT your PC you need layered protection which could fight against the breach. That is why modular and indipendent software is important. If you defeat integrated version you would probably go right through an compromise entire antimalware software. With modular aproach every indipendent software is backing each other and provide much harder defences.

We all think along the same way with some diferences that layered approach is the best way to protect your PC.

Firewall
AV
Antimalware
Software for locking your system
Virtuelisation and sanboxing

It is true, but the problems sometimes arise when the layers silently do not like each other. We do not know how really the layers work at some deeper level, so choosing the good setup is not trivial.

Thankfully, we have Malweretips forum to share problems and solutions.

 

[jamescv7]

Virtualization is likely the common setup that you may see for some enterprise or institution nowadays.

However you need some protection that rely fully on cloud to detect possible intrusions especially where external drives may contain threats that tries to infect even though the system is virtualized.

 

[susan albert]

one smart person who think like me. I am not using antivirus for some time now.

I am also doing same thing!
Fordyce