How Antivirus Companies Are Hacking the Truth -- and Making Us All More Vulnerable

5

509322

Everyone defending Default-Deny, have any of you ever used Comodo, avast!'s Hardened Mode (Aggressive) or Microsoft SmartScreen in Block mode?

Yes.

The purpose of default deny is to block everything by default. That's why it is called default deny. Otherwise it is default allow.

The whole objective is to lock down and closely monitor the system. What you call "inconvenience", Microsoft and the industry calls "protection." So it is a matter of diverging perspectives.

Anyone can easily show that "Accommodating users who want to use stuff is the fundamental cause of our current blight."

Unless you happen to be a beta tester

Default deny publishers aren't going to make it different because beta testers find it inconvenient. Beta testers are expected to deal with it. No further discussion needed.

someone who always updates things to latest versions on day zero

This is an issue with reputation-based systems that employ file change monitoring. The whole point of default deny is to block system changes - unless the user authorizes such changes in one way, shape, form or another. Either by creating exclusions manually one-by-one or creating permanent allow rules. I know it can be done in COMODO. With Avast you have to get them to whitelist by publisher certificate or file. Same thing with Microsoft SmartScreen. These protection features were created and designed to block stuff newly introduced to the system. They are meant to maintain a steady-state system. If a user's goal is not to maintain a steady system-state, then

Policy-based default deny does not have this issue. Our product, for example, permits the vast majority of updates to proceed in system lock down mode. And if something is being blocked the user can easily create allow exceptions in the vast majority of cases.

Creating allow exceptions and preventing many legit system changes from being blocked is typically a one-time configuration matter. So I have a very difficult time grasping how it can be called "inconvenient."

If the "inconvenience" is defined as the user having to do a single thing in the first place, then by that definition they should never, ever, turn on a single digital device.

or happens to be a developer.

Really? A developer doesn't even bother messing with work on the real desktop because this is a known issue with both default allow and default deny solutions. Windows Defender itself causes tons of issues for developers. This is widely known and accepted.

Developers circumvent such issues by coding in a virtual machine with all interfering protections disabled inside the VM... and that includes Windows Defender, MSE, etc because they invariably cause problems.

but as soon as you step outside of casual expectations, it becomes a huge inconvenience.

I don't know... millions of people use default deny and get it to work on their unique systems and with their unique circumstances.

I suppose it all comes down to a user's definition of "inconvenience" and their tolerance for it.

No protection model is going to work for everyone. That's why I advocate people should use what they like... what works best for them.
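The post above draws a line between reputation-based default deny (which watches for file changes and so trips on every day-zero update) and policy-based default deny (where a one-time allow rule keeps legitimate updates flowing). The following is an added example written for this thread, not code from Comodo, Avast, SmartScreen or any other product mentioned here. It is a minimal policy evaluator in Python: the executables, publisher name and file contents are constructed, and it assumes an allow rule can key on either a file hash or a signing publisher. It shows why a default-allow and a default-deny policy disagree on an unknown unsigned binary, why a hash-only allow rule silently re-blocks an application the moment it updates, and why a publisher rule survives the update while still denying the unsigned file.

```python
"""Added example (not from the thread or any vendor): a tiny policy-based
default-deny evaluator. Every executable, publisher and hash below is
constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Mode(Enum):
    DEFAULT_ALLOW = "default-allow"  # run unless a rule blocks it
    DEFAULT_DENY = "default-deny"    # block unless a rule allows it


@dataclass(frozen=True)
class Executable:
    path: str
    publisher: Optional[str]  # signer name; None means unsigned (assumed model)
    content: bytes            # file bytes, constructed for the example

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    mode: Mode
    allowed_hashes: Set[str] = field(default_factory=set)
    allowed_publishers: Set[str] = field(default_factory=set)
    blocked_hashes: Set[str] = field(default_factory=set)

    def decide(self, exe: Executable) -> Tuple[bool, str]:
        """Return (allowed, reason). Explicit block wins, then explicit allow
        rules, and only then does the mode's default apply."""
        if exe.sha256 in self.blocked_hashes:
            return False, "blocked by hash rule"
        if exe.sha256 in self.allowed_hashes:
            return True, "allowed by hash rule"
        if exe.publisher is not None and exe.publisher in self.allowed_publishers:
            return True, "allowed by publisher rule (%s)" % exe.publisher
        if self.mode is Mode.DEFAULT_ALLOW:
            return True, "no rule matched; default allow"
        return False, "no rule matched; default deny"


# Constructed sample files: the same signed tool before and after an update,
# and an unsigned download nobody has written a rule for.
APP_V1 = Executable("C:/Program Files/Tool/tool.exe", "Example Tool Publisher", b"tool v1.0")
APP_V2 = Executable("C:/Program Files/Tool/tool.exe", "Example Tool Publisher", b"tool v1.1")
UNKNOWN = Executable("C:/Users/me/Downloads/setup.exe", None, b"unsigned installer")


def unknown_binary_by_mode() -> Dict[str, bool]:
    """The unknown file is the whole disagreement between the two models."""
    return {m.value: Policy(m).decide(UNKNOWN)[0] for m in Mode}


def hash_rule_across_update() -> Dict[str, bool]:
    """A hash allow rule is tied to one build: the update changes the hash,
    so the updated binary falls back to the default and is denied."""
    policy = Policy(Mode.DEFAULT_DENY, allowed_hashes={APP_V1.sha256})
    return {"v1": policy.decide(APP_V1)[0], "v2": policy.decide(APP_V2)[0]}


def publisher_rule_across_update() -> Dict[str, bool]:
    """A publisher allow rule is the one-time configuration the post describes:
    both builds pass, the unsigned download still does not."""
    policy = Policy(Mode.DEFAULT_DENY, allowed_publishers={APP_V1.publisher})
    return {
        "v1": policy.decide(APP_V1)[0],
        "v2": policy.decide(APP_V2)[0],
        "unsigned": policy.decide(UNKNOWN)[0],
    }


if __name__ == "__main__":
    print("unknown binary by mode:", unknown_binary_by_mode())
    print("hash rule across update:", hash_rule_across_update())
    print("publisher rule across update:", publisher_rule_across_update())
```

The design choice worth noticing is the order inside `decide`: an explicit block rule outranks an explicit allow rule, and both outrank the mode default, so switching a policy from default allow to default deny never changes a decision that a written rule already covers; it only changes what happens to files nobody has made a decision about.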

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,760
I'd like to ask a question as I never used a default deny solution... How does it deal with big system changes such as Windows Update? Do you need to turn it off before updating and manually allow the changes later?
5

509322

The future of AI/ML and default allow, for it to work properly and better, is "Collect it all to know it all, then make a determination of good versus bad." No different than what the NSA was so bitterly accused over.

"Users that want to use stuff with 'convenience'"... well, by its very nature, that model is based entirely upon massive data collection.

So then, people will argue "you violate my privacy!"

Dealing with people and their nonsense. You can't have it both ways. It just ain't gonna happen.

Like I always say... people are inherently the problem. You cannot solve these problems without first educating people and making them a big part of the solution. And then, even if you do that, many still don't do what they're supposed to do. We cannot protect people from themselves. People create these problems but don't do what is needed to solve them. That's why every EULA says "It's on you buddy..."
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I'd like to ask a question as I never used a default deny solution... How does it deal with big system changes such as Windows Update? Do you need to turn it off before updating and manually allow the changes later?
It depends what software you are using and how you have it configured, but I have tried a lot of different default deny solutions, and they all seem to do okay with Windows Update.
If you are updating to a whole new version, such as to Windows 10 1809, then you should disable ALL your security software. But regular monthly updates are not a problem.
 
5

509322

I'd like to ask a question as I never used a default deny solution... How does it deal with big system changes such as Windows Update? Do you need to turn it off before updating and manually allow the changes later?

I'd worry more about the Windows Update itself borking your system.

3rd-parties do not run around testing Windows Insider Program to any significant degree. It is because Microsoft changes stuff between the last WIP release and what is actually released. So it is just best to wait until a major Windows Update is released and then fix the problems that Microsoft caused.

3rd party induced problems are not the real issue. Microsoft itself is the problem.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
Thoughts about where an Antivirus app cannot exist;
  • iOS
  • Windows Phone / Windows 10 Mobile
In order to understand why you don't need antivirus software for your iOS device, it's important to understand how those programs function on devices that run other operating systems. Rich Mogull, analyst & CEO of the Securosis security firm, tells us that in order for antivirus software to work, it needs hooks into the operating system that — when available — "also create potential vulnerabilities."
[..]
Mogull explained that these hooks provide "very deep access to monitor what's going on and detect malware," and can lead to situations where the antivirus software "becomes the target of the attack." iOS doesn't allow for the possibility to latch such hooks into its system, thanks to a design that deeply separates the apps from the rest of the system, a process commonly known as sandboxing.
- Why Apple iPhones Don't Need Antivirus Software

artek

Level 5
Verified
May 23, 2014
236
I'm not really certain a default deny setup adds anything to the security of my systems. I am not running scripts, files, word documents, etc., that I don't either expect to be receiving or have not been downloaded from legitimate websites. I could of course be wrong, but there's two primary ways I can see myself getting infected - the first being a flaw in the browser combined with a flaw in the OS. The second being something that I believe to be safe that I'm going to run anyway. CCleaner for example, or some other kind of file that wouldn't typically be used to deliver malware that has a flaw in it which leads to system compromise.

Would a default deny setup stop the first kind of issue? Possibly. One of the most recent times I've been compromised was using a default deny setup. The second issue a default deny setup would do nothing because I believe the file to be safe, so I'm going to allow it anyway. Default deny works wonders for less knowledgeable users, one only needs to look at iOS to see an example of that, but I believe it needs to be combined with some sort of authoritative mechanism to verify the non-malicious nature of applications users install. Apple does this a bit better than Google, but there have still been cases where someone has managed to sneak a malicious application onto the iOS App Store. If you were to put a default deny/containment setup on a windows machine it needs to be combined with some sort of a whitelist or the novice user is going to be annoyed to the point of allowing everything thus defeating the strengths of a default deny system.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
I'm not really certain a default deny setup adds anything to the security of my systems. I am not running scripts, files, word documents, etc., that I don't either expect to be receiving or have not been downloaded from legitimate websites. I could of course be wrong, but there's two primary ways I can see myself getting infected - the first being a flaw in the browser combined with a flaw in the OS. The second being something that I believe to be safe that I'm going to run anyway. CCleaner for example, or some other kind of file that wouldn't typically be used to deliver malware that has a flaw in it which leads to system compromise.

Would a default deny setup stop the first kind of issue? Possibly. One of the most recent times I've been compromised was using a default deny setup. The second issue a default deny setup would do nothing because I believe the file to be safe, so I'm going to allow it anyway. Default deny works wonders for less knowledgeable users, one only needs to look at iOS to see an example of that, but I believe it needs to be combined with some sort of authoritative mechanism to verify the non-malicious nature of applications users install. Apple does this a bit better than Google, but there have still been cases where someone has managed to sneak a malicious application onto the iOS App Store. If you were to put a default deny/containment setup on a windows machine it needs to be combined with some sort of a whitelist or the novice user is going to be annoyed to the point of allowing everything thus defeating the strengths of a default deny system.

I completely agree with you, great post.

Default deny is much better for less knowledgeable users than for more experienced/geeks users, somewhat contrary to popular belief.

Comodo with cruelsister settings is a good compromise between security and usability for example, it can be used by every kind of user, but it still has much more value for the "beginner".

IMO the fear of malware infection in a domestic environment is something overrated, it is so simple to avoid infections if you are using up to date software (Windows 10 + Chrome + Adblocker).
 
5

509322

or the novice user is going to be annoyed to the point of allowing everything thus defeating the strengths of a default deny system.

That's all on the user. The user is entirely the problem. People will want to argue some kind of counter point, but it is an exercise in futility.

A user that uses a product incorrectly is all their fault. It is their responsibility to figure out how to use it properly and use it properly every single time. That's why people fail 90 out of 100 times with warranty claims... because they misused the product which immediately voided the warranty.

I could of course be wrong, but there's two primary ways I can see myself getting infected - the first being a flaw in the browser combined with a flaw in the OS. The second being something that I believe to be safe that I'm going to run anyway

They're called application and OS exploits. All you need is a single type for your system to be pwned. There are two types, zero-day and known. True zero days with remote code execution are worth a lot of money. Enough money that the ones that find it will probably sell it instead of trying to scale it up and make it work in some hokey, end-user campaign that will net them less money. The known ones get the systems that are unpatched or running unpatched softs. Exploits target the most widely distributed softs out there. The popular ones.

I am not running scripts, files, word documents, etc., that I don't either expect to be receiving or have not been downloaded from legitimate websites.

You don't have to be a high risk user for your system to be pwned. But the reality is that - if you are a safe user - the likelihood of infection is low.

And in truth, you can run default Windows security and never get infected.

It all comes down to what the user wants.

And if a user doesn't know, well then it's all on them. That's life bro. That applies to so many things in life. You are an adult, it is your responsibility to figure it out. IT security is no different.

I'm not really certain a default deny setup adds anything to the security of my systems. I am not running scripts, files, word documents, etc., that I don't either expect to be receiving or have not been downloaded from legitimate websites. I could of course be wrong, but there's two primary ways I can see myself getting infected - the first being a flaw in the browser combined with a flaw in the OS. The second being something that I believe to be safe that I'm going to run anyway. CCleaner for example, or some other kind of file that wouldn't typically be used to deliver malware that has a flaw in it which leads to system compromise.

Would a default deny setup stop the first kind of issue?

Default deny - the kind of default deny that I am talking about - stops just about everything. It is not difficult to learn nor difficult to use. It is not the inconvenience that some people make it out to be. The person is inherent to default deny. There are millions of people who make default deny work for them and they go about their stuff without obsessing.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Claims of such and such OS being "malware proof" are completely bogus. Two examples, from many:

This Nasty New Malware Can Infect Your Apple iPhone or iPad
Malware found lurking in apps for Windows Mobile

About the malware on iOS I doubt this vulnerability still exists and the infection method isn't that simple.

OS doesn't need to be totally malware proof for the user to be safe, the security on iOS is so high that you don't need to install antivirus or anything similar.
 
5

509322

Not sure what you read from that, but there's nothing to suggest they are Malware-Proof. :rolleyes:

It's a bogus claim. Just like it can be argued that the entire IT security industry is working on bogus claims - which is the whole premise of the article.

And just to prove it someone can show COMODO hacks and kill it.

They can take that to the article author and say "How you like them apples?"
 
5

509322

About the malware on iOS I doubt this vulnerability still exists and the infection method isn't that simple.

OS doesn't need to be totally malware proof for the user to be safe, the security on iOS is so high that you don't need to install antivirus or anything similar.

It doesn't matter. The implicit claims made by the guy are bogus. It's a black and white issue.

If you didn't realize it, iOS is a default deny device.

Of course people are much better off on iOS than they are on Android... any day.
 

artek

Level 5
Verified
May 23, 2014
236
That's all on the user. The user is entirely the problem. People will want to argue some kind of counter point, but it is an exercise in futility.

A user that uses a product incorrectly is all their fault. It is their responsibility to figure out how to use it properly and use it properly every single time. That's why people fail 90 out of 100 times with warranty claims... because they misused the product which immediately voided the warranty.

They're called application and OS exploits. All you need is a single type for your system to be pwned. There are two types, zero-day and known. True zero days with remote code execution are worth a lot of money. Enough money that the ones that find it will probably sell it instead of trying to scale it up and make it work in some hokey, end-user campaign that will net them less money. The known ones get the systems that are unpatched or running unpatched softs. Exploits target the most widely distributed softs out there. The popular ones.

You don't have to be a high risk user for your system to be pwned. But the reality is that - if you are a safe user - the likelihood of infection is low.

And in truth, you can run default Windows security and never get infected.

It all comes down to what the user wants.

And if a user doesn't know, well then it's all on them. That's life bro. That applies to so many things in life. You are an adult, it is your responsibility to figure it out. IT security is no different.

Default deny - the kind of default deny that I am talking about - stops just about everything. It is not difficult to learn nor difficult to use. It is not the inconvenience that some people make it out to be. The person is inherent to default deny. There are millions of people who make default deny work for them and they go about their stuff without obsessing.

I don't know that I agree that it's the user's fault. I think it's more the OS manufacturer's fault than anything. If compromises due to social engineering are the norm then there's something wrong with the system. Knowledgeable computer users are in the minority, and it is possible to design a system that is highly resistant to the problems a typical windows user faces. One only needs to look at iOS to see an example of it. That's not to suggest that permissive computing environments are bad, but I believe they're bad for your typical home-user.
5

509322

I don't know that I agree that it's the user's fault. I think it's more the OS manufacturer's fault than anything. If compromises due to social engineering are the norm then there's something wrong with the system. Knowledgeable computer users are in the minority, and it is possible to design a system that is highly resistant to the problems a typical windows user faces. One only needs to look at iOS to see an example of it. That's not to suggest that permissive computing environments are bad, but I believe they're bad for your typical home-user.

If I put in place security boundaries and you take them down, then that is all on you. It is no different using software.

The real failure is in user education. You simply cannot compensate for users' lack of knowledge and inexperience with software. Absolutely not. It is like putting a band aid onto an underlying genetic disorder. That's how stupid the solution is.

And it is the fault of the OS publisher that puts out such a permissive OS in this day and age. Of course permissive computing is a menace. It's the second reason we find ourselves in the current blight. The first reason is users. Ignorant user with matches + permissive OS loaded with flammable fuel = explosion. Dramatic, but apt example.

iOS is a lock down, default deny device. The whole point of iOS is to take as many user choices away from users because users cannot be trusted to protect themselves. "Users that want to use stuff" are a menace.

The malware problem cannot be solved by security software publishers alone. People are an integral part of the security. If people cannot handle it, then they should be given only devices with extremely restricted user choices. That, in fact, is the whole premise of iOS. People can be counted on to make bad choices - whether willfully or innocently. So you take away the choice in the first place.
 

artek

Level 5
Verified
May 23, 2014
236
For novice users yes, we agree. But I quite like being able to do whatever I want on systems I own. But my priorities are not the same as the stay at home mom, grandma/grandpa, etc.
 