Battle Least vulnerable antivirus

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Google’s ProjectZero team has found a lot of vulnerabilities in most AVs.
Microsoft made a step in the right direction by adding a sandbox for Defender.

I was wondering, which AV vendors are security conscious with respect to their own products? There’s little point in trying to further optimize Defender’s good detections & protection if the vendor software introduces new vulnerabilities.

509322

That’s security by obscurity; I’d rather pick the best-written software by a team that follows good practices.

No, it's the smartest way of coping with vulnerabilities. The smartest way to defeat a vulnerability, for example in Microsoft Office, is not to use Microsoft Office in the first place. The smartest way to avoid Windows vulnerabilities is not to use Windows. Avoiding targeted software is the leading mitigation strategy.

I don't know what you're going on about here, but like I've said, nobody does the kind of auditing that you're looking for because of the time and expense. An audit can delay things for quite a long time and nobody is willing to accept that. Also, no one that I know of is willing to spend the time, effort and money to audit old code that has been built upon over years, if not decades.

Not to mention the bottom line of expenses. How about if I do audits of everything and pass on those costs to end-users? Let's say, raise the price by $20, $50 or more for each subscription? I've mentioned this a number of times in prior posts but you have not once acknowledged it. All you want is for security softs to have no vulnerabilities, but you almost assuredly would not want to pay for that luxury. And I do call it a luxury as, practically, vulnerabilities are little to worry about because they are a fractional threat.

Bug bounty programs are hit-or-miss. In real terms, they close potential exploits. However, they do little to stop exploits generally: exploits still happen. They're more or less a speed bump to the determined. The determined are always going to find a way. If one doesn't understand those statements then they should research the topic in depth.

How well a piece of software protects the system is far, far, far more important than worrying about whether or not it has vulnerabilities. The topic of vulnerabilities in security software has been beaten to death forever and the industry's answer has simply been to ignore that debate. The uninitiated and uninformed just see it as a black-and-white issue of "is there a vulnerability?", and if yes, it must be fixed - and the publisher is negligent if they allowed it to be released in such a state. Well... it doesn't work that way. Even if there is a vulnerability it takes more than discovery to leverage it into an actual working exploit - which is something that very few have the capabilities, resources and willingness to make happen. Essentially, you are getting into the realm of high-capability organizations such as nation-state actors. If you're worried that some nation-state is going to exploit your security soft, then you have much bigger problems.

Unfortunately for you, you will find no security softs that meet your criteria. So either you revise your expectations or just don't use any security soft. Those are the two options.

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
No, it's the smartest way of coping with vulnerabilities. The smartest way to defeat a vulnerability, for example in Microsoft Office, is not to use Microsoft Office in the first place. The smartest way to avoid Windows vulnerabilities is not to use Windows. Avoiding targeted software is the leading mitigation strategy.

I don't know what you're going on about here, but like I've said, nobody does the kind of auditing that you're looking for because of the time and expense. An audit can delay things for quite a long time and nobody is willing to accept that. Also, no one that I know of is willing to spend the time, effort and money to audit old code that has been built upon over years, if not decades.

Not to mention the bottom line of expenses. How about if I do audits of everything and pass on those costs to end-users? Let's say, raise the price by $20, $50 or more for each subscription? I've mentioned this a number of times in prior posts but you have not once acknowledged it. All you want is for security softs to have no vulnerabilities, but you almost assuredly would not want to pay for that luxury. And I do call it a luxury as, practically, vulnerabilities are little to worry about because they are a fractional threat.

Bug bounty programs are hit-or-miss. In real terms, they close potential exploits. However, they do little to stop exploits generally: exploits still happen. They're more or less a speed bump to the determined. The determined are always going to find a way. If one doesn't understand those statements then they should research the topic in depth.

How well a piece of software protects the system is far, far, far more important than worrying about whether or not it has vulnerabilities. The topic of vulnerabilities in security software has been beaten to death forever and the industry's answer has simply been to ignore that debate. The uninitiated and uninformed just see it as a black-and-white issue of "is there a vulnerability?", and if yes, it must be fixed - and the publisher is negligent if they allowed it to be released in such a state. Well... it doesn't work that way. Even if there is a vulnerability it takes more than discovery to leverage it into an actual working exploit - which is something that very few have the capabilities, resources and willingness to make happen. Essentially, you are getting into the realm of high-capability organizations such as nation-state actors. If you're worried that some nation-state is going to exploit your security soft, then you have much bigger problems.

Unfortunately for you, you will find no security softs that meet your criteria. So either you revise your expectations or just don't use any security soft. Those are the two options.

If indeed nobody in the AV industry wants to write quality software, then the only option that makes sense is to use Microsoft’s product.

Nobody’s perfect and bugs exist in all pieces of software but MS does take development processes seriously.

509322

If indeed nobody in the AV industry wants to write quality software, then the only option that makes sense is to use Microsoft’s product.

Nobody’s perfect and bugs exist in all pieces of software but MS does take development processes seriously.

It's not just the security soft industry. It applies to all software. One need only look at Adobe, Oracle, Cisco, etc, etc. So to answer your question, like I have been saying over and over, no one does it.

People have to be willing to pay for it. And since almost everyone doesn't want to pay, they just aren't going to get it.

Really? When I look at the Microsoft CVEs, they literally number in the hundreds every year. Based upon those statistics it doesn't seem to me that Microsoft is all that great at managed development processes. And in many cases Microsoft refuses to fix CVEs because it doesn't consider the vulnerability to be an exploitable one.

The best recourse against all of that is to not use Microsoft products.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
It's not just the security soft industry. It applies to all software. One need only look at Adobe, Oracle, Cisco, etc, etc. So to answer your question, like I have been saying over and over, no one does it.

People have to be willing to pay for it. And since almost everyone doesn't want to pay, they just aren't going to get it.

Really? When I look at the Microsoft CVEs, they literally number in the hundreds every year. Based upon those statistics it doesn't seem to me that Microsoft is all that great at managed development processes. And in many cases Microsoft refuses to fix CVEs because it doesn't consider the vulnerability to be an exploitable one.

The best recourse against all of that is to not use Microsoft products.

This is going somewhat off topic, but Adobe, Cisco and Oracle are not the current top-tier tech companies; they are the ’90s top-tier tech companies. Today’s big tech, e.g. Google, Amazon and Microsoft, all build amazing software and have very good dev, build and release policies.

There are a lot of places, even outside big tech, where there are policies on build flags that apparently are not used by many AV companies, and the reason is stability. I’m not talking about security software (I never worked on security), where the presumption would be that they’d be even more careful with these things.

I’d take Defender from a company that does look at their compilation flags over any product from a company that doesn’t because using good software is important.
 

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
You better not use Windows then because it has an atrocious incidence of vulnerabilities.

This is getting off topic. If someone doesn’t like Windows, that’s fair enough, and they can enjoy OS X or Chromebooks or Linux or whatever they like more.

The main question is whether there are vendors who follow proper development processes and pay attention to the security of their own product, not about budget problems of AV companies or how enabling a compilation flag affects their timeline management. We’re not their project managers nor their board; we’re potential clients, and it’s a fair question to ask.

If they won’t do these things on their own, Defender upping the stakes is a good thing.

ForgottenSeer 58943

All of them will have 'issues', nobody here can specifically state any particular one that is more secure or less vulnerable because nobody really knows and most of them aren't even regularly audited or even have bug bounties that attract people to try and exploit them for disclosures.

You can bet all of the big name ones have off-the-shelf bypasses and exploits. You can also pretty much be assured your security is going to have a lower threat surface by using more obscure programs. That is - known bypasses are out there for something like Trend Micro, and in some cases plentiful, but not so much so for lesser used security programs because picking apart those programs requires time/effort/money and a particular actor that is being targeted won't even be using it anyway.

Also - this is important - programs that are regularly updated tend to have a lower threat surface (in some, not every case) because those updates can often break exploits/bypasses. It's good practice for developers to release fairly regular updates. A company I worked for years ago that had their stuff pirated a lot used to release constant patches because each patch broke the cracks for the program so constant updating was a form of copy protection in and of itself. :)

509322

So true. IMO software devs should develop both versions and let people choose. Some will want great coding and will pay.

Not really. The vast majority of people are not willing to pay for top quality. Nowhere is that more true than when it comes to software. No one is willing to pay for expensive audits. Spending literally thousands upon thousands of dollars to find and fix vulnerabilities... no one does it. It is just too expensive. It is more economically viable to just let others find and report vulns - the same way that corporations allow known problems to exist and cause damages because it is cheaper to pay out damages than to fix the original problem.

If I have to develop and maintain different product versions in parallel, then it is just going to drive up my expenses - which I am going to pass onto the consumer by raising prices even higher.

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
All of them will have 'issues', nobody here can specifically state any particular one that is more secure or less vulnerable because nobody really knows and most of them aren't even regularly audited or even have bug bounties that attract people to try and exploit them for disclosures.

You can bet all of the big name ones have off-the-shelf bypasses and exploits. You can also pretty much be assured your security is going to have a lower threat surface by using more obscure programs. That is - known bypasses are out there for something like Trend Micro, and in some cases plentiful, but not so much so for lesser used security programs because picking apart those programs requires time/effort/money and a particular actor that is being targeted won't even be using it anyway.

Also - this is important - programs that are regularly updated tend to have a lower threat surface (in some, not every case) because those updates can often break exploits/bypasses. It's good practice for developers to release fairly regular updates. A company I worked for years ago that had their stuff pirated a lot used to release constant patches because each patch broke the cracks for the program so constant updating was a form of copy protection in and of itself. :)

Zero bugs or exploits is impossible indeed, but while nothing’s perfect I’m looking for vendors that do look after the security of their own product.
The metric you mentioned, frequency of software updates (not signatures), is a good one and it’s quantifiable. How do vendors currently stack up with respect to update frequency?

509322

Zero bugs or exploits is impossible indeed, but while nothing’s perfect I’m looking for vendors that do look after the security of their own product.
The metric you mentioned, frequency of software updates (not signatures), is a good one and it’s quantifiable. How do vendors currently stack up with respect to update frequency?

Update frequency does not correlate with or ensure a low rate of exploitation.

Most use the "find and fix" method of fixing some (not all) of the vulnerabilities found and reported by others.

If frequency of updates is important to you, then it is very easy to identify the two publishers that have the capacity to adhere to it... Microsoft and Google. Despite this fact, Microsoft and Google products are routinely smashed by exploits.

The only ones that I know of that go on limited vulnerability hunts are Microsoft, Google, Cisco, etc. But like I keep pointing out, their products have among the highest exploit rates regardless of their frequent updates. The truth of the matter is that the malicious actors are able to stay ahead and outwit the publishers and the publishers are always playing catch-up. It's the eternal game.

If you want to know who sets compilation flags then you'll just have to contact each vendor individually.

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
Google’s ProjectZero team has found a lot of vulnerabilities in most AVs.
Microsoft made a step in the right direction by adding a sandbox for Defender.

I was wondering, which AV vendors are security conscious with respect to their own products? There’s little point in trying to further optimize Defender’s good detections & protection if the vendor software introduces new vulnerabilities.

No security software can run away from a lot of vulnerabilities. AV vendors are trying hard to patch them, and so are hackers/crackers, trying hard to exploit them. Hence if you want to minimise the vulnerability hassle, then avoid using commonly available/famous/well-known programs/software.

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Update frequency does not correlate with or ensure a low rate of exploitation.

Most use the "find and fix" method of fixing some (not all) of the vulnerabilities found and reported by others.

If frequency of updates is important to you, then it is very easy to identify the two publishers that have the capacity to adhere to it... Microsoft and Google. Despite this fact, Microsoft and Google products are routinely smashed by exploits.

The only ones that I know of that go on limited vulnerability hunts are Microsoft, Google, Cisco, etc. But like I keep pointing out, their products have among the highest exploit rates regardless of their frequent updates. The truth of the matter is that the malicious actors are able to stay ahead and outwit the publishers and the publishers are always playing catch-up. It's the eternal game.

If you want to know who sets compilation flags then you'll just have to contact each vendor individually.

I don’t consider Cisco at the same tier as the other two; it’s still a good company but not at the same tier. Most of the software I use is either from Google, Microsoft or big open-source projects. I don’t believe security by obscurity adds value.

As far as AV vendors are concerned, which is the main topic, so far there is evidence only for MS paying attention to the security of their AV product, so that’s probably the best option.

509322

I don’t consider Cisco at the same tier as the other two; it’s still a good company but not at the same tier. Most of the software I use is either from Google, Microsoft or big open-source projects. I don’t believe security by obscurity adds value.

As far as AV vendors are concerned, which is the main topic, so far there is evidence only for MS paying attention to the security of their AV product, so that’s probably the best option.

Reducing attack surface by not using targeted programs is Basic Security 101. It is a well established, widely accepted, and extremely effective mitigation. In fact, it is the most effective and smartest way to avoid exploits.

Picking Microsoft is an odd choice given the fact that its products are exploited at the highest rates within the industry despite the extensive "find and fixing" going on.

Vulnerabilities are among the least understood of all IT security issues on the forums - especially the practical aspects. So the nature of this thread doesn't surprise me one bit.

As I pointed out in my very first post, in Ormandy's opinion Windows Defender is the least vulnerable. However, that doesn't make much of a difference when the product will allow your system to become infected. All the quality control and compilation flags in the world won't mean anything if the product routinely performs miserably against new malware, USB flash drive infections, and other attacks.

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Reducing attack surface by not using targeted programs is Basic Security 101. It is a well established, widely accepted, and extremely effective mitigation. In fact, it is the most effective and smartest way to avoid exploits.

Picking Microsoft is an odd choice given the fact that its products are exploited at the highest rates within the industry despite the extensive "find and fixing" going on.

Vulnerabilities are among the least understood of all IT security issues on the forums - especially the practical aspects. So the nature of this thread doesn't surprise me one bit.

As I pointed out in my very first post, in Ormandy's opinion Windows Defender is the least vulnerable. However, that doesn't make much of a difference when the product will allow your system to become infected. All the quality control and compilation flags in the world won't mean anything if the product routinely performs miserably against new malware, USB flash drive infections, and other attacks.

Defender performs rather well in lab tests though; why do you think it’s low grade (USB autorun is disabled on all my machines)?