
Ok, disclaimer first: I've previously worked at Kaspersky Lab (incident response division). Now, I want to say that many of the incidents that we have investigated would have been prevented by anti-virus software (in many cases AV software was deliberately disabled by the user). And I'm talking about incidents that resulted in million-dollar thefts - not just cases of some user getting cryptolocker on their home computer. I agree that AV software is bloated and has a very large, messy and barely maintainable codebase, but I disagree with people who say "I have never used any AV products and in 10 years have never been infected with malware" - this attitude is careless, to say the least, and in a corporate environment could lead to huge financial losses. There are many criminal groups that put serious effort into the development and distribution of malware - not just script kiddies, but professional programmers and hackers.

BTW, there is also region-specific malware - so for example I would rely more on Kaspersky for detection of malware targeted at Russian businesses than on Symantec or Microsoft AVs.



Just to play the devil's advocate, I do think that the attitude of "never use AV products" could work in a corporate environment, provided the administrators are competent and draconian enough to counterweight the absolute incompetence of users (because, frankly, the largest attack surface is the incompetence of the user):

use security policies of the domain to only allow whitelisted applications to be run;

restrict internet use to whitelisted destinations;

configure mail servers to accept only whitelisted sources, use DKIM/DMARC, and reject multipart messages.

Mandate usage of wired-only HID peripherals which are soldered to the port. Don't use wifi, and physically secure the access to network wires.

Glue shut all other computer ports.

Go all-out Saudi Arabian with people who don't comply with security policies and punish them by removing digits and public hangings for repeated offenses.

It's really that simple.
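The first item in that list (domain policy that only lets whitelisted applications run) is the one most organizations actually implement, usually through AppLocker. The script below is an added illustration, not code from the thread or from any poster: it builds an allow-list from the binaries already installed in administrator-only locations, dry-runs a candidate file against it, and stages the result in audit mode so the effect can be reviewed in the event log before anything is blocked. It assumes an elevated PowerShell session on a Windows machine with the AppLocker module, and the candidate path `C:\Users\Public\Downloads\installer.exe` is a placeholder to replace with a real test file.

```powershell
# Added example (not from the thread): build an AppLocker allow-list from the
# software already installed in trusted locations, test a sample binary
# against it, and stage the policy in audit mode first.
# Assumes an elevated session with the AppLocker module available.
Import-Module AppLocker

# 1. Collect publisher/hash information for executables in directories that
#    only administrators can write to. Anything outside these stays unlisted.
$trustedDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
$fileInfo = foreach ($dir in $trustedDirs) {
    if ($dir -and (Test-Path $dir)) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
    }
}

# 2. Generate rules: publisher rules for signed binaries, hash rules for the
#    rest. -Optimize collapses per-file rules into broader publisher rules.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Dry run: would a file in a user-writable folder be allowed to run?
#    PolicyDecision shows the outcome and MatchingRule the rule that decided it.
$candidate = 'C:\Users\Public\Downloads\installer.exe'   # placeholder path
if (Test-Path $candidate) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $candidate -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. Stage in audit mode: nothing is blocked yet, but every executable that
#    would have been blocked is logged (Event ID 8003 in the
#    "Microsoft-Windows-AppLocker/EXE and DLL" log). Review that log for a
#    few weeks, add rules for legitimate software, then switch to Enabled.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# Keep a copy of the generated XML for review and for a GPO import.
$policy.ToXml() | Out-File -FilePath "$env:TEMP\applocker-allowlist.xml" -Encoding UTF8

# Merge into the local policy. Enforcement (audit or block) also requires the
# Application Identity service (AppIDSvc) to be running.
Set-AppLockerPolicy -PolicyObject $policy -Merge
```

The audit step is what makes this workable in practice: an allow-list generated once from a clean machine will miss updaters, portable tools and scripts that users legitimately run, and the 8003 events show exactly which ones before anyone is locked out.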


I work as a security consultant for a major tech company and my clients are almost always Fortune 500 (with some Fortune 100 companies, and at least one top-10 company). When they hire us, we get to learn everything about their security infrastructure.

The trend is clear: AV is out, Carbon Black (or Crowdstrike, etc) is in. This is especially prominent in the financial industry. My wife works at a tiny local bank and they're doing trials of Carbon Black.

AV is terrible software, the chemotherapy of the security world. It only exists because it's slightly better than the alternative, and if you don't have an active disease, it acts as a disease of its own. You're glad it's there when it saves your life, but you curse its name every day. Application whitelisting tools don't interfere with the day-to-day workings of your computer, but don't let the bad stuff in. You're only allowed to run the software you need to run, and nothing else.

It's not set-it-and-forget-it like AV, but it's a damn sight more effective and less annoying to the users.


Except AV started out like how Carbon or Cylance did (lean, effective, buzzworthy, etc.) and like other popular applications started out. It was decades of feature creep, poor competition, out-of-control pricing, etc. that killed the AV industry.

I'm seeing the same thing today. Getting a trial of Cylance for a small environment seems next to impossible and when 3rd party testers test these apps, the false positive rates are terrible. Worse, they miss a lot of obvious malware traditional AV doesn't.

I am skeptical this technology is some silver bullet for the industry. I imagine cryptolocker changed the game to where it's politically expedient to whitelist everything, be it application, driver, URL, etc., where in the past IT departments were told to pound sand because some executive couldn't install Bonzi Buddy on the weekend or whatever.

Once you have proper whitelisting then you can pretty much remove AV or go with a non-traditional AV product like the kinds you list or no AV at all. Whitelisting requires a centralized IT department, no BYOD, and a lot of other infrastructure and talent smaller organizations simply don't have. I suspect traditional AV is here to stay for rational reasons and the technology behind things like CB or Cylance will eventually be part of a traditional AV package.

Arguably, the heuristics behind Win10's more advanced SmartScreen are a poor man's version of this and SS comes with every copy of Windows 10 (the Win7 version is actually very poor). I imagine there's a lot of anxiety about being acquired by these companies before traditional AV reverse engineers what they do or SmartScreen gets good enough to the point where you can run a flawed local AV and still get some world-class heuristics watching your back as well.


Whitelist-only works until it doesn't. All an attacker has to do is compromise one of the whitelisted apps (e.g. a web browser) and they will have infiltrated the device and perhaps the network. Certain institutions can tolerate operating as a digital supermax prison (law firms, banks, Government). Most can't. The future is likely some mix of network defense, whitelist/blacklist management, traditional AV for each device, VMs (less effective with migration of apps to cloud), and lots of user education.


I'm pretty sure no AV would help against targeted attacks on a high-profile target. If you have a multi-million business to secure, you play with a totally different risk model.


That's exactly what I had in mind when I read the GP. If third party AVs have a large and complex codebase with unknown or even known security flaws, they won't help much against targeted attacks or make them even easier.

On the other hand, AV usability is so bad you can't expect it to help "normal" people. All those popups do more harm than good when people start ignoring them.


Well, I agree that AV most likely wouldn't protect you against targeted attacks - but most of the attacks that we investigated were targeted quite broadly - phishing email campaigns targeting financial organizations (with address lists based on some hacked legitimate resources for accountants, for example). And usually these attacks succeeded because of insecure infrastructure, poorly trained admins, old, non-updating systems (some people still think using Windows XP on internet-connected computers is fine), and lack of AV software.


"usually these attack succeeded because of insecure infrastructure, poorly trained admins, old, non-updating systems (some people still think using Windows XP on internet-connected computers is fine)"

In this case, there are much bigger problems than the lack of AV.


> most of the attacks that we investigated

Isn't that a case of the survivorship bias? Or at least the broader case of selection bias?


What do you mean, exactly? All I want to say is that while targeted attacks are the most difficult to defend against (well, by definition), it is the medium-sophistication-level attacks that cause the most damage (in my experience), just because of their volume. It's not some state-of-the-art APT malware, it's bundles of RATs + generic backdoors/keyloggers packed in SFX archives, that are usually quickly detected by most AVs (provided that AV bases are regularly updated).


Maybe some of them thought they were fine if they were using AV software? I know what you mean, but the marketing departments of many AV vendors praise it like some kind of all-around solution. I'm pretty sure some people think they can get away with disabling updates etc. and then just buy AV software afterwards when they feel they can't handle their systems anymore.

Maybe the perception that you can achieve some kind of security through band-aid solutions is exactly the cause for the lacking security of many organizations?


> in many cases AV software was deliberately disabled by user

Right, because the only way AV software can ever be effective is if it blocks things that legitimate programs also do (if a given piece of functionality has no legitimate uses it wouldn't be in the OS in the first place) - so users get in the habit of disabling it. Installing a piece of software that e.g. stops you running any downloaded .exe files is useless - if you didn't want to run the .exe you wouldn't be trying to run it, and if you do want to run it you'll turn off the antivirus. If you just want to disallow it completely, you can do that at the OS level easily enough.

There is no magic that AV can do to make it any easier to tell legitimate software from not. Reactive scanning for specific threats is ineffective in the modern era - by the time AV knows about a new form of malware most of the damage has already been done. So all that AV can do is monitor what programs do and apply inherently unreliable heuristics, and maybe be more or less sensitive about those heuristics than the OS is.


The example with .exe files isn't a good one. Modern AVs may do a better job than just blocking them. I use Norton AV, which shows a report summary on newly downloaded files, based on which I can make an informed decision on whether to launch it or not (I personally launch immediately only trusted executables and google for any issues with the rest). The same can be done with all threats: AVs warn, provide some details and let users decide what to do.


> I use Norton AV, which shows a report summary on new downloaded files, based on which I can make informed decision on whether to launch it or not (I personally launch immediately only trusted executables and google for any issues of the rest).

Trusted in what sense? Does Norton maintain their own whitelist? Is there any reason to believe that whitelist would be any better than the digital signature check that's built into Windows?

> based on which I can make informed decision on whether to launch it or not (I personally launch immediately only trusted executables and google for any issues of the rest). The same can be done with all threats: AVs warn, provide some details and let users decide what to do.

But what information can the AV offer that actually helps the user make a better decision than they would have otherwise?


For apps it looks like they have a whitelist based on usage statistics, so it's basically vetting by other users of NAV. It does not replace the digital signature check, but it's a good addition to it.

For other threats it can be a similar solution.


Any AV software is better than having none but that's not the point of the article. It specifically recommends Microsoft's AV and to stay clear of all the others.

I'm sure it's hard on all the AV vendors out there but with Microsoft Essentials and Windows Defender I don't see the need for a third party AV.


IMO, I think common sense, basic hygiene practices, a minimal education and a decent firewall go a long way, much further than an AV could.

For example, the most common way people get infected is by installing software from unreliable sources and by not keeping their computer up to date. I'm pretty sure that learning to regularly update your OS and browser, learning to search for, recognize and use the official sources for software, to stop doing software piracy for that matter, learning not to click on .exe files received in emails and to be suspicious of all attachments, learning to uninstall everything that infects your browser with useless plugins - I'm pretty sure such simple knowledge would cut 99.9% of all incidents.

Most software vulnerabilities in the wild are not novel, "zero day" exploits are not that common. This is why even though I hate Microsoft's recent update policies, on the other hand I understand their newfound aggressiveness in pushing those updates, as it is really frustrating that users ignore update warnings. I also appreciate Chrome's fast updates, which encouraged Firefox to do the same.


Forget even Windows Defender. The one and only "AV" a normal user will ever need is…

Google Safe Browsing.

Seriously.

Anything you download is already checked with Google, why waste CPU cycles on checking it again locally?


Google runs the largest advertising network in the world. Plenty of malware slips through the cracks every day, both downloadable apps/software/extensions as well as ads that lead to obvious scams. Facebook, Microsoft, Yahoo etc all suffer the same problems. I think these problems are likely unavoidable at that kind of scale. But I would never rely on these companies as the only (or even primary) line of defense.


Of course the primary line of defense is not running random crap executables.


I'd also recommend uBlock Origin or similar. The number of fake download links you see otherwise is scary.


You need an antivirus that can watch running programs for bad behavior. Polymorphic viruses have been around for decades and will defeat any simple blacklist. And the halting problem means you can't possibly categorize every program as being harmful or not by static analysis.


One reason is that they simply do not perform as well on benchmarks. Another reason is that if there is only one AV vendor then it is a lot easier for developers of malware to penetrate systems than if there are dozens of vendors.



Sounds like they're choosing their battles just like the US ones.

My takeaway here is not to trust either Russia or US based companies, as none of them will escape working with the secret services. China and India have plenty of exploitative AV like software as well, mainly for mobile.

Are there any European AVs? Or Japanese? Or South African? I'd love to have something that keeps an eye e.g. on Microsoft's products, because there's no doubt that they have backdoors and report home.


How does that make them the worst?


Commercial companies in free countries may be greedy or unethical, but they are generally predictable and usually follow the letter of the law.

A state-controlled entity in an authoritarian country is another story.


It's just about making a choice of which spy agency is going to get your data. NSA for western companies, KGB-or-whatever for Russian ones. If you live in the West, it may be worth considering both options.


Do you have some facts or reasonable suspicions about western AV companies collaborating with the NSA? From what I’ve heard, they aren’t collaborating; the NSA is researching AV vulnerabilities just like the bad guys do.

Besides, Russia considers itself in a state of “hybrid war” against the whole world. It sounds insane but apparently that’s what their government believes, and that’s what their propaganda broadcasts. That’s why an AV product made by a Russian state-controlled company carries some unique risks.

Since mid-December, a high-ranking Kaspersky manager, Ruslan Stoyanov, has been in jail for high treason. Do you know what kind of deal the KGB wants from him? I don’t.


There are rumors that he's in jail for association with the "Shaltai Boltai" hacker group, which published emails of D. Medvedev. Same for the FSB officer who supposedly worked with Stoyanov.


I’ve heard other rumors. I’ve heard he’s in jail because he failed to secure their systems from Ukrainian hackers and 1GB of confidential data was leaked: https://en.wikipedia.org/wiki/Surkov_leaks

But just hearing rumors doesn’t mean we know anything.


Besides the fact a US company probably cooperates with US intelligence, there are plenty of examples of companies outright breaking the law.


> the fact a US company probably cooperates with US intelligence

“the fact” and “probably” are mutually exclusive.

> plenty of examples of companies outright breaking the law

I know, and that’s why I wrote “usually follow the letter of the law”. The majority of companies follow the law, however.


> “the fact” and “probably” are mutually exclusive.

I don't see how; statements about probability can be factual and we have plenty of evidence that Google, Microsoft, and US telcos do; why should AV vendors be different?

As far as companies usually following the letter of the law... do they? What makes you so sure?


> statements about probability can be factual

Depends.

In natural science or in medicine you can estimate that probability (because of control groups, multiple experiments, statistical methods, etc.). In such a context, a statement about probability can indeed be factual.

In general conversation or in a legal context they can’t. If you have facts, there’s no “probably” because you know for sure. And if you don’t, it can be your belief, or your personal opinion, but not a fact.

> do they? What makes you so sure?

Over my career, I’ve worked in several US software companies. Lately, I’m working with various US companies as a contractor.

Multiple times a company put a lot of effort and money into complying with the law: we redesigned our products, moved across states, trained employees to comply with various regulations, and so on. Having friends in the industry with similar observations, I conclude such things happen all the time.


A bit strange to go from a hyper-rational scientific stance on one point to using anecdotal evidence for another.


Well, what I’ve seen with my own eyes during 17 years in the industry is much more believable than the BS about evil corporations that (mostly liberal) media wants me to believe. That’s no evidence. That’s what makes me so sure.

Speaking of which, what makes you so sure plenty of US companies are breaking the law?


Do you ever read the newspaper? Do you remember Enron? Robosigning? Wells Fargo helping Mexican cartels launder money (https://www.theguardian.com/world/2011/apr/03/us-bank-mexico...)? Conflict minerals? Nestle and slave labor (https://www.theguardian.com/sustainable-business/2016/feb/01...)? There seems to be plenty of evidence that corporate malfeasance is a serious problem.

And, yes, there are certainly lots of compliance programs out there, but I'd argue those have more to do with avoiding enforcement action than necessarily adhering to the law. I'd guess Wells Fargo (Wachovia at the time) had a compliance department while they were laundering money for drug cartels and yet it still happened.

I find it eminently believable that many or even most US companies would comply with an illegal request from US intelligence agencies.


Just as I expected, your beliefs are 100% caused by the media.

The image of the world as it’s shown in the media is extremely biased. Watch this: https://www.ted.com/talks/hans_and_ola_rosling_how_not_to_be... The video is about inequality and education, but the topic of corporate crime is skewed just as much.

There are 6 million companies operating in the US, employing 115 million people. If the majority of them were breaking the law, you’d know about that not just from the media but also from some of those 115 million people who happen to be your friends and family.

> I find it eminently believable that many or even most US companies would comply with an illegal request

I don’t find it believable because I don’t see motivation for such compliance.

In an authoritarian state, a government can abruptly take away your business (https://en.wikipedia.org/wiki/Euroset) and optionally throw you in jail for 10 years (https://en.wikipedia.org/wiki/Yukos) if you don’t comply, and you can’t do anything against it. That’s a strong motivation to comply. I don’t see such motivation for western companies.


If your argument is "anecdotal evidence is much better than reported, sourced news" then I have to disagree, regardless of what the TED talk says. The examples are some of the biggest and most prestigious companies in the country and I'm gonna guess most of the low-level schmucks like me and my friends and family aren't in on the huge, illegal operations.


My argument is, you should distinguish two majorities, the majority of media-reported incidents, and the majority of some real-life things.

Those two are very different. If you don’t distinguish between them, you’ll come to absurd conclusions like “the majority of US drivers are drunk”, “the vast majority of US citizens voted for Hillary”, or “the majority of US companies are breaking the law”.

> of the biggest and most prestigious companies in the country

Prestigious means nothing ‘coz it’s hard to measure that. But for biggest ones, here’s the list: https://en.wikipedia.org/wiki/List_of_largest_companies_by_r... Good luck finding Enron or Wells Fargo there.


Here’s some report on financial crimes in 2010-11: https://www.fbi.gov/stats-services/publications/financial-cr...

The total number of financial crime cases in 2011 was around 10000. Even if we assume each case was against a different company (that gives us an upper estimate), that’s merely 0.17% of US companies who were charged with financial crimes in 2011.

As you see, real data is pretty close to my anecdotal evidence.

And it is very far from your reported, sourced news.




