Did Virus Scanners Just Become Obsolete?

from the were-they-that-necessary-before? dept

It's become something of a joke when you look at just how many anti-something software products you need these days just to keep your computer safe (anti-virus, anti-spam, anti-spyware, firewall, anti-trojan, anti-phishing, anti-hijack, etc., etc., etc.), but the list usually begins with anti-virus software.  According to one security researcher, though, anti-virus software may have just become a lot more insecure.  Because the software needs to scan so many files so quickly, there are some programming shortcuts put into the products -- and the researcher has basically figured out a way to use those shortcuts to trick plenty of anti-virus products into completely skipping over malicious files.  The claim, also, is that the only way to fix this is to really rewrite how the scanning works.  Looks like, once again, people are going to need security software to protect themselves from their security software.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    paul, 4 Nov 2005 @ 1:48pm

    solve your virus problems!

    i know how to solve your virus problems! get a mac...

    reply to this | link to this | view in chronology ]

    • identicon
      not today, 4 Nov 2005 @ 2:07pm

      Re: solve your virus problems!

      Oh goodie, then you can come and train all 4500 of my users on a new OS, software, and do tech support for them too.

      Don't forget to rewrite all our financial software, convert all our databases and custom apps, set up remote networking across WAN's, VPN, and dial up, and Deliver a new e-mail system that doesn't change a thing about how users work.

      Since it's so easy I'll expect it done ASAP.

      How many more time do we have to see this uninteligent response from the "it just works" ditto-heads??

      reply to this | link to this | view in chronology ]

      • identicon
        cc, 4 Nov 2005 @ 2:16pm

        Re: solve your virus problems!

        Agreed, the "get a Mac" comment is getting old.

        I'm no Win advocate either, though. I have a Wintel and a Mac at home. Assuming that the Mac is a more secure OS than Win, Win is more vulnerable to virus attacks because of its ubiquity. If Mac was 90%+ of the market, you'd see more viruses than you do now. It might be harder, but it's not impossible.

        reply to this | link to this | view in chronology ]

        • identicon
          SuperJudge, 6 Nov 2005 @ 8:56am

          Re: solve your virus problems!

          "If Mac was 90%+ of the market, you'd see more viruses than you do now. It might be harder, but it's not impossible."

          That's a narrow minded fallacy. I can't see the future, so I would definitely not try to say what would happen there.

          It's possible though. History tends to repeat itself.

          Maybe there will be a balance in the force.

          reply to this | link to this | view in chronology ]

        • identicon
          Jeff, 7 Nov 2005 @ 7:19am

          Re: solve your virus problems!

          "If Mac was 90%+ of the market, you'd see more viruses than you do now. It might be harder, but it's not impossible."

          You mean we might see 1 virus? That would be a lot more, because as of right now there are 0 viruses for OS X, 0 viruses for Linux, 0 viruses for Solaris and how many for Windows? Detect a pattern here? Its called Unix-based OS's.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 24 Jan 2006 @ 2:44pm

            Re: solve your virus problems!

            You sir, are full of shit.

            A simple Google reveals that there are numerous Linux virii, numerous Mac virii, numerous Solaris virii.

            They are not as prevalent as Windows virii, true, but that's sort of a no-brainer -- there are one hell of a lot more Windows machines than Max+Linux+Solaris put together.

            But the point is valid: to some extent, Mac (et. al) is relying upon security through obscurity. If you reversed the situation, to where Mac was ~90% and Windows ~8%, you'd see Mac virii really take off. Even more so, in my opinion, because of the "it just works" attitude -- Mac users are trained to not want to think about what's happening behind the scenes, so as long as the machine doesn't crash, it could be spewing out billions of little virus copies and the Mac user would be happily clicking his shiny smiling icons.

            But the "there are 0 viruses" comment is either a lie or flat out wrong. There are plenty of virii for Mac (and all flavors of Unix), and they would almost certainly take off in popularity if the Mac platform ever "took over."

            reply to this | link to this | view in chronology ]

      • identicon
        seenitall, 4 Nov 2005 @ 2:50pm

        Re: solve your virus problems!

        Then come to my company, do all of the same for about 25,000 salaried employees worldwide. PLUS convert all the manufacturing systems and Human Machine Interfaces that run on Windows AND train our 40,000 hourly employees on the new OS’s and new interfaces at our 30 manufacturing facilities. Don’t forget, of course, that this all needs to be done seamlessly so our customers see no interruptions in their deliveries, and aren't tempted to buy from our competitors.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Nov 2005 @ 4:05pm

        Re: solve your virus problems!

        While i totally agree that the ditto-heads are annoying, I think you're exaggerated the extent of the logistical nightmare.

        What kind of system are you running that your desktops are intimately tied in an OS lock-step with your servers? That's hideously poor planning that went into that eggbasket, and for the sake of any shred of security you should decouple the clients from the servers.

        .. and remove the hard drives from the clients too, but that's next quarter.

        reply to this | link to this | view in chronology ]

      • identicon
        Bill Ray, 6 Nov 2005 @ 1:57am

        Re: solve your virus problems!

        Beautiful thing about Mac is that it will virtually train the users on its own.

        Mac is more intuitive, and any end-user with half a brain can look into the common windows tasks and find a quick and friendly solution.

        Sure the "get a mac" arguement is getting old but, as a die-hard Windows user since 3.1, I gave it up a year ago for Mac.

        what I can say is this: Windows is for folks who like to work on cars, and Mac is for people who like to drive.

        Fharfernugen here.....

        reply to this | link to this | view in chronology ]

    • identicon
      drew, 4 Nov 2005 @ 2:07pm

      Re: solve your virus problems!

      or, if you want to keep your current computer, install linux...

      reply to this | link to this | view in chronology ]

    • identicon
      Wyndi, 4 Nov 2005 @ 2:21pm

      Re: solve your virus problems!

      You are an idiot - Macs suck!

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Nov 2005 @ 4:11pm

        Re: solve your virus problems!

        That's a very well-researched and well-communicated, thoughtful comment. Nice to see some adult conversation on here ... oh, wait a minute. I must have been responding to someone older.

        reply to this | link to this | view in chronology ]

    • identicon
      Jesse McNelis, 4 Nov 2005 @ 5:21pm

      Re: solve your virus problems!

      umm...a Mac will not save you. MacOS has vurnabilities just like any other operating system.

      But seeing as a virus's soul purpose is to copy itself and spread, it doesn't actual need root prilivedges to do this.

      The only solution to virii, worms, spyware etc. is basic common sense.It can be sumed up in 3 rules that have been know to many since before the Web was in common use.
      1. Don't run an executable that you don't completely turst the source of.
      2. Run every process with the minimum priviledges required to perform it's job.
      3. Don't run any unnescessary services from your system.

      Very basic rules that have keep me virii, worm and spyware free since 1985.

      reply to this | link to this | view in chronology ]

    • identicon
      Lorenzo Thurman, 5 Nov 2005 @ 2:08pm

      Re: solve your virus problems!

      I'm twice as secure, I have two!

      reply to this | link to this | view in chronology ]

  • identicon
    cc, 4 Nov 2005 @ 2:17pm

    GoogleScan to the rescue?

    Maybe Google could create a spinoff of their incredibly fast GoogleDesktop to do the anti-xyz disck scanning/monitoring.

    reply to this | link to this | view in chronology ]

  • identicon
    Rikko, 4 Nov 2005 @ 2:32pm

    What are they currently doing?

    To me the on-access scan methodology is dreadful - it's like a police state that uses up resources (and now we learn that they also cut corners) at every turn.

    Why can't we just scan every file being created? Isn't that a fairly effective border guard? If a file has to be scanned immediately after being written to disk or into memory (some intelligence would be necessary to prevent scanning the loading of an old app vs something that your browser just pulled down), where is the potential for infection?
    I don't claim to be an expert, but I see it as a pretty severe chokepoint when any new file is suspect and any citizens are not - even unzipping a file with a virus would be writing that new file somewhere, and then the scanner would pounce.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 4 Nov 2005 @ 3:25pm

      Re: What are they currently doing?

      yeah scanning every file that's created is a great idea. Except how long does it take before a virus is "caught" and included in the virus definitions? Probably not before thousand and thousands of people are infected.

      What would be so hard about windows having the antivirus capabilities built right in as a system process optimized to not bog down systems? It runs constantly and is always scanning; especially when CPU process is low (middle of night). This sounds like the best option that doesn't exist.

      Microsoft already has 243982734987 patches released each week that users are required to update if they wanna avoid vulnerabilities. What's so hard about adding virus definitions to the mix?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 4 Nov 2005 @ 3:58pm

        Re: What are they currently doing?

        The option you suggest is the best indeed. However, you, sir, sound like an auto-MS-bashing Slashbot. You know what's hard about this option? Microsoft simply doesn't make antivirus software.
        The biggest names in antivirus software are all third-party vendors. Go bug them if you would like virus definition updates to be integrated with the main Windows Update that downloads Microsoft's updates du jour.

        reply to this | link to this | view in chronology ]

      • identicon
        Timothy Purdy, 4 Nov 2005 @ 8:55pm

        Re: What are they currently doing?

        I almost totally agree with your idea. I like the thought of having something tied into the OS that scans continuously, however, like some have already said, Microsoft just doesn't do Anti-virus. [ But of course Google could do just that, conquer every realm of the computing world...]. A 3rd party does need to create a new kind of scanning. One thought from me, is not looking for the signatures of known threats, but instead, WHAT a virus does. Stop scanning for each individual object, which in turn has caused programs to take shortcuts. Instead, try to find the specific actions taken by viruses and worms alike and take those out. of course you could double check and find its name and specific type and thus find all of the files associated with it, but I believe its the type of scanning that needs to be changed. And, I do of course know that programs may already be taking this action and I could be just sounding stupid, although, I don't try to declare myself as an expert on this matter. However, what i see in the scanning is that it tries to find the files associated with the threats on the list, which of course has to be updated all the time. What if you don't need to go and find its true identity? Firewalls and apps alike tell you when something 'hinky' is going on, like an attack on your computer. Why not put that aspect into the scanning of viruses and find the apps and files which is used and associated with malicious and 'bad' acts?
        I'm just throwing stuff out there, but, i believe something needs to be done. Something new needs to be made and these threats to be either lessened, or more favorably, non-existent.Please, e-mail me if I am totally wrong or what i just said is allready true. I would like to know if this action has allready been taken, or its just something totally stupid.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 5 Nov 2005 @ 7:32am

          Re: What are they currently doing?

          A lot of software has most of these features, but people turn them off, or never know to turn them off. How come? Because it makes everything run slow. Scanning files when they are opened uses a lot of processor cycles, and heuristic scanning (searching for behaviors, not definitions) takes noticeably longer than regular scanning, so at some point people find the virus scan to be too much of a nuisance and turn it off, even though a virus will be more of a nuisance. I have my software scan accessed files, all mail files, I manually scan all downloaded files, and it does a full scan every week (it takes several hours in which my computer is useless), all of these using heuristic scanning. I feel like it is somewhat worth it, I haven't had a virus in years, but in the last year or so, it has only detected 3 virii, all on the e-mail system, and all in attachments of obviously spam e-mails (most virii are already removed by my mail server before they hit me). A good antivirus is only part of the story, you have to set it up right, be smart on the internet (no IE!) and scan any files you can't vouch for. It is also important to secure whatever network you are on. I am at a college where all the students laptps were bought through the school, and the IT department makes sure the security settings are uniformly high. This does wonders for preventing viruses on campus, and the occasional AIM virus is usually squashed in less then a day. In my case I use Symantec, which was set up very well by the IT department at my college, but I am sure that if you buy the full version of any commercial product it will work similarly (I like macAfee's online virus database better, and I haven't looked at the others). Again, the real trick is being smart about the internet and securing your entire network.

          reply to this | link to this | view in chronology ]

  • identicon
    Slacker, 4 Nov 2005 @ 3:07pm

    THE ADS ARE IRONIC

    As I read the article the ads presented to me, one for anti spyware and one for Norton AV 06.

    reply to this | link to this | view in chronology ]

  • identicon
    Bird Flu, 4 Nov 2005 @ 4:53pm

    Tamiflu

    Who needs virus scanning when you have tamiflu?

    reply to this | link to this | view in chronology ]

  • identicon
    Thomas Crummett, 4 Nov 2005 @ 6:41pm

    Virii arent easy to get

    I am online 24/7. I host and maintain several sites and servers. I run Windows XP SP1. I have 0 virii infections in over 5 years. I have had 3 virii get to my computer, 2 of which I was expecting.
    The 1, was a fairly complex virii, but Bullguard killed it before it did anything.
    The 2, one of which a friend sent me because he was trying to fix it (don't ask, hes weird), Bullguard killed it before it was done downloading. The other, I had my friend remotely hack into my computer to show how secure it was. Took him a long time, and he only manage to give me the file, nothing happened. Then I enabled bullguard and it died :)

    I said Bullguard a lot. Mainly because it is all that. There are 2 main types of software, those made to protect, and those made to profit. Norton, McAffee, and many others, are made to profit. The make the anti-virus software ASAP, and release it to sell it. Sure it gets some virii, but what it doesn't get is what really matters. Others, like Bullguard, are made to protect. These types of software usually have very few updates because they werent released half-assed to make a profit. They were made to be final.
    I'm not saying Bullguard doesn't have updates. Infact, sometimes they have hourly virus definition updates, keeping you on the razor's edge of new definitions.

    All in all, Bullguard isn't the only protection. Using Internet Explorer puts you at great risk for getting adware or other malicious software. Firefox seems to block most of anything you could ever get. ActiveX is the plugin of the devil.

    reply to this | link to this | view in chronology ]

  • identicon
    ndean, 6 Nov 2005 @ 5:38am

    The simple 'anti-' answer ...

    White-list execution. Begin with a deny-all execution policy on the host, then specify that which may execute (by hash) and nothing else is permitted ... period. Santuary (www.SecureWave.com) does this extremely well - first-hand experience, enterprise-wide.

    reply to this | link to this | view in chronology ]

    • identicon
      PB, 7 Nov 2005 @ 4:48pm

      Re: The simple 'anti-' answer ...

      Ndean, SecureWave sounds like a great solution. I have never had a virus infect my PC and I have no Spyware, Adware or Trojans either, I myself use Deep Freeze on my PC at home, which is somewhat similar to SecureWave. I just "freeze" my C drive, which has my programs and OS on it. My frozen drive cannot be written to, it's like RAM...everything I do on the C drive evaporates when I reboot. My data I keep on an external USB drive. Anytime I need to write something, I just plug the external drive in, otherwise I keep it disconnected.

      Although I really don't need to, I still run a NAT, SW Firewall, AV and the other "anti's" but it really doesn't matter if I get a virus because I started out with a clean install of XP and immediately froze the drive, so as soon as I reboot the PC loses any viruses or rootkits that install.

      Whenever I need to update my PC (or write to my USB drive), I reboot to be sure it's clean and update it, then refreeze. It might sound like a hassle to some, but I'm so used to it now, I hardly notice the minor inconvenience, plus it's kind of empowering to know I can surf *anywhere* I want and know my PC can't be infected, (and I do surf everywhere and you should see the stuff that gets in even with all my “protection”).

      reply to this | link to this | view in chronology ]

  • identicon
    Joshua, 16 Aug 2006 @ 4:31pm

    McAffee Virus Scan (5 star???)

    This so-called '5 star' virus detection unit has completely overlook nearly 100 viruses on my computer.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Advertisment

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.