Excellent timing. I just alt+tabbed away from writing an email to McAfee because one of my users sent me a screenshot of s3stat.com with a bright red "Dangerous Site Warning" from McAfee's SiteAdvisor.
Evidently, "We tested this site and found it very risky". Even though it's the public site for a 5-year-established (and popular) SaaS product. Even though it has no downloadable executables of any description. Even though it has no non-moderated user-generated content.
But it's got this: http://www.siteadvisor.com/sites/www.s3stat.com
... which is a page saying that their automated somethingorother scraped the internet and decided that my site is crazy dangerous, listing reasons such as... well, nothing actually. But look at it. It's RED! Must be bad.
So even if you don't actually write software that could possibly contain viruses, you can still end up on the wrong side of the antivirus companies.
Holy shit! Seeing your comment, I checked out two of my own sites. One hosts software that I no longer sell (www.egorg.com), and it checked out ok. Interestingly, Yahoo (my host-- hey, it was my first! And paypal integrated easily! Besides, pg built the tech so...) flagged it last week during one of their auto-scans. They couldn't explain why- they just flagged it.
We've tested millions of websites, but we haven't tested this one yet. Be the first one to submit feedback on it!
Maybe it is possible to wreck someone's reputation by submitting bogus feedback to a site they haven't scanned yet. I would be curious how they answer you, because I see nothing that would cause a red flag in their "tests" for your site.
I work in information security for a company who uses McAfee products, and I share your irritation. It can be quite a chore to track down why WebWasher is blocking a site or why our SIEM has flagged a site as a botnet C&C or otherwise risky site.
It doesn't help when we get business groups or developers saying "we need this site unblocked in order to see a 1pm webinar!" and it's 12:59. Site Advisor is useless.
The business of antivirus, especially, has a huge incentive to shove it IN YOUR FACE that the software is detecting things whether they're false positives or not. This scares people into re-upping their subscription. Most computer users don't understand there can even be such a thing as false positive. For all those support calls you get, there are probably 10x that number that simply take the security software on its word and let it delete/block your application.
An aptly timed popup from the antivirus vendor will appear shortly thereafter asking the user to pre-purchase 2 more years of complete computer protection! Oh, the business of fear mongering. . .
EDIT: This is one of those very hard problems startups should be solving.
It's flat out wrong of you to say that antivirus companies don't care about FP's.
There are over 25k new malware samples coming out daily, and everybody is just trying to cut through them as fast and efficiently as possible. Yes there are innocent casualties of this -- False positives -- but these are sincere mistakes.
False positives are very embarrassing for the security company. It is something that can even cost people their jobs. Don't you think for a second that these are not looked at.
I make malware definitions for a living, and you can trust me when I say that I check the FP reports first thing every morning, several times during the work day, & I check our forums every night at home to make sure we don't have any FP's rolling in.
At most security software companies, FP's are taken very seriously & I know that personally I would love to be able to educate Indie developers about what triggers detections and ways we can both work together to reduce them. It's easier said than done, however, and also it is delicate info that you don't really want to yell off the rooftops - because malware creators could really use the same info to their advantage.
I didn't say the industry doesn't care. But, the business model relies on detecting as much as possible and shoving that in your face to get more bookings. I have no doubt you take false positives very seriously at an engineering level.
However, the bottom line impact of a false positive on some indie software has to be negligible.
I wrote a Windows program for my dad about a year ago. It would have worked great. I was thinking about selling it, actually!
Except, the antivirus flagged it. I called the AV vendor and they (probably the first-line tech support) said that unless my dad called the vendor, they could do nothing.
The only false positive that might be remotely reasonable is my executable name is identical to a virus. rte.exe or something similar, as I recall. Whatever. A binary difference should have demonstrated substantial difference between my exe and the virus.
So, my dad didn't get his program, and I got left with a renewed awareness that AV vendors are ruinously unhelpful, and I'd rather work on moving my family and friends to Linux or OSX.
So you spent the time to write a program, one good enough to consider selling it even, but couldn't be bothered to try changing the executable name? Or ask your dad to call the AV vendor?
I did ask my dad to call. Nothing seemed to come of it.
I was working in a hurry and didn't think to simply change the exe name, making the presumption that such a simple thing shouldn't influence the AV decision.
When going through airport security, do you think it matters at all if your name is Osama Bin Laden? Such a person is going to experience a much larger degree of scrutiny from TSA than a person named John Smith.
If a mere name alone is enough to create a false positive and changing this is a living nightmare, why are you in the least bit surprised that customers and developers are livid at having to deal or workaround the closed and disparate world of AV?
Neither is it the least bit surprising that support personnel and developers consider the sheer number and consistency of false positives as "fear-mongering".
It would only take a further small step to then consider, what is the point of having AV at all in the first place since the best it can do is fill an increasingly small hole in prevention for ordinary user behaviour and a static role for precursor forensics (actual forensics would not need the service).
TL;DR. AV industry has a LOT to answer for, to the point where it maybe should not exist in its current form.
I think it can be justified. It's not common, it's known as being one of the more crude methods of detecting malware -- but hey -- we use what works and what fixes peoples machines. That is why it is in use by some vendors today.
Here's an example:
Some companies block anything named 'svchost.exe' that isn't in system32. Create a txt doc and name it svchost.exe and drop it on your desktop and some antivirus software will detect and remove that item.
Why? Because there is no good reason for someone to have svchost.exe anywhere other than SYSTEM32 and also because svchost.exe is one of the top 10 most common names for malware. So, at risk of some FP's -- some companies have a rule that simply removes these if found anywhere else.
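The name-plus-location rule described above, written out as an added example (not the commenter's code). It goes slightly beyond the comment: it also accepts the SysWOW64 copy that exists on 64-bit Windows, takes %SystemRoot% as a parameter since it is not always C:\Windows, and compares case-insensitively; the file listing is constructed.

```python
from pathlib import PureWindowsPath

# Directories where a genuine svchost.exe lives. The comment names System32; the
# SysWOW64 copy on 64-bit Windows is added here as a known fact.
SYSTEM_DIRS = ("System32", "SysWOW64")


def check_svchost_path(path: str, system_root: str = r"C:\Windows"):
    """Return None if the path is acceptable, otherwise a short reason string.
    system_root is a parameter because %SystemRoot% is not always C:\\Windows."""
    p = PureWindowsPath(path)          # works on any OS, no filesystem access needed
    if p.name.lower() != "svchost.exe":
        return None                     # the rule concerns this one name only
    allowed = {str(PureWindowsPath(system_root, d)).lower() for d in SYSTEM_DIRS}
    if str(p.parent).lower() in allowed:
        return None
    return f"svchost.exe outside the system directories: {p.parent}"


def scan(paths, system_root=r"C:\Windows"):
    """Apply the rule to a file listing and return only the hits, path -> reason."""
    hits = {}
    for path in paths:
        reason = check_svchost_path(path, system_root)
        if reason:
            hits[path] = reason
    return hits


# Constructed listing: two legitimate copies (one in odd casing), two copies in
# user-writable locations (including the renamed text file from the comment), and an
# unrelated rte.exe that the rule must leave alone.
SAMPLE_LISTING = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"c:\windows\system32\SVCHOST.EXE",
    r"C:\Users\alice\AppData\Roaming\svchost.exe",
    r"C:\Users\alice\Desktop\svchost.exe",
    r"C:\Users\alice\Desktop\rte.exe",
]


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LISTING).items():
        print(f"FLAG {path}: {reason}")
```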
Of course it is. No legit antivirus company is blocking all files named rte.exe. That's insanity. I am just saying in some circumstances, the name of a file can be a huge help in indicating that maybe you should take a closer look.
Specifically with Norton, I've received warnings/quarantines where it's rather non-obvious and difficult to learn what the actual problem is. The program's interface allows one to click and drill down one or two levels, but the descriptions are often more non-descriptive than descriptive. And then one faces a link (which is, by the way, not tooltipped or otherwise designated as a link) that fires up your browser and takes you to a web page on the security software vendor's (in this case, Norton) web site.
Well, that's f-ing annoying. And then, to boot, often the page that is navigated to contains content that is little or no more helpful in telling you what specifically they detected or why specifically the warning/action triggered.
I recall one case in particular, where going through all this and reading between the lines, it appeared that the quarantine was the result of a "reputation" trigger. Norton wasn't familiar with the executable and it didn't have much or any presence in their reputation system, so the default action was to flag it a "high security" risk and to "quarantine" it.
I understand there is a balancing act. If you don't keep it simple and use strong enough language, Joe Blow user may start to disregard the warnings, until soon enough s/he has a real problem.
But as a more advanced user, this is completely frustrating. I want to know what the problem is, so that I can make an informed decision with regard to the "security event".
(And yes, on the Windows machine, I do run Norton. Comes with my only Internet connectivity option, anyway, and it makes an acceptable, and useful, component of a layered defense.)
I got bit by this reputation thing just this morning. I'd sent out a link to a .exe for a dead simple app (open serial port, tx commands, rx replies, output to screen) and sure enough, someone tried to download it and got blocked by Norton. I sent it in as a FP, not in the hopes they'll do anything about my little .exe, but just to make more work for them.
All of this. False positives are horrible for both antivirus companies and their customers, and great care is typically taken to avoid them.
Not to mention that if you start alerting the user too much, they'd start tuning out the alerts; that becomes a big problem if and when they're infected with something.
They throw up these scary pop-ups that basically say "this is a nice computer you have isn't it? It would be... terrible if something were to happen to it, wouldn't it?"
Interestingly, the best AV I've found seems to be the one from microsoft.
Couldn't agree more. I have been using a PC with XP/7 for years now and have never had a virus. I go online to some questionable websites and downloads sometimes, but if a user uses common sense, he won't open that AllPrinterDrivers.exe from an unknown source just to install drivers for his printer.
I never needed and I think I never will need an AV.
Safe Hex is an important part of keeping a machine clean. (See, for example, RSA being hit because someone opened an Excel attachment.[1])
But as malware authors find more holes and use more exploits it becomes harder to know what's safe or not. Having some weird defaults in operating systems (don't show file extensions; perform an action based on the extension and not the type of file; build a web-browser into the OS; use a preview pane that auto-opens a lot of things so you don't need to "open" an email message it's been opened for you by the pre-installed email client etc etc) really didn't help.
There's also a problem with users. (This comment is not aimed at you!) Some operating systems have very many users who believe themselves to be clueful but who really really are not. The arrogant 19 year old who can slot together a motherboard and GPU and PSU and put them in a case, who can connect his aunt's computer to the Internet, who can install add-ons to his web browser. These are people who think they know what they're doing, who think that the pirated OS they use is fine because they checked an MD5 hash, and who think the pirated software they use is fine because someone would have said something in the torrent comments if it wasn't. And then, if they have a problem, they'll download a pirate AV and hope that isn't infected. These are the people most mocking of the "wipe and re-install; that's the only safe option" philosophy. They'll spend a day using various bits of anti-malware and scanners and web-searching. And they won't find the infected WMV file and they'll get re-infected a few days later.
It drives me crazy when we find an infected computer at work and the solution posited by both the user and the desktop team is "run the corporate AV". No. We have a backup system for a reason. If you don't use it (like the policy mandates you do), that's your fault. The machine gets completely wiped and reimaged.
AVs are a first-line and an indication that something is wrong. If you need to run the AV to clean an actual, real virus, you should be reloading the machine.
One of the reasons the author is complaining about AV is the very reason an AV will likely catch a browser exploit that runs local code. The program the author tells you to write in C doesn't have a definition either, but the code matches a signature that the AVs will look for, same with browser exploits. Native code running without the OS knowing why will usually end up being flagged.
Answer: Good definitions are crafted so that they detect not only all existing versions seen but also allow room for change and file characteristic changes, so that future versions of the malware family can be caught with the same definition.
Good definitions will go on killing items in the wild well past the date the initial zero-day came out (the one that caused the need for the definition in the first place).
This is why brand new generations of malware drop and they are detected by a few security guys. This is also why some people have huge #'s of FP's -- because they allow so much room for flexibility to catch future malware - that they accidentally kill off legit files in the process.
Well, ok, that makes sense; I thought the OP was trying to say that AV provides protection against brand new zero-day exploits which seems like wishful thinking.
No, I meant basically what jgmmo said, the AV scanners pick up a lot more than the virus they were written to prevent. Anything that triggers virus-like behavior will let you know you're infected (might not be able to clean it though). That's one of the points made in the article about false positives.
Oh, man. I use Linux for my day job but keep a Windows 7 install should the need arise. An old friend sent me a link to try out a video game he and a buddy made in college. I downloaded the program, Norton deletes it immediately. It didn't recognize the application signature. (Actually, it recognized it but it wasn't popular enough -- about 100 people had apparently downloaded this game that also used Norton.) After dicking around with Norton for about 30 minutes (nearly drowning in a sea of check boxes and vaguely titled program options), and reaching the boundaries of my Google-fu I just gave up and removed Norton.
Problem solved.
I'm glad I'm not a startup or small company trying to ship Windows executables.
My first call when doing tech support at a local ISP was someone who couldn't get online. It said he was connected, his network device was working fine, he was on the WiFi and it said he had great signal, but nothing worked.
I walked him through getting to Add/Remove Programs and asked him if he saw Norton Internet Security. Told him to uninstall it. Everything works.
He asked if that made his computer less secure. I said 'Technically yes, but only because you can actually use the internet now.'
I worked at that ISP for a week, had the same problem come up three times. My mother had the same issue, and I've had two other friends who had it. Thankfully, I knew how to deal with it because it had happened to me when I bought a Dell laptop years ago.
I was expecting the article to discuss how much the HDD on your machine thrashes (and the fans sound like a jet engine) from scanning every .class and .jar file on your machine, of which there are usually tens of thousands.
And I wish I had a Euro for every client site we've had to manage where some javascript scanner thinks it's so smart and drags the performance of a web-app to a crawl.
I've come to the conclusion that AV software gets more atrocious the more you pay for it or the more it requires advertising every 5 minutes on television. They push it on you via scaremongering every day at least once.
HOWEVER, I've been using Microsoft's free security essentials package for Windows 7 for about 2 years. It never pokes you in the eye, never lets a single thing through and doesn't screw your system resources. It just keeps out of your way. As I said, it's $0 which is how much it should cost and is supplied by the vendor which knows their own security problems the best.
With respect to Linux or MacOS X, I never have installed an AV package ever.
I like MS Security Essentials because, basically, I've already said "I'm willing to trust Microsoft for my system software." Norton, Symantec, McAfee, they all are terrible companies that I'd happily keep off my hard drive given the choice; when I'm using Windows, I've already accepted MS. Plus, since MS knows their OS better than others, they've managed to make a security system which doesn't bring a brand new machine to its knees.
The only trouble I've ever had with MSE is that if you edit your hosts file to block the Facebook "like" button, MSE will pop up a warning and delete the www.facebook.com entry.
I've had this happen, too. But after the first time I told MSE that it was a false positive, it never bothered me again about the hosts file. Good doggy.
Oh, and all your EXE-files will also be marked as viruses by the way (since you're most likely using a "self-executing-unpacker-code + data" architecture, which is considered a risk-factor by most antiviruses, no idea why).
Because most malware does this exact thing to obfuscate its payload. Here's a good example of the relative entropy distribution of malware executables versus non-malware executables on page 26 and 27:
http://www.virusbtn.com/pdf/conference_slides/2007/CaseyShee...
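The entropy heuristic the reply refers to, as an added example (not the commenter's code and not the slide deck's): Shannon entropy per 1024-byte window, with a packed verdict when most windows sit above a cut-off. The 7.2 bits/byte threshold and the 50% window fraction are assumed values, and the samples are constructed (iterated SHA-256 stands in for an encrypted payload). A legitimate self-extracting installer scores the same way as a packed malware image, which is exactly the false positive the thread is about.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def windowed_entropy(buf: bytes, window: int = 1024, step: int = 512):
    """(offset, bits_per_byte) for each window. A packed body shows up as a long run of
    near-8.0 windows, which a single whole-file average can hide behind a plain stub."""
    if len(buf) < window:
        return [(0, shannon_entropy(buf))]
    return [(off, shannon_entropy(buf[off:off + window]))
            for off in range(0, len(buf) - window + 1, step)]


def packed_fraction(buf: bytes, threshold: float = 7.2) -> float:
    """Fraction of windows at or above the threshold (7.2 is an assumed cut-off)."""
    wins = windowed_entropy(buf)
    return sum(1 for _, e in wins if e >= threshold) / len(wins)


def looks_packed(buf: bytes, threshold: float = 7.2, min_fraction: float = 0.5) -> bool:
    """Heuristic verdict: most of the image is high-entropy, i.e. compressed or encrypted.
    True for packed malware and for legitimate self-extracting installers alike."""
    return packed_fraction(buf, threshold) >= min_fraction


def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for an encrypted payload (iterated SHA-256, no real cipher)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples: a plain, repetitive body; a packed-looking body; and an unpacker-style
# layout with a plain stub in front of the packed body.
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100
PACKED_SAMPLE = pseudo_random_bytes(4096)
MIXED_SAMPLE = PLAIN_SAMPLE[:1024] + PACKED_SAMPLE


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(f"{name:7s} overall={shannon_entropy(sample):.2f} bits/byte "
              f"high-entropy windows={packed_fraction(sample):.0%} packed={looks_packed(sample)}")
```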
As a former Windows user who never ran A/V because of the stated reasons, in my old age I've finally broken down and started using one, as rebuilding a box is no longer high on my priority list. If you are a home user on windows, I highly highly recommend http://windows.microsoft.com/en-US/windows/products/security...
It's free, it stays the hell out of the way, doesn't slow the system down, and works.
Edit: I do not work for Microsoft, and this post was written on a netbook running Ubuntu.
I was trying to install netcat on a work windows box to transfer some files (long story). Every attempt at copying the executable out of the zip file would throw up an error about the file not existing, no explanation as to why or who was causing the error. After an hour I removed the antivirus. File copied just fine after that. I guess netcat is a 'hacker tool' and not allowed on protected windows system; too bad I had work to do.
There seems to be a lot of hate for antiviruses here on HN. I have this question, then - what kind of features would YOU want from an antivirus? If a startup was to launch tomorrow with some sort of antivirus or similar product, what would it need to have for you to buy/subscribe/etc.?
Basically, be MSE: unobtrusive. I haven't written anything for windows since high school, so I don't know how it stacks up for devs, but it's great from the user's pov. Free, lightweight, and invisible: everything I want in an antivirus program.
Is an anti-virus even the right approach, especially for an experienced user? Wouldn't some sort of permissions management (maybe like SELinux or AppArmor) coupled with a firewall be just as secure? Getting the majority of your software from a repository (e.g. with yum or apt-get) also seems like it would help significantly.
I'm not a security expert, but it seems like you can have a perfectly secure computer without an anti-virus.
Never delete a file automatically! Always ask and use quarantine. MSE is madness and all the others, too, because they destroy important files without asking.
Is there really a reason to even run anti-virus software all the time as long as you don't try to open executables and macro-containing documents that didn't come from a reputable source?
Yes, because you don't even have to be using the computer to acquire new malware -- if Windows isn't patched and you don't have a properly configured firewall in front of the system. Simply browsing the web with fully patched Windows behind a firewall is a risk as well.
Among other things, I review orders for an advertising service, 20-30 a day. Some of these orders are purposely placed to advertise sites with malicious code that installs malware. My fully patched Windows 7 system behind a firewall, running antivirus and the latest Google Chrome, gets infected with something or other on a regular basis -- at least once a month -- without me ever downloading any files.
Last week it was one of those fake antivirus programs that terminates all your real antivirus programs and pops up a window saying you're infected and need to upgrade for $29.99 every 20 seconds.
That one was probably a Java plugin vulnerability.
I knew a university professor who was installing Windows XP onto a workstation that was connected to the university network. The machine ended up infected with Blaster before he'd even finished the installation.
Heh, I worked in big oil at the time, and they couldn't kill blaster because IT people kept on imaging new computers on internally exposed networks. We probably could have killed the outbreak a week or two earlier if everyone just stopped imaging for a day.
So once a month something gets past the antivirus. How often does the antivirus block (not notice something that wouldn't work on your system, block) malware?
If I had to estimate, at least 95% of the website malware gets caught by MSE. This is a typical day reviewing new ad placements: http://i.imgur.com/gvtY9.png
No, because if you visit a site that successfully exploits an unpatched vulnerability in your browser (or plugins) that allows for remote code execution, you WILL be infected. I'd label myself extremely savvy and I've been hit by what I think were ads loading a Java applet that somehow broke out of the JRE and ran an executable.
I always turn off Java on the browsers I use. It's a HUGE security hole that allows for drive-by infections and the cost of not having java applet support is something I can very much live with.
This. The days of needing to allow or execute malicious executables has passed. Drive-by downloads are extremely common, they use a vulnerability - and bam they can download whatever they want to your PC -- which in turn, will download more stuff.
I see this a couple ways. If you pull binaries off the internet, it's hard to say you can just ignore it and don't need any protection. That is exactly the kind of thinking that got us to where we are with malware in the first place. I just can't see a downside to scanning your system once a week after hours or something like that; most of the time it will find nothing but if it ever finds anything it's probably worth it.
Then I look at the products out there, there are a lot of them and they all seem terrible. We've got giant computers compared to 10 years ago and this software still takes them to their knees at times and you just want the crap to be invisible. In part I think it has to do with the all encompassing "security suite" concept where they try to be all things to all people. It does seem ripe for some disruption.
I mean, like maybe using some virtualization software to have multiple "zones" or something, trusted, suspect and untrusted and some clever reverting and snap-shotting to let you run programs in untrusted environments fairly seamlessly or something. Scan it with some uberscanner and then promote it to trusted. Or something, the OS vendors will have to help and MS has created an AV cesspool.
On Windows one can compile a DLL or EXE in such way that you can overwrite the executable while it's still running.
With the Microsoft Linker this is achieved by adding /SWAPRUN:CD,NET - it means that the image might be running off CD-ROM or Network - and both can lose media connection, so copy the image in memory beforehand.
This could be useful, only if it wasn't for certain Anti-viruses that treat a lot of my executables as viruses once any of these two flags are on (CD, NET or both).
You can actually edit the flags on existing executable, using EDITBIN (or LINK /edit - it's the same - linker is a bit like "busybox" here).
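An added example (not the commenter's code) of the defender-side check that goes with this: read the COFF file header of a PE image and report whether the two /SWAPRUN bits are set, so the handful of legitimate binaries that carry them can be inventoried and allowlisted instead of treated as suspicious on sight. The bit values are the winnt.h constants IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP (0x0400, set by /SWAPRUN:CD) and IMAGE_FILE_NET_RUN_FROM_SWAP (0x0800, set by /SWAPRUN:NET); the header-only test image is constructed and not loadable.

```python
import struct
import sys

# COFF file-header Characteristics bits (winnt.h) that LINK /SWAPRUN sets.
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400  # /SWAPRUN:CD
IMAGE_FILE_NET_RUN_FROM_SWAP = 0x0800        # /SWAPRUN:NET


def coff_characteristics(image: bytes) -> int:
    """Return the Characteristics word of the COFF file header of a PE image.
    Raises ValueError on anything that is not a well-formed MZ/PE header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)      # offset of the PE signature
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or header truncated")
    # The 20-byte COFF header follows the 4-byte signature; Characteristics is its last field.
    (characteristics,) = struct.unpack_from("<H", image, e_lfanew + 4 + 18)
    return characteristics


def swaprun_flags(image: bytes) -> set:
    """Which /SWAPRUN flags the image carries: a subset of {"CD", "NET"}."""
    c = coff_characteristics(image)
    flags = set()
    if c & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP:
        flags.add("CD")
    if c & IMAGE_FILE_NET_RUN_FROM_SWAP:
        flags.add("NET")
    return flags


def build_stub_image(characteristics: int) -> bytes:
    """Constructed header-only image for offline testing: a DOS header whose e_lfanew
    points at a PE signature and a COFF header with the given Characteristics. Not loadable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH",
                       0x8664,        # Machine: x64
                       1,             # NumberOfSections
                       0, 0, 0,       # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       0,             # SizeOfOptionalHeader (the stub has none)
                       characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def inventory(paths):
    """Flags per file on disk, path -> set of flags, or a 'skipped' note for non-PE files.
    Only the first 64 KiB is read, which is enough for the headers of any ordinary image."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                report[path] = swaprun_flags(fh.read(0x10000))
        except (OSError, ValueError) as exc:
            report[path] = f"skipped: {exc}"
    return report


if __name__ == "__main__":
    for path, result in inventory(sys.argv[1:]).items():
        print(f"{path}: {sorted(result) if isinstance(result, set) else result}")
```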
Another reason is that the antivirus we currently have installed at work slows down copying off the shared network. And because it's off the network, the antivirus has to check it every time (unlike HDD, where it can keep some cache of what was checked).
For me it's not so much that it's not always accurate but more that it always makes my computer soooo slow. And also, that I don't believe in antivirus.. Precaution is everything; Once you've got the virus, unless it's a trivial or unoffensive one, better to format.
I don't run anti-virus, the cons are too big and it's not actually a good protection over just taking common sense precautions. I've only been bitten by infections on 2 occasions over 20+ years, and anti-virus wouldn't have helped with either.
Aren't modern Windows capable of installing everything as root and keeping the user account from infecting anything that is on the system level?
That effectively solves the virus problem since the worst that can happen is that something unwanted runs as the user privileges or deletes/infects files in home directory. The machine itself stays clean and you can avoid full reinstalls.
If the user gets a virus then all you need is restore his home directory from a clean backup. And if you want, possibly run some antivirus on anything that gets backed up, to try to make yourself feel good about backups being clean.
> Because if your software has some kind of copy-protection built-in (encrypts and stores serial numbers, hides and encrypts parts of the source code to protect from reverse engineering etc.) - an antivirus will most likely detect some "very dangerous" trojan.
Don't waste your time with this crap. You don't have any secrets on my computer. I will crack your DRM and reverse engineer as I please.
Anti-virus is a flawed idea in general. The incentives are all wrong in the business model for one thing, the other thing is that it literally cannot possibly protect you from new viruses. It's just a completely flawed idea, and in practice it is a net loss.
Microsoft Security Essentials is a nice compromise if you need to appear responsible to individuals and small businesses. It gets the job done, and it's only minimally intrusive. It also comes from a company that most people tend to trust.
Norton, on the other hand, is pure evil. If Microsoft bundled Security Essentials with Windows and thereby pushed all those pathetic AV vendors out of business (just like they did with web browsers), I might turn a blind eye this time and call it the lesser of two evils.
Replace it with a simple app that randomly shows fake notifications for threats, with a clickable button called "remove threat" that doesn't do anything. Upon clicking, show some stats on how many fake threats were dodged.
(1) you won't be seen as irresponsible anymore
(2) since users will constantly receive threat warnings, they'll be more careful than usual, improving security
When I worked at Geek Squad during college, we used to joke that Norton Internet Security had decided the internet was too dangerous and automatically disabled it.
You have no idea how many internet connection problems I solved with the Norton removal tool.
Doctor: Furthermore, start doing the same thing (developing software) to the other one (Linux) because it's .. Er.. fresh.
Man: Wait, but won't the other one start hurting because I'm using it more?
Doctor: Oh right, I guess if everyone switched to using Linux tomorrow, then the malware authors would begin targeting it more aggressively. I suppose my anti-Microsoft rant was misplaced.
nice.