Blacklists Don't Work

You are of course right about blacklists and anti-virus software Jeff, but have you considered the use of blacklists for browser ad blockers?

In this very different circumstance they appear to work rather splendidly. It feels like years since I’ve seen an ad on the internet. (Of course I never clicked them anyway, ever. Was it you who Twitter’d http://blogs.mediapost.com/spin/?p=1085 ?)

(FYI your tasteful and notated ads are not blocked by the Firefox Adblock Plus extension)

Things are even worse. See the statistics page of VirusTotal.com: http://www.virustotal.com/estadisticas.html

Only 9 of 20226 threats (0.04%) were detected by all engines. This is terrifying.

Blacklists are useless, but non-admin is not a panacea either. Btw, “computer hygiene” helps a lot.

Jeff, have you seen this:

http://www.youtube.com/watch?v=Ga1crmF7uls

It seems that a 99.9% detection rate isn’t good enough. Botnets are getting more and more intelligent. They are changing their DNS addresses so fast that blacklists are useless.

Tapio

Jeff, I also don’t run a virus scanner. I just can’t justify giving up all the system resources for, as you said, something that is unlikely to work for any new virus. But I do need to run my computer as admin for programming, which is a pain. I would go onto my normal user account for any other reason, but I don’t want to maintain admin and personal accounts all the time; it’s tedious to keep settings etc. on both accounts.

I think the perspective on anti-virus from this blog is different from that of average users, as most people who read this blog will know what exe to run and what not to, along with the processes and services that should be running on their Windows machines. This means they can usually detect a virus themselves and then find out about it and what antivirus program can cure it. At this point I bet for most it’s either temporarily install a program to remove the virus or go back to the backup of their system they have. I maintain a Ghost image of my drive on DVDs with all the software I use installed and no data.
I take this and install it, adding any updates and any new software I might be using, and back this up for usage next time. Then I add my latest data and hey presto, a new clean computer, probably running a bit faster than before, all in the space of an hour.

A better antivirus program for me would be a small program that detects new processes and services of unknown origin. I think this is included in some anti-virus, but that is the only part I would want; I don’t care about on-the-fly scanning of files against an outdated blacklist.

Pete

Agreed 110%, with 1 concept the author introduced. That’s “HEURISTICS” it RULES! Being able to detect what NOBODY ELSE HAS ALREADY, is key!

I just mentioned that here in fact, to a person debating ESET NOD32 vs. AVG, ESET went 12/12 at av-comparatives’ website on HEURISTICS (best guess/“smells like a duck, tastes like a duck: MUST BE A DUCK!” type stuff), here:

http://www.av-comparatives.org/seiten/ergebnisse_2007_08.php

AND, the same @ VB100 website too: it passed ALL of their tests with FLYING colors (40 vendors’ antivirus offerings tested, only 3 did this). See here:

http://www.virusbtn.com/vb100/archive/results?display=summary

ESET NOD32 #1, not only where it’s important (heuristics) the most, but also for SPEED (written MOSTLY in assembler, this helps, with a good algorithm!)

APK

P.S.= Personally, also professionally (I kill these things daily, both spyware /or virus, etc. et al)? I see FAR MORE spyware the past year now, by far, vs. std. classical “viruses”… apk

Where I debated this (as to what I feel is important in antivirus products today, sorry, missed posting it here earlier):

http://www.neowin.net/forum/index.php?s=3953b2d51f1210e888e8141875774601showtopic=602537hl=

HEURISTICS (best guess tech for UNKNOWN threats) rules, ESET NOD32 seems to “rule that roost” per evidences in my last post here, above!

APK

Joe is right:
No matter which account you are using, a virus can (and will) destroy your data.

I don’t care about the OS; I can install it in under 1 hour. I DO care about my data; it would take hours or weeks (depending on the time of the last backup) to recover it.

As already mentioned, you don’t necessarily need administrative privileges to do nasty things. And to add to that, we have privilege escalation exploits; I’m sure there’s plenty that haven’t been found yet, also for *nix based systems. And while the current generation of *nix users are über tech-savvy people who read 42 security lists and keep their kernels updated by the hour, regular Joes wouldn’t.

As for AV packages, well, what you want isn’t a stupid BoyerMoore(patternList[idx], mappedFile), you want behavioral blocking that checks for suspicious program activity. The cost in CPU cycles is negligible, and it doesn’t need the heavy disk activity that on-demand virus scanning does.
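Two of the posts above sketch the same contrast from different angles: Pete wants a small tool that flags new processes and services of unknown origin, and the post just above contrasts a Boyer-Moore signature scan over a mapped file with behavioral blocking. The following is an added example, not code from the original thread or from any antivirus product. It implements a Boyer-Moore-Horspool signature scan and a behavioral check over a process-event log side by side; the signatures, the two sample byte strings, the process baseline hashes and the event log are all constructed for illustration.

```python
"""Signature (blacklist) scanning versus behavioral checking.

Added example, not code from the original thread. All signatures,
process names, hashes and the event log below are constructed.
"""
from collections import namedtuple


def horspool_find(pattern: bytes, text: bytes) -> int:
    """Boyer-Moore-Horspool search: offset of the first match, or -1."""
    m, n = len(pattern), len(text)
    if m == 0:
        return 0
    if m > n:
        return -1
    # Bad-character table: how far to slide when the window's last byte
    # mismatches. Bytes absent from the pattern allow a full-length skip.
    shift = [m] * 256
    for i, b in enumerate(pattern[:-1]):
        shift[b] = m - 1 - i
    pos = 0
    while pos <= n - m:
        if text[pos:pos + m] == pattern:
            return pos
        pos += shift[text[pos + m - 1]]
    return -1


# Constructed "signatures": a blacklist keyed by detection name.
SIGNATURES = {"Demo.Marker.A": b"EVIL_MARKER_V1"}

# Constructed samples: the known one carries the byte pattern the blacklist
# knows; the "variant" is the same content with the marker bumped, which is
# all it takes for a pattern-only scanner to miss it.
SAMPLE_KNOWN = b"MZ\x90\x00demo payload EVIL_MARKER_V1 trailing bytes"
SAMPLE_VARIANT = b"MZ\x90\x00demo payload EVIL_MARKER_V2 trailing bytes"


def signature_scan(data: bytes, signatures: dict) -> list:
    """Classic blacklist scan: names of every signature found in data."""
    return [name for name, pat in signatures.items() if horspool_find(pat, data) >= 0]


# --- behavioral side -------------------------------------------------------

Event = namedtuple("Event", "pid process sha256 action target")

# Baseline of what belongs on this machine, keyed by file hash
# (constructed placeholder hashes, not real digests).
KNOWN_GOOD = {
    "sha256:demo-explorer": "explorer.exe",
    "sha256:demo-notepad": "notepad.exe",
}

# Actions a process of unknown origin should not be taking quietly.
SUSPICIOUS_ACTIONS = {"write_run_key", "create_service", "open_process_write"}

# Constructed event log: two known processes doing ordinary things, then an
# unknown binary that persists itself as a Run key and a service.
EVENTS = [
    Event(100, "explorer.exe", "sha256:demo-explorer", "spawn", "notepad.exe"),
    Event(101, "notepad.exe", "sha256:demo-notepad", "file_write", "notes.txt"),
    Event(200, "svchost32.exe", "sha256:demo-unknown-1", "spawn", None),
    Event(200, "svchost32.exe", "sha256:demo-unknown-1", "write_run_key", "Run\\svchost32"),
    Event(200, "svchost32.exe", "sha256:demo-unknown-1", "create_service", "svchost32svc"),
]


def behavioral_check(events, known_good) -> list:
    """Report processes absent from the baseline, escalating when they act suspiciously.

    Returns dicts with pid, process, severity and reason. The baseline is
    keyed by hash, so a renamed binary gains nothing by borrowing a name.
    """
    findings, announced = [], set()
    for ev in events:
        if ev.sha256 in known_good:
            continue  # known binary; nothing to say regardless of action
        if ev.pid not in announced:
            announced.add(ev.pid)
            findings.append({"pid": ev.pid, "process": ev.process, "severity": "info",
                             "reason": "new process of unknown origin"})
        if ev.action in SUSPICIOUS_ACTIONS:
            findings.append({"pid": ev.pid, "process": ev.process, "severity": "high",
                             "reason": f"unknown process performed {ev.action} on {ev.target}"})
    return findings


def demo():
    """Run both checks on the constructed inputs."""
    return (signature_scan(SAMPLE_KNOWN, SIGNATURES),
            signature_scan(SAMPLE_VARIANT, SIGNATURES),
            behavioral_check(EVENTS, KNOWN_GOOD))


if __name__ == "__main__":
    known, variant, findings = demo()
    print("signature hits, known sample :", known)
    print("signature hits, variant      :", variant)
    for f in findings:
        print(f"[{f['severity']}] pid {f['pid']} {f['process']}: {f['reason']}")
```

The point of the pairing is visible in the output: the blacklist catches the sample it already knows and silently misses the variant, while the behavioral check never looked at file contents at all and still flags the unknown binary the moment it tries to persist. In practice the baseline would be fed from a signed-package inventory rather than a hand-written dict, and the event stream from the OS's process and registry auditing.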

I am the System administrator for a small college. Mostly Linux servers, Linux/Windows clients. Users do not get to run as administrator on any of our systems. We keep our software up to date. And I still have to deal with 4 or 5 security incidents a year. All on the Unix side (because that’s where we serve user websites from, of course). Talk about the magical magicness of non-administrator accounts is flatly wrong.

Here’s the fundamental law of computer security: don’t be the easiest, most common, target on the net.

You can be sure that once most systems switch to running non-Administrator accounts, that malware writers will make the jump with only a few issues. Because, speaking as a Unix administrator, they already have.

As others have pointed out, running non-admin won’t protect your user account’s files and settings, but it does keep the system from getting totally borked (at least in theory).

"I love the folks who install three anti-virus-“solutions”, and another two personal firewalls, in addition to the built-in firewall.

All active simultaneously, of course."
Of course they’re not all active simultaneously. They’re all expired, but no-one knows how the buggery to uninstall them.

Running as non-admin won’t protect you from something taking advantage of a buffer overflow. But then neither will most AV software. Not in time. That’s the whole point of the article - blacklists don’t work. So you’ve got this behemoth of a utility churning away in the background that’s protecting you less than, currently, running as non-admin in most respects.

Again, to reiterate my previous post. We are fighting a losing battle with completely the wrong emphasis. A normal person’s computer gets infected, and it will whether they have the latest shiniest AV software or not. If they’re lucky it just bogs their machine down until it slows to a crawl. A simple AV can help prevent/detect and fix this sort of thing - so long as it doesn’t slow it to a crawl in the first place. At worst it takes their machine down and they’ve lost all their data (all they can do is take it to the shop, and they will more often than not wipe the HDD just for good measure, even if they promise on pain of death that they won’t). Backup is now the only answer. Or it mines their machine for sensitive information, and the only prevention against that is education.

AV software as it is currently marketed is a false hope.

I have been running my Vista powered PC without anti-virus for about 6 months now. With the built in Defender, Vista’s UAC and other security enhancements built into Vista, IMHO, there is no need to install Anti-virus. As a backup precaution though, I did create an image backup of my OS and App partitions using Vista Ultimate’s imaging feature. In the unlikely event that my PC is infected with a virus, I will just wipe the HDD clean and restore this image.

I do have antivirus software that I can use to scan my PC from time to time… it came with the SanDisk U3 USB key that I bought at a discount. I have run it only once to scan my Vista PC and, as expected, it found no virus. If I were to run an anti-virus, I would rather run it off the USB key as opposed to installing it on my PC’s HDD.

A solution:

  • You have 10 different pieces of software for performing the same task T
  • Each time you need to do T, you pick randomly one of the 10

Against saturation attacks, let’s use saturation defense :smiley:

I love this post. I share the same feeling and am happy that someone just posted it.
No, I do not run as an administrator and yes, it helps a lot.
But an antivirus is still essential.
What you are forgetting is how often we end up installing something thinking of it as harmless and then voilà!
I’ve tried to install a couple of (seemingly harmless) applications by launching them with admin privileges and had my AV catch them installing some nasty trojans. And believe it or not, one of them was an online car racing game supplied on a CD of a famous PC magazine. How does one avoid these traps? So those annoying antiviruses are here to stay, and for long.
:frowning:

“I don’t care about the OS; I can install it in under 1 hour. I DO care about my data; it would take hours or weeks (depending on the time of the last backup) to recover it.”

You may be able to install the OS in under an hour, most people can’t. Mainly because “reinstalling the OS” means going to the shop and buying a new computer. Or at best getting someone else to come round and fix it.
Yes, data is precious and that can still be attacked. But a whole class of distressing, destructive and costly attacks has been thrown out the window. Now all we need is a primitive anti-virus and a much heavier focus on decent backup tools - which is good for more than just virus damage. That seems to me a much more logical way to proceed. People are currently so focused on an impossible prevention that they don’t spend enough time worrying about how to recover from it.

Wow, this is something that we should see on Penn & Teller, right? I mean if this is all true, and I do believe it is, then there’s a huge amount of bullshitting going on. Can you imagine just how many people get money by producing anti-virus software?

Hey Now Jeff,
I learned that while talking (http://www.codinghorror.com/blog/archives/001017.html): make sure to omit the blacklist model for security.
Coding Horror Fan,
Catto

“What matters most, I think, is detection rate for new threats. That’s what’s really dangerous, not some ancient strain of a long-forgotten DOS virus. I’m sure anti-virus vendors love comparatives like this. It makes for great ad copy”

Well… AV-Comparatives also do retrospective/proactive tests…

The latest test (http://www.av-comparatives.org/seiten/ergebnisse_2007_11.php) is scanning all new viruses within one month, with the antivirus updates from before the first sample.

From that test, ESET NOD32 scored the best with 71% detection, and no false-positives (AntiVir detected 81% but had many false-positives).

71% (81%) proactive detection is GOOD for “blacklisting software”.

AV-Comparatives also have a bunch of proactive tests with a 3-month period also (no new updates for 3 months, check with new stuff from that period).

I’d say the biggest problem are the ones that are fooled into installing a “codec” to watch their porn, or run “My secret pictures.exe” they get from some random e-mail/IM.

End-user whitelisting won’t work. They’ll trust the pornsite that tells them to disable the protection, or whitelist the software.

For companies, most are probably running pretty strict with non-admins already.

And yes, about *nix and Macs not installing an antivirus.
Who cares? I mean, the comparative user base is tiny compared to Windows; nobody bothers wasting their time on them.
And yes, I expect “some” criticism from the respective zealots.
:slight_smile: