Blacklists Don't Work

Actually AV software vendors tend to remove all the old and outdated signatures. Otherwise, the sig files would bloat and become massive.
Thus, many of the tested virii are fairly recent and moderately relevant.

Virus scanners are only as smart as their users:

Users who click on every attachment, just because they have a virus scanner promising to protect them, will still catch a virus sooner or later. That’s statistics law, as long as the detection rate does not equal 100%. Which is - as we all know - impossible to achieve, because the virus has to be in the wild before it can get analyzed and added to the signature database. IOW: Someone has to get sick before you can invent the vaccine. It’ll never work the other way around.

The other sort of users who don’t trust their software and think before they execute any kind of software, don’t need a virus scanner, because they have a brain doing its job. And the brain’s heuristics seem to be much more efficient. :wink:

After all, there’s this universal truth:

Virus scanners can only show the presence of viruses, never their absence.

That is what makes virus scanners useless as a protection measure. They may have their use as part of an intrusion detection system, though.

P.S. Telling me that a virus scanner actually protects you from getting viruses onto your machine is like telling me that software can get “bug-free by testing”.

That’s why WindowZones exists… it allows Windows users to continue their bad practice of running as admin but it locks things like IE/Mail/etc into non-admin sandboxes. Check it out at WindowZones.com

This is -exactly- the scenario and rationale that the product was created for!

In my opinion, Microsoft Vista’s “Allow/continue” dialog boxes have nothing to do with security for the exact reasons that many people have already commented on: No ordinary user is going to do anything more than click “allow” whenever they are confronted with the dialog. I can’t picture my mom (or any of a number of accountants in our company) saying, “oh look… this software is doing something suspicious. Should I allow it?” She’s just going to click ahead.

Instead, Microsoft is using the age-old method of CYA (Cover your ***). By putting up incessant warnings to the user, when something goes bad Microsoft can claim, “Oh, but we told you about it, so the damage is really your fault.”

Quite possibly the most ridiculous post I have seen on your website. Everyone else has your mistakes covered though so I just want to register my disdain for this.

I did not read all your comments (too many). But the notion that *nix/OSX does not suffer from malware because of non-administrator default settings is quite absurd. The reason they’re not affected is that it’s not profitable for the malware writer at this point in time, and for no other reason. There is *nix malware; two new ones just this week. Check Sophos.

“There’s almost nothing a virus, malware, or trojan can do to a user who isn’t running as an administrator.”

That statement is completely inaccurate. A trojan can steal the data from your home directory and HTTP it back home, no need for administrator there. Malware wants your data, not just your box or root account. And since you run most apps as non-administrator, I think it’s safe to say that most malware has access to that data.

  1. whitelists work fine … but how do I get mail from people who have not sent mail to me before? - Oh it’s in the spam box with the 10,000 spam emails (and since it’s an order from a new customer it’s the most important email I will get today)

  2. Unix security is not just don’t run as an admin, it is don’t run things just because they are a program as well

A particular buffer overflow exploit will only work on one version of one program; this means that all the users with their auto-patched latest Outlook are all the same, but the user running another client is less likely to get hit.

Buffer overflows and stupid users will compromise any system, but the other methods of infection are stopped on Unix systems, and the most common one, of a user trying to run the program that someone sent them or they found on a website, is difficult enough to do so that they won’t bother.

  3. Why is development so difficult to do on Windows without running as admin? Unix users developed most of Unix without their development tools running as admin. Is this just Microsoft taking the easy option?

Ever think that maybe some of the folks injecting viruses into the community may be actually “employed” by some of the major anti-virus companies?

It brings me back to an old Charlie Chaplin skit where he is a window replacement salesman and he pays a street kid a few cents to go throw rocks in windows right before he makes his pitch…

Let’s not be naive about their intent, and most of all, just be smart in how you guard your computer. With proper precautions you can completely protect your computer from malware.

Great article. Antivirus software is voodoo, but Unix as a personal OS has holes too. For example...

Lots of users have a personal bin directory prefixed on their $PATH. They could be tricked into running sudo malware with a file like $HOME/bin/apt-get.

Sudo is often configured to only ask for a password if some amount of time has passed since the last sudo, because entering a password constantly is annoying. Unprivileged malware could watch the process list for a user command known to require sudo and time its attack to gain root privileges by calling sudo itself. It is also possible to never require a password for sudo, and I’m sure this feature is used more than it should be.

As pointed out by commenter Joe, malware on unix can still wipe out your data without root privileges.

A good sudo configuration and regular backups are a more general and cost-effective solution than any Antivirus.
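The two weak spots Sam lists (a personal bin directory searched before the system directories, and a sudo policy whose cached credentials or NOPASSWD rules let an unprivileged process borrow the user's rights) are both things a defender can audit from the user's own environment. The following is an added example, not code from the page or the commenter; the sample PATH and the two sudoers policies are constructed for illustration, and the only sudoers settings it looks at are `timestamp_timeout`, `tty_tickets` and the `NOPASSWD:` tag.

```python
"""Audit for the two *nix weak spots Sam describes: a user-writable bin
directory ahead of the system directories in $PATH (a fake 'apt-get' there
wins the lookup), and a sudoers policy whose cached credentials or NOPASSWD
rules let an unprivileged process borrow the user's privileges.
Added example, not code from the page; the sample PATH and sudoers texts
below are constructed for illustration."""
import os
import re

# Directories where the real system commands live; anything listed before
# these in PATH is searched first.
SYSTEM_DIRS = ("/usr/local/sbin", "/usr/local/bin",
               "/usr/sbin", "/usr/bin", "/sbin", "/bin")


def shadowing_path_dirs(path, home):
    """Return PATH entries that come before the first system directory and
    that the user (and therefore any malware running as the user) can write
    to: directories under $HOME, and empty or relative entries, which resolve
    to whatever the current working directory happens to be."""
    home = home.rstrip("/")
    risky = []
    for entry in path.split(":"):
        if entry in SYSTEM_DIRS:
            break
        if entry == "" or not os.path.isabs(entry) \
                or entry == home or entry.startswith(home + "/"):
            risky.append(entry)
    return risky


def sudoers_findings(text):
    """Scan sudoers-style text for settings that widen the window Sam
    describes.  Only Defaults lines and NOPASSWD tags are examined."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        defaults = re.match(r"Defaults(?:[:@!>]\S*)?\s+(.*)", line)
        if defaults:
            for opt in re.split(r"\s*,\s*", defaults.group(1)):
                timeout = re.match(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", opt)
                if timeout:
                    minutes = float(timeout.group(1))
                    if minutes < 0:
                        findings.append("timestamp_timeout<0: cached sudo credentials never expire")
                    elif minutes > 0:
                        findings.append(f"timestamp_timeout={timeout.group(1)}: "
                                        f"password not re-asked for {timeout.group(1)} minutes")
                elif opt == "!tty_tickets":
                    findings.append("!tty_tickets: cached credentials shared across "
                                    "all of the user's sessions, not just the current tty")
        elif "NOPASSWD:" in line:
            findings.append(f"NOPASSWD rule: {line}")
    return findings


# Constructed examples: a weak policy and a tightened one.
WEAK_SUDOERS = """
Defaults    timestamp_timeout=-1, !tty_tickets   # never re-prompt, any session
sam ALL=(ALL) NOPASSWD: ALL
"""
HARDENED_SUDOERS = """
Defaults    timestamp_timeout=0, tty_tickets, use_pty  # prompt every time
sam ALL=(ALL) ALL
"""

if __name__ == "__main__":
    print(shadowing_path_dirs("/home/sam/bin:.:/usr/local/bin:/usr/bin:/bin", "/home/sam"))
    for name, policy in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(name, sudoers_findings(policy) or ["no findings"])
```

To run it against a real account, pass `os.environ["PATH"]` and `os.path.expanduser("~")` to `shadowing_path_dirs` and feed `sudo -l` output or a copy of the sudoers file to `sudoers_findings`. `timestamp_timeout=0` is the setting that removes the timing window entirely by prompting on every invocation; the cost is the annoyance Sam mentions, which is exactly the trade-off being made.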

Very nice article.

But what do you think should be done? It’s fine to shoot down something that doesn’t work. But what does work?

@Sam

By default, sudo will tie its password timeout to a given tty, so a malware that’s daemonized or running from a user’s crontab probably won’t be able to use it. It’s possible to configure it less securely, and there are sometimes good reasons to, so you’re right in general.

Anyway, instead of leaving my comments on the issue, I thought I’d blog about it too!

But I’m not reading your blog - I’m reading this one.

I’ve been reading CH for a long time, possibly most of its existence. I have to say, this has been one of the best posts I have ever read. And the sheer fact of the matter is, it all makes too much sense to me now. I think I have spent too much time messing with what I will now have to refer to as the black list of doom. And I should have been spending my time focusing on the hardware and software of recovery. I’m glad I’m young, as I would have felt like I spent too much time on it if I were 10, 20 or 30 years further on. It’s still something I don’t wish to admit really. I gotta thank you.

On another note, and I don’t know that this is the place for it, but my library runs a newsletter, and I would like to ask permission to put CH in the newsletter as one of my site recommendations. It’s kinda my thing to ask before I do. So what do you say?

“Learn to use the Internet.” - that’s arrogant and naïve, WurdBendur. All it takes is one compromised banner ad server serving a surf-by exploit, and bang - you’re dead. You don’t need to be surfing pr0n sites or downloading warez.

Remember that the problem here isn’t to keep power users, programmers, and ux living-in-parent’s-basement geeks free from viruses. It’s keeping the average Joe safe.

You’re wrong about blacklists, at least in some cases.

Email is one case where blacklists are very effective. Most email providers use DNSBLs (DNS Blacklists) to block or filter emails. Some are accurate enough to use before you even accept the SMTP connection (spamhaus.org is a good example); others are commonly used in point-based systems to increase the probability that a message is spam (http://www.surbl.org/).

I can see how this is less effective for comment spam. First, blog comments are far less common than email, so there is less of a community around building a blacklist. And email servers are meant to talk to other email servers, so having a dynamic IP talking to a mail server is generally a good indication of spam. Blog comments are the opposite: anyone can leave a blog comment, so you can’t categorize the traffic as easily.
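The mechanism this comment relies on is simple enough to show end to end: the connecting client's IPv4 address is reversed octet by octet, prefixed to the list's DNS zone, and looked up as an A record, and an answer inside 127.0.0.0/8 means "listed". The code below is an added example (not the page's or any mail server's code) that implements both usage styles the comment mentions, reject-at-connect and point-based scoring. The `resolve` parameter is an injectable lookup so the sample run works offline against a constructed answer table; the zone names and weights in `POLICY` and the entries in `FAKE_DNS` are assumptions for illustration, not real list data.

```python
"""How a mail server consults a DNS blacklist (DNSBL), the mechanism the
comment above credits for email filtering: the connecting client's IPv4
address is reversed octet by octet, prefixed to the list's zone, and looked
up as an A record; an answer inside 127.0.0.0/8 means "listed".  Added
example, not the page's code.  The `resolve` parameter is an injectable
lookup so the demo runs offline against a constructed table; the zone names
and weights in POLICY are assumptions, not real list data."""
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """203.0.113.7 + zone -> 7.113.0.203.zone (IPv4 only here; IPv6 lists use
    a reversed-nibble form instead)."""
    addr = ipaddress.IPv4Address(ip)          # rejects IPv6 and garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(answers):
    """Only 127.0.0.0/8 answers count (RFC 5782).  Ignoring anything else
    guards against a lapsed list domain whose wildcard A record would
    otherwise make every client look listed."""
    return any(ipaddress.IPv4Address(a) in LISTED_RANGE for a in answers)


def system_resolve(name):
    """Real lookup for production use: all A records, or [] on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def smtp_decision(ip, policy, resolve=system_resolve):
    """policy maps zone -> weight.  A weight of None means the list is trusted
    enough to reject at connection time (the spamhaus.org style of use); a
    number is added to a spam score that later filtering stages combine with
    other evidence (the point-based style)."""
    score = 0.0
    for zone, weight in policy.items():
        if not is_listed(resolve(dnsbl_query_name(ip, zone))):
            continue
        if weight is None:
            return ("reject", zone)
        score += weight
    return ("score", score)


# Constructed DNS answers for an offline run.  127.0.0.2 is the RFC 5782
# entry every DNSBL must list, so it doubles as a self-test of the plumbing.
POLICY = {"block.dnsbl.test": None, "score.dnsbl.test": 2.5}
FAKE_DNS = {
    "2.0.0.127.block.dnsbl.test": ["127.0.0.2"],
    "7.113.0.203.block.dnsbl.test": ["127.0.0.4"],
    "7.113.0.203.score.dnsbl.test": ["127.0.0.2"],
    "4.100.51.198.score.dnsbl.test": ["127.0.0.2"],
    "9.2.0.192.score.dnsbl.test": ["10.20.30.40"],   # bogus wildcard-style answer
}


def fake_resolve(name):
    """Offline stand-in for system_resolve, backed by the constructed table."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for client in ("127.0.0.2", "203.0.113.7", "198.51.100.4", "192.0.2.9", "192.0.2.1"):
        print(client, smtp_decision(client, POLICY, fake_resolve))
```

Two caveats worth keeping in mind when wiring this into a real server: the 127.0.0.0/8 check in `is_listed` is not optional, because a DNSBL whose domain lapses and gets parked will start answering every query with the parking host's address, and without the check every client would suddenly be rejected; and the comment's second example, SURBL, is a URI blacklist keyed on domain names found in message bodies rather than on the connecting IP, so for it the query name is the domain itself, not a reversed address.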

@Joe

Though this has probably been stated in the comments already, I don’t have the time to go through all of them, and since nobody seems to have quoted you on your first point, I’ll go ahead and take the honor.

“1) I think the reason that most viruses are written to infect M$ Windows is because it has such a big market share”

Actually, there are a lot more reasons than that. While a lot of people think that as systems become more popular, the amount of viruses for them will increase, this is only a small part of the matter. In reality, it is nearly impossible to infect a Linux or Mac machine with a virus.

  1. Root access. Unless the user is doing something really special, they aren’t going to be logged in as an admin, so the code won’t be able to run. For administrative tasks, the user authorizes a short session of administrative status. Even in this status, by theory, programs should not be able to take advantage of it themselves.

  2. Compatibility. While this is geared more towards Linux than Macs, it is still a valid argument. Simply put, there needs to be several different releases of the said malware, one for each of the major denominations of Linux distributions. Unless, of course, the virus has you compile the source code yourself. But a user stupid enough to compile the source code for a virus is a user that shouldn’t be running Linux.

That being said, you could make an argument that programs are able to convince the user to compile them, to convince the user that “Oh, yes, we are legit,” but the system is going to return some serious warnings in the meantime. Even after the program is launched, Linux and Macs will do everything they can to shut down the script, and, assuming the user isn’t a bumbling idiot, they will succeed.

The bottom line: Macs and Linux computers are not at risk for viruses. Period.

I think we have a lot of people bashing Vista who have never run it.

Reggada holds up Unix-based systems as better because if users try to do something that requires admin privileges, it fails, then you can run it again with sudo to give it admin privileges if you choose. I fail to see how this is better than Vista detecting the app wants to do admin stuff and asking if it should be allowed. Is it better because it’s harder?

That plays into the comment that Vista’s UAC accomplishes nothing but CYA for Microsoft because it lets them say they warned people. Well, they DID warn people, so their A should be C’ed.

Do you think the Unix approach would make much difference to computer-illiterate people? They simply won’t be able to do certain things until a computer-literate person tells them how to run sudo, then the lesson they’ll take from that is if something gives them an error use this magic sudo program to fix it. They’ll share with all their friends. Hell, they’ll probably just start running EVERYTHING with sudo and share THAT trick with all their friends.

Allen says he’d love if his Windows computer worked like his Ubuntu computer, which just has a popup asking for an admin password when he installs something. Vista’s UAC will do that if it is a normal user account or will simply ask for an OK if it is an admin account.

I think what people fail to understand about Vista’s UAC is that for the most part it is meant to transition us to apps that work correctly. Once I settled into my PC where I wasn’t installing things frequently, and once I got updates to several of my apps, I hardly ever see the UAC prompt. I wonder if the people talking about every app actually run Vista or if they picked up this impression from the Mac commercials. If you are getting an annoying number of UAC prompts, then you probably have a bunch of apps that need to be fixed. This is the exact kind of bad app that people are complaining about, so you’d think they’d be happy that the app essentially gets a badge of shame (the UAC prompt) plastered on it at every startup.

“Do you think the Unix approach would make much difference to computer-illiterate people? They simply won’t be able to do certain things until a computer-literate person tells them how to run sudo, then the lesson they’ll take from that is if something gives them an error use this magic sudo program to fix it. They’ll share with all their friends. Hell, they’ll probably just start running EVERYTHING with sudo and share THAT trick with all their friends.”

Continuing this line of thought, I think it boils down to telling Grandma that she is to answer “no” to this prompt (or not run sudo or whatever), always, unless she is sure it is something that is OK to run.

I tend to be more on the side of not requiring much expertise from the typical users, because some of these “how to keep yourself safe” lists are ridiculous, but this is one place where the line has to be drawn. Sorry, Grandma, but if you allow everything or whitelist everything then you’re on your own.

gray list

I don’t agree with you.

  • They do work. I downloaded Kaspersky Internet Security and ran it. It found a lot of crap on my computer.

  • Just because they don’t catch every single malware doesn’t mean they suck. Catching most of the malware is much better than catching nothing. Plus how would you know if it doesn’t catch everything unless you know you planted a malware and your av software didn’t recognize it.

  • Some of the AV slow down your machine considerably. Find one that doesn’t. Scan your machine when you’re not using it. That makes good use of its idle time. I run backups and scanning when I am sleeping.

  • You personally have a fast machine. Does AV software really slow your machine considerably?

  • AV software does not replace your security and safeguards. It complements them. If you depend on it to give you a false sense of security, it’s your fault, not the software’s. An automatic-shift car makes it easier for you to drive; it doesn’t teach you how to drive or drive your car. AV software helps you against malware.