comp/net virus protection

mbpark · 02-02-2009, 05:17 AM

Tom,

My methodology/process catches a lot more than just Conficker

. It catches the viruses that hide themselves in System Restore space, and the ones that hide themselves using the Windows API and even File Streams. I've found many viruses this way. I just used Conficker as an example.

Unfortunately, you can't have a good process to "stop" a virus when the system itself is heavily flawed and allows compromise the way Windows does. The benchmarks I posted earlier were for known viruses. That just turns your AV program into a glorified pattern recognizer. That is irrelevant when many of the new viruses know how to subtly change themselves to avoid detection and you have to use behavior-based techniques to get at the viruses.

I don't see this situation changing any time soon. There's no good way to look at a live system considering how complex Windows is, and how it presents hundreds of hiding spots for any piece of malware. You have to find where they load from, not where they live afterwards.

The solution is to re-architect Windows, and that has only just started with Vista and Windows 7. The solution is not the multi-billion dollar malware defense industry. While it keeps many very smart people employed, it's all for naught if the underlying system has the issues Windows does.

Take a look at Green Hills Integrity, Kadak AMX, QNX, or even OpenBSD to see how an OS can be resistant to such attacks.

tw · 02-02-2009, 12:54 PM

Quote:

Originally Posted by mbpark

I don't see this situation changing any time soon. There's no good way to look at a live system considering how complex Windows is, and how it presents hundreds of hiding spots for any piece of malware. You have to find where they load from, not where they live afterwards.

I am not discussing 'fixing the problem'. Windows is what it is. Now, which anti-virus software does its job best given that Windows is what it is?

I have spent time trying to remove malware without any anti-virus software. Some were simple - an entry in the registry. (AOL belongs in that category as far as I am concerned.) Others were almost amusing - new tasks with random names appear as other pieces of the malware were removed. I could not remove all the pieces fast enough. I once manually removed a virus on a Windows that would not even boot. That was particularly fun.

Interesting is how 'System Internals' detected the virus installed by Sony from numerous music CD-Roms. I have also done that. But that is not relevant to the question.

Given that Windows is what it is, what benchmarks does the OP have to identify the better anti-virus software? Not even a good benchmark. We still don't provide a bad benchmark to answer the OP's question.

A bad benchmark might have been Nirvana's post IF it listed which 50 malware was removed or quarantined by what program. Currently, we don't even have a list of viruses categorized by the program that detected and removed it. Currently we have others claiming their anti-virus software works good without any indication that the anti-virus software even detected or removed anything.

Without a list of current malware X removed by anti-virus software Y, then the OP only has blind recommendations. Recommendations provided without the always necessary reasons 'why'. Currently the OP has few useful answers. Even the best answers are only subjective.

Symantec once was recommended for having detected and removed most known malware. Today, Symantec does not appear to have the same reputation. Why? Why is AVG better?

Consumer Reports once tested maybe 15 different anti-virus softwares using malware. Don't remember when. I recall that Trend Micro was highly recommended. That could be a benchmark to answer the OP's question because it also says why each was rated.

Microsoft only recently changed attitude. The resulting meeting with anti-virus manufacturers was reported to have gone on all day, all night, and up to lunch the next day. So yes, we should expect some improvements from Windows in the future. But that is not relevant to the OP's question. Given what we have is what we have, what benchmarks exist to rate anti-virus software?

glatt · 02-02-2009, 01:02 PM

Quote:

Originally Posted by tw

I once manually removed a virus on a Windows that would not even boot. That was particularly fun.

*Pictures tw hunched over a motherboard with a pair of tweezers, cursing softly, as he pulls a worm out of its hole in the processor.*

02-02-2009, 05:17 AM	#1
mbpark Lecturer Join Date: Jan 2001 Location: Carmel, Indiana Posts: 761	Tom, My methodology/process catches a lot more than just Conficker . It catches the viruses that hide themselves in System Restore space, and the ones that hide themselves using the Windows API and even File Streams. I've found many viruses this way. I just used Conficker as an example. Unfortunately, you can't have a good process to "stop" a virus when the system itself is heavily flawed and allows compromise the way Windows does. The benchmarks I posted earlier were for known viruses. That just turns your AV program into a glorified pattern recognizer. That is irrelevant when many of the new viruses know how to subtly change themselves to avoid detection and you have to use behavior-based techniques to get at the viruses. I don't see this situation changing any time soon. There's no good way to look at a live system considering how complex Windows is, and how it presents hundreds of hiding spots for any piece of malware. You have to find where they load from, not where they live afterwards. The solution is to re-architect Windows, and that has only just started with Vista and Windows 7. The solution is not the multi-billion dollar malware defense industry. While it keeps many very smart people employed, it's all for naught if the underlying system has the issues Windows does. Take a look at Green Hills Integrity, Kadak AMX, QNX, or even OpenBSD to see how an OS can be resistant to such attacks.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)