Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/2/2012
08:21 PM
Robert Graham
Robert Graham
Commentary
50%
50%

Antivirus And The Wisdom Of Cabbies

Viruses that cabbies -- like the one who drove me to Def Con -- complain about are precisely those that antiviruses can't clean

Last month en route to Def Con, in the taxi from the airport, I mentioned that I was in town for a "hacker convention." The cabby immediately started asking for technical support to help remove a "Trojan" (his words) from his machine. I asked him whether he had an updated antivirus. He said he had; he originally had AVG that caught nothing, and then his son installed a new antivirus that warns him of the infection (and claims to clean it) every time he turns on his computer. He sees this as an improvement, but it still hasn't gotten rid of the virus or fixed the fact that his browser home page is constantly redirected to foreign advertising sites (most aren't even in English).

This is, of course, not unusual. Everyone in our industry experiences much the same thing when getting into taxies. About half the time I tell cabbies I'm in cybersecurity/hacking, I get a similar story: They are infected, and they have the latest antivirus, but it doesn't work as well as they'd hope.

It's easy to say something generic like "antivirus is broken," but the problem is more complicated than that. Antivirus products just deliver what the market asks for. We are the market; therefore, the problem really is that we are the ones who are broken.

The most common way we (the market) measure viruses is by running them through a "wild list" of real viruses. This is nonsense. The percentage a product catches of this list is almost wholly unrelated to the percentage of the real-world threat end users experience. The normal wild-list score is above 95 percent, but a product that catches only 50 percent on this test could, in fact, do a better job in the real world.

The problem is timing. By the time the antivirus update that catches a virus reaches your machine, you've already caught the virus.

And antivirus does a horrible job at clean-up. Sure, they can quarantine some files, but a lot of times it's impossible, and the virus stays around, as in the example above.

This leads to the "Baysian Cabby Effect" -- the viruses that cabbies complain about are precisely those that antiviruses can't clean and just leave on their system for years. Thus, while uncleanable viruses may only be small percentage of actual viruses, they become a dominant reason why people are unhappy with antivirus products.

Another problem is that antivirus can't (easily) fix stupid. Cabbies complain about the Trojans that hackers put on their machines. They use that word -- I'm not they know what it means. Like the citizens of Troy who brought the horse statue inside their gates, a Trojan is something you, yourself, put on your machine. It's like getting syphilis and saying, "But I don't know how that happened."

It may seem totally unfair to judge antivirus by how well they deal with stupid users, but isn't that the point? Experts can avoid viruses, detect them, and remove them without the aid of antivirus programs. The entire point of antivirus is to protect inexperienced users from themselves. We therefore need to stop evaluating antivirus on how good a job they do for experts, but how good a job they do for everyone else.

I'm sure you've heard the following joke, but I'm going to repeat it anyway: A passerby notices a guy looking for his keys under a street lamp. He asks, "Where did you lose your keys?" The other says "I'm pretty sure I dropped them in the grass over there." Passerby asks, "So why are you looking here?" The guy answers, "Because the light is better." Measuring antivirus by the wild-list is the same concept. We choose criteria that are easy to measure, but not the ones that matter.

So the conclusion is this: Antivirus is going to continue to perform poorly, cabbies are still going to complain, and it's as much our (the cybersec community) fault as it is the antivirus companies.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19037
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVE-2019-19036
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19039
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.