Author Topic: The last Straw - Anti-virus software just too full of crap  (Read 646 times)


Jason

  • Administrator
  • *
  • Posts: 728
  • I love guitars
  • Respect: +62
The last Straw - Anti-virus software just too full of crap
« on: January 17, 2011, 02:26:51 PM »

For the last while, I've been using the free edition of PrevX CSI because it has a handy feature of pointing out the path where most malware resides. However, this software has lately become more and more annoying with false positives, to the point where I uninstalled the thing!

The final straw for me was when I attempted to encode some videos for playback on my cellphone. It flagged the DLLs of software (VirtualDub and FLASKMPEG) I've had since 2003, as infected, and I know pretty darn well those files are harmless. Yet the software cannot even detect most rootkit infections. It has also lately been flagging TightVNC and others as malware, so to hell with it, I removed it from the system.

I have also had issues where it reported my OWN OBJECT CODE as a virus. I compiled a program I had written and suddenly it went apeshit about the object executable. Changed one character in the source code by altering one of the const char arrays and the antivirus stopped bitching. I have even had trouble e-mailing said object file to an associate because GMail also flagged it as a virus.

At work, it has gone off on an in-progress download of a legitimate CAD program update from a legitimate vendor. The complete file scans clean, yet when it is downloaded to 37% the incomplete file causes PrevX to scream "virus".

I think that, with the attempt to squash and keep on top of more and more sophisticated malware, the anti-virus vendors have cocked up bigtime. I also believe that the method of detection is no good, as most malware uses legitimate call chains, conventions and other features which are identical to commercial software, since most malware nowadays is coded using the same toolchains as many commercial products. Tons of malware is coded in Visual C++ and even Borland Delphi, and we all know that Delphi shares the VCL component classes of Borland C++ Builder, meaning any malware in Delphi could trigger false positives for a BCB application, which is probably what happened to me.

Signatures are no longer good enough; better analysis, and running the suspected malware through a debugger, needs to be performed.
« Last Edit: January 17, 2011, 02:30:06 PM by Jason »
Be conservative in what you send, be liberal in what you accept from others. - Jon B. Postel
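The false-positive mechanism Jason describes above (a signature carved from runtime code that a malware sample shares with legitimate Delphi/C++Builder programs) can be shown with a toy byte-pattern scanner. This is an added example, not code from the thread or from PrevX; the "binaries", the shared runtime stub and the known-good corpus are all constructed byte strings.

```python
# Added example: why a signature taken from shared runtime code fires on benign
# programs, and how checking candidate patterns against a known-good corpus
# avoids that. All byte strings below are constructed, not real executables.

# Constructed stand-in for a runtime/VCL stub linked into every program built
# with the same toolchain, whether malicious or legitimate.
SHARED_RUNTIME = b"\x55\x8b\xec\x83\xc4\xf0\xb8VCL_RUNTIME_STUB\xe8\x00\x00\x00\x00\xc3"

MALWARE_SAMPLE = SHARED_RUNTIME + b"\xe8PAYLOAD_SPECIFIC\x90\x90"   # constructed
BENIGN_APP     = SHARED_RUNTIME + b"\xe8DRAW_WINDOW\x90\x90"        # constructed
KNOWN_GOOD     = [SHARED_RUNTIME + b"\xe8HELLO_WORLD\x90\x90"]      # constructed corpus


def ngrams(data: bytes, n: int) -> set:
    """Every n-byte window of data (the vocabulary a corpus 'covers')."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def naive_signature(sample: bytes, n: int = 8) -> bytes:
    """Take the first n bytes of the sample as the signature.

    This is the mistake the thread describes: the first bytes of a Delphi or
    C++Builder binary are the shared runtime, so the pattern is not specific.
    """
    return sample[:n]


def corpus_aware_signature(sample: bytes, known_good: list, n: int = 8):
    """Take the first n-byte window of the sample absent from all known-good files.

    Returns None if the sample contains no window unique to it.
    """
    seen_in_good = set()
    for good_file in known_good:
        seen_in_good |= ngrams(good_file, n)
    for i in range(len(sample) - n + 1):
        window = sample[i:i + n]
        if window not in seen_in_good:
            return window
    return None


def scan(signature: bytes, files: dict) -> dict:
    """Map each file name to True (flagged) or False (clean) for one signature."""
    return {name: signature in data for name, data in files.items()}
```

With the naive signature both the malware sample and the benign program are flagged; with the corpus-aware signature only the malware sample is.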
 

Epsilon

  • Administrator
  • *
  • Posts: 1984
  • Relativistic Momentum
  • Respect: +36
Re: The last Straw - Anti-virus software just too full of crap
« Reply #1 on: January 19, 2011, 08:18:04 AM »
I think a large part of the problem is the heuristic detection used by most anti-virus vendors today. Sure it's necessary, but as you stated it often mistakenly flags legitimate software as infected.

Speaking of Delphi, a company that I was with had a large team coding in Delphi at one stage. A very interesting virus popped up there that attached itself to the Delphi compiler. Thus every time the developers compiled their own software, the virus attached itself to the compiled version and then started spreading itself across the network. It took a while to figure out what was going on and to totally clean up all the infected machines.

The other thing about anti-virus software is that if you leave it running permanently, it consumes quite a bit of resources and has a performance impact on anything you basically do on a machine. On my personal laptop I must admit I'm probably a bit cavalier by disabling it most of the time and then running an occasional full scan of my system. Probably not the safest thing to do, but it works for me.
Information wants to be free

Jason

  • Administrator
  • *
  • Posts: 728
  • I love guitars
  • Respect: +62
Re: The last Straw - Anti-virus software just too full of crap
« Reply #2 on: January 19, 2011, 11:57:36 AM »
It is likely the heuristic detection yes...
And I agree, antivirus products consume vast resources... slowing the machine down.

I've found that 99.9% of infections come in from the web via the browser. If only they, in their infinite wisdom could have designed the things better from the beginning, then we wouldn't be sitting with this mess today....
Be conservative in what you send, be liberal in what you accept from others. - Jon B. Postel