Monday 11 June 2007, 19:26

Introduction


A Kaspersky products reseller has published PDF papers about the efficiency of KAV 6 in general
and rootkit removal in particular [1].
In these papers, malware samples and demos are used to show and demonstrate the effectiveness of the
proactive module.
Naturally, the results are the maximum: 100%!
Naturally... because we can't expect any security software editor or reseller to show the
weaknesses of their own products.
Maybe they are aware of those weaknesses...

The rule of marketing and advertising is mainly to show the bride as more beautiful than she
really is.
This is a legitimate policy: we live in a business world, don't we?



However, under KAV protection, we were able to:


- spy in various ways (keyloggers, sniffing, webcam),

- run scripts, copy files and folders,

- create new accounts and play with privileges,

- evade the scanner engine,

- silently dump the whole content of a USB stick to the desktop, and root and damage the system from external drives (USB, CD-ROM),

- compromise security by running backdoors,

- run remote code execution (Outlook, etc.),

- crash browsers and computers (...),

- download malicious files...



We have thereby shown the limits of marketing.
And what applies to Kaspersky Anti-Virus applies to any other antivirus, HIPS and firewall editor.
Like any other security software, Kaspersky Anti-Virus 6.0 is not the perfect product presented by the usual marketing speech.



Software as Security, Software as a Religion


By this test we have shown some limits of antivirus and HIPS software: internet threats are too
various, numerous and sophisticated to be fully covered by just one product.
Unfortunately, security forums are full of endless discussions about super products which
provide ultimate security.
This is the impact of the massive marketing investment of the IT industry: even
system administrators and IT managers are influenced by the sirens of marketing...

Antivirus, firewall, HIPS, HIDS, NIPS, NIDS, IPS, IDS, anti-0-day, anti-keylogger... the ultimate [2]
software does not exist.
Or only in IT managers' wishes and developers' dreams...


Dealing with security through software alone is a lost battle: the protection provided by security software is
both driven and limited by its own components: code.

A piece of software is composed of lines of code,
but any line of code can theoretically be broken [3],
so any software can be bypassed and defeated.

As simplistic as this sophism is, there's an intangible law: the Grail of security doesn't exist,
any more than the Grail of products does.

The second home of a programmer is the desk drawer, and this home should be the school of modesty: however talented security software developers are, it's difficult to believe in the unknown genius...
The line of code designed today can be defeated tomorrow: the destiny of a programmer's work is
like the destiny of Sisyphus.


Things are not as simple as the equations disease = medicine, crime = police, virus = antivirus,
computer threat = security software.

Security is a complex process [4], not only a matter of products.
The higher the level of control over this process, the higher the level of security.

Unfortunately, the police can't control every street or every airport, and the system administrator
can't have absolute control over what happens on a network perimeter:
does he, in the first place, control whether the installed security products are securely coded?




The Computer's world: a grey world.


Windows is not perfect, but it can be hardened to mitigate the impact of malware: if the user gets
used to applying the principle of least privilege, and takes time to harden the system [5].
And the AV industry has, legitimately from its point of view, never championed the principle of least privilege:
"Windows is not secure, buy our products and you'll be secure" has been the marketing blah-blah
for years.

Fortunately, with the release of Vista, Microsoft has made up for lost time: what requires
effort and knowledge on XP comes already hardened in Vista.
And the "intrusion" of Microsoft into the security industry has generated grumbles and loaded Uzis
from most AV editors.
In fact Microsoft legitimately wants its share of the market, and AV editors do not wish to lose their own.
This is a business battle: who could seriously doubt that?

But what about the end user?
Should he remain a cash machine?


"Do we really need a Security Industry?" [6], Bruce Schneier recently wrote.
And if it's difficult to agree totally, we need to consider that the computer security business is like any other business: money is its only religion.

In this landscape, we have:

- On one side of the river, there are product providers (software, hardware): the web is
dangerous, buy our products and you'll be secure.

- On the other side of the river, there are vulnerability assessment companies and ethical
hackers: your line of defense can be compromised, see the demonstration and the PoC, subscribe to our services (audit, web protection, secure transactions, etc.) and we'll help you make it much more secure.

- In the middle of the river, all computer users (home, corporate, institutions,
administrations) who cross the river and meet here and there spammers, crackers, DDoSers,
cybercriminals...

Each group needs the others: security product providers need cybercriminals for a marketing exploitation of fear, ethical hackers and vulnerability assessment companies need security product providers for their research or to sell their services (and the tools used by pen-testers and cybercriminals are sometimes the same)...


There's no white side and black side: like human beings, things are often grey.



Greatness and decadence of the black list protection concept


All that being said, we need to be as objective and neutral as possible,
and to consider and admit some facts.
Since AV have existed, since AV have been AV, the black list concept has been a dead end.
For years and years, antivirus software has provided colander-like protection: more than any firewall or HIPS, an antivirus is the kind of software that is easiest to bypass.

For years and years, the AV industry has sold ineffective products, designed by "virus
experts" and defeated by 12-year-old kids...
From the system administrator to the international security guru, who can utterly trust them?

Moreover some institutions like Virus Bulletin used to play the AV industry's marketing game: by
providing tests with 100% detection rate results, they gave the home user the feeling that
antivirus software is able to stop 100% of malware.
The VB100 logo is not only designed to point out reactive editors, but also to help these editors
sell more and more software...

The black list concept can't stop 100% of malware: this fact is integrated into the EULAs of
most antivirus editors (chapter 5.3 of the Kaspersky EULA, for instance).

Last year, an organization [7] released tests with newly created malware as test files, and naturally, the AV industry contested this testing methodology.
As far as we know, new malware emerges each day: this is a reality.
And contesting this testing approach is contesting reality.

Business or not, there's a limit to bad faith...




With the available technology (virtualization [8] for instance), the different security models
(white list [9], behavioural analysis [10], sandboxing [11]) and the different classes of software (HIPS [12],
rollback/instant backup), black-list-based antivirus is technically not absolutely necessary.
And it would not be difficult to demonstrate that a white-list-based HIPS is much more
effective and reliable than any signature-file-based antivirus detection.

That which is not checked as safe (white list) is automatically blocked: this is a wall.
Only that which is checked as malicious is automatically blocked (black list): this is a colander.
This obvious fact does not require any kind of testing demonstration.
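As an added illustration (not code from the original article or from any vendor), the two policies above reduced to their decision rule and run over four constructed sample files: the "wall" refuses anything it does not know, the "colander" lets through anything it does not know. The sample bytes and names are made up for the demonstration; "newtool.exe" also shows the price of the wall, a legitimate but unknown program being refused.

```python
import hashlib

# Constructed sample "files": the bytes are just labels, not real binaries.
SAMPLES = {
    "notepad.exe":    b"constructed: known legitimate editor",
    "oldworm.exe":    b"constructed: malware family already in the signature base",
    "newdropper.exe": b"constructed: brand-new malware, no signature yet",
    "newtool.exe":    b"constructed: legitimate tool nobody has catalogued yet",
}

def fingerprint(data: bytes) -> str:
    """Stand-in for a signature or an application-control hash: SHA-256 of the content."""
    return hashlib.sha256(data).hexdigest()

# The black list (signature base) knows one malware family; the white list knows one trusted program.
SIGNATURE_BASE = {fingerprint(SAMPLES["oldworm.exe"])}
TRUSTED_APPS = {fingerprint(SAMPLES["notepad.exe"])}

def black_list_decision(data: bytes) -> str:
    """Default allow: only what is recognised as malicious is blocked (the colander)."""
    return "block" if fingerprint(data) in SIGNATURE_BASE else "allow"

def white_list_decision(data: bytes) -> str:
    """Default deny: only what is recognised as safe is allowed (the wall)."""
    return "allow" if fingerprint(data) in TRUSTED_APPS else "block"

def compare(samples: dict) -> dict:
    """Run both policies over every sample: name -> (black list verdict, white list verdict)."""
    return {name: (black_list_decision(d), white_list_decision(d)) for name, d in samples.items()}

if __name__ == "__main__":
    # newdropper.exe passes the black list (no signature yet) but is stopped by the white list;
    # newtool.exe is harmless yet also stopped by the white list: the user has to vouch for it.
    for name, (bl, wl) in compare(SAMPLES).items():
        print(f"{name:16} black list: {bl:5}  white list: {wl}")
```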

In addition, there will be in the future a hardware [14] alternative to antivirus software: it is also legitimate for the hardware chipset industry to take its share of the market...

But the majority of users are not familiar with HIPS, and do not have the knowledge to determine whether
a file is malicious or not.
The presence of AV boxes at Wal-Mart, Carrefour, Al Campo, Tesco, Ahold, Metro and in any other supermarket is not endangered.


Antivirus is dead [13], viva antimalware: Kaspersky 6, or the evolution from antivirus to antimalware


"If God does not exist, then everything is permitted," said Dostoevsky.
And in a world driven by money, cybercriminals [15] are not the last to show how ingenious human beings can be at doing bad things.
There are more and more computer users in the world, and at the same time internet threats in
general and malware in particular become more and more sophisticated.

Most antivirus editors have not followed the wave of this sophistication.
Perhaps they are afraid to disturb their consumers' habits (the sacrosanct scan button) and, in the same way, to lose their share of the AV market.
A typical example is the rootkit phenomenon: Windows rootkits have officially existed since 2000, and
the AV industry has only taken care of them since 2006/2007 [16].
Strange definition of reactivity, isn't it?


Fortunately, some editors are convinced of the need for a real, technical evolution.
Kaspersky is one of them.
While big companies invest more in marketing, small and medium-sized companies invest more in
research and development.
This is the most reliable policy in the long run.
Moreover, isn't it the role of editors to provide the most reliable and effective security
software, to give the best they can to their potential consumers?


Our test has clearly demonstrated that the integration of an HIPS or proactive module is very
helpful in offsetting the limits of signature file detection.
Many tests have shown the need for another approach to fight unknown malware.
In the case of Kaspersky, the behavioural analyzer caught malware which was not
recognized as malicious by the black list protection.
If behavioural analysis isn't a brand-new security concept, the integration of a proactive module into
a classical antivirus is a kind of revolution for common users.


Using a computer nowadays becomes more and more risky without reliable protection.
Through the integration of this proactive module, Kaspersky Anti-Virus is currently and without any doubt the "antivirus" which provides the most exhaustive protection for end users.









1. PDMVsRootkits: direct download here.

Proactive defense/PDM paper here.

2. The ultimate security software (fun).

Dark Reading: "Top 10 Reasons Security Products Don't Work".

HIPS/IPS products become more and more popular, but it seems this is not the panacea if we also take into consideration that many of them are vulnerable to evasion techniques...

3. Exploiting Software: How to Break Code.

4. From product to process, Bruce Schneier.

5. An exhaustive guide for home users here.

6. "Do we really need a Security Industry?" from Bruce Schneier's blog.

A summary here.

7. Techworld article.

8. Wikipedia

Virtualization info

Kernelthread: An introduction to virtualization


9. Wikipedia

"Black list versus White list software solutions" by Faronics: Anti-Executable is an example of a white list HIPS.

"Whitelisting Repairs Broken Anti-Malware Model"

Dark Reading: A-Listing Your Apps.

"Antivirus 2.0: the bouncer approach" (as a PDF here)

Securewave, one of the leaders of the white list security approach with Sanctuary, provides interesting article links on its web site.

- BBC News: Staying safe without antivirus

- NZ fights viruses on two fronts


10. SecurityFocus: "Behaviour blocking: The Next Step in Antivirus Protection".

11. Wikipedia

Kernelthread

12. Wikipedia

An overview of personal/desktop HIPS here, and an HIPS list updated recently for the purpose of this article.

The list of our CastleCops friends (the list of anti-phishing HIPS is empty: update required :) )

Dark Reading review of corporate H/IPS: "Host intrusion prevention products"

An example of innovative HIPS approach with Nexthink.

13. "The slow death of AV technology".

"Has The End arrived for Desktop Antivirus?"

14. "A chip counters the viruses"

15. Crime-research: Computer crime: top threat in 2007.

2006 FBI/CSI Computer Crime and Security Survey: PDF here.

An interesting blog here.

16. Only a few editors like Kaspersky, Nod32, BitDefender or AVZ integrate a fully functional anti-rootkit module.
Currently most anti-rootkit tools from AV editors are simple beta tools.











By SSTA - Published in: TEST AND TESTING