Antivirus Software – The Art of Denial
Why AV isn’t working any more
It’s pretty clear to most people by now that antivirus software just isn’t doing the job. You cannot even tell whether it is succeeding three percent of the time or ninety percent of the time, because that measurement is simply impossible to make. The reasons are also obvious. It is a tool left over from another time, and although it still has its uses, it simply isn’t suited to being your main line of defense. It’s not up to the job.
To start with, an AV scanner will only detect what you are already infected with. In the old days of the amateur viruses, there was an activation date for the virus (Michelangelo, for example, activated on Friday March 6th) and that left all the time leading up to the trigger date to detect and remove the infection. We no longer hear about a trigger date. Malware is there for a reason, whatever that reason is.
Today, there are more new and unique samples of malware each day (more than two hundred thousand new samples per day as of this writing, probably more by the time you read this) than were produced in the entire first decade of virus history. These malware samples mostly don’t replicate and are almost never reported as being in the wild. Finally, they are only in circulation for an average of 27 hours. This is too much work and not enough time for even the best old-fashioned AV scanner. Taken with other facts known about scanning and malware, one thing becomes clear: the AV scanner is obsolete.
Other things have been tried, and they all have their place
Many different schemes have been applied to malware and security problems, with varying amounts of success. A firewall isn’t enough to protect you, but it can be a powerful tool for detecting and analyzing outgoing packets of data. Host-based intrusion prevention relies on pattern files describing the behaviour of malware (instead of its actual content strings), but it can be defeated simply by varying the attack structure enough to evade the patterns in use. Heuristics, reputation services, network filters and many other things each target one part of the malware and hacker problem, often with very good results, but none of them is up to the whole task.
It might be better to examine the major source of the problem.
The design philosophy of our existing systems comes from an era of inconsequential threat. The computer programmers who wrote PC DOS 1.0 had never seen a virus, Trojan or worm. They were not anticipating cloud computing or botnets or international cyber crime. These were science fiction concepts, and like all the best such concepts, they eventually came not only to live up to their fictional roots but to surpass them in every way. Since the personal computer began in the happy-go-lucky 1980s, everything has been designed with a default allow architecture. This means that all incoming content is trusted by the personal computer and will be run or installed without any scrutiny on the part of either the user or the computer itself. You might say that our computers are not only insecure but actually promiscuous. This is a pity, because in the era before the PC, mainframe computers had very strict permission settings. In the world of the PC, every man is his own system administrator. We call this condition Default Allow mode.
So we blithely let every program we find on the internet (when one browses the internet one picks up programs without ever even seeing them) run and install, and only then check it against a database of known malware, after the fact.
The alternative is Default Deny, and it is known by many names: whitelisting and lowered-privilege user, to name just two. Previous attempts to limit access to the computing client have put the burden of approval on the user. This is working pretty well on the Mac, but their method simply requires a password for each executable file that is downloaded or installed. Not only is this not a powerful enough denial, it also bothers users who are accustomed to having full admin privileges on a Wintel-based system. Likewise, the recent Vista and Win7 forays into denial have met with very negative user reviews. Users simply do not like to be the gatekeeper on any system, preferring to leave that to the AV vendor.
Default Deny assumes that the user’s machine is clean and malware free to start with, and should be arranged on either a brand new machine or on a machine that has just been formatted specifically for the purpose. In a world where AV cannot detect everything, you are best served by not removing malware as it is found, but starting with a blank page.
To date, producing an adequate denial system has proved beyond the various AV vendors and also beyond the Giant of Redmond. Here at Comodo we have a different perspective, because we are a different kind of company. Our whitelist arrives at your computer already knowing more than eighty million certified applications. As a Certificate Authority, we have actually measured and catalogued almost every common application in the world. If you encounter any application that doesn’t fit the whitelist, the program is run in a secluded sandbox, well away from the ability to do any real damage. This combination keeps the client very secure, and does it without bothering or frightening the end user.
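The difference between the two policies described above can be seen in a few lines of decision logic. The following is an added example written for this page, not Comodo’s code or any part of its products: the "catalogue" of known-good and known-bad hashes is constructed inline from made-up byte strings, and the sample files (a certified editor, an old worm, a one-byte variant of that worm, and a never-seen program) are likewise invented. The point it shows is that a default allow policy can only stop what is already in its denylist, so a trivial variant or a brand-new sample runs unchecked, while a default deny policy sends everything outside the allowlist to a sandbox without needing to know it is bad.

```python
import hashlib


def sha256(data: bytes) -> str:
    """Content hash used as the identity of a file in both catalogues."""
    return hashlib.sha256(data).hexdigest()


# Constructed catalogues (assumption: a real allowlist would be far larger
# and would normally be keyed on signed hashes from a vendor service).
KNOWN_GOOD = {
    sha256(b"certified-editor-v1"),
    sha256(b"certified-browser-v2"),
}
KNOWN_BAD = {
    sha256(b"old-worm-sample"),
}


def default_allow(data: bytes) -> str:
    """Default Allow: run anything that is not already known to be malware.

    This is the classic AV-scanner model from the article: the only files it
    can stop are those whose hash is already in the denylist.
    """
    return "block" if sha256(data) in KNOWN_BAD else "run"


def default_deny(data: bytes) -> str:
    """Default Deny: run only catalogued applications, sandbox the rest.

    Known-bad files are still blocked outright; anything unknown is neither
    trusted nor rejected, it is contained.
    """
    digest = sha256(data)
    if digest in KNOWN_GOOD:
        return "run"
    if digest in KNOWN_BAD:
        return "block"
    return "sandbox"


# Constructed sample files: name -> contents.
SAMPLES = {
    "certified editor": b"certified-editor-v1",
    "old worm (in denylist)": b"old-worm-sample",
    "old worm, one byte changed": b"old-worm-sample!",
    "never-seen program": b"something-compiled-this-morning",
}


def compare(samples: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """Return (default_allow verdict, default_deny verdict) per sample."""
    return {name: (default_allow(data), default_deny(data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (allow_verdict, deny_verdict) in compare(SAMPLES).items():
        print(f"{name:28s} default allow: {allow_verdict:7s} "
              f"default deny: {deny_verdict}")
```

Running it shows the two policies agree on the certified editor (run) and the catalogued worm (block), and disagree on exactly the cases the article is about: the one-byte variant and the never-seen program both run under default allow, because their hashes match nothing in the denylist, and both go to the sandbox under default deny.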
This is only part of a comprehensive security strategy that includes backup, malware scanning, HIPS, behavior recognition, a firewall, and comprehensive technical support. Comodo offers a full spectrum of security products for the end user, the small and medium business and the largest enterprise. After all, we’re a trusted authority.
Comodo is so confident that this comprehensive security offering can safeguard your system that we actually offer a guarantee to repair any system problems caused by any failure of ours to protect you, up to five hundred dollars. No other vendor has ever made such a claim, and, to date, we have never had to pay. (Legal restrictions apply; the guarantee is only good on the paid version of the software, not the free version.) For full details visit Comodo.com/news/press_releases/2010/04/comodo-internet-security-complete-v4.html.
You can try out Comodo’s Default Deny protection at Comodo.com/home/internet-security/antivirus.php.