An interesting perspective on the state of security programs, from Susan Bradley’s invaluable blog:

“Anti-virus, you have lost. You sit there filling up our system trays with your little icons and flashing bubbles, constantly seeking attention with your false positives and pleas for updates and money. Your ugly self-advertising user interfaces make us feel physically sick. You cripple our machines’ performance and stability with your hundred processes and services loading at bootup and klunging up the system hooks. It takes a lot to bring a modern, powerful PC to its knees with swapping and bluescreens, but you manage it.

“Yet despite all this, you still don’t protect us. Oh, sure, AV is still effective against old-school viruses and the more widespread mail worms. But come on, what idiot still gets infected by those? No, the bulk of today’s infections – including my neighbour’s – are driven by web browser-based exploits and related fake-software downloads, against which today’s AV tools are woefully ineffective.

“The payloads involved are enormous in quantity and range, and are mutated constantly. Against this, signature-based AV has no chance to keep up. Woollier signatures and heuristic-based detection increases the chances of detection a little, but at the cost of so many false positives the user can’t trust it any more. Or worse, they do trust it and end up deleting a bunch of random files that happened to be compressed using an application compressor (packer=virus, according to stupid AV). Oh, and Windows Explorer.

“Oh sure, you might get an alert from your AV when visiting an exploit, because it peeks into your Internet cache folder and manages to recognize part of the payload, or an intermediate downloader file, or the original exploit itself. ‘I’ve removed a virus for you!’ it says, ‘aren’t I super! It’s ‘Delf’, or ‘Agent’, or ‘Small’, or one of the other names we give to specimens we don’t really know what they are but they’re probably not good’.

“By that point it’s far too late; either your browser wasn’t vulnerable, and the AV has valiantly protected you from nothing at all, or the suspect code has already been run, downloading a whole bunch of other bad stuff. Even if it did miraculously catch all of those (and the odds aren’t looking good), how could you possibly know for sure you were still clean? There are some very hard-to-spot rootkits out there that your average PC-using clod hasn’t the faintest hope of detecting.”
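To make the quoted argument concrete, here is an added example (mine, not from Susan Bradley’s post or the blogger she quotes): a toy exact-byte signature scanner and the naive entropy “packed file” heuristic, run over a constructed stand-in sample, two per-build repacks of it, and a harmless compressed document. The signature string, the opcode alphabet, the 7.0 bits/byte threshold and the one-byte-XOR “packer” are all assumptions chosen for illustration, not real vendor logic or real malware.

```python
import math
import random
import zlib

# Hypothetical vendor signature: the marker string extracted from the unpacked sample.
SIGNATURE = b"EVIL_DOWNLOADER_v1"
PACKED_THRESHOLD = 7.0  # assumed heuristic cut-off, in bits per byte


def constructed_sample(seed: int = 1) -> bytes:
    """Constructed stand-in for an unpacked malicious binary (not a real sample):
    an 'MZ' header, 8 KiB of code-like bytes drawn from a small opcode alphabet,
    and the fixed marker string a vendor turned into SIGNATURE."""
    rng = random.Random(seed)
    opcodes = bytes([0x55, 0x8B, 0xEC, 0x83, 0xC4, 0x5D, 0xC3, 0x90,
                     0xE8, 0x00, 0xFF, 0x74, 0x24, 0x68, 0x50, 0x51])
    body = bytes(rng.choice(opcodes) for _ in range(8192))
    return b"MZ\x90\x00" + body + SIGNATURE + b"\x00" * 16


def pack(data: bytes, key: int) -> bytes:
    """Trivial per-build 'packer': deflate, then XOR every byte with a one-byte key.
    A real packer would prepend a decoder stub; the point here is only that the
    bytes on disk differ from the original and from every other build."""
    return bytes(b ^ key for b in zlib.compress(data, 9))


def unpack(blob: bytes, key: int) -> bytes:
    """What the decoder stub does at run time, i.e. after the file has executed."""
    return zlib.decompress(bytes(b ^ key for b in blob))


def benign_compressed(seed: int = 2) -> bytes:
    """A harmless zlib-compressed document (think a setup archive or an Office
    file, which is a zip), built from constructed pseudo-random prose."""
    rng = random.Random(seed)
    words = ["quarterly", "report", "revenue", "the", "and", "budget", "forecast",
             "team", "meeting", "minutes", "project", "status", "risk", "review",
             "deliverable", "schedule", "customer", "invoice", "summary", "notes"]
    text = " ".join(rng.choice(words) for _ in range(4000)).encode()
    return zlib.compress(text, 9)


def signature_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Classic static signature: exact byte substring."""
    return sig in data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (one repeated value) to 8.0 (uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """The 'packer = virus' heuristic: flag anything whose bytes look compressed
    or encrypted. It cannot tell a packed trojan from a packed installer."""
    return shannon_entropy(data) >= threshold


def scan(data: bytes) -> dict:
    """Verdicts from both detectors, plus the entropy that drove the heuristic."""
    return {
        "signature": signature_match(data),
        "packed_heuristic": looks_packed(data),
        "entropy": round(shannon_entropy(data), 2),
    }


if __name__ == "__main__":
    original = constructed_sample()
    build_a, build_b = pack(original, 0x5A), pack(original, 0xA7)
    for label, blob in [("unpacked sample", original), ("build A", build_a),
                        ("build B", build_b), ("benign archive", benign_compressed())]:
        print(f"{label:16s} {scan(blob)}")
    print("after decoder runs:", scan(unpack(build_a, 0x5A)))
```

Run it and the two columns tell the quoted story: the signature hits the unpacked sample and nothing else, and only reappears on `unpack(...)`, which is what the decoder stub does once the file is already executing (the “far too late” point). The entropy heuristic does catch both packed builds, but it fires just as confidently on the compressed benign document, which is exactly the “packer = virus” false positive the quote complains about. Changing the XOR key is enough to make every build a new, unseen file for the signature scanner.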

I’ve lost a couple of nice computers in the last few months, reformatting hard drives when malware got onboard and could not be cleaned off economically, even though security software was running and theoretically up to date. I’ve got no answer here, just a bad feeling that the problem will get worse.
