# Antivirus tools are a useless box-ticking exercise says Google security chap

## P4-630 (Nov 19, 2016)

*Advocates whitelists and other tools that 'genuinely help' security*

"*Kiwicon* Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort on tools like antivirus and intrusion detection and instead research more meaningful defences such as whitelisting applications.

The incident responder from Google's Sydney office, who is charged with researching very advanced attacks including the 2009 Operation Aurora campaign, decried many existing tools as ineffective "magic" that engineers are forced to install for the sake of compliance but at the expense of real security.

"Please no more magic," he told the Kiwicon hacking conference in Wellington, New Zealand, on November 17, 2016.

"We need to stop investing in those things we have shown do not work."

"And sure you are going to have to spend some time on things like intrusion detection systems because that's what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help."

Bilby wants security types to focus on tools such as whitelisting, hardware security keys and dynamic access rights efforts like Google's BeyondCorp internal project.

"Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying 'Thank god it inhaled all the poisonous gas'," he said.

The Google hacker also argued that networks are not a security defence because users are so easily able to use mobile networks to upload data to cloud services, bypassing all traditional defences.

Advice on safe internet use is "horrible", he added. Telling users not to click on phishing links and not to download strange executables effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online.

"We are giving people systems that are not safe for the internet and we are blaming the user."

Referring to the 314 remote code execution holes disclosed in Adobe Flash last year alone, he compared the strategy of patching those holes to a car yard which sells vehicles that catch on fire every other week."

http://www.theregister.co.uk/2016/1...s_try_whitelists_not_just_bunk_antivirus_ids/
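The article's argument is about default-deny (application whitelisting) versus default-allow (antivirus block lists). The following is an added example, not code from the article, from Google or from any AV product, that runs both policies over a handful of constructed "binaries" (short byte strings standing in for executables, with constructed signer names standing in for code-signing certificate subjects). It shows the case each side of the thread raises: a trivially repacked sample slips past a hash block list but not an allow-list, while a fresh vendor release and a sample signed with a stolen certificate show the allow-list's own costs.

```python
"""Default-deny (allow-list) versus default-allow (block-list) execution control.

Added example, not code from the article, Google or any AV product. The
"binaries" are short constructed byte strings standing in for real
executables; signer names are constructed stand-ins for code-signing
certificate subjects.
"""
import hashlib
from typing import Dict, NamedTuple, Optional, Tuple


class Image(NamedTuple):
    data: bytes              # file contents (constructed)
    signer: Optional[str]    # code-signing subject, or None if unsigned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Inventory the defender has already seen and classified.
KNOWN_GOOD: Dict[str, Image] = {
    "notepad.exe": Image(b"MZ notepad build 1.0", "Microsoft"),
    "vendor-tool 2.3": Image(b"MZ vendor tool 2.3", "Vendor Ltd"),
}
KNOWN_BAD: Dict[str, Image] = {
    "dropper.exe": Image(b"MZ dropper family A", None),
}

ALLOW_HASHES = {sha256_hex(i.data) for i in KNOWN_GOOD.values()}
TRUSTED_SIGNERS = {i.signer for i in KNOWN_GOOD.values() if i.signer}
BLOCK_HASHES = {sha256_hex(i.data) for i in KNOWN_BAD.values()}


def blocklist_decision(img: Image) -> str:
    """Signature-style AV: run anything that is not on the bad list."""
    return "deny" if sha256_hex(img.data) in BLOCK_HASHES else "allow"


def allowlist_by_hash(img: Image) -> str:
    """Strict allow-list: run only images whose exact hash was approved."""
    return "allow" if sha256_hex(img.data) in ALLOW_HASHES else "deny"


def allowlist_by_hash_or_signer(img: Image) -> str:
    """Looser allow-list: approved hash, or signed by a trusted publisher."""
    if sha256_hex(img.data) in ALLOW_HASHES:
        return "allow"
    return "allow" if img.signer in TRUSTED_SIGNERS else "deny"


# What turns up on the endpoint after the lists were built (constructed).
SAMPLES: Dict[str, Image] = {
    "notepad.exe (known good)": KNOWN_GOOD["notepad.exe"],
    "dropper.exe (known bad)": KNOWN_BAD["dropper.exe"],
    # One appended byte: a new hash, so the block list has never seen it.
    "repacked dropper (one byte changed)": Image(b"MZ dropper family A\x00", None),
    "vendor-tool 2.4 (new release, not yet approved)": Image(b"MZ vendor tool 2.4", "Vendor Ltd"),
    "dropper signed with a stolen Vendor Ltd cert": Image(b"MZ dropper family B", "Vendor Ltd"),
}


def evaluate() -> Dict[str, Tuple[str, str, str]]:
    """Return {sample: (block-list, hash allow-list, hash-or-signer allow-list)}."""
    return {
        name: (blocklist_decision(i), allowlist_by_hash(i), allowlist_by_hash_or_signer(i))
        for name, i in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (bl, al, als) in evaluate().items():
        print(f"{name:50s} blocklist={bl:5s} allowlist={al:5s} allowlist+signer={als}")
```

Read the output column by column: the block list only ever catches the one sample it already knew, the strict hash allow-list stops both droppers but also the legitimate 2.4 update until someone approves it, and relaxing the allow-list to trusted signers restores the update but lets the stolen-certificate sample through, which is exactly the objection raised later in the thread about signed malware.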


----------



## RejZoR (Nov 19, 2016)

Just because antiviruses aren't 100% effective, it doesn't mean they are useless. Seatbelts, airbags and vaccines also don't prevent deaths 100% and we aren't running around screaming how useless they are. Some do, but those people are stupid, to be quite honest. Antiviruses aren't any different. It may happen that you'll still get infected, but decreasing that chance from 100% down to just 10% (take that as a worst-case scenario) makes quite a difference, doesn't it?

As for whitelisting: even if you have the greatest database of whitelisted stuff, you can't ever have everything whitelisted. We've also seen how digital signatures were exploited for distribution of malware through seemingly safe digitally signed files. Not to mention how annoying it is to the user. avast!, for example, has one of the most extensive whitelist databases for its Hardened Mode (Aggressive) setting and yet you can regularly find it showing a warning on an unknown file because it's either so new or so rare that it hasn't come across their whitelisting system yet.

To put Google's bragging into perspective: if they know so much, why do people still keep finding tons of exploits in their software and/or services? I've been involved in the antivirus industry for over 15 years and I've seen how dramatically it has evolved just since then. Antiviruses aren't just "antivirus" anymore, they are very complex and highly sophisticated protection systems. The days of pattern matching only are long gone. It's still used because it's fast and efficient for known stuff, but for unknown stuff, the technology is really rather amazing. Especially considering 99% of detections are machine generated. Humans just fine tune these systems; the rest is entirely machine controlled and generated, because there are just too many clean and malicious apps being released every day for humans to analyze them one by one. They only do that on stuff discarded from the systems as "undecided verdict", and they look into it personally because it's suspicious but the system can't figure it out just yet.


----------



## FordGT90Concept (Nov 19, 2016)

I haven't used an anti-virus beyond what Microsoft offers for years.  Only got infected once on Windows 7 because of ImgBurn adware (didn't untick the box) and have never been infected or seen an infected Windows 10 machine yet.

I agree with Google that, if you're serious about security, white listing is the only way to go.  That doesn't just go for applications but also domain names.  Malware would be cut hugely if white listing was standard practice.

Case in point: I've been running Server 2003 R2 -> Server 2012 R2 for almost a decade now and it has never been infected nor ever had an anti-virus.  Why?  White list only Internet Explorer.  If the website is too much of a dick to get white listed (facebook.com is a perfect example of this), I simply refuse to go there with the server.  Non-white-listed pages can't redirect, can't use applets, can't use scripting, downloads are forbidden, can't cross-domain reference, and can't use ActiveX Controls.  It fundamentally comes down to just HTML and CSS which are harmless.


----------



## RejZoR (Nov 19, 2016)

Adware is not malware and as such you weren't "infected". It's just an annoyance, nothing else. Like a big fat bug splattered on a windshield of your car. Is it a safety hazard? No. Is it annoying because you'll have to scrape it off by hand? Yes. That's adware.

Whitelisting in the end is only as good as the people controlling it at the very end. Meaning, the END USER. We. Us. I've seen people with my own eyes who, when the antivirus detected something, went and disabled it just so they could execute the file anyway. What makes you think they won't do the same stupidity with 100% whitelisting just because it's preventing them from doing what they want? Blacklisting is still the way to go, we just have to bump it up a notch. But we are getting there. I'm seeing systems that are connected to the cloud that are incredibly sophisticated and with superb results.


----------



## SomeOne99h (Nov 19, 2016)

RejZoR said:


> ........ I've been involved in antivirus industry for over 15 years and Ive seen it how dramatically it has evolved just since then. Antiviruses aren't just "antivirus" anymore, they are very complex and highly sophisticated protection systems. The days of pattern matching only days are long gone. It's still used because it's fast and efficient for known stuff, but for unknown, the technology is really rather amazing. Especially considering 99% of detections are machine generated. .........


I read an article that anti-viruses shouldn't be called anti-viruses but rather "Anti-malware" because they are against anything that can be bad for the computer or the user not just viruses.


----------



## FordGT90Concept (Nov 19, 2016)

RejZoR said:


> Adware is not malware and as such you weren't "infected". It's just an annoyance, nothing else. Like a big fat bug splattered on a windshield of your car. Is it a safety hazard? No. Is it annoying because you'll have to scrape it off by hand? Yes. That's adware.


Anything on my computer that I didn't deliberately put there is malware in my book.  I nipped it in the bud by prohibiting it from launching and did a clean Windows install a few months later to get rid of it entirely.



RejZoR said:


> Whitelisting in the end is only as good as people controlling it at the very end. Meaning, END USER. We. Us. I've seen people with my own eyes who, when antivirus detected something, they went and disabled it just so they could execute the file anyway. What makes you think they won't do same stupidity with 100% whitelisting just because it's preventing them from doing what they want? Black listing is still the way to go, we just have to bump it up a notch. But we are getting there. I'm seeing systems that are connected to the cloud that are incredibly sophisticated and with superb results.


No amount of software will solve a PEBKAC fault.  Solution: the operating system establishes the white list with no obvious option to ignore it.  Microsoft browsers do this to some extent with downloads.  If you download a file that has been reported to be trouble, the obvious things the user clicks will actually delete it.  You have to read and understand what you're reading to not delete it.


----------



## basco (Nov 19, 2016)

I too have not used antivirus software for 7 years; before that, always free ones like Avira.
But I don't do online banking, nor do I have important files on my machine, and I only browse sites I know.
I think a good firewall is better than AV software.


----------



## Caring1 (Nov 19, 2016)

FordGT90Concept said:


> Anything on my computer that I didn't deliberately put there is malware in my book.


Like Windows 10


----------



## RejZoR (Nov 19, 2016)

FordGT90Concept said:


> Anything on my computer that I didn't deliberately put there is malware in my book.  I nipped it in the bud by prohibiting it from launching and did a clean Windows install a few months later to get rid of it entirely.
> 
> 
> No amount of software will solve a PEBKAC fault.  Solution: operating system establishes the white list with no obvious option to ignore.  Microsoft browser do this to some extent with downloads.  If you download a file that has been reported to be trouble, the obvious things the user clicks will actually delete it.  You have to read and understand what you're reading to not delete it.



Well, by not unticking it, you kinda have deliberately installed it...


----------



## FordGT90Concept (Nov 19, 2016)

I'm only human.


----------



## Folterknecht (Nov 19, 2016)

FordGT90Concept said:


> I agree with Google that, if you're serious about security, *white listing is the only way to go*.  That doesn't just go for applications *but also domain names*.  Malware would be cut hugely if white listing was standard practice.



With companies like Google, Facebook, Twitter, MS and Amazon having left behind the stance of neutral entities (only concerned with their own profits) long ago, I sure as hell don't want them to determine what's "safe" for the public.

You and I will find a way to get where we want, but Joe Average won't be able to see what these companies don't want us to see.


----------



## FordGT90Concept (Nov 19, 2016)

The only search I had white listed was https://encrypted.google.com Facebook was not, Twitter was not, Amazon was not.  Microsoft was because of windows update and Visual Studio downloads and redistributables.  I remember HighPoint-Tech was white listed to get RocketRAID drivers.  TechPowerUp and GeneralNonsense were white listed for the rare instance my personal computer was off/disabled and I needed to access them.

Bear in mind that white listing simply permits the website to function as normal (medium security).  It doesn't give it elevated permissions to do anything.  Everything not listed as a trusted site runs at high security where pretty much everything that isn't HTML and CSS is prohibited.


----------



## Luke Whitton (Nov 19, 2016)

Most of us that use antivirus and have a bit of knowledge about computers tend to use free versions or just stick with Microsoft's standard "Windows Defender" (I'm guessing).
I think some antivirus products are as bad as a computer virus in itself. Take the likes of Norton Antivirus: my first laptop wouldn't even run because of how much it was bogging the computer down.

I've got a couple of friends that actually pay for this rubbish.... and it's not exactly cheap!
Does anyone on here pay for it?


----------



## remixedcat (Nov 19, 2016)

Just run adblock (ublock origin) noscript, and have hosts files and good routers/firewalls that block the shit and you should be good... However have antivirus (webroot or eset) and you will be good to go as well as the absolute best solution:

Common Sense Enterprise Edition 2017!


----------



## alucasa (Nov 19, 2016)

Haven't used anti-virus for nearly a decade. No problemo.


----------



## Steevo (Nov 19, 2016)

I like the part where he says it's dumb to tell users not to click links they don't know and how it should be the hardware manufacturers' job to keep us safe from the internet.

It reminds me of the people who say it's up to men to learn not to rape, cause all men are rapists.


I use basic AV, most ISP's have some basic security built in, but the idea that all websites are or should be made safe...... retarded.


----------



## Kursah (Nov 19, 2016)

remixedcat said:


> Just run adblock (ublock origin) noscript, and have hosts files and good routers/firewalls that block the shit and you should be good... However have antivirus (webroot or eset) and you will be good to go as well as the absolute best solution:
> 
> Common Sense Enterprise Edition 2017!



This plus OpenDNS filtering allows you to whitelist for your entire home or business network. Has a standard running black and whitelist predefined if you just want to use their DNS servers from your PC or router. Very effective and well worth folks doing.

Common sense is always going to be the biggest factor IMHO.


----------



## RejZoR (Nov 19, 2016)

OpenDNS only filters phishing websites. For better filtering you should use Norton Safe Web DNS servers. Those also filter malware sites as well as phishing.


----------



## Kursah (Nov 19, 2016)

RejZoR said:


> OpenDNS only filters phishing websites. For better filtering you should use Norton Safe Web DNS servers. Those also filter malware sites as well as phishing.



Maybe OpenDNS has updated since you last looked at it, but I've been using it at home for a couple of years and working with it on a professional level, and it does more than just phishing sites now. I was initially worried about Cisco taking over OpenDNS but it's only improved, and is faster to deploy updated blacklists than ever before. 

If you just use *OpenDNS* without a free Home account or paid Business Umbrella account, then it filters a predefined list of malicious, phishing and adult websites. If you do a free home account, you can actually choose which predefined lists you want to filter along with blacklist/whitelist capabilities. Plus it is super easy to manage and free.

Here's some screenshots from my account for example for those not familiar with the free Home account console:

*PRE-DEFINED FILTER OPTIONS* (screenshot not included)

*BLACKLISTING on OPENDNS* (screenshot not included)

*WHITELISTING on OPENDNS* (screenshot not included)
I haven't used Norton Safe Web before, but have been told by folks while it is generally considered more secure its DNS servers are slower. That's the cost of security though...waiting a little bit extra might be worth it. If you use it, maybe you could share some screenshots of it? 

Frankly I see no reason to go beyond OpenDNS with its current feature set, but it's good to have options because there shouldn't always be just one. I'm not a fan of Norton security software (at least the pre-loaded OEM crap) and what it lets by, so I'm leery to use their filtering, but it seems to be pretty well regarded. The problem I see with Norton is you get what they give you and you don't get control over white/blacklists as you do with OpenDNS. That might be fine for some, and submitting a request as per the *FAQ* is possible... but why do that when it can be done and allowed within a few minutes on OpenDNS? I suppose for folks that don't want to have as much control over what their filter is doing this is a good option; for those that like a little more control I believe OpenDNS would be the superior option.
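Both the Internet Explorer zone approach described earlier in the thread (anything not on the trusted list gets HTML and CSS only) and the OpenDNS discussion above come down to the same policy engine: a domain allow-list, a domain block-list, vendor category feeds, and a choice of what happens to names on none of the lists. The following is an added example, not OpenDNS's, Norton's or Internet Explorer's code, with constructed domains, categories and account settings. It shows the precedence between the lists, why a block must also cover subdomains, and the difference between the default-allow mode a home filter runs in and the default-deny mode of the "only whitelisted sites work" stance.

```python
"""DNS-level domain filtering: category block lists, a user block list and an
allow-list override, plus an optional default-deny mode.

Added example, not OpenDNS's, Norton's or Internet Explorer's code. All
domains, categories and the policy are constructed; the matching rule
(a listed domain covers itself and every subdomain) is the reusable part.
"""
from typing import Dict, Iterator, Optional, Set

# Vendor-style categorised feeds (constructed).
CATEGORIES: Dict[str, Set[str]] = {
    "phishing": {"login-verify.example", "secure-update.example"},
    "malware": {"cdn-payload.example"},
    "adult": {"adult.example"},
}
# Categories this account chose to filter; "adult" deliberately left off.
BLOCKED_CATEGORIES: Set[str] = {"phishing", "malware"}
# Account-level lists, as on a home-console style filter.
ALLOWLIST: Set[str] = {"intranet.corp.example"}
BLOCKLIST: Set[str] = {"ads.example"}


def parent_names(fqdn: str) -> Iterator[str]:
    """Yield the name and each parent below the TLD: a.b.c -> a.b.c, b.c."""
    parts = fqdn.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def category_of(fqdn: str) -> Optional[str]:
    """First category whose feed lists the name or one of its parents."""
    for name in parent_names(fqdn):
        for cat, domains in CATEGORIES.items():
            if name in domains:
                return cat
    return None


def resolve_policy(fqdn: str, default_deny: bool = False) -> str:
    """Return "allow" or "block" for a query name.

    Precedence: explicit allow-list, then explicit block-list, then blocked
    categories, then the default (allow, or block when default_deny is set).
    """
    names = list(parent_names(fqdn))
    if any(n in ALLOWLIST for n in names):
        return "allow"
    if any(n in BLOCKLIST for n in names):
        return "block"
    if category_of(fqdn) in BLOCKED_CATEGORIES:
        return "block"
    return "block" if default_deny else "allow"


if __name__ == "__main__":
    for q in ["login-verify.example", "tracker.ads.example", "adult.example",
              "www.intranet.corp.example", "brand-new-phish.example"]:
        print(f"{q:28s} default-allow={resolve_policy(q):5s} "
              f"default-deny={resolve_policy(q, True)}")
```

Two points the output makes: a phishing domain that is not yet in any feed is allowed in the normal mode and only stopped by default-deny, which is the trade-off the thread is arguing about; and because the allow-list also covers subdomains, `phish.intranet.corp.example` is allowed, so an allow-list entry should be as specific as possible and applied only to domains whose subdomains you actually control.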


----------



## RejZoR (Nov 19, 2016)

It has been like this for ages and none of categories cover malware webpages.


----------



## Frick (Nov 19, 2016)

Steevo said:


> It reminds me of the people who say it's up to men to learn not to rape, cause all men are rapists.
> .



It is definitely up to men to learn to respect women, because a whole lot of them don't.


----------



## DeathtoGnomes (Nov 19, 2016)

FordGT90Concept said:


> Anything on my computer that I didn't deliberately put there is malware in my book.  I nipped it in the bud by prohibiting it from launching and did a clean Windows install a few months later to get rid of it entirely.



OneDrive, or wtf-ever it's called now, is exactly this, malware. You didn't have a choice of installation and you can't uninstall it except through old skool means; at least with Win10 there is a mock setting that "supposedly" disables it but is yet open to hacking that can re-enable it and use it as a backdoor, so to speak.


----------



## Solaris17 (Nov 19, 2016)

Unfortunately I find this "advice" to be a bit one sided. There is not a shred of it that isn't true or not advised. However, these kinds of mitigations are for people with a good understanding of technology that haven't managed to implement it.

I also find it curious that TPU members even flaunt it a bit. I would hope that anyone intelligent enough to hold higher discussion on this forum would have the ability to implement these practices, but assuming that it is enough for even the general populace is short sighted, to say the least. Not to mention, with the evolution of technology and the pressure from even local utilities to "pay your mortgage online", using the argument that people incapable of following this advice just "shouldn't use a PC" is arrogant. 

AV software, and even the paid versions, offer non-advanced users much needed protection and I'm surprised some members don't appear to know this. Perhaps it's not dealing with thousands of users that clouds their understanding.

Gateway protection from IDS/IPS and other flow control applied via whitelist or heuristic blocking will always be best, sure. After all the best protection is to "not let it get in to begin with", but that one line could have covered that entire article.

However this is easier said than done, or even impossible given the understanding of today's technology among senior or even uneducated citizens.

Let's not forget that PC classes and training are not fundamental in today's society, nor are they required or enforced in all schools. 

I don't really see this article as any more than regurgitating best practice that system administrators have known for years, with the added short sightedness of expecting it to be deployed in a home environment. 

My sister doesn't understand how to enable OpenDNS sorting on her router and I'd be willing to bet a whole lot of the rest of the global population doesn't either.


----------



## cadaveca (Nov 19, 2016)

Solaris17 said:


> My sister doesnt understand how to enable openDNS sorting on her router and I'd be willing to bet a whole lot of the rest of the global population doesnt either.



I personally feel that you SHOULD know this sort of stuff, and access to the internet should have some sort of "licensing" just like driving a car, so that you have to have a proper education prior to even connecting. This might be a bit harmful to those that make the internet their source of income, but like buying a car, or getting a phone, there are criteria (credit, in the example) that must be passed before you access those services. Until you can provide proof that you are adept enough at using the internet, everything should be screened, and there should be "police" whose job it is to remove malicious users and prosecute them, no matter what global region you are in.

At the same time, I do not believe that there is a single shred of privacy on the internet, since anything can be captured at the ISP level and anywhere in-between.(just like cell phones).


----------



## Frick (Nov 20, 2016)

DeathtoGnomes said:


> Onedrive, or wtf-ever is called now, is exactly this, malware. You didnt have a choice of installation and you cant uninstall it except thru old skool means, atleast with win10 there is a mock setting that "supposedly" disables it but is yet open to hacking that can re-enable it and use it as a backdoor so to speak.



Do you mean someone would use the service to hack your system or do you mean that MS will "hack" it back on? In any case it is not malware, by definition.


----------



## cdawall (Nov 20, 2016)

In the years I have worked in the tech industry Antivirus is no use when the user is an idiot. They could have the best paid for stuff that exists and will still get a virus. At that point, what is the point. The dead canary is a perfect metaphor for what it does now. We have come a long way since everyone had limewire and downloaded aids to get free music. 

As of now it's semi rare I actually see a machine with a virus and most that legitimately have one have an Antivirus. That says one thing to me. User error.


----------



## silentbogo (Nov 20, 2016)

cdawall said:


> In the years I have worked in the tech industry Antivirus is no use when the user is an idiot. They could have the best paid for stuff that exists and will still get a virus. At that point, what is the point. The dead canary is a perfect metaphor for what it does now. We have come a long way since everyone had limewire and downloaded aids to get free music.
> 
> As of now it's semi rare I actually see a machine with a virus and most that legitimately have one have an Antivirus. That says one thing to me. User error.



That's pretty much what I've concluded:
- Traditional AVs use signature databases of known threats. Good at finding outdated malware, but useless against fresh threats
- Heuristic AVs use behavioral analysis to determine threats. The analysis is based on known and assumed behavior of malware, hence - useless against new threats and suffers from false-positives.
- None of the above include the human factor in the equation

So, over the past 10 years I've only made the mistake of purchasing a 2-year license for Kaspersky Antivirus. Never used one since 2007 and never got infected. 
Most of the infected laptops or PCs that appear in my workshop have some kind of "adequate" anti-malware or antivirus installed (usually NOD32, Malwarebytes or Avast), but it still does not prevent "user-sanctioned" attacks.
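The second bullet above (behavioural heuristics built on known or assumed malware behaviour, hence false positives and misses on new threats) is easy to show concretely. The following is an added example, not code from any AV vendor; the indicator names, weights, threshold and event traces are all constructed. It scores a process trace against a weighted indicator set and runs four traces through it: real ransomware-like behaviour, a legitimate installer that trips persistence indicators, a new credential stealer whose key behaviour the indicator set has no entry for, and a plain document.

```python
"""Behaviour-based heuristic verdicts over a process event trace.

Added example, not code from any AV vendor. The indicators, weights and
traces are constructed to show the two failure modes named above: a
benign program that trips known-bad indicators, and a new malware family
whose behaviour the indicator set does not model.
"""
from typing import Dict, List, Tuple

# Indicator -> weight. Every entry is an assumption about how malware behaves.
WEIGHTS: Dict[str, int] = {
    "write_autorun_key": 3,          # persistence via a Run key
    "create_service": 2,             # persistence via a service
    "spawn_from_office_macro": 4,    # maldoc delivery chain
    "inject_remote_thread": 4,       # process injection
    "mass_file_rename": 3,           # ransomware-like file churn
    "delete_shadow_copies": 5,       # backup destruction before encryption
    "outbound_to_new_domain": 2,     # first contact with an unseen domain
}
THRESHOLD = 6   # a score at or above this is called malicious


def verdict(events: List[str]) -> Tuple[str, int, List[str]]:
    """Score a trace: each distinct known indicator counts once."""
    matched = sorted({e for e in events if e in WEIGHTS})
    score = sum(WEIGHTS[e] for e in matched)
    label = "malicious" if score >= THRESHOLD else "clean"
    return label, score, matched


# Constructed traces, in the shape an endpoint sensor might report them.
TRACES: Dict[str, List[str]] = {
    "ransomware": [
        "delete_shadow_copies", "mass_file_rename", "mass_file_rename",
        "mass_file_rename", "write_autorun_key",
    ],
    # A normal installer: registers a service, adds an updater to Run,
    # and phones home to a domain the sensor has never seen.
    "legit_installer": ["create_service", "write_autorun_key", "outbound_to_new_domain"],
    # A new credential stealer: reads browser databases and exfiltrates.
    # "read_browser_credential_db" is not in the indicator set at all.
    "novel_stealer": ["read_browser_credential_db", "outbound_to_new_domain"],
    "word_document": ["open_file", "render_page"],
}


def evaluate() -> Dict[str, Tuple[str, int, List[str]]]:
    """Return {trace name: (label, score, matched indicators)}."""
    return {name: verdict(trace) for name, trace in TRACES.items()}


if __name__ == "__main__":
    for name, (label, score, matched) in evaluate().items():
        print(f"{name:16s} {label:9s} score={score:2d} matched={matched}")
```

The installer scores 7 and is called malicious (the false positive that makes users disable the product), while the stealer scores 2 and is called clean (the miss on a threat the model never saw). Lowering the threshold to catch the stealer makes the installer case worse; raising it to spare the installer lets more through. That tension, not any particular tuning, is what the bullet describes.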


----------



## Jetster (Nov 20, 2016)

If you use the Firefox Kaspersky add-on it does prevent some user-sanctioned attacks. It can identify scripts with malicious intent when you access the site. But you're right about no software being able to prevent everything. Not even close.

And for the most part I would rather have a risky internet than completely safe with some government overreach program.  This is the great paradox of the internet.


----------



## Caring1 (Nov 20, 2016)

cdawall said:


> In the years I have worked in the tech industry Antivirus is no use when the user is an idiot. They could have the best paid for stuff that exists and will still get a virus. At that point, what is the point. The dead canary is a perfect metaphor for what it does now. We have come a long way since everyone had limewire and downloaded aids to get free music.
> 
> As of now it's semi rare I actually see a machine with a virus and most that legitimately have one have an Antivirus. That says one thing to me. User error.


I agree, this guy I know has been through three laptops, and all three have had to be wiped at least once due to his clicking yes on basically anything; admittedly he's an idiot, but people do turn off the anti-virus if it prevents them from doing what they want.
He's also one of those that deny doing anything stupid unless you ask the right specific question, I just shake my head.
Giving credit card details in a random pop up, he's done it.


----------



## 64K (Nov 20, 2016)

Caring1 said:


> I agree, this guy I know has been through three laptops, and all three have had to be wiped at least once due to his clicking yes on basically anything, admittedly he's an idiot, but people do turn of the Anti-Virus if it prevents them from doing what they want.
> He's also one of those that deny doing anything stupid unless you ask the right specific question, I just shake my head.
> Giving credit card details in a random pop up, he's done it.



Wow! That guy needs someone looking out for him. I know someone who gets the popup screens that won't let you close them until you pay money. Probably from porn sites but he won't admit to it. I showed him how to use Task Manager to close the browser in the future. There ought to be some class at school that teaches you how to be safe on the internet. It's too easy to prey on people that don't have a basic understanding of how to be safe on the internet. I use Microsoft Security Essentials and run Malwarebytes every couple of months but I've only ever been infected with a serious virus once in all my 20 years on the web.


----------



## Jetster (Nov 20, 2016)

I can't remember the name of it. But 4 years ago I ran across a virus that loaded itself into the BIOS. I formatted the one hard drive and it came back. I had to flash the BIOS and reinstall a second time.


----------



## Ubersonic (Nov 22, 2016)

Haven't used standalone antivirus in about 14 years, I make a point of not downloading viruses from dodgy sites instead.  Plus Windows has had decent AV built in now anyway.


----------



## RejZoR (Nov 22, 2016)

Downloading viruses from dodgy sites. How about when viruses were served to users from a legit site through hijacked 3rd party advertisements? Your logic stops working at that point because things haven't been that simple since like 10 years ago...


----------



## Ebo (Nov 22, 2016)

I use the F-Secure internet package including safe browsing, so even on dodgy sites the programme asks: are you sure that you wanna do that? 

I have only been hit once in the last 5-6 years and it got caught right away. If it's dodgy, it runs in a sandbox environment.


----------



## Jetster (Nov 22, 2016)

Here is the new Kaspersky Firefox add-on


----------



## RejZoR (Nov 22, 2016)

Ebo said:


> I use to F-secure internet package including, safe browsing, so even on dodgy sites, the programme askes: are you sure that you wanna do that ? .
> 
> I have only been hit once the last 5-6 years and and it got cought right away. If its dodgy, it runs in an sandbox inviroment.



And how do you know something is dodgy when you're on, I don't know, www.newyorktimes.com and an iFrame serving ads within that page gets hijacked and serves you drive-by malware instead of ads? This is mostly why AVs have HTTP and now even HTTPS scanners, because of these exact scenarios.


----------

