Endpoint
8/2/2012
08:21 PM
Robert Graham
Robert Graham
Commentary
50%
50%

Antivirus And The Wisdom Of Cabbies

Viruses that cabbies -- like the one who drove me to Def Con -- complain about are precisely those that antiviruses can't clean

Last month en route to Def Con, in the taxi from the airport, I mentioned that I was in town for a "hacker convention." The cabby immediately started asking for technical support to help remove a "Trojan" (his words) from his machine. I asked him whether he had an updated antivirus. He said he had; he originally had AVG that caught nothing, and then his son installed a new antivirus that warns him of the infection (and claims to clean it) every time he turns on his computer. He sees this as an improvement, but it still hasn't gotten rid of the virus or fixed the fact that his browser home page is constantly redirected to foreign advertising sites (most aren't even in English).

This is, of course, not unusual. Everyone in our industry experiences much the same thing when getting into taxies. About half the time I tell cabbies I'm in cybersecurity/hacking, I get a similar story: They are infected, and they have the latest antivirus, but it doesn't work as well as they'd hope.

It's easy to say something generic like "antivirus is broken," but the problem is more complicated than that. Antivirus products just deliver what the market asks for. We are the market; therefore, the problem really is that we are the ones who are broken.

The most common way we (the market) measure viruses is by running them through a "wild list" of real viruses. This is nonsense. The percentage a product catches of this list is almost wholly unrelated to the percentage of the real-world threat end users experience. The normal wild-list score is above 95 percent, but a product that catches only 50 percent on this test could, in fact, do a better job in the real world.

The problem is timing. By the time the antivirus update that catches a virus reaches your machine, you've already caught the virus.

And antivirus does a horrible job at clean-up. Sure, they can quarantine some files, but a lot of times it's impossible, and the virus stays around, as in the example above.

This leads to the "Baysian Cabby Effect" -- the viruses that cabbies complain about are precisely those that antiviruses can't clean and just leave on their system for years. Thus, while uncleanable viruses may only be small percentage of actual viruses, they become a dominant reason why people are unhappy with antivirus products.

Another problem is that antivirus can't (easily) fix stupid. Cabbies complain about the Trojans that hackers put on their machines. They use that word -- I'm not they know what it means. Like the citizens of Troy who brought the horse statue inside their gates, a Trojan is something you, yourself, put on your machine. It's like getting syphilis and saying, "But I don't know how that happened."

It may seem totally unfair to judge antivirus by how well they deal with stupid users, but isn't that the point? Experts can avoid viruses, detect them, and remove them without the aid of antivirus programs. The entire point of antivirus is to protect inexperienced users from themselves. We therefore need to stop evaluating antivirus on how good a job they do for experts, but how good a job they do for everyone else.

I'm sure you've heard the following joke, but I'm going to repeat it anyway: A passerby notices a guy looking for his keys under a street lamp. He asks, "Where did you lose your keys?" The other says "I'm pretty sure I dropped them in the grass over there." Passerby asks, "So why are you looking here?" The guy answers, "Because the light is better." Measuring antivirus by the wild-list is the same concept. We choose criteria that are easy to measure, but not the ones that matter.

So the conclusion is this: Antivirus is going to continue to perform poorly, cabbies are still going to complain, and it's as much our (the cybersec community) fault as it is the antivirus companies.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8891
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors...

CVE-2014-8892
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to bypass intended access permissions and obtain sensitive information via un...

CVE-2015-1170
Published: 2015-03-06
The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 before 345.20, and R346 before 347.52 does not properly validate local client impersonation levels when performing a "kernel administrator check," which allows local users to gain administrator privileges via unspecified API call...

CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.