Monthly Archives: September 2006

Stupidity Squared – from the AV Vendors

This week AVID stands for AntiVirus Is Defunct. I’ll provide yet more evidence of this sorry truth and hopefully you’ll get the point.

A few weeks ago I came across an article on the Internet which was advocating installing two separate anti-virus products in order to have a better chance of stopping malware. The logical argument was this: AV products don’t stop all viruses, and any ad-hoc test will reveal that a virus that one product lets in will sometimes be stopped by another.

I looked for other occurrences of this helpful-to-AV-vendors-but-misguided advice and discovered this on FCW.com, presented as “5 tenets of effective threat management”.

“To effectively block viruses, use two gateway [AV] products rather than one, especially at your main e-mail gateway… If you are particularly sensitive to viruses because your internal network is wide open, three antivirus gateways are even better.”

Why not four or five, one wonders? Why not the full set? This piece of nonsense brings to mind tests done by av-comparatives.org (see http://www.av-comparatives.org/ for full details) which pitted 16 AV products against 474,759 KNOWN instances of malware, including DOS viruses, Windows viruses, macro viruses, script viruses, worms, backdoors, Trojans and other bad stuff.

This research roundly disproves one of the kind assumptions that I have been disseminating in these AVID postings of mine. I’ve always suggested that AV products stop KNOWN malware. My apologies, but this research proves quite the opposite. In this test none of the AV products tested stopped all of these 474,759 KNOWN instances of malware. The best of them let in about 500 of this KNOWN population and the worst let in 90,000.

One commentator concluded that in order to stop all of these KNOWN threats, you would need to install all 16 AV products!!

So there’s the answer: don’t install just a handful of AV products, hang the expense and install them all. Sadly, this remedy falls foul of the fact that while you might be able to install 16 gateway products and have them scan incoming email in series (I’m not sure, but you might), you would paralyze a PC if you loaded 16 different AV products onto it. The products would also interfere with each other. And to cap it all, none of them would stop the UNKNOWN viruses (the zero-day threats) that AV products regularly let through and which are a much greater problem.

The idea isn’t just stupid. It is also impractical. Of course, it’s also unnecessary because there are products from four vendors, AppSense, Bit9, SecureWave and Savant Protection which do the job properly and will stop the KNOWN and UNKNOWN viruses with equal effectiveness.

Enough for this week… Although, perhaps I should warn you that I’m now accumulating so much material for AVID that I may be forced into making it a weekly rather than fortnightly Blog item.


Savant Protection: A New Whitelisting Company

Anti-Virus In Demise is this week’s AVID focus. You know a technology sector is beginning to thrive when new entrants appear. There is a new entrant into the Software Authentication/Anti-Malware market which (as I keep saying) is destined to utterly destroy the AntiVirus market.

For 18 years the AV market grew and thrived until it became a $4 billion industry accounting for about 52 percent of the spend on IT security. It is awesome that products that repeatedly failed to protect their customers from malware have thrived so mightily—more so than all other IT security products, most of which actually do stop threats.

Anyway the game is up. Alternative technology is available that does the job properly, and now there are four companies providing it. Not as many as the 30 or more AV companies but hey, sit back and watch the AV market contract while this one replaces it.

The way that Software Authentication products work is this: they check executables to see if they are “authentic” as they queue up to execute, and they stop them if they are not. How do they know what is authentic? When these products are loaded for the first time onto a clean machine they fingerprint all the (valid) executables, or import a whitelist from elsewhere in the network, or both. After that, anything that is new and unknown is only allowed to run if it is given permission by the user. Even if given such permission to run, it runs in “quarantine”. It will not be allowed to run elsewhere in the network unless it is given a clean bill of health by the central IT Security team.

This is the way that the Software Authentication products (from AppSense, SecureWave, Bit9 and now Savant Protection) work. Outside of the fact that these products automatically stop all malware (whereas AV products don’t even stop viruses very well) they work in slightly different ways. Savant Protection has the nuance that it uses cryptographic techniques to validate users and generate software fingerprints. User validation works by strong authentication—based on a randomly selected file. The fingerprints that Savant Protection generates are not just unique to the executable they apply to, they are unique for every computer/executable pair. Thus even if a user makes a mistake and permits some malware to run, it will never run anywhere else in the network.
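To make the two preceding paragraphs concrete, here is an added example (my own sketch, not code from Savant Protection or any of the vendors named) of the baseline-then-allow-or-quarantine decision, with the per-computer/executable fingerprint modelled as an HMAC of the file bytes under a per-host key. The host keys, the byte strings standing in for executables, and the method names are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class HostAllowlist:
    """Per-host executable allowlist. A fingerprint is HMAC(host_key, file bytes),
    so a fingerprint that is permitted on one host means nothing on another."""
    host_key: bytes                      # constructed per-host secret
    allowed: set = field(default_factory=set)
    quarantined: set = field(default_factory=set)

    def fingerprint(self, data: bytes) -> str:
        return hmac.new(self.host_key, data, hashlib.sha256).hexdigest()

    def baseline(self, executables: dict) -> None:
        """First run on a clean machine: fingerprint every known-good executable."""
        for data in executables.values():
            self.allowed.add(self.fingerprint(data))

    def decide(self, data: bytes, user_permits: bool = False) -> str:
        """Called as an executable queues up to run: 'run', 'quarantine' or 'block'."""
        fp = self.fingerprint(data)
        if fp in self.allowed:
            return "run"
        if fp in self.quarantined or user_permits:
            self.quarantined.add(fp)     # user-permitted unknown: runs only here, in quarantine
            return "quarantine"
        return "block"

    def approve(self, data: bytes) -> None:
        """Central IT gives a quarantined executable a clean bill of health."""
        fp = self.fingerprint(data)
        self.quarantined.discard(fp)
        self.allowed.add(fp)


def demo() -> dict:
    # Constructed sample "executables": byte strings stand in for real binaries.
    clean = {"notepad.exe": b"MZ notepad", "sqlservr.exe": b"MZ sqlservr"}
    unknown = b"MZ dropper"
    host_a = HostAllowlist(host_key=b"host-a-secret")
    host_b = HostAllowlist(host_key=b"host-b-secret")
    host_a.baseline(clean)
    host_b.baseline(clean)
    return {
        "known_on_a": host_a.decide(clean["notepad.exe"]),
        "unknown_on_a": host_a.decide(unknown),
        "user_permits_on_a": host_a.decide(unknown, user_permits=True),
        "same_bytes_on_b": host_b.decide(unknown),   # a mistake on A does not travel to B
        "fingerprints_differ": host_a.fingerprint(unknown) != host_b.fingerprint(unknown),
    }
```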

These products don’t just stop viruses and worms; they stop spyware, adware, user-loaded software like P2P file sharing software, hacker exploits and associated hacking tools, web page based exploits, old versions of software accidentally invoked and anything whatever that you don’t want to run on your computers.

So what does it mean that there is yet another AVID company? Well it means that there is more marketing budget and more sales people out there to spread the message that the age of malware is coming to an end and Anti-Virus Is Dead!

We’re not done here, by the way. I keep acquiring new information to publish—more than I need to keep AVID going on a fortnightly basis.


The Internet Media Game: Apple v Alternatives

What Apple is in the process of doing is controlling the media purchase market. The problem for every other entrant into this market is the same as the problem that confronts every new web site that decides to compete with Amazon. The Internet buying habit is driven by consumer confidence and habit. Most people who install iTunes buy something eventually. They quickly learn that buying is pretty much effortless and eventually it becomes a habit.

Taking myself as an example, I’ve bought about 100 items from iTunes, including about 8 videos—all music videos which cost no more than TV programs. I will probably buy movies from the same source. If I was into games, I’d probably do games too. What is so convenient about iTunes? The same program which provides me access to a media store also manages my media. How do you break this grip? The only answer is do the same thing much better. That’s a tough nut to crack.

But there is an alternative. The alternative is to give the content away and make money from inserting ads in the content. This is the strategy that is being pursued by NBC (owned 80 percent by GE, 20 percent by Vivendi Universal). NBC has set up a syndicated operation called NBBC (in the hope of confusing everyone in the UK)—NBBC stands for National BroadBand Company. The idea is that web sites, content creators and NBBC team up to place videos and share the ad revenue. Other broadcasters, ABC, Bravo, USA, Comedy Central, even the BBC and Channel 4 could make their content available (Fox and CBS have already signed up). So think like this; US TV ad revenue is about $60 billion. If you get even a small piece of that, you have a business.

All that needs to happen is for people to start playing TV programs (or other content) from the web. Not much of this happens now, aside from Apple’s success, because it’s not easy to go from web page to TV screen. Most people only play shorts on their PCs/Macs. If they want to watch a whole movie they cut a DVD and put it in the DVD player. If the NBBC model works it will have established a kind of Google AdSense operation. Google, Yahoo and YouTube may be inclined to do something similar.

So how would this stack up against the Apple Juggernaut? Hard to say until it gets going, but there’s a potential fly in the ointment. Surely some software will eventually appear which strips the ads from the video. If so you’ll never be able to know for sure that an advert played.


AntiVirus: An Ex-Technology

AVID, as regular readers of this blog know, stands for Anti-Virus is Deceased or, alternatively, AV is Dead. Borrowing from Monty Python, we can emphasise this message by insisting that:

“AV’s passed on! This technology is no more! It has ceased to be! It’s expired and gone to meet its maker! It’s a stiff! Bereft of life, it rests in peace! If you hadn’t nailed it to the PC it’d be pushing up the daisies! Its metabolic processes are now ‘istory! It’s off the twig! It’s kicked the bucket, it’s shuffled off its mortal coil, run down the curtain and joined the bleedin’ choir invisible!! THIS IS AN EX-TECHNOLOGY!!”

I’m getting ahead of myself, perhaps, but there are two reasons why we’re predicting the imminent demise of AV software.

Point 1: It doesn’t work. To be precise it fails to stop the potentially most damaging viruses—the new ones.

How bad is it at doing this? Pretty awful really. Let’s take a specific case as an example: the SQL Slammer worm, which first saw the light of day in January 2003. It was estimated that the SQL Slammer worm infected 90 percent of the computers that it could infect in the space of 10 minutes. From the perspective of AV software, it was disastrous. As far as I can tell there is no evidence that any AV software stopped the initial onslaught of this particular worm from the moment it began its jaunt across the Internet.

Why was that?

Well, it was simply a matter of how the worm worked. Once it had infected a computer running Microsoft SQL Server, it scanned the Internet for other such machines to infect and, when it found one, infected it too. This caused an explosion of processes looking to infect other machines, all running at digital speeds. This little worm didn’t need any help from people to proliferate. The way to kill the infection was to apply the SQL Server patch which eliminated the buffer overflow that the worm was using to hijack servers. It was the only cure. The cost of SQL Slammer was estimated at $1.5 billion.
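Because a self-propagating worm like this announces itself by the fan-out described above (one host suddenly probing many others on the same port), a signature-free detector can catch the behaviour even when no AV signature exists yet. The following is an added example, not from the original post: it flags any source that reaches a threshold of distinct destinations on one port within a short window, run over constructed flow records. The post does not name the port; UDP 1434, the SQL Server Resolution Service port Slammer targeted, is assumed here, and the threshold, window, addresses and record layout are constructed for illustration.

```python
from collections import defaultdict

# Flow record layout assumed for this example: (timestamp_s, src_ip, dst_ip, dst_port, proto)
SQL_RESOLUTION_PORT = 1434  # UDP port Slammer probed (assumption; not stated in the post)


def scanning_hosts(flows, port=SQL_RESOLUTION_PORT, window=10.0, threshold=20):
    """Return {src_ip: distinct_destinations} for every source that contacted at least
    `threshold` distinct destinations on `port` within some `window`-second span.
    Legitimate clients talk to a handful of servers; a worm fans out to hundreds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if dport == port and proto == "udp":
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # destinations reached in the window starting at this probe
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                flagged[src] = len(dsts)
                break
    return flagged


def constructed_flows():
    """Constructed sample traffic: one infected host and one ordinary client."""
    flows = []
    # Infected host 10.0.0.5 probes 50 distinct addresses in five seconds.
    for i in range(50):
        flows.append((i * 0.1, "10.0.0.5", f"192.0.2.{i + 1}", SQL_RESOLUTION_PORT, "udp"))
    # Ordinary client 10.0.0.7 queries two real SQL servers over a minute.
    for i, dst in enumerate(["10.0.0.20", "10.0.0.21", "10.0.0.20"]):
        flows.append((i * 20.0, "10.0.0.7", dst, SQL_RESOLUTION_PORT, "udp"))
    # Unrelated TCP traffic on another port is ignored by the detector.
    flows.append((3.0, "10.0.0.7", "10.0.0.30", 80, "tcp"))
    return flows


if __name__ == "__main__":
    print(scanning_hosts(constructed_flows()))
```

Tuning the window and threshold against your own network's normal fan-out is what keeps this from flagging legitimate discovery or monitoring traffic.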

Point 2: There are products that actually do the job properly from security vendors Bit9, SecureWave and AppSense.

AV becomes an ex-technology when companies start buying this technology, a trend which is now happily in progress. When this trend explodes, it will be the beginning of the end for viruses and other malware. Until it happens, malware will persist because AV technology doesn’t stop it effectively.
