Wednesday, December 23, 2009

More on antiviruses.

Just look at this. They claim there are 15,000 new virus definitions each day. For Windows. How come there is less than one new virus per day on other systems, whose market share is only maybe 10x smaller? How come open source antivirus software ships orders of magnitude fewer new definitions per day yet is fairly effective? The world is not big enough to produce that many genuinely new viruses a day anyway. How the hell are they counting, and what do they count as a distinct virus? Server-side polymorphics? If a clever virus produces a new variant every time it spreads, specific definitions are not useful; you need a smarter solution that lets the code run but catches it when it tries to replicate.
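To make the counting question concrete, here is an added illustration (not from the original post) of why a per-sample signature list falls apart against polymorphic code. The "virus" is a constructed, harmless byte string, and the mutation engine is a toy XOR encoder that takes a fresh key per copy, standing in for a server-side polymorphic that re-encodes its body for every download. Every copy gets a new hash, so a vendor that counts definitions per hash reports 50 "new viruses" from 50 downloads, while a generic detector that emulates the decoder and matches the invariant body catches all of them with one rule. The marker bytes, payload text and class names are all assumptions made for the example.

```python
"""Signature blacklist vs. generic (behaviour-style) detection against
a toy polymorphic sample.  Added example; nothing here is real malware."""
import hashlib

# Constructed stand-in for the invariant malicious body.
PAYLOAD = b"copy-self-to-every-dir; add-autorun-entry; phone-home\n"
# Constructed decoder-stub marker, assumed to stay the same in every copy.
MAGIC = b"\xDE\xC0"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_variant(key: int) -> bytes:
    """One copy of the 'virus': stub marker + key byte + XOR-encoded body.
    A real polymorphic engine would pick a fresh key (and reorder or pad its
    stub) per download; here the caller supplies the key so runs are repeatable."""
    assert 1 <= key <= 255, "key 0 would leave the body in the clear"
    body = bytes(b ^ key for b in PAYLOAD)
    return MAGIC + bytes([key]) + body


class HashBlacklist:
    """Signature-style detector: one definition per sample the vendor has seen."""
    def __init__(self):
        self.known = set()

    def learn(self, sample: bytes):
        self.known.add(sha256(sample))

    def detects(self, sample: bytes) -> bool:
        return sha256(sample) in self.known


def decoded_body(sample: bytes):
    """Emulate the decoder stub: if the marker matches, undo the XOR."""
    if len(sample) < 3 or not sample.startswith(MAGIC):
        return None
    key = sample[2]
    return bytes(b ^ key for b in sample[3:])


class BehaviourDetector:
    """Generic detector: run the stub, then match what the body actually does."""
    def detects(self, sample: bytes) -> bool:
        body = decoded_body(sample)
        return body is not None and b"copy-self" in body and b"add-autorun" in body


def experiment(n_variants: int = 50):
    """Return (distinct hashes, blacklist hits, behaviour hits) for n fresh copies."""
    blacklist = HashBlacklist()
    behaviour = BehaviourDetector()
    blacklist.learn(make_variant(0xFF))  # the one sample the vendor captured
    variants = [make_variant(k) for k in range(1, n_variants + 1)]
    distinct = len({sha256(v) for v in variants})
    bl_hits = sum(blacklist.detects(v) for v in variants)
    bh_hits = sum(behaviour.detects(v) for v in variants)
    return distinct, bl_hits, bh_hits


if __name__ == "__main__":
    distinct, bl, bh = experiment()
    print(f"{distinct} distinct hashes ('new viruses'), "
          f"blacklist caught {bl}, generic detector caught {bh}")
```

The generic detector is only a sketch of "let it run and watch what it does"; real engines emulate or sandbox the code rather than knowing the stub layout up front, but the asymmetry is the same: one invariant behaviour versus an unbounded stream of hashes.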
My best guess is that this number is not even a count; it is simply the number they figure is optimal to display in the software and quote in their releases, to maximize profits and to advertise their brand-new "whitelisting" approach, which isn't going to protect anyone but would probably generate a lot of profit for antivirus companies. (Say I launch a new software product: how is it going to get whitelisted if people aren't running it because it's not whitelisted? The usual solution to a chicken-and-egg problem is that you have to buy a chicken. Or an egg, plus an incubator. Meaning that if there is whitelisting, developers have to pay for certification.)

In my opinion, antivirus is a broken solution to the wrong problem. If you run untrustworthy code, such as pirated software, keygens for pirated software, various "toolbars" and so on, or if you run email attachments, no antivirus can protect your (Windows) PC: it will eventually be infected. If you have insecure network services, antivirus won't protect you, but a security update to the service would. If you keep everything up to date and don't run untrustworthy code, you are just as safe without antivirus. A general security tool that watches for changes in files could be quite useful. A specific blacklist is of little use; it cannot even protect against variations of old viruses. A whitelist is just a nuisance. Antivirus software is written to maximize the profits of antivirus companies, not to minimize threats; virus signature lists are far better for profit generation than general solutions; it is far better (for the vendors) to autorun files from USB sticks and then sell antivirus software than to forbid autorun for writable or all media. Microsoft's response of tightening OS security is the only hope for the Windows world.
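The "general security tool that watches for changes in files" mentioned above, as an added example that is not part of the original post: baseline a directory tree by content hash and mode bits, then report what was added, removed, modified, or newly made executable. The sample tree and the simulated infection are constructed inside a temporary directory so the script runs offline; the file names and contents are assumptions for the example only.

```python
"""Minimal file-change watcher: snapshot a tree, diff two snapshots.
Added example with a constructed sample tree; not a production tool."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each regular file (relative path) to (sha256 hex, is_executable)."""
    result = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # skip symlinks so a link to /etc/passwd is not hashed
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        mode = path.stat().st_mode
        is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        result[str(path.relative_to(root))] = (h.hexdigest(), is_exec)
    return result


def diff(baseline: dict, current: dict) -> dict:
    """Compare two snapshots.  The four categories match what an infection
    typically does: drop files, patch binaries, delete logs, make data runnable."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, newly_exec = [], []
    for name in sorted(set(baseline) & set(current)):
        old_hash, old_exec = baseline[name]
        new_hash, new_exec = current[name]
        if old_hash != new_hash:
            modified.append(name)
        if new_exec and not old_exec:
            newly_exec.append(name)
    return {"added": added, "removed": removed,
            "modified": modified, "newly_executable": newly_exec}


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate an infection, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "bin").mkdir()
        (r / "bin" / "app").write_bytes(b"original program\n")
        os.chmod(r / "bin" / "app", 0o755)
        (r / "notes.txt").write_text("harmless notes\n")
        (r / "old.log").write_text("to be deleted\n")
        baseline = snapshot(root)

        # Simulated infection (constructed): patch the binary, drop an autorun
        # file, make a data file executable, delete a log.
        (r / "bin" / "app").write_bytes(b"original program\n" + b"\x90" * 8)
        (r / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
        os.chmod(r / "notes.txt", 0o755)
        (r / "old.log").unlink()

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:17s} {names}")
```

Two caveats a practitioner would add before trusting this: the baseline has to live somewhere the monitored machine cannot rewrite (read-only media or a signed copy elsewhere), because the first thing malware that knows about the tool will do is update the baseline; and a snapshot taken after infection is worthless, so the baseline must come from a clean install.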


  1. Interesting points. Kind of encourages you to create viruses that only affect antivirus software. Like breaking their update system...

  2. Some viruses do this: disable the antivirus update system. I think all seriously criminal malware does this. There's also the possibility of exploiting buffer overruns during virus scanning (e.g. with a malformed archive).

    What would be great is more system security, and maybe special handling for standard dialogs so that, e.g., you run Firefox with very low privileges and it can only read and write ~/.mozilla AND the files you choose with the open and save dialogs. Most of the software on my computer does not need to be able to set the execute bit on files or alter executable files, either.