Hardware Canucks > SOFTWARE > O/S's, Drivers & General Software

#11  AkG (Hardware Canucks Reviewer), October 29, 2010, 02:59 PM

OK, there are three big things wrong with your argument.

1) Saying malware == trojans is a fallacious argument at best. Sure, you can say trojans are malware, but you can't say all malware == trojans. It would be like saying not only that all VW Beetles are cars, so all cars are VW Beetles, but that all "cars" are BLUE VW Beetles. There are numerous other types of malicious programs that do not fit best into the category of trojans.

2) At an even more basic level, saying that ANY A/V program that mainly relies on a database of known bad fingerprints is going to be 99+% effective is laughable. Hell, they can't even be trusted to get all the KNOWN crap that is out there... and you want to rely on them solely for the unknown? Most experts agree that even the best are usually in the mid-90 range for viruses and lower for other types of crapware. So yes, you can compare A vs B vs C with a known list of KNOWN nasties, but that doesn't help you in "the wild". You can test against nearly a million known virus types (yet they purposely ignore non-traditional attack vectors), but that doesn't help you against the UNKNOWN and is a crappy way to guess the effectiveness against tomorrow's threats. If you see someone touting something as a 99.9% effective catch rate, look at their methodology. In this case, that is one set of tests they run, and IIRC (it's been a while since anyone I know actually took them seriously, and thus been a while since I looked long and hard at them) they have other test suites they CHARGE companies for that are more effective. That free test is more along the lines of free advertising.

3) Take a look at the false positive rates. Notice how the ones who score higher usually have a higher false positive rating than those that do worse. That's because it has to GUESS more often, and if you guess enough times you will get it right more often. MBAM has a very low false positive rate and as such does NOT train its users to "ignore, ignore, ignore".

Nearly every week I clean up someone's system that has a nasty "virus" on it that was in fact malware. ALL these people have an up-to-date AV (the days of most people not having any protection are mainly long past), and yet it didn't catch it or failed to completely remove it. Don't get me wrong, some crap is too entrenched to dig out via Malwarebytes, but it sure as hell makes my life easier having it than relying solely on an AV program. What makes my life even easier is the MBAM full version. It is the VERY rare scumware that gets past Malwarebytes' active (full version) protection, and it rarely bugs people about things that are NOT bad.

Yes, AV companies are hustling to cover off "malware" and "spyware" and "rogueware", but they are not there yet. The reason they are hustling is that it is now the number one attack vector, and rarely is it the plain old virus that causes sysadmins hassles; it is almost always malware. You pick the best tool for the job: if it's a virus in the classical sense you use an AV; if it is best described as malware/spyware/rogueware you use SAS or MBAM. You don't rely on one to cover the other's area of expertise. As I said, I highly recommend a dedicated AV and a dedicated AM/AS program. They don't really overlap all that much, and MBAM actually recommends using it in combination with an AV, as it won't mess with the AV program yet gives better overall protection than "either or" scenarios.

You obviously feel differently, and to be honest I hope you never learn otherwise. It sucks having an AV fail to protect you and having to nuke and pave even though you thought you were "protected".
__________________
"If you ever start taking things too seriously, just remember that we are talking monkeys on an organic spaceship flying through the universe." -JR

"If your opponent has a conscience, then follow Gandhi. But if your enemy has no conscience, like Hitler, then follow Bonhoeffer." - Dr. MLK Jr.
#12  Slik (Hall Of Fame, Sault Ste Marie On.), October 29, 2010, 05:25 PM

Quote:
Originally Posted by AkG
TBH, yes, you can run multiple AVs, but most users do not need to do it.
You are much better off running ONE AV (NOD32, Kaspersky, MSE, Avira, etc.) and ONE AM/AS program such as Malwarebytes (paid FULL version) than 2 AVs and no anti-malware/anti-spyware programs. :)

I personally use Avira + Malwarebytes on some systems. On others I use NOD32 + Malwarebytes, and on one system I run a copy of Windows INSIDE a sandbox (VMware) for when I'm doing "interesting" things. ;)
OK, I'm going to go with AntiVir and Super AntiSpyware for protection. I still have AVG 2011 Free installed, but I have it disabled through msconfig (Startup and Services). That way, I can enable AVG if I feel it may find a stubborn bug that AntiVir could not. Does that setup sound about right? Thank you for all and any recommendations.
__________________
Corsair Air 540 -i7 4930k @ 4.4ghz. Liquid cooled-4x4gb G Skill Trident X DDR3@ 2400mhz- Two EVGA Titans SLI - Xonar Phoebus Sound Card-Dell 3008 30" Monitor-Razer Tiamat Headphones-Butt Kicker Gamer-TrackIR 5
#13  Top Prospect, Vancouver, October 29, 2010, 06:48 PM

Quote:
Originally Posted by AkG
1) Saying malware == trojans is a fallacious argument at best. Sure, you can say trojans are malware, but you can't say all malware == trojans.
"Virus" and "malware" are used as catch-all terms to describe all types of malicious software. Most (>80% the last time I checked) of the new malware/viruses we see today are classified as trojans. However, malware/virus classification is a mess; something classified as a trojan by one vendor may be classified as something else by another. From the malware type section:

Current Status of the CARO Malware Naming Scheme.

"trojan. A "trojan" is malware that does not even try to replicate itself but which performs some intentionally destructive action, without correctly warning the user. Again, "intentionally", "destructive", "correctly" and "warns" are highly subjective terms. Consider, for instance, a disk formatting program that warns the user in Swahili that it is going to destroy the contents of the hard disk and which assumes that the default answer is "yes". Is such a program a Trojan or not? So, no formal definition of this malware type is possible."

Quote:
2) At an even more basic level, saying that ANY A/V program that mainly relies on a database of known bad fingerprints is going to be 99+% effective is laughable.
I don't think I've ever said any AV program is 99+% effective; to the contrary, in my message I actually said that "signature based detection rate for brand new variants is pretty bad across the board for all antivirus/antimalware".

I only pointed to the AV-Comparatives test result to show that AVs do detect all types of malware and that they do not only detect "viruses" -- as in the strict definition of a file infector / self-replicating virus.

AV-Comparatives does a proactive/retroactive test using viruses/malware that appear after the AVs' signature definitions have been frozen; detection rates for the better AVs fall in the 50-60% range.

http://www.av-comparatives.org/image...c_report26.pdf

It should be noted that the better AVs do not rely on signature based detection alone, but I should also stress that none of them, even with multiple engines (e.g., F-Secure and G-Data) and layered defense, are perfect.

Quote:
In this case, that is one set of tests they run, and IIRC (it's been a while since anyone I know actually took them seriously, and thus been a while since I looked long and hard at them) they have other test suites they CHARGE companies for that are more effective. That free test is more along the lines of free advertising.
The 3 major AV testers -- Virus Bulletin, Andreas Clementi (AV-Comparatives) and Andreas Marx (AV-Test) -- all charge vendors for testing, and all reputable tests follow procedures recommended by AMTSO:

AMTSO - Anti Malware Testing Standards Organization

Still, the tests should be taken with a pinch of salt, since there is no effective way to dynamically test AVs in real time; they are only data points, useful as long as we understand the tests' limitations.

Quote:
3) Take a look at the false positive rates. Notice how the ones who score higher usually have a higher false positive rating than those that do worse. That's because it has to GUESS more often, and if you guess enough times you will get it right more often. MBAM has a very low false positive rate and as such does NOT train its users to "ignore, ignore, ignore".
Most false positives are generated by heuristic scanning. MBAM added a new heuristic engine to its scanner only a couple of months ago; it's too soon to draw conclusions on its performance.

Malwarebytes Activates Shuriken Heuristics Module - Malwarebytes Forum

Quote:
Nearly every week I clean up someone's system that has a nasty "virus" on it that was in fact malware. ALL these people have an up-to-date AV (the days of most people not having any protection are mainly long past), and yet it didn't catch it or failed to completely remove it.
One of the reasons systems with up-to-date AV get infected is that the attack vector was not monitored.

For example, to block a web-borne attack that exploits a Flash vulnerability, the AV scanner will have to be able to scan HTTP traffic "off the wire" before it gets to the browser. If an AV only scans HDD I/O, it will not detect such attacks.

Once web-borne malicious code has been executed in memory, AVs have a second chance of detecting it if they have good self-protection (e.g., it should not be possible to force a shutdown of the service) and catch subsequent disk I/O (but still, it's trivial to lock a file and prevent the AV from scanning it during disk writes), or with behaviour blocking and other HID modules.

So while I love MBAM as a cleaner and I think it should be in every IT professional's toolbox, I'm very hesitant to recommend it as a major component in protecting the system because AFAIK it does not scan HTTP/net traffic in real time, has fairly weak self-protection and an unproven heuristic engine.

Quote:
You obviously feel differently, and to be honest I hope you never learn otherwise. It sucks having an AV fail to protect you and having to nuke and pave even though you thought you were "protected".
I don't think I'm very different from you on the (in)effectiveness of AVs; for years I've operated on the assumption that they will fail. However, I simply don't see MBAM as any different from other signature-based scanners and, IMHO, there are better ways to defend in depth than to run MBAM on top of a good AV. My approach is to use one multi-layered AV program on systems, add sandboxes and access control to reduce users' privileges, keep systems up to date, closely monitor security news and, on larger networks, install a NIDS, e.g., Snort, and train the users properly.
__________________
iK ©
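The signature-versus-variant argument running through posts #11 and #13 above, as an added illustration that is not code from the thread or from any of the products mentioned. It uses constructed byte strings standing in for executables (nothing here is real malware; the "AcmeDropper" name, the import-name weights and the thresholds are made up for the example) and runs three toy detectors over them: an exact-hash fingerprint database, a YARA-style byte-pattern signature, and a heuristic score with an adjustable threshold. A one-byte change to the sample defeats the hash, a renamed sample defeats the pattern, a trivially "packed" (XOR-encoded) copy defeats all three on disk, and lowering the heuristic threshold catches one more variant only at the cost of flagging a benign installer, which is the detection-rate versus false-positive trade-off from point 3 of post #11.

```python
"""Toy file scanners: exact hash, byte-pattern signature, and a heuristic score.

Added example, not code from the thread or from any AV product. All "files" are
constructed byte strings; nothing here is real malware.
"""
import hashlib
import re
from typing import Callable, Dict, List, Tuple

# --- constructed sample corpus (hypothetical names and contents) ---------------
KNOWN_BAD = (b"MZ\x90\x00AcmeDropper v1\x00"
             b"CreateRemoteThread WriteProcessMemory URLDownloadToFile")
VARIANT = KNOWN_BAD.replace(b"v1", b"v2")            # one byte changed: new hash
VARIANT_LITE = b"MZ\x90\x00AcmeDr0pper\x00URLDownloadToFile"  # renamed, fewer imports
PACKED = bytes(b ^ 0x5A for b in KNOWN_BAD)          # XOR "packed": no plaintext on disk
BENIGN_INSTALLER = b"MZ\x90\x00Setup Wizard\x00URLDownloadToFile WriteFile"
BENIGN_EDITOR = b"MZ\x90\x00Text editor\x00CreateFile WriteFile ReadFile"

# (label, bytes, is_malicious)
SAMPLES: List[Tuple[str, bytes, bool]] = [
    ("known_bad", KNOWN_BAD, True),
    ("variant", VARIANT, True),
    ("variant_lite", VARIANT_LITE, True),
    ("packed", PACKED, True),
    ("installer", BENIGN_INSTALLER, False),
    ("editor", BENIGN_EDITOR, False),
]

Detector = Callable[[bytes], bool]

# --- detector 1: database of known-bad fingerprints ---------------------------
HASH_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def hash_detect(data: bytes) -> bool:
    """Exact match only: any byte change in the sample yields a different digest."""
    return hashlib.sha256(data).hexdigest() in HASH_DB

# --- detector 2: byte-pattern signature (YARA-style string rule) ---------------
PATTERN_DB = [re.compile(rb"AcmeDropper v\d")]

def pattern_detect(data: bytes) -> bool:
    """Survives trivial edits, but not a rename or any encoding of the file body."""
    return any(p.search(data) for p in PATTERN_DB)

# --- detector 3: heuristic score over suspicious import names ------------------
SUSPICIOUS_IMPORTS = {
    b"CreateRemoteThread": 3,   # process injection
    b"WriteProcessMemory": 3,   # process injection
    b"URLDownloadToFile": 2,    # downloader; also used by legitimate installers
}

def heuristic_score(data: bytes) -> int:
    """Sum of weights for every suspicious import name present in plaintext."""
    return sum(w for name, w in SUSPICIOUS_IMPORTS.items() if name in data)

def make_heuristic(threshold: int) -> Detector:
    """Lower threshold = guess 'bad' more often = more detections and more false positives."""
    return lambda data: heuristic_score(data) >= threshold

# --- evaluation -----------------------------------------------------------------
def evaluate(detector: Detector) -> Tuple[float, float]:
    """Return (detection rate over malicious samples, false-positive rate over benign samples)."""
    bad = [d for _, d, is_bad in SAMPLES if is_bad]
    good = [d for _, d, is_bad in SAMPLES if not is_bad]
    tp = sum(1 for d in bad if detector(d))
    fp = sum(1 for d in good if detector(d))
    return tp / len(bad), fp / len(good)

def report() -> Dict[str, Tuple[float, float]]:
    """Detector name -> (detection rate, false-positive rate)."""
    return {
        "hash": evaluate(hash_detect),
        "pattern": evaluate(pattern_detect),
        "heuristic>=5": evaluate(make_heuristic(5)),
        "heuristic>=2": evaluate(make_heuristic(2)),
    }

if __name__ == "__main__":
    for name, (det, fpr) in report().items():
        print(f"{name:<13} detection={det:.0%}  false positives={fpr:.0%}")
```

Nothing in the corpus defeats the XOR-packed copy while it sits on disk; it only becomes visible once it unpacks itself in memory, which is the point in post #13 about needing behaviour monitoring or off-the-wire scanning rather than disk I/O alone.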
#14  sswilson (Moderator, Moncton NB), October 29, 2010, 06:53 PM

Quote:
Originally Posted by Slik
OK, I'm going to go with AntiVir and Super AntiSpyware for protection. I still have AVG 2011 Free installed, but I have it disabled through msconfig (Startup and Services). That way, I can enable AVG if I feel it may find a stubborn bug that AntiVir could not. Does that setup sound about right? Thank you for all and any recommendations.
Might be too late, as you're offline and probably working on it right now (or trying to get back online after it fubarred your connection), but you really don't want to install any active AV onto your system until you've completely removed the old AV. Too many chances that there's going to be a conflict based on things like registry entries.
__________________
MSI Z87I Gaming AC / i5 4670K / 2X 4G Gskill 1866 DDR3 / XFX XTR 750 / EVGA GTX 680 SC+ 2GB / Intel DC S3700 200G / random 160G Sata HDD
Inwin 904 / Swiftech MCP655-b / Alphacool NexXxos XT45 120 Rad / 2X Scythe GT AP-15 / EK Supreme HF / Dell UltraSharp U2412M

Asrock AM1H-ITX / AM1 Athlon 5350 / 2X4G Gskill PC3-14900 / Intel 6235 Wi-Fi / 90W Targus Power Brick / 320G Seagate Momentus / Mini-Box M350 / 1X 22" Dell IPS / 1X 22" HP
#15  Slik, October 29, 2010, 07:05 PM

Quote:
Originally Posted by sswilson
Might be too late, as you're offline and probably working on it right now (or trying to get back online after it fubarred your connection), but you really don't want to install any active AV onto your system until you've completely removed the old AV. Too many chances that there's going to be a conflict based on things like registry entries.
You are correct. I was offline for a bit screwing around, etc. I have no obvious issues going back online, etc. right now. Should I anticipate problems if I don't start over again? I mean the uninstall of the AV, etc., then reinstall the one I intend to use. If I must, I will. Thanks for the advice.
#16  sswilson, October 29, 2010, 07:15 PM

I always strongly recommend it.

Having spent 11 months doing telephone support for an ISP who offered their own "free" AV, I can't tell you how many times I had folks who couldn't get online because they had either too many AVs running, had installed a new AV over a corrupted version of a different AV, or who ended up having some form of conflict.

Here's the link to AVG's stand-alone removal tools.

AVG - Download tools

If it's ever had any version of Norton installed on it, have a look for the Norton removal tool on the Symantec website. (My old link doesn't appear to work.)

edit: Commonly used Symantec tools | Norton Support

Unfortunately that doesn't appear to have win7 or Vista files on it so you'd have to do a search.

Last edited by sswilson; October 29, 2010 at 07:23 PM.
#17  sswilson, October 29, 2010, 07:26 PM

Double post so that you can see this link.... ;)

Looks like this is the norton tool here.... (don't bother with saving your activation/account code if it's an expired product)

Download and run the Norton Removal Tool to remove your Norton 2006 product or later version | Norton Support
#18  Perineum (Hall Of Fame, Surrey, B.C.), October 29, 2010, 10:14 PM

Quote:
Originally Posted by Slik View Post
Thanks for the quick response. I thought Win. 7 would be ok with it. I wanted more than one, thinking that if A missed a bug,then B or C would catch it. Am I wasting time? Thanks again.
You should be running 2

1. You, with your unending skepticism and vigilance, and

2. Another AV of your choice.

The most foolproof AV should be #1.
#19  Lpfan4ever (Hall Of Fame, Calgary), October 30, 2010, 12:24 AM

Quote:
Originally Posted by Perineum View Post
You should be running 2

1. You, with your unending skepticism and vigilance, and

2. Another AV of your choice.

The most foolproof AV should be #1.
This, this, and...this.

Have never had to do anything virus-removal related to this computer besides be picky about where I go and what I download.
__________________
Quote:
Originally Posted by encorp
I don't know, maybe if you get a big enough compacticator you can put it in your butt and name yourself "sexbuttplug"...
Code:
<martin_metal_88> I think I am gonna sell my server
...
<firebane> i will offer pereniums mom
<firebane> slightly used
<Keltron> slightly is an understatement
<LPfan4ever> Who're you kidding...slightly?
<martin_metal_88> peri's mom, slightly used? lol...

#20  AkG (Hardware Canucks Reviewer), October 30, 2010, 05:34 AM

Quote:
Originally Posted by DCCV44.2223
Too long; not going to thread-crap by reposting it all. -A
Actually, yes, you did say that AVs were 99 percent effective, by posting a PDF with "proof" that said that and then using it as "proof" that an AV by itself is more than good enough, and THEN stating that ALL malware is trojans, so therefore the test results in the PDF mean that a good AM/AS is not needed. When called on this you then back down, saying that it is more like 80%... which just happens to be the number I used on how effective AVs are against "malware". What a coincidence! While still missing my point entirely. So here it is again in a different way:
Would you really rely solely on something that is only 80% effective against the number one attack vector (aka "malware"), or would you use two programs? One for the less likely crap, with some limited abilities in other areas (aka an AV program), and one dedicated to the actual most likely threat? ONE-size-fits-all approaches are not the best choice, nor do they offer the best protection.

You don't use one tool for all tasks. Saying that all you need is a hammer when a screwdriver is needed is as foolish as saying that one "all in (w)onder" will protect you against all threats. AVs with limited AM/AS protection should be considered a nice bonus, but not anything more than that until they have proven for a couple of years to actually WORK as well as a dedicated AM/AS. MBAM costs about twenty bucks for a lifetime sub. Spend twenty bucks for it and stick a good free AV like Avira on there, and the OP would be much better protected against most threats than by going solely with a paid AV subscription.

Saying that we won't know whether MBAM's latest heuristic approach will generate many false positives or not, as it's only been around a couple of months, is as laughable as saying its engine is weak. But at this point I'm not even going to argue that with you, as that is about as fallacious as you can get (and that IS saying something, as you have already proven your willingness to say "oh, I didn't mean ABC when I said that, I really meant DEF" and, when called on that, turning around and saying "oh, I didn't really mean DEF, I meant GHI"... ad nauseam). However, I AM going to call BS on your next statement. "Drive-by" attacks indeed do happen, but the instant the crap actually TRIES to do something, the active MBAM stops it if it is known to it (OR if the website is a known bad, as the paid version has a website blocking feature that is updated regularly and is one of the better blacklists going), and if not, Avira/NOD32/etc. stops it (and vice versa). That is why I recommend it in CONJUNCTION with a good AV program. Once again, the idea is to overlap the security while keeping system overhead LOW (MBAM on the laptop I'm typing this up on is using 1.3MB of mem... which is NOTHING). Nothing will stop everything, so why demand that ONE do just that?

It is good to see that you too are a pessimist by nature. However, I differ from you in that I am NOT a fatalist. Assuming that brand A program (no matter what brand it is) fails doesn't mean you throw your hands up in the air and go "Insha'Allah" or "what will be will be". Maybe it is because I was trained that failure was NOT an option that I am more active in making sure that it does not. Don't get me wrong, I'm not saying MBAM + Avira (for example) is the be-all and end-all. It's not. But it is the foundation for a good overall safe operating procedure that will keep most peeps safe most of the time. It's actually what I started doing for my customers. I'd rather spend the couple of bucks and have MBAM and Avira set up on the systems I do for them, and have them running properly so that THEIR experience is as hassle- and pain-free as possible, than spend an hour or more fixing the inevitable mess. It HAS cut down my wasted time significantly and made them happier customers. At the end of the day, customers don't CARE that it was their unsafe surfing habits that caused their system to get slow... they just care that their new system is SLOW and therefore is crap, which makes them UNhappy customers and less likely to be REPEAT customers.

Last edited by AkG; October 30, 2010 at 10:02 AM. Reason: had Kb instead of Mb