
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Sat, 22 Mar 2008 00:00:00 00, 680
Antivirus checking and *aggressive* positives

Antivirus programs vary in effectiveness, and "how good is my AV protection" has less to do with whether you are using free or commercial ware and more with how frequently you update virus signatures and how aggressively you set the virus inspection. Certain antivirus programs offer an advanced feature that allows you to specify the level of detection, and at higher levels you should expect some false positives, i.e., some files that are not viruses may appear enough like a virus to be flagged as one, even if the file is perfectly benign.

Let's consider an example. I set my AntiVir scanner to high detection level. During the next daily full scan, four files were reported as viruses: Serv-U.Gen, zpf.exe, RockXP.exe and Pwdump2.exe. Serv-U is an FTP server. ZPF.exe is a zip password finder. The others are password recovery utilities I've tested and written about in past blogs. If you search to learn more about the password recovery files, you'll learn that antivirus vendors do not uniformly treat these files as badware/malware. You'll also read reviews at download portals like Download3K that say, "Download3K.com has downloaded and tested RockXP on 2 Apr 2007 with 4 of the best antivirus engines available today. We have found it to be clean of any form of badware" and "Some antispyware, antivirus or antitrojan programs can detect RockXP as being infected or possibly infected with a form of badware (virus, spyware), although the application runs perfectly safe and does not pose a threat to your system. This type of reading is called a 'false positive' and it occurs when antivirus software wrongly classifies an inoffensive (safe) file as a virus. The incorrect report may be caused by heuristics or by an incorrect virus signature in a database."

I find the phrase "inoffensive (safe) file" unsatisfying and inaccurate. Download3K.com and others use this phrase to indicate that nothing malicious is hidden in the file. Inoffensive is not necessarily safe. Perhaps it's an *unauthorized* download. Perhaps it's a program the owner evaluated long ago and forgot to remove. Isn't a password recovery or file transfer program useful to someone who's owned a PC? Isn't it possible that it's present on my hard drive because someone other than the rightful owner/operator put it there?

Rather than calling these false positives, let's call them aggressive positives. An aggressive positive is a scan result that causes you to pause, reflect, and do some research. OK, the file is benign: do I need this file on my system any longer? Does keeping it put my PC, the data that reside on it, and other systems on my network at risk?

Unsophisticated users may gain the most benefit from aggressive positives. What do they know about files? They expect one thing from AV programs, "to keep nasty stuff off my PC". Yeah, aggressive positives, I like that...
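Here is what the "pause, reflect, and do some research" step can look like when written down. This is an added example, not code from the post or from any AV product: it assumes you keep an inventory of the dual-use tools you knowingly installed (the path, a SHA-256 recorded at install time, and when you last used it) and a 180-day "still needed?" rule. Anything the scanner flags that isn't in the inventory, no longer matches its recorded hash, or hasn't been touched in months gets a verdict other than "approved" and a question to answer. The file names, file contents, hashes and dates below are constructed.

```python
"""Turn AV 'aggressive positives' into review decisions: is the flagged file
one I installed, unchanged since then, and still needed?
Added example; the inventory layout and the 180-day rule are assumptions."""
import hashlib
from datetime import date, timedelta

STALE_AFTER = timedelta(days=180)  # assumed retention rule for dual-use tools


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(detections, inventory, contents, today):
    """
    detections: list of (path, label) taken from the scan report
    inventory:  path -> {"sha256": digest recorded at install, "last_used": date}
    contents:   path -> current file bytes (read from disk in real use; constructed here)
    Returns path -> verdict string. Only an 'approved' verdict needs no action.
    """
    verdicts = {}
    for path, label in detections:
        entry = inventory.get(path)
        if entry is None:
            verdicts[path] = f"unknown ({label}): not in my inventory, find out who put it here"
            continue
        if sha256_hex(contents[path]) != entry["sha256"]:
            verdicts[path] = f"tampered ({label}): hash differs from the copy I installed"
        elif today - entry["last_used"] > STALE_AFTER:
            verdicts[path] = f"stale ({label}): approved but unused since {entry['last_used']}, remove it"
        else:
            verdicts[path] = f"approved ({label}): known dual-use tool, still in use"
    return verdicts


def demo():
    """Constructed scenario modelled on the four detections in the post."""
    today = date(2008, 3, 22)
    # Constructed bytes standing in for the real binaries on disk.
    contents = {
        r"C:\Tools\RockXP.exe": b"rockxp-as-installed",
        r"C:\Tools\zpf.exe": b"zpf-as-installed",
        r"C:\Tools\Pwdump2.exe": b"pwdump2-MODIFIED-after-install",
        r"C:\Temp\Serv-U.exe": b"serv-u-of-unknown-origin",
    }
    # What I recorded when I installed each tool (Serv-U was never recorded).
    inventory = {
        r"C:\Tools\RockXP.exe": {"sha256": sha256_hex(b"rockxp-as-installed"),
                                "last_used": date(2008, 2, 1)},
        r"C:\Tools\zpf.exe": {"sha256": sha256_hex(b"zpf-as-installed"),
                             "last_used": date(2006, 6, 1)},
        r"C:\Tools\Pwdump2.exe": {"sha256": sha256_hex(b"pwdump2-as-installed"),
                                 "last_used": date(2008, 1, 15)},
    }
    # The scanner's verdict label is constructed; only the paths matter here.
    detections = [(path, "high-level heuristic hit") for path in contents]
    return triage(detections, inventory, contents, today)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path}: {verdict}")
```

The point of the hash is that "benign" and "expected" are different questions: a password recovery tool that is still the exact bytes you installed is one thing; the same file name with different contents is a reason to investigate, not to click "ignore".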

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID680 by Dave Piscitello  


Wed, 09 Aug 2006 00:00:00 00, 544
Antivirus for the Mac OS X - ClamXav

If you believe that a virus infecting a Macintosh is about as likely as being struck by lightning, you are living on borrowed time. The infection probability is low today, but Macs now account for between 10-16% of the personal computer market, and it's growing. Eventually, some virus writer will be unable to resist the temptation to earn the notoriety associated with "the first major virus attack on Mac OSX". Moreover, many Intel-based Macs will run Windows XP in a virtual PC or shared partition configuration, so common partitions and network shares can be infected with Windows viruses.

The subject "Antivirus on OS X" generated an interesting thread on the Apple-Focus mail list. Some posters argue the case for "security through obscurity". Others argue that by taking advantage of the security features in OS X, you distance yourself from the "low hanging fruit" and are adequately protected. Still others argue in favor of commercial antivirus software.

Only a few chimed in with a freeware alternative I use called ClamXav. ClamXav is a GUI and configuration extension for the open source antivirus program, ClamAV. ClamAV is a respected antivirus checker. It offers background and on-demand scanning. You can schedule scans as well as virus engine and virus definition updates. ClamXav can be downloaded as a universal binary, separately or bundled with ClamAV. Some articles imply that ClamXav's GUI is more complicated than commercial AV software. I'd argue that ClamXav is *easy* to configure compared to some commercial AV products I've used and long since abandoned. And it's hard to argue "free" versus an initial outlay of $40.00 plus a recurring annual subscription fee for virus definition update services.

I don't subscribe to security through obscurity as the sole line of defense (thanks, Fred) and I'm never satisfied by merely changing my risk so I'm not among the low-hanging fruit. If you run OS X and aren't interested in purchasing a commercial AV software, try ClamXav. I've tested it with EICAR and other virus samples I've collected over time and it works fine for me.

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID544 by Dave Piscitello  


Wed, 05 Oct 2005 00:00:00 00, 463
Ask Dave - Where is intrusion prevention best applied?

Following the second leg of the NWW Security Tour, I have even more questions to answer. Trying to knock off easy and popular ones quickly, I chose,

Where is the best place to put IPS in a network?

Where you place IPS (or IDS) is largely affected by the types of attacks you seek to block and the vectors you believe attackers will use. If you are worried about network level denial of service attacks from origins outside your trusted networks, you might use IPS at an Internet-facing firewall, but if you are worried about DOS attacks emanating from trusted network segments - WLANs, home office broadband and business partner networks connected to your trusted networks using IPsec VPNs - then you might place defenses against DDOS closer to server farm(s), or even on individual servers, in the form of host intrusion detection and protection. The closer you place IDS/IPS to actual assets, the more you are able to defend against both external and "insider" threats.

IPS can also block application level attacks. The same stipulations apply. I wrote about application protection in some detail here.

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID463 by Dave Piscitello  


Sun, 15 May 2005 00:00:00 00, 404
Free for Personal Use Antivirus software

I am giving my son my laptop for personal and school use. Since my Norton Antivirus annual subscription terminates this month, I took the opportunity to try another free for personal use antivirus software, Antivir Personal Edition Classic from H+BEDV.

In past blogs, articles, and at my Antivirus Resources page, I've recommended AVG's Avast! Antivirus personal edition for home users. My wife uses Avast! on her laptop, and it is a reliable, easily configurable product. AntiVir has basically the same features as Avast!: resident Virus Guard, macro protection, boot and master boot protection, scheduled Internet updates, nominal spyware protection, repair/delete/quarantine of detected malware, and (of course, my favorite) multi-levels of event logging.

And who can help but like an antivirus product that calls its full scanner Luke Filewalker?

Effective blocking, timeliness of signature delivery, and program updates will of course be the ultimate metrics on which to judge AntiVir, but at first blush, I believe it will do for a personal laptop.

Companies like H+BEDV and AVG do an enormous service to the Internet community at large by offering free personal edition software. While skeptics might claim such products are loss leaders for 2nd tier antivirus companies desperate to increase market share, I'm comfortable believing there's some "nobler purpose" behind this sort of activity.

And I'll look hard at small business licensing from both companies when time comes to renew my annual Norton subscriptions.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID404 by Dave Piscitello  


Sat, 04 Sep 2004 00:00:00 00, 305
Antivirus resource page

The response to my spyware resource page has been remarkable. I've received many inquiries about antivirus resources. This surprised me because there are so many on the 'net already. I've tried to complement what already exists by providing direct links to Virus, trojan and hoax encyclopedia and lists; online virus scanners; virus removal tools, and most importantly, fully-functional and resident antivirus programs that are free for personal use. Visit Antivirus Resources.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID305 by Dave Piscitello  


Wed, 01 Sep 2004 00:00:00 00, 302
What Virus Prevalence Statistics Reveal

Central Command's latest monthly report of the Top 12 computer viruses arrived via email August 2004. First, I decided I'd compare prevalence numbers across AV vendors. Then, I snooped around for what I thought might be a more interesting comparison: how do prevalence statistics compare over time? More...

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID302 by Dave Piscitello  


Tue, 17 Aug 2004 00:00:00 00, 295
Are the virus writers really winning?

Recently, Network World Fusion interviewed the respected antivirus researcher, Mikko Hyppönen. The title of the article and conclusions therein suggest that The Virus Writers Are Winning. I suggest you read Mikko's answers more carefully. When asked, "Who's winning this battle?", he only concedes that virus writers "always have the upper hand because they have access to [security vendors'] products". If the virus writers were winning, we'd be dealing with viruses that couldn't be quarantined or removed at all, leaving you no recourse but to reinstall your OS, and you'd soon be more expert in the process of reinstalling Windows than your neighborhood PC repair folks. More.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID295 by Dave Piscitello  


Fri, 28 May 2004 00:00:00 00, 258
What is a blended threat?

In every Hollywood action movie, the action hero is a formidable adversary: adept in martial arts, an expert with explosives, a brilliant hit-and-run tactician, adept with every weapon imaginable. The action hero is an irresistible force.

Imagine if Chuck, Arnold, Jean-Claude, and the rest were drawn to The Dark Side. Now imagine that they are executable code on your computer. It’s not your imagination; it’s a blended threat. more...

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID258 by Dave Piscitello  


Tue, 04 May 2004 00:00:00 00, 244
Recognizing and responding to spoof email messages

I recently received a suspicious email, purportedly from eBay, requesting that I log into a web page to verify my account information. If you're curious how I and my partner, Lisa Phifer, examine email messages to determine if they are valid or bogus, read my Loop column, Recognizing and responding to spoof email messages.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID244 by Dave Piscitello  


Mon, 19 Apr 2004 00:00:00 00, 231
No clue how to stop viruses?

After reading my colleague, Fred Avolio's blog entry, Is Security a Black Art?, I, too, found myself wondering just what Andrew Briney was thinking when he wrote his recent *logoff* column in Information Security Magazine.

In his column, Andy says, "we still haven't got a clue how to stop viruses, and the state-of-the-art in virus defense remains soft." After the obligatory bash against Microsoft Windows, he goes on to claim we've become accustomed to failure, that the state of AV is crawling along on all fours, and enterprises are "cobbling alternative solutions, such as worm-catching honeypots and reverse (outbound) IDSes" to address the problem.

In singling out viruses, Briney chose one of the few things I think we really seem to know how to do reasonably well, technologically. We *do* have a technology clue about handling viruses; in fact, a very good clue. Sadly, we fumble badly, both operationally and culturally. So let's lay the blame where it belongs.

I haven't had a virus infect my work computers for nearly 4 years, despite receiving, on average, 25-30 infected emails per day (up from about a dozen per day at this time last year). I don't use a worm-catching honeypot or a reverse (outbound) IDS. I have, as Andy describes, "double clicking dopes" as users, although my family would not be pleased to be so characterized. So why am I successful where {some | many | most } F1000 companies are not?

  1. I use the antivirus gateway my service provider offers. All mail delivered to my network passes through the gateway. In two years, only 4 viruses have actually been delivered to the clients here. Two were detected by desktop AV, I detected one, and my wife, who is decidedly non-technical, suspected one and asked me to investigate.

  2. I keep our desktop AVs up to date.

  3. I block most potentially harmful attachments by MIME-type at my firewall and at the desktop.

  4. I and my end users are informed and aware of virus threats. We don't fall prey to social engineering. If my wife and children don't know the sender, they understand that they should not open the message or the attachment. They call the help desk, and I investigate.
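Step 3 is the one that reduces to code. The following is an added example, not the author's filter or any product's: a small mail-side check using Python's standard email library that walks a message's MIME parts and refuses delivery when an attachment's declared content type or file extension is on an assumed denylist, or when the payload begins with the MZ header of a Windows executable regardless of what the headers claim (a worm that names its payload photo.jpg and labels it application/octet-stream still carries that header). The sample message, the addresses in it and the denylists are constructed.

```python
"""Block potentially harmful attachments by MIME type and file name before
delivery. Added example; denylists are assumptions, sample message is constructed."""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed local policy: executable content types and extensions are never delivered.
BLOCKED_MIME_TYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/x-ms-shortcut", "application/hta", "application/x-bat",
}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def inspect_attachments(raw: bytes):
    """Return {filename: [reasons]} for every part violating policy; empty dict means deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()          # already lower-cased by the library
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # splitext on the whole name catches double extensions such as photos.zip.exe
        ext = os.path.splitext(filename.strip())[1].lower()
        reasons = []
        if ctype in BLOCKED_MIME_TYPES:
            reasons.append(f"blocked MIME type {ctype}")
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        # Declared type and name are chosen by the sender; the bytes are not.
        if payload[:2] == b"MZ":
            reasons.append("payload starts with MZ header of a Windows executable")
        if reasons:
            findings[filename or f"<unnamed {ctype}>"] = reasons
    return findings


def should_deliver(raw: bytes) -> bool:
    return not inspect_attachments(raw)


def constructed_message() -> bytes:
    """Constructed sample: one benign attachment and two that violate policy."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "dave@example.net"
    msg["Subject"] = "photos from the trip"
    msg.set_content("Have a look at the attachments.")
    msg.add_attachment("just some notes", filename="notes.txt")
    # An executable disguised with an image name and a generic content type.
    msg.add_attachment(b"MZ\x90\x00constructed-not-a-real-binary",
                       maintype="application", subtype="octet-stream", filename="photo.jpg")
    # A plain executable hiding behind a double extension.
    msg.add_attachment(b"MZ\x90\x00constructed-not-a-real-binary",
                       maintype="application", subtype="x-msdownload", filename="photos.zip.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = constructed_message()
    for name, reasons in inspect_attachments(raw).items():
        print(f"{name}: " + "; ".join(reasons))
    print("deliver:", should_deliver(raw))
```

Blocking on the declared MIME type alone is the weak form of this control, because the sender writes those headers. The header-plus-name-plus-magic-bytes combination is what makes the check worth running at both the firewall and the desktop, as step 3 says.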

I know first hand that some enterprises are as cautious, if not more so, than I. They know that if you take appropriate measures, viruses don't have to be a serious problem. Viruses are something we can manage better; moreover, managing the virus threat has a demonstrated ROI. Like many security problems, the solution can be wrung out of technology at hand, education and awareness, well-documented processes, and compliance.

Andy passes a blanket condemnation when he should be paraphrasing the adage, "physician, cure thyself".

If you want Fred's perspective, read his blog.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID231 by Dave Piscitello  


Tue, 02 Mar 2004 00:00:00 00, 212
Virus Alerts - 1st and 2nd order propagation

The W32 NETSKY.B worm is all over the news. It's rated a high threat because of its propagation characteristics and IMO small potential for destructive behavior. Some experts suspect NETSKY may be a retaliation worm because it attempts to remove AUTORUN registry entries of several worms already unleashed. Trend Micro has one of the more comprehensive overviews and technical descriptions of the worm.

Many of you will receive dozens if not hundreds of well-intentioned notifications warning you that NETSKY is now "in the wild". (This is the term A/V experts apply to a worm that has been unleashed to wreak havoc on us all, to the apparent delight of its creator.)

Email notifications have become a second-order propagation effect of worms. Your desktop antivirus vendor sends them. The antivirus gateway my ISP runs for its customers sends me an email for every infected message it detects. I've received 132 notices from this A/V gateway since February 29th. The morning's just begun here on the U.S. East Coast. By midday, I'll receive an equal or larger number of email messages from antivirus gateways all over the world, claiming I've sent an infected file to the organization the gateway protects.

My machine is clean of this and other viruses, so I haven't really sent infected messages anywhere, but since we refuse to implement non-repudiation of origin in our email systems, I can't prove this.

I've also received 11 messages from individuals who are horrified to discover their systems have been infected, or their email addresses have been used in the mail originator (From:) field of infected email. They all read like this one:

If you received a message from me with a strange attachment and you don't know what it is, please delete it. It is a virus.

Thanks.

Thanks? Think a minute about the irony of this closing remark. Thank you for accepting my original and possibly infected email message. Thank you for understanding that if you are like me and have failed to properly protect your system against viruses, your system is now infected. Thank you for reading Yet Another Pointless email from me. If you're going to send such messages, at the very least include a hyperlink to a removal tool!

Well-intentioned as this and A/V gateway notification efforts may be, such behavior only serves to prolong the effects of a worm. Call it Chicken-Little Syndrome.

OmiGod a worm is coming a worm is coming a worm is here I had a worm you sent a worm...

Worms succeed in part because otherwise reasonably intelligent people don't think before they open mail messages and attachments.

Demonstrate you've learned a lesson: resist the temptation of trying to correct a problem well out of your hands. If we leave notifications to the antivirus and mail servers, the dust will settle and business will resume normal operation faster. And if A/V administrators will spend some time thinking about the questionable efficacy of sending notifications everywhere in the email universe during a worm event, the dust will settle even faster.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID212 by Dave Piscitello  


Thu, 19 Feb 2004 00:00:00 00, 206
First worm to slip past the gateway

The February 18 w32.Netsky.B@mm worm is the first to slip past my ISP's antivirus gateway in over two years. Recently installed definitions for my desktop AV software caught and quarantined the bugger.

This is a real-world corroboration of what I described as the "value proposition of complementary and concentric defenses" in a 2002 TISC Insight column, Server- versus client-based protection?. AV gateway and desktop AV software are a nice combination.

But don't rely exclusively on these. Remember, virus writers and phishers rely on social engineering, specifically, inducing users to open attachments, click on hyperlinks embedded in email messages, or reply to unsolicited mail. Think before you act!

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID206 by Dave Piscitello  


Tue, 19 Aug 2003 00:00:00 00, 106
Microsoft re-thinking security as a default

Microsoft's finally getting the message?

For years, Windows operating systems overwhelmingly have opted in favor of ease of use and effectively, against security as the default setting for networking services. Security experts criticized Microsoft soundly and often for this lame security posture.

This philosophy extends to Microsoft's Automatic Updates, which are voluntary because the hue and cry from users was that they didn't trust Microsoft to muck with their systems.

Now, with a slew of worms in the span of only weeks, users may finally be coming to the conclusion, "better the near-monopolistic software giant you know than the malware writer you don't know". Yes, Microsoft can write more secure code. But the mistrust is misguided, and users should realize that if they buy into Windows, they ought to buy into the best available process for securing Windows: automatic updates of security patches without user explicit consent.

For a very large population of Windows users, updates, especially security-related ones, are incomprehensible, so they ignore them. These users are virus carriers waiting to be infected, again and again. Microsoft can take two paths: make security updates mandatory, or make the default setting of security updates "implicitly accept and install". I truthfully don't care which, as they accomplish the only interesting goal of reducing the window of infection.

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID106 by Dave Piscitello  


Tue, 01 Jul 2003 00:00:00 00, 77
More... W32/Sobig.e@MM

One of the malicious acts this worm performs is to use email addresses it finds on systems it infects as the originator address of emails it propagates. This has several nasty effects:

  • Social engineering - recipients are more likely to open attachments from people with whom they communicate via email, increasing the infection probability.

  • Damage to credibility - if infected, recipients may blame the originator, who may not even have been infected.

  • Blacklisting, administrative backlash - individuals whose email addresses were used as originator addresses in infected email may have been unfairly blacklisted, called to accountability, or had service terminated, by overanxious ISP, educational network, or corporate admins.

  • Confusion, email churn, frustration - individuals whose email addresses were used as originator addresses in infected email may receive email from antivirus gateways, recipients, etc.

Perhaps the most annoying aspect of this behavior is that, even with AV gateways and desktop AV, and despite meeting best industry antivirus practices, you (and I) will be victims. The worm takes control away from us. If your email address is in anyone else's address book - and the worm looks in lots of file types for email addresses - you can be a victim.

I've got to agree with Marcus... "cane the SOB".

Archived at http://www.securityskeptic.com/arc20030701.htm#BlogID77 by Dave Piscitello  


Fri, 27 Jun 2003 00:00:00 00, 76
W32/Sobig.e@MM

While not a particularly malicious worm, W32/Sobig.e@MM spread pretty fast. What's remarkable to me is just how many copies I've received - over fifty! - and they are likely to still come until the virus deactivates on July 14, 2003.

Symantec has a virus removal tool, and a so-so description. I'd really like AV companies to explain more about whether the virus is perceived as a proof-of-concept, etc. At least Symantec doesn't throw FUD like many other AV response centers (I hate the blanket "Horrors! A virus! It will damage your computer!" missives so many .edu centers post).

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID76 by Dave Piscitello  


Thu, 12 Jun 2003 00:00:00 00, 67
Worm propagation and Routing Instability

James Cowie and Andy Ogielski of Renesys Corporation published a paper entitled "Global Routing Instabilities during Code Red II and Nimda Worm Propagation" in September 2001 that described how two major worm incidents - Code Red II and Nimda - adversely affected the global routing infrastructure (both more so than the September 11 attacks). The authors speculate that, as the worms propagated, scans on web servers induced congestion, affected flow diversity, and also caused certain internet access routers to shut down. Organizations began disconnecting networks.

Such events are supposed to stimulate routing protocol updates to adapt topology and traffic flows, but they occurred too quickly for the Border Gateway Protocol to respond appropriately. Cowie and Ogielski offer fascinating histograms of BGP activity to corroborate their claim.

Tim Griffin's paper, "BGP Impact of SQL Worm, 1/25/2003" illustrates how BGP histograms from the more recent SQL Slammer worm incident provide additional evidence that worms adversely affect Internet routing. Slammer, however, was frighteningly faster than its predecessors, and offers grounds for speculating how "flash worms" might be used to disrupt the Internet in even grander proportions.

Ido Dubrowsky does a nice job considering both papers in his June 11 article, "Effects of Worms on Internet Routing Stability", where he draws the sobering conclusion that we need to "build even greater resiliency into the Internet infrastructure to prevent such events from recurring with even more impact."

Find Cowie and Ogielski's paper here; Tim Griffin's paper here; and Ido's paper at Securityfocus.com.
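The BGP histograms in both papers come from counting UPDATE messages per time bin and comparing against a quiet baseline. As an added example, not taken from either paper, here is that computation on a constructed update log (one line per update: timestamp, A for announce or W for withdraw, prefix): bin per minute, take the median of the first ten bins as the baseline, and flag any bin whose count exceeds five times that median. The rising share of withdrawals in the flagged bins is what "organizations began disconnecting networks" looks like in the data. The timestamps and prefixes are constructed and the 5x factor is an assumption.

```python
"""Per-minute histogram of BGP UPDATE messages with a baseline surge detector.
Added example on constructed data; not code from Cowie/Ogielski or Griffin."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BIN = timedelta(minutes=1)


def constructed_log():
    """Constructed sample: ten quiet minutes, a three-minute surge, then calm.
    Line format: '<ISO timestamp> <A|W> <prefix>' (A = announce, W = withdraw)."""
    t0 = datetime(2003, 1, 25, 5, 0)  # the date only echoes the Griffin paper title
    per_minute = [3] * 10 + [40, 55, 60] + [6, 4]
    lines = []
    for minute, count in enumerate(per_minute):
        for i in range(count):
            ts = t0 + minute * BIN + timedelta(seconds=i)
            # During the surge half the updates are withdrawals (networks dropping off).
            kind = "W" if minute >= 10 and i % 2 == 0 else "A"
            lines.append(f"{ts.isoformat()} {kind} 10.{minute}.{i}.0/24")  # constructed prefixes
    return lines


def parse(line):
    ts, kind, prefix = line.split()
    return datetime.fromisoformat(ts), kind, prefix


def histogram(lines):
    """Sorted list of (bin_start, {'A': announcements, 'W': withdrawals})."""
    bins = defaultdict(lambda: {"A": 0, "W": 0})
    for line in lines:
        ts, kind, _ = parse(line)
        bins[ts.replace(second=0, microsecond=0)][kind] += 1
    return sorted(bins.items(), key=lambda kv: kv[0])


def flag_surges(hist, baseline_bins=10, factor=5):
    """Bins whose total exceeds factor * (median total of the first baseline_bins bins).
    Each result is (bin_start, announcements, withdrawals, withdrawal_share)."""
    totals = [c["A"] + c["W"] for _, c in hist]
    threshold = max(1.0, factor * median(totals[:baseline_bins]))
    return [(start, c["A"], c["W"], c["W"] / (c["A"] + c["W"]))
            for (start, c), total in zip(hist, totals) if total > threshold]


if __name__ == "__main__":
    for start, a, w, share in flag_surges(histogram(constructed_log())):
        print(f"{start:%H:%M}  announce={a:3d}  withdraw={w:3d}  withdraw share={share:.0%}")
```

On real collector data the quiet baseline should be taken from a window well before the event rather than the first ten bins of whatever file you have, and the bin width should match the convergence behaviour you care about; both papers' histograms use coarser bins than a minute when looking at multi-hour instability.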

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID67 by Dave Piscitello  


Anecdotal Evidence that AV Gateways Help

Minor data point for people who ask "does an Anti-Virus Gateway really help?"

Over the past 11 days, the AntiVirus gateway operated by my ISP detected and quarantined 53 infected email messages and attachments. Only one infected email reached my workstation. Fortunately, eyeballing the message from the suspicious sender, support@microsoft.com, convinced me to discard rather than open it. I learned of the worm this email was propagating about 20 minutes later, and downloaded appropriate virus definitions shortly thereafter.

I spot-check the efficacy of the AV and Anti-SPAM gateways provided by Hargray, and I can't help but conclude this is an increasingly necessary layer of defense, and a "must-have" service when you are selecting a provider for home office and small business Internet service.

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID66 by Dave Piscitello  


Mon, 05 May 2003 00:00:00 00, 32
Viruses and Worms - Malicious Code Is Proliferating, But Countermeasures Are Improving

Postini, an Anti-SPAM and AntiVirus gateway service, is bundled with my EtherLoop/Internet service from Hargray Communications and Interstar.

I'm overwhelmingly pleased with this feature, and encourage organizations to consider malcode gateways if they haven't done so.

How effective is an AntiVirus Gateway? As a measure of effectiveness, I occasionally check the list of messages quarantined by the Postini Service. From 4/25 to 5/5, Postini blocked 45 infected mail messages, and no infected mail was delivered to my desktop.

How effective is the Anti-SPAM service? Over the same measurement period - eleven days - Postini blocked 1874 messages. Of those blocked, only 10 were messages I would have wanted delivered. Eight of these were maillist postings containing profanity, and two were "jokes" forwarded by a friend who has too much time on his hands.

On the average, about 5-7 SPAM messages still worm (sorry!) their way to my mail client. This is, I think, a remarkably good percentage.

I've forwarded all my mail accounts through the service, and am really pleased with the result. I would never recommend eliminating desktop antivirus measures, but the one-two combination of desktop and gateway is hard to argue against.

For amusement's sake, here's my Top 10 Most Curious SPAM Subject Lines:

  • David, Seek of Spam?
  • Are you afraid of your mailbox?
  • Loose Fat While Sleeping
  • FW: This is good ox
  • Make your toilet paper talk
  • age backwards
  • Sweeper off her feet for Mothers day
  • This software knows where you live...
  • WARNING: Picasso, Van Gogh, Gauguin have been stolen in UK
    (by all appearances, this is really a notification)
  • *****SPAM***** SmartMini Cams...While Supplies Last!!
    (honest, the subject really begins with ****SPAM******)

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID32 by Dave Piscitello