We regularly deal with AV that: breaks ASLR/NX, leaks highly privileged interfaces into sandboxed processes, regresses TLS connections to the point of uselessness, makes outbound connections impossible, prevents renderer process launches entirely, and causes all manner of chaos.
Replying to @justinschuh @taviso
Hey, I know. I'm not saying this part isn't true. It frustrates me too. :-( And I really want to build bridges between the AV vendor community and people like you guys. And I'd be happy to hear of suggestions on how to do that.
1 reply 0 retweets 2 likes -
Replying to @martijn_grooten @taviso
Here's my model for a healthy AV: The AV provides a scanning engine that runs in a tightly sandboxed, isolated container. The OS initiates the scans of data from any entrypoint sources. That leaves the OS responsible for system integrity, and the AV identifies malicious data.
2 replies 6 retweets 26 likes -
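The broker/scanner split described in the tweet above, as an added illustration that is not part of the thread and not any vendor's code: the privileged side (standing in for the OS) is the only party that holds a file handle and decides what to do with the verdict, while the scanner runs in a child process that, after loading what it needs, drops its ability to open any further files and only ever sees raw bytes on stdin. The signature list and marker string are constructed for the example; the process-level restriction (RLIMIT_NOFILE) is assumed to be running on a POSIX system and is a stand-in for a real container or sandbox.

```python
"""Broker (OS role) + sandboxed scanner (AV role), separated by process.

Added example, not code from the thread. The scanner never receives a
path or file descriptor, only bytes, so a bug in the scanner cannot be
turned into file-system access. The broker treats a crashed or hung
scanner as a failed scan, never as a clean one.
"""
import json
import subprocess
import sys

# Source of the scanner process. It is started with sys.executable -c,
# imports everything it needs first, then lowers RLIMIT_NOFILE so that
# no new file can be opened (fds 0-2 stay usable). Constructed signatures.
SCANNER_SRC = r'''
import json, resource, sys
resource.setrlimit(resource.RLIMIT_NOFILE, (3, 3))  # only stdin/stdout/stderr remain usable

# Prove the restriction from inside the sandbox: opening a file must fail.
try:
    open("/dev/null", "rb").close()
    can_open_files = True
except OSError:
    can_open_files = False

# Constructed signature table for the example, not a real AV database.
SIGNATURES = {
    "Constructed.Test.Marker": b"CONSTRUCTED-MALICIOUS-MARKER",
    "Constructed.Script.Dropper": b"powershell -enc CONSTRUCTED",
}

data = sys.stdin.buffer.read()
matches = [name for name, pattern in SIGNATURES.items() if pattern in data]
sys.stdout.write(json.dumps({
    "malicious": bool(matches),
    "matches": matches,
    "bytes_scanned": len(data),
    "scanner_can_open_files": can_open_files,
}))
'''


def scan_bytes(data: bytes, timeout: float = 10.0) -> dict:
    """Run the sandboxed scanner over data and return its verdict.

    Fails closed: any crash, timeout or unparsable output yields
    malicious=None with an error field, so the caller cannot mistake a
    broken scanner for a clean result.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", SCANNER_SRC],
            input=data,
            capture_output=True,
            timeout=timeout,
            check=True,
        )
        return json.loads(proc.stdout)
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired,
            json.JSONDecodeError) as exc:
        return {"malicious": None, "matches": [], "error": repr(exc)}


def broker_scan_file(path: str) -> dict:
    """Broker side: the only place that touches the file system.

    Reads the file itself, hands bytes to the scanner, then owns the
    enforcement decision (here just recorded as a 'quarantine' flag).
    """
    with open(path, "rb") as fh:  # handle stays on the privileged side
        data = fh.read()
    verdict = scan_bytes(data)
    # Unknown (scan failed) is treated like malicious for enforcement.
    verdict["quarantine"] = verdict["malicious"] is not False
    return verdict


if __name__ == "__main__":
    sample = b"harmless header\nCONSTRUCTED-MALICIOUS-MARKER\ntrailer"
    print(json.dumps(scan_bytes(sample), indent=2))
```

The useful property to check is the `scanner_can_open_files` field: the child reports from inside the restriction that it cannot open even `/dev/null`, yet it still produces a correct verdict from the bytes it was given. A real deployment would replace the rlimit trick with a container or seccomp profile and would pass data from every entry point (downloads, mail, removable media) through the same broker.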
Replying to @justinschuh @martijn_grooten
Is there *anything* more perfectly sandboxable than an antivirus engine? The fact that this isn't happening speaks volumes.
6 replies 8 retweets 39 likes -
Replying to @taviso @justinschuh
Yes, incentives. I sometimes wish a company would see its profits drop every time you reported a vulnerability. That would change things a lot.
3 replies 0 retweets 2 likes -
I wish there were a Pwn2own for anti-virus software. That's a great artificial incentive.
2 replies 0 retweets 8 likes -
I agree. I have good experience with corporate antivirus ever since moving to a smaller, lighter player, but I’d love to see people getting incentives to hack it
2 replies 0 retweets 2 likes -
Replying to @SwiftOnSecurity @martijn_grooten and
Let me tell you, as someone who implemented a new corporate antivirus and actively monitors its efficacy: Antivirus largely works in the dirty real world if you know how to use it. Antivirus that isn’t administered correctly, which is a huge number, is routinely worthless.
1 reply 0 retweets 7 likes -
Replying to @SwiftOnSecurity @martijn_grooten and
I spoke to a senior consultant at a massive security firm: a large number of customer issues, where they open panicked P1 infection issues, are administrators disabling important cloud lookup features.
1 reply 0 retweets 4 likes -
Look, every day you get thousands of hits w/antivirus, should you feel safer? One argument is "yes, those are attacks failed, we made things safer". Another argument is "no, av is only thing standing between us and disaster, it's trivial to evade, so we're on borrowed time".
2 replies 1 retweet 9 likes
That is not the discussion here though, the argument here is that while catching those trivial attacks they also make more dangerous attacks possible and refuse to take responsibility for them. If they solve that, nobody would care.
Interesting point
0 replies 0 retweets 2 likes
Replying to @taviso @SwiftOnSecurity and
So is the answer (to both threat models) for AV to implement sandboxing techniques that don’t impact on performance?
0 replies 0 retweets 0 likes