Then there's the claim about browsers being exploited at scale in the wild, but I know for a fact we've never seen that in Chrome. And I have yet to see an AV provide evidence of where their products have in any way mitigated an exploit against an up-to-date browser.
Then there's the broken AV incentive structure that actively trains users to engage in harmful behavior. Because good security UX means silent protection, and surfacing alerts only when you must demand action by the user. AV follows exactly the opposite of this best practice.
1 reply 3 retweets 11 likes
Commercial AV is constantly popping "alerts" in order to "show value" and make upsells. This creates endless warning fatigue, so in the rare event the user faces a real security decision, they've already been trained to just click on through with abandon.
2 replies 0 retweets 12 likes
Finally, we have to look at the abysmal quality of the average AV—and not just the security vulnerabilities—the performance and stability are also among the worst I've ever seen. And this is stuff running in your kernel, and getting injected into every process in your system!
1 reply 0 retweets 7 likes
We regularly deal with AV that: breaks ASLR/NX, leaks highly privileged interfaces into sandboxed processes, regresses TLS connections to the point of uselessness, makes outbound connections impossible, prevents renderer process launches entirely, and causes all manner of chaos.
2 replies 0 retweets 10 likes
Replying to @justinschuh @taviso
Hey, I know. I'm not saying this part isn't true. It frustrates me too. :-( And I really want to build bridges between the AV vendor community and people like you guys. And I'd be happy to hear of suggestions on how to do that.
1 reply 0 retweets 2 likes
Replying to @martijn_grooten @taviso
Here's my model for a healthy AV: The AV provides a scanning engine that runs in a tightly sandboxed, isolated container. The OS initiates the scans of data from any entrypoint sources. That leaves the OS responsible for system integrity, and the AV identifies malicious data.
2 replies 6 retweets 26 likes
Replying to @justinschuh @martijn_grooten
Is there *anything* more perfectly sandboxable than an antivirus engine? The fact that this isn't happening speaks volumes.
6 replies 8 retweets 39 likes
Replying to @taviso @damienmiller and
Excuse my horrible ignorance, but don't efficient file system scanners typically need block-level read access?
1 reply 0 retweets 0 likes
Maybe? But it's the bit that does the complex file format parsing that needs to be sandboxed, not the bit that does the fs access (IMO you'd probably want to keep that outside the sandbox)
1 reply 0 retweets 2 likes
Right, a typical design would hand off a read-only handle to a sandboxed process, so the code that needs fs access doesn't do anything very complex - just manages handles and reads a scan result from a pipe.
Replying to @taviso @damienmiller and
Fair enough
0 replies 0 retweets 0 likes
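The broker/sandbox split sketched in the replies above (the OS-side broker keeps the filesystem access, hands a read-only handle to an isolated process that does the risky file-format parsing, and reads a verdict back over a pipe), as an added Python example. It is not code from the thread or from any AV product. The TOYF container format, the detection string and the sample files are constructed for the example; the resource limits stand in for a real sandbox policy (seccomp, namespaces, or the OS equivalent), and the descriptor is handed over by fork inheritance rather than SCM_RIGHTS to a pre-spawned worker. POSIX only.

```python
"""Broker/sandbox split for a file scanner (constructed example).

Broker (parent): opens the file read-only, forks, lends the fd, reads a verdict.
Sandboxed child: parses attacker-controlled bytes and reports over a pipe.
A parser bug (exception, abort, runaway loop) becomes a scan error in the
broker, not a compromise of the process that owns the filesystem.
"""
import json
import os
import resource
import struct
import tempfile

MAGIC = b"TOYF"                            # constructed magic for the toy container
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"  # constructed detection string, not a real one


def parse_and_scan(fd):
    """Runs only inside the sandbox. TOYF layout: magic, little-endian u32
    payload length, payload. A length field past EOF makes it raise, standing
    in for the bugs real format parsers are full of."""
    data = bytearray()
    while chunk := os.read(fd, 65536):
        data += chunk
    if len(data) < 8 or data[:4] != MAGIC:
        return {"status": "clean", "detail": "not a TOYF container"}
    (length,) = struct.unpack("<I", data[4:8])
    payload = bytes(data[8:8 + length])
    if len(payload) != length:
        raise ValueError("payload shorter than declared length")
    verdict = "malicious" if SIGNATURE in payload else "clean"
    return {"status": verdict, "detail": f"{length} payload bytes scanned"}


def _lower_limit(res, value):
    """Set soft and hard limit to value (or the current hard limit if lower)."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _enter_sandbox(keep_fds):
    """Post-fork lockdown: no new processes, no file writes, bounded CPU, and
    only the data fd plus the result pipe left open. A production scanner adds
    seccomp/namespaces or the platform sandbox; this shows the shape only."""
    _lower_limit(resource.RLIMIT_NPROC, 0)   # fork() fails inside the sandbox
    _lower_limit(resource.RLIMIT_FSIZE, 0)   # writing a regular file delivers SIGXFSZ
    _lower_limit(resource.RLIMIT_CPU, 2)     # a runaway parser is killed, not waited on
    try:
        max_fd = os.sysconf("SC_OPEN_MAX")
    except (ValueError, OSError):
        max_fd = 1024
    low = 0
    for fd in sorted(set(keep_fds)):         # close everything except the lent handles
        os.closerange(low, fd)
        low = fd + 1
    os.closerange(low, min(max_fd, 65536))


def scan_file(path, parser=parse_and_scan):
    """Broker side. Anything that goes wrong in the child surfaces as 'error'."""
    data_fd = os.open(path, os.O_RDONLY)     # the only filesystem access, read-only
    result_r, result_w = os.pipe()
    pid = os.fork()
    if pid == 0:  # sandboxed child: parse, report, exit; never return into the broker
        try:
            os.close(result_r)
            _enter_sandbox(keep_fds=(data_fd, result_w))
            report = parser(data_fd)
        except BaseException as exc:  # parser bug => error report, not broker compromise
            report = {"status": "error", "detail": f"scanner raised {type(exc).__name__}"}
        try:
            os.write(result_w, json.dumps(report).encode())
        finally:
            os._exit(0)
    os.close(result_w)                       # broker drops the handles it lent out
    os.close(data_fd)
    chunks = []
    while chunk := os.read(result_r, 4096):
        chunks.append(chunk)
    os.close(result_r)
    _, status = os.waitpid(pid, 0)
    if not chunks:  # child died (signal, abort, CPU limit) before reporting
        return {"status": "error", "detail": f"scanner exited without a verdict ({status})"}
    return json.loads(b"".join(chunks))


def _write_sample(declared_len, payload):
    """Constructed TOYF file on disk; returns its path."""
    f = tempfile.NamedTemporaryFile(delete=False, suffix=".toyf")
    f.write(MAGIC + struct.pack("<I", declared_len) + payload)
    f.close()
    return f.name


def demo():
    """Three constructed inputs, plus a parser that crashes outright."""
    benign = _write_sample(11, b"hello world")
    malicious = _write_sample(len(SIGNATURE) + 4, b"ab" + SIGNATURE + b"cd")
    malformed = _write_sample(0xFFFFFFFF, b"short")   # declared length far past EOF

    def crashing_parser(fd):
        os.abort()  # stands in for a memory-safety bug taking the scanner down

    results = {
        "benign": scan_file(benign)["status"],
        "malicious": scan_file(malicious)["status"],
        "malformed": scan_file(malformed)["status"],
        "crash": scan_file(benign, parser=crashing_parser)["status"],
    }
    for p in (benign, malicious, malformed):
        os.unlink(p)
    return results


if __name__ == "__main__":
    print(demo())  # {'benign': 'clean', 'malicious': 'malicious', 'malformed': 'error', 'crash': 'error'}
```

The point of the split is visible in the last two cases: the parser raising on a bad length field and the parser dying outright both come back to the broker as an error verdict, while the broker itself never touched the file contents and the child never had anything but a read-only descriptor and one pipe end to work with.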