Subjunctive posted: My company has > 10K end-user machines and we don't run AV.

I wouldn't replace AV, that's the point - I'd use it in conjunction with other tools. You didn't answer the question, you just asked another one.

Apr 30, 2016 00:19

co199 posted: I wouldn't replace AV, that's the point - I'd use it in conjunction with other tools. You didn't answer the question, you just asked another one.

Why do you think using AV makes it cheaper?

Apr 30, 2016 00:20

apseudonym posted: Why do you think using AV makes it cheaper?

Ok, I'm not saying AV makes it cheaper, my question was specifically around securing a large enterprise, without AV, for a "reasonable" price. That's probably too broad of a specification, realistically, but for the sake of conversation we'll let it stand.

Apr 30, 2016 00:22

co199 posted: Ok, I'm not saying AV makes it cheaper, my question was specifically around securing a large enterprise, without AV, for a "reasonable" price. That's probably too broad of a specification, realistically, but for the sake of conversation we'll let it stand.

Please do not engage in doing any sort of IT work, let alone security. AV is far from "reasonable" regardless of how cheap it is.

Apr 30, 2016 00:25

co199 posted: I wouldn't replace AV, that's the point - I'd use it in conjunction with other tools. You didn't answer the question, you just asked another one.

I don't have the complete inventory of tools that we use, though I know some of them. I don't think we share the list publicly, but I think we've given some public talks about how we manage the corporate user fleet. I'm not sure how I would slice out the cost of the investment in "protect against someone sticking in a USB key that contains malware which happens to have been submitted to virustotal" from the general defense against malware. I know that if I suggested to our corporate IT security team that they look at AV as something to put on our systems, they would give me a near-fatal wedgie and ban me from their part of the building. I believe that our software inventory system actually alarms if it detects AV software installed on a corporate machine. AV would make ensuring the integrity of the corp-side networks *more* difficult, in addition to creating a billion points of additional friction for everyone who works here.

Apr 30, 2016 00:27

co199 posted: Ok, I'm not saying AV makes it cheaper, my question was specifically around securing a large enterprise, without AV, for a "reasonable" price. That's probably too broad of a specification, realistically, but for the sake of conversation we'll let it stand.

If you're not saying it makes it cheaper, then why the "reasonable" price element? Why would securing a large enterprise without AV cost more than doing it with AV? (Please include the operational cost of having AV bullshit get in your users' way all the time.)

Apr 30, 2016 00:28

Gonna risk a triple-post and quote myself from another thread:

Subjunctive posted: My company has a vast number of the most mainstream users possible. When we detect that they have malware on their computers (through how they interact with the service), we direct them to a tool that removes malware, but does not stay installed or set up shop as AV. Even in cases where we know the user has been compromised, the security risks of modern AV software are too high to recommend for ongoing use.

Apr 30, 2016 00:53

Subjunctive posted: Gonna risk a triple-post and quote myself from another thread:

If it's the company I think it is then it does in fact stay installed, constantly "suggests" that you buy the full anti-virus, and finds problems like "this web browser you never use has some kind of edge-case vulnerability if you are dumb enough to use it, but if you want us to automatically fix it you'll need to buy our full suite."

Apr 30, 2016 03:42

Absurd Alhazred posted: If it's the company I think it is then it does in fact stay installed, constantly "suggests" that you buy the full anti-virus, and finds problems like "this web browser you never use has some kind of edge-case vulnerability if you are dumb enough to use it, but if you want us to automatically fix it you'll need to buy our full suite."

PM me the details of which was installed? That shouldn't happen.

Apr 30, 2016 03:44

Subjunctive posted: My company has > 10K end-user machines and we don't run AV.

Must be nice to work in an industry that isn't subject to PCI, HIPAA, GLBA, US Government Contracting, or UK Data Protection Act regulation. It must also be nice to not have any clients that are subject to any of those things either.

Apr 30, 2016 18:56

Antillie posted: Must be nice to work in an industry that isn't subject to PCI, HIPAA, GLBA, US Government Contracting, or UK Data Protection Act regulation. It must also be nice to not have any clients that are subject to any of those things either.

Which part of the Data Protection Act mandates AV?

Apr 30, 2016 19:07

My company is like that too. We don't apply to any of those regulations and we're at >30,000 endpoints. However we just use the free Microsoft av because it comes with our Microsoft subscription, it's free, and it's better than nothing. Security is like an onion, the more poo poo you have layered on top of each other, the better off you'll be.

Apr 30, 2016 19:12

Mustache Ride posted: My company is like that too. We don't apply to any of those regulations and we're at >30,000 endpoints.

You are missing the point of why AV is complete crap. Just because you see it as a layer of security does not mean the layer is effective.

Apr 30, 2016 22:06

Antillie posted: Must be nice to work in an industry that isn't subject to PCI, HIPAA, GLBA, US Government Contracting, or UK Data Protection Act regulation. It must also be nice to not have any clients that are subject to any of those things either.

The HIPAA Security Rule has malicious software protection as Addressable rather than Required, and certainly doesn't mandate lovely consumer AV. There are definitely HIPAA compliant shops that don't install AV on end user PCs. Consumer AV (or even ESET) doesn't meet the PCI DSS requirement, nor is it a necessary component of meeting the requirement -- if you somehow magically have a system that meets the requirement, and you remove AV, it will still meet the (ridiculous, impossible) requirement. I've been a US Gov't contractor for DOE labs working on clusters for nuclear simulation, without AV, and had no issue.

May 1, 2016 00:04

No no no, you're not getting it at all. I agree that av is crap. That's why we don't pay for it. You should at least use something you get with a Microsoft license than nothing at all to stop the limited crap it does catch. The people who pay for it are the idiots.

May 1, 2016 00:44

Mustache Ride posted: No no no, you're not getting it at all. I agree that av is crap. That's why we don't pay for it. You should at least use something you get with a Microsoft license than nothing at all to stop the limited crap it does catch.

guys guys i'm with you 100% except for the point you're actually making so can we please just agree i'm right and move on

May 1, 2016 01:27

OSI bean dip posted: You are missing the point of why AV is complete crap. Just because you see it as a layer of security does not mean the layer is effective.

How are you defining effectiveness? Top-tier antivirus software (Kaspersky, BitDefender, etc) consistently picks off 99.9%+ of known threats, 95%+ of unknown threats via heuristics, and 98%+ of malicious sites. That's pretty effective in my book.

http://www.av-comparatives.org/wp-content/uploads/2016/04/avc_fdt_201603_en.pdf
http://www.av-comparatives.org/wp-content/uploads/2015/07/avc_beh_201503_en.pdf
http://www.av-comparatives.org/wp-content/uploads/2016/04/avc_factsheet2016_03.pdf

May 1, 2016 01:50

Paul MaudDib posted: 99.9%+ of known threats, 95%+ of unknown threats

lol why don't they just catch the other 5% of unknown threats, can't be that hard

May 1, 2016 01:50

Dex posted: lol

The test methodology is: pick a freeze date for the AV definitions, collect new/unknown virus samples, then test them against the old AV definitions to see if the heuristics picked them up. What's your specific complaint with that approach?

edit:

Dex posted: why don't they just catch the other 5% of unknown threats, can't be that hard

Well, BitDefender is at 99% heuristic effectiveness. No software is perfect - including filtering web/email at the pipe - but that's not a reasonable standard of effectiveness.

Paul MaudDib fucked around with this message at 01:58 on May 1, 2016

May 1, 2016 01:53

based on a random sampling of my open tabs, 25% of internet traffic goes to something awful dot com. guess that radium guy knew a thing or two about servers after all

May 1, 2016 01:58

Paul MaudDib posted: How are you defining effectiveness?

this is the dumbest thing I've ever read and you have no idea what you're talking about.

May 1, 2016 02:20

Paul MaudDib posted: How are you defining effectiveness?

Tell me how in a real world situation these would actually achieve more than 40%--I am being fair here because it's really 5%. Tell me why AV cannot catch most ransomware even with up-to-date definitions.

May 1, 2016 02:24

quote: The solution actually turned out to be very simple: if all manufacturers pay the same fee in order for their product to be tested, none of them can be advantaged or disadvantaged

Our results say all AV is amazing? Oh don't worry, no possible conflict of interest here, we're paid by all AV manufacturers equally.

May 1, 2016 02:43

OSI bean dip posted: Tell me why AV cannot catch most ransomware even with up-to-date definitions

Way to beg the question. In the real world,
and that's the AV-related causes of why viruses spread. I would also throw in users that disable UAC or let any random application escalate to admin (especially dubious stuff like keygens), which may allow additional ways for malware to escape AV detection or kills. Not that antiviruses are perfect - because they're not, nothing is 100% - but if you don't undercut them by doing the above, they are pretty effective. Some are more effective than others though - Kaspersky, BitDefender, ESET, and F-Prot regularly top the pack in detection rates, others have lower detection rates. Ransomware isn't really any different than a standard virus, which also spread quite prodigiously. The difference is that an average virus doesn't make your computer unusable until you send 50 bitcoins to Russia. Regular viruses want to stay undetected so they can keep using your machine in their botnet, spamming ads for ch34p v1agra, etc. If every single infected computer out there suddenly flashed an alert message, we would notice them a lot more.

Paul MaudDib fucked around with this message at 03:11 on May 1, 2016

May 1, 2016 03:01

Paul MaudDib posted: Way to beg the question. In the real world,

May 1, 2016 03:21

Paul MaudDib posted: Way to beg the question. In the real world,

posts like this are why in TYOOL 2016 security is such a joke of an industry.

May 1, 2016 03:32

What's an ideal approach to security for a home machine mostly used to play video games and browse the forums? I'm curious and would like to make sure I'm not doing anything stupid. At baseline, I keep windows updated, keep UAC on, don't open email attachments, etc.

May 1, 2016 03:38

andrew smash posted: What's an ideal approach to security for a home machine mostly used to play video games and browse the forums? I'm curious and would like to make sure I'm not doing anything stupid. At baseline, I keep windows updated, keep UAC on, don't open email attachments, etc.

Keep your stuff up to date, don't run random poo poo off torrents.

May 1, 2016 03:39

Thanks. I gave up pirating poo poo many years and several machines ago.

May 1, 2016 03:42

If AV is so good, why do we have to create fake processes to trick ransomware into not installing itself??

May 1, 2016 04:30

Paul MaudDib posted: Way to beg the question. In the real world,

As someone who used to work for an antivirus company, you absolutely have no idea. In your own words, how does antivirus work?

May 1, 2016 05:20

OSI bean dip posted: As someone who used to work for an antivirus company, you absolutely have no idea.

Well, signatures look for unique bit-patterns in a file or in memory. For a trivial example, the classic "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" string. Heuristics work by looking for patterns of characteristics and behavior of a process that might be suspicious. For example, a process that isn't signed by a trusted key, was recently installed, is running elevated, and has been a foreground window for less than a second might be a virus. Then there's sandboxing, where you set up what looks like a real kernel but actually is a stub run by the AV program, to see whether an executable or process tries touching a file or system resource that it shouldn't.

Paul MaudDib fucked around with this message at 05:44 on May 1, 2016

May 1, 2016 05:31
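
The signature matching sketched in the post above, worked through as an added example (this is not code from the thread or from any AV product): a toy scanner that compiles hex signatures into byte regexes and runs them over a few constructed files. The `??` single-byte wildcard and the optional offset anchor are two features of ClamAV/YARA-style hex patterns, assumed here for illustration. The EICAR string is the real, published test artifact; every other signature, file name and sample byte string is constructed for the example and corresponds to no real malware family.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The EICAR test string: the standard, harmless 68-byte file that every
# scanner is expected to detect. It is a real, published test artifact.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Signature:
    """A hex byte pattern in the style of ClamAV/YARA hex strings.

    '??' is a one-byte wildcard; offset=None means 'anywhere in the buffer',
    otherwise the pattern must start exactly at that offset.
    """
    name: str
    hex_pattern: str
    offset: Optional[int] = None

    def compiled(self) -> "re.Pattern[bytes]":
        tokens = self.hex_pattern.replace(" ", "")
        if len(tokens) % 2:
            raise ValueError(f"{self.name}: odd-length hex pattern")
        parts = []
        for i in range(0, len(tokens), 2):
            tok = tokens[i:i + 2]
            # A wildcard becomes '.', a literal byte is escaped so regex
            # metacharacters such as '[' or '$' in the EICAR string match literally.
            parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
        return re.compile(b"".join(parts), re.DOTALL)


def signature_from_bytes(name: str, blob: bytes, offset: Optional[int] = None) -> Signature:
    """Build an exact-match signature from a byte string."""
    return Signature(name, blob.hex(), offset)


@dataclass
class Hit:
    signature: str
    offset: int


def scan(data: bytes, signatures: List[Signature]) -> List[Hit]:
    """Return one Hit per signature that matches (first occurrence only)."""
    hits: List[Hit] = []
    for sig in signatures:
        pattern = sig.compiled()
        if sig.offset is None:
            m = pattern.search(data)
            if m:
                hits.append(Hit(sig.name, m.start()))
        elif pattern.match(data, sig.offset):
            hits.append(Hit(sig.name, sig.offset))
    return hits


# Constructed signature set: only the EICAR pattern is real.
SIGNATURES = [
    # Exact byte sequence, anywhere in the file: how the EICAR string is caught.
    signature_from_bytes("EICAR-Test-File", b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"),
    # Two wildcard bytes in the middle, e.g. to skip a variable field (made up).
    Signature("Example.Wildcard", "de ad be ef ?? ?? c0 ff ee"),
    # Anchored at offset 0: a DOS 'MZ' header only counts at the start of the file.
    Signature("Header.MZ", "4d 5a", offset=0),
]

# Constructed sample files (byte strings built inline, not real binaries).
SAMPLES = {
    "eicar.com": EICAR,
    "wildcard.bin": b"\x00" * 10 + b"\xde\xad\xbe\xef\x01\x02\xc0\xff\xee" + b"\x00" * 4,
    "notes.txt": b"quarterly report, nothing to see here",
    "mz_in_middle.bin": b"\x00" * 8 + b"MZ" + b"\x00" * 8,   # 'MZ' present, but not at offset 0
    "tiny.exe": b"MZ\x90\x00" + b"\x00" * 12,
}


def scan_samples() -> dict:
    """Scan every sample; map file name -> list of (signature name, offset)."""
    return {name: [(h.signature, h.offset) for h in scan(data, SIGNATURES)]
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:18s} {hits or 'clean'}")
```

Running it shows exactly what a byte signature does and does not buy: the EICAR file fires at the offset where the literal bytes sit, the anchored `MZ` rule fires for `tiny.exe` but stays silent for the same two bytes in the middle of another file, the wildcard bytes are the only tolerance a rule has, and anything not enumerated scans as clean. That gap between "bytes I have seen before" and "behaviour I have not" is the part the thread's later questions about heuristics and sandboxing are about.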

Paul MaudDib posted: Well, signatures look for unique bit-patterns in a file or in memory. For a trivial example, the classic "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" string.

Great. What else does a signature do? Does it have to rely on a file or in-memory?

quote: Heuristics work by looking for patterns of characteristics and behavior of a process that might be suspicious. For example, a process that isn't signed by a trusted key, was recently installed, is running elevated, and has been a foreground window for less than a second might be a virus.

No.

quote: Then there's sandboxing, where you set up what looks like a real kernel but actually is a stub run by the AV program, to see whether an executable or process tries touching a file or system resource that it shouldn't.

How does the sandbox deal with non-mutable system calls? So far you're not nailing how anti-virus works. Have you ever seen a signature? Or even better, write me a YARA rule that will detect 99.9% of ransomware. I do suggest that you read this thread before you proceed any further on debating here.

May 1, 2016 06:28

Paul MaudDib posted: Way to beg the question. In the real world,

oh man

May 1, 2016 06:38

OSI bean dip posted: So far you're not nailing how anti-virus works. Have you ever seen a signature? Or even better, write me a YARA rule that will detect 99.9% of ransomware.

One rule will never catch 99.9% of anything. You're an idiot who's trying to score points by making an impossible request.

OSI bean dip posted: https://blog.kaspersky.com/equation-hdd-malware/

OK, I'll keep that in mind if I piss off the NSA (but seriously - if they're giving you 1-on-1 attention you're hosed, they're getting in one way or another). Do you not drive with seatbelts because someone might t-bone you at 80 miles per hour and in that case you'd die anyway? Antivirus picks most of the low-hanging fruit - yeah the NSA is getting in regardless, but you don't have to make it easy for the first script-kiddie who gets a chance at you. You're an idiot if you think the NSA has anything to do with average consumer security. No wonder you're "formerly employed" by an antivirus company.

Paul MaudDib fucked around with this message at 06:52 on May 1, 2016

May 1, 2016 06:42

Paul MaudDib posted: One rule will never catch 99.9% of anything. You're an idiot who's trying to score points by making an impossible request.

i think you're entirely missing the point here

May 1, 2016 06:46

Paul MaudDib posted: One rule will never catch 99.9% of anything. You're an idiot who's trying to score points by making an impossible request.

Paul MaudDib posted: Top-tier antivirus software (Kaspersky, BitDefender, etc) consistently picks off 99.9%+ of known threats, 95%+ of unknown threats via heuristics, and 98%+ of malicious sites. That's pretty effective in my book.

So what is it here? How does anti-virus catch "99.9% of known threats"? You think that multiple rules are piled upon it to come up with an answer?

quote: Do you not drive with seatbelts because someone might t-bone you at 80 miles per hour and in that case you'd die anyway? Antivirus picks most of the low-hanging fruit - yeah the NSA is getting in regardless, but you don't have to make it easy for the first script-kiddie who gets a chance at you.

I am not taking the NSA into account when I talk about things here; stop being obtuse. So instead of responding in a manner where you act as your ego has been maligned, how about you answer my questions?

OSI bean dip posted: Great. What else does a signature do? Does it have to rely on a file or in-memory?

If you're so certain about how AV works, answer these or shut up.

May 1, 2016 06:55

Paul MaudDib posted: You're an idiot who's trying to score points by making an impossible request.

please can you quantify the impossibility of this request

May 1, 2016 07:06

Jesus tapdancing christ, why is everyone so loving angry in these threads?

May 1, 2016 07:12

Mustache Ride posted: Jesus tapdancing christ, why is everyone so loving angry in these threads?

because if you get called out on being wrong about a thing you shouldn't double down on being wrong

May 1, 2016 07:18