Lies, big lies and antiviruses. Part one. "And they were the first to start!"

With this article I begin a series on some aspects of the so-called "antivirus industry", which I hope will be of interest to someone other than me alone.

For the umpteenth time we are frightened with horror stories along the lines of "yet another virus has spread around the world in millions of copies. We will all perish!" But reading the next vigorous press release from the next manufacturer of the next antivirus tool, you are perplexed. How so? We are protected so reliably, so comprehensively: signatures, heuristics, and even, the hit of the season, a behavioral blocker. Then why do people keep getting infected? Where do the epidemics come from? Are modern antivirus products effective at all?

The first antiviruses appeared around 1985 as a response to the first file viruses, which infected executable and interpretable files and ran in the MS DOS environment. For those who still remember, this was a single-tasking operating system in which the kernel and application programs worked at the same privilege level. On that platform antiviruses turned out to be the most rational tool for combating viruses, both for curing already infected machines and for preventing infection. Viruses spread slowly, on diskettes, from user to user, whereas signatures for detection and disinfection spread much faster over networks (BBS, NNTP, ...). And so it went on for quite a long time, until about the beginning of the 2000s (that is, at least fifteen years), when three fundamental changes took place.

Cardinal change number one: the Internet came to us. This means that the propagation medium of viruses became the same as the distribution medium of signatures. The head start of antiviruses over viruses was reduced to zero.

Cardinal change number two: operating systems based on MS DOS (and that includes the entire Win1.xx – Win3.xx, Win95/96/98/ME line) were replaced on the desktop by the Windows NT kernel in its Windows 2000 / XP implementation. Now the kernel of the operating system, its code and data, is reliably separated from the address space of ordinary programs.

Cardinal change number three: viruses are now written for profit. Moreover, "viruses" as such have in fact disappeared from the computers of ordinary people. They have been replaced by all sorts of "worms", "Trojan horses", "blockers" and other vermin focused on extracting money.

It is with cardinal change number three that the first major failure of the antivirus industry is connected: antiviruses could not disinfect machines already infected with Trojans. File infections, as many as you like; but executable modules injected into the operating system, no. The entire anti-malware industry grew up on this. Anyone who still remembers names such as Spybot Search & Destroy, Ad-Aware and SpySweeper needs no further explanation, I think. It must be said that the antivirus industry quickly realized that the money was slipping out of its hands and quickly made up for lost time.

And because of cardinal change number one, the level of infection prevention has fallen below any criticism. The antivirus is catastrophically late. Nothing saves it: neither heuristics nor the behavioral blocker. Malware writers bypass everything.

At the same time, on every forum, threads keep popping up in the style of "antivirus A periodically misses infections, it is bad. Advise a good one." The person is advised a "good" one, which keeps that status until the next miss. After that, the cycle of searching for a "good antivirus" repeats.

At the same time a paradox arises: new technologies for preventing infection, made possible by "cardinal change number two" and showing absolute results in infection-prevention tests (the so-called "dynamic tests"), cannot break through into the light of day, because they came so late. The inertia of thinking of the overwhelming majority of users simply does not let them look for anything "protective" other than antiviruses. Protection is identically equal to antivirus. Period. "I need protection. Advise a good antivirus." Familiar?

But antiviruses are not the best at the task of preventing infection! They just started first!

P.S. Next part

