Fans of Chinese pioneers

Participation in various industry events leads to a sad conclusion: nobody is interested in antivirus any more. The number of visitors to vendor stands tends to zero. It has reached the point where even the famous Kaspersky giveaways no longer get picked up. People mostly come by to report problems; the questions "what's new?" and "how does it work?" have passed into the realm of legend...

And all this against the background that most administrators (by my statistics, about 19 out of 20) are not even aware that they have not implemented protection against malicious programs, while being completely certain of the opposite. An example? Easy! A summary of the article "CTB-Locker. We decided to pay":

  1. The customer was hit by an encryptor (ransomware).
  2. The antivirus is bad because it missed it. It needs to be replaced.

In fact, this is a typical situation that we, as vendors, constantly face.

In the comments, however, it was noted that all antiviruses miss things. Naturally, a discussion about methods of protection followed. But what did its participants propose? With the exception of one (only one! and I naturally do not count my own comment), the answer was: "The only way to deal with encryptors is backups." I was floored.

I will not repeat the arguments. There is plenty of material on the Internet; within Habr, for example, there is the series of articles "How to catch something that does not exist". Here we will only state the theses, and yes, those who are convinced that an antivirus is what protects them from malware getting through will read them.

First of all, let's define what we will call an antivirus. Below, an antivirus means a program that searches for malware based on knowledge of actually existing malware, or of the principles of its behaviour, recorded in virus databases. In principle this also includes a behavioural analyser that works on the basis of knowledge about how malware operates. Of course, modern antiviruses contain many more components, but this is what is usually understood by the term (and on the basis of this understanding people decline the more functional versions that could provide better protection. Alas.)

So:

  1. An antivirus cannot prevent malicious programs that have been tested against current versions of antivirus products from getting onto a computer or network. No heuristics will stop this either: their operation is also taken into account when the malware is developed.
  2. The number of malicious programs arriving at an antivirus lab is estimated at hundreds of thousands per day, and even millions. Accordingly, the user may already have the trojan while the analysts have not yet got to it. Cases are known where the first employee to arrive at work caught the encryptor, while those who came in late no longer did.
  3. To protect against as yet unknown malware, other approaches are necessary (mandatory!). In particular, restriction of the software environment, of user access rights, and so on: the malicious program should not be able to start, and if it does start, it should not be able to establish itself in the areas it targets.
  4. The documents of the regulators operating in our country do not require the use of an antivirus; they use the term "antivirus protection system", and that need not be only an antivirus.

Thus the protection of the computer and the network as a whole is provided not by the antivirus but by the antivirus protection system, which as a rule includes an antivirus. By the way, try (without reading further) to say what an antivirus is needed for if it does not provide the protection customers require.

  1. An antivirus intercepts at least 60% of malicious programs.
  2. Only an antivirus can provide a guaranteed cure for malware that is already running (after receiving the update, of course); no other protection system can do this. Even formatting does not guarantee the removal of a well-hidden trojan.

Accordingly, an antivirus must have:

  1. An excellent system for finding active infections and curing them. All other kinds of antivirus tests are a pure scam.
  2. Self-protection that shields it from attacks by malware it does not yet know about.
  3. Mechanisms that guarantee the antivirus on an infected workstation access to the update servers and the management system.
  4. Technologies that reduce the number of entries needed in the virus database. For example, non-detection of a piece of malware can be achieved by encrypting it or packing it in a format unknown to the antivirus. Accordingly, technologies for searching inside unknown packers and encrypted files are highly desirable.

Unfortunately, most of the specialists in charge of protection are not aware of this. Using only an antivirus, they follow the path of the Chinese pioneers, who, as the saying goes, created problems for themselves in order to heroically overcome them.

And how many complaints in the spirit of "management does not understand, won't give us money"! We have methodological materials on how to convincingly justify the purchase to the business. But what do you think is asked for most often? Yes: "send us a list of your features, we'll report it to management." Right. Our management is thoroughly versed in protection technologies.

I apologise for the outburst. But sometimes it all gets to you.

Source: https://habr.com/ru/post/256835/
