RE: Antivirus- A Corrective Control?

[Ong Chin Ching <ongcc () pcs-security com>]

My point of view

Traditional AV is a corrective control, you realized the file is "executed"
then AV scanned them, if any threats found then the file will be deleted,
quarantined etc, these are corrective actions. 

If it is a preventive control, threats are meant not to be allowed in the
environment but for AV, the infected exist in the environment and only
discovered, detected when it has been executed.

Regards,
Chin Ching

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jay Scalf
Sent: Thursday, 11 August, 2011 06:18
To: security-basics () securityfocus com
Subject: Re: Antivirus- A Corrective Control?

Well, everyone is right. Let me summarize:

Locally, on your computer, network, etc., both. I have used numerous 
programs that catch some incoming and some in scans. These, however, are 
from known lists or, like Panda Cloud, whatever can be found on the net. 
All give false positives and miss newly created material. (It might also 
be noted that once the virus/malware is found and removed, correction of 
the registry, path, etc., may also be required - so not entirely 
corrective either.)

In terms of the big picture, the entire IT world is reactive - with the 
pen testers out front trying to find holes (potential exploits) to be 
plugged before someone more malevolent discovers it. Still, none of us 
have a crystal ball, so you certainly couldn't call anything of that 
nature preventative in a broad sense. It is a good thing that software 
suppliers respond quickly with patches, but the next major attack will 
likely be from a yet to be documented source.

Lastly, I agree with all those who have gone before in their advice 
regarding the test. (If I learned anything from 6 years of college, it's 
how to take a test.) Read their material carefully and figure out which 
answer they are looking for.

Good luck and best wishes to all,
Jay

On 8/10/2011 4:31 PM, Todd Haverkos wrote:
> "Sandeep Cheema "<51l3n7 () live in>  writes:
>
> > My 0.02$
> >
> > Preventive. Corrective would be if the machine has been compromised
> > and the next task is to clean it.  But that's not how AV behaves
> > ideally. An infected machine can never be cleaned fully but can be
> > prevented completely from getting infected. If you got an AV in
> > place, it should not get infected at all ( as per vandor's claims
> > atleast
> As this is security-basics, and because an alarming number of people
> believe that there's even a shred of truth to the "should not get
> infected at all" myth, as a public service, let's all repeat:
>
>         "No, AV won't protect you from all malware. Not even close."
>
> Make sure everyone knows that AV is trivially evaded, and that
> essentially all decent malware is tested against all the common AV's
> before it's used.  Some crimeware kits even come with support and a
> guarantee of a new version should AV start detecting the current
> version.  Freely available exploitation frameworks are built from the
> ground up to do AV and IDS evasion at several levels.
>
> If a vendor makes a claim anywhere within 100 kilometers of "should
> not get infected at all" they should be summarily discounted from
> consideration as a vendor, and possibly flogged in the street.
>
> If you aren't already, spread the word that AV's value (if any) is in
> complying with mandates for AV, and for being at least something that
> might detect older or more common malware absent any other more
> advanced/more reliable detective measures you've been allowed to
> purchase.  Versus a targetted attack, be sure that decision makers are
> aware that AV is very nearly worthless, and should never ever ever be
> characterized as something that would keep a machine from getting
> "infected at all."
>
> Sandeep, by the way, this isn't directed at you...I suspect you are
> well aware of the gulf between vendor claims and reality on this
> front.
>
> Best Regards,
> --
> Todd Haverkos, LPT MsCompE
> http://haverkos.com/
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.
>
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
> ------------------------------------------------------------------------
>
>
>
> -----
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 10.0.1392 / Virus Database: 1520/3825 - Release Date: 08/10/11

-- 
This e-mail, and files transmitted with it where applicable, are
confidential and intended solely for the use of the individual or entity to
whom they are addressed. If you have received this email in error please
notify the sender by replying to this e-mail.

Hard copies of attachments will not be forwarded unless specifically
requested.


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------

Attachment: smime.p7s
Description: