Security Basics mailing list archives

RE: Antivirus- A Corrective Control?


From: "Mikhail A. Utin" <mutin () commonwealthcare org>
Date: Thu, 11 Aug 2011 09:51:11 -0400

My 5c to this discussion. Numbers only.
Independent testers use sets of hundreds of thousands of KNOWN viruses to test AV software. In "going back" tests the 
best on market SW (even triple engine based) discovers/identifies only about 90%. Please, read "KNOWN" species. In 
"going forward" tests it is about 80% of known to the date of the test.
Basically we are talking of 80% or lower probability of virus identification based on known sets, but in reality I 
would consider 50% or less.

Mikhail A. Utin, CISSP
Information Security Analyst

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Todd Haverkos
Sent: Wednesday, August 10, 2011 5:31 PM
To: security-basics () securityfocus com 
Subject: Re: Antivirus- A Corrective Control?

"Sandeep Cheema " <51l3n7 () live in> writes:

My 0.02$

Preventive. Corrective would be if the machine has been compromised 
and the next task is to clean it.  But that's not how AV behaves 
ideally. An infected machine can never be cleaned fully but can be 
prevented completely from getting infected. If you got an AV in place, 
it should not get infected at all (as per vendor's claims at least

As this is security-basics, and because an alarming number of people believe that there's even a shred of truth to the 
"should not get infected at all" myth, as a public service, let's all repeat:

       "No, AV won't protect you from all malware. Not even close."

Make sure everyone knows that AV is trivially evaded, and that essentially all decent malware is tested against all the 
common AV's before it's used.  Some crimeware kits even come with support and a guarantee of a new version should AV 
start detecting the current version.  Freely available exploitation frameworks are built from the ground up to do AV 
and IDS evasion at several levels.  

If a vendor makes a claim anywhere within 100 kilometers of "should not get infected at all" they should be summarily 
discounted from consideration as a vendor, and possibly flogged in the street. 

If you aren't already, spread the word that AV's value (if any) is in complying with mandates for AV, and for being at 
least something that might detect older or more common malware absent any other more advanced/more reliable detective 
measures you've been allowed to purchase.  Versus a targeted attack, be sure that decision makers are aware that AV is 
very nearly worthless, and should never ever ever be characterized as something that would keep a machine from getting 
"infected at all."

Sandeep, by the way, this isn't directed at you...I suspect you are well aware of the gulf between vendor claims and 
reality on this front. 

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/



