A good article about importance of prevention as the first line of defense.

by Joanna Rutkowska

And here is the response from McAfee guys
http://www.avertlabs.com/research/blog/index.php/2007/09/04/did-we-waste-billions-building-file-anti-virus-scanners/

Well, Security is all about being one step ahead.
Unfortunately McAfee guys can’t put a strong case forward and the only thing they can come up with is:

“Are we really willing to assume that the security at these vendors are so impenetrable that bad guys couldn’t possibly have messed with the content at the production end? With Joanna’s “elegant” solution, all that a cybercriminal needs to do is to compromise an application vendor to create an infected binary, signed by the vendors certificate and viola”

Well, in a world where majority of the risk coming from majority of day zero malware going undetected, in a world where a simple re-packing of an existing malware is tricking many AVs out there, in a world where the underworld now owns tens of millions of PCs as part of their BOT armies, I would, any day, accept the world where the risk is the risk of application developers being infiltrated by the underworld!

Smell the coffe guys… the days of AV as the first line of defense has well passed its sell by date! Prevention is your first line of defense now!

Melih

Way to go. Life is going to be very hard if we persist in being stupid while the bad guys are clever.

LOL

Hmm, they lost me at “viola”…

Which is a member of the strings family of instruments

versus what they perhaps meant to say…

After all, if you’re trying for an effective counter-argument in an attempt to completely discredit the opposition, you have your article proofed by someone sharp enough to catch these types of errors… Surely McAfee has someone with those capabilities.

LM

They lost me at “we”…

Anyway, my first thought of “viola” was really “voila”, which is French for “look there”.

Hmm, perhaps you didn’t follow the 2nd link I posted?

LM

Oh sorry. I missed that one because I didn’t realize it was another one of your intentional mistakes for spelling it incorrectly:

Yes, I realize it’s not your fault that the website named their page incorrectly (:NRD)

The MacAfee guys try to smear the article jumping to crazy conclusions about it:

It sounds a bit like you’re saying Anti-Virus vendors have concocted an elaborate conspiracy over the past couple of decades to extort innocent users!

I certainly did not understood that from Ms. Rutkowska’s article. ??? Looks like MacAfee overreacted.

On the other hand she hasn’t convinced me about this new approach’s being feasible back at the time, but now it’s time for it to be implemented as the first line of defense. Traditional blacklisting and such will be still used on the second line. Unless you want every inbound leak to be catastrophic that is --I’ve heard of people that even today use no AV but only a firewall (even only hardware) and Hijackthis. :o Well the case I heard of was complemented with sandboxing but still I failed to see the point…

Maybe prevention will gain more popularity once people figure out a way to test and report it in numbers to compare it with other products like they’ve been doing for years with detection. Just a thought 88).

Comodo Safelist is a good step toward prevention but I’ll surely like an evolved autolearning safelist.

Comodo main activity pertains certificates.
Adding certificate-aware V3 features make sense to me.

For example It would be interesting an autolearning safelist for microsoft digitally signed apps like Windows updates to grant them specific permissions (if the user want so) and let Defense+ make much less noise.

Also If I trusted an app from a specific brand It won’t hurt and extra layer of protection leveraging digitally signed apps potential. If V3 is on a shared environment it could check sha1 signatures or digital signatures to report modified executables (realtime and on demand modes would be needed).

This function is now replaced by Defense+ file protection. Performance-wise is better but it gives me an uneasy feeling, I may not be used to it though :P.

On a side note Sha1 and digitally signed apps could have no use if there is a kernel rootkit lurking in the shadows :o,but they will grant an additional level of protection for sure.

Anyway, signatures,file names and certificates could make rules machine-independent to a degree (I’ve not tested this, Sorry if it already work this way). This will improve user experience too.

Signatures and cerificates should be revocable and the user should be able to export these preferences.

The top should be something like secunia is already doing. A trusted software could not be so in the long term. A wonderful feature could be to let the user know if their software need an update and where they have to get one.

There would be also a geekie factor in this picture. A security feed feature 8). This could be a way to gather support from security experts. Any security advisory site could provide a feed to let readers keep up with new threats.

V3 will handle user feed subscriptions and alert them about vulnerable software they are running.
Also It could be a good way to alert users about exploits before the exploit detail will be published, at least for critical issues. It would be a more ethical way to handle these things instead to wait months before vendors will fix it. If they are not willing to share the details it could be at least a way to alert users about such flaws >:(.

This way users could at least use a different application while they are waiting for a patch and a full disclosure.

Safelisting topic is still undeveloped but sure if we’ll create one there will be many nice nice ideas popping around :-*

+1