I remember why my Mac does not run AV

I remember the first day I met David DeWalt. We were meeting the week before finalizing McAfee’s purchase of Endeavor Security.  He came in wearing a black T and black jeans.  He had floor tickets to AC/DC’s “Back in Black” concert that night.  Seemed like a very cool, laid back dude.  He was in a good mood.  Within a couple of sentences, he asked me what AV I ran on my Mac.

“I haven’t run AV since 2000,” I replied.  He snickered.  I am sure he thought of McAfee’s recent rerelease of its Mac AV product. Floor tickets can keep you in a good mood.

I thought of this today when @Iv0ryw0lf sent me an image of his AV not being happy with my latest post.

Iv0ryW0lf's AVG Alert

This is obviously AVG seeing untagged JavaScript being posted.  The JavaScript is related to exploit kits; AVG thinks this one is most closely related to the Blackhole EK.  This particular JavaScript is still very active on the Internet and has been around publicly since July, so it makes sense that AVG would attempt to detect it.  It also makes sense that AVG would not care about tags, since placing the script in a .js file removes the need for them.  However, there are HTML tags around the script that keep it from executing in that situation.  Hence, you could not have seen it run in the posting.

I would rag on AVG for being extremely aggressive on alerting and having a high false-positive rate.  But looking at CRDF, AVG is doing very well in its detection (check the link, or the end of the blog, for today’s rank).

What is wrong with AntiVirus is the need to be aggressive.  AV scanning often does not care whether what it sees can possibly be executed.  I have been burned too many times by AV that wanted to quarantine my MS Word files when I placed some evil code in them.  It’s annoying to me that the scanner does not know the difference between macro code and formatted text.  It has been bad enough that Back Orifice source code has been considered a virus.  Not many users I know compile virus source code to infect themselves (though I am sure you know some who would; so do I).

The reason for the aggressiveness is the desire to improve hit percentage without improving the technology.  Creating new technologies to address shortcomings in detection engines is significantly more expensive than hiring more people to write signatures.  This is true both for AV and for IDS/IPS.  I am sure that there are signatures that alert anytime someone reads one of my blogs with code in it.  But this has to do with a lack of context knowledge in the engine, not that the content is malicious.
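To make the "lack of context" point concrete, here is an added example (not code from the original post): a naive scanner that alerts on a signature string anywhere in a page, beside a scanner that only alerts when the match sits inside a `<script>` element a browser would actually execute. The signature, the blog page and the landing page are all constructed placeholders, not real AV signatures or real exploit-kit content.

```python
from html.parser import HTMLParser

# Constructed stand-in for a signature string; not a real AV or EK pattern.
SIGNATURE = 'document.write(unescape("'


def naive_scan(page: str) -> bool:
    """Plain string match: no idea whether the match could ever execute."""
    return SIGNATURE in page


class ScriptContextScanner(HTMLParser):
    """Counts signature hits inside <script> (executable) vs. elsewhere (displayed)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &lt; becomes < in handle_data
        self.in_script = False
        self.executable_hits = 0
        self.displayed_hits = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if SIGNATURE in data:
            if self.in_script:
                self.executable_hits += 1   # a browser would run this
            else:
                self.displayed_hits += 1    # rendered as text, e.g. inside <pre>


def context_scan(page: str) -> dict:
    """Return how many hits are executable and how many are merely displayed."""
    parser = ScriptContextScanner()
    parser.feed(page)
    parser.close()
    return {"executable": parser.executable_hits, "displayed": parser.displayed_hits}


# Constructed blog page: the sample is HTML-escaped inside <pre>, so it only renders.
BLOG_POST = ('<html><body><p>Sample from the landing page:</p>'
             '<pre>&lt;script&gt;document.write(unescape("%3C..."));&lt;/script&gt;</pre>'
             '</body></html>')
# Constructed landing page: the same text as a live <script> element.
LANDING_PAGE = ('<html><body><script>document.write(unescape("%3C..."));</script>'
                '</body></html>')
```

The naive scanner flags both pages identically, while the context-aware one reports the blog copy as displayed-only and the landing page as executable.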

So, why do I post code and not images, and why do I post bad code at all?  Sometimes I do post the image, especially when it is hard to format. But I feel that posting code allows people to search for examples, and also to cut and paste to their delight.  How are we as a community going to learn if we do not communicate?

AV Performance

