Tuesday, May 06, 2008

the anti-av revolt

i briefly made reference before to a growing anti-av revolt... that is, the customer base for the anti-virus/anti-malware industry rebelling against the industry out of some perceived wrong-ness in it... i'm sure you've probably heard of people who swore off anti-virus years ago, and likewise readers of this blog probably recall more overt manifestations of this revolt such as the "anti-virus is dead" campaign or, more topically, the "race to zero" contest...

usually it's been technically possible to write off individual av detractors as uninformed cranks, but their numbers are growing and their pool of influence is increasing... bruce schneier crying conspiracy when f-secure attempted responsible disclosure with sony was just the tip of the iceberg... now there are a variety of security experts lending their voices to an escalating sequence of expressions of dissatisfaction with the anti-malware industry...

and it's not even like they don't have just cause to be dissatisfied - they do... vendors have let their marketroids run amok for decades, building false expectations of protection in the customer base that are so ingrained we may never be able to undo them, and then predictably failing to live up to those unreasonable expectations...

on the other hand, however, the marketing folks were just telling people what they wanted to hear... there's a school of thought that says if a marketing person isn't showing you a rose-coloured-glasses version of the world then they aren't doing their job - anything less and they hurt their own company by admitting the product/service isn't the best thing since sliced bread... that's generally not a good idea in a competitive market as your competitors will capitalize on that as a display of weakness...

furthermore, there's no good reason for people to actually believe the marketing... a real life whopper doesn't look as perfect and juicy as the one on tv, beer doesn't come with a bevy of buxom beauties all playfully vying for your attention, and cars can't leap over traffic to get you where you're going faster and with a funky soundtrack... we've all learned these things through our real-life experiences and we should have also learned that anti-virus software cannot provide complete protection so why are people getting so bent out of shape over the inevitable failures?...

it really doesn't make a lot of sense but that's the irrationality of the human element for you... unfortunately i don't think it's good enough to just observe the fact and then go on about your day like it was business as usual - not if (as i suggest) the problem really is escalating...

this may be hard for most to believe but there's actually been a long history of cooperation between competing companies at the more technical levels... this hasn't held true for marketing however; these are businesses after all, they need to make money and generally that's at the expense of their competitors... on a technical level, anti-malware vendors have always had a common enemy - the malware writers - but on a marketing level their opponents have always been each other... now the various marketing departments have a common foe as well (the anti-av movement), but it remains to be seen if they'll recognize their common interests and start working together as the analysts/researchers have...

the industry needs to get serious about image management... they have to start working to repair the damage their marketing departments have done to the public's perception of both the technology and the industry... that means not selling snake-oil in order to pander to unreasonable desires for complete protection (mcafee total protection)... that means putting your creative new technologies into your existing products instead of using them as creative new ways to bilk more money out of customers and thereby reinforcing the image of av as blood sucking parasites (norton anti-bot)... and that definitely means not saying asinine things like the malware problem is solved...

it also means marketing something other than scanners... it's all the vast majority of the public knows and it's all anyone seems to think the industry produces... it's like they've been going to the same grocery store for years but only ever went down this one particular aisle, they're barely aware the rest of the store exists and they're getting fed up with what they're finding in that one aisle... they need to be made aware that scanning alone isn't enough (something the more technical members of the industry have freely admitted in public forums for a decade or more) and that the vendors have other technologies available besides just scanners...

much of the av industry is at the mercy of the big 2-3 av companies, unfortunately... it is those companies that have the most influence over how people perceive av but it is also those that would suffer the least by the destabilizing effects of their own PR gone awry... those with the most capability to do something positive have the least motivation to shape up, and if they just keep on keeping on then the public's perception is unlikely to change and the anti-av revolt will continue to grow...

8 comments:

Anonymous said...

>why are people getting so bent out
>of shape over the inevitable
>failures?

'cause they see that such failures are waaaaaaaaaaaaay more frequent now compared to 3-5 years ago.

Easy, huh?

kurt wismer said...

the failures are more frequent because at any given moment there's more unknown malware now than there was 3-5 years ago... and 3-5 years ago there was more unknown malware than there was 3-5 years before that, and so on and so on...

you expect a higher failure rate when you have a higher exposure rate... at least you do when you engage your brain...

the failures have always been there, the growth in the failure rate has always been there, and technologies that don't fail under the same circumstances that scanners do have more or less always been there... i suggest the people getting bent out of shape wake up and smell the coffee...

Anonymous said...

Great to hear some reasoned response to the 'anti-av' ranting that comes from some quarters. A thing that our detractors (I'll declare upfront I work for an AV vendor, so am likely to have a bias) often forget is that the anti-malware game is not an equal sum. It's not possible to detect everything, not only because of the halting problem, but also because _the attackers have our products_ before we have theirs. We can make it really difficult, we can respond, and we can (and do) develop increasingly sophisticated detection and mitigation methods, but security is not guaranteed by any method. You can't switch off your common-sense or vigilance when you switch on your computer.

There is a reasonable risk of me being shot in the head as I walk through the streets of my city (one of the higher gun crime areas in the UK), and while I can take many precautions to prevent that (including not deliberately going to areas that increase the risk), the risk is still there. In similar vein, what _YOU_ do on your computer (rather than what your security products do) has the greatest effect on whether or not you will be secure. AV and other security products will help you reduce risk, and will measurably increase your security, but they are not a substitute for safe hex, nor are they bulletproof. Indeed, even a bulletproof vest isn't much help if you get shot in the face.

kurt wismer said...

@andrew lee:
"but also because _the attackers have our products_ before we have theirs."

very true... that's an asymmetry common to most attack vs. defense scenarios... the defender generally doesn't know how a future attack will unfold and so will be at a disadvantage...

of course after the malware is released (the attack has been performed) the malware then switches into the defense role and is at a disadvantage for not knowing how anti-malware will attack it in the future...

the only way to take away the attacker's advantage is for the defender to force the attacker to attack on the defender's terms... that's not as straightforward for the malware domain as it was for conventional warfare back in sun tzu's time, though...

Anonymous said...

>and 3-5 years ago there was more
>unknown malware than there was 3-5
>years before that,

Exactly!!!

But this PROVES the point of AV detractors: blacklisting AV's usefulness was always shrinking and now shrunk all the way to "AV revolt" levels.

Indeed, that is the only thing the "AV is dead" crowd is saying: AV was great 6-8 years ago, OK 3-5 years ago and not-so-good today BECAUSE the risks of unknown malware were lower before...

So, blacklisting AV IS dead then.

kurt wismer said...

@anonymous:

blacklists are no more dead than any other preventative technology...

you do realize that at any given moment the vast majority of malware is known, right?

the chances of running into something that isn't known have increased but that doesn't mean blacklists are dead, it means something much more obvious - blacklists aren't a panacea... blacklists alone aren't good enough... they never were good enough, they were always meant to be used with other more generic techniques...

Anonymous said...

One of the biggest problems, it seems to me, (speaking as a total non-expert) is that the "average user" actually doesn't want to know. Most of the folk I know have some concerns about the possibility of theft via software, almost all of them want to abrogate responsibility for that concern to "the best that company X can offer.." (read Norton360.)
Start talking behaviour blockers or sandboxing to them, they think you're from another planet.
Kind of proves your point about marketing...

kurt wismer said...

@tarq57:

not wanting to know, not caring enough to try to learn more or even keep what one already knows in mind is certainly a barrier, but it's not the only one...

i would say probably a lot of those don't care enough because they're coming from a misconceived starting point... their idea of how things are is warped so that one doesn't just have to fight the average person's laziness, one has to fight what the average person thinks s/he already knows...

there needs to be a change in how people perceive the way things are in order to break down the resistance against knowing about things like behaviour blockers...