Question: Do you configure your antivirus product?
Please answer here on Facebook: http://on.fb.me/lBFoFD
Everybody knows about this acquisition.
Now, why does Intel (a chip producer) need a software security company?
There are some possible reasons:
1. To enter a multi-billion market which needs fresh ideas and technologies
2. To produce better security software which makes use of their multi-core processors
3. Both
4. Add AV in the CPU (or on the board) directly (with some help from the “cloud”)
5. Create an AntiVirus chip -> move from software to hardware (which they know better)
Of course, I vote for 3… Both.
But 4 isn’t so bad either.
Why ?
Well, because there is the so-called “Moore’s Law”. And Intel is preparing for the point when it stops being valid.
So, if they can’t produce better hardware, they had better adapt the software that runs on it so that it works much, much better.
Intel is already a major player in the software industry. They produce a lot of good software, ranging from drivers and software for their hardware to compilers, code analyzers and integrated development environments.
So, what the AV world is missing is software that runs optimized on those cores. We all try to implement our code in such a way that it uses those cores, but many things in AV can only be done in one thread. Or… maybe I’m wrong…
4. To build AV protection into the CPU directly…
This is not new, but I also haven’t seen anything which runs correctly and is integrated into the motherboard or similar.
5. AntiVirus Chip … now that would really be something.
Practically, you would never have to install an AV again. Uhhhh… Ugly thought.
We’ll see what the future brings us.
Quote from the Techblog:
“Amazing! Avira’s free antivirus solution, Avira AntiVir Personal, available at our www.FreeAV.com web site, is now getting 10 years old! For ten years, we added an additional security layer around companies by protecting the employees’ personal computers from malware infections for free.
The free version always offered the latest antivirus techniques available, and the best detection rates and superb protection due to heuristic detections. For us that is a good reason to celebrate. For ten days our present to our customers is an additional runtime of 10 months if you buy a usual 1-year license of our premium products or the small business suite.
Happy birthday, FreeAV!”
Avira is the first choice in PC World’s top free antivirus products:
http://www.pcworld.com/article/170674/free_antivirus_software.html
I received a nice email with a very good question from Mehdy Mohajery. It is not the first time I am asked the same question.
This time I am documenting the answer I always give.
Question:
I saw your profile on linkedin.com just tonight, and I noticed that you are a specialist in both p2p systems and designing security systems. That encouraged me to ask you a question.
As you know, nowadays a lot of viruses are being distributed via p2p networks like KAD & EDonkey. If an anti virus vendor like avira could provide a plug-in for a major p2p client (emule) to detect viruses before downloading by their FileID (MD4 Hash), then a major part of virus traffic on p2p networks could be eliminated. So why does nobody in the security industry seem to care about securing p2p networks with this method? Should I download every piece of scrap to know if it’s infected? I would like to know your opinion about this.
Dear Mehdy Mohajery,
There are several reasons why nobody adds an AV for the P2P programs:
1. Having in mind the “free of charge” nature of the P2P networks, nobody will pay for an antivirus program.
And do not forget how many users are out there… The bandwidth required for such a service would be immense.
For a security company, the trouble just doesn’t pay off.
2. Checking the checksum of the file will not help you very much.
These days we see between 30 and 200 new malware samples each day (including variants).
In a P2P network, you do not usually have the malware (virus, trojan, etc.) downloaded as a simple file. It usually comes in an archive or otherwise disguised.
To be able to reliably use a blacklist of checksums, you need to have the malware in the “clear” (reliably = with a very good detection rate).
Of course, it would be possible to blacklist any checksum, but who would submit the files?
This brings us back to the users. Let’s assume that we have an online service where users can blacklist any checksum.
How do we check this? Should we rely on good will and trust? Of course NOT.
So, we need a reputation algorithm. But, in order for such an algorithm to function, we need to have somebody whose reputation is beyond doubt.
Somebody like an AV producer. This entity must say with 100% certainty whether the file is infected or not. Anybody who votes the contrary automatically gets a bad reputation.
Let’s assume that somebody can say with 100% precision whether a file is malware or not. In reality this is not true.
But having a central authority is contrary to the whole idea of P2P. So, this cannot work by definition.
The alternative is to rely again on users. They should vote against each other. The majority wins.
This is how the reputation should be created and maintained. There are many algorithms out there which can deal with several methods of trust assignment.
Conclusion:
- we need a distributed checksum blacklist where anybody can submit any file with the tag “malware” or “not malware” and the degree of probability that the statement is true.
- we need an algorithm to calculate the reputation of a user and update the probability that a file is malware or not.
Not an easy task… to be done for free.
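To make the two conclusions concrete, here is a small model of such a distributed checksum blacklist. It is an added example, not code from the post or from any vendor: checksums, user names and the anchor “avira” are constructed, the reputation update rule (agreement earns a step, contradicting an anchor zeroes reputation, contradicting the majority costs a confidence-scaled step) is one simple choice among the many trust-assignment algorithms the text mentions, and the 0.5 starting reputation is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Vote:
    user: str          # who submitted the tag
    malware: bool      # the tag: True = "malware", False = "not malware"
    confidence: float  # 0..1, the degree of probability the submitter claims

class ChecksumBlacklist:
    """Checksum -> reputation-weighted malware probability (constructed model, not a real product)."""
    def __init__(self, anchors=(), initial_reputation=0.5, step=0.1):
        self.anchors = set(anchors)                # e.g. an AV vendor whose verdict is beyond doubt
        self.reputation = defaultdict(lambda: initial_reputation)  # assumed 0.5 for unknown users
        self.votes = defaultdict(list)             # checksum -> [Vote, ...]
        self.step = step

    def weight(self, vote):
        base = 1.0 if vote.user in self.anchors else self.reputation[vote.user]  # anchors count fully
        return base * vote.confidence              # everyone else by reputation, scaled by confidence

    def submit(self, checksum, vote):
        self.votes[checksum].append(vote)

    def malware_probability(self, checksum):
        """Weighted share of 'malware' votes; 0.5 when nothing is known about the checksum."""
        votes = self.votes.get(checksum, [])
        total = sum(self.weight(v) for v in votes)
        return sum(self.weight(v) for v in votes if v.malware) / total if total else 0.5

    def update_reputations(self, checksum):
        """Settle a checksum (anchor verdict if present, else weighted majority) and adjust voters."""
        votes = self.votes.get(checksum, [])
        anchor_votes = [v for v in votes if v.user in self.anchors]
        if anchor_votes:
            consensus = anchor_votes[0].malware
        else:
            p = self.malware_probability(checksum)
            if p == 0.5:
                return None                        # tie or no votes: nothing to learn yet
            consensus = p > 0.5
        for v in votes:
            if v.user in self.anchors:
                continue
            rep = self.reputation[v.user]
            if v.malware == consensus:
                rep = min(1.0, rep + self.step * v.confidence)
            else:                                  # contradicting an anchor is fatal, a majority is not
                rep = 0.0 if anchor_votes else max(0.0, rep - self.step * v.confidence)
            self.reputation[v.user] = rep
        return consensus
```

Note that a voter with zero reputation still gets counted, only with zero weight, so the blacklist degrades gracefully instead of having to ban anyone.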
3. The files are downloaded in chunks from multiple sources.
Usually, AV programs can scan files only when they are complete. So, scanning is possible only at the end of the download.
This means one has to download the file completely and only then can scan it, which brings no benefit to the user (as far as download size is concerned).
4. If you have an AV with an On-Access scanner, it will scan the file after it is completely downloaded.
Of course, this depends a lot on the scanning settings of your product. Usually, no On-Access scanner will scan archives by default because it is very time-consuming.
5. If you have an AV installed, it must also have an On-Demand scanner. After the file is downloaded, you can safely scan it before you unpack it or use it on your computer.
This is what comes to mind right now when I think about an antivirus for P2P programs.
As you see, no commercial company will invest so many resources (manpower, hardware, bandwidth -> money) in a business model which doesn’t have many chances to work.