I’ve been reading a blog- specifically, Addressof.
I could ramble on for hours about various things he has said- but it would be just nitpicks about things. Anyway, this post, or more precisely, some of the comments, attracted my attention.
As with most people, when Vista was first released/announced, I was skeptical. Perhaps it was the rather high system requirements compared to XP, or, far more likely, the fact that I was running a 350MHz K6-2 at the time that didn’t have a hope in hell of running it, but I hated it. In truth, I also hated Windows XP before I used/ran it.
I’ve used Vista on my main machine for quite some time now, and I didn’t realize how “used to” it I had become, until I went to do something in an XP Virtual Machine, and, without thinking, I pressed the Windows Key and typed a few letters, before I realized I was running XP. For a few moments I was completely disillusioned, and even said (out loud) how the hell did I do this before the search bar?
I finally remembered that I had to literally dig down through either the start menu All Programs folder or actually get to the document or file manually through Windows Explorer.
I start nearly every program with the search bar, actually, except for those whose starting actions have become ingrained in my mind (cmd prompt used to be in that category, but I had to change it in order to run as administrator if that is necessary).
It’s really an amazing feature that is bashed way too often. In fact I recently discovered yet another use for it- the Search bar in Windows Explorer that until today I had largely ignored. I was looking for something… and simply typed part of the name in the search bar (after changing to the drive and folder) and poof- there it was. Search completed. It almost felt wrong to not have to drop to the cmd shell to perform some dir /b | find “whatever” commands.
Which translates, I suppose- to “the shell was doing its job”.
As Far as AV programs go, I haven’t had one installed for quite a long time.
The very reason I don’t use an AV solution myself is simply because of the “reverse pigeonhole principle” — they all do something different, and there is always something that will get through — for those “holes” the best defense is simply a knowledgeable user. The only way to be truly protected would be to have multiple Anti-Virus products installed, whereby one AV’s “Pigeonhole” is covered by another, and vice versa. This of course doesn’t work, since the AV products simply stomp on each other for everything else.
I might also point out that the very premise of AV comparing is somewhat flawed- all it tests is the AV vendor’s ability to update their virus database as well as the flexibility of that database to describe new viruses; the fact is, once a virus is detected by most major AV products, it’s no longer a “threat”. The reason any virus becomes prevalent is simply because the AV products don’t detect it.
An AV program works rather simply; whether it is “on-demand” (in the now prevalent sense of the word meaning the user is starting it, rather than the traditional sense where it is run when there is a demand for scanning (ie. opening a file), but I digress) or in the background, an AV scans a file in a rather simple manner.
First, of course, it opens the file. Now, this is where a problem can already arise. What if another process has it open? What about security restrictions? I’m sure we’ve all encountered the “the file is in use” dialogs when deleting or moving a file. Even with the most basic of settings, such as simply reading the file, a virus can easily mess about with the ACL of a file it creates to prevent anybody from reading the file at all, while still allowing the file to be executed, thereby nullifying the whole goal of the AV product.
Of course, now most AVs have a kernel mode driver that forces a “dismount” of sorts on the file- that is, closing every open handle to the file. The problem here is of course two-fold: first, it doesn’t actually change the ACL of the file- if the ACL was set to Read and no execute, then the AV still will not be able to read it, and second, it can cause difficult to diagnose errors in other applications when their file handles are suddenly invalid.
Now, in order to combat the first issue, AV products often place their detection logic in kernel mode, where it has complete access to anything, including the ability to change file permissions (I think it can be done in user-mode, too, but I’m not sure); either way, a lot of AVs have their detection logic in kernel mode.
Now, this appears to solve the problem, but really, it introduces a far larger, and more malevolent one. Recall of course that an AV program scans files by essentially reading the file and comparing it using various heuristics to the signatures in its database. This is sensible. However, when running in kernel mode- any crash will give the user a blue-screen- and since the AV is dealing with potentially malevolent code in the form of data, a virus writer could use all sorts of tricks to force the AV to crash for any number of reasons.
On the other hand, what crashes one AV will probably not crash another- therefore the whole “reverse pigeonhole” concept rears its head once again. In fact, it is this very principle that makes AVs as effective as they are; a malware writer is not going to, for example, write pages of extra code just to circumvent detection on some rather unpopular virus program- it’s not worth the effort.
The main problem with the very concept of software based malware detection is just that- it’s software based. Software is of course designed to make well-defined tasks easier, but defining what is and is not malware is a very difficult thing to do. Consider for a moment what would happen if our standard court judges were replaced by software of some form, and you have an idea what I mean. Basically, it’s a problem set that is only partially incalculable. No AV product can filter out the “criminal” code from the not-guilty, for the same reasons a software based implementation of a judge or jury wouldn’t work- it’s a defined ruleset.
A Jury/Judge obviously runs through the same sort of logic when faced with deciding whether an alleged criminal is guilty, or innocent of a crime. However, it’s important to note that when dealing with the “big time” offenses, the decision is not made by a single person, but by a group of people- in a sense, a group of “criminal detectors” whose various life experiences and intelligence combine to, ideally, properly determine the guilt or non-guilt of an offender.
Perhaps an “ideal AV” would follow the same set of rules- rather than using a single set of rules and heuristics, run the possibly malicious code through a number of tests by various companies. Of course, this implementation has a number of huge problems which are why it hasn’t been implemented in the first place. The first issue is of course company co-operation- why put in for a slice of pizza when you can go for the whole box? Another, and perhaps even more derisive issue with this method is simply the time it would take to do so- jurors, for example, often take days to come to a verdict, and in some cases will even get hung, at which point it might become a ranking system for an AV system of the same form- which brings us right back to AV rankings and where we started to begin with. Additionally, with on-demand scanning, even with the additional speed of a computer a “judgement” will not be made in a reasonable amount of time.
Which brings us to the real reason AV programs are not as effective as they could be- it’s simple- Performance. It has been noted on several occasions that the later versions of an Anti-Virus are often more “bloated” and “slower” than previous versions. UI changes aside, this is often the case for good reason. As the par for the course of computer hardware moves up, the speed with which an AV has to work does as well. Most AV vendors take advantage of this extra speed- often unwittingly, as their application may simply not be tested on older hardware at all.
The fact is, a “perfect AV” is not something that can ever exist. And even the term “definitive best” is rather uncongenial; I mean, the very fact is a metric cannot be suitably established to determine with any amount of granularity when one AV is better than another- if one AV has a bigger database, for example, it’s rather meaningless for several reasons- for example, many AV databases include signatures for all sorts of ancient and long annihilated viruses like “Stoned” and “Michelangelo”. This is analogous to inoculating children, not for diseases they can get, but rather things like Smallpox or Polio or the Black Death or Cholera; which, while not completely eradicated, can generally be easily treated if contracted (or in some cases, the antibodies are given to them by their mothers anyway). So, while AV A has a larger database than AV B, AV B having an “inoculation” for the latest “supervirus” is going to do a whole lot more for them than having “inoculations” for otherwise eliminated viruses.
Adding to the confusion is of course the concept of heuristic detection- since all AVs use a different algorithm, they can of course come up with widely varying “diagnoses” on any number of infected (or even benign or nonexistent) viruses. Add to this the fact that analyzing code paths and branches and trying to use this to determine whether a file is “good” or “bad” on a boolean scale is rather optimistic; any number of applications, for example, access Software\Microsoft\Windows\CurrentVersion\Run and related keys, and yet there was a time where all applications accessing this key were labelled as keyloggers- the rule was apparently that any file containing that string was malware, and additionally a very specific form of malware, which amounts to nothing more than a shot in the dark. (This was McAfee some number of years ago, btw.) To make things worse the fix was simple- I simply reversed the string. If I can reverse a string and turn an evil keylogger into a harmless program according to an otherwise popular AV program, then the malware writers who create the very thing the detection is supposed to find can do so as well, creating an essentially useless database entry that only serves to add to their little spiky bubble on their product box/advertisements.
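To make the “shot in the dark” point concrete, here is an added toy signature scanner (not code from the blog or from any AV vendor) that applies a rule of the kind described above, “contains the Run key string, therefore keylogger”, to a few constructed byte blobs standing in for scanned files. The sample contents and their true labels are assumptions made up for the demo; the scanner shows that the rule produces a false positive on a legitimate autostart installer, misses the trivially reversed form, and that a vendor-style quick fix for the reversed form still leaves the false positive, because the rule measures the presence of a string, not behaviour.

```python
"""Toy signature scanner: why a single-string rule is a shot in the dark.

Added example, not from the original post. All "files" below are constructed
byte blobs with assumed labels; nothing here is a real program or a real rule
from any AV vendor.
"""

RUN_KEY = rb"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed samples: name -> (bytes standing in for a scanned file, assumed true label)
SAMPLES = {
    # A legitimate installer that registers itself to start at logon.
    "benign_installer": (
        b"setup.exe: add autostart entry under " + RUN_KEY + b"\x00",
        "benign",
    ),
    # An unwanted program that stores the key reversed, as the post describes.
    "reversed_variant": (b"\x00" + RUN_KEY[::-1] + b"\x00", "malware"),
    # A utility that never touches the key at all.
    "unrelated_tool": (b"hello world utility, no autostart", "benign"),
}


def naive_rule(data: bytes) -> bool:
    """The rule the post complains about: 'contains the Run key' == keylogger."""
    return RUN_KEY in data


def patched_rule(data: bytes) -> bool:
    """A quick fix of the kind a vendor might ship: also match the reversed and
    mixed-case forms. It now catches the reversed sample, but the benign
    installer is still flagged, because the rule still asks 'is this string
    present?' rather than 'does this file behave like a keylogger?'."""
    lowered = data.lower()
    return RUN_KEY.lower() in lowered or RUN_KEY[::-1].lower() in lowered


def evaluate(rule, samples=SAMPLES):
    """Run a rule over the samples; return (false_positives, false_negatives)
    as lists of sample names, judged against the assumed labels."""
    false_positives, false_negatives = [], []
    for name, (data, label) in samples.items():
        verdict = rule(data)
        if verdict and label == "benign":
            false_positives.append(name)
        if not verdict and label == "malware":
            false_negatives.append(name)
    return false_positives, false_negatives


if __name__ == "__main__":
    for rule in (naive_rule, patched_rule):
        fps, fns = evaluate(rule)
        print(f"{rule.__name__}: false positives={fps}, false negatives={fns}")
```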
Returning to the main issue of AV detection- speed.
Now, from what I can tell- the rules of AV detection are pretty much this- you can either have speed or you can have accuracy. I’m sure with 24 hours to think about it an AV heuristic algorithm could determine with nearly 100% certainty whether a given file is a virus, even for those sneaky viruses that haven’t been discovered. But people want to use their computer, not watch the hourglass for hours after every file access, so AV vendors have to compromise.
In all honesty, I think many of them have done a bloody fine job of compromise; there is of course a performance hit on every file access, simply because there is extra code running, but the AV vendors have largely made it something that is short enough that it isn’t even noticeable, which is rather amazing. Now, of course, it is because of this need for speed that any AV program has holes. It’s not because they
The very reason I don’t use an AV is simply because it gives you a false sense of total security; you think, well, there’s only this little tiny hole in my shield… but meh, nobody has a sword small enough to fit through. The problem is of course that you are eventually going to meet somebody using a foil and then you’re screwed. This “eventually” factor is also important. A user who uses their PC maybe an hour a day is far less likely to meet the virus with a foil than the user who doesn’t, in the same way a person who downloads a good number of files is far more likely to install a trojan by accident than somebody who only looks at recipes online.
Lastly- it doesn’t matter HOW effective an AV is if the user doesn’t care. A user, regardless of their AV, needs to be informed of some basic “rules of the internet”; you cannot just slap on some so-called “definitive best AV” and assume they will be fine- they need to have some basic education. So- any “definitive best” AV will have as part of it the user- and since the user is part of the formula, the variable that results when you solve the “equation” may bring out a different AV as the “best” for different people.
Myself- when I want to judge a User interface blindly- I just imagine my mother using it. Now, some of you may be under the impression that my mother is probably some sort of Cobol goddess or something. The truth is, in fact, that she can’t even use a mouse… (actually, wait, that would fit the Cobol Goddess theme.. .dammit). Anyway- she fits the profile of a total newbie to computers and the internet in general. For example, Firefox is not firefox, but rather her “facepage” and of course she cannot and will not connect her camera to any computer, because the moment you connect it to a PC every single picture is put onto a web page (regardless of what I, somebody who knows what they are talking about for the most part, says).
Since the User is such a critical component of the equation, it’s important to factor in the User interface of the Anti-Virus solution that they are coupled with. In my experience, AV programs often make “alerts” regarding viruses scary and full of technical jargon, often with cute little pictures of viruses.
They do this when the program updates as well. When my Mother was using my brother’s computer, the AV updated; and displayed its little “update” dialog. The dialog included the VERY SAME “scary” virus image (this was ages ago, with AVG) that is shown when a virus was detected. She was terrified that she somehow got a virus onto his computer or something. Not to mention the very hopelessness the image sent- she was even saying “I hope I didn’t infect it, we can’t afford to buy him another one” and other such talk. While one can simply say this is simply user newness to the entire computer scene, it’s important to realize that AV programs are not simply marketed to the technical elite, they are also marketed towards people who have never used computers before and therefore really have no idea what an Anti-virus program does or how it works- all they know is that they “need” one because everybody says they do.
This isn’t to say that they don’t, of course. Really, I’m pointing out that simply saying for them to use “X program” as their AV solution is more software evangelism than it is a proper recommendation, simply on the grounds that the AV and the user are both part of the package; they need to work together. If the user is scared of the user interface presented, they may simply click the “X” button (which, in the case of that version of AVG, was for some reason mapped to “ignore”) so even though AVG was detecting the viruses, nothing was being done to them simply because of the user.
To summarize- the user is part of the AV, in a sense that without a well-informed user, an AV simply may not be able to do its job of eliminating and preventing virus infections. It is pertinent to educate users about viruses, and malware in general as well as how an AV works in order for it to be fully effective.
And yes, there are a number of users who could care less about how a PC works, or whatever, and consider it a tool. Well I think they’re full of it.
First off, not all tools are intuitive. You don’t grab a belt sander and instantly know how to use it and the various types of sandpaper and their ideal uses- you learn those things. Even a simple hammer has a learning curve where you gradually reduce the frequency of a smashed thumb. The people who think that a “tool” shouldn’t require any sort of education are the same people who think they can dry off their cats in the microwave.
For the last little while, people with fewer brain cells than a Pygmy chimpanzee’s middle finger have been going on and on about how the “world will end in 2012”. Well, I have a little story for you all-
It’s set in the year 2098.
Archaeologists (or, as they will be called then, digger men) will be using their dirt shovers (what we now call a shovel) and come upon a beige box.
Experts will be baffled! They released the following information on what they believe the object to be and what it was for.
Professor Jeffson has a theory- he believes that the object was used for storing, and retrieving personal data. the logo “IBM” was an insignia of a long dead religion that dedicated themselves to getting down to business with machines.
Professor Ytterby, on the other hand, has a different theory- he concludes that the device was used for predicting the lunar cycles of the moon, and by using the alphabetic input device, it could predict when people would die. Later, and to the amazement and grief of a large crowd, he powered on the machine and entered the following data at the prompt:
Current Date is Tue 01-01-80
Enter New Date: (mm-dd-yy): 01-01-2100
What he didn’t realize was that what he would reveal with one keystroke was more than any man should ever know.
Current Date is Tue 01-01-80
Enter New Date: (mm-dd-yy): 01-01-2100
Invalid Date
Enter New Date: (mm-dd-yy):
Invalid date?
The professor came to the only logical conclusion- the universe was going to end on the year 2100. The ancient Americans knew of this day, using their advanced vision boxes called “televisions” they were able to see into other people lives, and steal their thoughts. It was also believed that they referred to spoons as “face trowels” and would often purposely do something and loudly exclaim “did I DO THAT?” in a nasally whine that would make Cyndi Lauper blush.
This news spread like wildfire (literally, in fact, as the entire backbone of the internet will be based on the spread of wildfires) Threads such as the following:
THEY ALSO FOUND A WATCH AT A MORMON BURIAL GROUND, IT WAS STOPPED ON 7/28/1973 AT EXACTLY 11:03:55 PM! YOU DUMS KNOW WHAT THIS MEANS?
First: release caps lock. I’m sick of telling you over and over and over again to type normally. It doesn’t make you look smarter. Remember that thread where you argued that the shape was easier to read and I shot you down with 5 case studies by reputable organizations? Yeah, that was sort of a hint that you don’t know what you’re talking about.
Any way- I think that could mean:
That they had really bad watches?
There really were no golden plates?
They were grave robbers?
Come on! Tell us.
The watch stopped at the exact time equivalent to 01/01/2100 divided by the constant e Couldn’t it be more obvious?
It could have been more obvious. You could have said that to begin with instead of trying to build up suspense. And you generally use caps to break the suspense, not build up to it. And I don’t care what you think of caps, it’s called “proper grammar” dumbass.
Anyway, the fact that the time stopped at that particular point is pretty circumstantial. That would be like saying that my great great aunt Martha had 5 toes and ate meatloaf every Tuesday so she must have been a good square dancer. I’ll have you know she became a good square dancer through dogged training and a strong resolve, not simply by having the standard number of toes and eating meatloaf made from an unspecified animal.
It’s a corollary to Godwin’s law: all threads involving BC and BOobrat will devolve into a pointless flamewar about either use of capitalization or whether a mouse with a large boob is in fact a rat.
And trust me- It just goes downhill from there.
Anyway, in a mildly serious manner- I find it even more disturbing that devout Christians are even giving this a second thought. They were rather barbaric by modern standards, sacrificed virgins and car salesmen, believed in multiple “spirits” (gods) and yet, despite their evident paganism and complete lack of “knowing the true path” (as a missionary might put it), most of them seem to think of it as somehow credible. Although, I suppose it’s perfectly possible they created a giant telescope and were able to see a large comet heading straight towards us, possibly by using a number of butler monkeys to love about the various mechanical bits they had…. actually, wait a moment, I don’t even think the Mayans had the wheel.
This is almost understandable for Catholics, since their church really is just a government- like the many other times the apocalypse was predicted and they told all their loyal followers “well, you may as well donate all your worldly possessions to the church” and so many people did… and then after, when nothing happened, people would go back “oh, hey, err… I sorta need that stuff I donated back”, and the church would inevitably make up some excuse involving poncho size measurements. Actually, that gives me an idea. People! This is a great opportunity! Instead of responding to such claims that “the world is going to end”, get them to give you all their stuff.
Yes people, that is the new low we’ve all stooped to. Now we have people believing prophecies from an “advanced” civilization that couldn’t even figure out the wheel. I imagine it follows that they didn’t have gears either… And you can only throw so many butler monkeys at a problem before the shit hits the fan… pun not intended, of course, being that a fan would require understanding of at least some sort of rotary motion. Besides, most of their butler monkeys were probably building their goofy pyramids that they built for sacrifices as well as for housing their valuable collection of first-edition Pokemon cards. It’s another little known fact that the reason they were rather frightened of the Spanish was not because of their muskets, but rather because of the shape of their ammo. You see, as I mentioned, the wheel, and therefore any elliptical shape, was somewhat of an enigma to them. This is quite clear in that all their sculptures give faces square features (or maybe they really had square heads, I don’t know). For a while they fought bravely, but then they managed to capture a Spanish car salesman (who was trying to sell them a Jetta). When investigating his sales-musket, they discovered, to their horror- spherical ammunition. Their best scientists immediately went to work by testing them. They discovered that they rolled easily, and therefore must originate from the dimension of the doomed (a dimension which was later featured in Quake). They responded in force by sacrificing a low financing rate for their Jetta in exchange for some information from the salesman, which proved fruitless since nobody’s universal translator was working at the time.