ThreatFire Research Blog Home
 
 

Better Behavioral Detection

Talented and well-connected cyberthreat analyst Dancho Danchev has posted an interview with researcher Thierry Zoller of n.runs AG, the group that recently published a paper on 800 vulnerabilities in AV products. The interview gave Thierry a chance to discuss his thoughts on McAfee’s response to the vulnerability findings.
Keep in mind that I may be a bit biased, since I think ThreatFire is one of the best behavior-based products out there. Here is my favorite part of the interview:

“Dancho: Isn’t the single most important vulnerability found in antivirus software during the last couple of years the easy-to-bypass signature-based scanning approach, and the product-concept myopia of spending years of research into heuristics where the same amount of resources should probably have been spent on behavioral detection solutions?

Thierry: From a larger viewpoint, concentrating on the functional aspect of AV software, you are absolutely correct. The “problem” with behavioral detection is this one: they need fewer updates, and updates are what keep the AV business model rolling. If this had not been the case, I am sure we would have a lot better behavioral and overall detection nowadays. It’s ridiculous how easy it is to bypass heuristics.”

Great reading.

This entry was posted on Wednesday, July 23rd, 2008 at 1:04 pm and is filed under AntiMalware Solutions, Evasion technique.

3 Responses to “Better Behavioral Detection”

  1. hapbt says:
    July 24, 2008 at 9:51 am

    As a sysadmin I’m really curious about which vendors were the most responsive and had the most transparent security processes. I understand they probably left that out of their data to keep the issue of bias out, but just seeing who had the most vulnerabilities really didn’t tell me which vendor is the best/worst.
    Someone has a ton of vulnerabilities, say Symantec, but maybe it’s because their software has many more subsystems and provides more options, etc., and maybe they are way more responsive to feedback (maybe not). They might still be a better vendor than AVG even though AVG has fewer known holes. Maybe not.
    I think the biggest thing to come out of this is further proof that McAfee as a corporation has a bad attitude towards security, and you should think twice about trusting their products when they would rather use PR than programming to fix their software.

  2. hapbt says:
    July 24, 2008 at 9:53 am

    BTW, I would really, really be interested to hear your personal opinions on various A/V vendors.

  3. ThreatFire Blogger says:
    August 1, 2008 at 8:39 am

    Hey hapbt, thanks for your interest. While we are interested in the study too, and in the opinions of the authors, we really don’t comment on the PR, development and support processes at other vendors. I would guess that the authors at n.runs are accessible and would be happy to offer their views and experience. Thanks for the posts.


 