Signature based AV no future?

[tsilo]

I found two interesting articles , what do you think about it?

http://securitywatch.eweek.com/virus_and_spyware/antivirus_is_dead_dead_dead.html

http://www.it-analysis.com/blogs/Robin_Bloor/2007/6/the_slow_death_of_av_technology.html

[Dwarden]

it's incorrect to say signatures are 100% dead ... they just become part of mosaic ...

combined with other solutions like HIPS, executed code analysis, trusted application database (lol another signatures but as whitelist), behaviour analysis etc.

[sergofun]

Hi all!
Thank you, tsilo, for your question. It's wery actual and corresponds to modern trends in development of information safety.
It would be great to hear answer from avast! developers (in particular from ALWIL team). How do they see the future of avast! ?

[kubecj]

This is not an official ALWIL position, just my thoughts:

a) It's naive to expect the user's have enough knowledge to whitelist the programs by themselves. Even I have sometimes problems to get what program is wanting net access when whitelisting the network connections

b) It's naive to expect to have (on the solution's provider side) the "complete" database of world's software, checked and verified to be clean.

Why does it remind me this: http://www.rhyolite.com/anti-spam/you-might-be.html


I'm not saying that the signatures are the only way or so. They aren't. But whitelisting is not a solution for typical unknowing home user, which I personally suspect as a typical victim of most viruses/trojans.

[alanrf]

I have to wonder why this post is in this particular forum ... since it is not clear to me that is about helping users of avast with the avast product.  I suppose that is the province of the moderators.

However, the writer of the first article referenced said in his blog that he regretted not making clear that his comments were much more directed at the corporate environment and they did not apply so directly to home users.

The writer of the second article referenced was even more specific about being concerned with corporate environments.  I don't see too many corporate users in this forum - so again I wonder about the placement of this post.

However, as an old corporate type who used to make decisions on corporate deployment of such products I'd have to agree with the point made by DWarden.  As to home use ... it reminds me of those awful products that used to try to catalogue the whole of a home users system and every time something changed would pester them so much they just uninstalled them.  Either it works unobtrusively ... and as kubecj has questioned how to have a complete database (especially for home users) ... or it will just fail to be accepted in that segment.     

[kubecj]

Moved the topic to General, since it's not directly related to avast as alanrf suggested.

If we "split" the AVs regarding to typical user, we've got two different branches:

a) home users - see my reasoning above

b) corporate users - yeah, the whitelisting may be an option, but I think there are that many solutions for corporate admin how to stop the users from running unknown software. If they let the users download and run software, the whitelisting is pointless.

[sergofun]

kubecj, alanrf, thx for your answers.
I consider that for the computer protection we need a complex approach. Besides, I consider that if a man can correct adjust the OS (limit the user's rights, limit the permission to some programs, use sandbox, etc) and put at the PC a knowledge person (like you or me , that possible to dispenses one only behavioural analyzer without any AV.
For instance, why IE has full access to all folders and files on a PC if just for normal functioning it's need only to have an access and ability to change to a pair of the files? It is possible to limit IE (either as the other applications). However the Windows possibility do not allow to realize it in full amounts.
I suppose that stated applicable to the protection of home PC.