McAfee dumps signatures and proclaims an (almost) end to botnets

Signature-based malware identification has been around since the dawn of the computer security industry, but McAfee has said it's dumping the system – or rather, adapting it – in an upgraded security suite which will (it claims) virtually eliminate susceptibility to botnets. McAfee's malware signature database has grown to …

COMMENTS

  1. Don Jefe

    Effective

    Telecoms people have been using a very similar thing for years to control revenue leakage. It works very well. I hope it works as well for this.

  2. Snake Silver badge
    Facepalm

    Huh?

    But in the last review of anti-virus products by a web magazine, McAfee rated DEAD LAST with largest number of allowed intrusions. Which is disconcerting as a friend I know uses McAfee, and I must therefore get him to switch away from it. More likely, do the switch for him.

    Kaspersky got the top rating in the test results.

    1. Anonymous Custard

      Re: Huh?

      Ah yes, but I bet McAfee didn't sponsor that review...

    2. Annihilator
      Coat

      Re: Huh?

      "But in the last review of anti-virus products by a web magazine, McAfee rated DEAD LAST with largest number of allowed intrusions"

      "Ah, but that was the last version", said the sales rep looking nervous and sweaty, "the next version will be the best ever and will stop all botnets!"

      Note though, that they're only claiming success for botnets, not every other type of virus out there.

    3. Anonymous Coward
      Anonymous Coward

      Re: Huh?

      Kaspersky is a solid consumer product and should always test well for botnets... as consumers are the intended targets.

    4. Rambler88
      Trollface

      Re: Huh?

      Let's not be judgmental, now. McAfee's doing pretty well for a bunch of junior guys in a converted warehouse in Bangalore.

      Oh. You mean that's not what they are? You say INTEL owns them??!! Odd, that. To their customers, they certainly seem like a bunch of junior guys in a converted warehouse in Bangalore.

  3. Anonymous Coward
    Anonymous Coward

    Wow

    So McAfee is trying to copy Webroot. Who'd have thought?

    1. Anonymous Coward
      Anonymous Coward

      Re: Wow

      I thought they were copying Trend Micro's DEEP Security with their DEEP Defender and Trend Micro's DEEP Discovery with whatever the McAfee (DEEP) sandboxing technology happens to be called...

  4. Robert Helpmann??
    Childcatcher

    Tight as a ... goose?

    McAfee says it has ... integrated its various modules much more tightly with each other.

    McAfee, like so many other tech companies, has made a business out of targeted acquisitions. They have a number of products that do a number of things, most of which are complementary to each other. What they do not have is good integration. See how well multiple admins can set up rules in the DCM/DLP module at one time within ePO for an example of this (hint: only one at a time, per ePO server). Heck, they don't even have internal consistency for some products. Menus and permission sets are pretty much in the same condition they were found in when the various products were acquired. Data is sent to databases but cannot be accessed from within the application's reporting system. Not what I would call good integration.

    I look forward to seeing this promised improvement, at which point I will believe it.

  5. Hungry Sean
    Trollface

    cure still worse than the disease?

    Why should I care about "improvements" if putting McAfee on a system still borks it harder than any virus? Whenever I see a relative's computer running butt slow, either it or Symantec are almost always to blame.

    1. BongoJoe

      Re: cure still worse than the disease?

      Or the recent release of Kaspersky...

    2. Fatman
      Linux

      Re: cure still worse than the disease?

      OK, I'll bite.

      If, by disease, you mean the entire malware-laden WindblowZE ecosystem, then the only cure is Linux.

      1. Anonymous Coward
        Anonymous Coward

        Re: cure still worse than the disease?

        "If, by disease, do you mean the entire malware laden WindblowZE ecosystem, then the only cure is Linux."

        "WindblowZE"? Really? Are you twelve, or just another Eadon sockpuppet?

        1. Fatman
          Linux

          Re: just another Eadon sockpuppet?

          NOPE!!!

          I just DO NOT like Windows!!!

          I consider it the scourge of the internet.

          Tux - for a reason!!!!

          1. Anonymous Coward
            Thumb Down

            Re: just another Eadon sockpuppet?

            So... Eadon sockpuppet = yes.

  6. Anonymous Coward
    Anonymous Coward

    Malwarebytes?

    Isn't this what Malwarebytes already does? And better than any other tool, including McAfee?

  7. taxman

    AV vs Persil

    "We can catch things that no one else can in the industry."

    Yeah, well just make sure you don't pass it on!

  8. Silverburn

    McAfee has said it's dumping the system – or rather, adapting it – in an upgraded security suite which will (it claims) virtually eliminate susceptibility to botnets.

    Just like you said in the last big release then. Ho hum.

  9. Anonymous Coward
    Anonymous Coward

    False positives?

    I can't wait to see what entirely innocent programs just happen to meet McAfee's half-tested heuristics and get sidelined. Probably on someone's main cloud server framework.

    It would almost be funny, except that our corporate IT policy is to run McAfee, and I can't connect to the company network if I don't :(

  10. Anonymous Coward
    Anonymous Coward

    What do they mean, susceptibility to botnets?

    I'm not even sure I understand their marketing message.

    A botnet is a collection of computers carrying out tasks (such as spam, DDOS, web proxying and sometimes even hosting) on behalf of the bad guy. It isn't something a computer can be susceptible to. Perhaps they mean that it prevents them from being infected with an item of Malware which turns the computer into a Bot. Interesting... bots can be installed by mass mailers, targeted trojans, malware hosted on compromised websites, malware on USB sticks and even by idiot users who decide to become part of a hacking collective and voluntarily install a bot onto their machine.

    So perhaps what they are trying to say is that their new improved protection NOW prevents computers from being infected with malware (unlike before)? Or, perhaps what they are saying is that they have realised that reactive, signature-based malware detection is no longer sufficient to protect computers in the modern era, now that malware has the ability to spread globally before the AV companies have a chance to create and distribute a signature. If this is the case, then WTF do they think they have been doing since Bubbleboy was released in 1999???

    No, No, I think I've got it... What they are really trying to say is "BUY OUR STUFF, It's less bad than it used to be"

    Please note, I am not specifically anti-McAfee, I am anti-marketing bull.

    AC as the views of the voices in my head may not be acceptable to my employer.

  11. TeeCee Gold badge
    Meh

    "..all our systems now work on behavior and reputation,"

    Oddly enough, my decision making processes for purchasing have worked on behaviour and reputation for some time now.

    Which is one of the main reasons why I won't be buying any McAfee products.

  12. oldcoder

    Interesting...

    "they have done this over the next three years"...

    So they also have time travel...

    That would make it easy to cure bots - Identify them now, then tell the AV about it yesterday....

  13. Richard Tobin

    Suspicious figures

    "100 per cent rating at killing rootkits, compared to 83 per cent for Microsoft and 67 per cent for Symantec". Did they by any chance test exactly 6 rootkits?

    1. Fatman
      FAIL

      Re: Suspicious figures

      Read that part very carefully, I have quoted it below:

      As for rootkits – a particular Intel bugbear – McAfee touted a recent test by AVLabs that it sponsored that highlighted the effectiveness of part of its suite at cutting this attack vector short (although it did not specify testing criteria). The tests give McAfee a 100 per cent rating at killing rootkits, compared to 83 per cent for Microsoft and 67 per cent for Symantec.

      Did you note the emphasized words?

      So, I agree, Suspicious figures or paid for lies? You decide.

      1. Michael Wojcik Silver badge

        Re: Suspicious figures

        Read that part very carefully, I [am foaming at the mouth] below...

        Yes, thanks, no one else reading the article noticed that McAfee sponsored that study, or has ever considered the possibility that research might be affected by its funding source, sometimes to the point of being completely compromised. Had you not pointed that out, we all would have taken the McAfee statement as gospel.

        But, hey, you wouldn't want to miss yet another opportunity to accuse someone of shilling.

        Really, please, grow up. Even if a single reader here is likely to base their opinion of that "test" - about which we have so little information as to render it meaningless - on the question of whether the outcome was influenced by McAfee sponsorship, your pointing that question out will come as a surprise to exactly no one. Boldfacing some words in the quote, then pointing out to your readers that you'd boldfaced them, is childish and inane.

  14. John Smith 19 Gold badge
    Black Helicopters

    Has anyone considered what it *really* takes to go completely malware free?

    Obtain multiple Linux distributions.

    Select apps and kernel source code you want to run. Avoid ones that require a virtual machine running on top of the hardware.

    Cross-reference across versions to locate any changes between them, i.e. potential trap doors. Do this with 2 different comparison tools to avoid one that's fixed to ignore trapdoor code if it receives a specific marker, or code your own. You'll do this for any future apps you load.

    Define new processor architecture with opcode bit patterns chosen at random (to prevent guessing if samples of your object code fall into the wrong hands) and implement it. For extra obfuscation make it a stack architecture running an unusual bit length.

    Hack code generators for the apps and kernel languages you're going to compile.

    Re-build kernel & apps to new architecture & install on system.

    Change/delete any default accounts/passwords. Set up low-privilege working account(s) where you do most of your work, view your p0rn etc.

    Change default router password and set router to ignore all calls from the internet to your address (so you're invisible except to your ISP). Disable universal plug and play (and most other things).

    Congratulations. You should be malware free and anything that gets into your system (infected email attachment?) will have no way to execute. Like a border post backed by 1000 km of desert. Anything that gets in will die.

    Now how many of you are paranoid enough to actually implement this strategy?

    1. Rob Carriere

      Re: Has anyone considered what it *really* takes to go completely malware free?

      Actually, the probability that your v1.0 of all that will be bug free is low enough that it would be safe to bet the rent there's a vulnerability there somewhere. Your actual protection stems not from all the mucking about, but from the fact that you created a one-off configuration and nobody can be bothered to crack it.

      1. FrankAlphaXII

        Re: Has anyone considered what it *really* takes to go completely malware free?

        >the fact that you created a one-off configuration and nobody can be bothered to crack it.

        Which would also completely embody the discredited idea of security through obscurity.

        As there is going to be a vulnerability somewhere in your configuration, given the right motivation someone will eventually crack it. There is nothing which is completely secure, you just have to figure out a way to make the amount of time, money and work it would take to breach your configuration large enough to deter an aggressor.

    2. volsano

      Re: Has anyone considered what it *really* takes to go completely malware free?

      Having done all that, of course, I'd run my target OS inside a VM which itself is inside a VM which itself etc to maybe a depth of 12.

      Each VM (different implementations of course) is running separate virus detection / fire walls / etc, so only incoming data that passes all of one VM's sniff tests makes it to the next level.

      For an infecting virus that is trying to reach my app in the target OS, the effect would be like running the gauntlet in a very-hard-to-win first-person shooter with no ability to save at crucial points.

      With a 12-core processor, my nicely snuggled app would not even notice the latency in handling incoming data.

    3. Christian Berger

      Can be done simpler

      There is some research going on into assisted proof of software.

      Essentially whenever you write a piece of code you need to prove that it works correctly. This proof will be checked by the compiler (just like some compilers can already check for array boundaries, etc). The current research is about how to make a language which integrates code and proof in a good fashion so it's not too much overhead.

      In the end you can for example prove that data marked "private" will never reach the network card driver. And that you will never overwrite your stack. Some people even go further and add types to the memory so your CPU can check for types. Those types can include features like "private" or "local" or whatever you want to.

      This is of course a long-term goal, but it's being worked on. And ideally you don't lose any/much speed.

    4. Gordon Fecyk
      Go

      I have. Right here.

      Has anyone considered what it *really* takes to go completely malware free?

      Part 1. More parts are following, along with using Software Restriction Policies in coming parts.

  15. dajames
    Windows

    There's only one thing I miss in McAfee's security products ...

    ... the ability to deinstall them, quickly, easily, completely, and cleanly.

    Seriously, this crap comes preinstalled on many big-name Windows boxes, and getting rid of it takes most of a day -- it's quicker to wipe the drive and reinstall.

    1. John Smith 19 Gold badge
      Unhappy

      Re: There's only one thing I miss in McAfee's security products ...

      "... the ability to deinstall them, quickly, easily, completely, and cleanly."

      A "feature" they seem to share with Norton.

      Less an installation, more an infection.

      1. Anonymous Coward
        Anonymous Coward

        Re: "feature" they seem to share

        If more than one vendor exhibits this behavior, perhaps the issue is in the OS and not the app.

        Not that the app maker should be excused mind you. I find this more annoying with Java than the two mentioned pieces. At least those will partially uninstall whereas Java on Windows is just completely buggered if something gets corrupted with the install.

    2. Fatman
      Linux

      Re: There's only one thing I miss in McAfee's security products ...

      I suggest a slight change to this:

      Seriously, this crap comes preinstalled on many big-name Windows boxes, and getting rid of it takes most of a day -- it's quicker to wipe the drive and reinstall install Linux.

  16. MrWibble
    Facepalm

    "Customers no longer have to worry about botnets; we will take care of that for them."

    Taking bets on how long that will take to bite him in the ass. I reckon less than 6 months.

    1. John Smith 19 Gold badge
      Facepalm

      "Taking bets on how long that will take to bite him in the ass. I reckon less than 6 months."

      I bid 6 weeks, but I think that's generous. When it's discovered is another matter.

      For the successful cracker (who keeps it secret) this is the perfect target.

      The sense of smug complacency that will set in could allow them to establish the biggest botnet the internet has ever seen. OK that's a bit of hype but certainly quite large.

      I've heard this "It's uncrackable" spiel a few times. A classic was the Sky digital TV encryption system.

      The channel coding remains (AFAIK) unbroken with a 2048-bit PKA key.

      The cards were not. Giving free TV channels to those in the know.

  17. Mayhem

    The problem with Heuristics analysis

    is that if you get it really right ... you don't get to sell regular updates to the software.

    I know of several different AV providers who went out of business for that reason back in the day. The technology was quietly bought up by Symantec and allegedly merged in with Norton's.

    To be fair, the change to 64bit windows would have killed their product anyway without some significant rewrites, but it worked brilliantly for 7-8 years without an update.

    1. Ilgaz

      Re: The problem with Heuristics analysis

      Another thing is that the operating system itself may behave like a virus. It is in the nature of operating systems.

      Unlike McAfee, who seems to have "invented" heuristics after decades of use, that is the main reason why companies do crazy things like virtual machines, cloud-based whitelisting, machines left open to the internet on purpose etc.

      Poor Intel wasted their billions.

  18. Ilgaz

    Genius

    In a world in which companies and even end users expect a common security suite which will work similarly on all their devices, from a cheap Huawei to a top-of-the-line i7 workstation, they ship software which will work fine only on Intel CPUs.

    If someone at Kaspersky or Sophos came up with such an idea, he would be fired.

    Also, heuristics and behaviour analysis are old news in the real security scene. Signatures are only a first line of defense. It has been the same since IBM & F-Prot.

  19. Gordon Fecyk
    Stop

    McAfee rewrites history?

    Signature-based malware identification has been around since the dawn of the computer security industry

    Bollocks.

    Stiller's Integrity Master, a profile-based virus detector, existed before John McAfee sold a cheap and lazy media on Virusscan:

    I love it! I have been a fan of integrity checking (IC) ever since my first big software conflict trashed small parts of a few files of the 2,000 + files on my disk in … 1986

    (Sadly, that article is only on Google's cache now.)

    CERT formed before McAfee did, in 1988, to combat the Morris Internet Worm. McAfee opened his doors in 1989.

    1. Ilgaz

      Re: McAfee rewrites history?

      Don't forget Thunderbird (originally hardware based, converted to software) or A-Tool for Amiga which didn't need signatures at all.

      1. Ilgaz

        Thunderbyte, not Thunderbird

        I confused the brand with the email app. It was Thunderbyte antivirus from the Netherlands.

    2. Michael Wojcik Silver badge

      Re: McAfee rewrites history?

      Signature-based malware identification has been around since the dawn of the computer security industry

      Bollocks.

      I am baffled how anything you posted is a refutation of the statement you quoted. In fact, your evidence appears to support it: if "the computer security industry" is defined as software companies selling security tools for PCs (a dubious definition, but we'll get to that in a moment), then the statement is clearly true, since signature-based identification in fact clearly predates that "industry", and thus "has been around since" (and indeed before) it began.

      If we define "the computer security industry" in the rather more useful sense of organized work to improve security in IT, then Integrity Master and its predecessors would be a part of that "industry" (in the sense of "work", not necessarily "commercial product'), so they wouldn't be counterexamples to the statement either.

      However, IM isn't relevant to the statement at all, because it's not a signature detection system. Signature detection systems scan data for sequences that may indicate malicious code. IM is a change detection system; it computes hashes of existing files (at least originally CRCs; the article doesn't indicate if it later used stronger hashes) to see if they match the hashes from the previous pass.

      So a complete miss then. But really I can't see what you're all worked up about. Thomson isn't claiming McAfee (or anyone else) invented signature detection, just that it's been around for a long time.
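To make the distinction drawn in the post above concrete, here is an added example in Python (not from the original thread, and not code from Integrity Master or any McAfee product): a toy signature scanner beside a toy integrity checker, both run over the same constructed in-memory "files". The file names, contents and the marker string in the signature table are all made up for the demonstration.

```python
import hashlib
import zlib

# Constructed in-memory "disk": file name -> contents. A stand-in for real files.
BASELINE_FILES = {
    "COMMAND.COM": b"MZ\x90\x00 original command interpreter bytes",
    "README.TXT":  b"Plain text, never executable.",
    "GAME.EXE":    b"MZ\x90\x00 game code " + b"\x00" * 16,
}

# Constructed signature table: name -> byte sequence to look for.
# The marker is a placeholder string, not a real malware pattern.
SIGNATURES = {
    "Demo.Marker": b"CONSTRUCTED-MARKER-1",
}


def signature_scan(files, signatures=SIGNATURES):
    """Signature detection: report every file containing a known byte sequence.
    Only patterns already in the table can ever be found."""
    hits = {}
    for name, data in files.items():
        matched = [sig for sig, pattern in signatures.items() if pattern in data]
        if matched:
            hits[name] = matched
    return hits


def fingerprint(data, algo="sha256"):
    """Per-file fingerprint. 'crc32' mirrors the early Integrity Master era the
    post mentions; anything modern should use a cryptographic hash, since a CRC
    is trivial to collide on purpose."""
    if algo == "crc32":
        return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)
    return hashlib.new(algo, data).hexdigest()


def take_snapshot(files, algo="sha256"):
    """One integrity-checker pass: fingerprint every file on the 'disk'."""
    return {name: fingerprint(data, algo) for name, data in files.items()}


def compare_snapshots(previous, current):
    """Change detection: diff two passes. Needs no knowledge of malware,
    only of what the files looked like last time."""
    return {
        "added":   sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "changed": sorted(n for n in previous
                          if n in current and previous[n] != current[n]),
    }


def demo():
    """Run both approaches against the same constructed change set."""
    baseline = take_snapshot(BASELINE_FILES)
    # Constructed 'next day' state: GAME.EXE silently patched (no signature
    # exists for the change), a new file carrying the known marker appears,
    # README.TXT untouched.
    today = dict(BASELINE_FILES)
    today["GAME.EXE"] = today["GAME.EXE"] + b"\xEB\xFE"
    today["DROPPED.COM"] = b"MZ" + SIGNATURES["Demo.Marker"]
    return {
        "signature_hits": signature_scan(today),
        "integrity_diff": compare_snapshots(baseline, take_snapshot(today)),
    }


if __name__ == "__main__":
    result = demo()
    print("signature scan :", result["signature_hits"])
    print("integrity check:", result["integrity_diff"])
```

The scanner only flags the file carrying the marker it already knows, while the integrity checker flags the modified GAME.EXE as well, without knowing anything about what was written into it.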

  20. ADJB

    As the argument rages about this OS being safer than that OS with respect to nasties, does anybody have any figures on how many viruses actually use Windows as the directly attacked platform as opposed to using some third-party program (Adobe & Java - looking at you) as the attack vector which then goes on to compromise the OS?

    I suspect that 'modern' windows, say Versions 7 & 8, are actually very robust and the vast majority of the infections are due to third party applications.

    I can see this as being a major flaw in phone and tablet OSes where they request, and are inevitably given, permissions far in excess of those required for purely operational needs, in the same manner as many Windows programs have "needed" administrative permissions in the past and thus provided an easy foothold into the OS.

  21. Wardy01
    FAIL

    Eadon

    You're a douchebag ... deal with it !

    Go flame some other forum.

    The most epically failed statement ever:

    100% of all viruses are for windows

    ... riiiiight ... I know of at least 3 for Mac and I've read somewhere on here recently that some hackers are chucking together Android viruses ...

    http://www.bbc.co.uk/news/science-environment-17623422

    http://www.bbc.co.uk/news/technology-20768996

    And those are just in the top 2 results for some basic google searching ...

    What a total tard!

    Anyone else fancy confirming what a tool Eadon is ... upvote this comment!

    As for McAfee ...

    I generally hear good things about them, but me personally, I wipe my machine clean and restore from an image (network stored) every few weeks so I don't bother with AV.

    I'm also very careful about where I download and run executable code from.

    Have I ever had a virus?

    Yeah, once ... when I used to use AV, and its solution was to destroy my OS install.

  22. Anonymous Coward
    Flame

    "We can catch things that no one else can in the industry"

    "We can catch things that no one else can in the industry."

    Well that's certainly my experience - our PCs running McAfee catch things that users of other vendors don't seem to get. Whenever I submit a sample to virustotal.com McAfee consistently does not detect anything but 90% of the other vendors do.

  23. Anonymous Coward
    Anonymous Coward

    100% effective... at press time, for our test cases

    I've run keygens in a VM for obvious reasons. More often these days, they detect that they're in a VM and refuse to run. Appearing innocuous.

    Sandboxing doesn't always work

  24. teebie

    Now

    Shouldn't they have done this 5 or 10 years ago?

  25. Herby
    Trollface

    One of these days, they will recognize that...

    Windows itself is the virus, and needs to be eliminated. It just keeps morphing every few years and changing a number (3.1, 95, 98, 98SE, Me, NT, 2000, XP, Vista, 7, and 8 to name a few) and re-infecting systems.

    Of course, they need a platform to run on, and they chose the absolute worst processor (the x86 family) to do the job, also counting the viral effect.

    (*SIGH*) One of these days.....

    1. Miek
      Coat

      Re: One of these days, they will recognize that...

      Sorry, I guess the guys are running low on downvotes after all the Eadon posts earlier

  26. Tom 13

    Re: The end result could crush botnets

    but that's nothing compared with what it will do to crush your Windows software!

    I know. The last time we had major downtime because of malware where I work, it was McAfee whacking the login DLLs from the system directory.

    1. seansaysthis
      FAIL

      Re: The end result could crush botnets

      sometimes the cure is worse than the disease.

  27. Anonymous Coward
    Anonymous Coward

    I do wish the moderators here would stop all this personalised bashing of individual posters that is being targeted against specific individuals who post here.

    Seriously. If you don't like what he says, then prove him wrong. If you can't do that, then don't bother commenting about what he says. Your personal thoughts about him are irrelevant. All this ridiculous name calling just makes you all look like children.

    1. diodesign (Written by Reg staff) Silver badge

      "I do wish the moderators here would stop all this personalised bashing of individual posters"

      The trouble with deleting comments that bash individuals is that it spirals into a "he started it!" nightmare. The general rule I like to see people follow is "play the ball, not the man". So if people stick to that then things work out.

      C.

    2. Galidron
      Unhappy

      You can try, but people who reject all evidence or utilize irrelevant technicalities to make themselves feel right will never change their mind. When you combine that with a strong desire to evangelize everywhere, people will naturally get tired of constantly bringing forth the same evidence proving them wrong over and over again. Ignoring them doesn't really work because then they could possibly convince someone new that they are correct. Over time they will eventually piss someone off enough to respond to them with an attack of some kind, and with the number of readers here there will always be someone new being pushed over the edge.

    3. RyokuMas
      Thumb Up

      "Personalised bashing"

      @Dave Dowell - imagine, if you will, a fly buzzing round your head. You try to shoo it away, but it keeps coming back. You can either keep trying to just brush it aside, or become increasingly more annoyed trying to swat it.

      This is what has happened here.

      You're absolutely right about trying to counter-argue posts you don't agree with - however, I can understand some posters getting frustrated when faced with a continual barrage of provocative posts that usually lack any form of evidence or back-up, especially when the poster in question (I think we all know who we mean here) refuses to acknowledge any counter-argument that does not fit in with his own philosophy and just continues to "buzz around our heads" - to use the earlier analogy.

      It's why I think a "report complaint" facility - similar to "report abuse", but for more general use - would be a good idea.

  28. Boris the Cockroach Silver badge
    Windows

    I suppose

    a few rules to avoid the malware would be better than AV software that bungs up your system/network/entire internet

    1. Phone chargers for all staff : stops them plugging their phones into those handy usb ports on the front of the PC

    2. remove Java and flash from the browsers

    3. Anyone caught with a USB stick is fired.

    4. Anyone opening an email attachment is set on fire.

    And lastly for those really serious about stopping malware from seizing vital data

    Install Linux

    1. seczine.com
      Devil

      Re: I suppose

      "4. Anyone opening an email attachment is set on fire."

      Surely you fire the email admins for letting the attachment through without running it through a sandbox first?

      1. Boris the Cockroach Silver badge
        Flame

        Re: I suppose

        Who cares.... after the first few examples, everyone will remember

        Flames...... and why not

    2. Hungry Sean
      Happy

      Re: I suppose

      I've visited companies where to enter the campus, everyone sends their belongings through a metal detector, phones are checked to make sure cameras are taped over, sd cards or flash drives are banned, etc. etc. In the government sector too, there are some pretty extreme measures taken for security (e.g. supercomputers that are physically partitioned so that confidential simulations can't possibly be spied on by other code).

      Generally though, I assume the powers that be look at the relative cost of preventing malware via draconian measures (quality of employee, worker happiness, inefficiency in working with clients who want to use e-mail attachments) and decide that it's much better to employ a handful of smart people to set up firewalls, IDSes, monitor developments in the security field, etc. and basically hope that the risk is reduced sufficiently.

      Similar considerations apply to safety from muggers-- if you wanted to make sure you'd never get mugged, you could hole up in an underground bunker with 80 years worth of non-perishable food, cases of ammunition and high powered weapons, hopped up on methamphetamines monitoring your CCTV, and you'd have a pretty high confidence in your personal safety. On the other hand, it might not be a very happy existence.
