Panda commits hara-kiri

Sat, 03/14/2015 - 09:46 -- admin

Greatest news of today: Panda detects itself as a virus and sends some of its core files to quarantine.

Besides the irony inside those very words, to me the issue is doubly ironic because some days ago I found myself thinking about the degree to which AV and antimalware tools have grown into part of the problem, rather than the solution.

I see that at my daily job. Some machines that worked flawlessly two years ago begin to be unable to cope with the tasks they always did without problem. Finally, they stop being usable at all. The problem: as AVs grow, the resources of the machine stop being enough to keep up with the rest of its basic tasks, and the computer becomes the private playground of the spoiled brat that the AV is. Today (year 2015) XP can't work with an AV if you have less than 1 GB of RAM (half that used to be enough three or four years ago). And that's just the bare minimum; if you start opening tabs in your web browser you'll know what I mean...

If we speak about Windows 7, then you roughly get there with 2 GB. When it came out, just 1 GB used to be enough for basic tasks.

As for the CPU, forget about using anything below two cores with any modern AV, since one of the cores will be devoted entirely to running it. And better not get started with Celerons and the likes of it.

Add to that the fact that current AVs do not only do their work but also a plethora of other things. They literally put "hooks" which alter, in more or less radical ways, third-party programs such as your web browser, your e-mail client, your filesystem drivers, your network, etc.

If you started reading the previous paragraph in the middle, it could seem that I am describing the concept of a "virus" and not its antithesis, but the truth is that in a lot of cases the tactics used by both are identical.

What's more, AVs use shielding techniques that are very similar to those used by viruses, with the aim of avoiding being unloaded or modified by other programs (viral or otherwise). Once more, viral tactics.

If you think about it for one second, everyone has some kind of AV software running, but, ruling out the machines I administer myself, I haven't ever found a computer which wasn't infected with one or another kind of malware. That is, since the DOS era. And while all that happens, the AV sits there just as happy as a child at a birthday party.

Something smells here...

This, unavoidably, takes me to several conclusions.

It is true that we are, nowadays, way more exposed than we used to be. We have permanent connections to the internet, and it is also true that the size of the net has grown exponentially. But it is also true that we now have tools that we did not have before. In the DOS days, it was truly rare for someone to run a TSR (resident/real-time) AV. We just ran a scan before inserting a dubious disk into our computer.

Nowadays, we have resident AVs, which are always watching, but the cleanest computer in Spain is probably dustier than Chernobyl.

To me, what clearly changed over time was the usage pattern and the average user mentality. Years ago, to be able to use a computer you had to learn some basic concepts. Besides a heap of random commands and a "hocus-pocus" that, at first, were quite hard to understand, we were given some notions about the computers themselves.

We were taught that there was a hierarchical system of files and directories. Files were just blocks of information with a meaning, to which we gave a meaningful name in accordance with their contents, and which could be of many different types (keep this in mind for later reference), and every file type was uniquely distinguished by three characters that were put at the end of the file name, after a dot. We called that the file extension. Just by looking at this extension you could tell if a file was a photo (maria.jpg) or a spreadsheet (jan81.xls).

Directories were nothing but a special file type which could contain other files within them (at filesystem level this is not necessarily true, but it's an easy and clear way to visualize it).

Programs were also files, but with an ".exe" extension. There were also other programs which were ".com", and some others were ".bat". "How" these were written was unclear to me at that moment (except for bat files, which we could open in a simple text editor), but the important thing is that a program was simply a file, just like everything else, and that threw quite a lot of light over the mystery.

Even my operating system was nothing but a bunch of files inside a directory in my hard disk!

Knowing this, and looking at how a typical antivirus of the time worked, I got to know that a "virus" is nothing else but a particular kind of program, just like a word processor or a video game. It's just that its purpose in life is a very different and unusual one: to do harm (or at least, to annoy).

All the mysticism slowly faded away, and I noticed that the thing was truly simple: if you don't want to use your word processor, you just don't run it. The same goes for viruses; there's nothing more to it. A virus is not some intangible force coming from a digital inferno, nor an electrical quirk as some tend to think. It is, simply put, a program just like any other.

In a proportion that's very close to 100%, infections are run by the user. There are more complex ways to infect a computer, but I am not going to talk about those here, and they truly represent but a drop in the ocean, statistically speaking. If the issue at hand is really that simple, why is it such a common problem? What is truly the root of it?

Well. I'll give you my theory.

The first problem is that the average user of nowadays has only a very rudimentary idea about what a file is. People just see things on the screen and click around without having a clear idea of what will happen. A very interesting side effect of this is that they don't even know how to maintain a structured "folder" (just to use the mainstream word for directory) tree, and the funny consequence is that it isn't rare to find tremendous problems involving three or four versions of the same spreadsheet saved in different folders, or with slightly different names that differ only in an extra dot or a blank space.
Over time, some of them develop a vague (very vague) notion about the matter, but few go beyond that.

As for file extensions, well, most people don't even know they exist, and if you talk to them about it they don't know what they are. This was probably caused by the coming of Windows. Someone at Microsoft thought that it would be nice to hide them, because it's useless info that will do no good and the users don't need to know about it.

Said and done. In Windows, extensions are hidden by default.

The worst thing is that this will all probably sound like Greek to anyone who hasn't been working with computers for at least 20 years.

Aside from what the reader might think about me being a nostalgic dumb freak dinosaur (and a bit pedantic at that), the true thing is that a given user can't really tell at first sight a file containing a photo from another containing a PDF report, or, what's worse, another containing a program. That is, unless s/he opens it. But if it is a malign program and you have opened it, then it's already too late.

Let's think. We go to a website in search of a photo of Leonardo DiCaprio, and we see a link to download the photo (that, or someone sends it by mail; it's the same). When we are about to open it, we see that the photo is not an image file (.jpg, .png, .bmp, .gif, .tif) but a .exe. Logic and common sense dictate that a photo is not a program, so, if it is supposed to be a photo but it's a program, then someone has tried to trick us into running something that we are not supposed to run.

But that will not happen, because extensions are hidden. All you see is a silly icon that can be easily tuned to trick you. And even if extensions were shown, no one would know what they mean, because we have been living 20 years without them.
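The trick described above, as an added example that is not code from the original post: a small Python checker that mimics Explorer's "hide extensions" display and compares the visible name against the real extension and the file's first bytes, so a "photo" that is really an .exe is flagged before anyone double-clicks it. The extension lists, the magic-byte table and the sample files are assumptions constructed for this demo.

```python
import os

# Assumed lists for this demo: extensions Windows runs on double-click, and image ones.
RUNNABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".bmp", ".gif", ".tif", ".tiff"}

# Leading bytes of the formats the post mentions (assumed lookup table).
MAGIC = [(b"MZ", "pe-executable"), (b"\xff\xd8\xff", "jpeg"),
         (b"\x89PNG", "png"), (b"GIF8", "gif"), (b"BM", "bmp")]

def displayed_name(filename):
    """Mimic Explorer with 'hide extensions for known file types' on:
    only the last extension is stripped, so 'leo.jpg.exe' shows as 'leo.jpg'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def sniff(head):
    """Classify a file by its first bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"

def assess(filename, head):
    """Return (verdict, reason): visible name, real extension and content
    should all agree for an honest photo."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    shown_ext = os.path.splitext(shown)[1].lower()
    kind = sniff(head)
    if real_ext in RUNNABLE_EXTS and shown_ext in IMAGE_EXTS:
        return ("suspicious", "runnable %s shown as %r" % (real_ext, shown))
    if real_ext in IMAGE_EXTS and kind == "pe-executable":
        return ("mismatch", "image extension but executable header")
    if real_ext in RUNNABLE_EXTS:
        return ("executable", "honest %s, shown as %r" % (real_ext, shown))
    return ("ok", kind)

def assess_path(path):
    """Apply assess() to a real file, reading only its first 8 bytes."""
    with open(path, "rb") as fh:
        return assess(os.path.basename(path), fh.read(8))

# Constructed samples: the post's fake "photo" beside an honest one.
SAMPLES = {"leonardo.jpg": b"\xff\xd8\xff\xe0\x00\x10JF",
           "leonardo.jpg.exe": b"MZ\x90\x00\x03\x00\x00\x00"}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", assess(name, head))
```

Pointing `assess_path` at a downloads folder shows the same check on real files, including the disguised one that Explorer would display simply as "leonardo.jpg".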

This all takes us to the point of acknowledging that the answer to most computer security problems is to educate the masses, just like with AIDS prevention: it serves no purpose to hand out condoms if the user does not know how to use them, does not know basic hygiene measures, and does not know why they are so indispensable.

Equally, AV software is useless when it is the user with administrative privileges (ugh, I could write a book about that) who orders it to shut the fuck up and stay out of the way while Ask Toolbar, Babylon and Search Protector rape them in a savage gang bang.

My mother (yeah, I also have one) has been using the same OS for years, and there has been no need to "re-format" (that word doesn't mean what you think it does, but I'll use it nonetheless, just for the sake of making this comprehensible to everyone). That computer doesn't have an AV installed, and it doesn't need it, because it has a clear usage pattern that doesn't involve much risk. At least, not the kind of risk a typical AV would block anyway.

To me, the best AV is common sense, and some basic notions about computers. A sensible configuration also helps, along with a good update policy.

AVs can help sometimes, just like airbags, but they aren't strictly necessary, and, that's for sure, they can't drive for you and they can't avoid a car crash.