Since its introduction in 2006, Microsoft's Windows Live OneCare has altered the antivirus landscape. With Tuesday's announcement that Microsoft will no longer be selling the product in retail outlets but offering a new free version, code-named Morro, starting in the second half of 2009, it's sure to change the field once again.
Since Microsoft bought Romania-based antivirus firm GeCad five years ago, there has been fear among the commercial antivirus vendors that the software giant would simply bundle its malware protection within the next version of Windows. While that didn't happen--and it's unlikely to happen--Microsoft's addition to the market has forced its competitors to make some changes even though Microsoft hasn't become the huge player once feared.
Even before the first beta in 2005, McAfee and Symantec were talking about plans to go head to head with the software giant. McAfee announced plans around Project Falcon, and Symantec launched Project Genesis.
Microsoft OneCare entered the market in May 2006 as a "desktop IT department" and inspired a new breed of "omni security suites" that went beyond the traditional Internet security suite. I wasn't impressed. Although OneCare offers the revamped GeCad antivirus engine, Microsoft Windows Defender antispyware protection, and the Windows Firewall, along with system diagnostic tools, backup capabilities, and a way to monitor home networking, I think that the interface is clunky and that the tools aren't necessarily top of the line. And I'm on record as calling OneCare SopranoCare, since it seems wrong to me to have to pay the company that broke your operating system to fix it.
But at its introduction, Microsoft did shake up the antivirus landscape. OneCare was priced at an absurdly low $49.95, and it protected up to three PCs. At the time, Symantec's Norton Internet Security and McAfee's Internet Security were both priced at over $100 for their three-user packages. Today, three-user packages well under $100 are common.
Symantec responded in 2007 with its Project Genesis-produced Norton 360, a unified product that took Norton Internet Security and added online backup. But Symantec didn't just add to its existing product, it reinvented the product, producing a new one with a fully integrated interface marketed for the average home user. And at around $70, it could be used on up to three PCs.
McAfee also responded with its Project Falcon-produced McAfee Total Protection, also priced around $70 for up to three PCs. It too offers home network monitoring and premium or enhanced versions of the McAfee Internet Suite.
But McAfee and Symantec both had something Microsoft did not: effectiveness.
Almost two years ago, independent antivirus-testing organizations faulted OneCare for missing known malware. Andreas Clementi of AV-Comparatives.org wrote in his February 2007 report (PDF) that OneCare did not meet the minimum requirements for participation. "Due (to) that, its inclusion in future tests of this year (will) have to be re-evaluated."
Microsoft began hiring longtime antivirus experts from competitors, and it appears to have paid off. A few years ago, Vincent Gullotto came over from McAfee to head Microsoft's Security Research and Response team. Microsoft has since added experts from F-Secure, Sophos, and elsewhere to the team. And it shows. In the latest On Demand scanning test from AV-Comparatives.org, Microsoft OneCare 2.5 scored as well as McAfee VirusScan Plus 2008.
All is not perfect, however. In May, Microsoft mistook Skype for a piece of malware. And the Windows Firewall, while Microsoft insists otherwise, is not a truly two-way firewall; there are a great many outbound exceptions within the Microsoft version. A Microsoft representative said, "If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network." Given that other firewalls have outbound filtering, I still don't see why Microsoft can't.
The free version of Morro won't have all the current bells and whistles of OneCare; Microsoft says the diagnostic tools won't be included. Although the final feature set won't be known for a while, just having a free antivirus/antispyware/personal firewall product from Microsoft is bound to shake things up.
With traditional antivirus protection perhaps becoming obsolete, maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products--something that I've said for years.
Taking a cue from Morgan Spurlock who lived on fast food for 30 days in the Super Size Me documentary, McAfee gathered volunteers from around the world who would, for one hour a day, surf the Internet, signing up for various newsletters, filling in various forms. As they did so, the participants were asked to blog about their experiences.
On Tuesday, McAfee released the results of the experiment it called S.P.A.M., or Spammed Persistently All Month.
Over the course of the month, McAfee's test subjects accumulated 104,000 spam messages, or roughly 70 per day per recipient. Put another way, 87 percent of all the e-mail captured on the test laptops was considered to be spam. That isn't too surprising.
What is surprising, according to Dave Marcus, director of security research and communications for McAfee Avert Labs, is the amount of foreign-language spam, with Germany and France having the highest percentage of local-language spam.
Other findings include:
Men received more spam than women (76.6 per day vs. 60.6 per day).
The United States received more total spam, followed by Brazil and Italy.
Nigerian scam e-mails are more popular in the United Kingdom than in the United States.
What's also interesting, at least to me, is that the McAfee results were similar to results released by Symantec. McAfee used about 50 real-world participants while Symantec used its DeepThreat Network of thousands of computers worldwide.
You can hear more of Dave Marcus' observations on the McAfee results in this week's Security Bite's podcast.
A new contest to be held at this year's DefCon in Las Vegas in August hopes to prove that signature-based antivirus is dead, a move that one leading antivirus researcher says is "not a good idea."
The goal of the Race to Zero is simple: obfuscate malicious code so that it evades well-known antivirus engines.
Contestants will be given a sample set of viruses and malicious code that they must modify and then upload through the contest portal. Once accepted, the sample will be sent through a number of leading antivirus engines (perhaps using VirusTotal.com to provide real-time test results). The first team or individual who manages to evade all the antivirus engines wins that round. The organizers promise that each round will increase in complexity.
On the contest site, organizers list six reasons for hosting this event:
- Reverse engineering and code analysis is fun.
- Not all antivirus is equal and poorly performing antivirus vendors should be called out.
- Signature-based antivirus products can be easily circumvented.
- It's easier to modify malicious software than it is to write signature protection for it.
- Signature-based antivirus is dead.
- Antivirus is just part of the larger picture; you need patching, firewalling and sound security policies to remain virus free.
But Dave Marcus, security research and communications manager at McAfee Avert Labs, said: "Encouraging research that results in better evasion techniques for malware writers is not a good idea. How many identities will be lost and how much data will be stolen from users as a result of the new techniques and evasions that are created? Security research should center around bettering detection not evasion."
DefCon 16 will be held August 8-10 at the Riviera Hotel in Las Vegas.
Public-information kiosks are supposed to allow users to find out more about a company or government agency, and that's all. But on Saturday afternoon, Shanit Gupta, a senior consultant at McAfee Foundstone, demonstrated several ways that he and others have been able to map the internal network on a system running XenApp, formerly Citrix Presentation Server.
On the demonstration screen at ShmooCon, an East Coast computer hacking conference, Gupta showed how the familiar toolbars and browser frame are missing on a system running XenApp. The idea is that on a kiosk the public can click on links only within the single page. But if there's a keyboard or a mouse present, which there often are, Gupta was able to open additional sites, exposing the internal network.
Starting with Ctrl-H, he was able to pull up the browser's history. If the history revealed no outside search engines like Google, one could also type Ctrl-O and then type in Google there. If all else fails, one could also hit Ctrl-N and open a new tab, which will show the usual address bar and toolbar for navigation.
Opening a Web site not on the public tour could allow an attacker to download and install Nmap and run a port scan of the internal network. If the browser supports JavaScript, one could also run a JavaScript port scanner.
Typing Ctrl-P calls up the printer; however, Gupta pointed out that you can also save to file there and, while doing so, see the internal network.
No keyboard, no problem. Gupta says simply right-click on any image and choose Save As...
Gupta's demo concluded prematurely, hampered by an overall loss of Internet connection at the conference.
Citrix says on its site that when running XenApp, "built-in endpoint scans and policy controls take into account each user's role, device characteristics and network conditions to determine which applications and data they are authorized to access." However, Gupta said that the flaws were first called to his attention at a government agency. Using the standard Internet Explorer keyboard hot keys, Gupta and a partner were able to see inside the agency's network.
On Thursday, the Anti-Spyware Coalition will meet in Washington. Participants will include experts from McAfee, Google, and the Pew Internet & American Life project, who will discuss the latest in spyware trends. In addition to the well-known damage caused by spyware--hawking advertising, stealing passwords, and slowing down PCs--McAfee is calling attention to a little-known aspect of spyware: domestic abuse.
"Using spyware for surveillance in cases of domestic abuse is a serious matter," says Anna Stepanov, who manages the Anti-Spyware program at McAfee Avert Labs. She's written a report titled Spyware: A Morphing Campaign (in PDF), which chronicles recent spyware trends including domestic abuse. "Monitoring a victim's online, cell phone, or general computing activity is of more value than ever in controlling or hurting a victim."
The National Network to End Domestic Violence offers these computer use tips to protect against such abuse.