There's a need for a division of labor here. The downloading function in a browser shouldn't be allowed to look at the contents. The guard/sanitizer function shouldn't be allowed to do anything other than say yes or no, or modify the downloaded file. After processing each file, the guard/sanitizer function is flushed and reloaded, so that if it was corrupted, it can't affect other files.
Symantec could have chosen to ship only the minimal filesystem interface code in the kernel and run the huge, complex inspection code in an isolated low-privilege thread, just like the Windows NT guides recommended in 1993.
Symantec could have performed basic diligence and updated their dependencies when security updates were released.
Symantec could have followed recommended practice for code auditing, fuzzing, etc.
In each case they chose not to spend the money it'd take to be minimally competent, correctly realizing that most of their customers will never check and are unlikely to change their buying habits. Based on my experience running their enterprise management tools and dealing with their support, I'm pretty sure someone just made the business decision not to spend the money because most of their customers have audit requirements to buy something and nobody else in the industry is significantly better.
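The division of labor described in the first two comments (a downloader that never parses content, a guard that can only return a verdict, and a guard that is thrown away after every file so a corrupted one cannot affect the next) can be sketched as follows. This is an added example and not code from any commenter or from Symantec; the inspection rule (the EICAR test string) and the `CRASHME` marker are constructed stand-ins for a real scanner and a real parser bug.

```python
import json
import resource
import subprocess
import sys

# The guard. It runs in a fresh, resource-limited process per file, sees the
# bytes only on stdin, and may answer only with a JSON verdict on stdout.
# The detection rule is constructed for the example (EICAR test marker).
GUARD_SOURCE = r'''
import json, resource, sys
# Limit memory and CPU before touching untrusted bytes: a runaway parser
# dies here, in a disposable process, not in the downloader.
resource.setrlimit(resource.RLIMIT_AS, (256 * 1024 * 1024,) * 2)
resource.setrlimit(resource.RLIMIT_CPU, (2, 2))
data = sys.stdin.buffer.read()
if data.startswith(b"CRASHME"):          # constructed: simulates a scanner bug
    raise RuntimeError("parser fault")
verdict = "block" if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data else "allow"
sys.stdout.write(json.dumps({"verdict": verdict}))
'''


def scan(data: bytes, timeout: float = 5.0) -> str:
    """Downloader side: hand one file to a throwaway guard process and
    return 'allow' or 'block'. Any failure of the guard is treated as
    'block' (fail closed); the downloader itself is never exposed to the
    bytes being inspected."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", GUARD_SOURCE],
            input=data, capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "block"          # hung guard: reject, move on to the next file
    if proc.returncode != 0:
        return "block"          # crashed guard: reject, downloader keeps running
    try:
        verdict = json.loads(proc.stdout)["verdict"]
    except (ValueError, KeyError, TypeError):
        return "block"          # malformed answer: the only channel is yes/no
    return verdict if verdict in ("allow", "block") else "block"


if __name__ == "__main__":
    # Constructed sample files: clean, flagged, and one that crashes the guard.
    for sample in (b"plain text", b"x EICAR-STANDARD-ANTIVIRUS-TEST-FILE x",
                   b"CRASHME then junk"):
        print(sample[:12], "->", scan(sample))
```

Because each file gets a new guard process, the crash on the third sample leaves the downloader and every later scan unaffected.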
The problem is selling that better way.
If they had done things the way you say, their price point would have been higher, while everyone else who didn't do it is lower.
I've been in many budget meetings where Product X does A, and Product Y does A too. Both products let you put a check in the audit box. Product Y is 20% cheaper than Product X. Without a glaring fault in Product Y, nobody will spend the extra money for Product X.
The audit question is often worded: Is a centrally managed antivirus product installed on every PC? Are the definitions for the product kept up-to-date? Good! Pay us for verifying that (among other similarly useless questions) and here's your SAS70/SSAE16/SOC1 papers.
Customer says "Are you audited? Can I see your papers? Good." -- due diligence is considered done.
The people performing the audits rarely have a clue other than knowing that there's supposed to be a check in that box.
It's all a game of CYA and security theater, with very little real security being practiced.
[previous Symantec employee]
And this is where you already failed. Antivirus software is pretty much snake oil in 2016; it was already snake oil in ~2010. Running antivirus as your main security policy is how you recognise technically clueless CIO/CSOs (not that you will find many competent ones; all the education is leaning towards compliance over real security).
https://www.youtube.com/watch?v=DzC8jJ0ESJ0 https://www.youtube.com/watch?v=8Z7L498dNB0 https://www.youtube.com/watch?v=XdgDr1CIoqU
Totally poor sales program but great way to boost security and I'd wager more effective than antivirus.
That's not hard to do, but it's very restrictive. You can open a USB drive, but can't copy files from it. So, having achieved isolation, then what?
Tools like SandboxIE and other wrapper/shims are in an arms race that they will eventually lose.
Is this an explanatory simplification, or is it really only files that get scrutinized?
I would be equally concerned, if not more concerned, about network traffic (vulnerable daemons, clients vulnerable to maliciously crafted responses, etc) vs. files.
E.g. at least two or more employees must be required to be involved in any decision-making process, and separation of duties as per your suggestion, for a start.
I have found that MSE is very lightweight and catches almost everything. I have not found a reason to use anything else.
(I manage about 10 Windows PCs at work.)
(Protip: run such connections in a VM. This has a number of benefits:
* when they require a full scan it takes next to no time as the vm is almost empty
* when they cut off the rest of your network except for their site you can still reach google or your company server in the host machine.
* who honestly wants to run all those weird drivers on their day-to-day dev or sysadmin machine?
)
Disappointing either way.
But at least it's free!
> You know, it’s interesting that before I became the CEO of a startup, the only time I thought about “conversion rates” of emails in my career was when I was involved in phishing campaigns.
Edit: It's interesting to me that phishers are evil bad etc., and yet more interested in responding well to the rhetorical situation than people with careers.
No interaction is required to trigger the exploit. In fact, when Ormandy sent his PoC to Symantec, the security firm’s mail server crashed after its product unpacked the file.
[1]: http://www.securityweek.com/critical-vulnerability-symantec-...
> I think Symantec's mail server guessed the password "infected" and crashed (this password is commonly used among antivirus vendors to exchange samples), because they asked if they had missed a report I sent.
> They had missed the report, so I sent it again with a randomly generated password.
I'm not 100% sure I buy it. The follow-up comment is about how he had mistakenly sent them a wrong testcase, and he had sent them similar exploits in a zip with the password "infected" before (see https://bugs.chromium.org/p/project-zero/issues/detail?id=81... from April 28th).
It would be incredible for Symantec to guess the password "infected" for ZIP files. It's possible though!
Another reason not to run any "antivirus" on your personal PC.
"tl;dr: If you use software with “Symantec” or “Norton” somewhere in its name, stop what you’re doing and remove it completely."
They're primarily a rent-collecting entity that leverages the requirements of regulating industries like PCI as a way to tax businesses.
That's why all these simple logical steps to make their product better aren't (and won't be) implemented.