by nobodyorother 3179 days ago
So they're basically admitting that their antivirus tools aren't secure enough to handle a basic code review?

Yup, totally makes me want to buy copies.

"No, guys, security by obscurity totally works in this one case! Because it's us! Come on, you trust us right?"


To play devil's advocate, they may not be worried about vulnerabilities in their code but rather vulnerabilities in their method of virus detection, the same way Google doesn't share details about their search algorithm partly so it isn't gamed by spammers. Actually this is common in software that is meant to protect against sophisticated attackers. Blizzard and Valve used to have periodic mass bans but they would never say what exact action triggered a ban. In fact you would get no information and the ban itself may have come months after some hack was used so that crackers wouldn't know what specifically triggered it.
> To play devil's advocate, they may not be worried about vulnerabilities in their code but rather vulnerabilities in their method of virus detection

This is an argument for factoring out the means of virus detection into a closed-source plugin/module, while opening the source of the rest of the code. Particularly since detection is presumably pure (i.e. functional programming notions of purity and referential transparency), and thus much less likely to be a source of vulnerabilities, compared to the rest of the client which actually interacts with the OS, disks/files, etc. and is therefore much more likely to be exploited. Because the vulnerability scanner would still be a closed-source binary blob, the public would need to trust the company that the blob is actually pure, but seeing that blob within the context of an open-source client which is handling I/O makes that trust easier.

Yes, it makes it easier for malware creators to test their creations against the closed-source module before releasing their malware into the wild. But sophisticated malware writers are already doing that, by installing the anti-virus client into a VM, updating it, disconnecting it from networks, then loading the malware into the VM and seeing if the malware is detected or not. So malware writers don't gain that much from the opening of the rest of the codebase (unless they succeed in finding vulnerabilities that the rest of the world doesn't), and the white-hat public gains a much more trustworthy security tool.

Well, that’s an argument they should have made! I think it’s extremely charitable to assume this is why, though, when every indication points to code-audit fearmongering.

But, you're also forgetting that these virus scanners can also be vulnerabilities and exploits in themselves; I seem to remember one virus exploited a flaw in the compression code of a virus scanner to establish some type of malware. Just because something is a trade secret doesn't exactly lessen the risk of it existing.

What's the difference between vulnerabilities in code and vulnerabilities in virus detection? Isn't the virus detection done in code? Is security through obscurity valid for virus detection but not code?
I don't think the parent is talking about vulnerabilities, but the fact that if you know how the antivirus engine works it may be easier to write a virus able to avoid detection.
That makes sense, though I think there's still a large difference between the virus detection and ranking algorithm comparison. The entirety of the virus detection code is running on the client's PC; surely it can be reverse engineered and understood fairly successfully?

The same can't really be said of Google's algorithm, as it's essentially a hugely complex black box, and you can barely interact with it. That's kind of like reverse engineering a chip purely using its inputs / outputs.

Sounds like a vulnerability. Isn't that how the argument went about source code? "If you know how the program works it may be easier to write an exploit." But then experience taught people that exposing source code to the bright sunlight by opening its source could actually make software more secure through many eyes finding holes. Why is this not applicable to virus detection algorithms?
Now that I think about it, you have a point. In general when I think about a (software) vulnerability I think about taking advantage of some bugs or unforeseen behavior of the software. If the software is acting as intended but cannot protect you from a certain kind of issue, can we say it has a vulnerability? My answer was no before, now I am in doubt :-).
> "If you know how the program works it may be easier to write an exploit."

BTW, this is true. Seeing the source code versus having to go through assembly listings - I know which one I'd pick if I had to find logic bugs.

> Why is this not applicable to virus detection algorithms?

It's not an algorithm, but a heuristic. If you want to look for a suspect, you don't announce "I'm looking for someone 5 feet 5 inches tall with a buzz cut who drives a Ford and wears size 12 Nike sneakers". In much the same way, security via heuristics doesn't mean creating a perfect detection system, because it doesn't exist. They want to make the game harder to play by hiding the rules of the game, not because they're sure that they're going to win. This is a real, tangible benefit for the customers. There is nothing really special about it, we've been using such ideas for centuries.

How do you build a heuristic if not with an algorithm? Perhaps the entire AV model employed by Symantec is flawed.
Because it's not that easy. If I write some part of the code to detect whether you are a good human and whether you will go to hell or heaven, evaluating that for me would be hard. And if you had access to my source code you could check what I am looking for and could maybe cheat.

The vulnerability, as I would call it, is if I sent you to hell and you found a way to escape.

I can second that. A lot of virus detection basically boils down to detecting this particular substring. Which is usually quite easily bypassed.
Somebody please reply to this. Both this comment and the above comment seem reasonable. I don't know what to believe!
For me, worrying about "vulnerabilities in their virus detection method" seems unlikely.

We're talking about downloadable software here, not a cloud service like google. Once a hostile nation state has access to your binaries (as they would with an installed product like A-V) they can just fuzz the A-V detection method to find bypasses.

Heck that's what pentesters and red teamers do on a regular basis, A-V bypass is a common thing in that world, so if people at that level can do it you can bet that nation state actors can do it.

Yeah, when I worked at Malwarebytes we did not really care about this issue. If people are going to download it they are going to reverse engineer it.

We also did third party security audits on a regular basis, but still wouldn't be comfortable allowing that to be done with other countries. Purely my own opinion here, but my concern wouldn't be a security one so much as an intellectual property one- it's pretty well known that other governments (China, Russia) have strong links to their commercial sectors and little regard for IP protection.

I believe the latter post (obfuscating the method of detection) over incompetence.

Don't forget that nation states also produce malware (Recall Stuxnet?) [0] and evading detection is substantially easier when you know exactly what to avoid doing.

[0] https://en.m.wikipedia.org/wiki/Stuxnet

Evading detection is easy if you have the slightest clue of what you're doing. Antivirus evasion simply isn't difficult enough for this to be a reasonable explanation.
You're intentionally conflating "basic code review" with "politically charged state actor performing code review", which are not the same thing.

Did they say they allow no audit or outside code review?

Or simply that political nation states who have intelligence agencies that actively subvert security solutions to compromise computers (the very things AV companies work to prevent) shouldn't have access to the very cookie pot they work to steal from?

Frankly, I have no idea why you'd let people review your source code who have a vested interest in finding exploits that they will use against people using your software.

Usually companies allow source code review because they're trying to sell their solutions in the countries in question.

Look at it from the perspective of those countries

Symantec "hey buy all our security software it's super-great"

Foreign Gov. Customer: "Sure, can we check the source code first to see if there are any heinous security bugs or NSA backdoors?"

Symantec: "Oh gee no, allowing you to see the source code of products we want you or companies in your country to run might compromise its security."

Foreign Gov. Customer: "..."

They're completely okay with that response. What they're worried about is that customers in U.S. government would consider their product more secure if they can ensure that the potential attackers in e.g. Russian government don't have access to that source code.

You can't please all customers if customer wants you to protect them from another potential customer of yours, you have to pick a side and stick to it.

Well in this case it's not a big problem, as stated in the article Symantec didn't do much business in Russia.

However, let's extrapolate and say what if the same thing were applied to Apple or Microsoft, who sell a very large amount of software to countries like China.

Should they forbid China access to their source code due to concerns from US customers.....

Would their shareholders be happy if they did? China is a large market, loss of access to that would be bad for a company's financial health.

Symantec: "No, our code is audited professionally by the most reputable international firms along international standards of quality. You can review our audit reports and engage with the international body responsible for regulating audits to raise any concerns"

Foreign Gov. Customer: "But what I really want is for my tech spooks to scan pre-selected high value modules for already known and suspected zero day exploits for our own clandestine use"

Symantec: "...."

What "international body for regulating audits" would that be? I'm not aware of any such body...

Also, if Symantec won't trust their customers to that degree, why should a foreign government or their key industries trust Symantec software?

If a US audit firm audits US software, why should an international government trust that there isn't a US backdoor in there? Or perhaps that the US audits have uncovered issues but instead of patching them they handed them to the NSA for later use in their TAO teams... (wannacry anyone?)

Obviously Symantec are free to withdraw from a given market as they have here, but to suggest that trust is a one-way street seems, well, a bit unbalanced.

I do not personally believe in today's world that national security and software can be separated.

As an American, I certainly would not trust any non-American AV software.

I would assume that all AV made in another country is compromised by that country's government intelligence. That would be a safe assumption.

I would be safer using American AV as an American because, despite what the anti-gov propaganda wants us to believe, it's far harder for the NSA to spy on Americans than non-Americans.

Regardless, this entire thread (and your post) seems to treat nation-state actors as inherently innocent, which is so blindly naive that it's difficult to rationally respond to.

But this is the nature of cyberwar. Damaging, effective, wide-spread--- and invisible and plausibly deniable.

Symantec giving source to Russia should be seen as a violation of American national security at this point, because it gives a hostile foreign government a blueprint to attack US networks.

You've picked me up entirely incorrectly if you think I'm of the opinion that nation state actors are innocent.

My point is if the US treats foreign govs as dangerous then those foreign govs should treat the US as dangerous equally, including US software.

Given US software companies international sales volumes that's a massive existential threat to the US economy.

If China/Europe/Russia etc. stop using US software products then what will happen to the profits of Microsoft/Google/Apple et al....

My other point was the apparent one-way nature of trust that I felt you were implying: that foreign govs should trust US software whilst at the same time accepting those software companies do not trust them...

Well we all are citizens of one country or another. So what exactly does outside code review mean? American code can only be reviewed by American code reviewers?

Would you trust Chinese software that was only ever allowed to be reviewed by Chinese auditors?

Private firms earn their reputations by their behavior. We have international / multi-national / NGO's which can exist beyond the politics of the nation states they reside in.

You should trust a firm to review your code not based on their nationality, but based on a wide criteria.

Included in that criteria for me would be whether or not the organization is committed to the work of subverting your software through intelligence operations.

But, that's just an end-around because all countries with markets worth selling in have intelligence agencies which subvert AV and other software for clandestine purposes, so all nation states are excluded.

W.r.t Chinese auditors, because of their oppressive and authoritarian government which goes so much further than western governments to control business and speech, and which has a much deeper history of subverting any control structure outside of the Communist Party, I would certainly treat their work as suspect by nature, but if there were a Chinese auditing firm renowned for its quality, privacy and separation from their government, I don't see why I wouldn't consider it.

Well, to be fair, they don't really have a choice in the matter.

Open it out to code review by only a small number of people, mainly governments, and you are opening it out to a small set of people doing code review explicitly driven by the primary intention of finding vulnerabilities in it. This would apply to even the US govt, who routinely request software vendors to delay patching or even disclosing 0-day vulnerabilities till they have sufficiently exploited it.

Allowing more scrutiny will work only if enough eyeballs are devoted to it driven by benevolent intentions. Best results would be to open source the whole thing but that would not make business sense to the company.

Basically, either you open it out completely or not open it up at all. Opening out to a few government funded hackers is probably the worst choice they could make.

Obscurity is a valid part of some security schemes. It shouldn't be the only method, of course.