[carussell]

Two comments:

The way its written, I first took the mention of finding this "during the analysis of a prominent antivirus product" to mean that you were reverse engineering some AV thing and found that it was scanning for this vulnerability (i.e., to protect against bad archives). After a second read, it seems like maybe not, and that the AV itself re-used parts of 7-zip for its own implementation and was therefore vulnerable itself. Still not sure, though.

The way the stylesheet makes the "rendered" form (especially section headings) resemble markdown source is pretty neat.

[landave]

You are completely right with the first comment. The antivirus product itself reuses parts of 7-Zip and is vulnerable itself. I mentioned this mainly because I did not analyze the original 7-Zip software, but only discovered that it was affected as well after I had found the bug in this antivirus product.

I admit that this is confusing, so I'll probably try to rephrase this.

[woodson]

Seems like a possible license violation then (7-Zip is LGPL).

[ciupicri]

LGPLG is let's you use a library without distributing the source code of the whole program.

[Laaas]

Read section 4 of https://www.gnu.org/licenses/lgpl-3.0.en.html, there are some things you still have to do.

[arka2147483647]

It's common knowledge that AV programs scan files inside compressed archives. Obviously you need to run the decompression code to do that.

[blattimwind]

It's also common knowledge that the AV industry has a huge software quality and engineering problem ("let's unpack malware and emulate x86 in kernel space, because that never backfired before!").

[katastic]

I've actually heard many people (including one Chrome developer) that they don't even use AV anymore except Windows Defender because 99% of AV break Windows/applications by using non-standard hooks and may even introduce new vulnerabilities with their kernel drivers/etc.

https://it.slashdot.org/story/17/02/01/1334219/google-chrome...

Honestly, if they can't even stop viruses from infiltrating closed systems like Android and iOS, I don't see how an anti-virus suite could ever win the battle against a user intentionally installing a virus.

(Of course, desktop apps are a different ballpark than web apps/websites where you're merely connecting to a website vs installing a dedicated application with filesystem access.)

[kbenson]

I'm one of those people. I would be really interested in seeing what percentage of exploits, malware and spyware is caught by each feature of the common AV suite. I suspect that Defender is at the sweet spot.

Additionally, I see the entire AV market as a leech that was only able to grow as it had because Microsoft was able to shirk its responsibilities with respect to security for so long. Now that Microsoft are trying to handle the problem the AV companies are crying foul because they think they deserve the right to exist, which means Microsoft shouldn't do too much to help their own customers.

AV companies are the car dealerships of the digital realm. Superficial middlemen ensconced in a bygone era leeching money from the unwary. We should be careful, lest we legally formalize that relationship as we have with the dealerships.

[hutzlibu]

My experience so far (helped maintain lots of non IT people's computers) was also, that the performance gain from removing antivirus software (and just using defender) was worth the theoretically less protection.( If even so)

Besides, with the behavior of most free Antivirus I could not really distinguish from common spyware. Everything needs to call home these days ...

So when friends ask me if this computer is now virus/spyware free .. they are usually a bit disappointed when I tell them, probably not, even if we delete everything and remove windows (but it would help).

But most people, including me, need windows from time to time, so it's allways a compromise. But common (free) Antivirus is really just snake oil.

[proactivesvcs]

Many of my customers run the common free anti-virus programs and I can assure you that they are not snake oil. The logs and alerts from blocked infection attempts are testament to this.

I certainly would say that most of the free anti-virus is pushy, hungry and generally not a particularly great marketing exercise.

[hutzlibu]

Sure they do things - but they promise real security and protection - which is a laughable claim, when you look at detection statistics. They are not much better than defender. But unlike defender, they themselves act like spy/adware sometimes. Showing advertisement on the desktop etc. and communicating with the server a lot and not for updating.

Oh and my experience with most of their logs is, that they log and alert allmost everything - even when it is trivial as a tracking cookie - but make it look like a real threat to the ordinary user to show what good work they are doing. And especially on older computer really slow things down.

So I cannot recommend them and rather stress the importance of updates and not mindlessly install/click random things. (but with updates allmost everything important does that automatically now anyway)

[freeflight]

> The logs and alerts from blocked infection attempts are testament to this.

Infection attempts by what? Scans of phishing mail attachments they wouldn't have opened anyway? At least if they know what they are doing. In addition, many AV have this annoying habit of reporting quite a bit of false-positives based on sys-calls or some weird heuristics, this leads to the situation where even totally legit software, from a trusted source, triggers a warning.

Which then conditions people to just click past the warning, at that point you might as well not even run the AV at all and instead just scan individual files online through some virustotal-like service and teach proper user behavior.

Due to this dynamic installing a good ad-blocker will probably do more for the security of the average windows user than any AV software ever would.

[Hello71]

https://en.wikipedia.org/wiki/List_of_rogue_security_softwar...

[alkonaut]

I don’t think I know of windows users that use anything other than defender these days on their personal machines, but I (am forced to) use McAfee on my work machine. I suspect that the enterprise tooling is better for third party AV and that’s the only thing other than inertia keeping corporate desktops on those old AV products.

[sp332]

While I think that's a pretty reasonable approach to antivirus these days, Defender was one of the scanners that was doing that. https://arstechnica.com/information-technology/2017/05/windo...

[floatboth]

Yeah, anti-virus is a crap idea.

Real security is proactive security (exploit mitigation, sandboxing, correct code, safe languages).

Reactive security kinda sucks. You have to patch known vulnerabilities, sure, but detecting exploits? Ugh. Eww. Do not like.

And indeed users mostly install malware these days, because self spreading (actual "viruses") is hard (we're not in the DOS/Win9x days anymore). So users should be proactive as in not clicking on TotallyNotMalware.exe :)

[quotheth]

This is really just not accurate. You can say that AVs are crap, but please don't put all of your eggs in the 'proactive security' basket. At one point that was actually the prevailing attitude, and it just failed absolutely miserably.

Instead, today, we see more companies invest in what's called "incident response". Part of a healthy incidence response program is signature detection - AV plays a role in this.

If you don't have good detection capabilities you're missing a huge portion of what makes an organization secure.

Relying on proactive users is also a recipe for disaster and not a realistic goal at all, nor should it be.

[irundebian]

Of course you should be able to respond on security incidents. If you have a security incidents it's often too late and security boundaries are already borken. In the long term we want to have secure systems which are secure by design and by default. We have to invest heavily in incident response because we have have all of these shitty and broken systems. We should already have started heavily on building secure systems and secure languages and should call on everybody to invest time to build these instead of building reactive technologies like AV.

[Nadya]

I'm also one of those people.

When it runs code to detect if it is a virus, you have to trust the sandboxing and frankly I've yet to see a sandbox that at some point hasn't been taken control of and exploited (this goes for web browsers too). So it's better to just not execute code than to trust the AV's VM to execute the code without being compromised.

I use programs on a whitelist basis and only update for security patches. This avoids issues like what happened with Transmission.

AV also detect have pitiful detection rates - something like <50% of exploits daily. It's "something" but once you're compromised you're compromised and using an AV just gives a false sense of security.

E: I imagine the downvotes are from my claims of pitiful detection rates or claims that AV is basically security fanfare. Don't take my word for it then.

[0] https://www.theguardian.com/technology/2014/may/06/antivirus...

[1] http://www.blackhat.com/presentations/bh-europe-08/Feng-Xue/...

[2] http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-whe...

[3] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1916708

[alibert]

I also believed this for a long time but recently I stumbled upon this https://www.malwarebytes.com/remediationmap/

Obviously this is an anti malware company PR (but please look at the MS Consumer (defender) failed detection rate). This made me research again the AV landscape and then I found this https://fatsecurity.com/tools/test-results-calculator?compan... A website that seems to aggregate a lot of AV independent tests in an easy to use UI.

MS Defender is not really good now. Even free AV are better and have lesser performance impact than Defender (but obviously come with ads, less privacy, etc.).

(I submitted recently the map to start a discussion about it but did not seem to interest anyone)

[rootw0rm]

AV sucks, Defender sucks more, brain behind the keyboard is king.

[digi_owl]

Well the definition of a "virus" have expanded greatly over the years.

The original definition was a piece of code that would latch onto binaries, and be spread that way. And those had telltale signatures (a virus may have added a jump at the start of the binary to the end, where a copy of the virus code resided, and then jumping back to the beginning of the actual program code).

And i am not so sure there is much distinction between visiting a JS heavy site and running a program locally these days. After all, we are seeing the likes of Google exposing USB and Bluetooth via JS APIs now.

[proactivesvcs]

"because 99% of AV break Windows/applications"

This statement does not at all pan out in my experience. It is very rare for me to come across broken applications or a faulty Windows installation because of anti-virus software.

[pixl97]

Your experience seems very limited.

Be a MSP with thousands or tens of thousands of different configurations, all the different antivirus software you can think of, and 20+ years of doing it and you'll see anti-virus break everything you can think of.

AV prevents windows from shutting down. AV prevents windows from booting up. AV prevents windows upgrades. AV prevents windows updates. AV causes blue screens. AV quarantines critical windows system files. AV blocks network resources unexpectedly. AV cripples network performance. AV breaks hardware drivers. AV causes programs to unexpectedly close or crash.

Are just a common list I have to deal with.

[proactivesvcs]

I'd suggest you don't know what experience I have.

I've certainly had problems with anti-virus programs, but no more than I have had with any program, operating system, driver or hardware problem really. Mostly they behave, sometimes they misbehave.

I've rarely seen anti-virus causing shutdown problems. Boot problems have almost always been faulty storage devices or operating system corruption. I've fixed more faulty WU instances that are broken because of Microsoft (recent Win7 authcab problem, IE cumulative years ago, etc). than because of anti-virus. The programs that I have come across that are crashing are rarely solved by removing anti-virus software.

If anti-virus was as widely and horrendously crap as some people keep repeating then I'd know about it because I'd be saying the same thing.

[katastic]

Addendum:

Anyone remember GStreamer being a Linux vulnerability because it had a 6502 CPU emulator to run... NES music files, and hackers managed to jump outside of the VM.

https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit...

It makes me wonder how easy it is to break out of a particular anti-virus vendor's VM, in a vulnerability that wouldn't exist if you weren't even running AV (outside Defender) at all.

[carussell]

I don't know what this comment contributes to the conversation besides being vaguely condescending. I didn't ask why an AV product would be re-using 7-zip code.

[Promarged]

> The way the stylesheet makes the "rendered" form (especially section headings) resemble markdown source is pretty neat.

As far as I see it's just section headers, but I agree the stylesheet is very nice. The section header prefix (###) could be an anchor to the section though (<a href="#section">).