08-23-2012 04:10 PM
From the NIS 2012 Forum:
We've seen a lot of explanations of why the repairs are so difficult - but little about why identifying and blocking this sort of attack can't be done. I for one, would be much happier with an over-aggressive blocking approach in place of this sort of "too late" approach...
From SendOfJive: I don't think you would be happier with an over-aggressive approach. Currently, the best means of preventing infection by polymorphic malware is through reputation-based file blocking - the notorious WS.Reputation.1 detection. Even in its present state, this approach blocks many legitimate, albeit lesser known, programs and causes considerable grief for small developers, and users alike. Making it more aggressive would cause an even greater number of false positives, and result in the removal of still more completely safe installation files. In the case of Zeroaccess, the malware often covers its installation behind a legitimate Adobe Flash Player installer. Can you imagine the headaches and complaints that would result if Norton removed the Adobe installer every time users tried to update Flash?
We have not been infected (yet) because I do virtually everything suggested (except sandboxing) and have for years. But that's me and a relatively few other experienced users. The huge majority of Windows users are not going to do this stuff and for them an overly-aggressive security suite (even at the expense of issues for some developers and users) would be vastly preferable to infection.
From Garlen: If we assume that Norton can't fix these issues, then they should prevent them and protect inexperienced users; that's why a lot of people buy suites and that's how Norton markets their products.
Or they could just market to experienced users and say “have a nice day” to everyone else. They're trying to have it both ways and this forum proves it isn't working.
Interesting addendum: Secunia PSI just picked up updates to Adobe Air and Flash Player. If we assume that many/most of these issues are caused by systems/software not updated, then maybe Norton/Symantec should license and include Secunia PSI in their products or create something similar themselves. This would force people to know their potential vulnerabilities and accept some responsibility if they fail to act. Now, it's almost impossible for most inexperienced users to know if they have outdated software that puts them at potential risk.