back to article Life after antivirus: Reinventing endpoint security

Security professionals still talk about “antivirus defences,” but in the space of a handful of years what is meant by this term has undergone a dramatic shift. On the surface, things look much as they have always done. Businesses still run what used to be called “AV protection,” reinvented some time ago as the all-purpose “ …


This topic is closed for new posts.
  1. Marty McFly Silver badge

    Missed opportunity for El Reg...

    Article should have been titled "Sophos yells 'me too' and tries to catch up with the rest of the industry".

    1. Danny 14

      Re: Missed opportunity for El Reg...

      We were contemplating intercept x. I wasnt aware of any other anti ransomware esq alternatives (centrally managed for hundreds of pcs). Can you recommend an alternative?

      1. StomperUK

        Re: Missed opportunity for El Reg...

        Indeed there are new players. Sophos is definitely taking the 'me too' approach. Take a look at SentinelOne. They're the leading visionary in Gartner's endpoint security magic quadrant published a couple of weeks ago. They provide a single agent that does prevention, detection, forensics, mitigations and remediation. They're the leader everyone is following. And yes I work for them.

        1. Anonymous Coward

          Re: Missed opportunity for El Reg...


      2. Tom Paine

        Re: Missed opportunity for El Reg...

        I had the opportunity to work with FireEye web and mail appliances a while back - they pop open file attachments (for mail, or just downloads for web) in a sandbox and watch what it does. I'm sure it's not perfect, but it was catching a lot of stuff my then employer's mainstream corporate desktop AV was missing. I gather it's ferociously expensive, although as they just fired a load of sales ppl perhaps that's changed.

        I assume that as FE have been doing this for several years now, that competing products doing the same sort of thing are available; I just haven't heard of them.

    2. Anonymous Coward
      Anonymous Coward

      Re: Missed opportunity for El Reg...

      Exactly - just a year ago they were shouting down 'next-gen' as ineffective..... please.... all aboard the next gravy train ! Choo Choo!

  2. tr1ck5t3r

    When testing their new XG UTM, I could still take it down with a silly little ip address.

    I don't see manufacturers providing software to authenticate the firmware on their device chips, and I don't see enough people checking the open source code that works with compromised firmware and drivers.

    I don't see any of these points being addressed after all these years.

    1. Tom Paine

      When testing their new XG UTM, I could still take it down with a silly little ip address.

      I don't understand what this means, could you explain a bit more? Are you talking about handing it traffic with spoofed IPs ? Setting the src IP field to What?

      WRT bootkits and embedded microcode, there are in fact various schemes using variations on crypto-signed hashes to check integrity of such microcode. The hot (relatively) "new" unaddressed HW vulnerabilities seem to mostly be around attacks on busses such as USB, SATA, PCI-E &c.

      However this is all irrelevant if you're not doing at least basic threat modelling. Bootkits, microcode exploits and suchlike are very unlikely to be used outside of targeted attacks on high value targets by nation state actors; for almost everyone else, there are much easier ways of getting the job done.

  3. J 3
    Thumb Down

    Gee, I gave up in the middle of this text. Boring as hell PR thing, that is what it sounded like to me.

    1. Bronek Kozicki

      Well, you have to admit that it clearly stated Promo at the start!

      1. Tom Paine


        Oh, is it? I actually stopped reading half way through and scrolled up to look for some sort of "advertorial" disclaimer, but couldn't see one, so I assumed it was just rather poor writing... sorry, Mr Author!

  4. anthonyhegedus Silver badge

    The problem as I see it is that if a device is capable of running its own antivirus to protect itself, then logically, it's also capable of running a virus/malware. And if you and I can run the antivirus, then so can the people who make the viruses, which means they'll hammer away at it until it can be worked around.

    1. Brian Miller

      Well, yes, that is how it works. And then there are those who will blow through half-a-dozen prompts in order to run that malware they received, or even shut off the scanner.

      It's always a challenge to defend the benign-and-stupid against the clever-and-malignant. That's what scanners try to do.

  5. Baldy50

    When I....

    Need to use W it's in a VM, nearly always air-gapped and I never save the machine state, so a fresh, pristine install every time.

    Maybe the future of computing is destined to load up a hardened OS like Whonix or better and then run your preferred poison and if you think something hinky is going on, for example, fans kick for no reason, processor usage suddenly goes through the roof etc, shut it down and re-start, doesn't take long.

  6. P. Lee

    AV is a sign of the failure of Windows security policies.

    Where are my switches for starting applications? /nochildspawn /nonetwork /nochangeprivs /nopermwrite /flagsecviolations /noproxyuse /nopublicipaccess /currentdoconly /noforeignmimefiles etc?

    Putting in some sensible defaults would kill most security issues, since they are mostly down to users not knowing or caring and being hit by drive-by infections operating at the level of the user. We need to be more fine-grained that than.

    Set the security policy to sandbox the application before you start. Maybe even get the OS to add metadata used by the original application security policy when the file was written. These would be worthwhile OS upgrades, not the "Modern" interface.

    1. Tom Paine

      AV is a sign of the failure of Windows security policies.

      Really? So how do you account for the existence of AV products for Macs, iOS, Android, Linux and (IIRC) even one or two on BSD?

This topic is closed for new posts.

Other stories you might like