科技回声 (Tech Echo)

A technology news platform built on Next.js, carrying global technology news and discussion.

© 2025 科技回声. All rights reserved.
Symantec's Bad Week

182 points, posted by ontoillogical almost 9 years ago

10 comments

Animats, almost 9 years ago

We need ways to run "antivirus" software with fewer privileges. One way to do this is what some DoD high-security systems call "guards" and "sanitizers". When files come in from the outside, they're diverted to a jail, where something has to examine them and decide whether they can get through, and what changes have to be made to them. The guard and sanitization software runs jailed or on a separate machine - it has few privileges. All it can do is look at files and say yes or no, or remove something from the file.

There's a need for a division of labor here. The downloading function in a browser shouldn't be allowed to look at the contents. The guard/sanitizer function shouldn't be allowed to do anything other than say yes or no, or modify the downloaded file. After processing each file, the guard/sanitizer function is flushed and reloaded, so that if it was corrupted, it can't affect other files.
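The jailed guard/sanitizer split described in the comment above, as an added illustration that is not from the commenter, from Symantec, or from any DoD system: a Python broker that owns the quarantine and release directories and hands each file to a brand-new, resource-limited checker process. The checker can only reply allow/deny on stdout and write a sanitized copy to a path the broker chose; it is discarded after one file, so a file that corrupts it cannot influence the next one, and any malformed reply is treated as deny. The toy policy (reject executable headers and undecodable bytes, strip NUL bytes), the file names and the sample contents are constructed for the demo, and the code assumes a Unix-like host where Python's `resource` module is available.

```python
import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Checker program, run in a fresh interpreter per file (the "flushed and reloaded"
# step). It may only emit a verdict and, optionally, a sanitized copy.
# The policy is a constructed toy for this demo, not any real scanner's logic.
CHECKER_SOURCE = r"""
import json, resource, sys
src, dst = sys.argv[1], sys.argv[2]
MB = 1024 * 1024

def cap(res, value):
    # Hard limits set inside the child: a pathological input exhausts only this process.
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

cap(resource.RLIMIT_AS, 1024 * MB)   # address space
cap(resource.RLIMIT_CPU, 2)          # CPU seconds
cap(resource.RLIMIT_FSIZE, MB)       # largest file it may write

def finish(verdict, reason):
    print(json.dumps({"verdict": verdict, "reason": reason}))
    sys.exit(0)

with open(src, "rb") as f:
    data = f.read(MB + 1)
if len(data) > MB:
    finish("deny", "too large")
if data[:2] == b"MZ" or data[:4] == b"\x7fELF" or data[:2] == b"#!":
    finish("deny", "executable header")
cleaned = data.replace(b"\x00", b"")   # the one modification this checker may make
try:
    cleaned.decode("utf-8")
except UnicodeDecodeError:
    finish("deny", "not text")
with open(dst, "wb") as f:
    f.write(cleaned)
finish("allow", "sanitized" if cleaned != data else "clean")
"""


def guard_file(quarantined: Path, release_dir: Path, timeout_s: float = 10.0) -> dict:
    """Broker side: run one single-use checker over one quarantined file and move
    the sanitized copy into release_dir only on a well-formed 'allow'.
    Crashes, timeouts and garbage replies all fail closed (deny)."""
    release_dir.mkdir(parents=True, exist_ok=True)
    scratch = quarantined.with_name(quarantined.name + ".checked")
    outcome = {"name": quarantined.name, "verdict": "deny", "reason": "checker failure"}
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", CHECKER_SOURCE, str(quarantined), str(scratch)],
            capture_output=True, text=True, timeout=timeout_s,
            env={"PATH": os.environ.get("PATH", "")},  # minimal environment for the child
        )
        if proc.returncode == 0:
            reply = json.loads(proc.stdout.strip())
            if reply.get("verdict") in ("allow", "deny"):
                outcome.update(verdict=reply["verdict"], reason=str(reply.get("reason", "")))
    except (subprocess.TimeoutExpired, ValueError):
        outcome["reason"] = "checker timed out or returned garbage"
    if outcome["verdict"] == "allow" and scratch.exists():
        os.replace(scratch, release_dir / quarantined.name)  # only the sanitized copy leaves
        quarantined.unlink()
    else:
        outcome["verdict"] = "deny"
        scratch.unlink(missing_ok=True)
    return outcome


def run_demo() -> dict:
    """Constructed samples: clean text, text with NUL padding, a PE-style stub and an
    undecodable blob. Returns {name: (verdict, released bytes or None)}."""
    samples = {
        "notes.txt": b"meeting moved to 3pm\n",
        "report.txt": b"quarterly\x00 report\n",
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "blob.bin": b"\xff\xfe\x80\x01binary",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        quarantine, release = Path(tmp, "quarantine"), Path(tmp, "release")
        quarantine.mkdir()
        for name, body in samples.items():
            (quarantine / name).write_bytes(body)
        for name in samples:
            out = guard_file(quarantine / name, release)
            released = release / name
            results[name] = (out["verdict"], released.read_bytes() if released.exists() else None)
    return results


if __name__ == "__main__":
    for name, (verdict, body) in run_demo().items():
        print(f"{name:12s} {verdict:5s} {body!r}")
```

The division of labor is the point: the broker never parses file contents, the checker never sees the release directory or the rest of the quarantine, and the only channel between them is a one-line verdict plus a file the broker named. In a real deployment the checker would additionally run as a separate unprivileged user, in a container or on another host, as the comment suggests; the resource limits here are the minimum that keeps a malformed input from taking the broker down with it.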
joeyrideout, almost 9 years ago

I love the (military, not Zombieland) "double tap" nomenclature for follow-up phishing emails that pretend to be warnings about recent phishing emails. It's a pattern in social engineering that I've seen used a bunch, particularly in "vishing" phone calls [1], but never had a good buzzword for until now.

[1] https://youtu.be/h8kWcggio5A
justinlardinois, almost 9 years ago

Is there any reason for a Windows user to use anything other than Microsoft Security Essentials (or Defender as it's been called since Windows 8)? It's free and everything I've seen and read indicates it works just as well if not better than commercial antivirus suites.
DCoder, almost 9 years ago

From SecurityWeek's writeup on the same topic [1]:

"No interaction is required to trigger the exploit. In fact, when Ormandy sent his PoC to Symantec, the security firm's mail server crashed after its product unpacked the file."

[1]: http://www.securityweek.com/critical-vulnerability-symantec-av-engine-can-be-exploited-sending-email
a_small_island, almost 9 years ago

> "These vulnerabilities reminded me of phishing and the Double Tap for two reasons. First, every one of these vulns can be exploited by just sending an email. Since the product is an antivirus, so it's going to scan every file that touches your disk and every email you get for viruses. You don't have to get your target to click a link or even open the message you sent — Symantec will happily try to parse every email you receive."

Another reason not to run any "antivirus" on your personal PC.
doodpants, almost 9 years ago

So, do the "stop what you're doing and upgrade" links in the article actually go to Symantec's site, or are they phishing links? Because that would be a perfect example of the type of highly effective phishing the article is talking about.
sjclemmy, almost 9 years ago

For anyone who doesn't know, the title is a pun on https://en.m.wikipedia.org/wiki/PiHKAL
0xdeadbeefbabe, almost 9 years ago

Footnote 1 is very interesting (and so is the rest of the post):

> You know, it's interesting that before I became the CEO of a startup, the only time I thought about "conversion rates" of emails in my career was when I was involved in phishing campaigns.

Edit: It's interesting to me that phishers are evil, bad, etc., and yet more interested in responding well to the rhetorical situation than people with careers.
walrus01, almost 9 years ago

Fixed that:

"tl;dr: If you use software with "Symantec" or "Norton" somewhere in its name, stop what you're doing and remove it completely."
droopyEyelids, almost 9 years ago

I think everyone is confused because they don't understand Symantec's business model.

They're primarily a rent-collecting entity that leverages the requirements of regulating industries like PCI as a way to tax businesses.

That's why all these simple logical steps to make their product better aren't (and won't be) implemented.