this post was submitted on 26 Aug 2024
56 points (100.0% liked)

Cybersecurity

5683 readers
45 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] flying_sheep@lemmy.ml 15 points 2 months ago* (last edited 2 months ago) (2 children)

No, that's not the take-away.

Going without AV as a computer-savvy person is perfectly reasonable, as AV companies can't be trusted, and AVs are notorious for having deep seated privileges and bad security themselves – therefore increasing your attack surface.

The take-away is that if you're deciding for an institution that's contractually obligated to do a thing, you should do it.

[–] jet@hackertalks.com 8 points 2 months ago (2 children)

I think it's important to be clear about the difference between antivirus, and an in resident black box agent.

An antivirus that you run on static files, is perfectly fine in any environment. t's controllable it's known you know the inputs you know the outputs. You know what you're exposing to it. Even if the antivirus itself is a black box, you spin up a VM with the files you want to scan, you get the output of the scan, you destroy the virtual machine. So you don't leak anything

An agent that stays with privileged access to the machine, is basically a root kit, and they're often black boxes. So a black box root kit is a huge security risk, especially if that black box needs to phone home to a service outside of your network. That's just crazy. That's more than an antivirus, that is I don't even know the right word, but it's a lot.

[–] flying_sheep@lemmy.ml 6 points 2 months ago* (last edited 2 months ago)

Very true. I doubt the researcher in question would object to use a virus scanner like you described.

Every consumer antivirus software works like the black box rootkit you described, AFAIK.

[–] stringere@sh.itjust.works 2 points 2 months ago

That’s more than an antivirus, that is I don’t even know the right word, but it’s a lot.

I think SIEM is what you're looking for: Security Information and Event Monitoring

[–] Ajen@sh.itjust.works 2 points 2 months ago

Depending on how the contract was written, running a clamav scan periodically may have been sufficient.