Complete Transcript of Interview – Randy Abrams - ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
January 27 2007
Alan: Now that Vista is launching and it is supposed to be the most secure Windows Operating System ever – right out of the box – do we still need 3rd Party Anti-Threat software? Our guest today, is Randy Abrams, Director of Technical Education with ESET. Welcome back to Let’s Talk Computers, Randy.
Randy: Thank you, Alan. It’s good to be here.
Alan: You worked many years at Microsoft before joining ESET. You really know what it takes to make a Windows Operating System secure. So, what can you tell me about the built-in security in Vista?
Randy: I worked there for twelve years. We worked with various Security Groups, as well. And Microsoft has done some really good stuff with Vista. Even Microsoft, which is selling Windows One Care, which has an anti-virus component that runs on Vista. Microsoft certainly is confident that you still need anti-virus software. In fact, I worked at Microsoft for twelve years and for much of that time we could not get onto the Microsoft Network if we did not have anti-virus software running on our computer. Now, I am sure that Microsoft Corporate IT is going to tell the users that pretty much they have to be running Vista. And yet they don’t let them on the network without anti-virus software. Still.
Alan: It’s not just the operating system, itself. It’s people, it’s machines and it is the operating systems that you have to look at to keep safe, because people can cause a lot of damage, can’t they?
Randy: In addition to the operating system, there are applications, which can be vulnerable too. In the past few days we have been seeing these worms and Trojans being spammed out – thousands and thousands of them. None of them run by themselves. All of them require a user to double-click on an executable file. And Vista doesn’t change that. If the person double-clicks on an executable file, while Vista might warn them that they are about to run something that’s potentially harmful, if they say, “that’s ok – just run it”. They’ll run it. And if it’s bad, it’ll do bad things.
Alan: So, you can still shoot yourself in the foot, no matter how secure you are, even with the most elaborate operating system. You need somebody to watch over what you are doing, right?
Randy: Right. Unless you are so sophisticated that you understand what every program is going to do and notice when something’s a little bit awry, we all need security software to help us protect ourselves.
Alan: Microsoft, in their new Vista came out with something called User Account Control, or UAC. What is it and how does that keep us safe?
Randy: What it really is, is a means to allow users to run their computers without being full-fledged administrators. There are certain things that you can’t do with a lower account level. When you need to do more privileged operations, in many cases, Vista will prompt you and let you temporarily run it as an Administrator. For most things, you don’t need to be an Administrator. You don’t need to be an Administrator to play games or defend e-mail or to surf the Web. In previous versions of Windows, you’ve always been an Administrator. So, if you’re surfing the Web and you come across a site that has something malicious that is exploiting a zero-day vulnerability, you were just infected, just by visiting that Website. With Vista, with the lower account access, or UAC, you’re not the Administrator. Not only do you get prompted, saying, “this is trying to run something”, even if it is a zero-day vulnerability, if it does run, it’s not allowed to do as much to the operating system. And that means it is a lot easier to recover.
You’re still well advised to have anti-virus software, because you don’t want to let the stuff run at all. If something gets in and steals your information, then Vista can’t stop identity theft if someone’s able to get you to run software that sends the information back. However, Vista can help make it so that the system never gets completely wrecked in the process.
Alan: Even with the new Internet Explorer 7 that will be included in Microsoft’s Vista, it still has some vulnerabilities that can be exploited.
Randy: Even running with IE 7 you can be infected and affected by malicious software, all the time, 24 hours a day on the Web. There are sites out there that are keeping zero days, using known vulnerabilities, and if people aren’t patched, they are very vulnerable, as well. And even patched, people configure things for convenience, and one of the conveniences is letting things run automatically. If you let good software run automatically, the bad stuff runs automatically. And that’s where the UAC is going to annoy some people, too. Because Vista won’t just let good software run automatically in all cases. In many cases, depending on what the good software is doing, the user will get a prompt, saying, “something is about to run” and the user will say, “Yeah, I know, I clicked on it”. That’s not what it’s about. It’s about the times you don’t click on it. And how does Windows know what you meant to run?
Alan: This is the biggest problem that you have with software that prompts you constantly, telling you “well, we’re blocking this and we are not going to let you do this”. After a while, people by nature get annoyed. The first thing that they do is that they turn off the annoyance, turn off the warning messages. It hasn’t bothered me since. It won’t bother me now. I’ll turn it off and I can just surf very smoothly.
Randy: And people who do that are going to lose a significant portion of the security enhancements in Vista. The other thing about Vista, though, is it’s not going to be appropriate for all people. A professor in New Zealand wrote an article indicating that with Vista, if you want to record your own CDs for your own legitimate use, if you don’t buy hardware that’s got special patent protection measures built in, Vista actually degrades the sound quality. And so, by decreasing the computer experience, Microsoft tends to put a barrier to getting the added security of Vista, as well.
Alan: Well, this is where ESET comes in. NOD32 runs on the new Vista Operating System and you put a wrapper around the Operating System, to keep us safe, don’t you?
Randy: That’s one way to look at it. We monitor what’s coming into and going out of the Operating System, and in applications like Office, as well. Vista might limit how much the bad software can do; ESET’s all about not letting the bad software do anything at all.
Alan: And, a lot of times, you don’t even get a message because you can turn all the messages off and still be completely safe because you are trapping the bad guys in the background and you are quarantining them for us (or actually deleting them), when someone is trying to send us a virus in e-mail.
Randy: That’s the kind of protection you want. You want multi-layered defense. Defense in depth. And part of that is having a more secure operating system, part of it is using the configuration for software that you have, like Office, setting the macro security up to high; and part of it is using Anti-Threat software, like ESET’s NOD32.
Alan: One of the things I like about ESET is that you only have one version. It is always the latest. It’s always the most up to date. It always has everything in it. There’s no difference between a Corporate Edition and a Consumer Edition. You put everything in the same engine and it protects us.
Randy: There is no reason to give any group better or lesser protection. We give all of them the best that we are able to do. Because of that, we don’t need to have different versions. The Consumer Version is perfectly appropriate for protecting desktops. There’s a slight difference in one file that enables the remote Administrator on the Corporate version to manage it. But all the rest of the technology is entirely identical – the signature files, everything is identical – heuristics, everything.
Alan: ESET only does one thing – make Anti-Threat software. They don’t sell other types of software, so that if a virus gets launched in the wild, this is your only job, to protect us from threats, and you’re going to jump right on it, because your reputation depends on it, doesn’t it?
Randy: We have built our reputation on having the best pro-active protection, detecting more unknown threats than anyone else does, without signature updates. All the other products do use signatures and do update them. Our heuristics, the rules that we use to detect threats that we’ve never seen before, are much stronger than everyone else’s.
That’s what we focus on. And it’s not just viruses anymore; there are also all kinds of Trojans, we’ve got bots, we’ve got rootkits, there are worms. The threats are what ESET focuses on. We don’t focus on disk imaging, browsers or on backing up your software; we focus on protecting you from threats.
Alan: In most cases, these threats that come out as you mentioned, zero day threats, others wait until they get a signature to combat them. If NOD32 didn’t even have signature protection, you would catch just about every virus out there in the wild and you do.
Randy: The heuristics are extremely strong on viruses. They also work very well on Trojans and other types of threats. And we are always trying to increase the effectiveness of the heuristics. But on the viruses, the ones that replicate on their own, our heuristics are phenomenally strong.
Alan: We hear the word heuristics – I know everybody basically banters it back and forth. Everybody has a different definition. What is the definition of heuristics as far as ESET is concerned and why does that really protect our computer systems?
Randy: Heuristics is a rule-based approach to solving problems. Rather than saying “here’s the problem. This is exactly what you do.” We use rules that define the problem. When we evaluate software, the scanner is scanning it, looking to say is this good or bad. It has a set of rules that have been very finely tuned. And if software meets the criteria of these rules, we can pretty well say, that this is not something that you want to run.
But, we do it in a variety of ways. We actually have three different types of heuristics. One of the approaches is called “generic signatures”. And those are rules that measure how close something is to something that we know is bad. So, you might have seen a dog on the street before and you didn’t know what breed it was, but you knew it was a dog, because it’s so similar to all the other dogs. You use that generic signature, if you will, in your brain to identify that as “yes, it’s another dog”. You don’t need to know what breed it is. We do that with a lot of families of viruses. You know, we’ve seen these Bagles and these Mytobs and now the Storm worm, if you will, but with the right heuristics, it says, something that’s really, really close to that is essentially that.
Then we also have what we call “passive heuristics”, which some people call “code analysis”. We look at the program that is about to be executed and try to determine what it is that it’s going to do. Does it look like it’s writing to the Registry and sending e-mail and opening up an IRC Channel, things like that? And if it’s doing too many of those things, it is a safe bet that it’s bad stuff.
And then we also have “advanced heuristics”, which is emulation that actually executes the program in a “sand box”, a safe environment to see what it really does. And from that, we can catch a whole bunch more of these threats.
When we take all those three heuristics and we combine them and add to that traditional signatures for known viruses, now you have a very effective solution that not only uses traditional signatures, but has an incredibly powerful heuristic engine behind it, too.
Alan: And that’s the reason why you have won so many 100% Awards from Virus Bulletin, isn’t it?
Randy: Well, Virus Bulletin 100% Awards really are just about the dedication to quality. We pretty much detect everything on the wild list with our signatures alone. There may have been a couple of times where we fell back on the heuristics. When you look at the Virus Bulletin 100% Awards, you are talking about detecting viruses, and it is only viruses that you have known have been out in the wild for a couple of months at the very least.
And you know, when there’s something out there affecting your customers and you’ve known about it for two months, shouldn’t you be able to detect it, all the time? We are the only product in over eight years of Virus Bulletin testing that has not missed an in-the-wild virus.
Alan: And that says something right there. And if somebody would like to find more information about NOD32, how it can protect the home and also how it can protect you in the business environment, where would they go?
Randy: You can go to http://www.eset.com and go to the products page and feel free to download an evaluation copy; it’s fully functional for 30 days.
Alan: And when you say it’s fully functional, it’s not stripped down and you actually get the new definitions, the new updates during this 30-day trial, don’t you?
Randy: We don’t say, “we detected something bad, send us money and then we’ll remove it”. It’s a fully functional copy of NOD32.
Alan: Randy, I want to thank you for being our guest here on Let’s Talk Computers and explaining why we still need the anti-virus software like ESET to run on top of Vista to keep us safe. And we look forward to having you back on the show again, next time.
Randy: Thank you Alan. It’s great to be here.