On Fri, 6/6/2025 4:02 AM, chrisv wrote:
> Tyrone wrote:
>> Windows 10 will continue to get AV updates.
> If you pay extra for that extended support, right?
These are updated daily. When you air-gap a Windows machine, you can
"bring over" a definition update and install it on an OS. I've done this
on numerous occasions, to give the AV something to do :-) Naturally,
there are two parts to these -- if a definition needed a newer parser to
read it, that's an issue. For unsupported OSes, that is less likely to
happen. At a minimum this gives a rough equivalent to a Cisco Talos
ClamAV (in other words, limited heuristic capabilities, but still has
some value and could detect Sality inbound).
https://www.microsoft.com/en-us/wdsi/defenderupdates
"Windows Defender in Windows 7 and Windows Vista 32-bit | 64-bit"
But effort is put into those, and it "counts as support". It gets done,
because it's a part of the active support structure for the later OSes,
and is just a derivative output file. Just as a lot of "junior AV
companies" may rely on ClamAV for their definition files.

Roughly a third of branded AV products are junk (but you have to start
somewhere). For example, Malwarebytes started as a heuristic product,
only detecting "novel intrusions" and stopping them. Only later did it
get signatures to scan, and so it would have started on a diet of ClamAV
at first. It might take a staff of 200 to do a viable ClamAV equivalent.
Three guys in mom's basement can't keep up.

The junk AV products don't have the 30 unpackers necessary to check
obfuscated files. And this shows up as a recurring pattern in Google
VirusTotal scan results (product "could not open" file). That's how you
can tell what is junk, if it can't even handle an executable packer. The
companies with a staff of 1200-2000 are capable of making worthwhile
products (that's if they don't add too much FUD junk and snakeoil).
Paul
--- MBSE BBS v1.1.1 (Linux-x86_64)
* Origin: A noiseless patient Spider (3:633/280.2@fidonet)
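As an added illustration of the "could not open" pattern Paul describes (this is example code, not part of his post and not VirusTotal's own tooling), the Python below tallies per-engine scan failures across several reports for packed executables. The reports are constructed sample data; their layout follows the shape of the `last_analysis_results` mapping in VirusTotal's v3 file API (engine name to a `category`/`result` pair), which is an assumption about field names, and the engine names and verdicts are invented. The second function also computes a detection ratio that excludes failed scans, so an engine that could not open the file is not silently counted as a clean verdict.

```python
"""Tally per-engine scan failures across VirusTotal-style reports.

SAMPLE_REPORTS is constructed data, not real scan output. Its layout is an
assumption modelled on VirusTotal v3 `last_analysis_results`:
    {engine_name: {"category": ..., "result": ...}}
"""
from collections import defaultdict

# Categories that mean the engine never produced a verdict for the file.
# ("failure" / "type-unsupported" are the JSON-side form of "could not open".)
FAILURE_CATEGORIES = {"failure", "type-unsupported", "timeout", "confirmed-timeout"}
DETECTED_CATEGORIES = {"malicious", "suspicious"}

# Constructed sample: three packed executables scanned by four fictional engines.
SAMPLE_REPORTS = [
    {
        "sha256": "constructed-sample-1",
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
            "EngineB": {"category": "failure", "result": None},
            "EngineC": {"category": "undetected", "result": None},
            "EngineD": {"category": "malicious", "result": "Packed.Generic"},
        },
    },
    {
        "sha256": "constructed-sample-2",
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
            "EngineB": {"category": "type-unsupported", "result": None},
            "EngineC": {"category": "failure", "result": None},
            "EngineD": {"category": "suspicious", "result": "Heur.Packed"},
        },
    },
    {
        "sha256": "constructed-sample-3",
        "last_analysis_results": {
            "EngineA": {"category": "undetected", "result": None},
            "EngineB": {"category": "failure", "result": None},
            "EngineC": {"category": "malicious", "result": "Worm.Generic"},
            "EngineD": {"category": "malicious", "result": "Packed.Generic"},
        },
    },
]


def tally_failures(reports):
    """Return {engine: (failed_scans, total_scans)} across all reports."""
    counts = defaultdict(lambda: [0, 0])
    for report in reports:
        for engine, verdict in report["last_analysis_results"].items():
            counts[engine][1] += 1
            if verdict.get("category") in FAILURE_CATEGORIES:
                counts[engine][0] += 1
    return {engine: tuple(pair) for engine, pair in counts.items()}


def unreliable_engines(reports, min_failure_rate=0.5, min_samples=2):
    """Engines that failed to open at least min_failure_rate of the samples.

    min_samples avoids flagging an engine on a single unlucky timeout.
    """
    tallies = tally_failures(reports)
    return sorted(
        engine
        for engine, (failed, total) in tallies.items()
        if total >= min_samples and failed / total >= min_failure_rate
    )


def detection_ratio(report):
    """(detections, engines_that_actually_scanned) for one report.

    Failed scans are left out of the denominator: "could not open" is not
    the same as "scanned and found clean".
    """
    detected = scanned = 0
    for verdict in report["last_analysis_results"].values():
        category = verdict.get("category")
        if category in FAILURE_CATEGORIES:
            continue
        scanned += 1
        if category in DETECTED_CATEGORIES:
            detected += 1
    return detected, scanned


if __name__ == "__main__":
    for engine, (failed, total) in sorted(tally_failures(SAMPLE_REPORTS).items()):
        print(f"{engine}: {failed}/{total} scans failed")
    print("unreliable on packed samples:", unreliable_engines(SAMPLE_REPORTS))
    for report in SAMPLE_REPORTS:
        print(report["sha256"], "detection ratio", detection_ratio(report))
```

Run against real reports, the same tally over a corpus of known-packed samples shows which engines consistently lack an unpacker for a given packer, which is the signal the post treats as the mark of a weak product.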