Oldwilliam wrote:
This seems to be a very useful software tool for patching/warning the home user about vulnerabilities and about malware such as trojans, but as it's labelled as an "anti-virus" product, and no-one has ever yet demonstrated the existence of a virus for a *nix-based operating system (or else they would have claimed the substantial prize offered for many years by Netproject for infecting a properly-configured Linux box with a virus!), does this product breach UK consumer protection legislation? It certainly claims, by implication, that *nix viruses exist, the truth of which Sophos would have to demonstrate publicly (e.g. to the Advertising Standards Authority) if a complaint was made.
First of all, is this how you react to someone offering you something? Your first response to a free software product is to accuse who is offering it of something illegal?
Second point, what is this Netproject prize you are referring to? I'm not implying that it doesn't exist, I'd just like to know more about it.
Third, and I will answer this in two parts:
a) an anti-virus running on a Mac or Linux machine can also be useful for detecting Windows viruses. Why is that? It is stopping you from spreading a malicious file to your friends, family or even to other machines inside your company.
b) while there aren't any viruses TODAY for MacOS, there may be one or many TOMORROW. If by that time you already have a running, self-updating anti-virus, you are automatically protected. From the Mac free anti-virus product page: «As Apple computers grow more popular than ever, they're an increasingly-enticing target for hackers.»
Best regards,
Joao
Joao wrote: Your first response to a free software product is to accuse who is offering it of something illegal?
So, if you spot something being offered illegally, you download it first and then worry about whether it breaks the law? That sort of ethical stance might get you a criminal record, dude... ask the RIAA! (I ought to point out that I dislike that organisation with a passion, as it protects no-one and nothing except the corporate self-interests of a handful of mega-corporations)
Joao wrote: what is this Netproject prize you are referring to?
Eddie Bleasdale from Netproject Ltd offered a substantial sum of money many years ago (mid 1990s, I think) as a prize for anyone who could infect a properly-configured Linux machine with a virus... the point (obviously) was to reinforce the fact that a Linux kernel, having been designed as a multi-user operating system, doesn't suffer from the inherent security weaknesses of Windows, which (due to its origins as a single-user consumer product with no formal security model and questionable reliability, e.g. due to memory leakage) will never be fit for purpose unless re-written from scratch. That's why we have a whole generation of computer users who think that having to re-boot their computer a few times per week is a natural feature of computer operation. No, it isn't!
Needless to say, no-one ever claimed the prize because, although Linux has vulnerabilities as does any software product, there can never be a Linux virus.
Joao wrote: anti-virus running on a Mac or Linux machine can also be useful for detecting Windows virus
Agreed enthusiastically - I run Clam on my mail server for exactly that reason. But Clam isn't anti-virus for Linux, it's anti-virus for Windows that just happens to run on Linux. That's not the same thing at all, which is what I'm trying to point out here.
Joao wrote: there may be one or many TOMORROW
No. Vulnerabilities, yes... a self-replicating infectious item of computer malware, no. If someone is silly enough to run untrusted software as root, and it turns out to be a malware trojan, then sure, that machine is compromised. But where is the mechanism that provides, in userspace, a self-initiating infection vector on a properly-configured Linux machine that will compromise the machine? That's what Netproject was prepared to pay for, and that's what no-one has ever demonstrated in over a decade!
Joao wrote: If by that time you already have a running, self-updating anti-virus, you are automatically protected
No. That's the language of scareware, and even Sophos will tell you that a heuristic approach to malware detection can never be 100% successful. A zero-day exploit can nail a "virus-protected" Windows machine as surely as a completely-unprotected Windows machine, and you just can't invert that logically to prove that "anti-virus for Macs" will offer "automatic protection".
I'm at the front of the queue of supporters for the installation of anti-virus for Windows (although I don't use Windows at all myself!), indeed I'm amazed at the hypocrisy of Microsoft at selling anti-virus solutions when their own marketing people continually overrode the protests of their (few) security analysts, e.g. when things like the "preview" feature in Outlook and Outlook Express were implemented, thus making the product into a virus magnet - and of course ActiveX probably made virus writers burst into spontaneous applause! But, at the end of the day, "anti-virus for Macs" is like selling "elephant repellent for cherry trees"... spraying it on and showing you have no elephants in your cherry tree doesn't prove that it really works!! :)
Oldwilliam wrote: So, if you spot something being offered illegally, you download it first and then worry about whether it breaks the law? That sort of ethical stance might get you a criminal record, dude... ask the RIAA! (I ought to point out that I dislike that organisation with a passion, as it protects no-one and nothing except the corporate self-interests of a handful of mega-corporations)
There is a pretty big difference between downloading pirated software, and downloading legal software which may have a few advertising problems. I don't think that YOU are breaking the law by downloading a piece of software that has been misrepresented. Also, the software is aimed at preventing all sorts of threats including viruses, trojans (note: Apple has even been busy patching OS X against some trojans), and worms.
Oldwilliam wrote: a prize for anyone who could infect a properly-configured Linux machine with a virus
infect a properly-configured Linux machine
properly-configured ... Linux machine
So 100% of OS X users are running a properly configured linux machine? Let's say that you set up a parents'/friends'/whoever's OS X machine for them properly but they still insist on clicking on every link that is e-mailed to them or running any program that is offered. Those people could definitely use some protection against themselves.
Oldwilliam wrote: Agreed enthusiastically - I run Clam on my mail server for exactly that reason. But Clam isn't anti-virus for Linux, it's anti-virus for Windows that just happens to run on Linux. That's not the same thing at all, which is what I'm trying to point out here.
The first words on the Clam AV website: "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX"
Oldwilliam wrote: No. Vulnerabilities, yes... a self-replicating infectious item of computer malware, no. If someone is silly enough to run untrusted software as root, and it turns out to be a malware trojan, then sure, that machine is compromised. But where is the mechanism that provides, in userspace, a self-initiating infection vector on a properly-configured Linux machine that will compromise the machine? That's what Netproject was prepared to pay for, and that's what no-one has ever demonstrated in over a decade!
Even OS X and Linux users are capable of being silly. Why not help protect them?
Oldwilliam wrote: No. That's the language of scareware, and even Sophos will tell you that a heuristic approach to malware detection can never be 100% successful. A zero-day exploit can nail a "virus-protected" Windows machine as surely as a completely-unprotected Windows machine, and you just can't invert that logically to prove that "anti-virus for Macs" will offer "automatic protection".
I'm at the front of the queue of supporters for the installation of anti-virus for Windows (although I don't use Windows at all myself!), indeed I'm amazed at the hypocrisy of Microsoft at selling anti-virus solutions when their own marketing people continually overrode the protests of their (few) security analysts, e.g. when things like the "preview" feature in Outlook and Outlook Express were implemented, thus making the product into a virus magnet - and of course ActiveX probably made virus writers burst into spontaneous applause! But, at the end of the day, "anti-virus for Macs" is like selling "elephant repellent for cherry trees"... spraying it on and showing you have no elephants in your cherry tree doesn't prove that it really works!!
An alternative point of view: Let's say you happen to be immune to a particularly nasty virus, but none of your friends are (they get it and they are as good as dead). You are also quite capable of being a carrier for that virus (the virus can live in you but won't cause you any harm). Don't you owe it to your friends to engage in some safe practices, especially if they don't really inconvenience you?
Chrisnichols wrote: I don't think that YOU are breaking the law by downloading a piece of software that has been misrepresented.
Chris, thanks for taking the trouble to respond in detail... reading your points carefully, I actually don't disagree with any of the points you make.
But you've neatly brought the subject back to the point at which I started... this product is something that will lead less-technical Mac users to believe that such a thing as a *nix or OS/X virus actually exists (as opposed to malware), and Sophos - knowing the truth - markets it as such. My original point is still sound: will Sophos be able to provide proof of the existence of a *nix or OS/X virus to the Advertising Standards Authority if the latter investigates a misrepresentation complaint? That's the way the ASA approaches this sort of thing.
I believe that the answer is most definitely: "No". And that will mean that this product thereby contravenes UK consumer protection legislation - QED.
Oldwilliam,
If you search Wikipedia for "Linux Malware" you will find a page that lists over a dozen AV applications for linux as well as 30 items under the "Virus" category. It does also mention that the danger of any of these is quite minimal. I know wikipedia isn't the most reliable of sources at times, but I think this is proof enough that viruses ARE possible.
I know that malicious code run by a user account can only affect things that the user can affect (i.e. not much), but I seem to recall there being a few privilege escalation vulnerabilities in the past (I can't remember where I saw these). Also, I think that OS X users are much more likely to blindly trust software they download and be using an account with root access than a linux user. All it takes to access system files is a single password which most users are probably used to supplying when installing various applications.
I don't understand why you are saying that a MacOS virus is an impossible thing. I don't think it is.
You need to undertake some study on how viruses work, and the mechanisms that they use for self-replication, which is what defines a software virus. On Unix/Linux operating systems, there just isn't the mechanism for this to happen. That malware exists for all software is a truism, because all software has vulnerabilities, but *nix operating systems were written from the start as multi-user machines, with the superuser ("root") processes providing services for user processes, and the security model was designed to keep these two separate from the start.
For greater protection against malware and software vulnerabilities, hardware memory management is a definite bonus, but as there are no mechanisms for self-replication, no virus for *nix has ever been produced.
Compare that with Windows, which will always only ever be a single-user consumer product that has outgrown its market space, and will always be inherently insecure until re-written from scratch (i.e. never). By coincidence, I was just reading today about attacks on Windows CE ATMs - cash machines:
http://www.net-security.org/secworld.php?id=10189
Madness! There's a number of internet sites that collect photographs of various types of non-PC appliances that run Windows, displaying Windows error messages - it's a hoot! It even includes giant public displays from the Olympics... how embarrassing, and easily avoided by using an OS written and developed for real-time utility computing - imagine having to install an anti-virus package on your Walkman or your mobile phone! And yes, I'm aware that phones running Windows Phone 7 permanently destroy some microSD cards used with them...
http://www.ebaumsworld.com/pictures/view/859147/#
http://randomfunnypicture.com/funny-fail-pictures/nine-inch-fail-blue-screen-of-death/
If you search Wikipedia for "Linux Malware" you will find a page that lists over a dozen AV applications for linux as well as 30 items under the "Virus" category. It does also mention that the danger of any of these is quite minimal. I know wikipedia isn't the most reliable of sources at times, but I think this is proof enough that viruses ARE possible.
No. Nothing on Wikipedia, by its very nature, can ever be evidence of anything, far less proof. I was tempted to look up the page to which you refer, and to amend it to "prove" that you can use Windows to hack into US Government IT systems and fire nuclear missiles, but it just isn't necessary.
And I haven't bothered to do so myself, but go through the list to which you refer, and strike out all those that are packages for running on Linux mail transport agents to detect and/or quarantine Windows viruses, e.g. Clam AV, etc. Then, post the remainder (if any) on this thread. I promise to take those results and investigate further, even if it's only to protect anyone who might otherwise be tempted to pay good money for snake oil, which is what "software to deal with Linux viruses" is, by definition. I've already acknowledged that the Sophos package deals with Trojans, malware, and vulnerabilities, and anything that might store or pass on Windows viruses... but not Linux viruses.
I seem to recall there being a few privilege escalation vulnerabilities in the past
Sure. I acknowledged "vulnerabilities" right from the start. But a "vulnerability" isn't a virus, which is what this thread is about, and the word "virus" is used in the name applied by Sophos to the product, which brings it right into target as far as legislation governing product descriptions is concerned - my basic point.
Also, can you please provide any references to the Netproject prize you referred to?
Bear in mind that this has been going on since long before the Web was a popular medium! Get in touch with Eddie Bleasdale of Netproject Limited... you should find references to the company in relation to the scandalous practices of Newham Borough Council and Microsoft when the council ran a Linux pilot project, found that it saved them a fortune in running costs, then struck up a closed-doors post-contract negotiating session with Microsoft for a special one-off licensing deal that neither party will disclose publicly. It meant that Newham got the best deal in the end but only at rates that Microsoft refuses to give to anyone else, because it was determined not to lose a public sector customer to Linux at any cost whatsoever.
My own view is that what went on was criminal, because public bodies are legally required to follow EC procedures for contract negotiation, and display openness and fairness to all tenderers, but then Microsoft has already paid over a billion Euros to the European Court of First Instance for criminal offences in relation to abusing its market position, so I don't get too worked up about it... :)
OldWilliam, as one sample of a virus for OS X, I'd like to bring your attention to the Macarena/MachOMan virus, which, while proof-of-concept, is a Mac OS X virus that infects Mach-O binaries. The author breaks down exactly how it works on his website, and I think you'll agree that it definitely exhibits virus-like activity. While the replication method is not the same as that used on Windows, neither was the replication method for classic Mac viruses (which yes, didn't have privilege separation).
I'll also note that he published it in October 2006. Sophos products detect it.
There are always mechanisms for self-replication on a computer system; the only difference from one model to another is how many and what systems have to be subverted in order to achieve it (sometimes, the end user has to be tricked into privilege escalation as part of the infection process). On Unix/Linux systems, usually the virus has to be executed as root or some other privileged user, which means a secondary process (rootkit) needs to be invoked first in order to escalate privileges. I'm sure you'll agree that there are definitely rootkits for Unix/Linux. However, on OS X, you can actually have processes running at the user level (from ~/Applications/, for example), and these processes have full access to userland data, even if they can never touch files at the system level. Hardware memory management definitely helps, but it can still be manipulated.
I'll also add that while the technical use of "virus" in computer security refers to self-replicating malware that infects a host file/system, the use of the term by the general public (similar to the use of virii as a plural form) is accepted in the vernacular to mean malicious and/or unauthorised software that replicates through any mechanism, similar to how the term "hacker" refers to one who takes a product designed for one use and uses it for another, but is generally used by the public to refer to someone who abuses weaknesses in computer systems to gain illegal access.
However, it's my guess (not my knowledge) that SAV for Mac is so named because it uses the same detection engine as the rest of Sophos' SAV line, which has been around since before malware other than viruses were very prevalent on computer systems.
I hope this answers some of your concerns.