Antivirus getting less relevant?


Antivirus getting less relevant?

Posted on Fri Sep 06, 2013 12:50 pm

It seems like some security professionals' faith in AV software is wearing thin, since it's mainly a reactive type of defense and does a horrible job against new exploits. I've used various AV software from Microsoft, Norton, Trend Micro, Avast, AVG, etc., but whenever I've used custom exploits on test systems protected with AV software, it doesn't do a good job at protecting them. Sometimes its behavior heuristics will protect it, but tweaking a few parameters here and there and creating a new malware that's undetectable by current definitions is relatively trivial.

Over the 16 years that I have used AV software, I can honestly say that I have been semi-protected by it only once, as it erased a known old malware on a colleague's flash drive that needed autorun to exploit Windows XP. Once, when I was much more naive, before I graduated from college and before I had IT security training, my laptop was pwned by a keylogger with an interesting payload. The AV software (I was using Symantec AV at the time, ~2002) detected it, but it was a bit late, and the software got corrupted; the malware's payload retaliated against detection by systematically deleting system files, and the system was completely inoperable, even in safe mode. It was a throwaway laptop I used for testing, but I was a bit surprised at how ineffective the AV software was at protecting my laptop. A simple reformat and reinstall made the laptop work again.

I still think it's worthwhile for internet newbies and tech illiterates... but for people like me, and I suspect most people on TR forums... it's just kinda useless. But even for those people I still doubt its usefulness. My mom's computer (was running AVG at the time) was riddled with viruses... and after backing up documents and pictures, the Avast rescue disk was only able to detect 80% of them, and the Kaspersky rescue disk only detected up to 89% of them. I had to plug the drive into a Linux box to systematically delete the viruses file by file from the drive, since the antivirus software's "rescue disk" missed a lot of them. Then I booted the drive and used procmon and other monitoring software to see if I missed anything, and went back to Linux to delete malicious files. I had to repeat the process several times and restore corrupted or subverted system files. It was a PITA! It had everything from scareware, keyloggers, trojans, botnets, etc. etc.... It was the worst infestation that I have ever come across... and it was running AVG, though it was rendered inoperable by one of the pieces of malware on the system.

And for the average client, I see a lot of systems infected with malware even though they have up-to-date antivirus programs running. Usually either the malware disabled the antivirus or it's a rootkit that the software is incapable of detecting... and a lot of times I see the user disabling it themselves after "thinking" that it's a false positive, or ignoring the warnings. Rarely it's a new malware. Other times the client failed to keep it up to date: subscription expired, definitions several years old, etc. etc.

What do you guys think? Has anyone been saved by antivirus programs, or do you think they are kinda worthless?
CB5000
Gerbil XP
 
Posts: 365
Joined: Wed Mar 26, 2008 4:46 pm
Location: NW region
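The post above makes a point worth seeing in code: a definition that identifies one sample the vendor has already seen says nothing about the next build of the same thing, while a heuristic that looks at what the file is set up to do keeps firing but buys that coverage with false-positive risk. The toy scanner below is an added example, not code from the thread. Every "sample" is a harmless constructed byte string, and the hash, the byte pattern, the `AUTORUN_RULE` regex and the `URLDownloadToFileA` indicator are assumptions invented for the illustration, not real vendor definitions.

```python
"""Why definition-based detection is reactive: a toy scanner.

Added example, not code from the forum post. All 'samples' are harmless
constructed byte strings; the hash, pattern and heuristic definitions are
assumptions made up for this illustration, not real AV signatures.
"""
from __future__ import annotations

import hashlib
import re

# Constructed stand-in for a dropper: an MZ header, some padding, and the
# strings a binary that writes autorun.inf and pulls a second stage might carry.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"CreateFileA\x00autorun.inf\x00[autorun]\r\nopen=updater.exe\r\n"
    + b"URLDownloadToFileA\x00http://example.invalid/payload\x00"
)

# Variant 1: a single padding byte changed, nothing else.
PADDING_TWEAK = ORIGINAL_SAMPLE[:5] + b"\x01" + ORIGINAL_SAMPLE[6:]

# Variant 2: the same thing rebuilt against a different download host.
REBUILT_SAMPLE = ORIGINAL_SAMPLE.replace(
    b"http://example.invalid/payload", b"http://cdn2.example.invalid/p2"
)

# Constructed benign sample: an installer CD that uses autorun but downloads nothing.
BENIGN_INSTALLER = b"MZ\x90\x00" + b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\n"

# Definition 1 (reactive): the hash of the one sample already in the vendor's lab.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

# Definition 2 (still reactive, a bit more tolerant): a byte pattern lifted from it.
KNOWN_PATTERNS = [b"http://example.invalid/payload"]

# Heuristic (assumed rule): autorun pointing at an .exe AND a downloader API in the same file.
AUTORUN_RULE = re.compile(rb"\[autorun\].*?open=[^\r\n\x00]+\.exe", re.S | re.I)
DOWNLOADER_API = b"URLDownloadToFileA"


def hash_detect(data: bytes) -> bool:
    """Exact-match detection: any change to the file defeats it."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def pattern_detect(data: bytes) -> bool:
    """Substring detection: survives padding changes, not a rebuild with new strings."""
    return any(p in data for p in KNOWN_PATTERNS)


def heuristic_detect(data: bytes) -> list[str]:
    """Return the heuristic rules that fire (empty list means clean)."""
    hits: list[str] = []
    # Both indicators are required; autorun alone is normal for installer media.
    if AUTORUN_RULE.search(data) and DOWNLOADER_API in data:
        hits.append("autorun-dropper")
    return hits


def scan(data: bytes) -> dict:
    """Run all three detection layers over one file and report each verdict."""
    return {
        "hash": hash_detect(data),
        "pattern": pattern_detect(data),
        "heuristic": heuristic_detect(data),
    }


if __name__ == "__main__":
    for name, sample in [
        ("original", ORIGINAL_SAMPLE),
        ("padding_tweak", PADDING_TWEAK),
        ("rebuilt", REBUILT_SAMPLE),
        ("benign_installer", BENIGN_INSTALLER),
    ]:
        print(f"{name:17s} {scan(sample)}")
```

Run it and the three layers separate cleanly: the hash catches only the exact known sample, the byte pattern also survives the one-byte tweak but not the rebuild, and the heuristic catches all three variants while leaving the benign autorun installer alone only because the rule demands both indicators at once. Loosen the rule to autorun alone and the installer becomes a false positive, which is the trade-off behind every "the AV flagged my legitimate tool" complaint.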

Re: Antivirus getting less relevant?

Posted on Fri Sep 06, 2013 1:34 pm

There is a good use for them even for the experienced IT professional. It helps protect your system from infection by assumed-safe sources, perhaps a disk/USB stick that you've borrowed from a friend, or a web site that you have visited many times before. Those can become sources of viruses/trojans and infect your system unless you have some form of protection. That doesn't mean you need to go overboard with protection by running multiple AV programs at once, but running something is a good idea unless you have a system that you never connect to the Internet and never install anything new on.
nanoflower
Gerbil First Class
 
Posts: 191
Joined: Wed Mar 04, 2009 1:10 pm

Re: Antivirus getting less relevant?

Posted on Fri Sep 06, 2013 2:08 pm

If a n00b is using the computer, it's a must.

If you know what you're doing, you can pretty much go without on Win 7 and Win 8.

I don't have an AV on my Windows 8 desktop, but I did put Avast! on the Win 7 living room PC in case the wife makes a n00b mistake.
Prestige Worldwide
Gerbil XP
 
Posts: 487
Joined: Mon Nov 09, 2009 10:57 pm

Re: Antivirus getting less relevant?

Posted on Fri Sep 06, 2013 3:10 pm

A pure antivirus is surely becoming pretty obsolete today, as you said. Which is why I'm running MSE. Free, small footprint, very small impact. It sure doesn't take care of everything, depending on what you test for, but it's decent for the standard things. As a contrast, the only two times I've been infected were back in the XP days. The first time, I wasn't running anything at all, and it just deleted my whole drive, although data was recoverable. The second time I was running a known good one, NOD32, which at the time had a very good record, and still got infected because I ran an executable of non-reputable origin. I thought it was the same as I had used before, but alas, it wasn't. It was a dropper infection that downloaded a slew of other things. Had to clean that one up manually by setting blocks in the firewalls against everything not safe, then tracing all file changes and activity through the Sysinternals toolset. It was alright, but was a bit hairy since I could only do it via RDP, since I wasn't living at home at the time due to reconstruction.

After that I make do with MSE and good habits instead, where the last part is what really counts. You can get hit by things anyway, but being educated and not doing stupid **** is what makes the biggest difference today. At this point I only wish I had a better firewall that could run a few of the better services, but that requires more money at this point than I want to spend. So my Juniper SSG-5 has to make do for a while yet, until I upgrade my internet to >100Mbps.


If you look at the enterprise side, there is AV around, but that AV usually is integrated with malware/adware protection and seconded by a slew of other tools that do patch management and logging of activities. On the infrastructure side, you often have a slew of different things that are layer upon layer of protection, and pure AV is a very tiny part of that. But at current, a normal enterprise might use the following combination of tools, depending on the design.

* Firewalls - duh. segregation and perimeter protection, today with the next-gen firewalls, often integrated with several of the below categories.
* Spam Filtering - Either in house or a hosted service, or a combination, often reputation based with a certain measure of heuristics. Funny thing is that you can easily see that about 98-99% of all email is trash and not legitimate email.
* Proxy + inline AV-scanning of all downloaded files and web streams.
* IDS/IPS - Protection of things not in the AV realm, often part signature and part behavioral based.
* Anti DDOS services - Inline boxes outside of the firewalls for slow attacks, hosted services à la Arbor on the ISP side for the volumetric DDOS.
* Dynamic Malware protection - One of the latest things that are up and coming, not all too common as an every day tool, but becoming more available. I've only had training on the FireEye products, but the big point of this category is that it works mainly on behavior and correlation on what the programs does itself instead of only relying on the communication streams like an IDS/IPS.
* Security Monitoring - basically, a way to add intelligence and correlation on top of all the other services doing logging and correlation of all the above sources to catch things that neither of the other product based things would be able to catch because they only see a subset of the activity by themselves.


That's only the technical side. On the soft approach, having developed critical thinking spread out over your workforce and having good processes for how to handle sensitive information is pretty much a must if you want to be safe. The products above do a whole lot for the everyday security of people surfing the web, etc., but they really don't do much against either insider threats or people who, not necessarily through bad habits, drag bad things in from the outside or from home through various means. You could of course take hard measures to protect against several of these too, but there is the other side too: doing too many hard blocks also makes it harder to work and have a flexible workforce that gets things done, so it might just cost more than it gives you. Education and having security in mind from the start is what makes it really successful, especially in development. If it's not there from the beginning, you will have a lot of trouble making something truly secure, since it's only a tacked-on piece on the side.
Aphasia
Grand Gerbil Poohbah
 
Posts: 3468
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden
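The "Security Monitoring" bullet in the post above is the one that is hardest to picture without code: each product sees a slice of the activity, and the value comes from lining those slices up per host inside a time window. The script below is an added example, not part of the post or of any vendor product. The proxy, IDS and AV log lines are constructed, the `key=value` layout, the hostnames, the 10-minute window and the "three small requests to the same URL" beaconing threshold are all assumptions for the illustration, and real products emit their own formats.

```python
"""Correlating proxy, IDS and AV events per host, as a SIEM-style rule would.

Added example, not from the forum post. The three log excerpts are constructed
for this illustration; the key=value format, window and thresholds are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. On its own, each source looks routine or even resolved.
PROXY_LOG = """\
2013-09-06T12:01:10 host=ws-17 url=http://cdn.example.invalid/setup.exe status=200 bytes=481203
2013-09-06T12:03:45 host=ws-42 url=http://example.invalid/report.pdf status=200 bytes=90211
2013-09-06T12:04:02 host=ws-17 url=http://203.0.113.9/gate.php status=200 bytes=312
2013-09-06T12:04:33 host=ws-17 url=http://203.0.113.9/gate.php status=200 bytes=310
2013-09-06T12:05:01 host=ws-17 url=http://203.0.113.9/gate.php status=200 bytes=311
"""
IDS_LOG = """\
2013-09-06T12:04:05 sensor=dmz-1 src=ws-17 sig="POLICY HTTP POST to raw IP" priority=3
2013-09-06T12:20:00 sensor=dmz-1 src=ws-42 sig="INFO PDF download" priority=3
"""
AV_LOG = """\
2013-09-06T12:01:15 host=ws-17 action=cleaned threat=Trojan.Generic path=C:\\Users\\bob\\Downloads\\setup.exe
2013-09-06T12:06:00 host=ws-17 action=service_stopped reason=unknown
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
WINDOW = timedelta(minutes=10)
BEACON_MAX_BYTES = 1024  # assumed: tiny, near-constant responses look like check-ins
BEACON_MIN_HITS = 3


def parse(source: str, text: str) -> list[dict]:
    """Turn '<iso-timestamp> k=v k="v v"' lines into dicts tagged with their source."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        fields["ts"] = datetime.fromisoformat(ts)
        fields["source"] = source
        events.append(fields)
    return events


def correlate(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """For every .exe download, collect what the other sources saw on that host afterwards."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        host = e.get("host") or e.get("src")  # proxy/AV say host=, IDS says src=
        if host:
            by_host[host].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for dl in evs:
            if dl["source"] != "proxy" or not dl.get("url", "").lower().endswith(".exe"):
                continue
            in_win = [e for e in evs if dl["ts"] <= e["ts"] <= dl["ts"] + window]
            indicators = ["exe_download"]

            # Beaconing: repeated small proxy hits to one URL after the download.
            hits: dict[str, int] = defaultdict(int)
            for e in in_win:
                if e["source"] == "proxy" and e is not dl and int(e.get("bytes", "0")) < BEACON_MAX_BYTES:
                    hits[e["url"]] += 1
            if any(n >= BEACON_MIN_HITS for n in hits.values()):
                indicators.append("beaconing")

            if any(e["source"] == "ids" for e in in_win):
                indicators.append("ids_alert")

            actions = [e.get("action") for e in in_win if e["source"] == "av"]
            if "cleaned" in actions:
                indicators.append("av_cleaned")       # the ticket that would have been closed
            if "service_stopped" in actions:
                indicators.append("av_stopped")       # AV going quiet right after is the tell

            # Download plus beaconing plus an independent witness is what makes this an incident.
            high = "beaconing" in indicators and ("ids_alert" in indicators or "av_stopped" in indicators)
            findings.append({"host": host, "severity": "high" if high else "low", "indicators": indicators})
    return findings


def run() -> list[dict]:
    events = parse("proxy", PROXY_LOG) + parse("ids", IDS_LOG) + parse("av", AV_LOG)
    return correlate(events)


if __name__ == "__main__":
    for f in run():
        print(f)
```

On the constructed data the AV log by itself reads as a success story ("cleaned"), the IDS alert is a low-priority policy hit, and three 300-byte proxy requests are noise; only the per-host join shows an executable download followed by check-ins to a raw IP, an IDS hit and the AV service stopping, which is the "AV was disabled by the malware" case described earlier in the thread. ws-42 produces no finding because nothing it did meets the entry condition.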

Re: Antivirus getting less relevant?

Posted on Fri Sep 06, 2013 3:51 pm

Aphasia wrote: MSE. Free, small footprint, very small impact. It sure doesn't take care of everything depending on what you test for, but it's decent

LOL... If a "0 out of 6" score for detection (the most important aspect of antivirus/antimalware software) is "decent" enough for you, you might as well remove this thing:
http://www.av-test.org/en/tests/home-us ... yjun-2013/
JohnC
Gerbil Jedi
 
Posts: 1889
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Antivirus getting less relevant?

Posted on Fri Sep 06, 2013 4:10 pm

Seems pretty variable from testing period to testing period. The previous testing period wasn't as bad. I guess MSE users should just hope the next test period they fare better.

It failed another test suite, too: http://securitywatch.pcmag.com/security ... virus-test

At one time when MSE was introduced, it actually outperformed most other AV products. Back in 2009, mind you:

http://arstechnica.com/information-tech ... impresses/

I still include it on machines I make for other people because they are too stupid to do the once-a-year renewal registration for AVG or Avast! or whichever one required that. Many a time have I had to fix a system that hadn't renewed its free AV for months or years. It's been a while since I ran into that, so maybe that's changed, but it's too much effort to go back now.
Scrotos
Graphmaster Gerbil
 
Posts: 1035
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Antivirus getting less relevant?

Posted on Fri Sep 06, 2013 5:31 pm

I run MSE, but all I've gotten were false positives. I keep ClamWin on my machine, which gets run once a month, but as someone else said, if you're careful you rarely need antivirus.
destroy.all.monsters
Gerbil
 
Posts: 90
Joined: Sat Dec 20, 2008 7:07 pm

Re: Antivirus getting less relevant?

Posted on Fri Sep 06, 2013 5:40 pm

Scrotos wrote: Back in 2009


Ding ding ding!
Prestige Worldwide
Gerbil XP
 
Posts: 487
Joined: Mon Nov 09, 2009 10:57 pm

Re: Antivirus getting less relevant?

Posted on Fri Sep 06, 2013 9:40 pm

I wouldn't say AV is useless, but threats have changed significantly since AV's heyday in the 90s, and these days you're better off with something with a focus on malware.
NovusBogus
Gerbil Elite
 
Posts: 520
Joined: Sun Jan 06, 2013 12:37 am

Re: Antivirus getting less relevant?

Posted on Sat Sep 07, 2013 7:22 am

Scrotos wrote:I still include it on machines I make for other people because they are too stupid to do the once-a-year renew registration for AVG or Avast! or whatever one required that

:lol: I'd rather have people bring their laptop in to me once a year than every month (or more often) because they just tried to download a "Facebook private profile viewer" and MSE did nothing to warn them about the fact that it is their own "private profile" (at Facebook or Google or their Blizzard account) that will actually be "viewed" by other people :wink:

destroy.all.monsters wrote:if you're careful you rarely need antivirus.

If you're an old, antisocial hermit, sure :wink: But if you have a lot of friends/relatives/coworkers on the internet who like to spam your inbox with various stuff, and you like to "evaluate" various software for various purposes (legal or otherwise), and you like to "enhance" your various games (especially multiplayer ones) with various add-ons (mods or cheats), a good antimalware/antivirus software is a must. In addition to regular backups, of course.
JohnC
Gerbil Jedi
 
Posts: 1889
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Antivirus getting less relevant?

Posted on Sat Sep 07, 2013 8:58 pm

JohnC wrote:LOL... If a "0 out of 6" score for detection (most important aspect of antivirus/antimalware software) is "decent" enough for you - you might as well remove this thing:
http://www.av-test.org/en/tests/home-us ... yjun-2013/

Is it actually too much for you to a. read what I write before replying...
An apple failing an orange juice test is not a surprise; if it didn't fail it, that's what would be surprising.

"MSE. Free, small footprint, very small impact. It sure doesn't take care of everything depending on what you test for, but it's decent"
Aphasia
Grand Gerbil Poohbah
 
Posts: 3468
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: Antivirus getting less relevant?

Posted on Sat Sep 07, 2013 9:07 pm

Aphasia wrote:An apple failing a orange juice test is not a surprise, if it didn't fail it, that's what would be surprising.

WTF are you talking about??? MSE is an antimalware program. Just like the other programs in that test.

Aphasia wrote:It sure doesn't take care of everything depending on what you test for,

No antivirus/antimalware program does. Why are you emphasizing this extremely obvious part so much?
JohnC
Gerbil Jedi
 
Posts: 1889
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Antivirus getting less relevant?

Posted on Sat Sep 07, 2013 11:08 pm

You know what, I actually had a very nice post all typed out and ready to go, but I just realized that if you can't be bothered to actually look for the underlying info or try to puzzle everything together before you post a link and make a claim about how bad something is, why should I be bothered to do it for you, because there is a pretty good chance you won't care for the answer.
Aphasia
Grand Gerbil Poohbah
 
Posts: 3468
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: Antivirus getting less relevant?

Posted on Sun Sep 08, 2013 6:46 am

Apology accepted.
JohnC
Gerbil Jedi
 
Posts: 1889
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

