
 
CB5000
Gerbil XP
Topic Author
Posts: 388
Joined: Wed Mar 26, 2008 4:46 pm
Location: NW region

Antivirus getting less relevant?

Fri Sep 06, 2013 12:50 pm

It seems like some security professionals' faith in AV software is wearing thin since it's mainly a reactive type of defense and does a horrible job against new exploits. I've used various AV software from Microsoft, Norton, Trend Micro, Avast, AVG etc., but whenever I've used custom exploits on test systems protected with AV software, it doesn't do a good job at protecting them. Sometimes its behavior heuristics will protect it, but tweaking a few parameters here and there and creating a new malware that's undetectable by current definitions is relatively trivial.

Over the 16 years that I have used AV software, I can honestly say that I have been semi-protected by it only once, as it erased a known old malware on a colleague's flash drive that needed autorun to exploit on Windows XP. Once when I was much more naive, before I graduated from college, and before I had IT security training, my laptop was pwned by a keylogger with an interesting payload. The AV software (was using Symantec AV at the time, ~2002) detected it, but the AV software was a bit late, and the software got corrupted and the malware's payload retaliated against detection by systematically deleting system files, and the system was completely inoperable even in safe mode. It was a throwaway laptop I used for testing, but I was a bit surprised at how ineffective the AV software was at protecting my laptop. A simple reformat and reinstall made the laptop work again.

I still think it's worthwhile for internet newbies and tech illiterates... but for people like me, and I suspect most people on TR forums... it's just kinda useless. But even for those people I still doubt its usefulness. My mom's computer (was running AVG at the time) was riddled with viruses... and after backing up documents and pictures, the Avast rescue disk was only able to detect 80% of them, and the Kaspersky rescue disk only detected up to 89% of them. I had to plug the drive into a Linux box to systematically delete the viruses file by file from the drive since the antivirus software's "rescue disk" missed a lot of them. Then I booted the drive and used procmon and other monitoring software to see if I missed anything, and went back to Linux to delete malicious files. Had to repeat the process several times and restore corrupted or subverted system files. It was a PITA! It had everything from scareware, keyloggers, trojans, botnets, etc. etc... It was the worst infestation that I have ever come across... and it was running AVG, though it was rendered inoperable by one of the malware on the system.

And for the average client, I see a lot of systems infected with malware even though they have up-to-date antivirus programs running. Usually either the malware disabled the antivirus or it's a rootkit that the software is incapable of detecting... and a lot of times I see the user disabling it themselves after "thinking" that it's a false positive or ignoring the warnings. Rarely it's a new malware. Other times the client failed to keep it up to date, subscription expired, definitions several years old, etc. etc.

What do you guys think? Has anyone been saved by antivirus programs, or do you think they are kinda worthless?
 
nanoflower
Gerbil Team Leader
Posts: 281
Joined: Wed Mar 04, 2009 1:10 pm

Re: Antivirus getting less relevant?

Fri Sep 06, 2013 1:34 pm

There is a good use for them even for the experienced IT professional. It helps protect your system from infection by assumed-safe sources. Perhaps a disk/USB stick that you've borrowed from a friend, or a web site that you have visited many times before. Those can become sources of viruses/trojans and infect your system unless you have some form of protection. That doesn't mean you need to go overboard with protection by running multiple AV programs at once, but running something is a good idea unless you have a system that you never connect to the Internet and never install anything new on.
 
Prestige Worldwide
Gerbil Elite
Posts: 765
Joined: Mon Nov 09, 2009 10:57 pm

Re: Antivirus getting less relevant?

Fri Sep 06, 2013 2:08 pm

If a n00b is using the computer, it's a must.

If you know what you're doing, you can pretty much go without on Win 7 and Win 8.

I don't have an AV on my Windows 8 desktop, but I did put Avast! on the Win 7 living room PC in case the wife makes a n00b mistake.
8700k@5GHz, Custom Water Loop | ASRock Fatal1ty Gaming K6 | 32GB DDR4 3200 CL16
RTX 3080 | LG 27GL850 144Hz | WD SN750 1TB| MX500 1TB | 2x2TB HDD | Win 10 Pro x64
X-Fi Titanium Fatal1ty Pro | Sennheiser HD555 | Seasonic SSR-850FX | Fractal Arc Midi R2
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden
Contact:

Re: Antivirus getting less relevant?

Fri Sep 06, 2013 3:10 pm

A pure antivirus is surely becoming pretty obsolete today, as you said. Which is why I'm running MSE. Free, small footprint, very small impact. It sure doesn't take care of everything depending on what you test for, but it's decent for the standard things. As a contrast, the only two times I've been infected were back in the XP days. The first time, I wasn't running anything at all, and it just deleted my whole drive, although data was recoverable. The second time I was running a known good one, Nod32, which at the time had a very good record, and still got infected because I ran an executable of non-reputable origin. I thought it was the same as I had used before, but alas, it wasn't. It was a dropper infection that downloaded a slew of other things. Had to clean that one up manually by setting blocks in the firewalls against everything not safe, then tracing all file changes and activity through the Sysinternals toolset. It was alright, but was a bit hairy since I could only do it via RDP, since I wasn't living at home at the time due to reconstruction.

After that I make do with MSE and good habits instead. Where the last part is what really counts. You can get hit by things anyway, but being educated and not doing stupid **** is what makes the biggest difference today. At this point I only wish I had a better firewall that could run a few of the better services, but that requires more money at this point than I want to spend. So my Juniper SSG-5 has to make do for a while yet until I upgrade my internet to >100Mbps.


If you look at the enterprise side, there is AV around, but that AV usually is integrated with malware/adware protection and seconded by a slew of other tools that do patch management and logging of activities. On the infrastructure side, you often have a slew of different things that are layer upon layer of protection, and pure AV is a very tiny part of that. But at current, a normal enterprise might use the following combination of tools depending on the design.

* Firewalls - duh. Segregation and perimeter protection; today with the next-gen firewalls, often integrated with several of the below categories.
* Spam Filtering - Either in house or a hosted service, or a combination, often reputation based with a certain measure of heuristics. Funny thing is that you can easily see that about 98-99% of all email is trash and not legitimate email.
* Proxy + inline AV-scanning of all downloaded files and web streams.
* IDS/IPS - Protection of things not in the AV realm, often part signature and part behavior based.
* Anti-DDoS services - Inline boxes outside of the firewalls for slow attacks, hosted services à la Arbor on the ISP side for the volumetric DDoS.
* Dynamic Malware protection - One of the latest things that are up and coming, not all too common as an everyday tool, but becoming more available. I've only had training on the FireEye products, but the big point of this category is that it works mainly on behavior and correlation of what the programs do themselves instead of only relying on the communication streams like an IDS/IPS.
* Security Monitoring - basically, a way to add intelligence and correlation on top of all the other services doing logging, correlating all the above sources to catch things that none of the other product-based things would be able to catch because they only see a subset of the activity by themselves.


That's only the technical side. On the soft approach, having developed critical thinking spread out over your workforce and having good processes for how to handle sensitive information is pretty much a must if you want to be safe. The products above do a whole lot for the everyday security of people surfing the web, etc., but they really don't do much against either insider threats or people with bad habits that drag bad things in from the outside or from home through various means. You could of course take hard measures to protect against several of these too, but there is the other side too: doing too many hard blocks also makes it harder to work and have a flexible workforce that gets things done, so it might just cost more than it gives you. Education and having security in mind from the start is what makes it really successful, especially in development. If it's not there from the beginning, you will have a lot of trouble in making something truly secure since it's only a tacked-on piece on the side.
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Antivirus getting less relevant?

Fri Sep 06, 2013 3:51 pm

Aphasia wrote:
MSE. Free, small footprint, very small impact. It sure doesn't take care of everything depending on what you test for, but it's decent

LOL... If a "0 out of 6" score for detection (most important aspect of antivirus/antimalware software) is "decent" enough for you - you might as well remove this thing:
http://www.av-test.org/en/tests/home-us ... yjun-2013/
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
Scrotos
Graphmaster Gerbil
Posts: 1109
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Antivirus getting less relevant?

Fri Sep 06, 2013 4:10 pm

Seems pretty variable from testing period to testing period. The previous testing period wasn't as bad. I guess MSE users should just hope the next test period they fare better.

It failed another test suite, too: http://securitywatch.pcmag.com/security ... virus-test

At one time when MSE was introduced, it actually outperformed most other AV products. Back in 2009, mind you:

http://arstechnica.com/information-tech ... impresses/

I still include it on machines I make for other people because they are too stupid to do the once-a-year renew registration for AVG or Avast! or whatever one required that. Many a time have I had to fix a system that hadn't renewed its free AV for months or years. Been a while since I ran into that so maybe that's changed but it's too much effort to go back now.
 
destroy.all.monsters
Gerbil
Posts: 96
Joined: Sat Dec 20, 2008 7:07 pm

Re: Antivirus getting less relevant?

Fri Sep 06, 2013 5:31 pm

I run MSE but all I've gotten were false positives. I keep clamwin on my machine which gets run once a month but as someone else said - if you're careful you rarely need antivirus.
I have nothing against humanity that thousands of years of nuclear winter won't take care of.
 
Prestige Worldwide
Gerbil Elite
Posts: 765
Joined: Mon Nov 09, 2009 10:57 pm

Re: Antivirus getting less relevant?

Fri Sep 06, 2013 5:40 pm

Scrotos wrote:
Back in 2009


Ding ding ding!
8700k@5GHz, Custom Water Loop | ASRock Fatal1ty Gaming K6 | 32GB DDR4 3200 CL16
RTX 3080 | LG 27GL850 144Hz | WD SN750 1TB| MX500 1TB | 2x2TB HDD | Win 10 Pro x64
X-Fi Titanium Fatal1ty Pro | Sennheiser HD555 | Seasonic SSR-850FX | Fractal Arc Midi R2
 
NovusBogus
Graphmaster Gerbil
Posts: 1408
Joined: Sun Jan 06, 2013 12:37 am

Re: Antivirus getting less relevant?

Fri Sep 06, 2013 9:40 pm

I wouldn't say AV is useless, but threats have changed significantly since AV's heyday in the 90s, and these days you're better off with something with a focus on malware.
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Antivirus getting less relevant?

Sat Sep 07, 2013 7:22 am

Scrotos wrote:
I still include it on machines I make for other people because they are too stupid to do the once-a-year renew registration for AVG or Avast! or whatever one required that

:lol: I'd rather prefer people bringing in their laptop to me once a year than every month (or more often) because they just tried to download a "Facebook private profile viewer" and MSE did nothing to warn them about the fact that it is their own "private profile" (at Facebook or Google or their Blizzard's account) that will actually be "viewed" by other people :wink:

destroy.all.monsters wrote:
if you're careful you rarely need antivirus.

If you're an old, antisocial hermit - sure :wink: But if you have a lot of friends/relatives/coworkers on the internet who like to spam your inbox with various stuff, and you like to "evaluate" various software for various purposes (legal or otherwise), and you like to "enhance" your various games (especially multiplayer ones) with various add-ons (mods or cheats) - a good antimalware/antivirus software is a must. In addition to regular backups, of course.
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden
Contact:

Re: Antivirus getting less relevant?

Sat Sep 07, 2013 8:58 pm

JohnC wrote:
LOL... If a "0 out of 6" score for detection (most important aspect of antivirus/antimalware software) is "decent" enough for you - you might as well remove this thing:
http://www.av-test.org/en/tests/home-us ... yjun-2013/

Is it actually too much for you to a. read what I write before replying...
An apple failing an orange juice test is not a surprise; if it didn't fail it, that's what would be surprising.

"MSE. Free, small footprint, very small impact. It sure doesn't take care of everything depending on what you test for, but it's decent"
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Antivirus getting less relevant?

Sat Sep 07, 2013 9:07 pm

Aphasia wrote:
An apple failing a orange juice test is not a surprise, if it didn't fail it, that's what would be surprising.

WTF are you talking about??? MSE is an antimalware program. Just like the other programs in that test.

Aphasia wrote:
It sure doesn't take care of everything depending on what you test for,

No antivirus/antimalware program does. Why are you emphasizing this extremely obvious part so much?
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden
Contact:

Re: Antivirus getting less relevant?

Sat Sep 07, 2013 11:08 pm

You know what, I actually had a very nice post all typed out and ready to go, but I just realized that if you can't be bothered to actually look for the underlying info or try to puzzle everything together before you post a link and make a claim about how bad something is, why should I be bothered to do it for you, because there is a pretty good chance you won't care for the answer.
 
JohnC
Gerbil Jedi
Posts: 1924
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Antivirus getting less relevant?

Sun Sep 08, 2013 6:46 am

Apology accepted.
Gifter of Nvidia Titans and countless Twitch donation extraordinaire, nothing makes me more happy in life than randomly helping random people
