It seems like some security professionals' faith in AV software is wearing thin since it's mainly a reactive type of defense and does a horrible job against new exploits. I've used various AV software from Microsoft, Norton, Trend Micro, Avast, AVG etc., but whenever I've used custom exploits on test systems protected with AV software, it doesn't do a good job at protecting them. Sometimes its behavior heuristics will protect it, but tweaking a few parameters here and there and creating a new malware that's undetectable by current definitions is relatively trivial.
Over the 16 years that I have used AV software, I can honestly say that I have been semi-protected by it only once, as it erased a known old malware on a colleague's flash drive that needed autorun to exploit on Windows XP. Once, when I was much more naive, before I graduated from college and before I had IT security training, my laptop was pwned by a keylogger with an interesting payload. The AV software (I was using Symantec AV at the time, ~2002) detected it, but the AV software was a bit late, and the software got corrupted and the malware's payload retaliated against detection by systematically deleting system files, and the system was completely inoperable, even in safe mode. It was a throwaway laptop I used for testing, but I was a bit surprised at how ineffective the AV software was at protecting my laptop. A simple reformat and reinstall made the laptop work again.
I still think it's worthwhile for internet newbies and tech illiterates... but for people like me, and I suspect most people on TR forums... it's just kinda useless. But even for those people I still doubt its usefulness. My mom's computer (it was running AVG at the time) was riddled with viruses... and after backing up documents and pictures, the Avast rescue disk was only able to detect 80% of them, and the Kaspersky rescue disk only detected up to 89% of them. I had to plug the drive into a Linux box to systematically delete the viruses file by file from the drive since the antivirus software's "rescue disks" missed a lot of them. Then I booted the drive and used procmon and other monitoring software to see if I missed anything, and went back to Linux to delete malicious files. I had to repeat the process several times and restore corrupted or subverted system files. It was a PITA! It had everything from scareware, keyloggers, trojans, botnets, etc. etc... It was the worst infestation that I have ever come across... and it was running AVG, though it was rendered inoperable by one of the pieces of malware on the system.
And for the average client, I see a lot of systems infected with malware even though they have up-to-date antivirus programs running. Usually either the malware disabled the antivirus or it's a rootkit that the software is incapable of detecting... and a lot of times I see the user disabling it themselves after "thinking" that it's a false positive, or ignoring the warnings. Rarely is it a new malware. Other times the client failed to keep it up to date: subscription expired, definitions several years old, etc. etc.
What do you guys think? Has anyone been saved by antivirus programs, or do you think they are kinda worthless?