Is Antivirus Dead?

This essay previously appeared in Information Security Magazine, as the second half of a point-counterpoint with Marcus Ranum. You can read his half here as well.

Security is never black and white. If someone asks, “for best security, should I do A or B?” the answer almost invariably is both. But security is always a trade-off. Often it’s impossible to do both A and B—there’s no time to do both, it’s too expensive to do both, or whatever—and you have to choose. In that case, you look at A and B and you make your best choice. But it’s almost always more secure to do both.

Yes, antivirus programs have been getting less effective as new viruses are more frequent and existing viruses mutate faster. Yes, antivirus companies are forever playing catch-up, trying to create signatures for new viruses. Yes, signature-based antivirus software won’t protect you when a virus is new, before the signature is added to the detection program. Antivirus is by no means a panacea.

On the other hand, an antivirus program with up-to-date signatures will protect you from a lot of threats. It’ll protect you against viruses, against spyware, against Trojans—against all sorts of malware. It’ll run in the background, automatically, and you won’t notice any performance degradation at all. And—here’s the best part—it can be free. AVG won’t cost you a penny. To me, this is an easy trade-off, certainly for the average computer user who clicks on attachments he probably shouldn’t click on, downloads things he probably shouldn’t download, and doesn’t understand the finer workings of Windows Personal Firewall.

Certainly security would be improved if people used whitelisting programs such as Bit9 Parity and Savant Protection—and I personally recommend Malwarebytes’ Anti-Malware—but a lot of users are going to have trouble with this. The average user will probably just swat away the “you’re trying to run a program not on your whitelist” warning message or—even worse—wonder why his computer is broken when he tries to run a new piece of software. The average corporate IT department doesn’t have a good idea of what software is running on all the computers within the corporation, and doesn’t want the administrative overhead of managing all the change requests. And whitelists aren’t a panacea, either: they don’t defend against malware that attaches itself to data files (think Word macro viruses), for example.

One of the newest trends in IT is consumerization, and if you don’t already know about it, you soon will. It’s the idea that new technologies, the cool stuff people want, will become available for the consumer market before they become available for the business market. What it means to business is that people—employees, customers, partners—will access business networks from wherever they happen to be, with whatever hardware and software they have. Maybe it’ll be the computer you gave them when you hired them. Maybe it’ll be their home computer, the one their kids use. Maybe it’ll be their cell phone or PDA, or a computer in a hotel’s business center. Your business will have no way to know what they’re using, and—more importantly—you’ll have no control.

In this kind of environment, computers are going to connect to each other without a whole lot of trust between them. Untrusted computers are going to connect to untrusted networks. Trusted computers are going to connect to untrusted networks. The whole idea of “safe computing” is going to take on a whole new meaning—every man for himself. A corporate network is going to need a simple, dumb, signature-based antivirus product at the gateway of its network. And a user is going to need a similar program to protect his computer.

Bottom line: antivirus software is neither necessary nor sufficient for security, but it’s still a good idea. It’s not a panacea that magically makes you safe, nor is it obsolete in the face of current threats. As countermeasures go, it’s cheap, it’s easy, and it’s effective. I haven’t dumped my antivirus program, and I have no intention of doing so anytime soon.

Posted on November 10, 2009 at 6:31 AM

Comments

josephdietrich November 10, 2009 7:02 AM

A minor quibble: As someone who is a long-time user of AVG in both its paid and unpaid versions, the claim that you will not notice a performance degradation is, well, untrue, at least in my (anecdotal, I know) experience. I suppose it depends on your hardware, but on all of the machines that I have ever had, the anti-virus programs that I have used have caused definite performance hits during startup and/or when running a disk scan.

clvrmnky November 10, 2009 7:12 AM

The biggest problem is that Windows (and, maybe one day, OS X) does not have this built in to the OS. The performance hit that most “real-time” AV has on a system is tremendous (often measured in hundreds of percent slower disk access, startup times and overall CPU.)

Basic AV may be a fact of life now, and there is value. What is poor value is letting third-parties reverse engineer the OS and insert themselves into every call stack. The OS vendors should be working on proper hooks that third parties can use.

This, in my opinion, is an excellent place to use trusted computing techniques and enforced code-signing.

As for me, I practice safe computing but disable the AV on my work computer (except for scanning email.) The hit on my system, and the resulting performance issues, is too high a trade-off for any value I get. I’ve got work to do, and active RT AV represents real lost hours every week.

Kevin S November 10, 2009 7:35 AM

End Node Security.
The greatest risk, IMHO, to well-managed/defended networks is allowing users to VPN in from untrusted, unmanaged, insecure computers that are used for everything else. Malware is readily inserted deep in the network and sensitive, intellectual property is readily lost — either intentionally or not. In short, the company can’t trust the user’s hard drive. The Air Force attempts to limit this by issuing and maintaining laptops (at great cost & inconvenience). The Software Protection Initiative (spi.dod.mil) provides a simple alternative – a LiveCD that boots a pristine, trusted OS in RAM and technically prevents data from leaking (no hard drive drivers, no printing, etc.). Called LPS, Lightweight Portable Security, it comes in both a public version and a stronger, accredited federal (and contractor) version.

AppSec November 10, 2009 7:37 AM

The idea of banishing computer viri is similar to the idea of stopping a flu pandemic. You can slow it down, but it is never going to be non-existent.

And @Gomez: Ask the iPhone users who got Rick-Rolled if Windows is truly the problem.

And for the record: Whitelisting is the best. Personal users that click — at least there is notification. Corporate users that don’t know what systems are running: it’s a good way to get that list going.

Kilgore November 10, 2009 7:39 AM

@Gomez

Or, don’t use Windows. Ta-da!

…which is not an option for many in the real world. Ta-da!

wiredog November 10, 2009 7:47 AM

“Consumerization” has been going on for decades. That’s how PCs came into a lot of workplaces. That’s why the company I’m at built an iPhone app to access our web app that’s only used by DoD, in house.

Uri November 10, 2009 8:02 AM

@Kilgore

or maybe it’s time for Microsoft to realize that dragging bad code along since the time of NT4 is bad and they should re-write the whole OS from scratch and design it for security from the very beginning. TA-DA!

Jared November 10, 2009 8:03 AM

I’ll agree with much of the post. Most anti-virus programs I’ve tried at one point or another have missed something or other being installed that I didn’t want to be (is it a virus? adware? bundled adware with something I want? wanted adware with something I want?). Making anti-virus programs is tough work, and with viruses that mutate it gets even tougher. It’s important to have an up to date anti-virus program to minimize your personal risk of exposure to known threats.

If you, as Gomez apparently does, use a non-windows operating system, you still have an obligation as someone in-the-know to run at least a minimal anti-virus that scans your e-mails. Just because you won’t get infected by the latest Windows-targeting worm, doesn’t mean that your colleagues / friends won’t. And I seem to recall a botnet numbering in the millions of nodes comprised of Mac OS X based machines that got infected by installing pirated software… so yeah; even if you run something other than windows, there could potentially be threats to you.

Practical prevention is about many things. Not doing things that are very likely to get you infected is a great start. Not pirating software which is modified by anonymous people unaccountable for their actions in both a legal and moral sense is a start. I also run ClamXav on my OS X machine because I routinely help my non tech-savvy friends with their problems, and if I should somehow find something that I think they need which, unbeknownst to me contains a virus, I’d be up the creek without a paddle. Well, at the very least I’d be on the hook for restoring their computer to a clean state.

Those reasons are why I run anti-virus software on my relatively secure OS X box. Could I get away without it? Yeah; probably. ClamXav has a low enough CPU load to make installing it have a negligible effect on performance. On my Windows box, I use Avast because it’s free, light, and has done a good job of scanning not only files I’ve downloaded but also webpages I’ve visited that contain malicious content.

If the difference in both monetary and time cost to you is negligible, why not run an antivirus?

Scott W November 10, 2009 8:10 AM

@AppSec,

The tiny handful of iPhone users were people who knowingly a) had jailbroken their phones (violating their warranty), b) were running an ssh daemon, and c) did not change the default root password on said daemon. This is a separate class of security problem from antivirus.

I agree with Kilgore that not everybody can get away from Windows, but we have to admit that this is almost exclusively a Windows problem (at least for the past 15 years or so).

That will likely change in the future as other OSes become more mainstream, but that hasn’t happened yet (in 15 years of predictions). The people I know who have the least trouble with Windows security are the ones who make their installation look as little like Windows as possible: they turn off all network services, disable all of the automatic features, and use none of the default applications. This pretty much defeats the advantages of Windows, but being stuck with it leaves you with few options.

AlanS November 10, 2009 8:16 AM

Most Windows users normally run with admin privileges so of course they need anti-virus and a zillion other security apps to protect their computer from themselves.

sooth sayer November 10, 2009 8:19 AM

I have been using PC’s for 25+ years and never have used “anti-virus” software. Even now I have 3+ windows machines running “naked”.

My view is that if you are even half intelligent you don’t need these things – if you aren’t, then these things can’t help. Most anti-virus software is ineffective in cleaning after an attack – AV is one of the biggest snake oils being sold.

Clive Robinson November 10, 2009 8:25 AM

@ Bruce,

“And — here’s the best part — it can be free. AVG won’t cost you a penny”

Err no it’s not free and it does cost but not directly.

The problem with the AV distribution model is it puts an ever increasing load on the Internet and on users’ systems.

In a market place where goods are tangible they have a direct distribution cost. Minimising this cost is in a manufacturer’s interests.

Not so for software and AV distribution. This means that the manufacturers have no incentive to minimise their footprint or improve efficiency as there is little cost to be saved.

This has a knock on effect in that as the distribution costs are minimal and mainly borne by the customer and not the manufacturer there is little or no incentive to do thorough testing prior to release. After all a Service Pack can be released when enough customers complain.

At some point soon the internet will not be able to support AV updates and endless Patch Tuesdays and the effect will be either traffic management or charging.

Neither option is desirable as it will effectively force “restrictive connectivity” onto all.

Personally if it comes I’m in favour of charging for data sent not received but this has obvious downsides as security is not sufficient to prevent a financial attack that would make current DoS attacks look pitiful.

David November 10, 2009 8:50 AM

An iPhone that hasn’t been unlocked is using a whitelist. The only general purpose programming language it runs is Javascript in the browser. Everything else was either obtained from the App Store, or specifically installed by a registered developer on a test basis. As long as Apple keeps the App Store apps clean, an iPhone can’t really be infected.

The cost of that, of course, is that it isn’t a general-purpose computer, but rather a very fancy appliance. Any system where the user can install or whitelist a program is potentially insecure, since it’s generally possible to convince some user to make a wrong decision.

AppSec November 10, 2009 8:51 AM

@Scott W:
I realize the conditions. It is a simple fact that it is not a Windows based machine which has a known vulnerability. They do exist. Going non-windows is not the solution — as the average user is not going to be savvy enough to manage that system. And those that are savvy enough will open other holes.

Hence my comment: You’ll never eliminate computer viri.

BF Skinner November 10, 2009 8:54 AM

@Bruce “antivirus software is neither necessary nor sufficient for security”

Hi Bruce. Okay I get the not sufficient. But I don’t see where you substantiate not necessary.

You do discuss whitelisting but would a white list protect you from a worm that takes advantage of a buffer overflow in a system service like sendmail?

@Kilgor “@Gomez

Or, don’t use Windows. Ta-da!
…which is not an option for many in the real world. Ta-da!”

…or any computer at all since viruses and malware exist for them all. Ta-da!

What OS was the morris worm written for? Window 95? uh, no.
Solaris Sunrise …does Sun write Windows OS? uh, no.
What is Slapper and Scalper propagating on; linux? uh, yeah.
Who is releasing an ever increasing number of patches for security holes, Apple? uh yeah.

Really tired of OS religious zealotry me. *nix users need to get past their unjustified smugness…It demonstrates an inexperienced, uneducated mind. Any system is subject to exploit.

HJohn November 10, 2009 9:01 AM

I run as Admin at home for convenience. I don’t want to log on/off every time I update, defrag, and a host of other things.

I do use DropMyRights for any application that connects or might connect to the web. Especially my wife’s web browser.

Anyone besides me use DropMyRights?

Kashif November 10, 2009 9:04 AM

@Uri

You of course realize that one of the main advantages of Windows is its backwards compatibility (for customers as well as software vendors). Otherwise Microsoft could make their life much easier by dropping old code (actually they started that already and include virtualization – Win7 & XP mode – in their OS).

SteveJ November 10, 2009 9:07 AM

Heh, Marcus says: “I don’t see what’s so complicated about that–after all, I’ve been running all of my systems that way for the last six years and have only had a single malware infestation.”

Conversely, I have been doing it Bruce’s way for the last 10 years and have had no malware infestation at all. Hurrah for anecdotes. I’ve also never trapped a virus with my AV software (unless you count EICAR) on a system I own. It has occasionally found tracking cookies and whatnot, which I’ve removed and blocked. I’d call that a no score draw.

Looking at my “installers” directory, I do have some apps which I haven’t changed in any way in the last 6 years, not even to take a new version. Windiff and frhed, for instance. But had I tried to make a list 6 years ago of the 14 applications I actually need, and then used only those applications, I would be stuffed. I would not have been able to install Firefox, OpenOffice, or TrueCrypt. Neither could I have taken critical security patches to PuTTY and GPG.

So obviously I need a way to whitelist new apps on a frequent basis. This is firstly because in a drive-by-download world, I want to take security updates to programs which handle untrusted data. It’s secondly because I’m a professional programmer, so my living relies on me taking new compilers, emulators, and other toolchain components. I’m the very nightmare of the IT department Marcus describes – I cannot do my job unless I can run software I’ve just downloaded off the internet, on company hardware.

All of which makes Marcus’s and Bruce’s strategies identical. Both prefer whitelists, but must acknowledge that people have to get work done. The big difference is that Bruce uses one particular tool to help him increase his confidence in a proposed new binary, whereas Marcus chooses not to use that tool. It seems to me, Marcus is really talking about IT policies inflicted on people who don’t understand the risks, by those who do, and saying that AV just isn’t good enough. Bruce is talking about IT policies inflicted by people who do understand the risks, on themselves, and pointing out that AV is frequently better than no AV.

I agree with this, though:

“I look at my friends who work at companies with a “must update your antivirus every month” policy and wonder what’s wrong with them.”

Either update AV every day, or don’t bother with it at all. If you think you need AV, then you should think you need up to date signatures.

kevinm November 10, 2009 9:09 AM

I don’t have antivirus running on the Windows PCs that my wife and teenagers use. They have only limited accounts and cannot write to the folders that SRP allows executables to run from. Sure, it’s a pain when they want to install something but I have never had a virus problem and I have used Windows since 3.0 (and BSD for real work) so it’s worth it. I do a monthly full scan of each PC with AV running off a booted CD, just in case, but have never found a virus infection. My kids prefer it that way as their PC is faster.

AlanS November 10, 2009 9:15 AM

@HJohn

I use DropMyRights on my XP machine at work where it is impossible to run as standard user. At home I just installed W7 and so far haven’t had any issues running as standard user. Kids are still on XP at home and they also run as standard users–but they prefer to boot into OpenSuse.

kangaroo November 10, 2009 9:17 AM

Or run windows in a vm with snapshots. Any performance you lose by running in a vm, you’ll lose with an antivirus program, and you gain real snapshotting capability, NAT, external firewalling, etc.

Unless you play games of course — the directx libraries aren’t quite there yet.

Guillaume November 10, 2009 9:25 AM

An anti-virus:
– Runs with admin privileges
– Opens and parses every crap hitting the computer, from any sources
– Has bugs, like any other software

So I run with low privileges (old school, not UAC or dropmyrights), without an anti-virus, and I do not open attachments I didn’t request. No exceptions.

I might be infected without me knowing it… But for the record, the P3 I use at home is as fast as my 2y old, anti-* laptop at work.

HJohn November 10, 2009 9:29 AM

I just upgraded to the new version of AVG yesterday, and it has this new feature called “Optimize Scan.” What it seems to do is scan for trusted files that do not need to be virus scanned and omit them to increase performance.

I haven’t used this yet since I haven’t had the time to research it.

kangaroo November 10, 2009 9:42 AM

OT: The current rash of shootings in the US is an example of how the “color” coding doesn’t work, but something similar could.

Predicting terrorists is very, very difficult. But predicting cultural waves of violence is not so hard. Violence could be expected from the current economic downturn, and once you get two close together, you immediately know that an extended series of attacks will occur — the conditions are ripe, and the cultural signal has been sent.

So, then is the time for schools, businesses, etc, to be extra cautious, to use any security tools they may have to try to at least limit/slow down any problems that may occur.

Our greatest threat is always ourselves.

UACForMe November 10, 2009 9:43 AM

@HJohn
“Anyone besides me use DropMyRights?”

I don’t use the DropMyRights application, but I manually set Software Restriction Policies on my WinXP computers where my user accounts have admin privilege, which accomplishes the same thing – to run applications without admin privilege.

Like others, I don’t run AV software on some computer systems, like a dedicated Media Center HTPC, which don’t use web browsers and where the only user interface is the remote.

@Bruce
“… and you won’t notice any performance degradation at all.”

Perhaps, if you have multi-core processors (i.e. Core2Duo, C2Q) in all your computers! I provide support for some non-profits which have many slightly older, single core computers, and I can say that AV software has a quite noticeable impact on performance (esp. during boot-up and when performing full disk scans).

AV hasn’t always been such a resource drain, and a few years ago, AV ran fine on a single core processor. Not any more, it seems that in the past few years (since multi-core processors have become a bit more common), the latest AV software almost requires a multi-core processor in order to run “transparently”.

David T-G November 10, 2009 9:45 AM

@Bruce: “getting” link == broken

ClamWin has no out-of-pocket acquisition cost, either. No comments on the ‘net bogging down into unusability because of signature updates, though, Clive.

@josephdietrich and others: agreed, though, that scanning and general operations make quite an impact

@JohnJS: what about an xbox??

I wish I could get the rest of my family to consider anything but MS Win, but I lost that battle a long time ago. Although they mostly run as standard users, which is a start, now they have to live with automatic updates (both OS and apps) and like it because I don’t have the time to chase everything manually. The worst is the stack of FF or OO updates in the download folder that did come down — repeatedly! — but then never got run 🙁

😀

David T-G
see http://justpickone.org/davidtg/email/

jgreco November 10, 2009 9:45 AM

@BF Skinner

Everyone here already knows that absolute security is unobtainable. The question is what measures do we have to take to obtain reasonable security.

If I only run signed packages on my linux box, with no services to the outside, I don’t run a mail server, and I don’t forward attachments to others, am I really not actually secure since I don’t run antivirus? Perhaps more importantly, if there even is a security flaw in this setup, would antivirus really make me more secure? (this is not a contrived example, my actual computer usage looks like this).

Is choice in operating system a magic security pill? Obviously not. Is antivirus always needed for security? Also obviously not.

HJohn November 10, 2009 9:48 AM

@UACForMe: “I don’t use the DropMyRights application, but I manually set Software Restriction Policies on my WinXP computers where my user accounts have admin privilege, which accomplishes the same thing – to run applications without admin privilege.”


I used to do that, I just found DropMyRights to be more convenient since sometimes I want to run apps as admin and sometimes not. I run my computer as admin for convenience, and changed all the icons of web facing apps to call DropMyRights. Then I keep icons to call the programs unrestricted for when I need to.

Downside of DropMyRights is it does not protect you unless you run the application first. (i.e., if you double click on a word document, it will open word as Admin).

It’s a trade off. Since it is just my wife and I, it works fine. I’ll rethink it when my girls are old enough to use a computer.

HJohn November 10, 2009 9:49 AM

@jgreco: “Everyone here already knows that absolute security is unobtainable. ”


True, and security is only one consideration.

ebrenes November 10, 2009 9:55 AM

@clvrmnky: Microsoft wouldn’t be able to bundle anti-virus software even if it wanted to. Netscape et al. took care of that.

Maybe when they revert to having Apple’s current market share they’ll be able to do such things.

Carlo Graziani November 10, 2009 9:56 AM

Here’s something I’ve wondered about: why do AV scanners rely on signatures?

I mean signature scan is an obvious first approach to detecting malware, but it has the problems Bruce alludes to, as well as more generally providing a static target for evasion tactics to adapt to.

Human experts are much better at noticing anomalous processes/files/behavior on computers than AV software is — we just have a better Hinky-sense, I guess. That will probably always be the case. However, in the past decade a lot of software has gotten better at tasks that used to be human-only functions — voice recognition comes to mind. Very hard problems in recognition and decision have been attacked successfully at very sophisticated levels, resulting in real products for sale in real markets.

Why, then, does AV lag so badly that signature recognition is still the standard state-of-the-art? Is there really no way to code a reasonable facsimile of a security guy’s hinky-sense? To analyze process behavior (network activity, file access etc.) for anomalous patterns, and trace those back to malware? (And do so less uselessly than Vista’s undiscriminating, 99% ignorable, nagging dialogs…)

I’m just asking, maybe there’s a good reason this is harder than, say voice recognition. OK, admittedly voices don’t actively try to avoid recognition, while malware does. But still, there has to be a better way than signatures, no?

A Nonny Bunny November 10, 2009 10:01 AM

I kicked AVG off my system, because it did cause performance degradation and I haven’t had a virus in a long long time (as far as AVG knows). I occasionally do a scan with a portable antivirus program (which doesn’t run in the background and so doesn’t cause performance degradation, unless I run it manually).

Matt November 10, 2009 10:04 AM

What I currently run into as a forensic investigator is that people who use their own equipment to connect to the work network simply refuse to hand over their hardware for an investigation. This is a good reason why companies should hand employees laptops / phones / pc’s to work on, so they can say: ‘That is my equipment, I want it back so I can do an investigation’ and there is nothing the user can do about that.

HJohn November 10, 2009 10:07 AM

@Carlo: “Human experts are much better at noticing anomalous processes/files/behavior on computers than AV software is”


I think this goes back to the trade off thing again. Most computer users aren’t experts, so signatures provide exact assurance on known threats. Key word: Known.

Most AV have heuristics, mine does. Problem with heuristics is when it doesn’t allow a user to do a valid task (false positive). A user may be more likely to ditch an AV product for a false positive than a false negative (if they ever know about it).

AV, like all products, have to keep users happy, which can be a tough balance between security, performance, and in the case of heuristics, whether the number of false positives vs false negatives is reasonable.

Nomen Publicus November 10, 2009 10:10 AM

@BF Skinner – The Morris Worm was 21 years ago. I well remember having to clear out the garbage from our first Sun server.

Exactly how many Solaris worms or viruses have been found in the wild since? And no, you can’t get away with saying that Solaris is a minority operating system and will not be targeted; Many major services run on Solaris and there is no reason why someone wouldn’t target a high visibility site such as Twitter.

However, this does bring up the question of application security. It seems to me that apps are still in a terrible state, especially those that run on multiple platforms (for example PHP.) While it may be possible to securely configure such apps, there seem to be few experts around that can do such a thing.

richrumble November 10, 2009 10:14 AM

We have 5000+ worldwide users with no AV installed. Not using IE turns out to be as effective as dropping the users into the Users group. We reduced our helpdesk calls and infection rates so much that we finally rid ourselves of the outsourced helpdesk, hired a handful of IT admins, and were much better for it.

AV is a bandaid on a cancer, and user education never paid off, so we had to lock down users, which has been great. Rotating AV scans of users’ machines, together with our locked down settings, using FF and staying patched (sorry Marcus, our users and servers do in fact need them), have paid off in spades. We’ve been running this way since Jan07 and pissing off McAfee/Symantec etc each time they come calling.
-rich

Felipe Alfaro Solana November 10, 2009 10:20 AM

Not using Windows is unfortunately not the right solution, since other platforms like Mac OS X have security bugs. The more people start using Mac OS X the more these vulnerabilities will be exploited.

Also, code-signing is absolutely worthless. Any hacker can get their code signed and pushed to you. You run the code, get a trojan or infected with signed code. The only thing that code-signing makes more difficult is getting a trojan or a virus hacked, but I’m sure any good hacker can deceive the signing authorities. Also, by the time you get infected it will be difficult to know what infected your system, so I think code-signing is the wrong approach to security.

HJohn November 10, 2009 10:26 AM

@richrumble: “AV is a bandaid on a cancer”


I agree to a point. I wouldn’t call it a bandaid, I’d call it a prescription. It won’t cure it, but it lessens the symptoms and leads to a longer and higher quality life.

If one can cure the disease, great. If not, it’s better than no treatment at all. The reality is that the majority of users aren’t experts.

Ichinin November 10, 2009 10:29 AM

I also use DropMyRights (DMR); the result is that when malicious code tries to “do its thing”, the browser crashes. Interestingly enough, some newspaper sites I regularly visit also crash when I revisit the same page again 😛

DMR is just one way to go, you can also reduce the risks by creating and running system services under different accounts, or change the service account from say localsystem to either localservice or networkservice. Or run stuff in VMWare.

And whitelisting is also a way to go. I wrote “Procwall” a while back (currently offline since geocities died) that created SHA-256 signatures of “legit” files and slapped on an easy-to-use GUI so even my mom could use it. Other vendors like SE46 did the same thing but added features like CA signed file signatures.

So yes, there are other ways to go than AV.
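The hash-based allowlist Ichinin describes, as an added example that is not Procwall or SE46 code: snapshot the SHA-256 of every known-good executable under a directory, then classify files as allowed (same bytes, even if renamed), modified (known path, new content), unknown (never seen), or not covered (a data file, which is the gap the essay notes for macro viruses). The directory layout and file contents are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the allowlist governs; anything else is outside its scope (assumed set for this example).
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root, exts=EXECUTABLE_EXTS):
    """Map relative path -> SHA-256 for every executable under root: the 'legit' snapshot."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in exts
    }


def classify(root, rel_path, allowlist, exts=EXECUTABLE_EXTS):
    """Decide what the allowlist says about one file; returns a verdict string."""
    path = Path(root) / rel_path
    if path.suffix.lower() not in exts:
        return "not-covered"  # data files (documents with macros, etc.) are outside the allowlist
    digest = sha256_file(path)
    if digest in set(allowlist.values()):
        return "allowed"  # bytes match a known-good binary, even if it was moved or renamed
    if rel_path in allowlist:
        return "modified"  # known path now holds different content: patched, or tampered with
    return "unknown"  # never seen before; an enforcement hook would block or prompt here


def scan(root, allowlist, exts=EXECUTABLE_EXTS):
    """Classify every file under root; returns {rel_path: verdict}."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): classify(root, p.relative_to(root).as_posix(), allowlist, exts)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def demo():
    """Constructed scenario: snapshot a clean tree, then change it the way an update or an infection would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ app v1")
        (root / "bin" / "helper.dll").write_bytes(b"MZ helper v1")
        allowlist = build_allowlist(root)

        # Changes after the snapshot (all constructed sample content):
        (root / "bin" / "helper.dll").write_bytes(b"MZ helper v1 + patch")  # content changed in place
        (root / "bin" / "dropper.exe").write_bytes(b"MZ unreviewed binary")  # new, never allowlisted
        (root / "bin" / "app-copy.exe").write_bytes(b"MZ app v1")  # same bytes as app.exe, new name
        (root / "docs").mkdir()
        (root / "docs" / "report.doc").write_bytes(b"document with macro")  # data file, not covered
        return scan(root, allowlist)


if __name__ == "__main__":
    for rel_path, verdict in demo().items():
        print(f"{verdict:12} {rel_path}")
```

Note that "modified" covers a legitimate security patch as well as tampering, which is exactly the change-request overhead the essay says IT departments dislike about whitelisting.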

Jason November 10, 2009 10:31 AM

@Carlo Graziani and the “hinky” system

Most AV already uses “heuristics” for the same sort of thing. It looks for virus-like behavior and triggers a generic signature.

Unfortunately, there are legitimate applications that do things that look virus-like.

This comes up with buffer-overflow protection, as well.

Also, heuristics are much more processor-intensive than signatures.

skeeto November 10, 2009 10:32 AM

Speaking of trade offs, if you’re a developer and you really want to kill your productivity, that Bit9 Parity thing mentioned is the way to go. Nothing is better than having to click OK in a popup dialog box every time you recompile the code. This also completely breaks your SCM’s bisect functionality.

They did this to us at my workplace, so I grabbed one of the official Ubuntu VM images they provide us, which is clear of this kind of security software. I now do much of my work inside of it, opaque to Bit9.

(Fun facts: it’s trivial for non-admin users to permanently shut off Parity anyway, so I doubt it’s offering very much protection. And, despite being a very simple whitelist program, it consumes a couple hundred megabytes of memory.)

HJohn November 10, 2009 10:38 AM

@Ichinin: “So yes, there are other ways to go than AV.”


I use a layered approach. I don’t break my neck on any one thing, and I try to keep things convenient since security is just one consideration:
* frequent backups, rotated offsite. (probably the single most important thing, recover from almost anything)
* I use AVG with heuristics, updated daily.
* Zone Alarm set at the highest level, never allow connections from anyone.
* the firewall on my router is activated and set to the highest level.
* Run Spybot Search and Destroy occasionally and set it to immunize
* DropMyRights for anything that uses the web.
* WinPatrol to keep things from making changes or running on boot when I don’t want it to.
* I run windows update weekly (I don’t do automatic updates, the computer crashed twice–both times I was out of time and my wife couldn’t fix it)

I also encrypt what I don’t want others to see and scrub my computer automatically using CCleaner.

Sounds like a lot, but it really isn’t. I don’t break my back on any one thing, but I don’t have any one point of failure either.

Jeff November 10, 2009 10:42 AM

“*nix users need to get past their unjustified smugness…It demonstrates an inexperienced, uneducated mind. Any system is subject to exploit.”

People who use locks on their doors need to get past their unjustified smugness…It demonstrates an inexperienced, uneducated mind. Any lock is subject to lockpicking.

Nostromo November 10, 2009 10:49 AM

@BF Skinner
“*nix users need to get past their unjustified smugness”

Seems to be a typo in your message, BF – you mean “that justified smugness”.

jgreco November 10, 2009 10:52 AM

@Felipe Alfaro Solana

Code signing is definitely not “absolutely worthless”… provided it is implemented properly. As implemented by the major Linux distributions (I cannot speak for other code signing schemes), the signing authority is the distribution itself, not a third party like VeriSign. The idea is that you trust the distribution (if you don’t, then all bets are clearly off anyway). Signed packages enable you to ensure that the packages did indeed come from your trusted source.

Now, it is possible that an attacker could first compromise the signing server (this has happened in the past, though it is rare), or that the attacker is a packager for the distribution (assuming this, you may as well assume that your AV company is also evil). Code signing isn’t a solution to everything, but it certainly is a very valuable tool.

Iain November 10, 2009 10:54 AM

“Your business will have no way to know what they’re using, and — more importantly — you’ll have no control.”

Only if you choose not to have it. We have remote access via Citrix but it’s locked down by MAC address to approved machines. Sure, that’s a trade-off in terms of flexibility, but it’s not true to say you can’t stop people connecting via “cell phone or PDA, or a computer in a hotel’s business center.”

People coming into the office and plugging in their own devices is probably more of a threat.

On AV I tried AVG for a while at home but didn’t find it very easy to use – went back to Norton suite which does more and is only £20 pa.

Clive Robinson November 10, 2009 11:00 AM

@ Carlo Graziani,

“Why, then, does AV lag so badly that signature recognition is still the standard state-of-the-art?”

Because there are no business drivers to make it anything but a signature system.

If you designed a system that actually detected a virus by its activities (i.e. hinkyness) then there would be little or no incentive to spend money with the AV companies next year.

As I noted above, the AV companies do not really have distribution costs, so there is no incentive to make them change as the cost would far outweigh the savings.

Likewise they don’t have a financial incentive to release properly tested code (pick your own metrics for that 😉); as long as it works “well enough” for most, then the users will do the testing for them.

So not only are AV companies using long out-of-date techniques because there is a financial incentive to do so, they have also outsourced software testing to their customers…

As has often been said “follow the money”…

Patrick G. November 10, 2009 11:02 AM

Additionally, an ever increasing number of applications on any PC use/require an internet connection, thereby exposing the Apps themselves to certain threats.

So keeping one’s applications up-to-date is vital IMO, even with a virus scanner running in the background.

Sadly that requires more expertise and effort on most PCs, so finding applications that are as old as the OS installation itself is not uncommon.

To make up for Windows’ lack of a package manager, I personally use Secunia’s free Personal Software Inspector (PSI) on my PC (and the PCs I happen to fix). It’s a really nifty tool to search for vulnerable versions of applications and plugins installed, and it gives official download links, patch notes and so on for most standard popular applications and tools.

There are other programs that do the same trick, but Secunia’s investing quite a bit into that one (and gathering anonymous data on the way!) and their App-/Version-Database is really extensive…

P.S.: I don’t want to do advertising, so form your own opinion. There are reviews out there and comparisons, so be sure to check them and read the fine print before installing.

Skeptical Fanboy November 10, 2009 11:02 AM

I think whitelisting can be a good thing, but I think it needs to be federated in order to reduce the burden.

In this age of Web 2.0-style crowdsourcing, I think we need a Slashdot-style rating, karma, and meta-moderation system: Allow anyone to rate the trustworthiness of a given executable, but take their opinions lightly until they’ve developed a history of (A) correctly identifying good and bad code; and (B) doing so relatively early in the lifecycle of a piece of code.

You can also give trusted software publishers the ability to vouch for their code in some way. Perhaps you’d simply whitelist code that was signed, and all other code would get a “trustworthiness” score assigned by the user community.

Obviously, malware authors and others will attempt to game the system, so you’ll need a karma system and meta-moderation to keep things from getting too out of hand.

I’m not familiar with either Bit9 Parity or Savant Protection, so perhaps they already do what I’m proposing, and they’re still too clunky.

A quick check of their product pages seems to indicate they’re primarily used by IT departments to centrally lock down applications. My proposal wouldn’t take on the IT function of locking out harmless-but-undesirable applications. It would only handle the prevention of malware, thus making it much simpler from an end-user perspective.

I’m sure there are numerous flaws in my proposal, but I’m curious to see what others think about such a scheme.

jgreco November 10, 2009 11:05 AM

@Iain

I assume you mean your remote access via Citrix is locked down by IP address, not MAC address. MAC addresses can only be checked locally, or on a LAN and are absurdly trivial to change.

Saying you are secure because you do MAC address filtering is like saying you are secure because you log into your remote system with telnet but your password is strong.

Fred P November 10, 2009 11:15 AM

@sooth sayer

I may be computer literate enough to avoid nearly all malware, most of the other users of my home computer aren’t – and at least one needs admin access to run what (to them) are basic programs.

So anti-virus software allows me to identify a good percentage of the problems (and they give me enough information that I can then recover from an attack). Similarly, the firewall I’ve installed (I’ve found windows firewall to be nearly useless) allows me to find suspicious executables and prevent them from emitting or downloading while I’m verifying what they are.

clvrmnky November 10, 2009 11:15 AM

@ebrenes:

Re-read my comments. I suggest that the OS should provide “hooks” for third-parties, not that they should replace the functionality that some third-parties provide.

Eugen Bacic November 10, 2009 11:57 AM

I recall my research into viruses and anti-virus software back in the 80s. At the time we determined that anti-virus was not an acceptable long-term solution, especially as connectivity increased, etc.

We examined a lot of solutions in my research lab and we determined that control flow was the most likely solution to be long-term viable. Unfortunately, it was fairly slow on era hardware. We did build control flow and execution flow solutions against a number of Unix variants to good effect. Some of the research was published but because of major impact on performance it was deemed inappropriate to control malware via control/execution flows at that time.

Perhaps now, with much faster hardware, it may well be time to re-examine controlling malware by providing informed flow controls within operating systems. I know other research has looked at controlling flow via various methods and some have even determined efficient ways of learning what’s “normal” within a given system.

Although no solution would be perfect, the advent of zero-day attacks and the sheer interconnectivity of everything means we need to look into more complex solutions for the malware problem that are predictive in nature.

For those interested they should look back into research done on information flow, execution control, etc. Though much of that work was done in the 80s and early 90s, I think it is now more relevant than ever.

Alfonso Maruccia November 10, 2009 12:00 PM

Good point, Bruce, even though I’d recommend Avira AntiVir (both the free and commercial version) instead of AVG for its better detection capabilities (as stated by the AV-Comparatives folks)….

Mark R November 10, 2009 12:08 PM

White listing can be very effective, but I think it’s incomplete without also defining what your trusted applications are entitled to do (a la SELinux). Malware doesn’t necessarily have to change the executables themselves to infect your system.

Richard November 10, 2009 12:26 PM

I have been running XP and now Windows 7 on my home PC and Laptop plus my work PC as a non-Admin for over 4 years.

I’ve also not had any AV software installed/running on any of them the whole time.

Running as a non-Admin in XP was a bit of a hassle, but in Windows 7 the experience is great.

Admittedly I’m an IT Pro so I’m not the kind of user to click on something malicious but running as non-Admin also gives you a great deal of reassurance.

HJohn November 10, 2009 12:30 PM

@Richard: “Running as a non-Admin in XP was a bit of a hassle… Admittedly I’m an IT Pro so I’m not the kind of user to click on something malicious but running as non-Admin also gives you a great deal of reassurance.”


I think you nailed the key problem. Most users aren’t IT pros, so when they set themselves up as admin everything works. Functionality is why they purchased the thing in the first place.

TS November 10, 2009 12:50 PM

@sooth sayer

In 25 years of computing, I have never unintentionally infected any of my machines. Some good friends who are also IT types have never infected themselves. Not much of a problem when you know what you’re doing.

On the other hand, with 8000 users, there is a large number who probably couldn’t tell you what a computer virus is in the first place. Who don’t give a second thought to opening an attachment from an unknown sender. Who just aren’t aware that there is a risk.

Remember “I Love You”? There were a lot of people tricked into opening that one. And “Anna Kournikova”? I remember people asking if we could unblock it for them. Then there was Klez, which spoofed the sender so the old “don’t open messages from people you don’t know” wasn’t quite as effective.

As the saying goes, “You can fool some of the people all of the time…” which is why you need AV on corporate systems.

AlanS November 10, 2009 1:02 PM

@HJohn

“Most users aren’t IT pros, so when they set themselves up as admin everything works.”

I think it is worse than that. Most users don’t even understand that there are different types of accounts. Microsoft’s goal is supposedly to get everyone onto running as a standard user by default. It will be interesting to see how they pull that one off.

HJohn November 10, 2009 1:17 PM

I find this an interesting converse to the previous blog post on “Laissez-Faire Access Control.” The points on both sides of both AV and AC topics are “permit the good” vs “detect the bad.”

I think both are necessary, since we can never get either one exactly right. Trying to do either exclusively can be not only too difficult, but destructive.

David November 10, 2009 3:32 PM

@HJohn: Microsoft Windows is hampered by its legacy of backward compatibility extending to when there was no such thing as user privileges, and the single user simply controlled the whole computer. This is in contrast to the Unix tradition of using user accounts for everything but system administration tasks. Apple was willing to dump a lot of backward compatibility when moving from the traditional MacOS to MacOSX, but Microsoft wasn’t.

Up through XP, there was an expectation that users would run with full admin privileges. Many software developers just used admin accounts, and didn’t test on more limited accounts. This was less true for business software, but was pretty much standard in personal software. One of the purposes of UAC was to push developers into making their software work on limited accounts, but that came out with Vista, recently and as part of a very unpopular OS.

sad November 10, 2009 4:54 PM

Whitelisting is nice, but it seems to be an enterprisey thing. For Windows, it’s only available in the Professional line of products. Third-party whitelisting seems to also target the enterprise. Are there any consumer-level application-whitelisting vendors out there?

Clive Robinson November 10, 2009 6:08 PM

@ TS,

“As the saying goes, “You can fool some of the people all of the time…” which is why you need AV on corporate systems.”

You did not complete the saying,

“… and all of the people some of the time.”

As was once said

“The only fish that you cannot catch is one that does not eat, you just need the right bait.”

From the AV perspective if you have a clean machine that you never put bytes on from other media, where the bytes might have originated from the outside world then you may not need AV software.

But if it were not for the mess AV software makes of MS OS’s, I would say “load it and run it when required”.

I could not in honesty recommend any AV software that “integrates” itself with an MS OS, as I’ve yet to find one you can fully remove without consequences.

Which is why I connect to the outside world via a “boot from CD” Linux distro and use a USB memory key to put downloaded data on. This I then scan for malware on another Linux box, before putting it any where near any of the MS OS machines I have to use from time to time.

It’s not perfect as malware that has no sig can still get through.

Each of my MS OS machines is dual-boot with a Linux partition with the appropriate tools on it. I scan the files on the MS OS partition and see if any have been changed via an MD5 checksum scan. If a file is new or has changed with good reason, I update the checksum file. If not, I restore from backup or wipe it.

I also have utilities that zero all the slack space and zero and remove temp files etc.

It’s a bit belt-and-braces, but it has once caught a virus file that got through the AV scanner as it was “too new” to have a sig. As an aside, it was a researcher doing something similar to this that led to him discovering the Sony rootkit. Likewise, do not trust “installation media”: if you think back, the original “Word macro virus” came out on a Microsoft update CD…

But like a commenter above I’m starting to use virtual snapshots for running MS OS’s virtually. This is on a high end Linux box and when I have some time I will investigate using remote desktops on a diskless client with it. If it works OK then I’ll build another “Safe Server” just for the fun of it 😉

Another little trick for home users whose ISP is not kind enough to malware-scan your emails for you is to leave your email on the ISP server.

Then with linux and an appropriate script pull down a copy of any “unread” messages and scan them. If a message fails delete it off of the server. If it’s OK mark it as read on the server, or forward it to a private mail server. You can do similar with “spam”.

Then, “only when you have to”, connect to the ISP mail server with your MS OS / MUA; you can read the “read messages” but not the unread ones, as they have not yet been scanned.
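
The mail-triage script Clive describes above (pull down unread messages, scan them, delete the ones that fail, mark the rest as read so the desktop client only ever sees pre-scanned mail), written out as an added example. This is not Clive’s script or anything posted in the thread. It assumes an IMAP mailbox (Clive does not say which protocol he uses), and in place of a real malware scanner it uses a crude, signature-free filter that rejects any attachment whose final extension Windows would execute, which is exactly the hook an “I Love You”- or “Anna Kournikova”-style attachment hangs on; pass a real scanner as `scanner=` for actual use. `FakeIMAP`, `build_message` and the three messages in `demo()` are constructed so the block runs offline.

```python
"""Pre-scan unread IMAP mail before the desktop mail client ever touches it."""
from __future__ import annotations

import email
import imaplib
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY

# File types Windows executes on double-click. Constructed list for this
# example; extend it to taste.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "lnk"}


def suspicious_filename(name: str) -> bool:
    """True if the *final* extension is executable. This catches the classic
    "AnnaKournikova.jpg.vbs" double extension and names padded with spaces."""
    stem = name.strip().lower()
    return "." in stem and stem.rsplit(".", 1)[1].strip() in EXECUTABLE_EXTS


def suspicious_attachments(raw: bytes) -> list[str]:
    """Names of attachments in a raw RFC 822 message that fail the filter.
    Stand-in for a real scanner; a real one would inspect content, not names."""
    msg = email.message_from_bytes(raw, policy=DEFAULT_POLICY)
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and suspicious_filename(p.get_filename())]


def triage_unread(conn, scanner=suspicious_attachments) -> dict[str, list[str]]:
    """Walk every UNSEEN message in the selected mailbox. Failures are flagged
    \\Deleted and expunged; passes are flagged \\Seen, so the desktop client can
    later be told to fetch only "read" (i.e. pre-scanned) mail. `conn` is an
    imaplib.IMAP4 or anything with the same search/fetch/store/expunge methods."""
    report: dict[str, list[str]] = {"passed": [], "deleted": []}
    _typ, data = conn.search(None, "UNSEEN")
    for num in data[0].split():
        msgid = num.decode()
        # BODY.PEEK[] fetches without setting \Seen; a plain BODY[] would mark
        # an unscanned message as read, defeating the whole scheme.
        _typ, fetched = conn.fetch(msgid, "(BODY.PEEK[])")
        raw = fetched[0][1]
        if scanner(raw):
            conn.store(msgid, "+FLAGS", "\\Deleted")
            report["deleted"].append(msgid)
        else:
            conn.store(msgid, "+FLAGS", "\\Seen")
            report["passed"].append(msgid)
    conn.expunge()
    return report


def build_message(subject: str, attachment: str | None = None) -> bytes:
    """Constructed test mail; in real use these come from the server."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.net", "bob@example.net", subject
    m.set_content("see attached")
    if attachment:
        m.add_attachment(b"MZ\x90\x00 not really a program", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


class FakeIMAP:
    """Offline stand-in for imaplib.IMAP4 implementing just what triage_unread uses."""

    def __init__(self, raw_messages):
        self.msgs = dict(enumerate(raw_messages, start=1))
        self.flags = {n: set() for n in self.msgs}

    def search(self, _charset, _criterion):
        unseen = [str(n).encode() for n in self.msgs if not self.flags[n]]
        return "OK", [b" ".join(unseen)]

    def fetch(self, msgid, _parts):
        n = int(msgid)
        return "OK", [(b"%d (BODY[] {%d}" % (n, len(self.msgs[n])), self.msgs[n]), b")"]

    def store(self, msgid, _op, flag):
        self.flags[int(msgid)].add(flag)
        return "OK", [None]

    def expunge(self):
        for n in [n for n, f in self.flags.items() if "\\Deleted" in f]:
            del self.msgs[n], self.flags[n]
        return "OK", [None]


def demo() -> dict[str, list[str]]:
    """Run the triage against three constructed messages."""
    inbox = FakeIMAP([
        build_message("lunch?"),
        build_message("Q3 numbers", "report.pdf"),
        build_message("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    ])
    return triage_unread(inbox)


def run_against_server(host: str, user: str, password: str) -> dict[str, list[str]]:
    """The same triage against a real mailbox (not called by demo())."""
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select("INBOX")
        return triage_unread(conn)


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. Fetch with `BODY.PEEK[]`, because a plain `BODY[]` fetch sets `\Seen` and would make an unscanned message look scanned to the desktop client. And consider copying failures to a quarantine folder with `COPY` before flagging them `\Deleted`, since a false positive is gone for good once expunged.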

Clive Robinson November 10, 2009 6:18 PM

@ solution,

“OpenBSD! At least the attitude is correct”

The attitude might be, but the kernel could be a lot more secure if it was broken up and had least-privilege mechanisms built into device IO and other data flows, with a security hypervisor etc.

The question as always is “what’s the trade-off” you are prepared to make…

Security -v- performance / efficiency / …

Brandioch Conner November 10, 2009 8:17 PM

@Carlo Graziani
“Here’s something I’ve wondered about: why do AV scanners rely on signatures?”

How about “Why do AV scanners rely on the WRONG signatures?”

It’s EASY to get signatures for known good code on a machine. Pretty much it’s just getting the signatures of the files installed by the OS and any apps you INTENTIONALLY install.

This would be a white list used by the AV scanner.

Anything not on that white list is NOT installed without making the user jump through 3 different hoops.

The best part is that even if the user DOES jump through those hoops to install some crap, the same white list can be used to identify any files that are not on it and quarantine them.

Then you just pay the AV company for the updated signature list so you can install the latest games and such.

The BEST part is that even if you don’t pay the AV companies, you’ll still be as safe as the day you got the machine. Except for any vulnerabilities in the AV software itself. Perfect for Grandma.
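
The hash whitelist that Ichinin (Procwall, SHA-256 of “legit” files), Clive (the checksum scan of the Windows partition from a Linux boot) and Brandioch (an AV whose signatures are the known-good files) are all describing, as an added example that is not any commenter’s tool and not from the original page. It builds a baseline of SHA-256 digests for every file under a root, stores it as JSON, and on rescan reports files that are new, changed or missing. It uses SHA-256 rather than Clive’s MD5 because MD5 collisions are cheap enough that an attacker who supplied one of the baselined files can later swap in a colliding twin; SHA-256 has no such problem. The `demo()` directory tree, its filenames and the “infection” it simulates are constructed, and the script name `whitelist.py` in the usage note is an assumption.

```python
"""SHA-256 file baseline: whitelist the files you installed on purpose, then
report anything that is new, changed or missing on a later scan."""
from __future__ import annotations

import argparse
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB pieces so big binaries never sit in RAM whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path, suffixes: tuple[str, ...] | None = None) -> dict[str, str]:
    """Map root-relative path -> SHA-256. suffixes=None hashes every file
    (Clive's approach); pass e.g. (".exe", ".dll", ".sys") to whitelist
    executables only (Procwall's approach)."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if suffixes is not None and p.suffix.lower() not in suffixes:
                continue
            if not p.is_file():  # skip sockets, devices, dangling symlinks
                continue
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files present now but never whitelisted, whitelisted files whose hash
    moved, and whitelisted files that have vanished."""
    old, new = set(baseline), set(current)
    return {
        "new": sorted(new - old),
        "changed": sorted(k for k in old & new if baseline[k] != current[k]),
        "missing": sorted(old - new),
    }


def demo() -> dict[str, list[str]]:
    """Constructed run: baseline a fake Windows tree, 'infect' it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sysdir = root / "windows" / "system32"
        sysdir.mkdir(parents=True)
        (sysdir / "notepad.exe").write_bytes(b"MZ notepad")
        (sysdir / "kernel32.dll").write_bytes(b"MZ kernel32")
        # In real use the baseline goes on media the scanned OS cannot write
        # (Clive keeps his on the Linux side); here it round-trips via JSON.
        baseline = json.loads(json.dumps(build_baseline(root)))
        (sysdir / "notepad.exe").write_bytes(b"MZ notepad + injected code")  # patched binary
        (sysdir / "svch0st.exe").write_bytes(b"MZ dropper")                  # new dropper
        (sysdir / "kernel32.dll").unlink()                                   # deleted file
        return compare(baseline, build_baseline(root))


def main() -> None:
    ap = argparse.ArgumentParser(description=__doc__)
    sub = ap.add_subparsers(dest="cmd", required=True)
    b = sub.add_parser("baseline", help="hash every file under ROOT into OUT")
    b.add_argument("root", type=Path)
    b.add_argument("out", type=Path)
    c = sub.add_parser("check", help="rescan ROOT and diff it against BASELINE")
    c.add_argument("root", type=Path)
    c.add_argument("baseline", type=Path)
    args = ap.parse_args()
    if args.cmd == "baseline":
        args.out.write_text(json.dumps(build_baseline(args.root), indent=1))
    else:
        old = json.loads(args.baseline.read_text())
        print(json.dumps(compare(old, build_baseline(args.root)), indent=1))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1)) if len(sys.argv) == 1 else main()
```

From the Linux side of a dual-boot box: `python whitelist.py baseline /mnt/windows baseline.json` once, then `python whitelist.py check /mnt/windows baseline.json` after each Windows session; with no arguments it runs the constructed demo. As Clive notes, the scheme only holds if the baseline file lives where the scanned OS cannot write, otherwise whatever modified the files can update the hashes too.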

Stefan W. November 10, 2009 8:31 PM

I’m running linux as a desktop system for over 10 years now, nearly full time, without AV and without malware.

Slapper and Scalper were worms, not virii, and infected Apache, which isn’t a typical desktop app, and since then 7 years have passed. 🙂

Running AV-soft with an empty signature file does not make too much sense.

Email: Well – There are only few people who would send me mails with attachment – beside spam, and of course I don’t forward spam. I would forward a link to a funny page, but if you run a MS-system, you have to protect yourself.

And I don’t run AV-software for pure solidarity reasons. 🙂

Nick S. November 10, 2009 11:37 PM

For those of you who default to running as administrator and then pick-and-choose apps to run with less privileges, why not just run as a regular user account? 95% of any maintenance just requires a right-click, Run As… The only thing that doesn’t work for is a couple of things in the control panel that require a little extra work with rundll32. I ran this setup on Windows 2000 for YEARS without a problem.

Kashif November 11, 2009 2:33 AM

@Bruce Barnett

Actually MS’s free antivirus seems to even have reasonably good detection performance and almost no system impact (at least from my observation on my netbook).
And it does not try to upsell you to a “better” version like AVG etc.

James Gentile November 11, 2009 4:52 AM

“People who use locks on their doors need to get past their unjustified smugness…It demonstrates an inexperienced, uneducated mind. Any lock is subject to lockpicking.”

Unix has no more locks on its doors than modern versions of Windows, so your analogy fails, and in many cases Windows is better than Unix, but suffers because of its ubiquitous nature.

lk November 11, 2009 5:27 AM

To all those “I never had antivirus and never had any viruses” people: please run the antivirus already!

I’m sick and tired of getting spam silently sent from your zombiefied computers.

Viruses don’t work like in movies from the ’80s, where your screen melts or files disappear.

You won’t ever see when your computer is infected. Viruses these days are trying to be as silent as they can to remain undetected for as long as possible.

Clive Robinson November 11, 2009 6:06 AM

@ James Gentile,

“Unix has no more locks on its doors than modern versions of Windows, so your analogy fails, and in many cases Windows is better than Unix, but suffers because of its ubiquitous nature.”

Ah the analogy does not fail 😉

The number of locks alone is not enough to secure a door.

Each lock must be sufficiently strong to do the required job. If you have ten weak locks and I have one strong lock I might be more secure.

Then of course there is the “brand issue” you refer to. As a lock picker I’m going to practice on the most common type of lock, as that gives me the best opportunity advantage.

That’s the trouble with an analogy people have different perspectives 8)

More seriously the various MS OS’s do have security features as do the various flavours of *nix.

You could argue the merits of these various features till you get old and grey, as in the main they make little or no difference.

What does make a difference is,

1, How secure the OS is “out of the box”.
2, How secure the user chooses to set the OS up.
3, What the user chooses to do with the OS.

The main trend of the argument here is MS have in the past chosen usability out of the box over security.

And that overall the users of MS OS’s tend to be less technically savvy than those who use *nix.

And that many users of MS OS’s are more reckless in what they do with their computers than *nix users.

When you then compare the market share of MS OS’s to *nix OS’s, the number of non-savvy MS OS users is several times that of the total of *nix users.

According to the “Myths and Legends” of computing, the original architect of MS’s New Technology, Dave Cutler (lead on DEC’s VMS & RSX-11), went to MS in the late 1980’s supposedly promising to make a “better Unix than Unix”. Work officially started in Nov 88 to fulfil MS’s commitment to IBM over OS/2.

Unfortunately MS Sales and Marketing had other ideas: MS Windoze 3.1 on top of MesS DrOS had suddenly taken off, and rather than go down the original OS/2 2 API route for NT, MS switched to Win 3 APIs. The rest, they say, is history…

BF Skinner November 11, 2009 7:46 AM

@Nomen Solaris is a minority operating

There is a difference in the operating environment and level of control applied between back-office servers established at a real estate office and ones supporting mission-critical systems supervised by administrators.

I won’t talk to Twitter ’cause I don’t know how they’re configured. Got a feeling that they are exploitable.

My observation isn’t directed at the OS but the operators. My belief and experience has been that any OS can be configured to be hard to crack in a hostile or protected environment, including Windows NT4, because I’ve done it. But it takes effort. During the Nimda/Code Red summer, when worms ran riot through a client’s enterprise, they had people reimaging their servers that were found and compromised by worms before their initial reboot was finished.

Our facility (with thousands of Windows servers, workstations, web servers, and SQL Servers at all version levels) lost A workstation to the worm. That was due to the AV. Is AV sufficient? No. I won’t argue that it is. But it is necessary. After we installed AV products on the *nix servers we found we were taking 2 to 3 pieces of malicious code off the *nix environment a month. Enough that, once shown, the *nix admins agreed that it was necessary.

Smug *nix admin to me: “The only way to know your craft is to hand-build all your systems. This is easy with *nix. System imaging with Windows makes for stupid SAs.”
Me: “Oh good. Wait. Look at this chart I’ve made from the IG report. It shows that 100% of our critical/high technical vulnerabilities are in the hand-built *nix environment, which comprises 20% of our production environment. And these are different vulnerabilities on each server… While our stupid imaged Windows (80%) environment has moderate and low vulnerabilities that are the same problem across platforms.”
*nix admin: “Oh.”

Smug *nix admin to me. “We can configure the OS in any way we want loading only those packages needed.”
Me: “Good. That meets our least-service control. Oh wait. Why does every one of your Solaris servers run BIND?”
*nix admin “oh well that’s our default build. We do that for all machines.”
Me “Why. Is every one of your servers serving DNS?”
*nix admin “Well no.”
Me “Take bind off”
*nix admin “We don’t know what’ll happen. It’ll take months of testing”
Me “Take it off, carefully”
Since this was BIND8 it was kinda important. Oh, and this happened last year.

Smug *nix admin “We don’t have to trust the vendor. We can look at all our code and compile it and know that there’s nothing malicious in it.”
Me “Excellent. Wait. Why did you download and install this compromised Sendmail package from Sendmail.org”
*nix admin: “We didn’t know it was compromised because we didn’t check the MD5 hash against the downloaded package.”
Me: “So you’re not even doing the simple task of checking the MD5 hashes and you expect us to believe you’re tracing out thousands of lines of code and checking the response of every function? By the way. Are you a programmer?”
*nix admin “No.”
Result of the after-action of an admin installing the trojaned Sendmail package in a mission-critical enterprise app.

Just because you can do a thing doesn’t mean the admins do it. But hey… they know best, right? My observation here is not about the technology but on the unjustified belief that you’ll hear in a constant singsong if you listen: that *nix is perfect, Windows sux. That’s religious bigotry, not engineering, and yes, unjustified. Look at @jeff and @nostromo’s reactions. Those are emotional reactions. It leads to arrogance and a “why bother” mindset that has made our current set of onerous and often stupid FISMA requirements necessary.

David November 11, 2009 8:45 AM

@Brandioch: No set of whitelists is ever going to be good enough. For example, I don’t know what goes on in the Tuesday World of Warcraft updates. Presumably files change. If I play WoW, I want all those changes, but I really don’t think there’s any way Blizzard is going to supply hashes to AV vendors far enough in advance to be useful.

Moreover, it would have to whitelist all the stupid little things people download now (and get infected from), because they’re going to download a lot of them anyway. In order to stop them, they need software that will be pretty accurate in filtering them. If such protection flags too many of those as potentially harmful, the protection gets either turned off or ignored.

I don’t see it happening in a home environment, and you can already prevent a lot of similar dangers in a work environment.

jgreco November 11, 2009 9:31 AM

@BF Skinner

I’ll assume you missed my response (at November 10, 2009 9:45 AM) to your previous comment. Your initial comment implied that AV was always needed, regardless of configuration or other safety precautions taken. I assert that it is trivial to create a situation in which AV is not worth the effort, and that such situations indicate that your statement (“AV is always needed”) is untrue.

If you’d prefer getting yourself involved in a flamewar over the perceived merits and limitations of various operating systems, then I will leave you to that…

Joe Judge November 11, 2009 9:56 AM

Bit9 Parity & Savant Protection look like fine solutions — but apparently unavailable to the end/home user.

What other application whitelisting choices are there?

UACForMe November 11, 2009 10:45 AM

@David
“Up through XP, there was an expectation that users would run with full admin privileges.”

Unfortunately, this is still the case with lots of business and educational software, and is still quite common with consumer software, especially games.

For example, just about any current/popular computer game requires the use of an admin-level user account. Making matters worse, just about all games these days require Internet access, even for solo, non-multiplayer gaming (e.g. CoD4MW2), with the worst offenders (e.g. Blizzard) trying to set up torrents for patches.

To try to keep some sense of security, my kids computers are connected to the Internet through a screened subnet, where the router/firewall whitelists Internet access to only those sites required by the games to function. This prevents the games (or any other software) from accessing “who knows what” on the Internet, and also prevents use of torrents (many games still have some form of fall-back to a real server to download patches).

One of my pet peeves, though, is the use of multiple different root domains by the same game company, which makes whitelisting unnecessarily more difficult/complex. For example, the recent CoD4MW2 game requires the use of Steam (even for solo offline play), where the main site is steam.com (simple to whitelist). However, it also uses steampowered.com, steamcommunity.com and a growing list of other domains I am finding through the blocked-access alerts in the firewall logs. There is absolutely no reason these couldn’t have been set up as subdomains off the main domain (e.g. community.steam.com).

Unfortunately, this problem of “too many domains” is not unique to game companies, as many businesses don’t seem to “get it” or just don’t have IT “architects” smart enough to figure out how to utilize a common root domain. Although some are starting to “get it”.

Besides being an inconvenience for whitelisting, this is also a serious security problem which can lead to phishing, since users can’t easily identify a company’s website when several different root domains are used.

mashiara November 11, 2009 10:53 AM

None of the large AV companies have used purely signature based engines since ages ago.

F-Secure (=FSC, full disclosure: I worked for them 8 years ago) for example has had purely heuristic engines (using signatures only to remove false positives) alongside more traditional ones for 10 years.

Note that there are many kinds of heuristics. The “traditional” one is to analyze the executable and look for potentially bad behaviour; another (that Bruce often has called for) is to basically attach (like debuggers do) between the program and the rest of the system and analyse the program as it runs (the true “hinkyness” analyzer) and, if it tries to do bad things, prevent and/or ask the user (these are policy decisions). At least FSC has been doing things like this also for some years now (and yes: it’s quite heavy on the system).

I understand that Bruce is a cryptographer and thus AV isn’t really his field, but I’d like people to do a little more research on how things are actually done these days before complaining that everyone still uses static signatures for detection.

See for example this white paper: http://www.f-secure.com/system/fsgalleries/white-papers/f-secure_deepguard_2.0_whitepaper.pdf

And realtime (regardless of the scanning engines) AV of course always affects performance, on multi-core machines and standard office workloads it’s just not that noticeable since the other core(s) would be idling anyway.

Pat Cahalan November 11, 2009 11:16 AM

I take Marcus’s approach on my personal machine (my laptop), and Bruce’s approach on everything else, including my other personal machine that I share with the famdambily. My laptop is mostly trusted. Nothing else is regarded as particularly trustworthy.

Of course, I don’t bank online, or store all my financials on untrusted machines, so there’s that.

JD Bertron November 11, 2009 2:24 PM

This is why zero-day detection is important. In fact, it’s the only detection that’s needed, because it works even for an unknown crypto-virus.
ThreatFire

berkutturan November 11, 2009 3:12 PM

I was also afraid of viruses and decided to use anti-virus software on my servers and clients. Then I noticed that there are no viruses in the wild for Ubuntu.

Come on, Bruce. It’s you who are vulnerable. Use anti-viruses that slow down your computer. Use anti-malware. Use anti-hijackers. It’s a dead end.

You would choose the one that is least vulnerable, wouldn’t you? We have a saying: do what your teacher says, not what he does.

berkutturan November 11, 2009 3:29 PM

By the way, Bruce is doing something right. How could you sell security to someone secure? Windows is right for him. Lots of threats, viruses, malware, insecure software supply channels. Sorry for my last comment, anyway. It’s just business.

Eric November 11, 2009 11:22 PM

Very interesting comments… There are Software Restriction Policies built into Windows, for the people wondering “What other application whitelisting choices are there?”. Configured with limited user privileges, it is a strong configuration. Using the default directory rules with a default deny policy is a pretty powerful starting point in creating a strong environment.

BF Skinner November 12, 2009 6:59 AM

@berkutturan “You would choose the one that is least vulnerable, wouldn’t you?”

No. It’s not just our own box. I would choose the one(s) that are most suited to the application being developed. There are technologies that are mature on one OS but not another. Clients need function.

Security costs are a factor, but what if the decision to go Ubuntu means having to recruit and hire, train and maintain personnel (users and admins) who know how to run it in a large environment?

One client I worked at spent 9 months trying to find a suitable *nix admin to come work at their out of the way site.

Another time I was at an MSCSE certification class and a bunch of people in it with me were sweating, unhappy and obviously under the gun. They weren’t having fun with technology. I asked them about it and they told me that their company had just switched from Novell to Windows. They were being “retrained” in a certification class. Further, they were told that either they passed their tests or they were fired the next week.

Jack November 12, 2009 8:30 AM

Hi all,

Someone has correctly pointed out:
“What does make a difference is,

1, How secure the OS is “out of the box”.
2, How secure the user chooses to set the OS up.
3, What the user chooses to do with the OS.”

AV, as Bruce said, is not THE solution. If AV is coupled with a correctly set up Windows (not running in Admin and with Autorun permanently turned off), it can be as safe as many other OSes, differing only in how elegantly it handles privilege elevations and other things. All my machines run in this manner.

What makes Windows, particularly XP, so bad in the eyes of security experts lies squarely with Microsoft. The enforcement of file system security was introduced with Windows 2000, and hence MS should have been shouting at the development communities to get on board.

Not only that: it did not provide any form of debug tools to alert developers of security violations or of requiring too much privilege. As a result, I would say 90% of the developers are ignorant of the need to use the least privilege principle and to understand the OS’s security policy. Most just turn them off by running in Admin. I actually had a lengthy debate in a well-known (not MS) development company’s forum educating their developers to do so.

As a result, as one commenter noted, most games need to run in Admin mode but in fact do not. That is a sign of totally sloppy and ignorant programming condoned by their equally ignorant management.

The spreading of Conficker via USB is nothing new. In the days of the floppy disk, this was a well known trick: put some malicious boot code on a floppy disk and wait for someone to leave it in the drive for the next boot. How can Microsoft be so ignorant of this danger and blatantly make this out to be a cool feature? Now, with the helping hand of Microsoft, the attacker does not even need to wait for a reboot!

If you are a Conficker developer, good on you to exploit Microsoft’s stupidity. Apparently now Win7 has that ‘feature’ turned off. Finally, after all that time, when they could have easily issued a registry setting to turn it right off as a security update.

Recently I was operating a machine running AVG and helping to eradicate trojans, and the downloader literally ran amok under the nose of AVG by infecting my USB drive. Fortunately, it will not do much damage in my locked down environment.

Hence in addition to AV, tighten your OS security to the max as most trojans/virus will not be able to take root in such an environment.
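An added audit script, written for this page and not posted by Jack, Eric, or anyone else in the thread, that reports the two hardening settings these comments recommend: a Software Restriction Policies default-deny level with its path rules (Eric’s comment above), and AutoRun turned off (Jack’s). The registry key names are the documented SRP and Explorer policy locations; the level-name table and the report format are this example’s own assumptions.

```powershell
# Added audit example (not from the thread). Read-only: reports SRP and AutoRun
# policy from the registry and changes nothing. HKLM keys read fine unelevated.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP security-level values as stored in the registry (Disallowed .. Unrestricted)
$Levels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
             131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpStatus {
    if (-not (Test-Path $SrpKey)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = 'Unrestricted (no SRP policy)'
                                  IncludesDlls = $false; AppliesToAdmins = $false; Rules = @() }
    }
    $root  = Get-ItemProperty -Path $SrpKey
    $level = if ($null -ne $root.DefaultLevel) { [int]$root.DefaultLevel } else { 262144 }
    # Path rules live under <level>\Paths\<guid>; the pattern is stored in ItemData
    $rules = foreach ($lvl in $Levels.Keys) {
        $paths = Join-Path $SrpKey "$lvl\Paths"
        if (Test-Path $paths) {
            foreach ($sub in Get-ChildItem -Path $paths) {
                [pscustomobject]@{ Level = $Levels[$lvl]
                                   Path  = (Get-ItemProperty -Path $sub.PSPath).ItemData }
            }
        }
    }
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $Levels[$level]
        IncludesDlls    = ([int]$root.TransparentEnabled -eq 2)   # 2 = DLLs too, 1 = exes only
        AppliesToAdmins = ([int]$root.PolicyScope -eq 0)          # 1 = local admins exempt
        Rules           = @($rules)
    }
}

function Get-AutorunStatus {
    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun on all of them.
    # A per-user value under HKCU can also exist; only the machine policy is checked here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{ Value = $val; AllDrivesDisabled = ($val -eq 0xFF) }
}

$srp = Get-SrpStatus
"SRP default level  : $($srp.DefaultLevel) (want Disallowed)"
"SRP covers DLLs    : $($srp.IncludesDlls)   applies to admins: $($srp.AppliesToAdmins)"
$srp.Rules | Format-Table Level, Path -AutoSize
$ar = Get-AutorunStatus
"AutoRun disabled on all drive types: $($ar.AllDrivesDisabled) (NoDriveTypeAutoRun=$($ar.Value))"
```

A machine set up the way Jack and Eric describe reports a Disallowed default level with Unrestricted rules only for the Windows and Program Files directories, and AutoRun disabled on all drive types.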

HJohn November 12, 2009 10:32 AM

@Jack: “AV is not THE solution. If AV coupled with a correctly set up Windows (not running in Admin and with Autorun permanently turned off), it can be as safe as many other OS, differs by only how elegant it handles privilege elevations and others.”

Good post.

I sort of view it like my wife’s cancer treatments. She is on medication to prevent/alleviate some of the side effects of the cancer. However, the medication is not a cure for cancer, and the cure for her cancer (surgery) does not protect her from the lingering effects of the illness.

This is really how I feel about AV. The computer should be locked down best it can be to mitigate the damage that can be done, be it viruses, zero day exploits, attackers, etc. However, just because a system is locked down doesn’t mean it is beyond damage, so deploying antivirus, antispyware, firewalls, patches, etc., are still sensible actions.

Also, considering the average user probably does not know how to do any one solution with expertise, layers of protection are more effective overall. For an expert, one or two solutions brilliantly configured may be great; however, for the average user, running several protections with mediocre or even default configuration may be more realistic.

Please note I’m not saying default and mediocre configurations are desirable, I’m saying we must consider the skill set of the users.

Andy Whittal November 14, 2009 11:27 AM

I somewhat agree with you considering the number of new viruses coming out daily. It is almost impossible to keep virus definitions updated to the minute and second. There is always a chance of picking up a new virus that your security cannot detect. But don’t you think that an average computer user should be educated not to download whatever comes across? I see so many people downloading those fish tank screen savers and downloading all sorts of funny executable files off the internet; for them the internet is a safe place where they can download anything without paying its price.
Until such novice computer users stop clicking “punch the monkey” and win free goodies, the virus creators won’t stop doing all the evil. If an average computer user becomes a little smarter, bad guys won’t find much success in all their evil doing. Just my opinion.
Andy.

Pierre April 29, 2010 7:20 AM

Even the venerable “The Economist” claimed recently that AV vendors are only exploiting end-users’ ignorance to sell their stuff (at a premium).

But, given the kind of people (no less than secret service agents) involved in the AV business, one might argue that the prospect of having a good excuse to index and scan people’s disks and call home daily (to get incremental updates) is not something that they want to stop doing any time soon.

Hence, maybe, the extraordinarily long life of this completely pointless “technology” created by another “security expert” (did you notice that Windows is the only virus playground?).

This is all about “business opportunities” my friends. Nothing else.

Jamie September 14, 2010 3:08 PM

Great article.
I’m one of those non-IT people, and after reading all the posts, I have just one question. If the IT people can’t decide, how can I decide? Can anyone recommend an AV software, or combination, to help protect us from the “bad guys” out there….

Karsten October 1, 2010 4:05 PM

Unfortunately, Antivirus is not dead, even with all its shortcomings.

As long as applications can use up 100% CPU time and eat away all of the available RAM, eventually forcing the machine (OS) into an unresponsive state and without the tools to monitor all activity and an application level based privilege system using certificates for all services offered by the OS, the need for blacklisting will continue to exist.

Whitelisting is a nice idea but it doesn’t work in many cases, and the “trusted” applications/files are still often vulnerable (like Acrobat Reader, Flash Player, MS Office…..). Microsoft improved the security of Windows greatly over the last years, but it’s no use if the rest of the market doesn’t react.

Also sorry for my English.
