Are you for/against AV software?

exampasser

I've questioned the effectiveness of antivirus programs for some time. I don't buy into the mentality that your computer will immediately become infected with malware if you don't run AV software. I've seen computers using AV software (predominantly Norton) that still end up becoming infected.

I have also had things happen to me such as certain AV software claiming that some of my programs were malware and automatically deleting them without my permission. My biggest issue with some products is that they often bog down some computers (mainly older p4 computers) to a crawl.

From my experience I have concluded that the best defense against malware is a knowledgeable user (with the help of Google). Common sense things such as safe web browsing habits, backing up important files (and even imaging your hard drive), and downloading security patches makes a big difference from what I have seen. If I am unsure of a website I often use a virtual machine to check it out just in case.

Knowing you computer well is another big one. On my older xp machine I stripped down alot of unnecessary processes that speed up my machine considerably but it also allow me to easily investigate any suspicious processes that were running in the background (I did find a spyware service and got rid of it.)

So are you for or against AV software or does it depend on the situation?

earweed

Depends upon the situation. I have AV software on my wifes computer because she has so much crap running and goes to so many questionable sites (anything that'll give her free games) and I don't have the time or want to constantly monitor her computer. Is the AV totally effective? no That's why I occasionally check it but I do know that it has probably saved me a lot of time by not having to check her PC as often.
I also have it on mine as I don't want to have to "do it all by hand" if I got infected. I recommend AV to anyone I know without it but also caution them about what kinds to get.

Zartanasaurus

I think a savvy IT user, who doesn't engage in high-risk internet behavior can avoid viruses for an indefinite amount of time. I can't remember the last time I got a virus alert that wasn't related to me downloading something I knew might be risky. Most people can't do that though, and it's nice to be able to insure against the long-tailed risk.

tiersten

For AV. Even if you're the safest and most knowledgable user in the world who only visits a specific set of reputable sites doesn't mean you shouldn't have an extra layer of protection.

High profile legitimate websites have been broken into and infected with malware. Retail hardware/software has come with malware before. Your friends may send you malware. You may hit a typo squatter site which has malware.

Having AV software doesn't mean you can browse and run whatever you want though. You still need to exercise a certain amount of common sense and safe practices when using a computer.

Don't use a bad AV package however :P

alan2308

It doesn't matter what web sites you do or don't go to if you bought one of those ipods with a prepackaged virus or a Sony music CD with a built in rootkit. These kind of things aren't that common, but they do happen. Does it really hurt to run AV software and run a spyware scan once in a while?

blargoe

I guess your argument would apply to .1% of computer users. The vast, vast majority of computer users are too stupid to understand good computing habits.

Selfmade

I came very close to saying that this is a stupid thread, but you gotta figure that the people who don't use AV keep us IT guys in business!!

So, shouldn't we be against it? lol

kidding, kidding!

dynamik

tiersten wrote: »

Even if you're the safest and most knowledgable user in the world who only visits a specific set of reputable sites doesn't mean you shouldn't have an extra layer of protection.

This advice can also be used as a metaphor for sexual relations. Tiersten, you are a fountain of wisdom.

Plantwiz

I agree on earweed's "It depends".

For a business who has an established "Acceptable use policy" on the books and an already busy IT team, it is a small cost of insurance to keep things running and monitored while the IT team is managing other aspects. Per node cost for 1 year is so low (less then $1 per week, per node) that one could figure the ROI on this for their specific environment, but user down-time costs the company quite a bit.

Even a small company with only 3-5 users...if one machine is infected and they need to call me, then not only are they out 'cleanup/disinfecting' time, but that employee's time (unless they have another workstation ready-to-use).

Still $15-50 per year per user is much less costly then 1-3 hours of onsite time of $100ish per hour.

tiersten

dynamik wrote: »

This advice can also be used as a metaphor for sexual relations. Tiersten, you are a fountain of wisdom.

Unfortunately you can't just wipe it clean and start over in that case *cough*

tpatt100

I really can't see how you can say safe browsing habits can reduce the need for AV. I mean do people have their registry memorized or something? How else you going to know you have something unless your thinking along the lines of viruses making it obvious you have one. I figure you need to monitor outbound connections 24/7 to see if malware is phoning home. Need to memorize your registry so you can tell if changes were made etc etc.

Even if you got a virus and have AV the AV let you know you had it where as without it the user would have no clue

Devilsbane

I'm quite fond of the new Norton 2010. Very lightweight and it gets the job done.

As far as should you use them? I think so. It doesn't guarentee protection, but it often helps. User common sense is the best antivirus. Clicking on all of those stupid ads and allowing software to install is the worst thing you can do, and there are a lot of people that do that.

wastedtime

If you want to operate in a secure computing environment you need to practice Defense in Depth. An AV product would fit into that idea by providing some prevention.

dynamik

tpatt100 wrote: »

I mean do people have their registry memorized or something?

regshot | Download regshot software for free at SourceForge.net

mikedisd2

To be honest I've never used an AV product at home since starting in 1994. I've haven't had any problems until last year when my wife clicked on the wrong link.

L0gicB0mb508

For it.

If you don't run AV how do you know you aren't actually infected? Are you checking your open ports, doing random packet caps from the machine, or using some type of HIPS? If not, you really have no idea whether there is a trojan or other type of nasty sitting on there. What about worms that scan for random machines?

Acceptable use policy also will not save you from a major virus outbreak on your network. Sure its a means to punish the end user, but it's not going to help you when you have 750 bots sitting on your network.

Devilsbane

L0gicB0mb508 wrote: »

If you don't run AV how do you know you aren't actually infected?

An excellent point.

But even if you do use an antivirus, how do you know that you're not infected?

L0gicB0mb508

Devilsbane wrote: »

An excellent point.

But even if you do use an antivirus, how do you know that you're not infected?

It's all about being proactive. AV is definitely not 100%, but its a pretty good starting point if you update regularly. There is always going to be something new and crazy, or something customized to the specific target, but the common stuff would be taken care of. I think you should be doing the packet caps, port scans, and so on just to be sure period. I do think not running AV at the enterprise level would be probably one of the worst ideas ever. It's also a bad idea at home, just for the fact that you are part of the problem. You are making an easy platform to compromise and attack other targets.

MentholMoose

Running a general purpose PC without AV is a lot of work. You have to be super diligent to make sure everything (OS, all apps) is fully patched immediately after the patches are made available. Otherwise it's just a matter of time before something gets exploited, and you're still not particularly safe due to 0day exploits. In any case, I like to have an extra layer there to save me from a reformat (I'll never trust a PC once it's been infected).

jojopramos

From a sys ad point of view, using AV is a very essential part in protecting our system/database/data's (in depth defense) and I'd better be spending money on AV's than putting my business computing/home computing at risk. Paranoia is good...

laidbackfreak

I think AV's are a dying beast. That's not say they dont serve a purpose but I think we will see a shift in tackling this viri\malware etc in the coming years.

L0gicB0mb508

laidbackfreak wrote: »

I think AV's are a dying beast. That's not say they dont serve a purpose but I think we will see a shift in tackling this viri\malware etc in the coming years.

I think we will change how the AV detects malware, but I think AV is here to stay really.

tpatt100

dynamik wrote: »

regshot | Download regshot software for free at SourceForge.net

Ok so your comparing your registry every time you use your PC? And what do you do if you notice an unauthorized change? Probably run an AV to remove it.

excalibur1814

Doesn't matter what AV a user uses as they will all let in the nasties.

If every user would at least change some of the Internet Explorer security settings the world would be a safer place. Heck, the Pop-up blocker is set to medium, which should be on High!


The biggest one of all: Everyone runs as admin.

At times I cry. At times I think it's pointless.

Oh well

tbgree00

I never used to use AV and haven't had an infection in as long as I remember. Then I got married and my wife took over my computers. She didn't feel safe using them because she thought her identity would be stolen at every click. It stopped after I installed AV and she uses it more than I do now. The mental effects of an AV program's icon in the system tray is worth the cost to most users. I use Microsoft Security Essentials so it's even a free solution.

I don't think that I would ever suggest a client run without AV and I have sold myself out of clients before when convincing them to buy the paid version of malware bytes. People aren't going to stop going to their favorite sites even if they are poisoned so they need some layer of protection.

earweed

I used to have a lot of people that needed virii cleaned from their computers. At the time the best free solution I knew of was Spybot Search and Destroy. It worked but sin't really set up for consumers to use, really. I'd then uninstall Spybot S&D and set them up with one of the free AV programs. I've been in contact with a few of these people (just checking, follow up) but haven't had to go back because of a virus.
My niece had downloaded one of those supposed free scan AV programs which immediately planted itself and would lock up her computer wanting her to buy the pro version. I couldn't uninstall it in programs and features (It wasn't Listed) but Spybot Search and Destroy detected it as Malware and took it off for me. I then instructed her on what kinds of free antivirus to use.

dynamik

tpatt100 wrote: »

Ok so your comparing your registry every time you use your PC? And what do you do if you notice an unauthorized change? Probably run an AV to remove it.

Wow, someone's touchy

I would do this: Introduction to Malware Analysis - Lenny Zeltser - Malware Tutorials on Vimeo

It's just fun to play around with; I wasn't advocating that as a corporate practice...

tpatt100

dynamik wrote: »

Wow, someone's touchy

I would do this: Introduction to Malware Analysis - Lenny Zeltser - Malware Tutorials on Vimeo

It's just fun to play around with; I wasn't advocating that as a corporate practice...

I wasnt being touchy lol. I mean if your doing it for fun/learning then yeah it makes sense. I kind of get a kick trying to remove malware from family members computers. I just see it as reactionary rather than being proactive.

subl1m1nal

I think running a computer without AV is like driving a car without insurance. You still might get in an accident, but the impact of a bad situation is less if you have insurance. 1 oz of prevention is 1 lb of cure.

Computer security, and network security in general needs to have a layered approach. Not only that, worms exist. What if network user B gets infected with a worm and it traverse's the network to find your machine? Bam, you're infected.

If you want a good test, load up a virtual machine and take a snapshot before loading AV and infecting yourself. Go to some known bad sites and infect yourself (google for these sites). Then, restore back to the snapshot, install some AV, and throw some more shitware at it. I bet you'll have an easier time removing it as some of the stuff will be blocked.

We have some older machines on our network. We were using Symantec products, but I wasn't happy with the performance I was having with some older P4 machines. We've switched to Vipre Enterprise and have had great success with it. Low footprint and catches just as well as SEP.

kriscamaro68

AV is definitely needed no matter who you are. Like others have said defense in depth is the best approach. From a business standpoint av is great cause it cuts down on the time it takes to have to fight the infection. When it comes to my home computers though if it gets infected and the av cleans it I still reformat cause once infected always infected to me. I also use a firewall and an IPS as well. Plus a lot of the computers are Mac's and we all know those don't get viruses.

bradtechonline

exampasser wrote: »

I've questioned the effectiveness of antivirus programs for some time. I don't buy into the mentality that your computer will immediately become infected with malware if you don't run AV software. I've seen computers using AV software (predominantly Norton) that still end up becoming infected.

I have also had things happen to me such as certain AV software claiming that some of my programs were malware and automatically deleting them without my permission. My biggest issue with some products is that they often bog down some computers (mainly older p4 computers) to a crawl.

From my experience I have concluded that the best defense against malware is a knowledgeable user (with the help of Google). Common sense things such as safe web browsing habits, backing up important files (and even imaging your hard drive), and downloading security patches makes a big difference from what I have seen. If I am unsure of a website I often use a virtual machine to check it out just in case.

Knowing you computer well is another big one. On my older xp machine I stripped down alot of unnecessary processes that speed up my machine considerably but it also allow me to easily investigate any suspicious processes that were running in the background (I did find a spyware service and got rid of it.)

So are you for or against AV software or does it depend on the situation?

I am totally for it. In a large scale environment you can see the good that an AV does especially if your IT does not have the political power in the organization to make users not plug in thumb drives, do not have web filtering, or a documented security policy signed off by the organizations legal staff.

In an ideal environment your WSUS is patching approved security patches, you got content filtering, All your users are running Limited User Accounts, you have up to date AVs on your clients/servers, Linux web servers etc are also being patched, VLAN segmentation.. The Internet is so dangerous anymore especially with b33f/metasploit and hooking browsers. I've had plenty of users on their lunch break go to legitimiate sites, and get a drive by. Outside of a Software Restriction Policy that thing is going to execute, and at least infect the user profile if it gets passed content filtering, or your AV. There's so much you have to do to keep your environment secure ranging from code review, network review, systems review, user training. AV's do fall in there and are very important IMO..