Are you for/against AV software?

in Off-Topic
I've questioned the effectiveness of antivirus programs for some time. I don't buy into the mentality that your computer will immediately become infected with malware if you don't run AV software. I've seen computers using AV software (predominantly Norton) that still end up becoming infected.
I have also had things happen to me such as certain AV software claiming that some of my programs were malware and automatically deleting them without my permission. My biggest issue with some products is that they often bog down some computers (mainly older p4 computers) to a crawl.
From my experience I have concluded that the best defense against malware is a knowledgeable user (with the help of Google). Common sense things such as safe web browsing habits, backing up important files (and even imaging your hard drive), and downloading security patches make a big difference from what I have seen. If I am unsure of a website I often use a virtual machine to check it out just in case.
Knowing your computer well is another big one. On my older XP machine I stripped down a lot of unnecessary processes, which sped up my machine considerably but also allowed me to easily investigate any suspicious processes that were running in the background (I did find a spyware service and got rid of it).
So are you for or against AV software or does it depend on the situation?
Comments
I also have it on mine as I don't want to have to "do it all by hand" if I got infected. I recommend AV to anyone I know without it but also caution them about what kinds to get.
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8%
High profile legitimate websites have been broken into and infected with malware. Retail hardware/software has come with malware before. Your friends may send you malware. You may hit a typo squatter site which has malware.
Having AV software doesn't mean you can browse and run whatever you want though. You still need to exercise a certain amount of common sense and safe practices when using a computer.
Don't use a bad AV package however :P
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
So, shouldn't we be against it? lol
kidding, kidding!
This advice can also be used as a metaphor for sexual relations. Tiersten, you are a fountain of wisdom.
For a business that has an established "Acceptable use policy" on the books and an already busy IT team, it is a small cost of insurance to keep things running and monitored while the IT team is managing other aspects. Per-node cost for 1 year is so low (less than $1 per week, per node) that one could figure the ROI on this for their specific environment, but user down-time costs the company quite a bit.
Even a small company with only 3-5 users...if one machine is infected and they need to call me, then not only are they out 'cleanup/disinfecting' time, but that employee's time (unless they have another workstation ready-to-use).
Still, $15-50 per year per user is much less costly than 1-3 hours of onsite time at $100ish per hour.
_____
"Grammar and spelling aren't everything, but this is a forum, not a chat room. You have plenty of time to spell out the word "you", and look just a little bit smarter." by Phaideaux
***I'll add you can Capitalize the word 'I' to show a little respect for yourself too.
'i' before 'e' except after 'c'.... weird?
Even if you got a virus and have AV, the AV lets you know you had it, whereas without it the user would have no clue.
As far as should you use them? I think so. It doesn't guarantee protection, but it often helps. User common sense is the best antivirus. Clicking on all of those stupid ads and allowing software to install is the worst thing you can do, and there are a lot of people that do that.
regshot | Download regshot software for free at SourceForge.net
If you don't run AV how do you know you aren't actually infected? Are you checking your open ports, doing random packet caps from the machine, or using some type of HIPS? If not, you really have no idea whether there is a trojan or other type of nasty sitting on there. What about worms that scan for random machines?
Acceptable use policy also will not save you from a major virus outbreak on your network. Sure, it's a means to punish the end user, but it's not going to help you when you have 750 bots sitting on your network.
An excellent point.
But even if you do use an antivirus, how do you know that you're not infected?
It's all about being proactive. AV is definitely not 100%, but it's a pretty good starting point if you update regularly. There is always going to be something new and crazy, or something customized to the specific target, but the common stuff would be taken care of. I think you should be doing the packet caps, port scans, and so on just to be sure, period. I do think not running AV at the enterprise level would be probably one of the worst ideas ever. It's also a bad idea at home, just for the fact that you are part of the problem. You are making an easy platform to compromise and attack other targets.
MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
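The question above ("how do you know you aren't actually infected? Are you checking your open ports...") and the earlier post about stripping a machine down so that suspicious background processes stand out both come down to the same technique: take a known-good baseline of the host and diff the current state against it, which is also what a registry-diff tool like regshot does for the registry. The script below is an added example for this thread, not code posted by any of the participants. It parses the row format of Windows `netstat -ano` (TCP rows carry a state column, UDP rows do not), keeps only listening sockets, and reports what appeared or vanished relative to a saved baseline. The two netstat captures are constructed for the example; the new listener on TCP 6667 and its PID are made up to give the diff something to find.

```python
"""Baseline-and-diff check for listening sockets (added example).

Parses the output format of Windows `netstat -ano`, keeps TCP LISTENING
and UDP sockets, and diffs a current capture against a saved baseline.
The captures below are constructed sample data, not real output.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str   # "TCP" or "UDP"
    addr: str    # local address as printed by netstat, e.g. "0.0.0.0" or "[::]"
    port: int
    pid: int


def parse_netstat(text: str) -> set[Listener]:
    """Return the set of listening sockets in a `netstat -ano` capture."""
    listeners: set[Listener] = set()
    for raw in text.splitlines():
        fields = raw.split()
        # Skip headers, blank lines and the "Active Connections" banner.
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0]
        if proto == "TCP":
            # TCP rows: proto, local, foreign, state, pid. Only LISTENING
            # rows are servers; ESTABLISHED/TIME_WAIT rows are ignored.
            if len(fields) != 5 or fields[3] != "LISTENING":
                continue
            pid = int(fields[4])
        else:
            # UDP rows have no state column: proto, local, foreign, pid.
            pid = int(fields[3])
        # rpartition handles both "0.0.0.0:135" and IPv6 "[::]:135".
        addr, _, port = fields[1].rpartition(":")
        listeners.add(Listener(proto, addr, int(port), pid))
    return listeners


def diff_listeners(baseline: set[Listener], current: set[Listener]):
    """Return (added, removed) listeners, keyed on (proto, addr, port).

    The PID is deliberately left out of the key: a service that restarts
    gets a new PID, and that alone should not raise an alert.
    """
    def key(l: Listener):
        return (l.proto, l.addr, l.port)

    base = {key(l): l for l in baseline}
    cur = {key(l): l for l in current}
    added = sorted((cur[k] for k in cur.keys() - base.keys()), key=key)
    removed = sorted((base[k] for k in base.keys() - cur.keys()), key=key)
    return added, removed


def snapshot_live() -> set[Listener]:
    """Take a live snapshot; Windows only, needs netstat -ano on PATH."""
    import subprocess
    out = subprocess.run(["netstat", "-ano"], capture_output=True,
                         text=True, check=True).stdout
    return parse_netstat(out)


# Constructed sample captures (not real machines).
BASELINE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1460
  TCP    192.168.1.10:3389      192.168.1.20:51822     ESTABLISHED     1132
  TCP    [::]:135               [::]:0                 LISTENING       876
  UDP    0.0.0.0:500            *:*                                    1224
"""

CURRENT_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3372
  TCP    192.168.1.10:3389      192.168.1.20:51822     ESTABLISHED     1132
  TCP    [::]:135               [::]:0                 LISTENING       876
  UDP    0.0.0.0:500            *:*                                    1224
"""

if __name__ == "__main__":
    added, removed = diff_listeners(parse_netstat(BASELINE_NETSTAT),
                                    parse_netstat(CURRENT_NETSTAT))
    for l in added:
        print(f"NEW listener: {l.proto} {l.addr}:{l.port} pid={l.pid}")
    for l in removed:
        print(f"GONE listener: {l.proto} {l.addr}:{l.port} (was pid={l.pid})")
```

On the sample data the script reports one new listener (TCP 6667, PID 3372) and one that disappeared (TCP 127.0.0.1:1025). In practice the baseline capture should be taken right after a clean build, before the machine touches user content, and a new listener is only a lead: map the PID to its image path and signer before deciding anything.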
I think we will change how the AV detects malware, but I think AV is here to stay really.
Ok, so you're comparing your registry every time you use your PC? And what do you do if you notice an unauthorized change? Probably run an AV to remove it.
If every user would at least change some of the Internet Explorer security settings the world would be a safer place. Heck, the Pop-up blocker is set to medium, which should be on High!
The biggest one of all: Everyone runs as admin.
At times I cry. At times I think it's pointless.
Oh well
I don't think that I would ever suggest a client run without AV and I have sold myself out of clients before when convincing them to buy the paid version of malware bytes. People aren't going to stop going to their favorite sites even if they are poisoned so they need some layer of protection.
My niece had downloaded one of those supposed free scan AV programs which immediately planted itself and would lock up her computer wanting her to buy the pro version. I couldn't uninstall it in programs and features (It wasn't Listed) but Spybot Search and Destroy detected it as Malware and took it off for me. I then instructed her on what kinds of free antivirus to use.
Wow, someone's touchy
I would do this: Introduction to Malware Analysis - Lenny Zeltser - Malware Tutorials on Vimeo
It's just fun to play around with; I wasn't advocating that as a corporate practice...
I wasn't being touchy lol. I mean if you're doing it for fun/learning then yeah it makes sense. I kind of get a kick trying to remove malware from family members' computers. I just see it as reactionary rather than being proactive.
Computer security, and network security in general, needs to have a layered approach. Not only that, worms exist. What if network user B gets infected with a worm and it traverses the network to find your machine? Bam, you're infected.
If you want a good test, load up a virtual machine and take a snapshot before loading AV and infecting yourself. Go to some known bad sites and infect yourself (google for these sites). Then, restore back to the snapshot, install some AV, and throw some more shitware at it. I bet you'll have an easier time removing it as some of the stuff will be blocked.
We have some older machines on our network. We were using Symantec products, but I wasn't happy with the performance I was having with some older P4 machines. We've switched to Vipre Enterprise and have had great success with it. Low footprint and catches just as well as SEP.
Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list
www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan
I am totally for it. In a large scale environment you can see the good that an AV does especially if your IT does not have the political power in the organization to make users not plug in thumb drives, do not have web filtering, or a documented security policy signed off by the organizations legal staff.
In an ideal environment your WSUS is patching approved security patches, you have content filtering, all your users are running Limited User Accounts, you have up-to-date AVs on your clients/servers, Linux web servers etc. are also being patched, VLAN segmentation... The Internet is so dangerous anymore, especially with BeEF/Metasploit and hooking browsers. I've had plenty of users on their lunch break go to legitimate sites and get a drive-by. Outside of a Software Restriction Policy that thing is going to execute, and at least infect the user profile, if it gets past content filtering or your AV. There's so much you have to do to keep your environment secure, ranging from code review, network review, systems review, user training. AVs do fall in there and are very important IMO.
CIW Database Specialist 1D0-541 90%
CIW Server Administrator 5%
CIW Inter-Networking Professional 5%
MCITP Pathway
c|EH