Are you for/against AV software?

  • excalibur1814 Member Posts: 82
    Plus a lot of the computers are Macs and we all know those don't get viruses. :)

    That kind of thinking may get a WHOLE lot of people in trouble one day

    Macintosh Security Site - Security for Mac Platform MacOS X Security Firewalls Desktop Network Security secure mac os x Virus Encrpytion PGP macosx



    :)
    Mooooo
  • rsutton Member Posts: 1,029
    My problem with AV is how people understand it, or fail to understand it.

    Oftentimes people have AV installed and assume they are immune to virii/malware. Will the choir please join me in saying that AV is only one layer out of many in the security game. I know I have personally had to explain this to management while they were yelling at me because they are paying for AV which should prevent the trojan downloader infection they got after opening an apparently harmless Hallmark card from a friend.

    Also, there isn't really a good reason to not use AV. There is AV out there with a much smaller footprint than Norton. Check out NOD32.
  • kriscamaro68 Member Posts: 1,186

    Ya I know. I laugh when I hear my wife, who is a Mac lover, say to everyone "I love the fact that Macs don't get viruses" then I chime in and say "Babe I have already told you that's a lie put out by the devil himself Mr. Jobs."
  • Devilsbane Member Posts: 4,214
    I think AV's are a dying beast. That's not to say they don't serve a purpose but I think we will see a shift in tackling this viri\malware etc in the coming years.
    I disagree with that. I think the market is just opening up. Two days ago I read about a lot of viruses hidden in blackberry games.

    Our phones are the new target, and next will probably be our cars. There are so many computer components in them these days.

    Decided to add more to my car concerns.
    How many of you have seen those programs that hijack your computer, and will only release it after you have paid them money? Those are bad enough. What happens when you get in your car in the morning and your stereo warns you that if you don't pay $100 your car will kill you?
    Decide what to be and go be it.
  • fly2dw Member Posts: 122
    I think AV's are a dying beast. That's not to say they don't serve a purpose but I think we will see a shift in tackling this viri\malware etc in the coming years.

    Maybe, however as the AV's change so too will the virus/malware.

    AV's are very important, just like firewalls. Practising safe browsing is good enough to keep away the obvious viruses that may hit you, but you may not know some of the other things happening in the background.

    Remember viruses are constantly evolving. This time tomorrow you may be hit with a virus that does not even need you to browse a web page. You just don't know.

    AV companies work with viruses every day, they may have time to react to new types of viruses a lot quicker than even the most competent users. They can put this in an update which will be distributed to the user of their products when they next update.

    I think it can very much depend on the AV you are using, some are better than others. However I agree with some of the other views on this thread, it is better to be safe than sorry. For the people who do not use AV's I am glad nothing has happened to you at the moment, but don't take that for granted.
  • JDMurray Admin Posts: 13,034
    For those that don't know about it, I'd like to mention the www.virustotal.com Web site. A business in Spain came up with a very clever idea to make multiple Malware scanning engines freely available online as a batch scanning service.

    You can upload files and see if any or all of the (at last count) 41 different scanners flag your file as known Malware. In many cases, the file you upload may already have been scanned (as indicated by its hash) and you can see the previously generated report.

    What is especially interesting is seeing what other scanners flag your file as Malware, but your own scanner missed. It can be very sobering, and has made me drop one free A/V scanner from my toolbox.

    As always, never upload any personal or business information to any Web site that you do not know and implicitly trust.
  • dynamik Banned Posts: 12,312
    JDMurray wrote: »
    It can be very sobering, and has made me drop one free A/V scanner from my toolbox.

    It's funny you mention that. I uploaded something out of my gmail spam folder the other day just for fun. Only 5/41 found something...
  • arwes Member Posts: 633
    We're pretty much forced to use AV software at my office. Before I came to work here, my boss listed every email address in the organization on our corporate website. I made him aware of crawlers, and he took it down but the damage was done. We use Appriver for our anti-spam, but occasionally viruses do slip through (the DHL/UPS "tracking" virus was one). When I last looked, less than 10% of the email sent to our organization is legitimate email.
    Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
    Working on: Waiting on the mailman to bring me a diploma
    What's left: Graduation!
  • JDMurray Admin Posts: 13,034
    dynamik wrote: »
    Only 5/41 found something...
    And those can either be false positives or overly-strict scanning parameters. I sometimes see 1/41 for these reasons. Try uploading nc.exe or vnc.exe and see what each of the scanners return. Every Anti-Malware vendor has a different opinion of good/bad/indifferent.
  • DevilWAH Member Posts: 2,997
    tbgree00 wrote: »
    She didn't feel safe using them because she thought her identity would be stolen at every click. It stopped after I installed AV and she uses it more than I do now. The mental effects of an AV program's icon in the system tray is worth the cost to most users. I use Microsoft Security Essentials so it's even a free solution.

    Although I would not run a general purpose PC without AV, one problem with it is that it makes people complacent.

    There are worms and suchlike that antivirus is good at stopping, things that don't require user intervention to infect PCs....

    The trouble is more and more malware relies on the user installing it, for the very purpose of bypassing the AV. Many users think that having antivirus software will protect them from anything so just click and install anything.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • colemic Member Posts: 1,569
    Plantwiz wrote: »
    I agree on earweed's "It depends".

    For a business who has an established "Acceptable use policy" on the books and an already busy IT team, it is a small cost of insurance to keep things running and monitored while the IT team is managing other aspects. Per node cost for 1 year is so low (less than $1 per week, per node) that one could figure the ROI on this for their specific environment, but user down-time costs the company quite a bit.

    Even a small company with only 3-5 users...if one machine is infected and they need to call me, then not only are they out 'cleanup/disinfecting' time, but that employee's time (unless they have another workstation ready-to-use).

    Still $15-50 per year per user is much less costly than 1-3 hours of onsite time of $100ish per hour.

    The cost for businesses that lose data due to malware is much, much higher - in 2008, it averaged $202 per RECORD lost. So when someone ganks your database, (from a business) you WILL pay for it... there are also legal requirements to protect data, with potentially hefty fines for not performing due diligence to protect PII.

    The cost of AV/malware detection is a pittance compared to what the cost would be for compromised information, from a business perspective.

    I realize that really isn't what the thread is about, but I wanted to point out the potential costs for not having AV protection (from viruses/malware designed to steal information.)

    Statistics | DataLossDB
    Working on: staying alive and staying employed
  • jovan88 Member Posts: 393
    anyone running av on a linux box?
  • JDMurray Admin Posts: 13,034
    jovan88 wrote: »
    anyone running av on a linux box?
    Clam AntiVirus
  • DevilWAH Member Posts: 2,997
    jovan88 wrote: »
    anyone running av on a linux box?

    Yep CLAM here too, in a production network you would be crazy not to...
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • dynamik Banned Posts: 12,312
    JDMurray wrote: »
    And those can either be false positives or overly-strict scanning parameters. I sometimes see 1/41 for these reasons. Try uploading nc.exe or vnc.exe and see what each of the scanners return. Every Anti-Malware vendor has a different opinion of good/bad/indifferent.

    Ah, no. It was malicious. No one is gratuitously sending me executable "adult movies." I really don't think that uploading popular "backdoors" (or whatever they classify netcat/vnc as) is a great way to measure AV's accuracy. I'm more interested in how well/quickly they detect new threats, and I really haven't been impressed. People put way too much stock in AV IMHO. I wouldn't recommend running without it, but people think they're much more protected than they are.
  • JDMurray Admin Posts: 13,034
    The recent breed of Malware with signature mutation engines is making signature-based A/V less effective than it was. On average, it takes three days for a zero-day Malware sample to be analyzed, identified, categorized, named, and pushed out in a signature definition update. This is a very ineffective process for Malware that can mutate its signature every hour or so. And mutation engines are available as kits, so any Malware writer can add this capability to his custom Malware arsenal.

    The solution? Use a HIDS with behavior-based anomaly detection next to your signature-based A/V scanner. I really like Blink from eEye Digital Security for a complete solution.
    dynamik wrote: »
    I really don't think that uploading popular "backdoors" (or whatever they classify netcat/vnc as) is a great way to measure AV's accuracy.
    I suggested this as an example of how different A/V vendors classify the same "Malware" sample, and not as a measure of accuracy.
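
Added example, not part of any post in this thread: a small Python sketch of the point made in the post above, that an exact-match signature stops matching once the file's bytes change while a behaviour rule still fires. The byte strings, event schema, process names and the fixed rule (a simplified stand-in for behaviour-based anomaly detection) are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for two builds of one program: same behaviour at run
# time, different filler bytes on disk (no real sample data is used).
BUILD_A = b"constructed-sample-body" + b"\x00" * 16
BUILD_B = b"constructed-sample-body" + b"\x41" * 16

# Signature set as it would look after only BUILD_A has been analysed.
SIGNATURES = {hashlib.sha256(BUILD_A).hexdigest(): "Constructed.Downloader.A"}

def signature_scan(data: bytes):
    """Exact-hash signature match: returns the detection name or None."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())

# Constructed host events in a hypothetical (pid, image, parent, action) schema.
EVENTS = [
    (101, "card_a.exe", "outlook.exe", "write_autorun_key"),
    (101, "card_a.exe", "outlook.exe", "net_connect"),
    (202, "card_b.exe", "outlook.exe", "write_autorun_key"),
    (202, "card_b.exe", "outlook.exe", "net_connect"),
    (303, "winword.exe", "outlook.exe", "file_read"),      # opening an attachment
    (404, "updater.exe", "services.exe", "net_connect"),   # routine update check
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SUSPICIOUS_COMBO = {"write_autorun_key", "net_connect"}

def behavior_scan(events):
    """Flag processes started by a mail client that both persist and call out."""
    seen = defaultdict(set)
    meta = {}
    for pid, image, parent, action in events:
        seen[pid].add(action)
        meta[pid] = (image, parent)
    return sorted(
        meta[pid][0]
        for pid, actions in seen.items()
        if meta[pid][1] in MAIL_CLIENTS and SUSPICIOUS_COMBO <= actions
    )

if __name__ == "__main__":
    print("signature, build A:", signature_scan(BUILD_A))
    print("signature, build B:", signature_scan(BUILD_B))
    print("behaviour rule flags:", behavior_scan(EVENTS))
```

The two benign processes in the constructed events are there to show what tuning means in practice: the rule has to be narrow enough not to flag an attachment viewer or an updater.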
  • dynamik Banned Posts: 12,312
    JDMurray wrote: »
    The solution? Use a HIDS with behavior-based anomaly detection next to your signature-based A/V scanner. I really like Blink from eEye Digital Security for a complete solution.

    Agreed. Unfortunately HIDS can be a major PITA to tune properly, especially across a large organization where business units perform diverse operations. I like eEye in general. If anyone's interested in playing around with an open-source HIDS, check out: Welcome to the Home of OSSEC
    JDMurray wrote: »
    I suggested this as an example of how different A/V vendors classify the same "Malware" sample, and not as a measure of accuracy.

    Dude, I get to experience that joy every time I download/update a tool...
  • Ahriakin Member Posts: 1,799
    I think a major source of disparity here is our definitions of AV software. Simple signature based file scanners on one end and advanced multi-point solutions on the other (download scanning, HIPS, System Integrity protection etc.). The former is definitely becoming outdated but many AV vendors are working to meet the challenge of blended threats. I'm a big Kaspersky fan, but only of their Internet Security Suite and not the vanilla AV, you need the full complement of components for it to be truly effective. They just added registry and system file integrity checking and roll back which is a great addition imho, besides anything else it shows they are advancing the role of the software to match current threats and not just bloating their signature engines (much akin to spinning your wheels in mud these days).
    Overall I'd say yes AV is still very much necessary, you just need to make sure to use a comprehensive package and also to tune it correctly for your system. However even for home users it is only one component of defense-in-depth and is not good enough on its own.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • JDMurray Admin Posts: 13,034
    Ahriakin wrote: »
    advanced multi-point solutions...
    The latest marketing buzzword for this is "Endpoint Security."