re: The efficacy of anti-virus

Jeff K. — Wed, 07 Jul 2010 16:32:36 GMT

Terry:

Depending on how we define the term "A/V software", I would heartily disagree that it is "an essential product." Pure A/V, intended to be faced only towards viruses, offers little in terms of benefits (as you well show) while demanding much in terms of resources. Norton/Symantec's antivirus product comes to mind. I used to work at a large University that had a site license for A/V, Client Security, and (eventually) whatever the newest catch-all offering was whose name I'm now drawing a blank on. When talking with end users, I would be frank about my opinion that I would rather have most viruses (*not* worms/trojans/rootkits) than I would have Symantec A/V installed on my system. Client Security offered A/V+firewall, so I pushed them towards that.

I started working at the University in 2006, having left my job to return to school and finish my degree, and at the time I was still running Win98 SE on my PIII 450 at home. I ran that machine as my exclusive home system until 2008, never had an issue even though I did not have any A/V installed. That's because you and Brian are absolutely correct, there is no substitute for "common" sense. Using it mitigates the need for A/V, and not using it mitigates the usefulness of A/V to the point of making the cost/benefit tradeoff of A/V a bad one. When I first supported user machines as a local/network/server admin (small company, I was the web guy) in 2001, half of them ran ME and all the users POPed their email, and I fought Gator like I was Steve Irwin. Those machines needed A/V. Now, with the introduction of XP SP2's firewall, mail being web access for most, and the enlightenment of users on dodgy shareware, pure A/V just requires too much. Any realtime protection that isn't a firewall (which should ideally be implemented elsewhere in the OSI, anyway) has to prove its worth via marginal protection added against marginal resource use. A/V doesn't, in my opinion.

What *is* needed, and what is installed on far too few machines, thanks to the brainwash of the A/V industry simultaneously convincing users that they *must* have A/V and that A/V is *all* they need, is proper malware software. A proper Ring-0 capable rootkit detector. Something to monitor attempted changes to startup items/scheduled tasks/helpers etc., vectors for the actual impact of malware to manifest. I personally have found that a combination of WinPatrol (automated monitor of key entry points), MBAM (without the protection module, just a weekly scheduled scan), RootkitUnhooker (one of maybe two rootkit detectors that can actually live up to its name and protect against serious rootkit methods), and Windows Firewall works for me. This is a system that doesn't solely rely on signature-based detection to succeed, which reliance causes the issues you note with A/V such as time lag for protection. Next to no resource suck, and best of all, it's 100% free.

re: The efficacy of anti-virus

tonyr — Tue, 29 Jun 2010 15:48:26 GMT

I think I've read this somewhere and its that the hackers just decompose the security fixes and then try to out race the update deployment. I think that ms should in cooperation with all the av vendors should put out the signature 1st then the security hotfix. Of course somehow the hackers would get that and decompose it ... oh well we are screwed..