Antivirus Software: evolve or die


phasechange
September 10th, 2006, 08:34 AM
http://www.infoworld.com/article/06/09/08/37OPsecadvise_1.html?source=rss&url=http://www.infoworld.com/article/06/09/08/37OPsecadvise_1.html

is an interesting opinion piece arguing that AV software must evolve or die. I agree but unlike the author believe it will.

Fairy

PS- wasn't sure if this was right place to post this. soz.

BlueZannetti
September 10th, 2006, 09:07 AM
fairyliquidizer,

This is the best location for this discussion. I'd certainly agree that some level of significant adaptation is needed. However, the following paragraph struck me:

-{ Quote: "The reality is that I deploy defenses that don't allow malicious code to get to their desktop. I convert all e-mail to plaintext; I block most file attachments and spam; I use perimeter and host-based firewalls. I keep my systems patched, and tightly controlled. I approve all software installs. I harden configurations. That's it. No secrets." }-

Spoken like an IT pro who seemingly can't step into the shoes of a casual user. Realistically, most users will read that as:

-{ Quote: "The reality is that I blah blah blah.........blah blah blah blah. That's it. No secrets." }-

This is where an even marginally appropriate AV or related package steps in. The blah blah... is preconfigured and automatically handled. There will always be a market for that, whether it is a pure defensive scanning/sieving approach or something a tad more sophisticated. The current problem is that most packages that strive to proactively address these newer levels of threats simply provide a cascade of user alert windows that, again, are blah blah... to most casual users. There are currently a couple of exceptions to this (Prevx and AntiExecutable spring to mind, but there are probably others I can't recall at the moment), but they are not the norm at the moment.

Blue

phasechange
September 10th, 2006, 09:32 AM
I agree with you 100%! I also agree with the author who hints that behaviour can reduce the risk of infection (as much as, if not more than, antivirus software). However, "Joe Public" doesn't know how to "harden configurations"; moreover, his article sends a message that almost says "you don't need antivirus", and that message is dangerous, as if you don't have the knowledge then you need the tools to protect you.

He also points out that he managed to spread an infection from a machine that is off-net onto his LAN. That goes to prove that we all make mistakes and therefore need AV software.

One interesting angle is that he highlights the need for firewalling by describing his own set up and I would argue that a firewall is more important than AV but the layered approach that the author uses is the best approach and without that layered approach his AV software would have been a lot busier.

It is this last point that he misses and those "not very tech literate" family members are all being protected by his "pro" setup. Joe Public typically isn't.

Fairy

steve1955
September 11th, 2006, 03:23 PM
He refers to the fact that most of the malware nowadays is going undetected, or is only detected by a few scanners at Jotti or VirusTotal. On initial release of new malware this has always been the case, due to the fact that AV vendors have to react and this takes time; in fact it is slightly better now, due to better heuristics, than it was in the past!

Straight Shooter
September 12th, 2006, 12:09 AM
I started another thread on this subject (BY MISTAKE) at the NOD32 Forum, and for that I apologize.. But since I'm here, the only conclusion I can come up with is the guy who wrote the article in question is either touting heuristics (which is fine by me...) or is killing time.. He does make a point about how virus writers may be using online scanners against the public. Wouldn't be the first time someone used something meant for good for evil instead...
On the other hand, if a 100% correct heuristics-only AV is ever created, that probably WOULD be the end of the antivirus.. LOL..

BTW, I am not implying any AV is better than the other.. Many AVs have their strong points..

Mele20
September 12th, 2006, 04:45 AM
Hi Jim..long time no see.

Seems to me the author was just touting Safe Computing. Note that he reads (and his teenagers also) all email in plain text and doesn't open attachments. That is part of Safe Computing. The other things he mentioned are also a part of safe computing.

I don't quite understand Blue's comment about users reading blah..blah..blah?

TOMxEU
September 12th, 2006, 05:07 AM
-{ Quote: "However "Joe Public" doesn't know how to "harden configurations" moreover his article sends a message that almost says "you don't need antivirus" and that message is dangerous as if you don't have the knowledge then you need the tools to protect you." }-
Good point. As long as "Joe" exists, anti-virus software will always be needed.
Recommending no AV is a bad idea; a user will find out himself when it is useless.

Although prevention is better protection than using AV, which can fail to stop infection.

Stefan Kurtzhals
September 12th, 2006, 05:24 AM
There is no 100% detection of unknown, new malware. This is simply impossible. If you can do that, you could write an algorithm to calculate the next lottery jackpot numbers too. ;-)

Let the malware authors use those online scanners to test their viruses - the samples will end up in the vlabs of the antivirus companies very fast. ;)

NAMOR
September 12th, 2006, 05:48 AM
-{ Quote: "Hi Jim..long time no see.

I don't quite understand Blue's comment about users reading blah..blah..blah?" }-


I think I do, take a look at all the security forums with HiJackThis logs posted. I think Blue is referring to these types of individuals which seem to be large in number.

BlueZannetti
September 12th, 2006, 06:42 AM
-{ Quote: "Hi Jim..long time no see.

Seems to me the author was just touting Safe Computing. Note that he reads (and his teenagers also) all email in plain text and doesn't open attachments. That is part of Safe Computing. The other things he mentioned are also a part of safe computing.

I don't quite understand Blue's comment about users reading blah..blah..blah?" }-

Mele20,

What's not to understand (ahh, there's irony there)....

My point is a simple one. The vast majority of users, i.e. the mass market which drives this industry, would have no idea of what to do after finishing reading that article.

Admonishing people to use safe computing? It's like telling someone to take care of themselves. It's not explicit, there's no explicit action to follow. It's not translated to a level that is accessible if you don't already hold the same view or possess the same experience base.

"I use perimeter and host-based firewalls." Please...., am I the only one who believes (based on experience, by the way) that this is speaking a foreign language to the only audience the piece should be directed to?

Security applications (AV/AT/AS and the rest) exist to assist users in dealing with malware. For the most part, a PC is a black box to these users. We all have black boxes in our lives, be they PCs, internal combustion engines, and so on. We don't want to deal with their inner workings; we want them to function in the context that we use them. Security applications take an unsafe black box and inject it with a modicum of security. They are not a panacea, and a user can overdo it, but in the meantime a user can be safe without coming to grips with the inner workings of a device that they generally don't want, or need, to know. These security applications are another level of black box. It would be nice if everyone could understand the inner workings of PCs, since their lack of understanding can often spill over the borders of their existence and impact the rest of us, but that's not about to happen.

PCs need to be safe and secure, delivered as a turnkey device. Currently, that is nothing more than a pipedream.

Blue