View Full Version : Antivirus is 'completely wasted money': Cisco CSO
Macstorm
May 22nd, 2008, 09:22 PM
-{ Quote: "Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don't work, according to Cisco's chief security officer John Stewart.
Speaking at the AusCERT 2008 conference in the Gold Coast yesterday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure.
"If patching and antivirus is where I spend my money, and I'm still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user's data and I still have to reinstall it, the entire cost equation of that is a waste.
"It's completely wasted money," Stewart told delegates.
He said infections have become so common that most companies have learned to live with them.
"There are too many companies in the world that actually believe infection is just a cost of doing business and are getting used to doing it — as opposed to stopping it completely. That's dangerous," he said.
A better way of dealing with the unknown is to use whitelists — where only authorised or approved software can execute, said Stewart.
"I'm sick of blacklisted stuff. I've got to go for whitelisted stuff — I know what that is because I put it there," he said.
Security software vendors did not agree.
Gavin Struthers, regional director for McAfee Australia and New Zealand, said that although installing antivirus and updating patches are not a perfect solution, they certainly aren't a waste.
"I disagree that it is a complete waste of money... Against today's sophisticated attacks, antivirus and patching won't stop these threats, so you need a layered approach and defence in depth," he told ZDNet.com.au.
Chris Thomas, technology specialist for CA's Internet Security business unit, said that antivirus alone did not provide enough protection.
"It's not a complete waste of money. If it's the only level of protection that someone has, it's probably not going to be enough. The arms race between the malware writers and antivirus researchers is a constant race," he said.
Thomas agreed, however, that whitelists are a good idea: "The way security is moving now is, as John Stewart said today, whitelisting, as in 'trust what you know', as opposed to the black list signatures."" }-
ZDNet Australia (http://www.zdnet.com.au/news/security/soa/Antivirus-is-completely-wasted-money-Cisco-CSO/0,130061744,339289122,00.htm)
AKAJohnDoe
May 22nd, 2008, 09:39 PM
-{ Quote: "A better way of dealing with the unknown is to use whitelists — where only authorised or approved software can execute" }-
Which is what any decent PC-based firewall does; however, by itself that will not prevent drive-by infections, although using Firefox with a script blocker can help in that regard.
ronjor
May 22nd, 2008, 09:42 PM
Excellent, provocative blog by Kurt Wismer: the anti-av revolt (http://anti-virus-rants.blogspot.com/2008/05/anti-av-revolt.html)
bigc73542
May 22nd, 2008, 10:32 PM
It goes to show that the av isn't dead at all. It is and always was meant to be run with other types of protection. And in that respect nothing has changed. Granted the malware is getting more difficult to manage but a good av product along with several other types of protection can still give good protection. We will just have to wait and see how this all plays out in the future.
bigc
lodore
May 23rd, 2008, 02:30 AM
Well, the AV industry aren't just gonna say yeah, antivirus is a wasted cost, because they don't want to go out of business.
That's why heuristics and proactive protection need to be improved in products,
which most antivirus companies are doing. I think most people will always use antivirus for part of their security. The challenge is adding proactive protection that doesn't confuse the user, because if the user gets loads of prompts and doesn't understand them and allows everything then it's 0 percent protection.
Try finding a product that can block all new malware, doesn't ask questions and never needs updating, no FPs. Yeah right, good luck lol.
EASTER
May 23rd, 2008, 02:54 AM
-{ Quote: "Well, the AV industry aren't just gonna say yeah, antivirus is a wasted cost, because they don't want to go out of business.
That's why heuristics and proactive protection need to be improved in products,
which most antivirus companies are doing. I think most people will always use antivirus for part of their security. The challenge is adding proactive protection that doesn't confuse the user, because if the user gets loads of prompts and doesn't understand them and allows everything then it's 0 percent protection.
Also businesses should have very locked down limited user accounts so that malware shouldn't be able to execute." }-
This is a hard one, because Microsoft deliberately left open myriad possibilities of disrupting potential from clever coders of malware & viruses, IMHO to create & expand business startups globally to cover for those limitations.
HIPS came along, AFAIK, and helped to offset a lot of missed opportunities where AVs took it hard on the chin with their missed coverage that couldn't possibly handle them all, at least not always in time enough to secure their customers from inevitable disruptions or worse.
The only safe protection to supplement such failings fell to image backup apps, IF users were up to speed enough to implement those emergency protections.
One thing I noticed over the years in my incognito infiltration of virus sites is that they worked intently on subverting AVs with great enthusiasm, all of them, as well as firewalls; but they never counted on the introduction of HIPS and behavioral blockers as well as virtual machines and sandboxes, and to this day they seem to still focus efforts on AVs. I read a lot of their experimentations on forming BOTS, but still these other innovations get in their way and there's little they can do about it really. Of course a backup image restore can go a long way in recovering, but can you imagine having to return again and again to forge another image restore because their AV has been bitten again and bypassed?
The best thing AVs have done is add these same type of proactive HIPS and not so much heuristics IMO, but this is not my expertise, only speculation on my part; it does seem to hold some truth against complete AV bypassing potential.
As far as money for licenses and that as concerns AVs, I think they already know it's a real threat to their overall bottom line, and it has encouraged AVs to add better alternatives than simply depending on blacklists alone, because it's just not always enough to keep their customers safe.
EASTER
tiagozt
May 23rd, 2008, 11:28 AM
Depending on what AV you choose, it's wasted money...
No AV is 100%, and some popular AVs (I won't say the names, to block discussions) are less than 10%, and it's wasted money if you buy them.
Ximi
May 23rd, 2008, 11:34 AM
I still can't seem to understand why HIPS is better than heuristics?
L815
May 23rd, 2008, 12:30 PM
-{ Quote: "I still can't seem to understand why HIPS is better than heuristics?" }-
An explanation for this would be appreciated :)
HURST
May 23rd, 2008, 12:38 PM
As far as I know (and PLEASE correct me if I'm wrong), the difference is that heuristics try to identify malicious patterns in the code of files. So theoretically no signatures are needed, because it can identify when a file does bad things. There are better and worse heuristics, and of course, as with signature based AVs, no heuristic can catch 100% of bad files.
HIPS on the other side are system monitors that keep track of everything that happens on the computer, good and bad things. If a program executes, HIPS will know; if a DLL loads, HIPS will know, etc... It then asks the user to allow or deny that action. Some malware can bypass HIPS (or claims that it can), but HIPS are stronger than heuristics. Their weakness is that they rely on user choices, and the user can make mistakes (deny good things and allow bad).
EDIT: more info on HIPS, here (http://wiki.castlecops.com/HIPS_FAQ)
-{ Quote: "What about heuristics offered by anti-virus, don't they offer pro-active protection?
A: Most of the heuristics used by anti-viruses are fairly effective in detecting variants of the same malware family. Using methods such as passive heuristics (analysis of code sections) and active heuristics (limited emulation of code within a virtual machine to reveal otherwise obscured logic such as packers), they can provide some protection against modified malware. However, none are fully reliable, particularly against completely new malware, simply because there are too many ways to obfuscate malicious code to avoid detection by heuristics, while other heuristics are too broad and generate too many false positives.
Note some AV companies talk about HIPS in their products, for example Sophos' Behavioral Genotype® Protection, but aren't really HIPS (except in the broad sense in which all AVs are host based) using our definition. They emulate the code, log its actions and decide if it is dangerous. Other examples are Bitdefender's HIVE, ESET's advanced heuristics etc. Malicious code is prevented from executing at all, whereas runtime HIPS can only interrupt code that has already partly executed. On the other hand, emulation has its limitations, e.g. anti-emulation tricks, memory requirements etc.
For the purposes of this document (also based on common usage), HIPS does not refer to using emulation to detect malicious code; we talk only about runtime HIPS (as defined above) where code actually runs (partly or fully) and is stopped midway. There are some antiviruses though that provide run-time HIPS-like functions; however, see next question.
" }-
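To make the heuristics-versus-HIPS distinction from HURST's post and the quoted FAQ concrete, here is an added toy model (not code from any product named in this thread). A static check inspects file bytes before anything runs, so it needs the suspicious strings to be visible on disk; a runtime HIPS judges each action as it happens and otherwise asks the user, which is also where the "user allows everything" failure mode lives. The content patterns, the packed-sample stand-in, the event stream and the two user callbacks are all constructed for the demo.

```python
"""Toy contrast between static heuristics and a runtime HIPS policy.

Added illustration for this thread, not code from any product named in it.
Patterns, samples, events and user callbacks are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Set

# --- Static heuristics: look at the file's bytes before anything runs ------
# Constructed stand-ins for "suspicious code sections" a passive heuristic
# might look for. The only point is that the pattern must be visible in the
# file as stored on disk.
HEURISTIC_PATTERNS = [
    re.compile(rb"CreateRemoteThread"),
    re.compile(rb"CurrentVersion\\Run\\"),   # autostart registry location
]


def heuristic_flags(content: bytes) -> bool:
    """True if any suspicious pattern is visible in the raw file bytes."""
    return any(p.search(content) for p in HEURISTIC_PATTERNS)


# Constructed sample whose strings are visible on disk ...
PLAIN_SAMPLE = (b"MZ...stub...CreateRemoteThread..."
                b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc")
# ... and a constructed stand-in for a packed copy of the same program: the
# strings only exist in memory once it has unpacked itself, so the static
# rules above see nothing useful.
PACKED_SAMPLE = b"MZ...stub..." + bytes(range(0x30, 0x70))


# --- Runtime HIPS: judge actions as they happen, ask the user otherwise ---
@dataclass
class Event:
    process: str
    action: str      # "exec", "load_dll", "reg_write"
    target: str


@dataclass
class Hips:
    trusted: Set[str]                     # processes whose actions pass silently
    ask_user: Callable[[Event], bool]     # prompt shown for everything else
    prompts: int = 0
    blocked: List[Event] = field(default_factory=list)

    def handle(self, ev: Event) -> bool:
        """Return True if the action may proceed, False if it is blocked."""
        if ev.process in self.trusted:
            return True
        self.prompts += 1
        allowed = self.ask_user(ev)
        if not allowed:
            self.blocked.append(ev)
        return allowed


# Constructed event stream: notepad runs, then the packed sample runs,
# loads a DLL and tries to register itself for autostart.
EVENTS = [
    Event("notepad.exe", "exec", r"C:\Windows\notepad.exe"),
    Event("packed.exe", "exec", r"C:\Users\demo\Downloads\packed.exe"),
    Event("packed.exe", "load_dll", r"C:\Users\demo\Downloads\helper.dll"),
    Event("packed.exe", "reg_write",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\packed"),
]


def careful_user(ev: Event) -> bool:
    """A user who denies any unknown program writing an autostart key."""
    return not (ev.action == "reg_write" and "CurrentVersion\\Run" in ev.target)


def click_through_user(ev: Event) -> bool:
    """The 'allows everything' user from the thread."""
    return True


def run_scenario(user: Callable[[Event], bool]) -> dict:
    """Run the constructed events through a HIPS driven by the given user."""
    hips = Hips(trusted={"notepad.exe"}, ask_user=user)
    allowed = [hips.handle(ev) for ev in EVENTS]
    return {
        "heuristic_plain": heuristic_flags(PLAIN_SAMPLE),
        "heuristic_packed": heuristic_flags(PACKED_SAMPLE),
        "prompts": hips.prompts,
        "autostart_blocked": any(ev.action == "reg_write" for ev in hips.blocked),
        "allowed": allowed,
    }


if __name__ == "__main__":
    for name, user in (("careful", careful_user), ("click-through", click_through_user)):
        print(name, run_scenario(user))
```

Both users get the same three prompts; only the careful one stops the autostart write, and neither static verdict changes between them. That is HURST's point in miniature: the runtime monitor sees the action regardless of how the file looks on disk, but its value is capped by the quality of the answers it gets.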
VikingStorm
May 23rd, 2008, 03:14 PM
I think the key word is "companies". To tell you the truth, I really can't think of a reason why a whitelist isn't better and cheaper for the majority of corporate machines.
C.S.J
May 23rd, 2008, 03:41 PM
These comments are absolute BS to me.
Myself, and thousands/millions? of others I'm sure, have been using computers for many years with only an antivirus with no problems.
Fact is, it's these people who are happy.... who don't speak up.
Only the complainers complain and question their products.
I'm not going to say it's a perfect solution, as there is always something out there on the WWW that can get past, however.... for protection, for home users, for the majority, an antivirus is a perfect and cost effective way of protecting their usage.
Stefan Kurtzhals
May 23rd, 2008, 03:58 PM
Whitelisting executables won't protect you from exploits in data files (PDF, Flash, QuickTime, Office) that don't drop files on the hard disc but directly execute in RAM. SQL/Slammer, anyone?
So as soon as you receive data files from the outside world, you are a potential target.
And company computers are a defined environment. The policy on which software is allowed can be very strict. It's easy to use whitelisting here. But that simply won't work with normal private users. They install new, unknown software all day, try new games, shareware and so on.
At the last VB, BIT9 (a company which does whitelisting) said they get 50.000.000 new clean executables per day or something like that. Have fun maintaining that database! And guess how BIT9 determines if those executables are really clean/safe or not? Yeah right, they scan with various virus scanners! DUH!
There are no simple solutions. And the malware industry will surely target and bypass everything if it's worth the effort - too much money is involved now. As said in this thread, you need multi-layered protection AND options in case your computers get infected anyway. There is no system that is 100% secure.
HyperFlow
May 23rd, 2008, 04:30 PM
AV may be very misleading for some... one AV company will call a virus sig one thing and the other AV company may classify it as malware, and some may not consider it a threat at all. In any case, by the time a sig is found, submitted and classified, lots of PCs have already been infected and will keep on doing what the bug was designed to do, because as we all know some AVs are good at finding bugs but cannot remove them, or they cannot find the bug but may be able to remove the infection. And then HIPS was found and does do a very good job (for the ones that know how to read and understand the alerts). The end result is the bug makers will win until there is some kind of set standard by all security companies to have a mainstream classification process and change with the times, which some say they are, but they are still using 80's techniques to catch 20+ years of refined and proven techniques of infecting a computer.
tiagozt
May 23rd, 2008, 04:48 PM
Simplifying... I understand that while a blacklist blocks what the user registers as "bad", the whitelist (HIPS) will block all but what the user classified as "not bad"... It's the reason why HIPS is better than heuristics... When heuristics doesn't detect something as "bad" it can still be bad... but when HIPS detects something as "not bad", supposing that the user knows what they are doing, it won't be bad... HIPS can be very boring sometimes...
Right?
Long View
May 23rd, 2008, 05:00 PM
-{ Quote: " HIPS can be very boring sometimes...
Right?" }-
Perhaps because there is little in the way of threats out there for those who take an interest in how their machines are set up ?
Like many others I "wasted" money on various AV programs in the 90's but not for a long time since.
ThePheonix
May 23rd, 2008, 05:05 PM
Many things can be a waste of money. However, if one gets enjoyment out of the product, then where is the waste? I personally only use freeware or programs I have received a free license for, and while I would never pay for any of them, I can certainly understand why many people do. They are simply fun to use.
ThePheonix always rises.
Huupi
May 23rd, 2008, 05:29 PM
-{ Quote: "Whitelisting executables won't protect you from exploits in data files (PDF, Flash, QuickTime, Office) that don't drop files on the hard disc but directly execute in RAM. SQL/Slammer, anyone?
" }-
So BOClean has its uses (blacklister); it's mainly a memory protector.
Diver
May 23rd, 2008, 06:17 PM
ronjor, thanks for that link.
Everyone, there have been a few days around here where I thought this forum was going downhill despite all the best efforts of the mods. This thread is a definite uptick.
I don't really know what to do myself. OS hardening has been my main strategy for several years. Things are really bad when you read that 500,000 sites have been compromised in an automated attack. The bad guys definitely seem ahead of the good guys.
HIPS can be effective, but only in the hands of an expert, IMO. Products for the non technical person that work are needed. What use is something that throws pop up warnings every day that Joe Sixpack does not know how to answer? At work it's worse, as they stop working and make a call to support which costs $'s.
Postscript: Diver is finishing up 2 weeks of scuba diving on Roatan in Honduras. It's just glorious. Everyone around here, get outside, ride a bike, walk, run, climb, swim, dive, sky dive or do something.
trjam
May 23rd, 2008, 07:11 PM
-{ Quote: "ronjor, thanks for that link.
Everyone, there have been a few days around here where I thought this forum was going downhill despite all the best efforts of the mods. This thread is a definite uptick.
I don't really know what to do myself. OS hardening has been my main strategy for several years. Things are really bad when you read that 500,000 sites have been compromised in an automated attack. The bad guys definitely seem ahead of the good guys.
HIPS can be effective, but only in the hands of an expert, IMO. Products for the non technical person that work are needed. What use is something that throws pop up warnings every day that Joe Sixpack does not know how to answer? At work it's worse, as they stop working and make a call to support which costs $'s.
Postscript: Diver is finishing up 2 weeks of scuba diving on Roatan in Honduras. It's just glorious. Everyone around here, get outside, ride a bike, walk, run, climb, swim, dive, sky dive or do something." }-
I hear you Diver. I think most vendors are trying, but it really is for now a lost cause. I just use Returnil and reboot once a day and pray for the best.
Enjoy your time. We are leaving tomorrow for a 2 day motorcycle ride of the Blue Ridge Parkway from Georgia to Virginia. Mine is ready to ride.
bellgamin
May 23rd, 2008, 09:43 PM
My daughter uses Avira Premium, and it has prevented 4 infected downloads in just the past 2 weeks. A complete waste of $$? NOT!
IMO, the Cisco Kid is full of it. IMO the Cisco CEO is another one of those folks who function as contrarians &/or make outlandish statements solely in order to draw attention to themselves.
subset
May 23rd, 2008, 10:12 PM
-{ Quote: "My daughter uses Avira Premium, and it has prevented 4 infected downloads in just the past 2 weeks. A complete waste of $$? NOT!" }-
Well, take a look at the Avira Support Forums, Viruses and other security risks.
http://forum.avira.com/wbb/index.php?page=Board&boardID=140
All well protected by Avira? Or not?
Solcroft pointed it out in this post: http://www.wilderssecurity.com/showpost.php?p=1229953&postcount=18
-{ Quote: "Relatively speaking, antivirus software have since fallen hopelessly behind other defensive measures. They're doomed to be forever inferior to sandboxes, HIPS, behavior blockers, access policies etc simply by the nature of how the technologies work. Antivirus software still have their role to play, but for those people who still cling to the archaic mindset that antivirus = protection, and no antivirus = no protection, you're missing out on the variety of possibilities beyond that very narrow and confined view." }-
And what else than "trust us" should these novice Security Suite vendors like Avira or ESET tell you, when they know that they have basically nothing else to offer than old-fashioned techniques?
Cheers
Saraceno
May 23rd, 2008, 11:13 PM
On first glance of topics on AV forums, it appears the AV products aren't detecting various malware, but most of the time when reading the threads, problems are solved through updates (24 hours later) or by simple methods such as running the scanner in safe mode.
I think Stefan raised a good point that even where white/blacklisting were being used, companies are still relying on anti-virus products to scan and determine whether programs/files are safe (to be white/blacklisted).
All that is happening is just a shift in view. From the view of AV products being a total and complete solution, towards the view that they're an effective part of the solution.
These programs have only just reached a point where many average users have finally found them easy to use. New products would have to be as easy to use before average users would trade up on their AV/security products. I don't see this happening in the near future. In my opinion it's taken about 15 years for the average/basic (mum/dad) computer user to now realise the benefits of having security products, to actually request it when purchasing a computer, and even start speaking about it ("the viruses picked up on the son/daughter's computer").
arran
May 23rd, 2008, 11:26 PM
I don't think AVs are a waste of money now. But later on, if this new shape shifting malware becomes the main problem of malware on the net, then yes, having AVs will become a waste of time,
because this shape shifting malware keeps on changing before AVs can release updates.
http://itnews.com.au/News/76128,shapeshifting-malware-hits-the-web.aspx
This is why I think later on HIPS with white lists will become more widely used.
Saraceno
May 23rd, 2008, 11:37 PM
I agree their approach needs to change to keep up with malware advances, but as the blog posted earlier stated, it will be up to the well known companies (McAfee/Symantec) to introduce the average user to new 'terms' and 'methods' being used.
EASTER
May 24th, 2008, 12:09 AM
The answer is simple for the home user. for corporate entities it's a lot more dicey.
A good Virtual System preceded by known image backups should keep the system honorable enough and keep at bay potential intrusions meant to disrupt or otherwise carry about their other motives which don't belong to them.
AV's are medium at best IMO at protecting, HIPS are even better but you must have someone at the helm at all times to make the decisions.
3xist
May 25th, 2008, 12:47 AM
I believe a Blacklisting & White listing approach (both in one AV product, or a HIPS, etc) would be a strong point of protection.
Some might have other ideas.
3xist.
Mrkvonic
May 25th, 2008, 02:38 AM
Hello,
AV reflects the reality of the past - that is the world is good and you have baddies here and there, so you blacklist them.
This is not effective.
The policy should be to whitelist only select applications / file types - and then, and only then, possibly use AV to scan TRUSTED files. No need to scan files you don't trust, right?
The implementation for closed-source programs is more difficult. So much simpler for open-source. But let's talk about closed source.
How can one make sure the user is safe using whitelisting, and we're talking people who have difficulty with double-click?
The answer is - impossible. The computer is not meant to be a fun tool, for all our attempts. A complete rewrite is required.
Still...
The closest to practical functionality approach ... Again, we are assuming some basic trust here.
1. Major vendor companies build a simple whitelist of the 80-90% most common apps. Realistically, a list of 100 apps would cut it for most people. Just think about it. This is the baseline.
2. The user then starts working, happy happy joy joy. And suddenly he feels an urge to install something.
3. When he tries to execute the file, he gets a prompt telling him his application is not whitelisted (trusted). He then has an option to install, whatever the consequence. Second option is not to install. Third option is to send a feedback about this application to a community based center.
4. At the community based center, worldwide volunteers and even professionals from different companies overview the reported application. Everyone does their share. Some people simply vote if the app is good or not based on their skills. Others might try this app on a test machine and report the results.
5. After a period of time, the user gets a feedback on his application and decides whether to trust the community report or not.
That's it.
Now, how to make this even more workable? Well, customizable whitelists for advanced users. A virtualization layer built-in into the OS which allows temporary installs before committing to real system.
Lastly, a simple "heuristic" AV (no signatures), which can be used to scan the community-approved apps, should the user decide that the report he's received from the community is not satisfactory.
Naturally, to make all this work, here are some additional tools:
1024-bit digital signature for the apps.
Built-in checksum utility that will check every community-based app.
Optional - some sort of CA, but this opens a lane to potential abuse.
This way, everyone wins - the AV vendors can continue developing their products, focusing on heuristics only instead of maintaining huge lists. The user has a centralized, community based repository that can help him decide if the app he wants to use is safe or not.
Think about it. You wanna install yrrs.exe. You send a report about it and then within a day or so, you get 500-1,000 votes for yes and no, with additional comments, ideas, reports etc. More than most people have today except the vendor's reassurance that their 5-star product is malware free.
Mrk
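As an added worked example of the five-step scheme in Mrkvonic's post above (not Mrkvonic's own code, nor any vendor's): a hash-based whitelist where the vendor baseline answers step 1, a prompt covers step 3, a vote list per hash covers step 4, and the decision is re-run for step 5. SHA-256 stands in for the "built-in checksum utility"; the digital-signature and CA parts are left out. The baseline apps, the unknown file bytes and the votes are all constructed.

```python
"""Hash-based application whitelist with a community report queue.

Added illustration of the five-step scheme from the post above; not the
code of anyone in this thread or of any product. Baseline, sample bytes
and votes are constructed. SHA-256 stands in for the checksum utility;
digital signatures and a CA are not modelled here.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Step 1: a small vendor-built baseline of common apps (constructed bytes).
BASELINE_APPS = {"editor.exe": b"constructed editor binary",
                 "browser.exe": b"constructed browser binary"}
BASELINE = {sha256_hex(b): name for name, b in BASELINE_APPS.items()}


@dataclass
class Whitelist:
    baseline: Dict[str, str]                                      # sha256 -> app name
    votes: Dict[str, List[bool]] = field(default_factory=dict)    # step 4: community verdicts
    reported: List[str] = field(default_factory=list)             # step 3: hashes sent in
    min_votes: int = 5            # votes required before a community verdict counts
    min_good_ratio: float = 0.8   # share of "good" votes required to trust

    def community_verdict(self, digest: str) -> Optional[bool]:
        """None until enough votes are in; otherwise True (trust) or False."""
        v = self.votes.get(digest, [])
        if len(v) < self.min_votes:
            return None
        return sum(v) / len(v) >= self.min_good_ratio

    def decide(self, data: bytes) -> str:
        """Return 'run', 'run-community' or 'prompt' for a file's bytes."""
        digest = sha256_hex(data)
        if digest in self.baseline:                 # step 1: known and trusted
            return "run"
        if self.community_verdict(digest) is True:  # step 5: feedback has arrived
            return "run-community"
        return "prompt"   # step 3: install anyway / don't / send a report

    def report(self, data: bytes) -> str:
        """Step 3, third option: send the file's hash to the community."""
        digest = sha256_hex(data)
        self.reported.append(digest)
        self.votes.setdefault(digest, [])
        return digest

    def vote(self, digest: str, is_good: bool) -> None:
        """Step 4: a volunteer records a verdict on a reported hash."""
        self.votes.setdefault(digest, []).append(is_good)


def walkthrough() -> dict:
    """Run the scheme end to end on constructed inputs and return outcomes."""
    wl = Whitelist(baseline=dict(BASELINE))
    unknown = b"constructed yrrs.exe bytes"
    out = {"baseline_app": wl.decide(BASELINE_APPS["editor.exe"]),
           "unknown_first": wl.decide(unknown)}
    digest = wl.report(unknown)
    for good in (True, True, True, True, False):   # 4 of 5 volunteers say it is fine
        wl.vote(digest, good)
    out["unknown_after_votes"] = wl.decide(unknown)
    # The checksum side: one changed byte is a different program, so the
    # community verdict does not carry over to it.
    out["tampered"] = wl.decide(unknown + b"!")
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The thresholds (five votes, 80% agreement) are the knobs a real scheme would argue about; the structural point is that trust is attached to the exact bytes, so a tampered copy falls back to the prompt rather than inheriting the verdict.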
Bluenile
May 25th, 2008, 05:29 AM
How come the likes of Avira and Kaspersky regularly score in the high 90% in AV-Comparatives if they're so useless?
Fuzzfas
May 25th, 2008, 06:28 AM
-{ Quote: "How come the likes of Avira and Kaspersky regularly score in the high 90% in AV-Comparatives if they're so useless?" }-
Right on! And not just 90%! In the Feb 2008 comparatives, almost every single AV scored over 95%, so I don't understand why people like this Cisco guy make such comments! Statistically speaking, getting really infected is highly improbable! With Avira you are 99.6% protected, so go figure!
http://www.av-comparatives.org
Honestly, myself, I can't understand why people are afraid of infections or why they torture themselves with HIPS and virtualization, when all you need to be almost 100% safe is a 1st tier AV.
Maybe Cisco is thinking of selling HIPS or behaviour blockers in the future, so they slander AVs? In the last years, there is an orchestrated attack on AVs by various circles, which coincides with the appearance on the market of "alternative" protection methods, which, CLEARLY, according to avcomparatives, are completely useless (especially if you have to pay for them). Yet, these new programs have to sell too. So they organize a slander campaign against AVs, claiming (hear, hear!) that AVs aren't competent enough to do their job! Yet, I challenge you to find many products in everyday life that can take pride in scoring 99.6% efficiency as many AV tests prove!
A good AV and a firewall is all you need. The rest is wasted money. Yeah, admitted, you can be that extremely unlucky guy that can encounter that 0.4% of undetected malware, but hey, you can be hit by a meteorite or space junk while walking too.
That Cisco guy has a hidden agenda, I'm sure. ;D
Heck, I don't have a 99.6% certainty that I won't get killed when driving, and yet some people complain about AVs because they only give you such a "low" percentage! :lurking: Unbelievable!
;D
LoneWolf
May 25th, 2008, 06:48 AM
-{ Quote: "Right on! And not just 90%! In the Feb 2008 comparatives, almost every single AV scored over 95%, so I don't understand why people like this Cisco guy make such comments! Statistically speaking, getting really infected is highly improbable! With Avira you are 99.6% protected, so go figure!
http://www.av-comparatives.org
Honestly, myself, I can't understand why people are afraid of infections or why they torture themselves with HIPS and virtualization, when all you need to be almost 100% safe is a 1st tier AV.
Maybe Cisco is thinking of selling HIPS or behaviour blockers in the future, so they slander AVs? In the last years, there is an orchestrated attack on AVs by various circles, which coincides with the appearance on the market of "alternative" protection methods, which, CLEARLY, according to avcomparatives, are completely useless (especially if you have to pay for them). Yet, these new programs have to sell too. So they organize a slander campaign against AVs, claiming (hear, hear!) that AVs aren't competent enough to do their job! Yet, I challenge you to find many products in everyday life that can take pride in scoring 99.6% efficiency as many AV tests prove!
A good AV and a firewall is all you need. The rest is wasted money. Yeah, admitted, you can be that extremely unlucky guy that can encounter that 0.4% of undetected malware, but hey, you can be hit by a meteorite or space junk while walking too.
That Cisco guy has a hidden agenda, I'm sure. ;D
Heck, I don't have a 99.6% certainty that I won't get killed when driving, and yet some people complain about AVs because they only give you such a "low" percentage! :lurking: Unbelievable!
;D" }-
No AV here and I feel quite secure. Even more so than when I ran an AV in real time. ;D
With what is in my sig and a weekly scan with DrWeb CureIt as well as Malwarebytes AntiMalware and maybe SAS, I do not worry. None has found anything with this setup anyway. The scans are for reassurance only.
I'm not saying that AV's are a complete waste of money for everyone.
But it would be for me. ;D
trjam
May 25th, 2008, 06:54 AM
I will say it they have become a total waste of frigging money.
Fuzzfas
May 25th, 2008, 06:57 AM
-{ Quote: "I will say it they have become a total waste of frigging money." }-
But,but,but... Don't you read AV tests on magazines and the internet? What more proof do you need that an AV is virtually perfect?!!
This is just a ploy to make you pay money for virtualization, HIPS and the like when the average Joe is pretty much invulnerable with just an AV.
:argh:
trjam
May 25th, 2008, 07:09 AM
I agree, but to a point. I would go so far as to say that with a little common sense, a weekly scan with CureIt would suffice with nothing else. Remember awhile back the dude who wrote about how he used Prevx :dry: and nothing else for a year, and never got infected. I bet that same "Joe" could have used SAS and gotten the same results based on his PC habits.
Fuzzfas
May 25th, 2008, 08:00 AM
-{ Quote: "I agree, but to a point. I would go so far as to say that with a little common sense, a weekly scan with CureIt would suffice with nothing else. Remember awhile back the dude who wrote about how he used Prevx :dry: and nothing else for a year, and never got infected. I bet that same "Joe" could have used SAS and gotten the same results based on his PC habits." }-
With common sense and safe surfing habits, one can take the risk to stay without AV too. But what I say is that AV tests prove that even an unsafe surfer is virtually invulnerable to malware when having a top tier AV. I mean, out of 100 viruses, his AV will catch 99! Most probably, in one year, one won't see 100 viruses at all. So, an AV is plenty for protection with a very high margin of safety.
:argh:
Thank God for the AV tests! Otherwise we would have to believe what a Cisco guy is saying. Ok, you may ask why so many people get actually infected everyday while running their super duper AV. Well, one CAN get unlucky and encounter that 0.4-1% that his AV will miss, but that's no argument against the AVs!
;D
subset
May 25th, 2008, 08:53 AM
-{ Quote: "Statistically speaking, getting really infected, is highly improbable! With Avira you are 99.6% protected, so go figure!
http://www.av-comparatives.org
" }-
First, only links to the main site of AV-C are working. :what:
Second, you deduce your statistical reflection from the wrong test.
AV real life protection has much more to do with AV-C's "Retrospective/ProActive Test" than with their "On-demand comparative" test.
Most malware doesn't bypass AVs because of their detection of yesterday's threats.
Most malware bypasses AVs because of their lack of detection of today's threats.
AVs blacklisting is always behind the threats by design.
Cheers
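Fuzzfas argues from a per-sample detection rate ("out of 100 viruses, his AV will catch 99"), and subset replies that the on-demand number is the wrong test because real-life exposure includes samples newer than the signatures. The added arithmetic below (not from AV-Comparatives or any vendor) shows how both points compound: a per-sample rate turns into a much smaller chance of getting through a year with no misses, and blending in a lower retrospective rate for the fraction of new samples drags the headline figure down further. Every rate, share and encounter count here is a constructed assumption chosen only to show the shape of the numbers.

```python
"""Per-encounter detection rate vs. chance of at least one miss.

Added arithmetic for the two posts above; not figures from AV-Comparatives
or any vendor. All rates, shares and encounter counts are constructed.
"""


def p_at_least_one_miss(detection_rate: float, encounters: int) -> float:
    """Probability that at least one of `encounters` independent samples
    gets past a scanner that catches each one with `detection_rate`."""
    return 1.0 - detection_rate ** encounters


def effective_rate(new_share: float, rate_old: float, rate_new: float) -> float:
    """Blend an on-demand rate (known samples) with a retrospective rate
    (samples newer than the signatures), weighted by how much of what the
    user actually meets is new."""
    return (1.0 - new_share) * rate_old + new_share * rate_new


def summary(rate_old: float = 0.996, rate_new: float = 0.5,
            new_share: float = 0.3, encounters: int = 100) -> dict:
    """Constructed scenario: the 99.6% on-demand figure from the thread,
    an assumed 50% retrospective rate on new samples, 30% of encounters
    being new, and 100 samples met in a year."""
    blended = effective_rate(new_share, rate_old, rate_new)
    return {
        "headline_rate": rate_old,
        "blended_rate": round(blended, 4),
        "p_miss_headline": round(p_at_least_one_miss(rate_old, encounters), 4),
        "p_miss_blended": round(p_at_least_one_miss(blended, encounters), 4),
        "expected_misses_blended": round(encounters * (1.0 - blended), 2),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k}: {v}")
```

Even taking the 99.6% at face value, one hundred independent encounters leave roughly a one-in-three chance of at least one miss; once a realistic share of new samples is scored at the retrospective rate instead, a miss within the year becomes near certain. The independence assumption is generous to the scanner (related samples tend to be missed together), so these are lower bounds on the risk, not upper ones.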
Fuzzfas
May 25th, 2008, 09:48 AM
-{ Quote: "First, only links to the main site of AV-C are working. :what:
Second, you deduce your statistical reflection from the wrong test.
AV real life protection has much more to do with AV-C's "Retrospective/ProActive Test" than with their "On-demand comparative" test.
Most malware doesn't bypass AVs because of their detection of yesterday's threats.
Most malware bypasses AVs because of their lack of detection of today's threats.
AVs blacklisting is always behind the threats by design.
Cheers" }-
Dear subset, my opinion on AVs is that they are full of holes and that AV tests are only good for marketing, promoting X or Y product according to certain interests. You can see this more clearly in the PC magazines, where each tends to have the same "top AVs" all the time over the years. I just couldn't resist using a subtle sarcasm when I read about AV tests as proof of why the Cisco guy is wrong.
I only run AV for placebo effects and because I like clicking on "update now". Most of the times I have encountered malware, my AV missed it. Same happens to a friend of mine who gets infected every month, no matter which AV he runs. I don't know if he encounters "zero day threats" all the time, or variants that the AV's heuristics don't recognize; fact is that in real life, the AV tests that are in magazines each month aren't worth the paper they are written on. At least for the customer, that is. Because for the vendors and the magazines they are worth $$$.
Last time he got infected, he phoned me because his PC was acting weirdly, and the 2 AVs didn't find it. It was ThreatFire that nailed it... I wonder, how many days after the infection are zero day threats still "zero-day"? Because he was having problems for about 2 weeks before phoning me. I guess in tests they use malware one year old, so all the fellas can get over 90% and can all be happy and make some $$$ and come back for the next happy testing.
;D
HURST
May 25th, 2008, 10:15 AM
I don't care about statistics. After seeing my previous AV (1st tier according to EVERY test out there and almost everybody around here) being bypassed more than once by malware, and cleaning completely hosed PCs from friends and relatives with (according to av-comparatives) ADVANCED or ADVANCED+ AVs, I decided that AV, indeed, was wasted money (at least for me).
Changed my approach, and now I live 100% clean, for (almost) free and my PC light as a feather!
I know that with 95+% it should be almost impossible to get infected, but I see it quite often...
Fuzzfas
May 25th, 2008, 10:19 AM
-{ Quote: "I don't care about statistics. After seeing my previous AV (1st tier according to EVERY test out there and almost everybody around here) being bypassed more than once by malware, and cleaning friends' and relatives' PCs with (according to av-comparatives) ADVANCED or ADVANCED+, that were completely hosed, I decided that AV, indeed, was wasted money. Changed my approach, and now I live 100% clean. (for free and my PC light as a feather)
I know that with 95+% it should be almost impossible to get infected, but I see it quite often..." }-
:thumb: I couldn't have said it better myself.
My first criterion nowadays for AV is for it to be light and free. Because it isn't worth either the CPU cycles or the money for a product that might have to kick in once a year for my habits, and most probably miss that one time too. ;D
denniz
May 25th, 2008, 10:30 AM
I don't understand why people keep expecting 100% protection from AVs... ::)
For the general public AVs certainly DO provide protection. But because it isn't 100% protection, it shouldn't be your only line of defense.
Also whitelisting doesn't provide 100% protection, because it's possible to whitelist malicious programs. This is even more true for people who are not computer techs, like grandma...
Virtualization also doesn't provide 100% protection, because if you visit your favorite malicious website while using a full virtual copy of your OS, keyloggers for example can still transmit passwords, and the keylogger will stay active until you restart your computer to close your virtual session.
HIPS, while very powerful, also require considerable computer knowledge to be certain what you can allow or should block. If grandma just clicks "allow" on every prompt she gets, then you might as well throw her computer out of the window, because HIPS isn't gonna protect her.
Saraceno
May 25th, 2008, 10:47 AM
Seems like the common theme is that nothing is perfect.
Recently, I found out a friend had been using his gf's laptop for over a year with no firewall, AV or anything else. I thought it was going to be a 'gold mine', so I ran prevx CSI, cureit, SAS, installed threatfire, ran the scanner...eventually found nothing. Not even a tracking cookie. He kept ThreatFire and the $10 I bet that his system was chock full of viruses and spyware.
While another friend didn't even know if she had any AV installed. :wacko: Now that one had every top ten threat installed. That was fun! :)
All depends on the user's behaviour (programs/games installed/file sharing) and browsing habits. Some people will most likely not need anything. Others need various layers of security.
ErikAlbert
May 25th, 2008, 11:14 AM
I don't use AV/AS/AT/AK/AR/...-scanners anymore as a daily protection.
After six months without them, I ran every big scanner as a test, they didn't detect anything, except f/p's like ShadowProtect, Anti-Executable and a few others.
It's very hard for a scanner to detect something in a clean system partition and that's what I have after each reboot.
I don't say my security is perfect yet, but I certainly have a perfect recovery solution (IB + ISR).
No malware is able to survive my recovery, not even the worst like Rustock.C, rootkits, Invisible Things and unborn malwares of the future.
I don't even backup/restore my actual system partition (Windows + Applications) anymore, because it might be infected due to failures of my security software. Instead of that I replace my old system partition with a new fresh upgraded system partition, much safer and less stupid. :)
RejZoR
May 25th, 2008, 11:19 AM
Antiviruses are for computers nothing else than what seatbelts, ABS and airbags are for a car. They provide protection but you CANNOT ever expect them to provide 100% protection. Even if all of them work perfectly fine you can still get killed in a car accident. Same goes for computers. Even if they work fine and are updated, something can get past their defenses.
denniz
May 25th, 2008, 11:30 AM
-{ Quote: "
It's very hard for a scanner to detect something in a clean system partition and that's what I have after each reboot.
" }-
-{ Quote: "
No malware is able to survive my recovery, not even the worst like Rustock.C, rootkits, Invisible Things and unborn malwares of the future.
" }-
-{ Quote: "
I don't even backup/restore my actual system partition (Windows + Applications) anymore, because it might be infected due to failures of my security softwares.
" }-
And that's kinda my problem with this kind of security: you can get infected with malware, but it's not going to survive after you reboot. But during your online sessions malware certainly can do their harm, maybe not in the sense of damaging your system, but more in the privacy section. What is going to stop malware transmitting all kinds of stuff over the internet? Your malware may be completely purged after you reboot... but what protects you between reboots?
trjam
May 25th, 2008, 11:38 AM
:thumbd: The same thing that protected me for 3 years between reboots and with using a scanner that never found anything. I mean, come on folks, in 3 years, one keylogger here. Can I get a two? Yep, one keylogger. So just what was my AV protecting me from, all 12 I went through? Nope, I will never buy that crap anymore. If you need something quicker before you reboot, use Sandboxie with Returnil, use SafeSpace by itself, but don't think an AV or a suite is going to safeguard your lockbox at your bank.
ErikAlbert
May 25th, 2008, 11:49 AM
-{ Quote: "And thats kinda my problem with this kind of security, you can get infected with malware, but it's not going to survive after you reboot. But during your online sessions malware certainly can do there harm, maybe not in the sense of damaging your system, but more in the privacy section. What is going to stop malware transmitting all kinds of stuff over the internet? Your malware may be completely purged after you reboot... but what protects you between reboots?" }-
I still use security software, just like anybody else, but no blacklist scanners anymore; I use a different type of security. Scanners require too much time to run and they are incomplete, unless you believe their message "0 threats found" to make you feel comfortable in your head. :)
BlueZannetti
May 25th, 2008, 11:52 AM
-{ Quote: "Instead of that I replace my old system partition with a new fresh upgraded system partition, much safer and less stupid. :)" }-Erik,
I'm going to have to take you to task here.
Guess what - approaches to security not based on an AV are not structurally "much safer and less stupid" as you explicitly state.
There are both smarter and less smart ways to employ an AV, as there are both smarter and less smart ways to employ a reboot/restore methodology. Your own posts here explicitly note a level of AV-based system scanning that certainly exceeds my own many fold over, despite your protestations of not relying on an AV. Spare me your "just making sure" protestations. The fact is, your scheme is not necessarily much safer. It can be under certain conditions, but many users don't meet those constraints. It can also be a lot less stable under some other circumstances.
There are lots of ways to achieve the same end. You choose to focus on the path, not the goal. Ultimately, that's a losing and naive focus.
As for the thread subject, we should probably reexamine what was originally said (emphasis added by me):-{ Quote: ""If patching and antivirus is where I spend my money, and I'm still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user's data and I still have to reinstall it, the entire cost equation of that is a waste.
"It's completely wasted money," Stewart told delegates." }-That's a pretty simple statement, with a very important "if" as the lead off.
It's not that AVs are a waste of money outright, but that if you employ any effort to achieve X and you don't achieve X, then what you are doing is not worth the effort (time/money). In the specific case considered - the corporate environment - an AV should be just one part of a much larger scheme to control machine and local network integrity. Casually looking at the effort expended to create a secure environment on the corporate network on which I sit, I don't even see where an AV dominates the total per seat cost when all factors are adequately included. Most large corporate groups will employ tightly defined user groups and software restriction policies to carry most of the task. If the application base becomes somewhat diverse, and in some corporate areas (R&D for example) this will happen by necessity, one can actually expend substantially more effort managing the application configuration and software policies than on corporate AV installations. It's almost as though the Cisco speaker assumed a homogeneous application base, which is generally most applicable to pure office communication centers. That misses a large fraction of the populace.
In a smaller organization which does not have a dedicated IT group, an OS level configuration approach might not work. However, one can readily appeal to approaches based on third party applications (AntiExecutable by Faronics would be an example) to accomplish close to the same end state without additional support required.
It was noted above that-{ Quote: "The policy should be to whitelist only select applications / file types - and then only then, possibly use AV to scan TRUSTED files. No need to scan files you don't trust right?" }-Operationally, users scan files to confirm trust in them. They really don't do it to scan files that are known to be trusted or untrusted (OK - I don't, and perhaps nobody else approaches it this way) except that it is oftentimes easier to scan everything.
If one does not employ a signature scanner as at least a rudimentary determinant of trust, precisely what do you folks do? Do you disassemble the executables?
Blue
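The contrast drawn in this thread between a blacklist scanner (which can only recognise samples its signature feed already knows) and a whitelist (which only allows what the administrator deliberately put there) can be made concrete with a small hash-based allow-list. The block below is an added example written for this page, not code from the thread or from any product mentioned in it; the "executables" are constructed byte strings, and the hash-based rule is an assumption modelled on how hash rules in a software restriction policy behave, not a reproduction of any vendor's implementation. It also shows the caveat raised later in the thread: a whitelist is only as good as what the user approves, and a trivially modified sample slips past a blacklist while a default-deny policy still stops it.

```python
import hashlib

# Constructed sample "executables" (not real programs), keyed by file name.
SAMPLE_FILES = {
    "notepad.exe": b"MZ\x90\x00approved-editor-build-1",
    "backup_agent.exe": b"MZ\x90\x00approved-backup-agent-2",
    "old_worm.exe": b"MZ\x90\x00known-bad-sample-from-yesterday",
    "new_dropper.exe": b"MZ\x90\x00never-seen-before-sample",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


class ExecutionPolicy:
    """Holds one blacklist (signature feed) and one whitelist (approved hashes).

    blacklist: hashes the signature feed knew about at its last update.
    whitelist: hashes the administrator explicitly approved.
    """

    def __init__(self, blacklist, whitelist):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)

    def blacklist_decision(self, data: bytes) -> str:
        # Signature scanner model: allow everything unless it is a known sample.
        return "block" if sha256_hex(data) in self.blacklist else "allow"

    def whitelist_decision(self, data: bytes) -> str:
        # Default-deny model: only run what was deliberately approved.
        return "allow" if sha256_hex(data) in self.whitelist else "block"

    def approve(self, data: bytes) -> None:
        # The human step every whitelist depends on; approving the wrong file
        # (denniz's point in the thread) makes the whitelist allow it.
        self.whitelist.add(sha256_hex(data))

    def add_signature(self, data: bytes) -> None:
        # The signature feed catching up after the sample is already out.
        self.blacklist.add(sha256_hex(data))

    def compare(self, files: dict) -> dict:
        """Return {name: (blacklist verdict, whitelist verdict)} for each file."""
        return {
            name: (self.blacklist_decision(d), self.whitelist_decision(d))
            for name, d in files.items()
        }


def build_policy() -> ExecutionPolicy:
    """Policy as of 'yesterday': the worm is known, the dropper is not."""
    return ExecutionPolicy(
        blacklist=[sha256_hex(SAMPLE_FILES["old_worm.exe"])],
        whitelist=[
            sha256_hex(SAMPLE_FILES["notepad.exe"]),
            sha256_hex(SAMPLE_FILES["backup_agent.exe"]),
        ],
    )


def tweaked_variant(data: bytes) -> bytes:
    """A one-byte change: same behaviour, different hash (signature miss)."""
    return data + b"\x00"


if __name__ == "__main__":
    policy = build_policy()
    for name, verdicts in policy.compare(SAMPLE_FILES).items():
        print(f"{name:18} blacklist={verdicts[0]:5} whitelist={verdicts[1]}")
    variant = tweaked_variant(SAMPLE_FILES["old_worm.exe"])
    print("tweaked worm      blacklist=%s whitelist=%s"
          % (policy.blacklist_decision(variant), policy.whitelist_decision(variant)))
```

Run stand-alone it prints one line per sample: the approved tools are allowed by both models, the known worm is blocked by both, and the never-seen dropper and the one-byte variant of the worm are allowed by the blacklist but blocked by the whitelist, which is exactly the "always behind by design" observation made earlier in the thread.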
denniz
May 25th, 2008, 11:56 AM
-{ Quote: ":thumbd: the same thing that protected me for 3 years between reboots and with using a scanner that never found anything. I mean, come on folks, in 3 years, one keylogger here. Can I get a two. Yep one keylogger. So just what was my AV protecting me from, all 12 I went through. Nope, I will never buy that crap anymore. If you need something quicker before you reboot, use Sandboxie with Returnil, use SafeSpace by itself, but dont think a AV or a suite is going to safe guard your lockbox at your bank." }-
Can you explain something to me?
Suppose I use Sandboxie; unknowingly I visit a malicious website which installs a keylogger. The keylogger is trapped in the sandbox, then using that same sandboxed browser with the trapped keylogger I didn't know about, I'm going to do some online shopping with my credit card. But since the keylogger is also still trapped in the same sandbox.... how safe am I from the keylogger still transmitting my credit card data back to the malicious website if I don't purge my sandbox first?
sukarof
May 25th, 2008, 11:56 AM
-{ Quote: "I don't use AV/AS/AT/AK/AR/...-scanners anymore as a daily protection.
" }-
That is a good setup as long as you don't change anything (install software for example). I am also one of them who doesn't care much about malware (using limited account and SRP) anymore. I feel I have the same security as you, not perfect but suitable for me. But I feel the only entry point is when I install software, and I do that a lot; that is one situation where an AV comes in handy. Maybe it doesn't find the zero day threats but the likelihood for me to encounter them is so small anyway so I don't care.
As denniz points out, your [theoretical] weakness, if you install and execute new stuff, is the time between reboots. But I guess you, like me (one who hasn't encountered malware for many years), make your calculations of the likelihood.
Fuzzfas
May 25th, 2008, 12:03 PM
-{ Quote: "Can you explain something to me?
Suppose I use Sandboxie, unknowingly I visit a malicious website which installs a keylogger. The keylogger is trapped in the sandbox, then using that same sandboxed browser with the trapped keylogger I didn't know about, I'm going to do some online shopping with my creditcard. But since the keylogger is also still trapped in the same sandbox.... how safe am I from the keylogger still transmitting my creditcard data back to the malicious website if I don't purge my sandbox first?" }-
It's simple. All you need is 5 seconds and common sense. You have sandboxie in "autodelete sandbox on exit". So, before doing anything important, like using a credit card, just close the browser, the sandbox will be automatically flushed, open the browser again, and you can be sure that the system is clean. It takes 5 seconds. On the other hand, if your AV has missed the keylogger (I know, highly unlikely, but let's say one in a million it happens :) ), there is nothing you can do that will make the transaction safe, other than praying that your AV has nailed every malware on your PC.
denniz
May 25th, 2008, 12:14 PM
-{ Quote: "It's simple. All you need is 5 seconds and common sense. You have sandboxie in "autodelete sandbox on exit". So, before doing anything important, like using credit card, just close the browser, the sandbox will be automatically flushed, open the browser again, and you can be sure that the system is clean.
" }-
I know this, but not all people have this kind of common sense. Let me tell you a short story that happened a couple of years ago... I got a very simple easy short assignment back then "write a short instruction sheet on how to put a video tape into the VCR recorder..." Because it seemed even in these modern times some people still had difficulties putting a video tape into the VCR recorder and press play... As long as these kind of people exist, there is no such thing as "All you need is 5 seconds and common sense". :P
Fuzzfas
May 25th, 2008, 12:18 PM
-{ Quote: "I know this, but not all people have this kind of common sense. Let me tell you a short story that happened a couple of years ago... I got a very simple easy short assignment back then "write a short instruction sheet on how to put a video tape into the VCR recorder..." Because it seemed even in these modern times some people still had difficulties putting a video tape into the VCR recorder and press play... As long as these kind of people exist, there is no such thing as "All you need is 5 seconds and common sense". :P" }-
I understand. Well, for such people that can't grasp the idea that "emptying the sandbox before doing something important" is good, what can I say... Give them an AV and pray for the best! ;D
ErikAlbert
May 25th, 2008, 12:53 PM
If I ever find a scanner, that finds something on my system/data partition, I will change my mind, until then I won't use them.
I've read too many posts, where users suddenly find a strange object on their system and start scanning their computer with any scanner they can get until it is removed. Of course, they don't talk about how much time they have spent on this single object, but I know from the past how much time it takes.
I don't have such objects on my system, because I remove any change and the damage it caused during reboot, including tried software with its malware.
They install a new legit software and somehow this software corrupts their system, they can't fix it, also the proposed solutions don't fix it, and the problem remains. I only have to reboot, problem fixed in 2 minutes. I get myself a cup of coffee, while this user is still working at his unsolved problem. That's the difference.
I'm not going to change anything, unless I have some decent proof that it doesn't work.
BlueZannetti
May 25th, 2008, 02:04 PM
-{ Quote: "If I ever find a scanner, that finds something on my system/data partition, I will change my mind, until then I won't use them." }-Let me simply note the obvious, this statement is internally inconsistent.
Blue
ErikAlbert
May 25th, 2008, 02:23 PM
-{ Quote: "Let me simply note the obvious, this statement is internally inconsistent.
Blue" }-
You are right, but that is not important for me.
1. If I use a frozen system and a security software FAILS it will be removed as a change during reboot.
2. If I use a normal system and a security software FAILS it will remain on my system even when I reboot.
I prefer the first option. :)
Mrkvonic
May 25th, 2008, 02:46 PM
Hello,
Blue, you asked about my strategies:
If I don't trust the file - it never gets run.
If I trust the file - say a download from a reputable source, at most I will check on a dedicated test machine or a virtual machine - NOT because the executable might be infected or such - but to see how it fits in the overall scheme of things.
If it's not an application (executable) but a pdf, doc, movie whatever from friends etc, I might be tempted to scan with AV, but rarely. Again, I'll most likely check this file in an alternative environment.
Sometimes, I'll open it using alternative means - doc via OpenOffice, pdf via Foxit or Sumatra etc. Maybe I'll use Linux. Maybe I'll use an application with reduced privileges.
If I fear something but MUST use the file on a production system, I'll make sure there's an image in place.
Sometimes, I won't check, if I really trust the sender and I know that he knows what he's doing - but there are maybe 2-3 such persons.
Finally, I might do an AV scan.
But it goes:
Trust barrier
Alternative system / machine
Alternative applications / reduced privileges / Linux
Good image in place
Only then blacklist scanners
Mrk
L815
May 26th, 2008, 12:07 AM
If we didn't need AVs we wouldn't have millions of users out in the world complaining of such problems...
Long View
May 26th, 2008, 12:58 PM
-{ Quote: "If we didn't need AVs we wouldn't have millions of users out in the world complaining of such problems..." }-
Sorry but which problems?
The problems caused by AVs or the problems caused by malware? And why do those with AVs have problems with malware and others without AVs do not?
Just for the record my problems (slow system) stopped the day I removed my last AV. Still waiting for the malware problem.:argh:
Inspector Clouseau
May 26th, 2008, 04:17 PM
-{ Quote: "Just for the record my problems ( slow system) stopped the day I removed my last AV." }-
OTOH when your AV uses all system resources then there's no memory left for malware to do nasty things ;D ;D ;D So even if it detects nothing by wasting system resources to the limit it protects you "somehow" :argh:
bellgamin
May 26th, 2008, 04:20 PM
-{ Quote: "No AV here and I feel quite secure." }-No offense but this statement infers a specious syllogism as follows...
Argument
Premise 1: I feel secure without an AV
(Presumption) Premise 2: The way that I feel must exist in actuality.
Conclusion: Therefore, an AV is unnecessary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Blacklist-based security programs are not a "waste of money" in that they force bad guys (a) to disguise old types of attacks, &/or (b) to try & develop new kinds of attacks.
Long View
May 26th, 2008, 06:41 PM
Ok bellgamin - I'll play.
I feel secure with no real time AV - because I haven't seen any bad stuff. How many years is enough? Or will someone still be saying in another 10 years -"It's only a matter of time"?
Seems to me that many AV users assume that they are virus free "Because" they run an AV....
Premise 1: I don't feel secure without an AV
I have never been contaminated
Premise 2: so it must be because I have an AV ---- I don't think so :dry:
bellgamin
May 26th, 2008, 07:21 PM
-{ Quote: "I feel secure with no real time AV - because I haven't seen any bad stuff. How many years is enough ? or will someone still be saying in another 10 years -"It's only a matter of time" ?" }-It's only a matter of time -- AND luck, AND personal practices.
-{ Quote: "Seems to me that many AV users assume that they are virus free "Because" they run an AV...." }-And some persist in assuming that an AV is useless BECAUSE they haven't been infected while NOT using an AV. To wit...
Premise 1: Fred has never been attacked by crocodiles while swimming in the YMCA swimming pool
Premise 2: Fred swims in the nude
Conclusion: Swimming nude protects against crocodile attacks.
Macstorm
May 26th, 2008, 07:34 PM
-{ Quote: "And some persist in assuming that an AV is useless BECAUSE they haven't been infected while NOT using an AV. To wit...
Premise 1: Fred has never been attacked by crocodiles while swimming in the YMCA swimming pool
Premise 2: Fred swims in the nude
Conclusion: Swimming nude protects against crocodile attacks." }-
he he :thumb:
Long View
May 26th, 2008, 07:57 PM
-{ Quote: "
Premise 1: Fred has never been attacked by crocodiles while swimming in the YMCA swimming pool
Premise 2: Fred swims in the nude
Conclusion: Swimming nude protects against crocodile attacks." }-
Does anyone know the correct term for making a false claim on behalf of a debating opponent? It is usually covered in philosophy 101 but I'll be damned if I can remember the term. Anyway you have given an excellent example. Premise 1 is fine. Premise 2 is fine. The conclusion, although funny, is not the point being made by your opponents - and we both know it. Perhaps a more appropriate conclusion would be: swimming nude in a YMCA swimming pool can be done safely without the need to carry a whaling harpoon.
BlueZannetti
May 26th, 2008, 09:28 PM
-{ Quote: "Does anyone know the correct term for making a false claim on behalf of a debating opponent ?" }-Ummm, the example isn't really that (which is to set up a straw man argument). Rather, it is a general example of false analogy (http://en.wikipedia.org/wiki/False_analogy)...., for the logically inclined.
Blue
Diver
May 26th, 2008, 09:51 PM
1. I am going to start swimming in the nude.
2. By that time, I won't care about computer security.
Heck, AVs are not a complete waste of money, but they sure do not provide the degree of protection that they used to, with malware authors tweaking their wares daily to avoid detection at 0 day, and using rootkits to hide thereafter. Around when this started to happen with great frequency, Bruce Schneier wrote a post that AVs from the big three vendors were the ones most likely to suffer from this sort of tactic. I mention this from time to time, but no one believes me.
The same solutions keep getting mentioned:
White listing - not perfect as stated above. AVs are used to compile the white list, not to mention the problem of keeping up with software releases. Wars have been fought over less significant issues.
HIPS - Fine, but for experts only. There is no way to give one of these to a secretary.
Behavior based detection - There is a lot of potential here, but the present selection of products is a bit crude. All of the ones I have tried have significant measurable overhead. There seems to be no effective testing of these products, and whether they stop infection or simply warn after the fact (like a 2 way firewall) is an open question.
Heuristic signature analysis - So far this tool has reached the point where it is effective more often than not with a handful of AV vendors. The downside is more false alarms.
OS hardening - It's built into Vista, but MS did an awful job with UAC. You can do it with XP; it requires some expertise to set up, but is secretary safe.
Perhaps I should just dive in the nude, or run AV scans...
BlueZannetti
May 26th, 2008, 10:01 PM
-{ Quote: "Heck, AV's are not a complete waste of money, but they sure do not provide the degree of protection that they used to with malware authors tweaking their wares daily to avoid detection at 0 day, and using rootkits to hide thereafter.
...
OS hardening - Its built into Vista, but MS did an awful job with UAC. You can do it with XP, it requires some expertise to set up, but is secretary safe." }-These two points are why I tend to view a simple AV and LUA/SuRun is a pretty decent compromise. Not perfect by any means, but very suitable if an AV or suite tends to be on the lean side.
-{ Quote: "Perhaps I should just dive in the nude, or run AV scans..." }-just don't feel compelled to try the other permutations.... :)
Blue
LoneWolf
May 26th, 2008, 10:23 PM
-{ Quote: "No AV here and I feel quite secure. Even more so than when I ran an AV in real time. ;D
With what is in my sig and a weekly scan with DrWeb CureIt as well as Malwarebytes AntiMalware and maybe SAS I do not worry. None has found anything with this setup anyway. The scans are for reassurance only.
I'm not saying that AV's are a complete waste of money for everyone.
But it would be for me. ;D" }-
-{ Quote: "No offense but this statement infers a specious syllogism as follow...
Argument
Premise 1: I feel secure without an AV
(Presumption) Premise 2: The way that I feel must exist in actuality.
Conclusion: Therefore, an AV is unnecessary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Blacklist-based security programs are not a "waste of money" in that they force bad guys (a) to disguise old types of attacks, &/or (b) to try & develop new kinds of attacks." }-
Hi bellgamin
Please point out where in my earlier post I stated that Blacklist-based security programs are a waste of money.
You may feel that an AV running real time is necessary and that's fine.
I on the other hand feel that I do not.
I have other measures in place to protect myself well instead of the traditional AV you feel is a must.
I still use black list scanners once a week which find nothing.
Just lucky......maybe.
I guess I'll find out.
bellgamin
May 27th, 2008, 12:49 AM
-{ Quote: "
Please point out where in my earlier post I stated that Blacklist-based security programs are a waste of money." }-I never said you did. Please notice the squiggly line ~~~. To all us Klingons, ~~~ means "I am switching gears. New topic."
-{ Quote: "LUA/SuRun is a pretty decent compromise." }-What is "SuRun"
"Lua" -- Hawaiian word for toilet. As to Lua in the computer sense of the word -- Online Armor had a great idea when they introduced "Run safer" to their HIPS. I hope that other HIPS shall follow suit. Right now I use "Drop My Rights" which isn't nearly so convenient to use as is OA's "Run safer."
-{ Quote: "HIPS - Fine, but for experts only." }-Exception: Threatfire. Set it at level 2 & (99%) forget it.
P.S. My 9-year-old granddaughter is quite proficient with classical HIPS of all flavors. But then, she often beats me at chess, too.
WSFuser
May 27th, 2008, 12:55 AM
@bellgamin - see this thread for SuRun (http://www.wilderssecurity.com/showthread.php?t=196737).
As for ThreatFire, doesn't it fit better as a behavior blocker? Also if you wanted to use ThreatFire as a HIPS, you would increase the level (to 4 or 5).
And btw, I think it is fairly set and forget at its default level (3).
LoneWolf
May 27th, 2008, 04:57 AM
bellgamin, just a correction....... In your post #69 at the bottom you quoted what Diver said in post #66.....not me.
Diver
May 27th, 2008, 08:30 AM
OS Hardening: LUA/Software restriction policy/SuRun, DEP on for all programs/unnecessary network oriented services disabled.
If you run LUA, SuRun is definitely the easiest way to temporarily elevate to administrative privileges.
ErikAlbert
May 27th, 2008, 09:13 AM
One hit of a rootkit that infects your hardware components is enough to keep your computer infected forever. :)
Long View
May 27th, 2008, 09:26 AM
-{ Quote: "One hit of a rootkit that infects your hardware components is enough to keep your computer infected forever. :)" }-
I have read science fiction but didn't realize that software could infect hardware in the real world. Infected forever? Firmware can be changed, drives formatted or "zeroed", so forever?
Inspector Clouseau
May 27th, 2008, 09:29 AM
-{ Quote: "One hit of a rootkit that infects your hardware components is enough to keep your computer infected forever. :)" }-
LOL. oh my gosh.
Kyle1420
May 27th, 2008, 10:27 AM
-{ Quote: "
Thank God for the AV tests! Otherwise we would have to believe what a Cisco guy is saying. Ok, you may ask why so many people get actually infected everyday while running their super duper AV. Well, one CAN get unlucky and encounter that 0.4-1% that his AV will miss, but that's no argument against the AVs!
;D" }-
They are only testing known malware. So that 99.*% is only measuring the known files. In reality you can only guess how much of the unknown malware your AV is detecting. I myself do not use an AV.
Bunkhouse Buck
May 27th, 2008, 10:34 AM
-{ Quote: "LOL. oh my gosh." }-
I have said many times this forum is a case study for paranoia.
Fuzzfas
May 27th, 2008, 11:02 AM
-{ Quote: "They are only testing known malware. so that 99.*% is only measuring the known files. In reality you can only guess how much your AV is detecting of unknown malware. I myself do not use an AV" }-
Dear friend, you are right. I was being sarcastic actually (if you read further down, you will understand).
AVs are probably the only "dumb" solution for non tech users. For most Wilders members, they won't ever find anything, so they are wasted money indeed. Or even if they could find something, probably one of the dozen other layers that every Wilders member has will stop it before the AV will. ;D ;D
I will stay with Twister as long as it is stable for my system. I don't care if it would be like a placebo AV in real life, because I don't encounter malware without me willing to, or without me suspecting something I downloaded was malware. So, as far as AVs are concerned, I did waste 25 euros, but at least not for a resource hog or for just a year.
ErikAlbert
May 27th, 2008, 11:10 AM
-{ Quote: "I have read science fiction but didn't realize that software could infect hardware in the real world. Infected for ever ? firmware can be changed, drives formated or "zeroed" so for ever ?" }-
Yes, motherboard, VGA card, ... can be replaced, quite an expensive scanner. ;D
Kyle1420
May 27th, 2008, 11:22 AM
-{ Quote: "Dear friend, you are right. I was being sarcastic actually (if you read further down, you will understand).
AVs are probably the only "dumb" solution for non tech users. For most Wilders members, they won't ever find anything, so they are wasted money in deed. Or even if they could find something, probably one of the dozen other layers that every Wilders member has, will stop it before the AV will. ;D ;D
" }-
Hey FuzzFas :), Yeah I agree, Av's are a good BACKUP.
Looking at most of these signatures and reading what some wilders members are using is shocking.. What must they be doing to need so much real time and on demand protection.. They change their security apps like they do their underwear.. or perhaps even more so ;D. Quite simply put, if you use common sense you'll be far better off.
I like to use HIPS since it gives me control over what goes on rather than relying on the roll of a dice which AVs provide.
Saraceno
May 27th, 2008, 11:23 AM
-{ Quote: "One hit of a rootkit that infects your hardware components is enough to keep your computer infected forever. :)" }-
Line of the week! ;D
I know overheat protection is a built-in feature nowadays, but what happened to those viruses from the 'ye-old' days that would hammer away at my speedy Amstrad's floppy drive until it would burn out?
Were there any that burned out cd/dvd drives? :P
Fuzzfas
May 27th, 2008, 11:36 AM
-{ Quote: "Hey FuzzFas :), Yeah I agree, AVs are a good BACKUP.
Looking at most of these signatures and reading what some Wilders members are using is shocking.. What must they be doing to need so much real-time and on-demand protection.. " }-
Oh, don't worry. They don't actually NEED so much protection. Some are hobbyists, some are victims of the paranoia that has at some point come to most of us (including me) when reading everyday about rootkits, keyloggers, Houdini-like intrusions etc. ;D
-{ Quote: "They change their security apps like they do their underwear.. or perhaps even more so ;D." }-
LOL! Yeah, I am in that category too, trying to stop though. Trying security apps and combinations is a sort of fun for perverted Wilders members. I have changed firewall more than 3 times in a week in the last period. ;D
-{ Quote: "Quite simply put, if you use common sense you'll be far better off. " }-
Yes. Between someone who practices safe hex without AV and one that is a risky user with an AV, the first user wins. Having an AV IS useful for the safe user too (even for mere psychological reasons), but in my case, I am not willing to accept a slowdown in my system just to run an AV that won't find anything anyway 99% of the time.
-{ Quote: "
I like to use HIPS since it gives me control over what goes on rather than relying on the roll of a dice which AVs provide. " }-
HIPS is more secure than AV, that's for sure. I like HIPS too, but at some point I also get a bit tired of popups, so I change security setup (see hobbyist comment :) ).
I think for a user "educated" about the risks, attack vectors etc., paying 50 euros a year for an AV *is* a waste of money (and eventually system resources too). I would stick with a free AV just for placebo or try to find an economic solution in the worst case.
tbay2athome
May 27th, 2008, 01:36 PM
I think the comments of "Fuzzfas" are right on the money.
The regular readers/contributors here are probably amongst the least likely to get infected with malware.
I also think that after you read threads on antimalware you realize how difficult it is to decide which products are "best". There are some good tests comparing AVs but even then people argue about the testing methodology. It also does me little good if a test says it caught 95% of the malware, yet I have no clue what's in the 5% that got missed. Can you imagine if Consumer Reports said a car did well in 95% of its tests and yet they didn't expand on that? Gee, what did it not do well on, the entertainment system or the braking system?
As problematic as the AV tests are, once you try to find information on Antispyware and the like you're usually reduced to internet anecdotes and a few skimpy magazine articles.
Hopefully someday there will be more transparency and it will be easier to decide what is and isn't good security software.
End of rant :-)
ErikAlbert
May 28th, 2008, 12:53 PM
-{ Quote: "It also does me little good if a test says it caught 95% of the malware, yet I have no clue what's in the 5% that got missed." }-
I remove the remaining 5% also, that doesn't worry me. I'm more worried about malware that isn't on my HDD, but somewhere else in my computer.
Mrkvonic
May 28th, 2008, 01:37 PM
Hello,
Erik, the only place left is in the head.
Relax, enjoy the world.
Mrk
kinwolf
May 28th, 2008, 01:54 PM
-{ Quote: "Hello,
Erik, the only place left is in the head.
Relax, enjoy the world.
Mrk" }-
Until the coming of nanobots :P
EraserHW
June 23rd, 2008, 06:41 PM
-{ Quote: "One hit of a rootkit that infects your hardware components is enough to keep your computer infected forever. :)" }-
That's sadly true :( Don't know if you've already analyzed the new rootkit ITW that is totally rewriting the BIOS. It has real-time disassembling and, depending on which BIOS it's working on, it automatically patches it. Then, for every new video card you install in the PC, the infected BIOS automatically patches the VGA ROM. This is the real rootkit body that'll infect every OS, Unix/Linux/Windows/MacOSX/QNX and so on :(
We're still working on finding a definitive cure for it but it's sadly difficult and it has silently infected tens of thousands of PCs around the world. :(
Link to an article about it: http://www.zdnet.com/articles/panic_new_rootkit_infects_BIOS_no_solution_yet.html (http://www.zanyimages.com/Everyday/You%20must%20be%20kidding%20!.jpg)
Macstorm
June 23rd, 2008, 06:48 PM
^
LOL i thought you were serious :D
fcukdat
June 23rd, 2008, 07:00 PM
Sheer class, Marco ;D
Now where's my tin foil hat gone? lol
bdrive
June 28th, 2008, 12:37 AM
-{ Quote: "My daughter uses Avira Premium, and it has prevented 4 infected downloads in just the past 2 weeks. A complete waste of $$? NOT!" }-
Do you really think he's saying that AV programs have 0% efficacy? Of course any given AV is going to catch a certain amount of viruses. Just because an AV can catch X number of viruses has nothing to do with his premise.
Copyright ©2002 - 2012, Wilders Security Forums