Wilders Security Forums  

Go Back   Wilders Security Forums > Security Products > other anti-virus software
#26
August 8th, 2012, 01:08 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: AV's Useless?

All code is attack surface. AVs happen to interact directly with malware. In a situation where an attacker is trying to break into a system they could potentially exploit the antivirus. This would be useful since most antiviruses run as Admin anyways so the attacker gets Admin rights. You can also pretty much guarantee that the AV would interact with the malware if it's doing its job.

Right now this isn't likely for an end user as there are dozens of AVs and none of them has more than 30% of the market. In a direct attack it's possible.

The point made is that there are downsides to installing an antivirus and if it's not pulling its weight it doesn't matter whether "nothing can provide 100% security" - that's just an excuse.
#27
August 8th, 2012, 01:34 PM
carat
Posts: n/a
Re: AV's Useless?

So don't use your seat belt, it is an attack surface because it could hurt you when you have a crash!

AVs are not useless!
#28
August 8th, 2012, 01:41 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: AV's Useless?

Analogies are rarely accurate.

Car analogies are usually the worst. The world of driving is not like the world of computers. There aren't drivers out there profiting from crashing into other users. There aren't special types of car crashes where the other driver doesn't realize they've just been hit. The seat belt is not a critical point of attack.

It just doesn't work...
#29
August 8th, 2012, 01:56 PM
luciddream
Very Frequent Poster
Join Date: Mar 2007
Location: US
Posts: 1,656
Re: AV's Useless?

Another example: Go to your command prompt once and enter the command "netstat -an" (without the quotes). Close your browser and any other programs first. Naturally, with your browser open there will be connections (whatever rules you have for your browser). With everything closed now... what do you see listed there? Do you see random ports "listening", or worse... hanging wide open? Among those ports do you happen to see 135, 445, or 44080? 135 is DCOM. 445 is NetBIOS. I believe the latter (44080) is the port Avira used for its Web Guard. That right there is your trusty AV out there looking for malware... daring it. Saying: "go ahead, make my day", like Clint Eastwood. Okay, I'm getting a tad sensationalist here, admittedly.

You know what I see when I type in that command?... nothing at all, that's what. Not only from having no real-time monitoring, but from disabling certain services (like DCOM), NetBIOS over TCP/IP, etc... From hardening my OS. I could conceivably even run without a firewall at all and get away unscathed, not that I'd attempt it, because I have no ports hanging open/listening in the first place, let alone vulnerabilities associated with them.

I don't use my VPNs unless I feel anonymity is absolutely vital for the same reasoning. I feel I'm potentially sacrificing security for that anonymity/privacy. Namely by having svchost.exe connecting out, even with a tight rule set. And openvpn.exe. Just as is the case with the AV (as HungryMan and Mounds mentioned), the chances of this are slim. It would likely depend on several other vulnerabilities/scenarios having to fall in line as well for the attacker to be able to pull it off. Not to mention that your router will be stealthing those ports anyway (or should be). So the black hat would have to depend on some hardware failure as well. Just stating that the chance exists, however slim. And if the product is providing me no benefit anyway, why even take that (albeit slim) risk? Why, when I can simply close my browser, or reboot my computer, and the infection is gone? Why, when I haven't been infected to test that theory in 7 years, since learning about security and taking it seriously?

I personally sleep a lot better being able to look at that netstat list and seeing nothing there. That's how my protection starts... hardening at the OS/kernel levels. Trying to make it so that you could conceivably even run without any 3rd party security software whatsoever, or a router, and have your box avoid catching an STD. Granted the likelihood of this happening is much less here on my XP system than say Win7, but it's my approach. And I work my way outward from there. And people like "Kees" are really close to pulling it off, if not there already. IMO it's the only model that really makes sense going forward.

But again this is all completely secondary to saving the resources, and your hardware from the wear & tear of real-time scanning. Not to mention your ears... My machine runs noticeably quieter. When the hard drive, CPU and RAM don't have to work as hard, neither do the fan(s).
__________________
XP Pro SP3: Comodo FW/D+ 5.10 | Sandboxie 3.76 | VT Hash Check 1.01 | OpenVPN 2.2.1 | VirtualBox

Last edited by luciddream : August 8th, 2012 at 04:53 PM.
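The check luciddream describes (run "netstat -an" with the browser closed, then look at what is LISTENING and whether ports such as 135, 445 or an AV's own web-filter port are among them) becomes easier to read if the raw table is sorted into listeners bound to a network-reachable address versus loopback only. The script below is an added example written for this thread; it is not code from the post or from any product mentioned. The netstat text it parses is a constructed sample, and the port-to-service table is an assumption built from the ports the thread names (44080 in particular is only what the post attributes to Avira's Web Guard).

```python
import re
import sys
from collections import namedtuple

# Constructed sample of Windows "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:44080        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49200      93.184.216.34:443      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Assumed table of the ports named in the thread and the service each belongs to;
# 44080 is only what the post attributes to Avira's Web Guard.
KNOWN_PORTS = {
    135: "DCOM / RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session service",
    445: "SMB direct hosting (file sharing without NetBIOS)",
    44080: "local web-filter proxy (Avira Web Guard, per the thread)",
}

Socket = namedtuple("Socket", "proto local_ip local_port remote state")

# One netstat row: protocol, local endpoint, foreign endpoint, optional state (UDP rows have none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles IPv6 '[::]:135' and the UDP '*:*' form."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -an text into Socket records, skipping headers and blank lines."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        ip, port = split_endpoint(local)
        if proto == "UDP":
            state = "UDP"  # UDP is connectionless; every bound port accepts input
        sockets.append(Socket(proto, ip, port, remote, state or ""))
    return sockets


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def listening_sockets(sockets):
    """Sockets that accept input: TCP LISTENING plus every bound UDP port."""
    return [s for s in sockets if s.state in ("LISTENING", "UDP")]


def audit(text):
    """Return (proto, port, service, scope) for every listener.

    scope is 'network' when the socket is bound to a non-loopback address
    (reachable from the LAN unless a host firewall or the router blocks it)
    and 'local' when it is bound to loopback only.
    """
    findings = []
    for s in listening_sockets(parse_netstat(text)):
        scope = "local" if is_loopback(s.local_ip) else "network"
        service = KNOWN_PORTS.get(s.local_port, "unknown service")
        findings.append((s.proto, s.local_port, service, scope))
    return findings


if __name__ == "__main__":
    # Real check: close the browser, then run  netstat -an | python netstat_audit.py
    # With nothing piped in, the constructed sample is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for proto, port, service, scope in audit(text):
        print(f"{proto:<4} {port:>6} {scope:<8} {service}")
```

On the sample, the two wildcard-bound TCP 135 entries, TCP 445 and UDP 137 come out as "network" scope, while the web-filter proxy on 127.0.0.1:44080 and UDP 1900 come out as "local": the loopback-only listeners are not reachable from the LAN at all, which is the distinction the later replies about the router "stealthing" ports are getting at. ESTABLISHED rows are dropped because they are outbound connections, not listeners.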
#30
August 8th, 2012, 01:56 PM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,470
Re: AV's Useless?

I may be wrong, but I actually think that some malware was making use of a bug in an antivirus to infect systems? I think I've seen it mentioned at Wilders quite some time ago. Not sure. But, I think it was through a bug in a browser protection component.
#31
August 8th, 2012, 02:29 PM
Jim1cor13
Frequent Poster
Join Date: Aug 2012
Location: US
Posts: 295
Re: AV's Useless?

Quote:
Originally Posted by luciddream
Another example: Go to your command prompt once and enter the command "netstat -an" (without the quotes). Close your browser and any other programs first. Naturally, with your browser open there will be connections (whatever rules you have for your browser). With everything closed now... what do you see listed there? Do you see random ports "listening", or worse... hanging wide open? Among those ports do you happen to see 135, 445, or 44080? I believe the latter is the port Avira used for its Web Guard. 445 probably HTTP scanning. That right there is your trusty AV out there looking for malware... daring it. Saying: "go ahead, make my day", like Clint Eastwood. Okay, I'm getting a tad sensationalist here, admittedly.

You know what I see when I type in that command?... nothing at all, that's what. Not only from having no real-time monitoring, but from disabling certain services (like DCOM), NetBIOS over TCP/IP, etc... From hardening my OS. I could conceivably even run without a firewall at all and get away unscathed, not that I'd attempt it, because I have no ports hanging open/listening in the first place, let alone vulnerabilities associated with them.

I don't use my VPNs unless I feel anonymity is absolutely vital for the same reasoning. I feel I'm potentially sacrificing security for that anonymity/privacy. Namely by having svchost.exe connecting out, even with a tight rule set. And openvpn.exe. Just as is the case with the AV (as HungryMan and Mounds mentioned), the chances of this are slim. It would likely depend on several other vulnerabilities/scenarios having to fall in line as well for the attacker to be able to pull it off. Not to mention that your router will be stealthing those ports anyway (or should be). So the black hat would have to depend on some hardware failure as well. Just stating that the chance exists, however slim. And if the product is providing me no benefit anyway, why even take that (albeit slim) risk? Why, when I can simply close my browser, or reboot my computer, and the infection is gone? Why, when I haven't been infected to test that theory in 7 years, since learning about security and taking it seriously?

I personally sleep a lot better being able to look at that netstat list and seeing nothing there. That's how my protection starts... hardening at the OS/kernel levels. Trying to make it so that you could conceivably even run without any 3rd party security software whatsoever, or a router, and have your box avoid catching an STD. Granted the likelihood of this happening is much less here on my XP system than say Win7, but it's my approach. And I work my way outward from there. And people like "Kees" are really close to pulling it off, if not there already. IMO it's the only model that really makes sense going forward.

But again this is all completely secondary to saving the resources, and your hardware from the wear & tear of real-time scanning. Not to mention your ears... My machine runs noticeably quieter. When the hard drive, CPU and RAM don't have to work as hard, neither do the fan(s).

Thank you lucid for taking the time to explain how you handle some of these matters.

Very interesting, and some areas are way over my head, but I understand what you are getting at, and the bottom line is that you took the time to learn how to secure a system apart from all the typical tools available. Although that would be very difficult to do in, say, Win7, your strategy would still be very effective, at least the parts of it I actually understand!

Thanks again, very interesting, and it sure is something to think about. It sure would be nice to be able to, if possible, get away from some of the typical tools needed to secure a system, and be able to keep some burden off one's system. Sometimes, as good as those tools can be, they can also be our worst enemies as far as system stability.

Have a good day!
#32
August 8th, 2012, 05:15 PM
luciddream
Very Frequent Poster
Join Date: Mar 2007
Location: US
Posts: 1,656
Re: AV's Useless?

Thanks for the compliment, but I'm nowhere near as adept as some of these people in here. Kees, who I mentioned, and HungryMan (who contributed to this thread) are light years ahead of me. But at the same time they subscribe to the same basic philosophy, I think.

It's better to make sure a boat has no leaks in the first place than to take it out to sea, have them spring up, then try to patch them. Probably another bad analogy, lol...

I screwed up (but fixed) a couple of the ports/uses.

I should mention that if I ran Win7 I "may" just use MSE, since from what I've seen it runs so light on that OS you barely notice it's there. I'd have to run it for a while to test it out. Also since it's an MS product there is very little chance of conflict with anything else. Those things are (far) more important to me than a few percentage points on some test using subjective sample sizes, since my chances of getting infected are remote anyway. So the answer to this thread: are they "useless"?... absolutely not! Because of what I just said regarding MSE on 7, and because we here at Wilders do not represent the "average user". To the average user, AVs are pretty much the core of their protection. Because they lack the ability to do any of the alternative stuff mentioned in this thread.

But to the average Wilders user on the other hand... it's an outdated model, and we can do better.
__________________
XP Pro SP3: Comodo FW/D+ 5.10 | Sandboxie 3.76 | VT Hash Check 1.01 | OpenVPN 2.2.1 | VirtualBox
#33
August 8th, 2012, 05:46 PM
Brandonn2010
Very Frequent Poster
Join Date: Jan 2011
Posts: 1,216
Re: AV's Useless?

I just tried looking at my netstat results: there were like 30 or more, and most made no sense. I looked instead at network activity in Resource Monitor. That was much nicer, and I found some listening to the Internet that seem like they have no need, including 3 for Apple Mobile Device Support. However, most are System and svchost, and I have no way of knowing if they need to be or not.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
#34
August 8th, 2012, 06:00 PM
Jim1cor13
Frequent Poster
Join Date: Aug 2012
Location: US
Posts: 295
Re: AV's Useless?

Well said lucid. The comment regarding MSE makes sense also. Over the years, when I think of the various things I have learned and used, in regards to computing, in many ways, it is a constantly changing environment, both software and hardware, etc. I started with my own computer back in 1996, first one I bought, the old Compaq Presario all in one with a Pentium 75 CPU LOL
All one piece, but what a little work horse.

How things have changed since then, and now, after 16 years of doing tech work, etc., I have slowed down and mainly work with my own computers. I spent too much time sitting at these things over the years and messed up my legs, circulation, etc., so now I try to get out more and get more exercise, and it is nice not staring into computers all day long any more. Although I still enjoy testing stuff and learning, I am way behind the curve in many ways, but that's ok. The complexity that has come into computing and the dependency that so many have upon them now, in my opinion, is not a good thing. Businesses, etc., all internet driven, for the most basic revenue, is a bad idea. Great as far as a larger market, etc., bad because most that I have discussed these matters with have NO backup plan in the event of no internet access. I find this incredible and short sighted, but that's just me.

So over time, I backed off the last few years, and what you stated is so accurate: "But to the average Wilders user on the other hand... it's an outdated model, and we can do better."

That goes also for the future direction of computing, and I still fail to see the wisdom for anyone to become fully dependent upon internet, etc., for their entire business model. Certainly it is and has been a great opportunity to expand a business, it allowed us small folks to branch out, but now it has been taken for granted, and I know at some point, we will regret thinking it would run forever without major glitches at some point, not just outages.

I agree, overall, we can do better. For me, getting away from the computer more often has been a blessing!

Thanks again for your insight, and to all who contributed to this thread. Much appreciated, and it reminds me of how complex it all has become, but it is sure nice to meet some great folks along the way.

Jim
#35
August 8th, 2012, 06:23 PM
luciddream
Very Frequent Poster
Join Date: Mar 2007
Location: US
Posts: 1,656
Re: AV's Useless?

Quote:
Originally Posted by Brandonn2010
I just tried looking at my netstat results: there were like 30 or more, and most made no sense. I looked instead at network activity in Resource Monitor. That was much nicer, and I found some listening to the Internet that seem like they have no need, including 3 for Apple Mobile Device Support. However, most are System and svchost, and I have no way of knowing if they need to be or not.

Did you close your browser first, and any other programs/windows? Because if your browser was open there will inevitably be (and should be) connections.

Also don't drive yourself crazy trying to get yours in the state mine is (empty list). I'm very anal about this stuff. I made many tweaks to get it that way, some of which may not fly on your setup and could even break (necessary) stuff. I run a very bare-bones setup.

As long as your router is properly configured it's stealthing those ports and you're all good. So is your firewall. That post was simply an example of how AVs can actually increase your attack surface. Those connections are almost certainly not putting you at any risk whatsoever. Worst case, probably just eating some resources you could free up otherwise.

On Vista/7 it may not even be possible to get it that way. I know you can't trim down the services like you can on XP. But then again they're not tied to the same stuff/ports either, and don't possess the same vulnerabilities. Then again, since SP2, neither does the XP variety, really.
__________________
XP Pro SP3: Comodo FW/D+ 5.10 | Sandboxie 3.76 | VT Hash Check 1.01 | OpenVPN 2.2.1 | VirtualBox

Last edited by luciddream : August 8th, 2012 at 06:44 PM.
#36
August 8th, 2012, 08:11 PM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas
Posts: 46,218
Re: AV's Useless?

Some off topic posts removed. Discuss the software, not other members.
#37
August 8th, 2012, 08:48 PM
wat0114
Frequent Poster
Join Date: Aug 2012
Location: Canada
Posts: 732
Re: AV's Useless?

I wouldn't say resident AVs are useless, just not worth the <100% detection rates they provide at the cost of system resources, monetary cost of annual updates, and potential (likely) bugs they induce upon the system, as well as potential conflicts with other apps. It's too much taxing overhead with little to benefit from.

A well configured browser, running in a Standard account, all apps and O/S updated, EMET, and Win firewall or a router enabled is, in reality, perfectly fine. An on-demand AV is adequate for suspect downloads, but downloads should never be considered suspect if they're obtained from known, trusted sources. As others have suggested, utilize the O/S as much as possible for securing against web-based threats. 3rd party security (not just AV's) should be a secondary consideration only and used sparingly.
#38
August 8th, 2012, 08:52 PM
Frank the Perv
Frequent Poster
Join Date: Dec 2005
Location: Virginia, USA
Posts: 367
Re: AV's Useless?

Quote:
Originally Posted by noone_particular
Regarding government malware, don't expect AVs to detect it, even if they can. They're caught between a rock and a hard place on this issue. If for some reason you need a system that's resistant to gov't malware, you're going to have to select, equip, and configure your system from the ground up with that purpose in mind, then be very selective about when and how you use it. No casual use system will suffice here. It will need to take default-deny to the extreme.
Not true.

Governments/military malware writers test their tools against commercial products. Some products detect their work.

There is no collusion in the AV industry with gov/military malware writers. There is no point as AVs originate in so many countries.
__________________
"I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image." —Stephen Hawking

SEP 12.1, MBAM Pro, WinPatrol Plus, Norton DNS, ABP, EAM Scanner

All times are GMT -4.

Copyright ©2002 - 2013, Wilders Security Forums