Do you use real-time AV?

Discussion in 'other anti-virus software' started by RedZero, Oct 27, 2007.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Then you are a prime candidate for Linux my friend... :)

    I am running SuSE 10.3 at the moment, and enjoying the freedom from ALL of the security apps one usually uses in Win. Kinda nice actually...
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    When I run XP, I just feel that it's easier to run an AV. For me, if I put Avira on, it's just kind of an install-and-forget-it type thing. What could be easier? Especially if there is no noticeable performance drain. Sooner or later I will want to scan a download or file, or see if my browser cache has some crap in it.
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Dr.Web v4.44 with Anti-Spam

    Firefox with...

    • Adblock Plus
    • NoScript
    • IE Tab
    • Fasterfox
    • Flagfox
    • CookieCuller
    • WOT

    Rollback RX PRO 8.1
    Business Router with Advanced Business Firewall (BT2700HGV)
    Windows Firewall / Defender.

    It's a very good, clean and fast set-up.

    I'd certainly rather have non-obtrusive real-time protection than none at all.
     
  4. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,131
    I have to have an AV & I have just one, Ad-Aware, to remove other nasties... I don't know why you would want no AV. There are plenty that are minimal usage-wise, so that shouldn't be an excuse. If you want to live on the edge, fine, but I think no AV is just asking for trouble...
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It's flat still :rolleyes: :D
    I don't remember my trials of Dr.Web, but I doubt that it can be so much lighter than NOD32. And you have the slow scanning speed (playing with VBA32's CLI scanner reminds me of Dr.Web).
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I just install the on-demand scanner and leave the guard off.
    I have realtime protection, it's just non-signature based. I use scanners (I'm no expert) , but not for scanning the same file again and again.
    7 years clean on 98SE. 4 years clean on XP. Evidence speaks by itself.
     
  7. herbalist

    herbalist Guest

    I stopped using an AV about 2 years ago. IMO, blacklisting is very much an old-school method that's becoming more and more limited in its effectiveness. AVs are fine when the malicious code has been in circulation for a while but are far less effective against newly released threats. Some time ago, I set up a webmail account solely for collecting spam and e-mailed malware. I submitted the address in the worst places I could find. At one point, I was being sent infected mail almost daily. I'd upload them to VirusTotal as soon as I got them. The average detection rates were under 50%, and all of the AVs missed some of them. There are hundreds of thousands of viruses, worms, trojans, and other pieces of malicious code. When you include all their variants and other types of adware and other less-than-desirable code, the number may be over a million. Much of it is spread by botnets, so it doesn't take long from the time it (new malicious code) is released until it's widespread. AVs don't handle new malicious code very well.

    Growing ineffectiveness isn't the only problem with AVs. With their detection databases growing to 10 megabytes or more, they're becoming more demanding on system resources and processor time. It's small wonder when they check accessed files and processes against that database to make sure that each one is not one of the million or so items listed in it. It's hard to come up with a more inefficient method than comparing everything that's accessed by your system to a database that large, just to make sure that it isn't one of those items. Even this would be acceptable if it was completely effective but it's not, and it's becoming less effective all the time. There's just too much malicious code moving too fast to rely on an app that has to identify it in order to defend against it.

    Some interesting reading that says it better than I can: The Six Dumbest Ideas in Computer Security. Default-permit is secure only when:

    1. all malicious code can either be detected and prevented from executing, a complete impossibility in a default-permit environment,
    or
    2. all the actions of the malicious code can be kept from affecting or changing anything on the operating system and installed software. Sandboxing, frozen snapshots, and virtualization are some of the methods that attempt to do this. All enjoy at least partial success. The problem is that malware writers are always looking for ways to neutralize or break out of such defenses. Sooner or later, they will. Then the vendor will fix that weakness and the game begins anew. Too bad if yours is one of the systems that is exposed to the new exploit method before it's fixed. IMO, this is no different than what we've been seeing all along with Windows operating systems. Find a vulnerability, exploit it, M$ patches it, repeat process.

    On my own systems and those of a couple of my clients, I've implemented a default-deny security policy. In its simplest terms, only the necessary system processes and user applications are allowed to run. Each process can only start (parent) or be started by (child) the processes that specifically need to for normal operations. Internet apps are given only the access they need to function properly, nothing more. The allowed internet content is filtered to remove unwanted material, such as banner ads and malicious scripts. Default-deny is a viable option for users who have finished systems that are equipped the way they want them. It's not suitable for users who regularly install new software or like to change things on their system. The policy and the apps used to enforce it are configured to prevent changes and make it inconvenient to do so.

    I use a combination of System Safety Monitor free version, the system policy editor, Kerio 2.1.5 firewall, and Proxomitron to enforce the default-deny policy. The initial setup is time consuming and requires that the user understands the interactions of the executables involved. Basically, you're building a whitelist of the executables of your system and user applications. It is absolutely critical that your system is clean and free of all malicious code before starting, otherwise you'll be making rules that allow that malicious code and/or compromised files to run. This whitelist also specifies what each one can do and what else each can launch. It's a time-consuming process and many underestimate the time and effort it takes to cover the activities and applications you use. It has to cover all of them, not just the processes themselves but how they interact. Examples: will your browser be launching your mail handler, media player, PDF reader, etc.? Will your mail handler be allowed to start the browser? Have you allowed each application you might want to print something from access to the necessary printer executables? Did you cover every process involved in the system's bootup? It takes time to set up without resorting to "allow everything" settings, which defeat the whole purpose of default-deny. SSM is a powerful tool that's ideally suited for enforcing a default-deny policy. Other HIPS are similar. Many who have tried it complain it's noisy. It is, until the configuration is finished. When it's done, SSM is silent until something unknown tries to start. With its UI disconnected, it remains silent. With a finished ruleset and its UI disconnected, a user can use their system normally, provided "normal" doesn't include installing new software or launching unknown executables. Those will be blocked outright. It also interferes with updating, which will have to be done manually.

    The majority of malicious code is distributed as installers or actual executables. It may be made to look like something else but it has to eventually launch either an installer or the malicious process itself. These will not be part of your whitelist and will be blocked from executing. With SSM, if you're running with the UI disconnected, you won't be prompted to launch that file. If it tries to self execute, all you'll see is an "access denied" message. Apps like SSM can also prevent many new exploits from performing like the malware writer wanted. Exploit code often works by using a weakness found in one program to gain access to another. An example would be a bit of code that causes your browser or mail handler to launch another process the user would not, like a trojan a malicious site dropped in your temp directory or your registry editor. By limiting what other processes each executable can launch or be launched by (specifying the allowed parent and child dependencies of each process), the exploited process will not be permitted to launch that trojan or access a more critical system executable, like the registry editor.

    Default-deny is not for most users. It's for those who know or will learn their systems at a process level. It's for those who have their systems equipped and configured the way they want them. Not for the "install happy" user or those who don't want to dig that deep into their system's workings. It's a very effective policy on older systems like 98/ME, which aren't updated anymore and a lot of new software won't run on.

    For on-demand scanning of downloads, there's always VirusTotal.

    Rick
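A worked illustration of the parent/child whitelist described in the post above, added here as an example; it is not SSM's code or rule format, and nothing in it comes from the original thread. The executable paths, the rule set and the launch events are all constructed for illustration. The rule set deliberately contains one one-sided dependency (Thunderbird is allowed to start the PDF reader, but the reader's own rule does not list Thunderbird as a parent) to show the consistency check a ruleset like this needs before it can be left running silently.

```python
"""Default-deny process-launch policy with parent/child dependencies.

Added example, not SSM's code or rule format. Every path, rule and launch
event here is constructed for illustration.
"""
from dataclasses import dataclass

KERNEL = "<kernel>"  # pseudo-parent for processes the OS itself starts at boot

# Constructed executable paths (lowercase, since the decision is case-insensitive)
WINLOGON = r"c:\windows\system32\winlogon.exe"
EXPLORER = r"c:\windows\explorer.exe"
FIREFOX = r"c:\program files\mozilla firefox\firefox.exe"
THUNDERBIRD = r"c:\program files\mozilla thunderbird\thunderbird.exe"
ACROREAD = r"c:\program files\adobe\reader\acrord32.exe"
REGEDIT = r"c:\windows\regedit.exe"
SPOOLSV = r"c:\windows\system32\spoolsv.exe"


@dataclass(frozen=True)
class Rule:
    parents: frozenset   # executables allowed to start this one
    children: frozenset  # executables this one is allowed to start


def rule(parents=(), children=()):
    return Rule(frozenset(parents), frozenset(children))


# The whitelist. Anything absent from it is denied: that is the default-deny.
# It has to be built on a system known to be clean, otherwise a resident
# trojan simply ends up with an allow rule of its own.
POLICY = {
    WINLOGON: rule(parents=[KERNEL], children=[EXPLORER]),
    EXPLORER: rule(parents=[WINLOGON],
                   children=[FIREFOX, THUNDERBIRD, REGEDIT, ACROREAD]),
    FIREFOX: rule(parents=[EXPLORER, THUNDERBIRD], children=[ACROREAD]),
    # Deliberate gap: Thunderbird lists the PDF reader as a child, but the
    # reader's rule below does not list Thunderbird as a parent.
    THUNDERBIRD: rule(parents=[EXPLORER], children=[FIREFOX, ACROREAD]),
    ACROREAD: rule(parents=[EXPLORER, FIREFOX], children=[]),
    REGEDIT: rule(parents=[EXPLORER], children=[]),
    SPOOLSV: rule(parents=[KERNEL], children=[]),  # started at boot, starts nothing
}


def decide(parent, child, policy=POLICY):
    """Decide whether `parent` may start `child`. Returns (allowed, reason).

    Both directions are checked: the child must accept this parent, and the
    parent must be permitted to start this child. Unknown executables on
    either side are denied, which is what blocks a dropped installer or a
    trojan in a temp directory without any signature for it.
    """
    parent, child = parent.lower(), child.lower()
    child_rule = policy.get(child)
    if child_rule is None:
        return False, "access denied: %s is not whitelisted" % child
    if parent not in child_rule.parents:
        return False, "access denied: %s may not be started by %s" % (child, parent)
    if parent != KERNEL:
        parent_rule = policy.get(parent)
        if parent_rule is None or child not in parent_rule.children:
            return False, "access denied: %s may not start %s" % (parent, child)
    return True, "allowed"


def policy_gaps(policy=POLICY):
    """Return (parent, child) pairs whose dependency is declared on one side only.

    Such a pair is silently denied at runtime, which is the kind of surprise
    (printing or attachment viewing that just stops working) a ruleset should
    be checked for before its UI is disconnected.
    """
    gaps = set()
    for name, r in policy.items():
        for c in r.children:
            if c not in policy or name not in policy[c].parents:
                gaps.add((name, c))
        for p in r.parents:
            if p != KERNEL and (p not in policy or name not in policy[p].children):
                gaps.add((p, name))
    return sorted(gaps)


# Constructed launch attempts: (parent, child)
EVENTS = [
    (EXPLORER, FIREFOX),                                      # normal use
    (FIREFOX, ACROREAD),                                      # browser opens a PDF
    (FIREFOX, r"c:\docume~1\user\locals~1\temp\svchost.exe"),  # dropped trojan
    (FIREFOX, REGEDIT),                                       # exploited browser reaching for regedit
    (EXPLORER, r"c:\downloads\setup.exe"),                    # unknown installer
    (THUNDERBIRD, ACROREAD),                                  # hits the one-sided rule
]


def evaluate(events=EVENTS, policy=POLICY):
    """Run every event through decide(); returns (parent, child, allowed, reason)."""
    return [(p, c) + decide(p, c, policy) for p, c in events]


if __name__ == "__main__":
    for parent, child, allowed, reason in evaluate():
        print("%-5s %s -> %s (%s)" % ("ALLOW" if allowed else "DENY", parent, child, reason))
    print("ruleset gaps:", policy_gaps())
```

Of the six constructed events only the first two are allowed; the trojan and the installer are denied because they are not in the whitelist at all, regedit is denied because Firefox is not one of its permitted parents, and the Thunderbird-to-reader launch is denied solely because of the one-sided rule, which `policy_gaps()` reports so it can be fixed before the ruleset goes silent.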
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    yep

    Avira PE, Sandboxie and Threatfire. No system slow down and nothing gets through. A good AV is still the one best piece of security software, regardless of what experts tell you.;)
     
  9. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    YES. Always have used AV real time. What I don't do sometimes is a scan regularly on PC 2. If you are worried about resource usage slowing you down and want to baby sit your scan as opposed to overnight. This is a little more understandable when it comes to doing a scan, but not having an AV in real time because of resource usage. I got problems with that one. o_O
     
  10. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,617
    Location:
    Milan and Seoul
    I agree with herbalist. If you can't be bothered to learn the very basics about protecting your computer, then an AV alone, and a FW will protect you from most 'established' malware.

    But the AVs' claim that they can't protect you 100% should be rephrased as: they can only protect you 70%, and perhaps even less (I was also shocked by my recent experience submitting infected files to VirusTotal: a real debacle).

    An AV + a virtual program or an AV + a HIPS (if you know what you're doing) should definitely improve your odds against infection. Currently I'm using a whitelisting program in conjunction with a virtual program, no AV, and the system is light as a feather (as I'm writing in virtual mode, and everything on, my memory usage is 226 MB and cpu 9%).
     
  11. Dogbiscuit

    Dogbiscuit Guest

    I don't use AV software anymore. I also don't run as admin.

    As has been mentioned here before, Aaron Margosis believes that running under a limited user account without an AV is actually safer than running as admin with an AV. I believe that too.

    Unsafe surfing? Create a limited account just for that kind of browsing and delete it when you're finished. On-line banking? Create a separate limited account just for this. As long as your admin account is safe, the banking account will be protected from the others.

    To me, nothing could be simpler or safer (without devoting more resources).
     
  12. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    yes I do
     
  13. Jamaica

    Jamaica Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    1
    Location:
    Brazil
    Avira Premium Security Suite, in real time 4ever :)
     
  14. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Yep, kaspersky on one computer, norman on another :)
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I failed to mention that I do use NOD32 to scan for finds when researching malware locally. I alternate between two partitions on a single drive to run studies & tests on one; then, when booted up to the alternate partition, I scan the partition I left, just to ensure my samples are where they are supposed to be and to guard against the case where something tested has spawned additional entries/files without notice.

    So in this respect, i must depend on an AV for this purpose.

    Otherwise when simply internet browsing and the like, my HIPS shield covered with Power Shadow or Returnil are enough to keep things orderly and honest.
     
  16. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
    I use AV. Because I can. Because one like AntiVir seems to use so little system resources, even when I set its settings to the more aggressive levels there seems to be little impact, and memory usage doesn't seem to go over 20 MB unless doing an on-demand scan (Whoot!). I think everyone should have an AV, at least for on-demand... Most people do download things at one point or another. It's also good for the overall community when one finds something new via heuristics, etc. Even if my setup already stopped everything 100%, I would still use an AV to check new things.
     
  17. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I second that. Each time I read in PC magazines about the 99.9% success that the X antivirus scored, I can't stop laughing.

    For my own PC I just use AVG Free without the email scanner, just because it is so light that it is as if you had no antivirus running at all. I don't trust AVG Free at all, but better having it than not. My main defence is a simple firewall (like Ashampoo Free or Kerio 2) and a free HIPS, like PG or SSM. From time to time I use different combinations for fun.

    The people who use all these mastodontic AV suites, which consume "only" 20% CPU, should try a setup like this. Average CPU consumption 0%. RAM usage: AVG w/o mail scanner: 2 MB, Ashampoo Firewall: 15.5 MB, PG: 7 MB.
    On occasion i use Dr. Web Cure it for on demand scans.

    The joy of booting to Windows at lightning speed and feeling the OS snappy : Priceless.
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    AV is the band-aid, Sandboxie is the antibiotic.
     
  19. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Don't use an AV, don't need anything taking away resources that could be used for something better. Just use pf and run as a normal user and I am good to go.

    BTW, running without a firewall is pretty dumb. If you look at some of the vulnerabilities in operating systems in regard to DoS, many are just from how a computer cannot respond to and process a certain packet properly. Therefore, always run a firewall (a hardware firewall will work as well) if you don't want some kind of attack to possibly be mounted on you. Especially with a new network stack coming into Vista, I bet a junk load of bugs will be found in the future, but we'll see.

    Also, a good firewall requires very few resources at all, and will cause an unmeasurable impact on your connection

    Cheers,

    Alphalutra1
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sort of mixed bag here:

    All behind a Nat/SPI router
    - XP PC1 = A2 Malware (IDS + Blacklist) + WinPooch (Registry + File) + GesWall Pro
    - XP PC2 = TF (with custom rules) Pro (checks virus blacklist on demand when encountering an anomaly) + DefenseWall
    - Vista64 = Avast + PRSC + HauteSecure

    Reason:
    A Policy Sandbox (like DefenseWall) + Behavior HIPS (like TF with custom rules) should be sufficient for an XP box.

    Did some web browsing on nasty sites to check defense. We are using Opera (just because it loads so fast on the XP boxes, IE in protected mode on Vista64 with UAC).

    No AV is not old school. Just a matter of taste and your trust in other apps.
     
  21. Minimax2000

    Minimax2000 Registered Member

    Joined:
    Jun 11, 2006
    Posts:
    204
    Location:
    Switzerland
    No real-time av for 1 year and haven't got any malware yet.

    Frank
     
  22. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    I'm glad that my Anti-Virus DOES find anything. And I'm wondering why you use an AV (Windows Defender) when it never finds anything.

    OT:
    Reading this topic, I might look paranoid:

    RealTime:
    F-Secure (AV)
    Sygate (FW)
    Scriptrap
    AVGAS (AS)
    BOCleaner

    On Demand:
    DrWeb
    F-Prot
    NOD32
    Spybot S&D

    Other:
    Opera Browser
    Thunderbird

    Talking about slowing down your machine:
    I've no problems with the speed with this old Pentium 3, 550 MHz, 512 MB RAM, WinXP + SP2.
    Depends on the configuration, I think. I had stripped and tweaked the OS and I'm sure that is as fast as your dual core 3 GHz, 2 GB RAM, etc. ;)
     
    Last edited: Nov 3, 2007
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's a very bold statement.
    Anyway, I have the best of both approaches: high-end machine, tweaked OS and very little real-time security.
     
  24. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I'll 2nd that...
     
  25. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Chato,
    Windows Defender, as you should know, is not an anti-virus (it's an anti-malware). Also, it came auto-installed via Vista. Although Defender never finds any malware, neither has any other program I've tried. Like I've said before, I'm a fairly safe surfer. I suggest most people should try Sandboxie if they wish to surf safely. I'm a big fan of Sandboxie now. SafeSpace is another good sandbox... and it's free. Try it.

    Later.
     