How would you protect your home PC:

Discussion in 'polls' started by Brian_12, Aug 5, 2011.

How would you protect your home PC:

  1. Antivirus: 1 vote(s), 1.0%
  2. Antivirus + Firewall: 15 vote(s), 15.5%
  3. Antivirus + Firewall + HIPS: 15 vote(s), 15.5%
  4. Antivirus + Firewall + Sandbox: 12 vote(s), 12.4%
  5. Antivirus + Firewall + HIPS + Sandbox: 17 vote(s), 17.5%
  6. Antivirus + HIPS: 0 vote(s), 0.0%
  7. Antivirus + Sandbox: 1 vote(s), 1.0%
  8. HIPS + Firewall: 4 vote(s), 4.1%
  9. Sandbox: 2 vote(s), 2.1%
  10. Sandbox + HIPS: 2 vote(s), 2.1%
  11. Sandbox + Firewall: 2 vote(s), 2.1%
  12. Sandbox + Firewall + HIPS: 8 vote(s), 8.2%
  13. Other (please list): 18 vote(s), 18.6%
  1. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    HIPS (if ever AppGuard is considered as a HIPS) + firewall is good enough for me right now, on 7x64

    but I like to experiment with various components used for this combo, as we probably all do here on Wilders...
     
  2. wat0114

    wat0114 Guest

    Can either one of you explain why the real-time antivirus approach is better, more efficient than the default-deny (whitelist) approach? Just curious ;)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Much easier to use. Definitive answers as to whether something is malicious or not. Default deny relies on the user to make decisions, which is not strong at all since the user put the file on their machine and it's quite likely that they did it deliberately.
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I can't say why it's better. But I can say this.

    Well my point is just that a "real-time antivirus/AM" is not just an antivirus these days, period.
    AVs today have more features than one single scanner.
    We got the URL Blocker which blocks malicious URLs so users can't even access the site/s (that's prevention). And then we got the real-time HTTP scanner which scans HTTP data in real-time and if it finds anything malicious then the download will get interrupted (also prevention). And after that we got the HIPS which is present in some AVs, ESET V5 for example which I use (it's quite simple but it will improve over time). And after that we got the antivirus itself of course with all of its modules: normal sigs with generic detection, heuristics, advanced heuristics, potentially unsafe/unwanted applications, behavior-blockers, behavior analysis, sandboxes, cloud reputation on files, etc etc.... I could continue but I think you get the point.

    And all these are solutions that I prefer, except the sandbox which I am not a fan of at all! I want to mention that I watched a YouTube test of ESET V5 the other day of 20 malicious links and the URL Blocker blocked around 15. And the rest of the links that actually started to download a file did get interrupted by the HTTP Scanner. And I am of course very happy with that result. So when someone says AVs can't really prevent much from getting in, that person is really wrong.

    Now it's your turn, why is your "solution" better :D
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Default-deny leads to loud programs, slow user-based interaction, and a false sense of security.
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Does that sound better to you? It feels like you are joking with me :shifty:
     
  7. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    To each their own I say.
    Whatever works for you.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Hm? I'm saying default-deny is no good.
     
  9. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Along with the usual, sandbox and VM used together.

    Acadia
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    More than that on Windows, and only default Firewall running in real-time for Linux.
     
  11. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,350
    Antivirus + Firewall + Sandbox!

    Works great! :D
     
  12. wat0114

    wat0114 Guest

    Say what??

    Yeah, I can agree with that, although default-deny isn't exactly rocket science.

    So antivirus is 100% accurate?
    The user making a decision and deliberately putting the file on their machine is obvious. But how is the user making a decision not strong at all? What is so difficult about:

    1. Obtain file from trusted source.
    2. Scan optionally with an updated, on-demand antivirus.
    3. Install file.
    4. Add to whitelist if not already, depending on the whitelist approach.
    5. Enjoy.
    ?

    To add… default-deny means no reliance on something running all the time, using unnecessary resources – all the time, introducing potential bugs (don't believe me? Just read a number of the forums of these vendors, and behold the complaints about some conflict, crash or instability issue or another) and providing < 100% protection.

    Default-deny just works. Anything not on the whitelist is denied. Simple but elegantly effective.

    That's a lot of stuff all right. Everything but the kitchen sink, I reckon ;)

    My only suggestion with the antivirus is it's a good enough tool for on-demand scanning only. When not needed, it can be shut down.
     
    Last edited by a moderator: Aug 9, 2011
  13. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    I agree with slowness, but that's only on the user side. The computer itself is fast, as it doesn't have to scan all the time.

    But loud? How? Do you mean classical HIPS, or do you refer to policy-based applications like AppLocker? Also, what is this false sense of security? I think that using AV generates more of this. AV programs can't catch everything, but with whitelisting, it is up to user to decide. With a strong whitelist setup, drive-by attacks are useless. As wat0114 said, AVs of course have their place as on-demand scanners, but I fear that they're not enough, and that they use too much resources.
     
    Last edited: Aug 10, 2011
  14. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I'm not sure resources are really an issue anymore. If you have a recent machine and a 2011 Av that is.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    1. faster machines with more resources are not a reason to stop making software that is as light and fast as can be

    2. an Anti Virus tool has no obligation to monitor URLs and all that "other" stuff they do now. Why the big names decided to become suites is clear, to become the "one stop shop". The down side is, as Swex so clearly described, an AV today likes to do everything it possibly can. Now that they are suites, they should reference #1 above ;)

    3. to not use an AV is a matter of choice, the same as being User or Admin. There is no test, no security scheme, nothing at all that will fit all situations.

    4. your chosen form of security only has to be effective enough for you, like mine needs to be effective enough for me. I would put my Sandboxie and Chromium setup with my tweaks up against any AV, or any default deny, and come out OK providing there wasn't some SBIE exploit. And the same can be said for Default Deny, as only a specific exploit beats it. AV on the other hand, for someone like me, is at the very tail end of what I would use for security. Those relying on it for their mid to front line of defense, well, 15 out of 20 is not what I want.

    5. Sometimes you can compare apples to oranges, sometimes you cannot. It is hard to say an AV would be better on a persons machine than something else, because each machine can be vastly different. You would also not want a novice to use only Chrome and Integrity Levels as an Admin, you would be more apt to make them use an AV, even if it is slow.

    6. When anyone says an AV can't prevent something from getting in, they are wrong. If they say LUA or default deny can't prevent, they are wrong. If they say being Admin without AV/HIPS/Firewall can't prevent something from getting in, they are, again, dead wrong. ANYTHING can work if you have the knowledge, desire and proper habits/methods to make it work. The trick is finding a product/scheme that fits all your known desires, and as many of the unforeseens as you can "foresee" :D

    Sul.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Woahhhhh lots to respond to =p

    No, but antiviruses at least give some kind of answer. You can scan with an AV and know or at least have some idea about whether or not a file is malicious. Default-deny relies 100% on the user.

    Exactly my point. If your file is not from a trusted source (As is very often the case) default-deny fails, you have no way of knowing something is malicious but you'll end up running it anyway otherwise... why download it?

    You shouldn't have to scan once in a while just to double check that you aren't infected. Default-deny for something as broad as an application running is going to put people into a "default-allow" state where as soon as they run something they whitelist it/ let it run whenever. Playing cleanup after to double-check isn't helpful and scanning every file that you download is just as silly as an AV running "stateful."

    Most people aren't willing to go through the work for default-deny because it involves steps. There are no steps in an AV. Even UAC is too much for people and all you have to do is click once... and that's just for installing programs! Not even running them!

    No, it's an unrealistic approach without an OS managed whitelist and if that whitelist isn't implemented properly the security mechanism fails itself.

    Your security setup should focus on protecting the user with as little common sense necessary and default-deny is 100% common sense based.

    As Sully said, fancy hardware isn't an excuse for poor programming.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Of course they don't have any obligation. It's not about obligation, it's about protecting users the best way possible.

    I'll give an example. The free version of AVG antivirus includes AVG LinkScanner. Does the antivirus have an obligation to provide such component? No. Should it provide it? Yes. Why? One more way to fight unknown malware.

    AVG LinkScanner will do its best to protect against browser exploits. So, even if the antivirus itself has no malware signatures to stop the infection, AVG LinkScanner will stop the exploits that will drop the malware in users systems.

    avast! now includes sandboxing. I believe the free version also includes it, to some extent... not sure if it's automatic, though. But, the point is, why shouldn't avast! have more than a simple antivirus component?

    People kept saying antiviruses were a thing of the past, and when security vendors evolve, people blame them because they're evolving to something else than just an antivirus component. Is the problem the antivirus tag? Forget about the term antivirus. Think of it as a security solution.

    I applaud both whitelist and blacklist. Whitelisting, by itself, doesn't say whether XYZ file is clean. It simply means I want to run it, hence whitelisted. This is where blacklist comes in, for the moments the whitelist fails.

    I have seen AppLocker failing its task more than once. It allowed DLL execution in user land, when there were no rules whatsoever allowing it. Imagine I had no firewall protecting outbound connections? Imagine these DLLs were malicious. Imagine the blacklist would flag them.

    Another time, AppLocker's rules simply stopped working.

    There's no perfect solution, I'm afraid. At some point, one of the security layers will fail to do its task.

    If you got a nice computer and look around, you'll find a decent and light "antivirus". If I had such a computer, I'd pick a real-time AV versus on-demand. At least, running a real-time blacklist would give me more chances of my system being protected, before an infection could take place. Unlike an on-demand scan, which the infection would already have happened... and luckily the infection was still around for me to know about it.
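The whitelist workflow wat0114 lists above (obtain the file, scan it, install it, add it to the whitelist) and the AppLocker failure m00nbl00d describes (a DLL that ran although no rule permitted it) can both be made concrete with a small default-deny policy checker plus an audit that compares what an enforcer reported against what the policy says. The Python below is an added example written for this page; it is not code from any poster, from AppLocker or from any antivirus product. The `Policy` structure, the function names, the hash-plus-path rule model and every audit event are constructed assumptions, and the hashes are SHA-256 digests of short constructed byte strings, not of real programs.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files": these byte strings stand in for program content.
GOOD = b"constructed: trusted installer obtained from a known-good source"
UNKNOWN = b"constructed: DLL nobody ever whitelisted"
BAD = b"constructed: sample the blacklist already knows about"


def sha256_hex(data: bytes) -> str:
    """Hash rules in a whitelist identify a file by content, not by name."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    """Hypothetical default-deny policy: a whitelist of hashes and path prefixes,
    with a blacklist layered on top (the 'for when the whitelist fails' case)."""
    allowed_hashes: set = field(default_factory=set)
    allowed_path_prefixes: tuple = ()
    blocked_hashes: set = field(default_factory=set)


def whitelist_file(policy: Policy, data: bytes) -> str:
    """Step 4 of the workflow above: record the hash of a file you decided to trust."""
    digest = sha256_hex(data)
    policy.allowed_hashes.add(digest)
    return digest


def decide(policy: Policy, path: str, digest: str) -> str:
    """Default-deny decision. Blacklist is consulted first so a known-bad file
    stays blocked even if someone whitelisted it by mistake; anything that
    matches no allow rule is denied, which is the whole point of default-deny."""
    if digest in policy.blocked_hashes:
        return "deny:blacklisted"
    if digest in policy.allowed_hashes:
        return "allow:hash"
    if any(path.lower().startswith(p.lower()) for p in policy.allowed_path_prefixes):
        return "allow:path"
    return "deny:no-rule"


def audit(policy: Policy, events) -> list:
    """Compare the outcome an enforcer reported for each execution event with
    the policy's own verdict. A mismatch such as 'Allowed' with no matching
    rule is exactly the silent whitelist failure described in the post above."""
    findings = []
    for path, digest, reported in events:
        verdict = decide(policy, path, digest)
        expected = verdict.split(":")[0]
        observed = "allow" if reported.lower().startswith("allow") else "deny"
        if observed != expected:
            findings.append((path, reported, verdict))
    return findings


def build_sample_policy() -> Policy:
    """Constructed policy: OS and Program Files directories by path, one
    installer by hash, one known-bad hash on the blacklist."""
    policy = Policy(allowed_path_prefixes=("C:\\Windows\\", "C:\\Program Files\\"))
    whitelist_file(policy, GOOD)
    policy.blocked_hashes.add(sha256_hex(BAD))
    return policy


def sample_audit_events():
    """Constructed enforcer log: (path, sha256, outcome the enforcer reported)."""
    return [
        ("C:\\Windows\\System32\\notepad.exe", sha256_hex(b"constructed: notepad"), "Allowed"),
        ("C:\\Users\\alice\\Downloads\\setup.exe", sha256_hex(GOOD), "Allowed"),
        # Allowed by the enforcer although no hash or path rule covers it.
        ("C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", sha256_hex(UNKNOWN), "Allowed"),
        ("C:\\Users\\alice\\Downloads\\crack.exe", sha256_hex(BAD), "Denied"),
    ]


def run_sample_audit() -> list:
    """Returns only the events where enforcer and policy disagree."""
    return audit(build_sample_policy(), sample_audit_events())


if __name__ == "__main__":
    for path, reported, verdict in run_sample_audit():
        print(f"MISMATCH {path}: enforcer said {reported}, policy says {verdict}")
```

Running it reports one mismatch, the `helper.dll` event, because the enforcer allowed a file that matches neither a hash rule nor a path rule; a clean run returns an empty list. Two design points worth noticing: the blacklist is checked before the whitelist, so whitelisting a known-bad file by accident does not rescue it, and path rules are only as strong as the write permissions on those directories, since anything a user can drop into an allowed folder inherits the allow.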
     
  18. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I'm not disagreeing with Sully's comment "faster machines with more resources are not a reason to stop making software that is as light and fast as can be." But Spysnake seemed to be suggesting that AVs were sucking all the life out of machines and that there were no resources left to do anything else. That isn't the case speaking in broad terms with modern machines and AV software in general today. I know that there are exceptions to every rule though.
     
  19. wat0114

    wat0114 Guest

    yeah, nothing wrong with, as I mentioned, scanning with on-demand, but why on earth do you need it scanning everything, as Sully wisely alluded to? As for them giving "some kind of answer"...what good is that if you can't trust it to be 100% accurate?

    It's not "very often" the case with me. Why should it be for others? There are lots of trusted sources to download from.

    I agree and never said this was necessary.

    Default-deny is for applications that attempt to run, as opposed to those already running. Why would one have to play cleanup if they only whitelist safe applications, which is, after all, the general idea.

    Aren't there myriad options in most of the current av suites today? Seems to me there are steps involved with them.

    UAC can be easily adjusted to eliminate the prompts, not something I'd recommend, though. Just my opinion. There's also SuRun that can easily elevate trusted processes from a Standard account. BTW, UAC isn't just some desktop Nanny that needs a yes or No to launch a program. Some nice reading here...

    -http://technet.microsoft.com/en-us/library/cc709628(WS.10).aspx

    Oh well, I beg to differ.

    So we should just be able to sit like dummies in front of our machines and let hand holding software make the decisions for us??


    Exactly.
     
    Last edited by a moderator: Aug 10, 2011
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The statement was meant to convey that an AV product does everything, as you say, they are no longer just an AV, but a suite. They should drop the term AV and just use another term that truly describes what they do.

    We can all agree on something I am sure - some people need to use a "security suite", hardly another option. Some people don't. It depends on many things, but we can narrow it down generically to desire and knowledge.

    Now that we can agree that there is a segment of users that an AV is likely the best tool to use, lets look at the "rest of us". What is your flavor of the week? Layers of whitelists, default denying, HIPs, OS tweaks and policies, virtualization or just good imaging. The "rest of us" might choose to use an AV suite, or we might not.

    I ask you, (not you, but YOU) is there a real time AV left that isn't bloated? How about one that ran like Fprot of days gone by, or older Luke Filewalker versions of Avira (anyone remember that :D ?), those versions that somehow managed to keep their footprint well under 20mb, while still scanning anything you touched in the file system.

    But alas, while for those that enjoy the "one stop shop" of the suites, and who don't mind that things get mired down (if you notice it I guess), there are others who wouldn't mind having a resident scanner on board, just as a "safety net", but really what options are there? Cloud based scanners? On demand? Gone are the good old days of an AV that did one thing - watch for files that looked possibly like a virus, and then give you the option of what to do.

    Ah well, thankfully about the only time out of my life that I give to an AV any more is to periodically wonder "I wonder if any of those files I downloaded were viruses". Then, after nothing happens, I promptly forget such silliness and get on with life.

    Sul.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, provided that this security software is built into the kernel where all security belongs.

    I'm sure it works for you but it's unreasonable to think it would work for the average user who needs handholding. And people shouldn't have to know the ins and outs of a computer to use one, it should ALWAYS be on the operating system to provide security and NEVER the user.

    To clarify, I would not use an antivirus or suite. They aren't helpful to me as a user. They do their best to make decisions for the user and sometimes they're wrong. But the fact that they do that is what makes them far more successful than any HIPS etc.
     
    Last edited: Aug 10, 2011
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    I voted "other"...it means
    Firewall + HIPS + AV (not necessarily in real-time) + light virtualisation
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'd like to add the following.

    Not so long ago, Kees1958 started a thread about avast! antivirus, and how to tweak it to scan only when some file arrived on the system, if my memory is still of any good.

    That's just an example.

    I'm not justifying the fact that some antimalware applications are heavy, but not all of them are that heavy. And, unless you got a weak machine, are a heavy gamer and need all the resources you can get, I simply don't understand why people would complain over a few resources.

    If I had a strong machine, I'd be using an antimalware application to provide a real-time blacklist. I'd tweak it, but it would still provide a real-time blacklist. The reason being that I simply have reasons not to fully trust the whitelisting approach, because, at some point, due to some bug/some weird event, it may not be whitelisting at all, rather allowing everything. It has happened with AppLocker, at least twice.

    So, assuming that I got a strong machine, and that there are considerably light antimalware applications, and that can be tweaked to use less resources, why would I rather use something on-demand, that I would probably forget all about? :D

    It's just my opinion... Heck, having to manually check for updates, etc... Too much for me... I'd prefer something that would do it in real-time, that's all.

    Just a preference. I guess that's what this is all about, no? ;)
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's less that they're heavy and more that they're inefficient. For the resources that they use you would expect better performance/ protection.

    But yes, it's all personal choice.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But, I experienced that whitelisting (AppLocker) is not 100% efficient, either. Regardless of public and known ways to bypass it, it has stopped protecting at least twice.

    I'm not saying that people should drop whitelisting. They shouldn't. It should be the primary line. But, not the only one. And, why not couple it with a real-time blacklist, rather than an on-demand blacklist, that may only detect something after the infection already took place? The real-time blacklist at least has the chance to prevent. The on-demand blacklist is all about remediation.

    Some antimalware apps are pretty decent. So, why not put them to use, in real-time? :) I see it this way: If a real-time antimalware application is inefficient, an on-demand scanner will increase its inefficiency, won't it? So, why use something that not only is inefficient, but also will only detect after the event has taken place already?
     