Sophos releases free AV client for Linux

Discussion in 'all things UNIX' started by scoopnog, Apr 11, 2015.

  1. x942

    x942 Guest

    An AV is useless. Signatures can easily be bypassed, heuristics can be bypassed as well (not to mention they cause false positives if set too high), and AVs add attack surface to your machine. Here are some examples of an AV being used as an attack vector:

    Sophos Multiple Exploits 2012
    McAfee Local/Remote Root Code Execution 2010 (Linux Based AV)
    Attacking The Anti-Virus [PDF: -http://sebug.net/paper/Meeting-Documents/syscanhk/AttackingAV_BHEU08_WP.pdf-]
    I can keep listing more examples. A simple search will show that most, if not all, popular AVs have been used or can be used as an attack vector. Why would you want to run something that increases your attack surface? Exploit mitigation, MAC/RBAC, and isolation are the way to go. Be proactive and defend yourself, not reactive.

    To each their own, but AVs are useless, add overhead, and often cause more issues than they are worth.
     
  2. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    You are a perfect example of the type of people who only live in their own narrow minds. What you said is pure BS. If the truth is like what you said, why do so many AV companies exist and generate billions in revenue? Do you think all IT professionals from Fortune 500 and all major companies are so stupid that they deploy the various AV products to their servers and workstations just so that they can add some convenience to the hackers?

    Your argument is the stupidest comment I've seen. The examples of AVs being used as attack vectors are true. However, do you have statistics on how many exploits by known or unknown malware are blocked by AV software? If you don't, then just STFU. Your argument does not have any logic, which makes me so upset. You are saying that just because you have choked a few times in your lifetime on some food, all food is bad for your health and useless, so you declare all food useless. This is your stupid logic. Do you see your problems?

    Talking about proactive, yes I am aware of these measures. Just check out my signature. Now get out of your own ~Possibly offensive phrase removed~ and open up your narrow mind. The majority of reputable AVs are now not traditional AVs anymore. Anti-Exploit features are being implemented. Anyway, bottom line is, IT professionals in big enterprises are NOT stupid, and you'll find an AV on every Windows Server/workstation in those companies.
     
    Last edited by a moderator: Apr 18, 2015
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,898
    Location:
    Texas
    Let's tone down the personal comments towards each other. Software and computing can be discussed in a reasonable manner.
     
  4. x942

    x942 Guest

    I have worked inside of many companies (large and small). The ones running Windows may use some form of end-point protection, but NONE of the ones that run Linux use an AV on their clients. They use exploit mitigation and MACs. They do run an AV on their network edge (UTM) but not on the clients. A lot of businesses using Linux use an OSSIM or HIDS-based system to detect intrusions, not AV.

    Really? I was only offering a counter-argument to the posts in this thread, I never once attacked you or anyone else personally - I was only showing (with multiple sources and evidence) that an AV isn't the best solution (and in some cases can be the worst solution). The fact you are getting so angry and not actually showing any evidence to support your theory shows you don't understand both sides of this argument.

    It's called marketing. Just because someone can sell something, doesn't mean it is useful. Apple makes billions off of their products, does that mean they are the best? Nope. Again, I am only trying to offer a counter-argument to the original post. I even said: to each their own. I am not trying to convince anyone to not use an AV, I am only trying to illustrate they are not the "ultimate" thing people perceive them as.

    Here is more information about the state of AVs and how easy it is to bypass them:

    AV's struggle against exploits

    Evading code emulation: Writing ridiculously obvious malware that bypasses
    Bypassing Anti-Virus with Metasploit
    Bypass Antivirus Dynamic Analysis
    -http://packetstorm.foofus.com/papers/virus/BypassAVDynamics.pdf- [PDF]
    I enjoy how you keep saying I am narrow-minded, but you are endlessly defending AVs and not even trying to have a proper discussion about the advantages or disadvantages of my argument. Any kernel exploit would allow for bypassing an AV easily (including their anti-exploit features).

    If you want to run an AV, run an AV. I am only trying to offer a counter-argument to why you may not want or need to. Sure an AV offers a first line of defense (when it works) but it can also add attack surface and overhead. This is why I said run it on a UTM. By running it on a UTM you are getting your first line of defense where it should be, on the edge of the network - before the malware can even touch the computer. If the AV doesn't detect it there, it probably won't detect it on the client (unless you are using two different AVs, but most companies wouldn't do this).

    Again (and for hopefully the last time), I am NOT attacking you personally. I am merely trying to offer another point of view. It's up to the person reading this to do research and come to their own conclusions. You keep taking my opinion as a personal attack and yet offer no counter-argument from your point of view. A discussion needs multiple opinions to offer any real value, why not try that instead of taking it personally?
     
  5. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I'm reliably informed that Bigfoot uses BeOS. Why he doesn't try out Haiku, I don't know.
     
  6. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
  7. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    LOL Yeah, I just couldn't picture Sasquatch running Ubuntu myself. :argh:
     
  8. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Don't picture yourself as the one who is reasonable in this discussion. I said you are narrow-minded, because you only focus on a few examples of how AV got bypassed (one side of the story) but ignored or have no idea about how many times malware is blocked by AVs (the other side of the story). Again, I only believe in statistics. If you don't know this information, then please stop your one-sided story. If I want, I can also google and find numerous links on how AV blocked malware. So what? Should I draw a conclusion that AV will save you from being exploited? No I can't, because this is only one side of the story. This is exactly your problem. Your argument is so lacking in logic yet you refuse to acknowledge it and keep giving specific links on how AV is "useless". So NO, you are NOT having a meaningful discussion. You are so narrow-minded that you refuse to see the other side of the story.

    You talked about kernel exploits to show that an AV is useless when the kernel is exploited. This is a very stupid argument. When the kernel vulnerability is exploited, NOTHING can prevent the hacker from getting control of your system. So what do you want? Based on your logic on AV, just because almost any security measure will not prevent a kernel exploit, then we should NOT take any security measures against malware and exploits?

    If you still can not see your problem, I'll stop arguing with you on this matter. You are the type of person who first draws a conclusion, then tries to find every piece of evidence that supports your conclusion, while ignoring the whole picture. This is so narrow-minded yet you refuse to acknowledge it. Yeah right, all the IT pros in these large corporations are fools, because they are so stupid that they are owned by AV companies' marketing gimmicks, and deployed AVs to their Windows systems to add attack vectors just so the hackers can have an easier life.

    LOL, what a stupid argument. Yeah, AV is useless, nothing good about them, and even harmful because they added attack vectors. All IT pros who deployed AVs in their company's systems should be fired because they are facilitating the hackers. Hi, you won this argument. You are so smart.
     
  9. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Please stop. You seem too angry by this, which is unfortunate. From an outsider's perspective, x942 has done little to warrant such a response. While he's discussing the issue, you're just discussing him. Nothing constructive will come from this.
     
  10. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Stop responding to my post. If you are smart enough, you'll see my point. Otherwise please go away.
     
  11. x942

    x942 Guest

    I explained how to mitigate exploits. It is very easy on Linux, harden your kernel with GRSecurity/PaX. Did you forget you are in a Linux sub-forum? I am speaking about Linux here, not Windows (where you can't harden the kernel - unless you count EMET).

    With a kernel that is compiled with GRSecurity/PaX it is extremely difficult to successfully use an exploit, that is the entire point of kernel hardening. IF you have a kernel exploit and target a computer with an unpatched kernel, it will just work and it is game over; with GRSecurity/PaX in place you have to bypass the mitigation related to your exploit before it will even work - increasing the barrier of entry by orders of magnitude. This drastically improves the security of your system, more so than an AV would.

    Ask yourself this: How does malware get on a system? Through downloading? Through exploits? Through running unknown files/programs?

    You can eliminate the first one on Linux because of the repos (Debian also does reproducible builds so we would know if the binary doesn't match the source). Exploits are mitigated through GRSecurity/PaX, and lastly you probably aren't running unknown programs off a flash drive, but opening that PDF could be bad, right? Well, GRSecurity will prevent the exploit yet again.

    This isn't even including RBAC, which greatly increases security around root. Even if an attacker has root access, it doesn't mean they have compromised the entire system.

    All an AV does is operate on a blacklist of what is allowed to run and attempts to fill in the hole of unknown malware by attempting to use code emulation and monitor what the program is trying to do. I showed above how easy this is to bypass. If you want to run an AV, go right ahead, like I said above: "...An AV offers a first line of defense (when it works)..." This is true, if the AV works and is able to detect the threat and stop it before it runs, then that is great! But it is far too easy to dodge an AV, it doesn't even take someone who knows a lot about security.

    I don't know about you, but I want tried and true security, not some voodoo magic that some slick salesman is trying to sell that may or may not work. As I mentioned above, I have seen far more companies use GRSecurity (or other kernel hardening) for security than AVs. If they run an AV it is on their UTM and monitoring incoming traffic, most of them also block non-essential downloads (PDF, EXE, etc.) based on MIME type. (Whitelist > Blacklist).

    Have you worked in these big companies? A lot of the time IT has their hands tied because management doesn't want to fork out money for support (compiling kernels would take more time than updating an AV). Again I would like to mention you are in a LINUX sub-forum, of course businesses use AVs on Windows, you don't have the same level of control as you do with *Nix. For example on Windows the best I can do as far as kernel hardening/exploit mitigation is EMET and it doesn't come near the level of protection GRSecurity/PaX offers. The last thing I will add is this: I said above that the companies I have been to that are running Windows use AVs. The ones running Linux do NOT. I wonder why?

    EDIT: Because you wanted statistics, I found some relatively unbiased ones:

    Krebs
    Computer World

    To quote Krebs:

     
    Last edited by a moderator: Apr 19, 2015
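The "block downloads by MIME type, whitelist > blacklist" point from the post above, worked through in code. This is an added example and not code from the thread or from any product named in it; the magic-byte table, the allowed and blocked sets, and the sample files are my own constructed choices.

```python
# Added example (not from the thread): download filtering by detected content
# type with an allowlist, compared with an extension/declared-type blacklist.
from typing import Tuple

# Well-known leading bytes ("magic") for a few file types. A sender can lie
# about a filename or a Content-Type header; the leading bytes are what the
# file actually is. The table is a small illustrative selection.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-dosexec"),          # Windows PE: .exe/.dll
    (b"\x7fELF", "application/x-executable"),  # Linux ELF binary
    (b"PK\x03\x04", "application/zip"),        # zip, also OOXML/JAR containers
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Allowlist policy: anything not named here is denied, including unknown types.
ALLOWED_TYPES = {"image/png", "image/jpeg", "text/plain"}

# Blacklist policy (the weaker approach): only what is named here is denied.
BLOCKED_EXTENSIONS = (".exe", ".dll", ".pdf")
BLOCKED_TYPES = {"application/x-dosexec", "application/pdf"}


def sniff_type(data: bytes) -> str:
    """Return a MIME type from the file's leading bytes, not from its name."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    # Crude plain-text test over the first 512 bytes: printable ASCII plus
    # tab, newline and carriage return.
    head = data[:512]
    if head and all(b in b"\t\n\r" or 32 <= b < 127 for b in head):
        return "text/plain"
    return "application/octet-stream"


def blacklist_allows(filename: str, declared_type: str) -> bool:
    """Extension/declared-type blacklist: trusts what the sender claims."""
    if filename.lower().endswith(BLOCKED_EXTENSIONS):
        return False
    return declared_type not in BLOCKED_TYPES


def allowlist_allows(data: bytes) -> Tuple[bool, str]:
    """Content allowlist: decides on the detected type; unknown means deny."""
    detected = sniff_type(data)
    return detected in ALLOWED_TYPES, detected


# Constructed samples: a PE stub renamed to look like a text file, a PNG
# header, a PDF header and a plain-text note.
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
PNG_HEADER = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
PDF_HEADER = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
TEXT_NOTE = b"quarterly report, see attached\n"

if __name__ == "__main__":
    # The renamed executable slips past the blacklist but not the allowlist.
    print("blacklist:", blacklist_allows("report.txt", "text/plain"))  # True
    print("allowlist:", allowlist_allows(RENAMED_EXE))  # (False, 'application/x-dosexec')
```

The blacklist passes the renamed executable because both the extension and the declared type are under the sender's control; the allowlist denies it because the decision is made on the bytes and unknown types default to deny.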
  12. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Read post 25 and see what I said. "What you said makes sense if you are only using Linux. I use both Linux and Windows, so an AV is not useless to begin with. "

    And then in post 26 you keep saying an AV is useless even though I said clearly I use both Win and Linux so an AV is not useless to begin with.

    Now you keep emphasizing this is a UNIX subforum. Didn't you read my post 25 and realize what I was talking about? You seem to forget it.

    Anyway, you admitted that an AV is not useless by saying that it's the first line defending against malware on Win OS. That's the whole point of my posts - that is, an AV is not useless on Win, or if one is running a dual boot Win/Linux.

     
    Last edited: Apr 19, 2015
  13. x942

    x942 Guest

    I am arguing against AVs in general. They are easily bypassed, I have shown countless examples of this and how low their detection rates actually are against new threats (and existing ones that are modified).

    I said: "...An AV offers a first line of defense (when it works)... This is true, if the AV works and is able to detect the threat and stop it before it runs, then that is great! But it is far too easy to dodge an AV, it doesn't even take someone who knows a lot about security."

    You cleverly left out the part about just how much AVs don't detect:

    One more quote from an AV company representative:

    Source
     
    Last edited by a moderator: Apr 19, 2015
  14. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    LOL. You are funny. You said an AV is useless. Even using your own example, again, a very specific category of malware (email attachments but not other categories), there is still 1/5 detection. So in your eyes, an AV is still useless? Please define what is useful for you. 100%? That's hilarious. I admire your ability to not acknowledge your failure to recognize even the numbers that are in there.

    And your example of Flame is again a failure. Following your logic, what about Heartbleed and Shellshock? Did kernel hardening prevent these sorts of vulnerabilities? These vulnerabilities existed on all Unix systems including Macs for so many years. And I can tell you more will pop up in the future. So does that mean Linux/Unix is a failure? In your logic it should be yes. But normal people would say no. I again admire your ability to use a few specific examples to improperly generalize the whole situation, and then think you got the whole picture.

    OK now I have to stop here. I have limited time to waste on the Internet. The fact is clear. You can continue to say an AV is useless, and keep slapping your own face.

     
  15. x942

    x942 Guest

    No. You are the one that wanted statistics (quote: "Again, I only believe in statistics"), there is a reason I didn't post them before that point. Statistics are useless and can be manipulated to prove any point. THAT was my point. I can easily take a statistic and say "Look, only 1/5 are detected!" Just like you can say "Hey! We detected 1/5! That's pretty good!".

    I don't think you read the source I posted. Read the entire article please. If you don't like that quote, there is this one:

    Emphasis is mine.
     
  16. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @oliverjia

    Your logic re Shellshock is incorrect, because of the type of vulnerability it is. It's not a buffer overrun, null pointer dereference, or other memory error; it's a design flaw. The failure is in the program logic, and that failure in turn owes its existence to an ill-thought-out feature in the original design of the shell.

    Antivirus, exploit mitigation, etc. are all helpless against such vulnerabilities. Access control can sometimes contain them, but correct code is the only real defense.

    (And heartbleed is another category altogether. Again, AV and exploit mitigation won't protect against such things. There is no substitute for correct code.)

    As far as antivirus engines, they're a very specific defense against malicious executables. They're useful for some things, but they also interact directly with hostile code, deliberately - so by definition they sacrifice general security vs. exploits for specific security against malware. That is not always a wise choice. On Linux, I do not consider it a good choice, due to the (lack of) prevalence of Linux malware.

    That is of course putting aside the kludginess of AV as a general solution.

    Finally, for detecting the presence of an intruder on Linux, there are a number of methods. You might want to look into things like BSD process accounting for instance.
     
    Last edited: Apr 19, 2015
  17. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Well in regards to the topic at hand, then I'd have to agree with others that there's currently little use for a real-time scanner in Linux. I can understand why you find it a stretch that an AV is redundant when more effective security strategies are employed, but perhaps it'd be worthwhile for you to consider other viewpoints.

    I haven't used an AV in Windows either for many years, and can't remember the last time it ever actually was necessary for me in preventing an infection. If there was ever a case where an AV was the deciding factor whether one of my machines was infected, then I'd consider that a failure of my security setup.

    One has to consider the mechanisms or vectors for infection as the first step. In considering security as a system, why would you rely on a solution that can only be relied on to work a fraction of the time? When lightweight solutions with high success rates can be found for each of the likely vectors for infection, then it's hard to consider a scenario when I'd actually need an AV and the associated CPU usage and disk IO. Exactly what threat category are you vulnerable to, that you need Kaspersky Internet Security?
     
  18. x942

    x942 Guest

    For the sake of fairness (and because oliverjia won't post any supporting evidence for his side of the argument) here are some sources that are in favor of AVs:
    [Warning: some of these are not scientific studies and may contain bias]

    AV Comparatives Test
    The Benefits of AV
    LifeHacker

    It's up to the reader to decide if they want an AV or not. I was trying to have a debate but when the opposing argument won't provide evidence for their opinion it doesn't allow the debate to help anyone.

    I tried looking for unbiased whitepapers and scientific research/studies that are in favor of AVs, but I can't find any. If anyone can, please post them here for the sake of this debate; we can't have a debate without both sides of the argument showing evidence.
     
  19. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @x942 I wouldn't call AVs entirely useless... Yet. I've found the on-demand scanners helpful for revealing trojaned Windows applications, or identifying an extant infection on a Windows system. Vulnerable in one context IMO doesn't mean useless in others.

    I would not hesitate to call AV as realtime defense an evolutionary dead end, though. Which is probably part of why payware AV suites include things like filtering proxies.

    Edit: re studies, Microsoft IIRC did one that seemed to justify using a third-party AV. I think that's more a comment on the state of the Windows ecosystem than on AV engines, though.
     
  20. x942

    x942 Guest

    On-demand is still useful, although it was out of the scope of my argument - but that was my fault for not specifying. I have nothing against an on-demand scanner because they add nearly no overhead, they aren't always running (limiting the attack surface), and they detect malware they have signatures for. It's basically all of the good parts of an AV without the bad (overhead/attack surface). You are correct that vulnerable in one context doesn't mean in others, that is a totally valid argument. But IMO an on-demand AV is a different beast than a real-time AV; with real-time AVs the risk and overhead outweigh the benefit (there is a reason the industry as a whole is transitioning away from AV).

    Agreed. Although I would argue those features are better suited on a UTM than on the client itself.
     