Why use an AV?

Discussion in 'other anti-malware software' started by DX2, May 7, 2013.

Thread Status:
Not open for further replies.
  1. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    I use Privatefirewall and Sandboxie too (along with a few others) and I know deep down they're likely to do a better job of keeping me safe compared to my AV. My AV is my last line of defence if I'm careless and let everything slip through.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    How many systems have you fixed that had a virus when the AV was up to date? Why am I removing a virus from a machine with an up to date AV engine?

    Because, IMO, they are always playing catchup to the viruses. Heuristic scans are an attempt to find unknown viruses, but bring FPs with them. It's a no-win situation for them, because too many FPs and they will be thought of as inferior.

    Now let's not be too harsh on the anti-virus application ;) It does what it's designed to do, it just has to play catchup to do it. Many here don't run them because in order for them to work optimally, they need to scan pretty much everything you do, which can cause some system sluggishness.

    It's the best option that exists really (for many). I wish that every AV company had a simple scan-only engine that you did not have to install. That would be ideal.

    We all have different opinions, none of them being the absolute of course. But look at this thread. Security minded people, or just people who really like learning about computers in general, can "sort of" agree that going without an AV is possible. 5 years ago this question would have had a much different set of responses IMO.

    Sul.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    AVs for me on Windows 98 and then XP were a necessary deployment even if they couldn't catch everything.

    HIPS came along and offered a new way of avoiding potential intrusions, with user-controlled rules setting limits on just which files could enter whatever directory or what could write to your Windows registry. Of the few flash-in-the-pan HIPS that actually made a positive difference, the China-based EQSysecure proved for me that it was extremely powerful while also being extremely light on the system. It's a real shame this one and others like it have virtually disappeared from the scene, but who knows: with x64 increasingly in use and AVs still running their rat race with virii, they may have a new window of opportunity to return again in force.
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Why use one? Plain and simple, they actually do work. I have yet to have a computer hosed due to any AV I used from not working.
     
  5. Reasons (although I am not using a real-time AV)
    1. Because it is the most simple protection for most people
    2. Most AVs provide more than just AV protection; some have Sandboxes, Safe Browsing, Behavioral Blockers, HIPS and Firewalls
    3. How great is the actual risk of zero-day infection in real life, even when the AV does catch up? AVs still reduce a very small chance by 95% (see https://www.wilderssecurity.com/showthread.php?t=345717), considering UAC and low-rights sandboxes
     
    Last edited by a moderator: May 8, 2013
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,785
    Don't use one myself, haven't since '08, that is in real time; of course I'll test one now and again. Between DefenseWall and Shadow Defender I do not need one. I do scan once in a blue moon with four different scanners, none of which ever find anything anyway.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well I'd say I trust the scanners I ran, but I put them on scanned and then took them off. If I leave them on they really have an impact on my system.

    Let me give you an example. The last nasty Java attack. Only about half the AVs caught it. That's because the others failed to identify it. AppGuard couldn't care less about identifying what is running. It just knows Java is guarded, so every child process is guarded, and they simply aren't allowed to write anything to the system area. Also I run NVT's ERP. I whitelist the whole program area, but I can list vulnerable apps such as Java. That means it always alerts. This has happened: I go to a website that I don't think needs Java, but somewhere, maybe an ad, Java is there, and it tries to run. ERP alerts me, and if it isn't a website I know needs Java, I simply block it from running. But even if I mis-click, AppGuard is behind it, protecting.

    Merisi, I'll tell you something else that may rattle you. I have 4 machines, so keeping up with updates can be a challenge. About 2 1/2 years ago Microsoft issued a stern warning about an update, saying you were unprotected if you didn't do it. I thought hmm, I wasn't safe yesterday, but now I will be? Nuts. With the exception of one kernel patch, I haven't done any Windows Updates since then. No problems at all.

    Pete

    PS This may not be for everyone, but it works well for me.
     
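The two mechanisms Pete describes above (an anti-executable allowlist that always alerts on listed "vulnerable apps", plus a guard that is inherited by every child of a guarded process and denies writes to the system area) can be modelled as a small policy evaluator. The following is an added example, not code from the thread or from NVT ERP or AppGuard; every path, process name, rule set and the "browser launches Java, Java launches cmd.exe" scenario are assumptions made up for illustration.

```python
# Added example (not from the thread): a toy model of two complementary policies,
# an ERP-like launch allowlist and an AppGuard-like inherited write guard.
# Paths, process names and the rule sets below are assumptions for illustration.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterator, Optional

PROGRAM_AREA = ("C:/Windows", "C:/Program Files", "C:/Program Files (x86)")
SYSTEM_AREA = ("C:/Windows", "C:/Program Files", "C:/Program Files (x86)")
VULNERABLE = {"java.exe", "javaw.exe"}      # whitelisted location, but always alert
GUARDED_ROOTS = {"java.exe", "javaw.exe"}   # guard applies to these and all descendants


def under(path: str, roots) -> bool:
    """True if `path` lies beneath any root, compared component-wise, case-insensitively."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for root in roots:
        rp = [p.lower() for p in PureWindowsPath(root).parts]
        if parts[: len(rp)] == rp:
            return True
    return False


@dataclass
class Process:
    pid: int
    image: str                          # full path of the executable
    parent: Optional["Process"] = None

    @property
    def name(self) -> str:
        return PureWindowsPath(self.image).name.lower()

    def lineage(self) -> Iterator["Process"]:
        """Yield this process and then each ancestor up to the root."""
        p: Optional[Process] = self
        while p is not None:
            yield p
            p = p.parent


def launch_decision(proc: Process) -> str:
    """ERP-like allowlist: listed vulnerable apps always alert, the program
    area runs silently, anything else (e.g. a dropper in %TEMP%) is blocked."""
    if proc.name in VULNERABLE:
        return "alert"
    if under(proc.image, PROGRAM_AREA):
        return "allow"
    return "block"


def is_guarded(proc: Process) -> bool:
    """AppGuard-like inheritance: guarded if any ancestor is a guarded root."""
    return any(p.name in GUARDED_ROOTS for p in proc.lineage())


def write_decision(proc: Process, target: str) -> str:
    """Guarded lineage may not write to the system area; everything else passes."""
    if is_guarded(proc) and under(target, SYSTEM_AREA):
        return "deny"
    return "allow"


def scenario() -> dict:
    """Constructed process tree: a browser loads a Java applet, the user mis-clicks
    the ERP alert, and the exploited JVM tries to drop a file and spawn cmd.exe."""
    explorer = Process(1, r"C:\Windows\explorer.exe")
    browser = Process(2, r"C:\Program Files\Mozilla Firefox\firefox.exe", explorer)
    java = Process(3, r"C:\Program Files (x86)\Java\bin\javaw.exe", browser)
    dropper = Process(4, r"C:\Users\pete\AppData\Local\Temp\dropper.exe", java)
    cmd = Process(5, r"C:\Windows\System32\cmd.exe", java)
    return {
        "launch firefox": launch_decision(browser),    # allow: program area
        "launch javaw": launch_decision(java),         # alert: listed vulnerable app
        "launch dropper": launch_decision(dropper),    # block: outside program area
        "launch cmd": launch_decision(cmd),            # allow: cmd.exe is whitelisted...
        "cmd writes System32": write_decision(cmd, r"C:\Windows\System32\evil.dll"),  # ...but deny
        "cmd writes Temp": write_decision(cmd, r"C:\Users\pete\AppData\Local\Temp\x.tmp"),  # allow
        "explorer writes System32": write_decision(explorer, r"C:\Windows\System32\x.dll"),  # allow
    }


if __name__ == "__main__":
    for action, verdict in scenario().items():
        print(f"{action:28s} -> {verdict}")
```

The point the scenario makes is the one in the post: the allowlist alone lets `cmd.exe` run because it lives in the whitelisted program area, but because its parent is the guarded JVM the guard is inherited and the write into System32 is denied, while writes to the user's temp directory are still allowed, so this setup limits damage rather than preventing execution outright. Neither policy consults a signature or a reputation score.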
  8. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    1. Most AVs seem to have a 90+% effective rate according to independent tests.
    2. This is increased by keeping Windows and programs up-to-date.
    3. The extra protection is not worth the hassle the average user faces from a HIPS/Sandbox/anti-exe, etc.
     
  9. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    737
    Location:
    The Valley Arizona
    I hear a number of XP users say they plan to do just that after support ends next year. :D
     
  10. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    While this proves your point as to why you think that your approach works better for you than to use an antivirus program.....it also illustrates why most people DO USE antivirus programs: Because most people simply aren't informed enough to know "which processes are guarded" and not allowed to have anything written to or from them, etc. Most people don't want to have to worry themselves with "whitelists" and "vulnerable areas" and don't know the difference between the two! They don't want "alerts" saying "What do you want to do?"......they simply want protection, and knowing that AVs catch a vast majority of things independent of user response (with a 95% to 96% detection, prevention and removal rate among AVs generally being considered "poor")...most people will trust the professionals in the industry who work at preventing computers from becoming infected to make those decisions for them (as to what is good or bad, and what should or shouldn't run, write, or read from their drive) :thumb:


    Glad it works for you, Pete, but for most people who want to use their computers but not learn all the do's and don'ts and inner workings of security software....an AV is a good start. After all, I enjoy driving my car....but that doesn't mean I want to learn how to rebuild a transmission or an engine. ;)
     
  11. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    244
    People! You forget some little things - how many more unemployed people there will be if nobody buys anti-virus programs any more. But they (AVs) are not really needed. Or rather - they do not protect anyone. Think about it, how it could be possible, and how, or why not.
    And what I'm talking about is not simply a silly joke. In the present world the main objective is to sell everything, but they tell you that it is necessary for You (!). Everything is made for sale. (Not everything that is sold still needs to be bought.)
     
  12. guest

    guest Guest

    Every time this type of question comes up the responses are always the same. Why-oh-why do people keep asking this?

    Call me a conservative, but even if I was using advanced tools, I'm still gonna use a real-time AV. Not to mention that brain.exe is flawed in most cases. Unless all AVs jump onto the bandwagon of the bloatware festival, I don't see anything wrong with using a real-time AV. It's the easiest way to tell if an infection is occurring for now. :D
     
    Last edited by a moderator: May 7, 2013
  13. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Haven't run any sort of AV for Years.

    I'm still waiting for that sky to fall :argh:
     
  14. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    I don't use AV. If anything does get on my system I'd rather restore from backup as opposed to fussing over cleaning and system repair.
     
  15. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    I must admit I do like your set up and as you'll know from other threads I've investigated some of the programs you've mentioned. When you use NVT ERP, do you have it in locked down mode? Also, are you using EMET as another safety net?

    I couldn't argue against the fact that AVs aren't particularly good against zero day attacks but zero day attacks aren't the only ones that are out there. An exploit that's years old can do as much damage to my system as one that no one knows about and the AV will likely do a good job of protecting me from an old and well known exploit.

    Another thing is that I use Steam, and I can't protect it with AppGuard. I'm not sure how ERP would protect me, but I do have it protected with EMET. I'm very much reliant upon Steam making sure that their product is safe without having much to safeguard against it.


    As for the Windows updates, lol, I've got enough to get my head around considering not using an AV, I can't even think about not installing updates.
     
  16. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    That's why I use antivirus software. I personally hate receiving lots of prompts from security software.

    But, having said that I can do a very good job of avoiding infection without using any security software at all.
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Agreed... Less attack surface interacting directly with malware. No connections/ports hanging open trying to listen in on these bad guys, trace them, or whatnot with their Web Shields/Guards. Let them go ahead and probe away to their hearts' content and find only stealthed, unresponsive ports at the other end, and no vulnerabilities sticking out like a sore thumb to use to get in (url scanners/java/js/.net fw/remote (insert shady service))... and move on to the next target.

    But to answer technically... I do use "an AV". A few in fact. Only on demand though, not in real time. I scan new downloads with VT Hash Check before unsandboxing them. MBAM if it's over the file size limit (which I forget but I know just went up). And after every patch Tue. I run full scans with Hitman Pro, MBAM, CCE & TDSSkiller. None have ever found a thing except legit files and GPO tweaks I've made myself (MBAM especially).
     
  18. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    Yep, that's my approach too. Haven't had a virus in ah. . . still counting.
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,450
    Location:
    Slovakia
    That includes only well-known viruses, which are abandoned as soon as detected; daily tests show max 60% detection by the best AVs (and less) of zero-day viruses.
    Well put. I love sayings that your PC will burn in hell as soon as it is connected to the internet. I do not bother with on-demand scanning too much, just a 2-3 min scan with HitmanPro once a year or so. The chance of getting infected is so ridiculously small these days that you could say that I do not even believe in viruses anymore. :D
     
    Last edited: May 9, 2013
  20. Two arguments being used in this discussion are, according to my information, biased. I will explain for argument's sake :D so others can shoot at it :D

    1. FUD-bias (Fear, Uncertainty, Doubt)
    For complex risks such as the risks of a nuclear power plant nearby, most humans have difficulty with a risk greater than zero. The AV companies have fed this FUD-bias by overrating the actual infection risk (percentage).

    On average one needs at least a few months of very dodgy internet behaviour and high-risk computing to get infected. While AV companies try to convince us that on average one will be infected with a virus within a day or an hour of low-risk PC activities.

    Feeding the FUD bias by the AV companies also has a downside. When one is knowledgeable enough to set up a different kind of protection and discovers that it is possible to stay safe and sound, one has a fair chance of crossing over to the other bias (see 2).

    2. BDG-bias (Been there, Done that, Got the t-shirt)
    The nagging thought most people have when having an alternative setup is that 'we want to know for sure' they are safe (or at least safer without an AV than with an AV). That is why we see a lot of Wilders members trying out PoCs and 0-days on their own setup. Compared to the real world, I see none of my neighbours throwing rocks at their front windows just to check whether they are solid enough.

    Then we compare it with an AV and convince ourselves that in half of these tests (often PoCs) the AV does not stand a chance and is bypassed, hence the accepted idea/common knowledge at this forum is that AVs only protect against 50 to 60% of the threats at best.

    The point I am trying to make
    This BDG-conclusion is as biased as the FUD threat risk is biased. I have a friend who is a security professional working at reverse engineering malware. He tells me that according to general belief amongst experts, actual 0-days and exploits are less than 2 to 3 percent of the malware in the wild. He also states that the problem is larger because up to 20 or 25 percent of PC users run with old (or illegal copies of) setups and therefore suffer from old 0-days/exploits, some of them even going back to being vulnerable to IE6 exploits.

    When you have a reasonably modern PC with up-to-date software, the actual infection chance is very low. Considering the fact that only a few percentage points of these threats consist of 0-days (assuming AVs protect against all old virii), an AV is in practice a pretty effective security.

    Also I am very optimistic about future trends, as auto-sandboxing and reputation scoring will increase detection rates of 0-days, see https://www.wilderssecurity.com/showthread.php?p=2218399#post2218399
     
    Last edited by a moderator: May 9, 2013
  21. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    The one truism is that what works for any individual does not necessarily work for the next.

    There is still no mythical silver bullet that will protect a PEBKAC from themselves, only attack surface mitigation and subsequent recovery.

    There never will be with mainstream OS architectures, as the human is often the weakest link in the chain. As long as there are PEBKACs there will be holes to be exploited by the bad guys irrespective of what is in place on their computers.
     
  22. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    I use an AV that doesn't slow down my computer noticeably. No problems at all. :thumb:
     
  23. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    There was a time when I didn't know a thing about security and every few months had to get my computer de-bugged by a tech. Got tired of that and started looking around on the internet for solutions and found places like Gizmo's http://www.techsupportalert.com/pc/security-tools.html and MajorGeeks http://www.majorgeeks.com/. I haven't seen a tech since finding the good people here at Wilders who've given me an education in security.

    A big step in that education was when I tried going without an AV, at first only for a few hours before getting too nervous and re-installing. Sort of amusing looking back at it. If Webroot SecureAnywhere wasn't so light, I'd go back to running Mamutu with my mainstay Sandboxie. Might happen anyway, since I've read that the new version of Sandboxie isn't compatible with WSA.

    But I'll probably always use an AV for weekly scans. Do that now with MBAM and HMP even though I'm running WSA. But nothing is ever found, nothing has gotten by Sandboxie in the couple of years I've used it.

    Reminds me of something I read once and sort of follow: the way to eat healthy is not to buy any food that is advertised. Which means not getting foods that are processed or manufactured. Not sure the non-advertising rule of thumb works for security products though.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Out of curiosity, with today's silent threats that can run in limited user accounts and steal data just as happily as if they had administrative access, how do you know when something has gotten onto your system? I know my opinion is biased as I work for an AV vendor, but I've never run without one because I don't have the time to hand-disassemble every software change and constantly watch to see the state of my systems.
     