Also of note, there is an AV that works by whitelisting. It is PCMatic. Recently they have expanded into the corporate server market.
Exactly, I'm personally not a fan of AVs because of the bloat and spying, but I'm afraid they are still needed to protect the average user. Especially on Windows, where there is no walled garden, but even on Google Play and the Mac App Store there is malware available.
AV has never been my first layer; Sandboxie and Shadow Defender should take care of 0-day threats. If I'm hit, I will never know unless I see strange system behaviour, in which case I would restore an image. AVs are still useful to "quickly" check downloads, and to name malware when identified. Very effective for average users, which means the majority.
The entire article to me is centered around "AVs still a thing?" I don't see how AVs can be obsolete unless there are still some products using the same old traditional cat-and-mouse type, simple signature-engine-only product. Most AVs today are using a fine blend of technologies and advancements in other features too; that's why AVs are still a thing. HIPS is great and all, but it can still be bypassed. There is no one-stop shop to stop bad guys. If the industry migrates, so will they. Leaving everything up to the user or a sandbox is dangerous if the man behind the gun isn't smart enough, and what happens when legit programs that are whitelisted get infected? Malware is just more complicated than what is usually thought. Most malware today that is causing chaos has an infection chain in the way it spreads. Even their binaries have stages. Take Ursnif, for example: packed binary >> unpack via self-injection or creating a new process >> intermediate loader (x32/x64) >> injection module (client.dll or rpvcrt4.dll) >> injected payload into iexplorer.exe.
To supplement the well-stated posting #30 above, I will add this. Despite all the recent disparaging of signature detection as obsolete and the like, it still remains the only 100% positive way to identify malware. Anything else is a best-guess approximation. Granted, next-gen machine learning methods show promise in malware detection, but they are still quite a way from being 100% reliable, if ever they reach that threshold. So for the foreseeable future, malware signature detection coupled with supplementary behavior detection methods is the best approach for the majority of PC users.
Exactly, and with all respect for some security enthusiasts, I simply don't see default deny as the solution for home users; it is something for a corporate environment that should have a very limited set of applications running. I will use myself as an example: why should I bother with default deny? I am the only user of my machine, and if I want to execute an application, I will do it. The only scenario in which I see value in default deny on my machine is if it is hit by an advanced exploit (not going to happen anyway). Ironically, default deny and "advanced tools" have much more value for average users, and most of the time they can't use them properly, so antivirus is here to stay, and while not perfect, it is optimal for many usage scenarios. Some "advanced" security combos that we see often on security forums are more about "geekiness" than security/efficacy, while an antivirus solution usually can offer more for the user (a 100% positive way to identify malware).
It's not that difficult to both set up and maintain a default-deny policy on a typical home machine. The time spent doing so is well worth the benefits of the security it provides. Personally, I don't buy the notion that it's only beneficial for corporate environments. Just my opinion, based on the experience I've had using the default-deny approach, especially when I was using AppLocker on Windows 7 Ultimate.
@Nightwalker I agree. I see the situation similarly to you. Advanced tools are usually for users that don't need them; those that need them don't know how to use them. If they knew how to use them, they probably wouldn't need them.
Actually, default-deny can hardly be deemed "advanced". It's really nothing more than a guest list; if you're not on it, you're not allowed in. The mistake some people probably make is in utilizing hash signatures for files. This works great at keeping out those that don't match, but it makes for far more maintenance when software is routinely being changed or upgraded. The Path or Publisher (if the latter is available) approach is easiest.
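As an added example (not code from any poster in this thread) of the "guest list" approach described in the two AppLocker posts above: the following PowerShell builds a default-deny AppLocker policy from Publisher rules where files are signed and Path rules where they are not, instead of per-file Hash rules, so routine upgrades do not break the list. It assumes an elevated PowerShell session on a Windows edition that supports AppLocker, that the Application Identity service (AppIDSvc) is running, and that the policy path C:\Policy\AppLocker.xml and the sample binary path are illustrative placeholders.

```powershell
# Added example, not from the original thread.
# Assumptions: elevated session, Windows edition with AppLocker support,
# AppIDSvc running, and C:\Policy is a directory you own (placeholder path).

$policyPath = 'C:\Policy\AppLocker.xml'   # assumed location for the policy file
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory the roots that are allowed to run. C:\Windows must be included,
#    otherwise the OS itself is off the guest list once enforcement starts.
$roots = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$files = foreach ($r in $roots) {
    Get-AppLockerFileInformation -Directory $r -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Build allow rules for Everyone. -RuleType Publisher,Path means: use a
#    Publisher rule whenever the file carries a valid signature, and fall back
#    to a Path rule when it does not. No Hash rules are generated, so an updated
#    signed binary from the same publisher still matches. -Optimize collapses
#    rules that share the same publisher/product into one.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Path -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# 3. Start in AuditOnly mode: nothing is blocked yet, but every executable that
#    would have been blocked is logged, which is how you find what the guest
#    list is missing before you flip to Enabled.
[xml]$xml = Get-Content -Path $policyPath
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($policyPath)

# 4. Apply the policy to the local machine (merge keeps any rules already present).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. Dry-run a file against the policy before enforcing. Assumed sample path;
#    Test-AppLockerPolicy reports Allowed / Denied / DeniedByDefaultRule per file.
$sample = 'C:\Program Files\ExampleVendor\example.exe'   # placeholder binary
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone
}

# 6. See why a Publisher rule survives an upgrade while a Hash rule does not:
#    the Hash field changes with every rebuild, the Publisher tuple
#    (publisher, product, binary name, version) does not have to.
if (Test-Path $sample) {
    Get-AppLockerFileInformation -Path $sample | Select-Object Path, Publisher, Hash
}

# 7. Review what AuditOnly would have blocked. Event 8003 = would have been
#    blocked (audit), 8004 = blocked (enforced), 8002 = allowed.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message -First 20
```

Once the audit log stops turning up legitimate software, change the EnforcementMode attributes in the XML from AuditOnly to Enabled and re-run Set-AppLockerPolicy; from that point anything outside the listed publishers and paths is denied by default. Because the rules are keyed on publisher and path rather than hash, a vendor update that ships a newly signed binary into the same directory still runs without editing the list.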
I know what you mean; we still see it every day in this forum. In my case, for example, I could easily live without advanced tools, but I like to and know how to use them, and I need them for various reasons.
I agree @Nightwalker, AV/AM are still necessary, IMHO. It's far easier to use for home users compared to advanced programs/setups. A lot of these advanced programs and/or setups (i.e. default deny) are really directed towards geeks and the corporate environment. Sure, you can take the time to teach someone to use a default-deny setup, but for someone like my parents, it's way too complicated for them. Believe me, it's not that they are not willing to learn how to use such a setup, but I already know that it would be way too much for them and I would have to write everything down. I think it's far easier to teach and instill safe computing habits (i.e. don't open email attachments, don't click on random links/ads, etc.) and have an AV/AM running, than to teach them something like default-deny. Having an AV/AM solution and teaching them good habits has kept them malware-free, and their setup is far simpler to use and is able to meet their needs much more easily. I'm not saying that a default-deny setup is bad or anything; it does its job quite well, but we cannot assume that what may be simple for us geeks is simple for everyone.
In my past life as a repair guy, every time I fixed a customer's PC due to an infection, I gave them a copy of my safe-habits checklist and installed a set-and-forget AV. Then I barely got calls from them.
Guys, based on your opinions which default deny would be easier for the common users? Default deny based on prompts or default deny that simply blocks?
I'm a common user and I like prompts whenever a block occurs, because I need to know what's going on in my PC. In the end, the user has to try and decide what suits him.
Easier would be default block, which Norton, WD, and some others do. However, as I manage some common users, I don't like default block because of false positives. I don't think there is a way to win. No software can always determine what is safe and what isn't. Neither can the users.
Remember that the machine learning sauce has been around for a while (AVs have been doing it for longer than it seems, and it is only growing), and you simply can't discount its effectiveness for a security program, whether it's for generating "simple signatures" or studying malware family behaviours. AV in today's world, as I said, is just NOT a simple signature engine. It's a combination of different tech and features; that's why it's relevant and always will be.