Why do some people (try to) avoid using AV software

You have very good security my friend.
Ice

 

True, but the better anti-malware products have minimal impact -- and, as hardware becomes ever more powerful, this consideration will further diminish in importance.

How do you know that your PC is not infected with malware? For example, have you downloaded and opened a PDF recently?

 

Er - a "suit" is something you wear - a "suite" is a collection of related things, in this case anti-malware!
(In UK English it is also common to refer to a set of a sofa and easy chairs, all matching) as a "three piece suite").

 

Looks like it was a false positive, but they've updated the CIA's cloud database now. Somebody just needs to make sure that the entry says 'Osama' and not 'Obama'.

 

Yep, turned out it was FP, they are working fast in resolving FP's , very fast, you just send logs to support and it's done.
Yes, you can kill explorer , but only the first one who kills it gets that reward, after that it's resolved.

btw I heard they are working on new XtraCloudandRainbow technology, so 'Osama' and 'Obama' wouldn't clash in the future.
There is new beta out, you should check it out.

 

No AV means no FP

 

Another source of information is the chart showing "Threats missed by other security vendors" on the Prevx homepage at https://www.prevx.com/ . This raises the hackles of many, but it paints a different picture from what you describe.

ESET's infection score today is 5024 (18 rootkits) compared to our Russian friends' 2004 (6 rootkits). Of course, you would have to weight these numbers with the (publically unknown?) number of users to decide if A is better than B (which is off limits for discussion here anyway).

The really important message from Prevx's numbers is that thousands (possibly tens of thousands) of infections get past AVs every day - and they can only log the infections on the tiny fraction of internet users who install their software.

As a rough guess, one might say that there could be 10 million Prevx users recording about 20 thousand infections per day. That would make it one infection per 500 days for users with an AV - of course, only a small fraction of those are the really nasty TDSS rootkits etc. But that may be a rough estimate of the infection risk for an average user with an AV.

It's a moot point whether or not above-average Wilders users without an AV will do much better than that.

 

There are also people out there who believe a Firewall or HIPS or Sandbox or whatever is not necessarily required for their security setup.
So if someone doesn't use an AV - what's the big deal?

I mean no one says "Hey, you don't use a HIPS? Why is that? What is the reason?"

I personally don't use AVs because they are a little too much insecure for my requirements.

Cheers

 

AVs=blacklisting.

Imperfect.

AVs can cause many problems.
Remember the McAfee issue some time ago ? Critical system files were deleted.

False positives, slow updates, not to mention the 'if it doesn't work right, uninstall the AV and reinstall', common for many vendors.

AVs are a valid approach, but often there are better solutions.
Sandboxing, checking new files/programs in a number of ways, rollback systems like Returnil etc.

 

Maybe the NOD + Prevx users tend to encounter more "digital dangers" than the Kaspersky + Prevx crowd, I honestly couldn't tell you.
Your post fails to address the fact that the KL Forums are littered with TDSS issues while the ESET Forums are pristine in comparison.
This is discussion is starting to veer a little off-topic here though so I won't be continuing it.

 

Because I feel cool when I'm not using a realtime AV.

 

Lately people have been trusting too much in the "Prevention" layer, we know it's the best but nothing is bullet proof, and AV's are still a good way of protecting yourself!
I'll always have an AV in my setup

 

Following up on tdl/tdss (tdl3) mentioned in this thread have a look over yonder at erikloman's fine blog.

 

I think going without and AV may be valid for those who have put in the time and research to gain the knowledge and the experience. If someone who was inexperienced with computers were to follow the "no AV" advice without spending the learning time, they would likely rack up the infections. If that weren't the case a lot of service shops would be out of business.

Like many things, I think it's something where you have to start with the basics and the training wheels (AV, HIPS, whatever) and then progress up to the "advanced" tools (virtualization, imaging) before you can cast off the basics. Many users, however, don't want to learn or advance in the realm of security because they want to spend time using the computer, not maintaining/securing it. For them, and AV-type product or suite is better than nothing. I think it's dangerous to utter the blanket statement "AVs are old/worthless/ineffectual" because someone might pick up on it and think "oh, I guess I don't really need anything, it's all just hype".

So I'm starting to think that the question perhaps should not be "why avoid using AV software?" but maybe "when can you stop using AV software?". All the answers given so far seem to be "I avoid it by using <whatever>" or "knowing how to surf"; both of which imply having gained sufficient knowledge to know what one is doing.

 

My opinion is that if you depend on manual scanning of downloaded files, it is inevitable that a person will forget to do so. To err is human.

Also the thinking "my system got hosed I'll just restore it" doesn't work for me. My biggest concern is malware that grabs information and runs off with it.

To get away with not using an AV, first you have to be part of the small minority of computer users that is concerned with security. And from this minority, you have to be of the minority that are skilled/disciplined/comfortable enough to not need an AV. I don't think my IT department will ever ditch AVs and rely solely on telling everyone to only download files from safe sites or open attachments from people they know.

 

I scanned through and noticed that nobody listed conflicts as a reason not to use AV software.

Just finished migrating a home based business from Eset to MSE. It turns out that MSE is buggy when it deals with old MS-DOS based applications that access a network drive mapped by it net-bios name. Basically causing all kinds of errors. I found a work around, but this is why many times it is just easier to not have any intrusive AV software and just configure things safely.

 

I'd be surprised if there's much difference in the risks taken on average by users of different AVs. Do reckless users go for one AV whilst careful users go for another? Different types of cars certainly attract different types of drivers, but does that work with AVs (which all seem pretty similar to me)?

Concerning TDSS, Erik Loman of Hitman Pro has produced some pertinent comments at http://hitmanpro.wordpress.com/2010/06/28/large-av-players-jump-on-tdl3-bandwagon/. He describes it as "a rootkit that uses very sophisticated technology and [it] is able to remain undetected by most Antivirus products". (As pointed out by Meriadoc above.)

So, presumably, people only post on their AV forum if/when their AV finally detects the rootkit. An absence of posts could even be down to a low detection rate rather than a low infection rate. Who knows?

Those who are infected may, however, appear as a daily statistic for Prevx or a monthly statistic for HMP (>34% infected). This may sound alarming for those who use an AV. But, of course, the AV probably protects them against various droppers and prevents some infections rather than detecting the rootkit itself.

Those with no AV need to maintain a tight system and strict discipline to foil the dropper if they meet it. Like many others, I use Sandboxie (rather than an AV) as a pretty solid line of defence. But, coward as I am, I like to have KIS and Prevx protecting my system in addiition.

I also run HMP and MBAM every now and then as a check. It's a security policy that Gorbachev referred to in a rather different context as "Dovio no provio" (Trust but verify).

 

How many computers have been infected while having up to date AV? How many simply due to not being updated at all?

If your AV relies on a signature to detect, and you don't have the signature needed, what good has it done?

If your AV throws a FP or worse fails to detect, has it done its job?

What if you rely on HIPS, FW as well as AV? What if you click the wrong prompte 'yes' or 'no'. Has the security suite performed well?

Why can one man use X and another use X, yet only one of them ever gets infected?

The answer to this question does not lie in what you use, but what you do and how you go about doing it.

AV is a safety net for millions, who justifiably need it, but still just a safety net. All security programs are safety nets. If something slips past the first line of defense, your knowledge, and your second line of defense, your habits/methods, then 3rd line of defense and on has to kick in. AV, AM, AS, HIPS, FW, VM, Sandbox, the list goes on. Keeping the bad things from happening at the first and second line of defense are the key.

And that is precisely why I don't use an AV anymore. I would rather hone the skills on point than the rear guard. But, I advise virtually no one to do the same. I would most definately not wish to begin using an AV or other such tools again on my machines.

Sul.

 

yes no av form me , just the wind in my back and the web yellow brick road,,

 

So, Sul, as a virtual nobody, I'm evidently following your advice by not following your example on AVs.

Do you also go rock-climbing without a safety rope? There's an obvious buzz for people who do, minimizing the risk through their skill and experience.

But people who climb without a rope don't generally cite the possibility of the rope breaking as a reason for not using it.

 

I use LUA and SRP and don't need a real time AV. Performance impact still exists on modern machines (unless you have a solid state drive IMO) since AV's scan every single read and write to the hard drive, by far slowest part of the pc. I can't run executable files in my LUA anyways.

I do keep an on demand AV installed and once a month or so will update and scan with it, or scan executables I DL in my admin account along with jotti.com or virustotal.com. Please don't tell me that I'm bound to install malware because I don't have use real time protection. First, I'm anal about what programs I allow on my pc.

Second, I like doing on demand scans because they are waaaaay more effective than real time "protection" of AV software. Latest AV comparatives shows the most effective real time programs (panda, trustport) detect 63% of malware and typically the real time protection of an AV will catch less than 50% of the malware thrown at it. I'll take the performance and security of LUA & SRP against that 100% of the time.

Overall, I don't avoid AV software, I just avoid real time "protection"

 

The obvious difference here is that a rope provides a noticeable and significant increase in safety, even if the rock climber takes all other due care. An antivirus product does not.

The other obvious difference here is that a rope has a much higher chance of not breaking, than an antivirus product has of not failing.

 

Not exactly true. My son rock climbs and yes uses a rope, but also has a safety rope, just in case. He layers.

 

This is something I am currently trying to figure out myself, how to use SBIE and still check files quickly without using a RT AV. Can you tell me how you check your files and programs?

 

Wouldn't it be possible to use a download manager in your browser that allows you to configure it to scan all downloaded files with an anti-malware scanner? Usually the download manager would run the scanner using command line switches after it finishes downloading the file(s).

You still would have to manually scan USB devices.

Edit: You would have be sure to keep the anti-malware scanner updated regularly. You could probably automate this using some kind of scheduler.