running without any AV - no antivirus! opinions?

Discussion in 'other anti-virus software' started by LuckMan212, Dec 19, 2008.

Thread Status:
Not open for further replies.
  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Running without an AV is quite workable. I haven't used one in almost 3 years and my PC is better off because of it. There's more to it than just uninstalling your AV. An AV can be viewed as a form of process control that blocks any malicious code it identifies from executing. Software restriction policies, HIPS, etc are capable of performing the same function but use different methods and criteria. AVs use signatures, definitions, etc to identify somewhere around a half million bits of malicious code. Keeping such a list current and complete is a formidable or impossible task. With AVs, only the known bad is blocked. Both known good code and unknown (to them) code are allowed to execute. This is referred to as a default-permit policy. Its weakness is its allowing the unknown to execute. The unknown can be a new version of an app you use or a brand new rootkit.

    Software restriction policies use the opposite approach, as does a properly configured classic HIPS like SSM. They allow the 50-100 known good processes on your PC to run and block everything else. Neither wastes disk space or resources trying to keep up with a nearly infinite and ever growing list of malicious code. This is referred to as default-deny policy. Anything not identified as good and belonging on your PC is blocked.

    A default-deny policy has some disadvantages. Determining what is good and belongs on the PC is the user's responsibility. You're building your own whitelist of what is allowed, which does require you to be fairly knowledgeable about your own PC. It's not a good policy for users who install a lot of software or are always changing their setups. A default-deny policy prevents change by design and makes constant changing more difficult.

    Default-deny is an extremely effective security policy when enforced by either HIPS or software restriction policies. Both control what can execute very well. IMO, HIPS gives the user more control over how processes and applications can interact. How important that control is will depend on who you ask. HIPS also has the advantage of working on older systems that don't have the ability to enforce software restriction policies.

    There are other methods that will be brought up. Sandboxing software, virtual operating systems, reboot to restore software, behavior blocking. Each has their advantages and weaknesses. IMO, the best policy is to not allow malicious and unknown code to run in the first place, provided the user is willing and able to make themselves adhere to such a policy. A default-deny policy enforced by system configuration and SSM has served me very well for nearly 3 years, with 6 different people using my PC. It stays clean and fast.
     
  2. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    there is no SSM for 64-bit vista is there?
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I don't believe there is. I'm not sure which HIPS will work with 64-bit Vista. Even if there isn't one, software restriction policies are almost as effective.
     
  4. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    It must be nearly 2 years since I last ran a real-time AV. After 10 years of finding nothing dangerous I thought I would give it a go. So my opinion - if you enjoy playing with programs then fine, load up with security; otherwise you need to be living dangerously before such programs are really needed.

    You can always run with Sandboxie type protection or Shadow Defender, but this still doesn't address the question of whether AV is really necessary.

    My main concern is that so many attribute their lack of infection to having run
    numerous security programs when they may well have been just as clean running nothing at all.

    If you find that you somehow manage to get infected, and it does actually require a degree of talent to do so, on a regular basis then security may well help. Otherwise remember why you bought your computer - you may have vague memories that it was for reasons other than to run security packages.
     
  5. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Hi, I was recommended to ask my question here so I apologize if I'm being slightly off-topic.

    Thread I made that got closed:
    https://www.wilderssecurity.com/showthread.php?t=228536

    I think as someone above pointed out, running without an AV is all up to the responsibility of the user, and most of Wilders are tech savvy enough to know when they are dealing with an infected PC and have good enough habits to easily set things right. I'm not among those people though, so while I don't mind dropping the AV guard, I tend to make such rookie mistakes as inserting an infected flash drive, and that's my main concern for dropping an antivirus guard.

    I'm not so much afraid of infected files but I still tend to be confused when using Sandboxie on programs that require installations and false positives that are really false positives so I'd rather stay safe by using an HIPS that doesn't constantly nag me to delete a file when I've already ignored it.

    I'm also afraid of run by viruses, so is there a middle of the road advice that doesn't involve totally forsaking security applications?

    I've asked about programs like ShadowDefender and Returnil before but I haven't installed them on my PC yet and I'm kind of holding off installing these programs until a fresh XP, not to mention I can't afford ShadowDefender right now and I'm not sure it's better than newer programs like PrevX Edge.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @Paul,

    There are a few middle-of-the-road pieces of advice:

    On XP
    - Use Surun/Sudown (see software and services and look for Mrkvonic's excellent tutorial, only add a limited user to start with instead of an extra admin user).

    On Vista
    - use UAC (=run LUA) with Norton's UAC tool

    XP/Vista 32 bits
    - Enable DEP for all programs
    - Add ThreatFire; it checks the VirusBuster AV database when an intrusion occurs
    - for dodgy browsing try Iron, a Google Chrome clone with the new WebKit engine; this reduces browser vulnerability by 70%

    You should be fine with this light set up.

    Cheers Kees
     
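    As an added example (not part of Kees1958's post), this is how the "Enable DEP for all programs" step looks when typed into an elevated PowerShell on Vista, together with a check of which DEP policy the running kernel actually booted with. `bcdedit` only exists on Vista and later; on XP the equivalent is the `/noexecute=AlwaysOn` switch on the boot entry in boot.ini, edited by hand. A reboot is needed for the new policy, and hardware DEP needs a CPU with NX/XD support.

```powershell
# Added example, not from the thread. Requires an elevated prompt and a reboot.
# The braces must be quoted, otherwise PowerShell parses {current} as a script block.
bcdedit /set '{current}' nx AlwaysOn

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy reports the policy
# the running kernel booted with:
#   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows binaries only, the default), 3 = OptOut
$os    = Get-WmiObject Win32_OperatingSystem
$names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
"DEP policy in effect: $($names[[int]$os.DataExecutionPrevention_SupportPolicy])"
"Hardware DEP available: $($os.DataExecutionPrevention_Available)"
```

    Until the reboot, the WMI query still reports the old policy (typically OptIn), which is the point of running it afterwards rather than trusting that the bcdedit command was accepted.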
  7. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Thanks Kees1958,

    I tried ThreatFire before per the suggestion of another user here, but installation didn't go well, so I decided to go with the free version of Online Armor. Any better suggestions?

    What's DEP?

    and is Iron really that much better than both Firefox and Opera?
     
  8. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
  9. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    So, SuRun works in a limited user and admin accounts?
     
    Last edited: Dec 22, 2008
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    You add a limited account to the Surunners group, and then you can elevate that account's privileges to admin for the program you want.
    Admin is admin, Surun won't do anything with it, only the LUA - but you can however tweak the options from admin account if that's what you're asking.
     
  11. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Thanks Pedro ;)
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Anytime :)
     
  13. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Yesterday, I formatted my Windows XP Pro partition and chose an Admin Account, so now I will try to change it to a Limited Account to test SuRun, but only after an image backup... :)
     
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    What I did, not that it matters now thanks to Crossover :D , is turn the admin to LUA, and make the hidden "Administrator" visible with a password. So I get 1 LUA + 1 Admin + 1 disabled Guest.
    Turn DEP on, SRP ..

    tlu has advice on his thread regarding turning an account to limited - XP doesn't safely convert the account.
     
  15. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Unfortunately I need Windows and its developer tools for my work, so I decided to install it again at home...

    What does SRP mean?
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Software Restriction Policy, gpedit.msc. I do as tlu suggested, what this good guy says:
    http://www.mechbgon.com/srp/
    It's simple to use. No unknown execution, except for that super villain who wants your pictures :D
     
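    The default-deny setup noone_particular describes (allow the known-good locations, block everything else) and the SRP that Pedro configures through gpedit.msc are the same thing; the snap-in only writes registry values under the Safer key. The script below is an added example, not code from the thread or from mechbgon's page, that writes those values directly from an elevated PowerShell on XP or Vista. It assumes the machine is not receiving SRP from a domain GPO (domain policy would overwrite these keys), and the three Disallowed carve-outs are the user-writable folders under %SystemRoot% that commonly exist; check your own system (accesschk from Sysinternals, run as a limited user, lists them) and adjust.

```powershell
# Added example, not from the thread. Writes the same registry values the
# gpedit.msc Software Restriction Policies snap-in writes. Run elevated,
# then log off and back on (or reboot) before trusting the result.

$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 0x40000   # SRP security level "Unrestricted"
$Disallowed   = 0x0       # SRP security level "Disallowed"

# Global settings: anything not matched by a rule is blocked (default-deny),
# the policy covers all software files including DLLs, and applies to all users.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel        -Type DWord -Value $Disallowed
Set-ItemProperty -Path $base -Name TransparentEnabled  -Type DWord -Value 2   # 2 = all files incl. DLLs, 1 = all except DLLs
Set-ItemProperty -Path $base -Name PolicyScope         -Type DWord -Value 0   # 0 = all users, 1 = all except local admins
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Type DWord -Value 0
# SRP's text log: every launch decision is appended here, which is how you
# find out what the whitelist is missing while tuning it.
Set-ItemProperty -Path $base -Name LogFileName -Type String -Value "$env:SystemRoot\srp.log"

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each rule is a GUID-named subkey under <level>\Paths.
    $guid = [guid]::NewGuid().ToString()
    $key  = "$base\$Level\Paths\{$guid}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Type ExpandString -Value $Path
    Set-ItemProperty -Path $key -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $key -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $key -Name LastModified -Type QWord        -Value (Get-Date).ToFileTime()
}

# Whitelist: the two trees a limited user cannot write to. These are the
# registry-path rules the snap-in itself creates as its "default rules".
Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows directory'
Add-SrpPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' 'Program Files'

# Carve-outs: folders inside the whitelisted tree that users can write to.
# A more specific path rule beats a less specific one, so these stay blocked
# even though their parent is Unrestricted. Assumed list; verify on your box.
Add-SrpPathRule $Disallowed '%SystemRoot%\Temp'                 'user-writable'
Add-SrpPathRule $Disallowed '%SystemRoot%\Tasks'                'user-writable'
Add-SrpPathRule $Disallowed '%SystemRoot%\Registration\CRMLog'  'user-writable'

# Read back what was written.
Get-ItemProperty $base | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
foreach ($lvl in $Unrestricted, $Disallowed) {
    Get-ChildItem "$base\$lvl\Paths" | ForEach-Object {
        "{0,-12} {1}" -f $(if ($lvl -eq $Unrestricted) {'Unrestricted'} else {'Disallowed'}),
                         (Get-ItemProperty $_.PSPath).ItemData
    }
}
```

    The practical test afterwards is to log on as the limited user, copy any .exe to the Desktop or to %TEMP% and try to run it: it must be refused, and the refusal must show up in srp.log. Local administrators are covered too because PolicyScope is 0; setting it to 1 exempts them, which is convenient for installing software but means anything running in the admin account is back to default-permit.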
  17. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I would avoid this approach since I've noticed some "glitches" where it turns out that the restricted user inherits the ownership of certain files/folders/keys in some cases where it shouldn't. IMO it's better, for avoiding this possible security risk, to stick with the default created admin account (for updating/installing/tweaking) and create new restricted user accounts, instead of converting admin accounts to restricted user accounts. I know some users here have converted admin to user, perhaps successfully without any issues, but just in case...

    /C.
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Lol, hmmmmm, why go through all of this painstaking setup. Why? To say here you don't use an AV. I don't know, to me, it is easier just to say I use one, any one.:cool:
     
  19. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I will see if I can create a LUA :)

    Did you already use Linux?
    Do you know the security and usability that this program will add to your system?
    Do you think that your AV will protect you against what?

    I don't know if I will use this in the future, but for now seems to be a must addition to protect my system...
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Located his post - https://www.wilderssecurity.com/showpost.php?p=1201866&postcount=146
    Both his threads should be read imo. I parsed both of them and made notes just to digest it better. :p

    In any case, I agree it would be best to create a new one, but I did what I did and ended up with only one admin. I think it's a case of all roads leading to Rome.
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Protect me against myself.........Will Linux? No, because ultimately there is an opening in every closed entity.
     
  22. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    If I just trust in AV to protect myself, I would be in trouble for sure! ;)

    Fortunately, I just use them as a complement when my common sense fails.
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I think some AV is better than nothing (generally speaking)... especially if the overhead is low and there's no performance impact.
     
  24. Makav3l1

    Makav3l1 Registered Member

    Joined:
    Nov 26, 2007
    Posts:
    241
    Comodo Defense+ is a hips that works on 64.
     
  25. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I stopped for a year running an AV, and it was indeed fine. My AV replacement was very effective, Faronics AntiExecutable: It would deny by default any executable that was not whitelisted in the first place. The new version for Vista (I believe only x32) is even better, and more sophisticated. Unfortunately it doesn't allow FirstDefense PC Rescue to run properly on my system. Maybe future versions will improve the compatibility.

    I tried with HIPS to use them simply to deny any executable, but in the end they were complicating my life rather than simplifying it. I run 99% of the time virtualized and sandboxed, and when I want to keep something I find the AV is still the only way to find out if it is known malware.
     