A radical experiment.

Discussion in 'other anti-malware software' started by JEAM, Nov 13, 2022.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    I have a spare SSD and a little-used Vista-era laptop that I'd like to use in a security experiment, and I'm curious to get opinions on the following idea from the experts here:

    Is it possible/practical to run Windows securely without the use of anti-virus software (e.g., Norton, Kaspersky, etc.), but relying on "anti-malware" applications (such as HitmanPro.Alert or Malwarebytes Antimalware) and "Windows hardening" programs (like OSArmor)?

    Assuming that you set out to run Windows without AV, which security applications would you install and what other security measures would you take? What would you consider to be the minimum safe setup? Or is there NO reasonably safe setup without relying on AV?

    Just to give an example, I would think about installing HMP.A, OSA, ZoneAlarm Firewall, and VoodooShield, in addition to keeping my browsers and other programs up to date and installing uBlock Origin on the browsers.

    Thanks in advance for any ideas.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    You haven't mentioned what OS the machine will run.

    "... a little-used Vista-era laptop..."
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    FWIW, for my $0.02 if the machine has Vista installed I'd wipe the SSD and install Linux.
     
  4. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    @Krusty, you're right, I shouldn't even have brought up the machine's vintage, as I meant for the focus to be on the theoretical question. My mistake. :(

    FWIW, besides leaving Vista on the laptop, I could install evaluation (trial) copies of Windows 7 or 10. I even have an old DVD with Windows 8 Release Preview on it, which would amp up the radicalness of the concept to include an OS that's not getting any patches, and see how these security apps work.

    OTOH, thinking more about this it would still be a sample of 1 machine, far too small to be meaningful in routine day-to-day usage unless I sought out malware to formally test, which I don't think I'm ready to try.

    So the theoretical discussion rather than a practical test is sounding more and more appealing. Barring use of AV, what would a minimum set of security measures look like?

    P.S. Oh, and yes, this laptop is destined eventually to run Kubuntu on it. :)
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  6. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    In my opinion this would work well enough. Regular backups would go farther than any of this. If something does get through, roll it back to a previous state.
     
  8. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    If you aren't running AV/Firewall, I'd stick with OSs that are modern with security patches regularly coming out. Same with other software installed. Does the hardware not support that?

    After that, it depends on what you do with the computer. Avoiding software from dodgy places would help greatly unless you run the downloads through VirusTotal before installing. Privacy violations in legitimate software can also be a concern.

    In any experiment you need to state your goals, procedures and methods of evaluation (i.e. how do you know you have been successful?)
     
  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    You're right. After the original post, it dawned on me that the experiment would be way too small (a sample of 1!) and that the only outcome that would yield any certainty would be an obvious failure, something along the lines of getting the PC's files suddenly encrypted by ransomware. At the same time, the lack of an obvious failure like this wouldn't necessarily mean there was a successful outcome. So I've backed off the experiment idea and decided instead to seek views and opinions about the general concept from the knowledgeable folks here.
     
  10. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Thanks, I was wondering about the viability of running things that way. And regular backups would definitely need to be in the picture.
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    If you run Windows 10 or 11 for this test, you would have to disable their built-in antivirus (AV) app in order to run a NO AV test. It would be easier to do the test if you ran Windows 7 or 8 -- & much more challenging as well.

    I think a NO AV concept could be made PDS (pretty doggone safe) with the following apps & concepts:
    =>One-time: execute System Hardener app by NoVirusThanks PLUS do careful set-up of User Account Control (UAC)
    =>Real-time security: VoodooShield (anti-exe, whitelisting, context-based) PLUS SpyShelter (anti-keylogging & HIPS-behavior blocker) PLUS GlassWire (firewall)
    =>On-demand security: Kaspersky Virus Removal Tool (KVRT) PLUS Imaging app -- must do system image to external storage 3-4 times/week
    =>USER Practices: security conscious at all times, uses no cracks, no visits to web's dark side, maintains strict UAC discipline of self and all other users, THINKS before clicking an Allow* button, runs on-demand scans with KVRT before making each image.
    ~~~~~~~~~~~~~~~~~~~~~~~~
    * If you clicked Allow on a malware, then you failed the test, not the security app. MORAL: Might be better to stop the test & use a full-scope, top-tier AV.
    ~~~~~~~~~~~~~~~~~~~~~~~~
    OP wanted opinions from experts and I am not one so -- Happy Thanksgiving to one and all. :p
     
    Last edited: Nov 15, 2022
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    If you insert the word intentionally before Allow then sure. It is not possible to identify all malware or it wouldn't get through to anyone. These days an ad blocker is probably more effective than anything else. I haven't seen a legitimate popup from my AV in more than a decade. The only reason I run 3rd party AV these days is because it is lighter than what is included with the OS and it is near impossible to disable that without replacing it. I also run a daily incremental backup. Which I trust way more than any AV.
    Also, Happy Thanksgiving to you as well. :D:)
     
  13. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    LOL... and thanks!
    How would something like HMP.A fit into this "no AV" model? Unnecessary?
     
    Last edited: Nov 15, 2022
  14. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    HitmanPro.A is an antivirus. I suppose you could run it on-demand instead of real time -- that way you would still be on a NO AV concept.

    BTW, there are a number of folks who do not run a real-time AV. I did so myself for quite a long while and my computer remained virginal. However, I just may have been lucky, right? By the same token, your test of NO AV cannot avoid the luck factor. You *might* go uninfected for a very long while -- not because your non-AV security apps kept you protected but simply because Lady Luck smiled upon your computer.

    THE VERY BEST security is to scan & image your system regularly & often, as @xxJackxx posted in #12 above. He does sequential imaging, which is faster. I do differential, which is slower but safer.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Uh, nope! HMP.A is an Anti-Exploit.
     
    Last edited: Nov 15, 2022
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Uhh -- HMPA's home website describes its Anti-Malware module as follows:
    As you will see in the quote below, HMPA's anti-exploit (sic - correct title "Exploit Mitigation") is another HMPA module, distinct from its Anti-Malware module. The website describes Exploit Mitigation as follows:
    I ran HitmanPro for quite a long while and it is definitely an AV. IMO, HMP has become HMPA's Anti-Malware module. As a result, it seems to me that HMPA is an AV with additional capabilities thrown in.
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Well, HMP.A does not register as an AV within Windows and does not download local virus definitions and does not warn about installing other AVs alongside it, so as far as I'm concerned it isn't a true AV.
     
    Last edited: Nov 16, 2022
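    Whether a product "registers as an AV within Windows", as Krusty puts it, is something you can check on the machine itself rather than argue from the vendor's website. The PowerShell below is an added example for this thread, not code posted by any member or shipped by any of the products named: it lists the products Windows Security Center holds in its AntiVirusProduct class and what Microsoft Defender reports about its own state. It assumes Windows 8.1/10/11 with the Defender module present (the Security Center query alone also works on Windows 7), and the decoding of the undocumented productState field is the interpretation commonly used in admin scripts, so treat it as an assumption.

```powershell
# Added example: see which products Windows itself counts as antivirus,
# and whether Microsoft Defender is still active alongside them.
# Assumes Windows 8.1/10/11 with the Defender PowerShell module; the
# Security Center part also works on Windows 7.

function Get-RegisteredAntivirus {
    # Windows Security Center records every product that has registered
    # itself as an AV. A product missing from this list is not treated as
    # an AV by the OS, whatever its own description says.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName 'AntiVirusProduct' -ErrorAction Stop
    foreach ($p in $products) {
        # productState is undocumented; the decoding below (middle byte
        # 0x10/0x11 = enabled, low byte 0x00 = signatures current) is the
        # interpretation widely used in admin scripts - an assumption here.
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            Name       = $p.displayName
            Enabled    = $hex.Substring(2, 2) -in @('10', '11')
            UpToDate   = $hex.Substring(4, 2) -eq '00'
            Executable = $p.pathToSignedProductExe
            State      = "0x$hex"
        }
    }
}

function Get-DefenderState {
    # Once a third-party AV registers with Security Center, Defender stops
    # real-time scanning on its own; these fields show whether that happened.
    $s = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        RunningMode        = $s.AMRunningMode
    }
}

Write-Host '== Products registered with Security Center as antivirus =='
Get-RegisteredAntivirus | Format-Table -AutoSize

Write-Host '== Microsoft Defender as it sees itself =='
Get-DefenderState | Format-List
```

    Run it before and after installing each tool in the "no AV" setup: anything that appears in the first table is, as far as Windows is concerned, an antivirus, and Defender's RealTimeProtection flipping to False tells you the OS has stood its own scanner down.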
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    HMPA's Anti-Malware description says it does all its scans in the cloud. It also functioned that way when I was using it.

    However, I get your point @Krusty. It's not like a typical AV in some respects, nor does it claim to be. However, its cloud based scans are at least partly based on malware signatures and those scans are done in real time. Ergo, I would not call HMPA usage a valid part of a NO AV test, but ... tra-la-la -- no big deal either way, wot? :-*
     
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    What is radical about not using AV?
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    OP chose the title for this thread. I don't see any problem with that.

    "Radical" means actions or concepts that differ widely from what a majority considers to be safe/wise/normal/etc. IMO, most security gurus would opine that it is NOT advisable for home computer users to have no AV protection. In fact, Windows 10 & 11 make it fairly difficult NOT to run an AV.
     
  21. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I couldn't agree more with that. I have found it quite painful to even try to run without it.
     
  22. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    Personally I prefer a setup that does not include an AV running in real time.
    Just my preference, there definitely is a learning curve though.
    No dedicated AV with the exception of testing one here and there since 2009.
    I used to pick up crap with an AV, haven't been infected in years.
     
    Last edited: Nov 18, 2022
  23. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    That's exactly what I would have said. Some (many, most) people go TILT if you bring up the idea of running a computer without AV.

    BTW, I didn't mean for the conversation to turn toward whether HMP.A is AV or something else. We could say it's a hybrid product. I was looking at it more from the anti-exploit angle. Maybe a better example to bring up would have been MBAE, or EMET when it was a standalone product. I'm guessing that one of these would be a useful addition to the "no AV" model?
     
  24. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Running WiseVector StopX
    https://www.wisevector.com/en/

    That's the end.
     
  25. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Thank you very much. Is there anything else similar to it?
     