Antivirus is 'completely wasted money': Cisco CSO

Discussion in 'other anti-virus software' started by Macstorm, May 22, 2008.

Thread Status:
Not open for further replies.
  1. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    I know this, but not all people have this kind of common sense. Let me tell you a short story that happened a couple of years ago... I got a very simple, easy, short assignment back then: "write a short instruction sheet on how to put a video tape into the VCR recorder..." Because it seemed that even in these modern times some people still had difficulties putting a video tape into the VCR recorder and pressing play... As long as these kinds of people exist, there is no such thing as "All you need is 5 seconds and common sense". :p
     
  2. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I understand. Well, for such people who can't grasp that the idea of "emptying the sandbox before doing something important" is good, what can I say... Give them an AV and pray for the best! :D
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If I ever find a scanner, that finds something on my system/data partition, I will change my mind, until then I won't use them.
    I've read too many posts where users suddenly find a strange object on their system and start scanning their computer with any scanner they can get until it is removed. Of course, they don't talk about how much time they have spent on this single object, but I know from the past how much time it takes.
    I don't have such objects on my system, because I remove any change and the damage it caused during reboot, including tried software with its malware.

    They install new legit software and somehow this software corrupts their system; they can't fix it, the proposed solutions don't fix it either, and the problem remains. I only have to reboot: problem fixed in 2 minutes. I get myself a cup of coffee while this user is still working on his unsolved problem. That's the difference.
    I'm not going to change anything unless I have some decent proof that it doesn't work.
     
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Let me simply note the obvious, this statement is internally inconsistent.

    Blue
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You are right, but that is not important for me.
    1. If I use a frozen system and a security software FAILS it will be removed as a change during reboot.

    2. If I use a normal system and a security software FAILS it will remain on my system even when I reboot.

    I prefer the first option. :)
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    Blue, you asked about my strategies:

    If I don't trust the file - it never gets run.

    If I trust the file - say a download from a reputable source, at most I will check on a dedicated test machine or a virtual machine - NOT because the executable might be infected or such - but to see how it fits in the overall scheme of things.

    If it's not an application (executable) but a pdf, doc, movie whatever from friends etc, I might be tempted to scan with AV, but rarely. Again, I'll most likely check this file in an alternative environment.

    Sometimes, I'll open it using alternative means - doc via OpenOffice, pdf via Foxit or Sumatra etc. Maybe I'll use Linux. Maybe I'll use an application with reduced privileges.

    If I fear something but MUST use the file on a production system, I'll make sure there's an image in place.

    Sometimes, I won't check, if I really trust the sender and I know that he knows what he's doing - but there are maybe 2-3 such persons.

    Finally, I might do an AV scan.

    But it goes:

    Trust barrier
    Alternative system / machine
    Alternative applications / reduced privileges / Linux
    Good image in place

    Only then blacklist scanners

    Mrk
     
  7. L815

    L815 Guest

    If we didn't need Av's we wouldn't have millions of users out in the world complaining of such problems...
     
  8. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Sorry, but which problems?

    The problems caused by AVs or the problems caused by malware? And why do those with AVs have problems with malware while others without AVs do not?

    Just for the record, my problems (slow system) stopped the day I removed my last AV. Still waiting for the malware problem. :argh:
     
  9. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    OTOH when your AV uses all system resources then there's no memory left for malware to do nasty things :D :D :D So even if it detects nothing by wasting system resources to the limit it protects you "somehow" :argh:
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    No offense, but this statement implies a specious syllogism, as follows...

    Argument
    Premise 1: I feel secure without an AV
    (Presumption) Premise 2: The way that I feel must exist in actuality.
    Conclusion: Therefore, an AV is unnecessary
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Blacklist-based security programs are not a "waste of money" in that they force bad guys (a) to disguise old types of attacks, &/or (b) to try & develop new kinds of attacks.
     
  11. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Ok bellgamin - I'll play.

    I feel secure with no real-time AV, because I haven't seen any bad stuff. How many years is enough? Or will someone still be saying in another 10 years, "It's only a matter of time"?

    Seems to me that many AV users assume that they are virus free "Because" they run an AV....

    Premise 1: I don't feel secure without an AV
    I have never been contaminated
    Premise 2: so it must be because I have an AV ---- I don't think so :cautious:
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It's only a matter of time -- AND luck, AND personal practices.

    And some persist in assuming that an AV is useless BECAUSE they haven't been infected while NOT using an AV. To wit...

    Premise 1: Fred has never been attacked by crocodiles while swimming in the YMCA swimming pool
    Premise 2: Fred swims in the nude
    Conclusion: Swimming nude protects against crocodile attacks.
     
  13. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    he he :thumb:
     
  14. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Does anyone know the correct term for making a false claim on behalf of a debating opponent? It is usually covered in Philosophy 101, but I'll be damned if I can remember the term. Anyway, you have given an excellent example. Premise 1 is fine. Premise 2 is fine. The conclusion, although funny, is not the point being made by your opponents, and we both know it. Perhaps a more appropriate conclusion would be: swimming nude in a YMCA swimming pool can be done safely without the need to carry a whaling harpoon.
     
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Ummm, the example isn't really that (which is to set up a straw man argument). Rather, it is a general example of false analogy, for the logically inclined.

    Blue
     
    Last edited: May 26, 2008
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    1. I am going to start swimming in the nude.
    2. By that time, I won't care about computer security.


    Heck, AVs are not a complete waste of money, but they sure do not provide the degree of protection that they used to, with malware authors tweaking their wares daily to avoid detection at 0-day and using rootkits to hide thereafter. Around when this started to happen with great frequency, Bruce Schneier wrote a post that AVs from the big three vendors were the ones most likely to suffer from this sort of tactic. I mention this from time to time, but no one believes me.

    The same solutions keep getting mentioned:

    White listing - not perfect as stated above. AV's are used to compile the white list, not to mention the problem of keeping up with software releases. Wars have been fought over less significant issues.

    HIPS - Fine, but for experts only. There is no way to give one of these to a secretary.

    Behavior based detection - There is a lot of potential here, but the present selection of products is a bit crude. All of the ones I have tried have significant measurable overhead. There seems to be no effective testing of these products and whether they stop infection or simply warn after the fact (like a 2 way firewall) is an open question.

    Heuristic signature analysis - So far this tool has reached the point where it is effective more often than not by a handful of AV vendors. The downside is more false alarms.

    OS hardening - It's built into Vista, but MS did an awful job with UAC. You can do it with XP; it requires some expertise to set up, but it is secretary-safe.

    Perhaps I should just dive in the nude, or run AV scans...
     
    Last edited: May 26, 2008
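The "white listing" entry in the post above, and the remark that keeping up with software releases is its weak point, can be made concrete with a small default-deny policy keyed on file hashes. The block below is an added example written for this page; it is not code from any product mentioned in the thread, and it does not implement any vendor's AV or SRP engine. The executable contents are constructed byte strings standing in for real on-disk binaries, and the path rule is an assumed simplification of how a path-based allow rule behaves.

```python
"""Hash-based application allowlist: a default-deny execution policy.

Added example for this page (not from any product in the thread).
Shows why hash rules resist tampering but break on every legitimate
release until the list is refreshed, and why a path rule alone is weaker.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for executables. A real policy hashes the PE file
# on disk; here the bytes only need to differ the way real builds differ.
APP_V1 = b"MZ\x90\x00 sample-app version 1.0 (constructed)"
APP_V2 = b"MZ\x90\x00 sample-app version 1.1 (constructed)"
TROJANED_V1 = APP_V1 + b"\x00injected-payload"   # one appended byte run


def sha256_hex(data: bytes) -> str:
    """Stable identity for a file's contents, independent of name or path."""
    return hashlib.sha256(data).hexdigest()


class HashAllowlist:
    """Unknown hash => deny. Only explicitly approved builds may run."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def approve(self, data: bytes, label: str) -> str:
        """Record a build as trusted; the returned hash is what you audit-log."""
        h = sha256_hex(data)
        self._entries[h] = label
        return h

    def revoke(self, data: bytes) -> bool:
        """Drop a superseded build so it cannot be reintroduced by a downgrade."""
        return self._entries.pop(sha256_hex(data), None) is not None

    def decide(self, data: bytes) -> Tuple[str, str]:
        """Return ('allow', label) or ('deny', reason)."""
        h = sha256_hex(data)
        if h in self._entries:
            return "allow", self._entries[h]
        return "deny", "sha256 " + h[:12] + "... not on allowlist"


def path_rule_allows(path: str) -> bool:
    """Assumed path rule: anything under Program Files runs. Contents are
    never inspected, so a trojaned file dropped there is allowed."""
    return path.lower().startswith("c:\\program files\\")


def simulate_release_cycle() -> List[Tuple[str, str]]:
    """Walk a vendor release through the policy and record each decision."""
    policy = HashAllowlist()
    policy.approve(APP_V1, "sample-app 1.0")
    events: List[Tuple[str, str]] = []

    events.append(("run v1", policy.decide(APP_V1)[0]))                  # allow
    events.append(("run trojaned v1", policy.decide(TROJANED_V1)[0]))    # deny
    # The legitimate 1.1 release is blocked until someone updates the list:
    events.append(("run v1.1 before update", policy.decide(APP_V2)[0]))  # deny

    policy.approve(APP_V2, "sample-app 1.1")   # the maintenance step
    policy.revoke(APP_V1)                      # close the downgrade window
    events.append(("run v1.1 after update", policy.decide(APP_V2)[0]))   # allow
    events.append(("run v1 after revoke", policy.decide(APP_V1)[0]))     # deny
    return events


if __name__ == "__main__":
    for name, verdict in simulate_release_cycle():
        print(f"{name:26s} -> {verdict}")
    # Contrast: the same trojaned file passes a path-only rule.
    print("trojaned under Program Files (path rule) ->",
          path_rule_allows(r"C:\Program Files\SampleApp\app.exe"))
```

The `approve`/`revoke` pair is the part that costs ongoing effort: every vendor update is a deny until the hash is added, which is the "keeping up with software releases" problem in the post. The path rule is there only to show the trade-off in the other direction: it needs no maintenance, but it trusts location rather than content.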
  17. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    These two points are why I tend to view a simple AV and LUA/SuRun as a pretty decent compromise. Not perfect by any means, but very suitable if an AV or suite tends to be on the lean side.
    Just don't feel compelled to try the other permutations.... :)

    Blue
     
  18. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784


    Hi bellgamin
    Please point out where in my earlier post I stated that blacklist-based security programs are a waste of money.
    You may feel that an AV running in real time is necessary, and that's fine.
    I, on the other hand, feel that I do not.
    I have other measures in place to protect myself well instead of the traditional AV you feel is a must.
    I still use blacklist scanners once a week, which find nothing.
    Just lucky......maybe.
    I guess I'll find out.
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I never said you did. Please notice the squiggly line ~~~. To all us Klingons, ~~~ means "I am switching gears. New topic."

    What is "SuRun"

    "Lua" -- Hawaiian word for toilet. As to Lua in the computer sense of the word -- Online Armor had a great idea when they introduced "Run safer" to their HIPS. I hope that other HIPS shall follow suit. Right now I use "Drop My Rights" which isn't nearly so convenient to use as is OA's "Run safer."

    Exception: Threatfire. Set it at level 2 & (99%) forget it.

    P.S. My 9-year-old granddaughter is quite proficient with classical HIPS of all flavors. But then, she often beats me at chess, too.
     
  20. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    @bellgamin - see this thread for SuRun.

    As for ThreatFire, doesn't it fit better as a behavior blocker? Also if you wanted to use ThreatFire as a HIPS, you would increase the level (to 4 or 5).

    And btw, I think it is fairly set and forget at its default level (3).
     
  21. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    bellgamin, just a correction....... In your post #69 at the bottom you quoted what Diver said in post #66.....not me.
     
    Last edited: May 28, 2008
  22. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    OS Hardening: LUA/Software restriction policy/SuRun, DEP on for all programs/unnecessary network oriented services disabled.

    If you run LUA, SuRun is definitely the easiest way to temporarily elevate to administrative privileges.
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    One hit of a rootkit that infects your hardware components is enough to keep your computer infected forever. :)
     
  24. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I have read science fiction but didn't realize that software could infect hardware in the real world. Infected forever? Firmware can be changed, drives formatted or "zeroed", so forever?
     
  25. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    LOL. oh my gosh.
     