Since you said "malware", I included my AV. 3 real-time, each covering a different vector. 3 on demand.
At the moment I have three anti-malware programs installed.
1) Outpost Security Suite Pro 2009
2) Spybot - Search & Destroy (no Immunize or resident protection)
3) Malwarebytes' Anti-Malware (free version)
4) Sandboxie
Items two and three are only used occasionally; neither has ever found anything. I am thinking of dumping number three soon, and possibly number two as well.
Yes. However, when the mood hits me I use competitors' online scanners to double-check ESET's results. Today I ran Symantec's, and the previous time BitDefender's. Next time it may be Kaspersky's, who knows. I've got at least half a dozen to choose from.
Two: Malwarebytes Free and SAS Free. Neither sees much use, since SandboxIE kicks every baddie in the hindquarters and tosses them out the door.
Not counting my AV, I use 2 on-demand anti-malware scanners. I've also found that it may be a good idea to have at least 2, as one of the anti-malware programs doesn't detect 2 of the 3 samples I have. I'm using MBAM and SAS on demand, and I just may add A-squared again as a third opinion.
KISS (keep it simple, stupid). I've run SUPERAntiSpyware and Malwarebytes Anti-Malware, which are both FREE, along with Avira AntiVir. No need for multiple upon multiple security crapola like some people on these forums think is necessary.
I only use BitDefender Total Security 2009. Other than that I don't use any other scanners. From time to time I run online scans or use Dr.Web CureIt!.
If we talk about pure anti-malware, only one: Avira Premium. My real indirect defense is a combination of virtualizer/sandbox/imaging system.
You took the expression right off my face. Those programs have to be fighting like rabid dogs locked up together in a cage.
No conflict here. As I said, they each have a purpose. They are also set up to protect each other from termination/alteration unless I allow it. The on-demand ones are rarely used and only take up about 25 MB of hard drive space and, of course, 0 resource usage. I know online scanners are becoming the current rage. I am sure they have come a long way. However, I still do not like their method, usually ActiveX, nor do I totally trust their abilities. With this setup, at idle, my PC has 26 processes running and 0% CPU usage. That includes my FW, which I did not include in the count of anti-malware programs.
Where is the 0 choice? There's no need for them. If you don't install anything bad, there is no need for an anti-bad program. So keep it clean in the first place and there shalt be no dust. Mrk
Ok, I'll bite. What about all this drive by download and exploit stuff from visiting a legit site that's been hacked?
Drive-by downloads only work in IE, so if you use a normal browser, this is a non-issue. The only thing that remains is social engineering and XSS, which are universal, but you can avoid this by 1) applying logic and 2) using NoScript, a 300 KB Firefox extension. Mrk
All of those "problems" can be mitigated using a thought-out security policy based on default-deny, enforced by system configuration, software restriction policies, application firewalls (HIPS), or a combination of the above. If you don't let the malicious code execute on your system, there's no need for software to remove it.
A good example is the current massive code injection exploit affecting many web sites. NICK ADSL UK posted an example of one: Mass Injection On John Sands Greeting Card Company Site http://securitylabs.websense.com/content/Alerts/3268.aspx

s3c-watch analyzed the code. It is a package of exploits looking for unpatched vulnerabilities in IE, all of which attempt to download/install a trojan executable. Here is a list of some of the exploits in this package. I identified some of them by looking up the CLSID that is in the code. A quick search found the MS bulletin number showing the date the patch was released for each exploit. You might wonder: why would a malware author use exploits that have already been patched, some as long as 3 years ago? The answer should be obvious...

Code:
88d969c5-f192-11d4-a65f-0040963251e5 - XML Core Services (MS06-061)
F0E42D50-368C-11D0-AD81-00A0C90DC8D9 - ActiveX Control for the Microsoft Snapshot Viewer (MS08-041)
BD96C556-65A3-11D0-983A-00C04FC29E36 - Microsoft Data Access Components (MDAC) (MS06-014)
EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F - Microsoft 'msdds.dll' COM Object (MS05-052)
obj=cobj("WebViewFolderIcon.WebViewFolderIcon.1"); - WebViewFolderIcon (MS06-057)

3rd party applications:
77829F14-D911-40FF-A2F0-D11DB8D6D0BC - NCT AudioFile2 ActiveX - US-CERT Vulnerability Note VU#292713
PDF: obj = new ActiveXObject("AcroPDF.PDF");

Even in a 3rd-party application vulnerability, such as PDF, in order to make it a remote code execution (drive-by) exploit, an ActiveX object for IE is required. Exploit packages, such as MPack, have been for sale on the internet for a long time. See: https://forums.symantec.com/t5/Vuln...ssionid=4B66E8121EF706282E1608A569EDF88E#A104 See the link in the above article to the MPack Toolkit for a good description of how these exploits work.

Note that the malware executables are not stored on the legitimate site that has been hacked. The injected code simply sends the user to another site which will gladly distribute the malware by remote code execution, free of charge! Having said that, no person I know who uses IE is bothered by such stuff. Taking one solution that noone_particular mentioned: I've sent every URL for an IE exploit that I could find to a user to test with Software Restriction Policies (SRP). No drive-by exploit is ever successful.

---- rich
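The identification step rich describes (pull the CLSIDs and ProgIDs out of the injected script, then map them to the bulletin that patched each control) can be made repeatable. The script below is an added example, not code from the post, from s3c-watch's analysis or from Websense; its lookup table is exactly the list in the post above, and the sample page it scans is constructed here to exercise the scanner (it is not the John Sands injection). It also undoes the two cheap obfuscations such kits use, `%XX`/`%uXXXX` escaping and string concatenation inside `ActiveXObject(...)`; it does not evaluate `String.fromCharCode` or `eval` chains, for which the script would first have to be run in a JavaScript sandbox.

```python
"""Scan an injected page for the IE/ActiveX controls an exploit kit probes for.

Added example, not code from the post or from s3c-watch's analysis. The
CLSID/ProgID table is the one listed in the post above; SAMPLE_PAGE is
constructed here to exercise the scanner and is not the John Sands injection.
"""
import re
from urllib.parse import unquote

# Controls named in the post, keyed by lower-case CLSID -> (description, reference).
KNOWN_CLSIDS = {
    "88d969c5-f192-11d4-a65f-0040963251e5": ("XML Core Services", "MS06-061"),
    "f0e42d50-368c-11d0-ad81-00a0c90dc8d9": ("Snapshot Viewer ActiveX control", "MS08-041"),
    "bd96c556-65a3-11d0-983a-00c04fc29e36": ("Microsoft Data Access Components (MDAC)", "MS06-014"),
    "ec444cb6-3e7e-4865-b1c3-0de72ef39b3f": ("msdds.dll COM object", "MS05-052"),
    "77829f14-d911-40ff-a2f0-d11db8d6d0bc": ("NCT AudioFile2 ActiveX", "VU#292713"),
}
# Same for controls the kit instantiates by ProgID rather than CLSID.
KNOWN_PROGIDS = {
    "webviewfoldericon.webviewfoldericon.1": ("WebViewFolderIcon", "MS06-057"),
    "acropdf.pdf": ("Adobe Reader PDF control", "third-party (patch Adobe Reader)"),
}

CLSID_RE = re.compile(
    r"\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b", re.I)
# Argument list of ActiveXObject(...), CreateObject(...) or the post's cobj(...) wrapper.
INSTANTIATION_RE = re.compile(
    r"\b(?:ActiveXObject|CreateObject|cobj)\s*\(\s*([^()]*?)\s*\)", re.I)
STRING_LITERAL_RE = re.compile(r"""(["'])(.*?)\1""")
JS_UNICODE_ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_escapes(text):
    """Undo the %uXXXX and %XX escaping that kits hide their markup behind."""
    text = JS_UNICODE_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def progid_from_args(args):
    """Join the string literals of a call's argument list ("Acro" + "PDF.PDF")."""
    return "".join(m.group(2) for m in STRING_LITERAL_RE.finditer(args))


def scan(content):
    """Return one finding per distinct CLSID/ProgID referenced in the page."""
    text = decode_escapes(content)
    findings, seen = [], set()

    def add(kind, ident, table):
        if (kind, ident) in seen:
            return
        seen.add((kind, ident))
        name, ref = table.get(ident, ("unrecognized control", None))
        findings.append({"kind": kind, "id": ident, "name": name,
                         "ref": ref, "known": ident in table})

    for m in CLSID_RE.finditer(text):
        add("clsid", m.group(1).lower(), KNOWN_CLSIDS)
    for m in INSTANTIATION_RE.finditer(text):
        progid = progid_from_args(m.group(1))
        if progid:
            add("progid", progid.lower(), KNOWN_PROGIDS)
    return findings


def known_findings(content):
    """Only the controls we can tie to a bulletin or advisory."""
    return [f for f in scan(content) if f["known"]]


# Constructed sample page: a classid attribute, literal concatenation, and an
# unescape()-wrapped object tag, all tricks this kind of kit uses.
SAMPLE_PAGE = r"""
<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" id="rds"></object>
<script>
var o = new ActiveXObject("Web" + "ViewFolderIcon.WebViewFolderIcon.1");
var p = new ActiveXObject('AcroPDF.PDF');
var f = new ActiveXObject("Scripting.FileSystemObject");
document.write(unescape("%3Cobject classid=%22clsid:88d969c5-f192-11d4-a65f-0040963251e5%22%3E"));
</script>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE):
        flag = finding["ref"] or "no reference; review manually"
        print(f"{finding['kind']:6} {finding['id']:40} {finding['name']} [{flag}]")
```

Anything reported as "unrecognized control" is not necessarily benign; it just is not in the table, so look the CLSID up before deciding. The useful check for a patched machine is the reverse one: for each known finding, confirm the listed bulletin is installed, or that the control's kill bit is set.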
I run older operating systems that don't have the ability to make software restriction policies. Instead I use SSM to accomplish the same result. In both cases, the end result is the same: the payload delivered via a drive-by, application exploit, etc. will not be allowed to execute. Until users get past this default-permit mentality that allows an unknown to execute, this will be a continuous problem. Internet content is only going to get more interactive, creating more vulnerabilities that can be exploited. These are not a problem in themselves as long as the payload they deliver can't execute. Is it too late to edit the poll? I'm certain I see 3 votes for "0" here so far.
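For readers on a Windows version that does have Software Restriction Policies, here is what the default-deny baseline that rich tested and noone_particular describes looks like in concrete terms. This is an added example, not either poster's setup: it builds the same registry values that the Local Security Policy snap-in writes when you set the default level to Disallowed and add Unrestricted path rules for the Windows and Program Files trees, and applies them when run with `--apply` from an elevated prompt on Windows. The key and value names are the documented SRP registry layout; the allowed-path list, the extension list and the log file location are this example's choices, and `build_srp_policy()` runs on any platform so the plan can be reviewed before anything is written.

```python
"""Default-deny Software Restriction Policy, expressed as the registry values
the Local Security Policy snap-in writes.

Added example, not the thread's own procedure. build_srp_policy() only builds
the value list and runs anywhere; apply_policy() needs Windows, an elevated
prompt and the winreg module. The allowed paths and extension list are
this example's assumptions, not values from the thread.
"""
import sys
import time
import uuid

SAFER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
LEVEL_DISALLOWED = 0x0           # default for everything not matched by a rule
LEVEL_UNRESTRICTED = 0x40000     # 262144: rules under this subkey may run

# Numeric winreg.REG_* constants, spelled out so the plan can be built off Windows.
REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 4, 7, 11

# The two rules secpol.msc creates by default: the Windows and Program Files
# trees, referenced via registry values so a non-standard install drive still works.
DEFAULT_ALLOWED_PATHS = [
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%",
]
# Assumption: the stock SRP executable types plus the script-host extensions.
EXECUTABLE_TYPES = ["BAT", "CMD", "COM", "CPL", "EXE", "HTA", "JS", "JSE", "LNK",
                    "MSI", "MSP", "OCX", "PIF", "REG", "SCR", "VB", "VBS", "WSF", "WSH"]


def filetime_now():
    """Windows FILETIME (100 ns ticks since 1601) for a rule's LastModified value."""
    return int((time.time() + 11644473600) * 10_000_000)


def rule_id(path):
    """Deterministic GUID per path, so re-running updates a rule instead of duplicating it."""
    return "{%s}" % uuid.uuid5(uuid.NAMESPACE_URL, path)


def build_srp_policy(allowed_paths=DEFAULT_ALLOWED_PATHS, exempt_admins=True,
                     include_dlls=False, log_file=None):
    """Return (subkey, value_name, reg_type, data) tuples for a default-deny SRP."""
    plan = [
        (SAFER_KEY, "DefaultLevel", REG_DWORD, LEVEL_DISALLOWED),
        # 1 = check executables only; 2 = also check DLLs (stronger, but breaks more).
        (SAFER_KEY, "TransparentEnabled", REG_DWORD, 2 if include_dlls else 1),
        # 1 = all users except local administrators; 0 = everyone, admins included.
        (SAFER_KEY, "PolicyScope", REG_DWORD, 1 if exempt_admins else 0),
        (SAFER_KEY, "ExecutableTypes", REG_MULTI_SZ, EXECUTABLE_TYPES),
    ]
    if log_file:  # SRP appends one line per allow/deny decision to this file
        plan.append((SAFER_KEY, "LogFileName", REG_SZ, log_file))
    for path in allowed_paths:
        key = rf"{SAFER_KEY}\{LEVEL_UNRESTRICTED}\Paths\{rule_id(path)}"
        plan += [
            (key, "ItemData", REG_EXPAND_SZ, path),
            (key, "SaferFlags", REG_DWORD, 0),
            (key, "Description", REG_SZ, "Allowed by default-deny baseline"),
            (key, "LastModified", REG_QWORD, filetime_now()),
        ]
    return plan


def apply_policy(plan):
    """Write the plan under HKLM. Windows only; needs administrator rights."""
    import winreg
    for subkey, name, reg_type, data in plan:
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                                winreg.KEY_SET_VALUE) as handle:
            winreg.SetValueEx(handle, name, 0, reg_type, data)


if __name__ == "__main__":
    policy = build_srp_policy(log_file=r"C:\Windows\Temp\srp.log")
    for subkey, name, _, data in policy:
        print(f"{subkey}\\{name} = {data}")
    if "--apply" in sys.argv and sys.platform == "win32":
        apply_policy(policy)
        print("Applied; newly started processes are evaluated against the policy.")
```

To see it do what rich's test did, log on as a standard user after applying (the default `exempt_admins=True` leaves administrators alone), copy any harmless .exe into `%TEMP%` and try to run it: it is refused with a software restriction policy error, and the refusal is recorded in the log file. That is exactly the position a drive-by payload is in, since it drops into the profile or temp directory and those are outside the two allowed trees. Expect the same refusal for installers run from Downloads; that is the default-deny trade-off, not a bug. On a domain-joined machine, Group Policy will overwrite these local values at refresh, so there the same settings belong in a GPO.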