How many antimalware programs do you have installed on your pc?

Discussion in 'polls' started by rOadToIS, Dec 24, 2008.


How many antimalware programs do you have installed on your pc?

  1. 1

    39 vote(s)
    28.5%
  2. 2

    31 vote(s)
    22.6%
  3. 3

    26 vote(s)
    19.0%
  4. 4

    12 vote(s)
    8.8%
  5. 5+

    29 vote(s)
    21.2%
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    0 installed.
     
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    What about 0 as an option?
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Isn't SSM an antimalware program since it blocks malware from executing?

    What about a stand-alone firewall? Configured properly, it blocks the trojan ports such as 135 (MSBlaster) and 445 (Sasser).

    Is it an antimalware program? My recent log:

    [screenshot: kerio-445.gif]

    Software Restriction Policies isn't a separate program, but it is a "program" built into XP,
    and the user configures it just like you do in SSM.

    So, labels like "antimalware" become confusing, or misleading.

    And those who have "0" programs installed wouldn't necessarily not have antimalware protection.

    A more interesting discussion -- not a poll -- would be, "How do you protect against malware installing?"
    Perhaps just avoiding running as an Administrator/Root would be enough. Perhaps not. Many factors need to be considered.


    ----
    rich
     
  4. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,668
    Location:
    Philippines
    I agree with the above poster that SSM is an antimalware program. The only reason one would install such a program is to intercept malware and stop execution. So in that sense it is antimalware. In my post above I did include my firewall as antimalware; though it is a suite, the firewall portion is just as much protection from malware as an antivirus program.

    I left out my router, since that is external to my computer and not installed on my pc. I left out Fx add-ons as well since they are enhancements to Fx and not self contained programs.

    I left out Sandboxie also, but now that I think about it, the only reason I installed it was because of malware, it sandboxes malware so Sandboxie is also antimalware. I modified my above post to reflect this.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    READ MY SIGGY BELOW.

    That's just the tip of the iceberg. :cool:
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The best way I can describe the difference would be like this. An anti-malware identifies and removes malware. Like AVs, anti-malware software depends on signatures, reference files, etc in order to identify malware. SSM doesn't differentiate between malware, user software, or system executables. It doesn't use any kind of identification system other than checking that the file hasn't changed. It doesn't remove anything. It allows and blocks exactly what the user tells it to. SSM can be described as a rule based firewall that controls applications instead of internet traffic. An SSM ruleset contains a listing of the applications/executables on that PC. Along with specifying which ones can execute, the rules can also specify what other executables each one can start or be started by, along with specifying whether many other specific behaviors are allowed for each one. Any process, executable, installer, etc not specifically allowed by the rules will be blocked. Assuming that the user hasn't mistakenly allowed it, malware will be unknown to SSM and prevented from executing. In that respect, HIPS can perform the roles of an anti-malware, anti-executable, user access control, etc provided that the user configures it properly. That's the biggest difference between SSM and an anti-malware. With SSM, the decisions and the responsibility are solely on the user/administrator.
    Using those criteria, a router could be considered as an anti-malware device. Since those ports can just as easily be closed by system service configuration, does that make Windows an anti-malware? IMO, it would be more accurate to say that the traffic control of the firewall imparts a certain amount of resistance against some malware and can prevent some installed malware from functioning.

    I very much agree that the terms can be very confusing to the user. Anti-malware is bad enough. The way the term "firewall" is used anymore is much worse. Too many completely different apps using the same name or being compared or rated when they're entirely different. HIPS is another one.
    "How do you protect against malware installing?"

    That would be a much better discussion than just tossing out quantities of programs. Before I adopted the default-deny policy, I used quite a few "anti..." programs. At one point I was up to 9 of them, and dragged my system down so bad it could barely run.

    From what I can tell, we use different methods and tools to implement security policies that are very similar where it counts. I take the position that the security policy is what protects the user and their PC, not the security software. The software, combined with the configuration of the OS and user apps enforces the security policy. Some people consider this a play on words. I feel that it puts the emphasis where it should be, on configuration and planning instead of features, bells and whistles, and test results. I also suspect that your position and philosophy are quite similar.
     
  7. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I think the OP needs to clarify exactly what he or she means.

    I keep "anti-malware" apps around to scan whatever I remove from Sandboxie which as already stated could be considered an anti-malware app. In that sense, "anti-malware scanners" are extremely useful to me because I don't trust anything I download and I cannot analyze "malware". I also like multiple opinions when it comes to investigating a program I'm about to execute.

    In other words, I trust my updated setup and apps running in Sandboxie and anything I remove from it shall be a fairly known application or file and then scrutinized by my "malware scanners" and/or VirusTotal and Jotti. It's a system that seems to work for me so far...
     
  8. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Zero is not an option. ;)
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I think so, but I will nit-pick a little bit! So, here is my definition:

    An anti-malware identifies (sets an obstacle) and blocks the malware from downloading.

    Nothing to remove.

    The only anti-malware program to my knowledge that does this is Anti-Executable (AE).
    This can be easily demonstrated.

    I used an exploit which downloads a spoofed executable file (.htm file extension),
    renames the file as svchost.exe in the temp directory, and attempts to execute the file.

    Here is the code:

    [screenshot]
    ___________________________________________________________________________

    Here, Software Restriction Policies (SRP) are configured to block the running of any executable file not
    already on the computer.

    test.htm has downloaded and attempts to run as svchost and is denied by default:

    [screenshot]
    ___________________________________________________________________________

    Same test using Anti-Executable. The test.htm file is identified as an unauthorized executable (not on the White List).

    test.htm is denied by default from downloading (Reason: Copy means copying = downloading from a source):

    [screenshot]
    ___________________________________________________________________________

    For the first day of this exploit, no AV had picked up the signature. Later, I scanned both files to
    show they are the same:

    [screenshot]

    [screenshot]
    _____________________________________________________

    While the above exploit is IE-specific, the downloading of malware will similarly be blocked when embedded in
    3rd-party application files, such as

    • Quicktime

    • Flash swf objects

    • Adobe PDF files

    • MSOffice documents

    While both SRP and AE are true Default-Deny, if we are permitted to make our own definition of anti-malware,
    AE is the only one which meets my definition, and additionally, the requirement of simplicity of use.
    And so, in the home situations where I've installed AE, it is ideal because

    • the White List is created automatically upon installation of the program

    • there is only one rule by default: No unauthorized executable permitted

    • nothing is downloaded

    In addition, it is ideal where the parents control the downloading/installing of programs.
    Here, Billy thinks he will download something even though he knows he should ask his parents:

    [screenshot: download.gif]
    __________________________________________________________________________

    I can't think of a simpler solution for the home environments I'm in contact with.

    Not so here (using my definition of anti-malware!). If not on the White List, it doesn't download, period. No signatures, etc., required.

    Everything else you mention about "terms can be very confusing to the user" I agree with. Therefore, eliminating all other software you mention (firewall, router, Windows) for a number of home users I know, I'll cast their vote for "1" anti-malware.

    This, of course, is the biggest weakness in any security system, where you are tricked (social engineering). All of such exploits I've seen could be easily prevented by a little common sense. Here is a current one:

    Christmas Ecard Malware
    http://isc.sans.org/diary.html?storyid=5557

    This also brings up the situation where you choose to download new software. From my point of view,

    • You trust your judgment and consider your source for purchase, or download of software

    • You trust your scanners to verify software is not malware

    • Or a combination of both

    While some users I mentioned above use AV, I consider AV to be a detection product, and not an anti-malware product.

    So, you see how each person's definitions fit her/his own strategy! Hence, the confusion and sometimes misleading conclusions drawn by others when these terms are tossed around.

    More important, it seems to me, is to

    • understand the different methods by which malware can install,

    • develop a security strategy that meets your needs,

    • select products accordingly -- to heck with what they are called!


    ----
    rich
     
    Last edited: Dec 26, 2008
  10. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    I use NoScript, and browse virtualized. So when I find an interesting site I start allowing scripts normally blocked by NoScript, knowing that whatever happens the virtual volume should save me. But for someone who isn't virtualized, how is he going to know whether allowing scripts is safe or not? How does one know in advance something might be fishy? Sorry, the quote doesn't make any sense; the full context is in post #22 by Mrkvonic.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,208
    You won't get "owned" if you use Firefox or Opera. They have a robust design, quick updates, and simply do not access the system files. In theory, it could happen, but in practice, I have never seen one example, ONE - in either the hijackthis forums or the web itself, where it shows that someone used FF / Opera, went to a site and got hacked. Not one.
    Mrk
     
  12. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Sorry - I was getting confused again. Zero is the number of malware programs I have ever had running suggesting the need to run no more than 0 antimalware programs o_O
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    As long as we're nit-picking, by that definition, shutting down the services that opened the ports Blaster and Sasser use makes Windows an anti-malware. IMO, that definition is too broad, but it does point out a problem with how our language is used and how the conventional use of a word doesn't always match its use in reference to computer technology. By your definition, I think I have one anti-malware, which I'd call an application firewall. IMO, the term HIPS should be lost as fast as it was invented. Best I can tell, it translates into security suite with some form of application control.

    My definition of anti-malware software would be any software that specifically identifies, blocks, and/or removes malicious code. I'd call an AV anti-malware, since most of them detect malware. By my definition, anti-executable would be an application firewall since it controls all executables, not just malware. The name issue here seems to center around the definition for "malware", or the lack thereof.

    This "name issue" is a bit of a dilemma when you look at it from the average user's position. There are no official definitions. We're pretty much stuck working with the twisted definitions made by the vendors' advertising departments. When dealing with an average user, that makes the first task "damage control."

    Regarding the last half of your post, there's nothing to nit-pick at.
    We say it differently but we're following the same steps. We use different tools but are enforcing the same basic policy. I haven't tried anti-executable. For me, SSM is a perfect fit so I've had no need to look any further.
     
  14. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Norton, MBAM, and various online scanners, such as Kaspersky, NOD32, Panda .. my fav, F_Secure ... OneCare ...
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    There is no software like this, even the AE. AE just blocks all executables whether malware or good ones. So it does not fulfill this definition of Antimalware.

    It is a real anti-executable though, no doubt esp its ability to identify spoofed executables is remarkable. No other security application has this capability. :thumb:
     
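    The test Rmus walks through in post #9 and the spoofed-executable point aigle makes above, replayed as a small added example (not code from the thread, from Anti-Executable or from SRP; a simplified imitation of their default-deny idea): executables present at "installation" form the White List, and a file whose bytes carry a PE header but whose extension is not an executable one (test.htm) is flagged as spoofed. All file names and contents are constructed for the demo.

```python
"""Added example: default-deny executable check in the spirit of the
Anti-Executable / SRP tests above. PE files present at 'install time'
form the White List; a PE file hidden behind a non-executable extension
(the spoofed test.htm) is flagged too. All files here are constructed."""
import hashlib, os, shutil, struct, tempfile

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".com"}

def is_pe_file(path):
    """True if a DOS 'MZ' stub's e_lfanew points at the 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])
        return f.read(4) == b"PE\0\0"

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_whitelist(root):
    """Hash every PE file under root: the White List created at installation."""
    return {sha256_of(os.path.join(d, n)) for d, _, names in os.walk(root)
            for n in names if is_pe_file(os.path.join(d, n))}

def check_file(path, whitelist):
    """Return (allowed, reason); content that is not a PE image is out of scope."""
    if not is_pe_file(path):
        return True, "not executable content"
    ext = os.path.splitext(path)[1].lower()
    if ext not in EXEC_EXTENSIONS:
        return False, "spoofed executable: PE content behind '%s'" % ext
    if sha256_of(path) not in whitelist:
        return False, "unauthorized executable: not on the White List"
    return True, "on the White List"

def fake_pe(marker):
    """Constructed minimal DOS+PE header followed by a marker; not a real program."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    return bytes(hdr) + b"PE\0\0" + marker

def demo():
    """Whitelist a 'system' dir, then replay the spoofed-download test."""
    root = tempfile.mkdtemp()
    sysdir, tmp = os.path.join(root, "system"), os.path.join(root, "temp")
    os.makedirs(sysdir); os.makedirs(tmp)
    with open(os.path.join(sysdir, "svchost.exe"), "wb") as f:
        f.write(fake_pe(b"legit"))
    whitelist = build_whitelist(sysdir)
    with open(os.path.join(tmp, "test.htm"), "wb") as f:  # spoofed download
        f.write(fake_pe(b"unknown"))
    shutil.copy(os.path.join(tmp, "test.htm"), os.path.join(tmp, "svchost.exe"))
    with open(os.path.join(tmp, "page.htm"), "wb") as f:  # an ordinary web page
        f.write(b"<html></html>")
    results = {}
    for rel in ("system/svchost.exe", "temp/test.htm", "temp/svchost.exe", "temp/page.htm"):
        results[rel] = check_file(os.path.join(root, *rel.split("/")), whitelist)
    shutil.rmtree(root)
    return results
```

    The renamed copy in temp fails on its hash even though it is now called svchost.exe, which is the "unauthorized executable" alert Rmus shows; the content check catches it one step earlier, while it still wears the .htm extension.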
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,208
    Oh, let me ask a philosophical question:

    Installed programs - and used in real-time to do something - or just installed and periodically invoked to scan and potentially disinfect. Because if you have an anti-X installed and it never runs ... is it really installed?

    Just some food for thought :)

    Mrk
     
  17. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    A case could be made for a program in your sig Shadow Defender. I had a look at the blurb on their site.» "Features
    1. Prevent any unknown and future virus.
    2. Protect your privacy effectly.
    3. Eliminate the system downtime and PC/laptop maintenance cost.
    4. Surf the internet safely."
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It looks like we are back to defining what is an anti-malware application!

    The only person I know of who would qualify for running no added anti-malware applications uses Windows Firewall (built in) and Software Restriction Policies (built in). That's it.

    And he also uses IE, that most maligned of browsers!

    You are correct. Normally I use the phrase, "unauthorized executable" (see the alert message in my AE screenshots above), but I use "malware" here since that is what this thread is about.

    Actually, my primary use for AE in home systems is the second example I gave, where parents or an "administrator" on a computer with multiple users want to control what can download.

    Using Opera, I don't see any opportunity for AE to flag a drive-by malware download attempt: I've gone to every such site when the URL has been available, and have never gotten an alert from AE. When is the last time anyone saw a drive-by download exploit in the wild against Opera or Firefox?

    Only when using IE to test these sites do I get an alert from AE.

    Still, I consider AE unique in that not only are malware unauthorized executables prevented from running, they are blocked from downloading.


    ----
    rich
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I believe this is due to the fact that these browsers are not targeted ATM and have little market share as compared to IE.

    We would have seen this frequently if they had a predominant market share.
     
  20. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Fair point; however, I run my machines 95% of the time without SD. A case could also be made for Shadow Protect as antimalware. Should I ever get infected I could easily restore a clean image. I have recently added SuRun to see how it works. As this could stop a nasty working it might also qualify.

    In practice I rely on a Netgear Router and Firefox which I would define as having zero antimalware programs installed.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I agree.

    :thumb: :thumb:
     
  22. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Just one....NOD32.
     
  23. progress

    progress Guest

    1 antimalware (and 1 behavior blocker) ;)
     
  24. Beavenburt

    Beavenburt Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    566
    I voted 0 ................oh!

    Actually I'm wrong. I run drweb cureit on occasions but it never finds anything. Just router, hardening and alternative browser here.
     
  25. demonon

    demonon Guest

    Well, my security setup is in my signature.
    I actually only use one program in real-time.
    I also have two on-demand applications: Macrium Reflect and Shadow Defender.
     
    Last edited by a moderator: Apr 3, 2009