Is the "AV" still the cornerstone of a security setup?.

I am hoping the moderators will give this thread some leway as it could expand into many topics so i ask you this.With software available like HIPS, Deepfreeze,ShadowUser and then finally Rollback RX and FirstDefense ISR, do you feel the role/importance of the "AV" has changed/diminished?.Some people and some products "Prevx1" say that you don't need an "AV" at all anymore ( i'm not too sure about that).What do you think?.Is the "AV" still just as important?.And for what it's worth, i have grown to respect this forum and the knowledge and opinions of it's participants.

 

Yes, I think that an AV is still important.

- However nice all those virtual technologies / recovery programs are, the moment something is executed during a session, you could be in deep problems.

- All the proactive systems are very time consuming, and you need to know what to allow and what not. At the same time, a compromised "safe" allowed program *could* lead to compromise of your machine.

But it is nice to see the development of these systems. Now only to integrate them in security systems (Kaspersky version 6 is a nice look at the future IMO) and we finaly have a nice security-in-depth package.

edit: typo / readability

 

IMHO, I think the key is not to rely on one product (or one type of technology, like an AV for example). For my money, a layered approach to security makes far more sense. Better lots of little walls than one big wall that the bad guys can just walk around

Ned

 

If something is executed (malware) within a virtual volume or a snapshot you could have problems in terms of private info leaking out of your computer (if you don't have a decent firewall) but certainly not for viruses as rebooting or deleting your snapshot would rid your system of any malware.

I agree that an AV is still important, but certainly it's no longer the cornerstone of a security setup. Running an AV as the first pillar of security IMO is dangerous, because you will never know what it doesn't catch (e.g. rootkits) therefore an environment which will be regularly recreated is the only answer to quasi perfect security.

Another issue about AVs (very dear argument to ErikAlbert) is the number of signatures: Can their number increase forever? (1M, 2M...)

 

I mean look at ShadowUser for instance.You can go online in shadowmode and surf wherever you want, do whatever you want.Play games that need to install active x, generally do things that would normally present risk without the thought of " i hope my AV's on its toes here".So in situations like this, the "AV" doesn't matter.And a few years ago, i never thought i'd say that.

 

Well, sandboxing technology has been around for a long time. The merit of an antivirus is that it can spot (sometimes) malicious executables without the need to carefully examine them in a protected enviroment (something that many users would not be able to do anyway); yes, adware and destructive malware can be spotted very easily, but keyloggers and backdoors are made to be run as hidden as possible (altough they CAN be spotted with the right tools).

That said I think that nowadays with a proper setup you don't really need an antivirus in real time, just one on demand. And when I say "with a proper setup" I defintely don't mean just "Windows with the latest patches".

 

I believe that if they can ever prevent the bios and other non OS components from being infected or corrupted by malware then the imaging softwares will probably be sufficent to correct any infestation you might get in The OS. But until then I think an AV is essential to safe operation of your computer.

 

I would unequivocally state that, at present, signature-based antimalware application(s) coupled with some level of communications control (firewall/router) do remain the cornerstone of security for the vast majority of users.

Other approaches (various flavors of virtualization, application execution firewalls, various system monitoring utilities, etc) can be used alone or in combination with success under controlled circumstances. However, since all of these approaches ultimately require some level of user input (even the community based approaches), successful implimentation of these methods requires a rather sophisticated, disciplined, and knowledgeable user. With sufficient discipline and savvy. a user should be able to do extremely well with simply a router or software firewall. However, that scenario does not include the masses.

Layering can be fine as long as it is rationally developed with a clear understanding of what the various components accomplish and how they potentially interact. I tend to depart company with some layering strategies when they fail to have a coherent or rational structure. The other point to realize is that layering generally addresses clear deficiencies in a given approach at the time, which may be addressed in generalized products over time. To some degree I view spyware in this light, although coverage can be spotty depending upon the specific products employed. I appreciate the "don't put all your eggs in one basket" sentiment. By the same token, don't scramble your eggs by continually shuffling them between multiple competing baskets.

There is oftentimes handwringing that the use of automated signature based applications such as AV's provide users with the appearance of security without the users ever coming to grips with what computer security really means. There is a certain level of truth in that sentiment. However, the user also is, in fact, rather well protected as long as the basic application is kept up to date, goes with a default (or more secure) configuration, and follows the recommended actions of the application.

My own advice has been fairly consistent for a while - if asked cold and if I'm unable to delve into the nuances of a specific situation - my base recommendation remains a router and top tier general AV. I personally like to augment that base a bit, see here, but the final configuration relies on some specific functional decisions that I've taken and most of this can, in fact, be realized using a well chosen suite.

Any of the rapid recovery approaches, do precisely that and that alone, which is a rather different outcome than security even though they share many common features. They are good as an adjunct, although I currently do not view them as a replacement strategy.

Blue

 

How bout this scenario.I've gone days sometimes only just surfing, checking email and maybe taking a few snapshots of funny pictures to send to friends, maybe downloading a song or 2 of a new artist to see if i like it.Non of this i actually want to save.Using an AV and router, the AV is very important just doing these few things.In shadowmode, the AV means nothing.I do agree an AV still must be used but depending on situations, it's just not all important like it used to be.

 

Well, if we're going to do hypotheticals, the only time I really suffered from a virus, it was "sent" by a friend via email and executed on preview while I had disabled my AV. This was years ago.

You said you'd send things to friends, so why is the AV not necessarily important in this circumstance? Are your friends on their own when it comes to your communications?

I know, there's lots of steps they could take to protect themselves. However, there's one step you could take to protect them as well. In shadowmode, does an AV still mean nothing?

Blue

 

I guess you are right in that reguard.Even sending a few snapshots would involve some risk to the receiver and i do agree with bigc that there are still some scenarios the products i mentioned in my post can't cover ( yet anyway).But its amazing what some of these products can do take the pressure off relying on your AV.

 

Concerning my new security setup in theory, I'm already sure about this :
1. Separation of OS and personal files.
2. Image Backup.
3. Snapshots.
4. Router.
5. Firewall.
6. Encryption.
7. Another browser, than MSIE.
8. Ignoring/deleting of spam-emails, no matter what you use as email-software

But I still have to agree with BlueZannetti, that rapid recovery isn't a replacement for scanners. I don't like to admit this, because I don't like the way how scanners fight against malware. It isn't even fighting, it's more an incomplete collection of malware-fingerprints, that is used to remove threats.
Heuristics is the only smart part of scanners, if you put the false positives aside.
In order to feed that collection, you have to run after the bad guys and pick up their droppings FOREVER.
If you want to win a war, you don't run after the enemy, you run faster than the enemy and fight with better weapons than the enemy.

Better weapons are :
- HIPS, unfortunately too sophisticated for the majority of users.
- Anti-Executable softwares are good, but it doesn't protect you against exploits.
- Virtual protection, because it isolates the execution of malwares and is more userfriendly than HIPS.

Snapshots aren't weapons against malwares, because malwares can do whatever they want between TWO snapshots and that is a very vulnerable period. Encryption will protect your privacy during that weak period, but won't protect you against the execution of malwares.
One big advantage of CLEAN snapshots is the fast recovery time and removal of any existing, new and undiscovered threat. Scanners take hours to run and don't remove all threats.

So my new security setup isn't finished yet, because I didn't protect myself against the execution of malwares and I don't trust virtual protection enough to do this. They are too vague in what they are doing.
Maybe it's a good idea to work with virtual protection and use scanners to verify how good these virtual softwares are.

 

I fully agree that some of the new software is really amazing. I wouldn't be without FDISR simply because it is so easy to recover from infection or a screw up on my part, or even a bad software install. In the back of my mind I still worry about getting infected by a real bad nasty. But since I got FDISR I don't think about it nearly as hard But I still depend heavily on my F-Secure IS 2006 to keep the the bad stuff out.

 

ErikAlbert,

Obviously there are a multitude of approaches available to one, and many of them are reasonably equivalent in end result.

I see many of the comments noting image backup and/or snapshots as relates to security. I've have a number of occasions in the past when a backup strategy was a deliverance for me, it's just that it has never involved a security related matter. It has always been an errant beta test application or a hardware failure. I have multiple examples of each of these, but none where malware has necessitated a reinstall. I understand the specter of rootkits has many on edge, but a number of steps must occur before one suffers that fate, and handling the issue at those points seems preferred.

Just a bit of context. When I offer my general suggestions here, I often have a new user in implicitly mind. For that population, something along the lines of router/top-tier AV with default install/BOClean is very hard to beat for overall performance and simplicity of use. If a software firewall is desired, go with either the suite flavor of top-tier AV or add a firewall. My own definition of top-tier AV is one that is rated Advanced+ in either or both variants of the www.av-comparatives.org tests. While this suggestion is mine for the masses, I've really not encountered a circumstance where this configuration is wanting from an overall security perspective.

Blue

 

As I was reading this thread the obvious answer to me is a top level AV such as KAV 2006 which I am using and BoClean. You don't need anything else with those two. I think BoClean is useful for the more advanced user as well as the newbie. BoClean, unlike ProcessGuard and its competitors, doesn't need any care and feeding. It just works from the getgo. PG I have become somewhat soured on with constant problems with the latest version and its competitors are even worse...major headaches. Whereas, BoClean, you install it, set it to auto update and that is it. PG you have to constantly interact with and then it has a zillion problems and DiamondCS is not as responsive as Kevin is for BoClean. So, even though I am advanced enough user to be able to properly use PG, I think I am going to dump it for BoClean as I am like anyone else...I like it to just work and BoClean does that superbly.

I certainly don't see how anyone can claim AV is not the cornerstone along with AT (which is a misnomer as it is really antimalware) for any system today. Yes, I have VMWare Workstation 5.5 and I can use snapshots and not use an AV on the virtual machines but I still use AV as who wants to have to revert to a snapshot when an AV can take care of the problem? I have TI also, but I sure don't use TI as my antivirus. Gee, TI is for emergencies only IMO.

 

DeepFreeze guarantees 100% workstation recovery on reboot
Provides password protection and complete security
Protects multiple hard drives and partitions
Protects CMOS
Protects master boot record

I don't know if FD-ISR, Rollback, ShadowUser, ... offer all these protections.

Is there a security software that is specialized in protection against "Hardware Viruses" ?
Because these malwares are very nasty ones.

Most malwares aren't destructive and can be removed with a clean snapshot and you wouldn't need an AV scanner anymore.

I'm more interested in the malwares that cannot be removed by snapshots or can even cause damage in a virtual environment.
If I'm protected against these nasty malwares, I'm satisfied.

 

Using Acronis True Image for some time already and it's as simple to use as it could be.
The program makes a bootable CD with everything on it, in order to find your image and within 6 minutes, you are back on the road!

 

Well, this is what I want and I feel is appropriate for most folks. While constant care/feeding/infinite configurability may be a desired feature to an advanced user, it is not a neutral aspect for the beginner. In fact, in my own estimation, it is generally a decided liability for the less advanced user. Before the comment is raised, I don't believe this is talking down to anyone, it is simply a reflection of objective reality in the real world.

Blue

 

Image backup is already included in my security setup. That doesn't protect you against hardware viruses.

 

Or malware that executes itself DURING a session

 

No, but it sure as hell helps after a disaster, no matter what!

 

Image backup and snapshots do exactly the same thing, they restore your system in a healthy state.
The only difference between both is that snapshots won't save you, when your harddisk crashes, while an image backup on an external harddisk or on another internal harddisk or DVD/CD will put you back in business.
You can't live without an image backup, but you can live without snapshots.
So this problem is solved.

I have other problems, that aren't solved yet and one of them are hardware viruses.

 

I know all that already, but that doesn't answer my question.
I'm looking for a software that is specialized in protecting my computer against hardware viruses.
Is there such a software or not ?