Why use an AV?

Sully (Steve),

Let's be honest, the ones advocating against a simple AV setup are the execeptions on the rule, so let's agree you (and Pete and ... lot's of others) are the exceptions on the rule everyone should use an AV

Same thing could be said about a sandbox, why use a sandbox when your browser and PDF viewer allready have one? What is your take on that?
Why use an anti-executable when your OS allready has got one? Et cetera

Best regards

Kees

 

Yes, that is how i meant it

 

lol, I can't help but always ask "why" when such rules and laws are in place Not that I am a lawless person, far from it. But it always itches in the back of my head, "why can't you do X?", or in this case, why is an AV so critical.

And to answer your question, why not use a sandbox? For me, its always about what makes it tick or why do it that way. Its the only reason why I know what I know today, because I question everything and like experimenting.

My only point is that when someone says it should be done this way or must be done that way, or "the experts" say its this way, is sometimes its just not that clearcut. There are so many dynamics at play, what software/settings/methods you do or don't use to find any type of security almost has to be examined on a case by case basis, and that doesn't even include what each user would add to the equation.

Sul.

 

As far as "accepted standard" goes, I beg to differ. IMO, AVs have never been it and never will be. Here's why:

1. AV companies aren't the only security companies in the market. Even then, they are primarily a product/service provider. There's also the aspect of conflicting interest.

2. Security experts have disagreements and debates on the subject. Each of them is also limited to their field of knowledge/interest.

3. They do not have the legal rights to dictate such "standards". If anything, I'd say they are "recommendations" or "guidelines".

For "basic fundamentals", I'd say security is a process; a state of the mind. Acknowledge that there's weaknesses and flaws. Learn how to accept these as risks. Aim to prevent them or reduce their impact.

In essence, members here are saying that there is more than one way to skin a cat. They are sharing different approaches and why they make such choices. No one is obliged to follow and no one should be held responsible for merely stating their chosen path. One is free to choose what one deems fit in relation to the risks one is exposed to. Why not appreciate the diversity rather than conforming to the mentality of "1 size fits all"?

Most importantly, realize that security is not merely the use of XXX. Security software are just tools to assist, not the be-all and end-all.

 

This is well said.

There is no "right way" or "wrong way". Different people think differently and believe that different methods work better for them.

Is an AV + firewall/HIPS type setup right or wrong? Answer: Neither. For the person more comfortable using them, it is right. For someone who wants to use a Sandbox/clean image type approach it might be considered wrong. But to each their own. I'm not prepared to say that one way is right or the other way is wrong...it's whatever works for the user and that they are comfortable with.

That said.....reading through this thread did seem to indicate that some were suggesting or "hinting" that they don't use ANY security software. Here is what I'm referring to:

^ with no mention of what "measures" he IS using.

^ which, as I pointed out earlier, fails to mention definitively what IS being used....just metaphorically what "might" be used "in a particular instance" (i.e. - IF sharing the computer OR installing programs)

^ Again...no mention of what he DOES use.

^ Talking about what he'd do afterward "IF" he discovered that something had already happened.

^ In response to Keatah's comment.

etc., etc.

The absolute BEST comment made in this thread was by m0use0ver, who said:

 

Problem is, some people keep differentiating real-time AVs and OD scanners. In my book, they both fall into the same category. Only work in different ways. I'm not saying AVs are "accepted standards" per se, but that's probably the easiest and most distinct way to know if file X is infected or not. Therefore, it became such a recommended method of security.

Slightly OT, but I bet some people stopped using a real-time AV because of pure hatred of their performance in the past. Pretty much like some ex Windows users who moved to Linux or Mac and love to badmouth Windows because they simply misconfigured the OS or just plain not being careful.

 

@JRCATES

You can find them having posted their security setups on this forum here in other threads.

Peter2150: Online Armor, NVT Exe Radar Pro, AppGuard
bo elam: Sandboxie
Boost: Geswall, CTM

 

Forgive me, safeguy.....but I'm not going to make that much of an effort by stalking other posts made by other members just to discover what type software they use.

If they want to disclose that at the time they post, they certainly have that option.

 

As mentioned earlier in this thread FUD (Fear Uncertainty and Doubt) has worked marvelously through the years in convincing billions of computer users that without an AV a computer will stop working properly if infected. Somebody else wrote "It's an accepted standard of using an AV and Firewall. These are the basic fundamentals which are stated by known international security companies... ". Kaspersky website reported not long ago that 70,000 new types of malware are created everyday...

Some conspiracies theories even suggest a possible relationship between virus makers and antivirus companies might exist, who knows? The fact remains that all AV companies that are talked about in this forum are making an awful lot of money with a business model that must be sustainable: the yearly subscription.

Is it needed? I don't think so, but certainly for average users it is a way to delay or contain damage due to ignorance or nonchalance. In my humble experience (8 years of concerned computing) I had no issues with threats from the internet, but a lot of malware detected in third party flash drives.
My current security is based on sandboxing and checking suspicious flash drives with a couple of scanners.

I had countless problems with configuration issues, drivers, corruption of files, conflicts DUE to installation of antimalware applications, not a single issue due to viruses et al. If one has a reliable imaging system really an infection should only be experienced as a ten minutes headache.

Wilders newcomers are generally attracted to the antivirus and antimalware sections first, learning to reliably backup a system seems to be the last skill in their priorities. I think it should be the other way round.

 

I believe AMIGA500 was referring to real-time AV so my reply and use of the term "AV" in that post was referring to the same. I'm not AV-antagonistic because I see the value in it. I've said earlier on that most of us, especially Windows users, still benefit from AV, even if we do not use it real-time. Neither do I see the AV industry dying nor do I hope for it to happen. I just happen to disagree with calling it "accepted standard". Then again, I'm just voicing out my opinion.

 

I know. I was referring to the people who said real-time AVs are useless and just resource hogs for no apparent reason.

 

I tend to think those who would be anti AV would not, in a broad sense, say AV are useless so much as in a much smaller scope, useless for them. And even then, I would bet that most would admit they can be of service, just not what they want to rely upon.

At least thats the impression I have had when such things have been said.

Resource wise, I would not say people say that for no apparent reason. I've seen very apparent reasons myself.

Sul.

 

Well I would not say that you can't get infected, but I believe that if you are very careful about what you let get installed on your computer, it is very hard to get infected - even with absolutely no security software installed, Windows Defender disabled and just running Windows firewall.

I have in the past, often had a setup like this, and despite visiting lots of unsafe sites - e.g. if Google warns me about visiting a site because it is infected - I just copy and paste the URL and visit it anyway, I would get infected probably at the absolute most 4 times a year - that's with daily internet use.

When I have got infected almost always it's been due to launching an infected download. If was I careful about what I ran then my infection rate would be close to zero. Maybe I would get infected once a year.

 

Uhhmmm. It's a matter of perspectives.

E.g. Joe

Joe doesn't use mail clients. He uses web-mail. He doesn't use torrent clients. His primary threat gate is the browser and main concerns: drive-by downloads and others executing code. If he uses AE/sandbox, his primary concern is alleviated.

He doesn't worry much about software or other stuff he downloads since he has a good track record so far. There might be a possibility of a real-time AV catching something that he executes by mistaken trust but at the same time, he considers the risk of that happening low. The AV, while technically is useful, presents nothing much of added value to him compared to the costs (price, bandwidth, resource usage, dealing with FPs).

E.g. Jane

Jane can't be bothered with AE/sandbox/HIPS. She finds it annoying and breaks her workflow since she downloads and runs a lot of programs as part of her work/hobby. She is concerned about the the stuff she downloads but at the same time she can't afford to scan each file manually to verify. In her case, she finds it easier to run a real-time AV in the background doing the AI analysis.

What I'm saying is security also involves feelings. This can easily be seen when one says he/she feels its "safe enough" for him/her. This is why I find it ridiculous for someone to tell another person what's right/wrong. You're not in his/her shoes. Sure, you can advise but there has got to be a limit - let the individual do his/her risk assessment and find that comfort zone.

 

Indeed. It's just similar to the discussions in admin vs LUA, or Chrome's sandbox vs Sandboxie, or Windows vs Linux vs Mac etc. I'm just afraid that, while this kind of thread would yield creative ways to securing Windows (or OS in general), it might potentially "inspires" some people to run-no-av with the reason of just beacuase*, without knowing what they're actually doing. Maybe I'm too paranoid, but most people out there can't handle HIPS or virtualization or anti-exe or other advanced & non-linear methods. Yeah, you can say "don't do that", but there are some people which are so persistent in doing no-av. I'm worried about that.

Not that I feel objected with this kind of discussion, but in the end security would be divided into some small groups and oftenly turned into some kind of extreme-fascism (lol). I'm starting to smell such a thing now.

Oh my, I'm getting OT. Where am I heading now...

*it's not a typo.

 

Doesn't everyone start "new things" by being inspired to do something they've never done? Who is inspired to do what they already know? Whenever you do something you've never done, you always do it without knowing what you are doing. Thats how you learn, by doing.

Sul.

 

Counter-question: Why not use one? There are few of us in the world who can look at lines of code and declare "Yep, malicious!". The only sensible answer I've seen so far is because someone has image software and has backups offline.

 

Note that the inspires word is in quotation marks. And I can't believe you missed the epic beacuase lol.

It's true that you learn by doing things you have never done before, but that doesn't mean blindly trying some new methods you just heard/read 5 minutes ago. I wouldn't use EMET before I read some documentations and guides first.

 

To be fair, that really is beyond anyone's control. Human beings are "awarded" with brains to think and to decide. To put it in my terms:

"If I eat ****, it doesn't mean you have to eat **** too".

That being said, sometimes people imitate so as to learn better/faster even if they do not understand what they are doing initially. Why should we be critical? Isn't that what we do since we were young? If we are scared to try things, we would have never learnt how to walk.

Of course, we are adults. Like everything else in life, if you are smart (or stupid) enough to take action, you are held responsible for your action. No one else is to be blamed. Live and learn from mistakes.

 

I did mention SBIE in my first post, either I was not clear when I wrote that post or you misunderstood what I wrote. Spanish is my native tongue so probably was my fault. Anyway, what I meant to say on that post is that if I was sharing my computers with my wife or anyone else or if I was a user that installs new programs all the time, then I would use an antivirus like MSE along Sandboxie. FYI, I use NoScript and SBIE.

Bo

 

Don't you love it when we can learn different things from a same scenario. In my case though, I prefer to play safe nowadays and always prepared plan B, C, D, and so on.

 

English is not your native language then?

While I am not a teacher of english, the quotes around inspires EMPHASIZED the word, thus giving it some importance in the statement. It is logical then to assume that "inspires" is one of the main concepts that you wished to communicate.

Not sure why because* is epic really. When you say "just because" it would imply that there is no specific reason or "just because you can" or "just because its there".

So what I got from it was quite literally what you wrote, that some people might be inspired, by reading such threads as this one, to not use an AV. The because* part did not really fit with inspires (how can you inspire someone to do something "just because"?)? Since the word inspire was quoted, it seemed natural that it would be what you wanted to convey.

I guess maybe I did not understand. It doesn't matter I guess, but you can certainly explain and I would be glad to try again

Safeguy is doing a great job of explaining this to you. You might not try EMET before reading documentations, but I did. I almost always do, with everything. Some things I fix that don't even have a manual. Maybe its intuition or "flying by the seat of your pants", but whatever it is, I am really good at it. Different from you as you are from me

Sul.

 

lol, thats why I come here! Sometimes its not the ideas from those that know a lot that are valuable, but thoughts from those that don't know as much, because they are not trapped by "how things should be" and tend to have ideas that are off-the-wall. I love those things, it often causes me to think about things in a way I would not have otherwise!

Sul.

 

I seen the above in another forum, it usually happens in threads like this one when people talk about not using an antivirus and doing things differently.

Bo