AV software bothers me so much. It's not just that it's generally ineffective. It's that when you bother dissecting it, you usually find it make users less safe (e.g. non ASLR/NX injected binaries, dangerous root certs, vulnerable hooks and format handlers, etc.). That said, Avast has caused me unique pain, and my personal experience correlates with the author's.
Chrome's sandbox blocks all access to system resources, so it's a very bad idea to inject hooks into our sandboxed processes, because they usually just break. So, we often have to use the sandbox's loader hooking mechanism to block third-party DLL hooks that are known to cause crashes (ie. "security" software and other process-hooking utilities). Of course, Avast shows up regularly as a crasher, so eventually I added their DLLs to the block-list and then tried to start Chrome.
So, imagine my surprise when blocking the offending Avast DLLs breaks Chrome by preventing all content--even internal content--from loading. I dig into it a bit more and find that Avast is hanging all our sandboxed processes, because their system-level hooking is so invasive that they won't let any process run if their injected DLL hooks don't attach. At that point I was forced to give up, because there's not much you can reasonably do against such recklessly invasive software already present on the system. It's really not very different from malware.
You have to take into account that Microsoft can modify their own OS and implement what needs to be done in a proper way. On the other hand, third-party vendors can only use the public interfaces exposed by the OS, or resort to unreliable and/or undocumented methods that may break at any time.
There probably is no solution to that, any third-party software that needs tights integration with the OS is going to have that problem.
MSE for windows XP had no associated patch or service pack, was using the same api as every other AV out there, and was about a thousand time better.
One could argue Microsoft doesn't need to turn a profit so they can afford to be less intrusive, but the truth is that I would pay for MSE. I wouldn't pay for any of the others.
That argument is indeed the core of it. Every other antivirus needs to be in your face constantly so you think you're getting value out of the purchase. They all suffer from the "this rock keeps tigers away" problem, that their enemy shows up too infrequently to justify their own existence. So they need to noisily invent enemies.
MSE's existence makes a ton of sense when you realize the reason for its creation. It was developed to reduce Microsoft's own support workload, as a significant proportion of Windows support tickets are caused by both malware and belligerent antimalware. MSE justifies its existence by reducing OS support costs rather than by annoying users into paying for antivirus. So Microsoft's incentive is simply to have users use MSE, which is nicely aligned with delivering a clean quiet positive user experience.
To be honest with you, my point of view is that no antivirus is going to protect me 100%, I always have to care about what I open, where it's coming from, ...
What I want from my AV then, is to catch the most obvious (and thus numerous) ones, and do so in a way that doesn't bother me. MSE just doesn't get in the way. It updates silently. It scans silently. It detects silently, ask you for something but take the safe course by default. You are in a full screen app ? It doesn't crash everything trying to take control, it just deals with the threat and show a red icon in the tray.
It doesn't make my computer safer than the other, but it makes me lose way less time when it does its job.
Fair enough, I use Lavasoft because its free version is incredibly well featured and it routinely outperforms MSE in AV tests.
I'm just confused by all of the mad-love for MSE. It's good, but I never thought it was the best myself, and I've not seen any objective reasoning for calling it the best.
So true, every third party AV I've installed on Windows has been a pain in the arse, but MSE just works.
It's a crazy mixed up world in which they're actually afraid to ship MSE with the OS, because a third party application industry relies on the default OS release to be insecure.
I don't get it. You use an Anti-Virus software to protect you from threats, a common threat vector is email, so the software scans emails to detect such threats. All consideration of how well that actually works aside, it's doing exactly what you wanted it to do.
The software needs elevated privileges to do that, and you granted them. You have given it the keys to the castle and now you complain it's using them to install an extra certificate? That might come as a shocker to you, but all security is compromised if the system ensuring it is. They don't have to install that certificate; they can patch software and APIs all day and it wouldn't show up in any fancy GUI. You don't have to break the crypto or MITM it if you have exclusive control over the software performing it. Nobody tries to break disk encryption; they sneak into your room and replace the TrueCrypt bootloader on your laptop with one that looks the same but phishes the password.
You're missing the point. The author can understand it doing these things by default. But it appears to be regularly loosing / ignoring his opt-out.
Something with full privileges, ignoring your specified preferences? That's far worse than something that has them by default but allows you to change it.
It's unfortunate that more people don't understand just how serious a breach it is to install special root certificates. This actually does a complete home run around the entirety of web-based security.
It's very close to having every physical lock sold by a company having a special key that can open all of the locks they sell. Even if you trust that company to buy your lock from them, it's going much too far in allowing them to open up your safe whenever they want to.
I think there's a difference between not trusting an AV, and not trusting that the humans who created it didn't make any mistakes. By assuming that your AV is perfect and can in no way be compromised is a dangerous assumption, because if it fails even the tiniest bit, you are royally screwed.
I haven't used any antivirus software in years, IMHO they're just annoying and reduce performance (used to use NOD32 until 2007, loved it back then). Here is what I do instead:
- surf the web consciously
- do not open any email attachments from unknown senders (seriously, it's 2013, who does that anymore?)
- do not open any URLs from unknown senders (same as above)
- disable unnecessary browser plugins (i.e. everything but Flash)
- use NoScript-like browser addons
- only run executables I 'trust' (tough one, I know)
- run executables I do not 'trust' in sandbox or VM
- properly configured router firewall settings
- * software firewall to monitor & block/allow incoming *and outgoing* connections (Comodo Firewall)
- * work with a user that does not have root/admin privileges (*Power User* privileges are sufficient for daily work)
Esp. the last two points are important and unusual. This requires a certain level of knowledge about IT, computers and some common sense, though.
What you described is similar to my process (though on Windows I always install MSE now too), but it's important to acknowledge the limitations of such an approach. For example:
- do not open any email attachments from unknown senders (seriously, it's 2013, who does that anymore?)
- do not open any URLs from unknown senders (same as above)
These only work as longs as no one you know gets hacked. You're vulnerable as much as the weakest person in your trusted network, and I guarantee others in your network aren't as careful as you. So it's not just avoiding URLs and attachments from unknown senders, it's avoiding URLs and attachments even from people you know and trust that you weren't expecting them to send you. I've come really close before to clicking links from friends that said something along the lines of "Holy crap, this is you", which is actually sometimes expected because I have friends who see articles or pictures written about or by me.
True, even mail from known senders has to be dealt with care as well.
"holy crap, this is you"
This scam could be avoided easily by checking the links actual URL before clicking on it. And even if you click and end up with some malware infected website, disabling all unnecessary and insecure browser plugins and using NoScript should be enough protection. If it's not, the restricted privileges hinder the malware from doing serious damage (e.g. rewriting/deleting system files).
I have recently purchased Avast and I regret it. While free version serves as an anti virus well, paid version does all kind of strange things with system. It made Wi-Fi stop working under Windows 8, rendered OpenVPN drivers uninstallable and what not.
Anyone with a good AV suggestion? I want something light on system that has Firewall as well(can go for separate Firewall as well), free options preferred.
> Anyone with a good AV suggestion? I want something light on system that has Firewall as well(can go for separate Firewall as well), free options preferred.
Use Microsoft's Security Essentials and the built-in firewall. Nothing else is enough better to be worth the cost, performance hit or reliability hits (MSE isn't magically immune to those but it's tested by the same people and they have a stronger incentive to keep the Windows experience competitive).
That's for the easy end of security risks: since traditional AV is becoming less and less effective there's increasingly little benefit to cancel out the costs of using it. The way the AV industry sales tactics are increasingly relying on sleazy fear tactics mirrors this: the traditional players are used to a certain recurring revenue stream and really don't want people to start questioning how effective it is.
The real benefits come from disabling plugins (or at least click-to-play) and keeping internet-facing software on a fast update cycle - Chrome or Firefox, etc. Since the exploit cycle is getting faster, it's about staying ahead of it and finding defense in depth improvements (e.g. not having Flash installed, keeping truly sensitive data on separate systems, using two-factor authentication everywhere, etc.) to reduce the chance of a simple exploit getting whatever the attacker wants.
ClamAV/ClamWin. It's not a resident antivirus so you'll have to scan files you download yourself (or set some kind of trigger) which IMHO is better because it doesn't hog your PC when you don't need it.
Microsoft Security Essentials is good on Windows too. Microsoft has a bad reputation but it does a good job here.
You'll need a separate firewall, but Windows has one built-in and Linux has sooo many alternatives.
Also: keep your software up to date and do regular full-system scans just in case.
-
EDIT: care to explain the downvotes please? It's so irritating when you downvote legitimate comments without further explanation. Where am I wrong here? Is it just because I mentioned Microsoft?
Of course you can downvote but please do us all a favor and explain.
Microsoft Security Essentials + Windows Firewall (enabled by default if you install MSE) = probably good enough unless you visit a lot of shady websites. In fact, this is the exact same combination that comes with every copy of Windows 8.
I don't know why this was downvoted. Windows 8 comes with Microsoft Security Essentials (rebranded back to "Windows Defender"), Windows Firewall, and Windows Smart-screen Filter all set up by default. Additionally, every browser (including IE10) now does its own phishing/malware site flagging protection.
Together, that's about the sum of what AV packages provide you--so I don't really see the need for one any more, as long as you leave all the defaults on.
I should have mentioned that I downgraded to Windows 7 after having graphics drivers issue with 8. Apparently, AMD never built drivers for 44xx series of cards, so I couldn't play games properly.
But Windows Defender is available on Win 7 too, right?
According to AV Comparatives' tests [1] Avira Free Antivirus performs the best out of all free (gratis) antiviruses for Windows. I use it myself on Windows XP VMs as well as hardware Windows 7/8 installations and aside from the annoying daily pop-up I found the experience quite satisfactory. The downside is that with real-time protection enabled it slowed down older Pentium 4M and AMD Sempron machines I've tried it on a bit too much compared to Avast.
Avast also installs plugins on every single kind of browser you have to monitor urls and the newest version now has a remote support agent I assume to help fix problems but remote control in an anti-virus product? What could possibly go wrong.
I've never understood why you'd want an antivirus snooping on your email. Assuming you have an up-to-date email client that doesn't auto-execute attachments, and a filesystem scanner that runs on file save, what value does this intrusion add?
It is amazing the level of trust we give anti-virus on windows. By its very nature it needs access that you would not want a user level program to have.
Chrome's sandbox blocks all access to system resources, so it's a very bad idea to inject hooks into our sandboxed processes, because they usually just break. So, we often have to use the sandbox's loader hooking mechanism to block third-party DLL hooks that are known to cause crashes (ie. "security" software and other process-hooking utilities). Of course, Avast shows up regularly as a crasher, so eventually I added their DLLs to the block-list and then tried to start Chrome.
So, imagine my surprise when blocking the offending Avast DLLs breaks Chrome by preventing all content--even internal content--from loading. I dig into it a bit more and find that Avast is hanging all our sandboxed processes, because their system-level hooking is so invasive that they won't let any process run if their injected DLL hooks don't attach. At that point I was forced to give up, because there's not much you can reasonably do against such recklessly invasive software already present on the system. It's really not very different from malware.