
Schneier on Security: Is Antivirus Dead? - billpg
http://www.schneier.com/blog/archives/2009/11/is_antivirus_de.html
======
stingraycharles
"On the other hand, an antivirus program with up-to-date signatures will
protect you from a lot of threats. It'll protect you against viruses, against
spyware, against Trojans -- against all sorts of malware. It'll run in the
background, automatically, and you won't notice any performance degradation at
all"

Now, this may be a bit off-topic, but does anyone know which software
he's talking about? I personally find that most of the virus scanners try
desperately to let you know how effective they are, constantly notifying what
they have done to help you, to validate their existence.

On the other hand, you have the more minimalistic virus scanners, like ClamAV,
but I really can't tell if they're effective or not. I fear they are not.

Does anyone have recommendations for a good virus scanner that doesn't suck?
Perhaps pg can make this a request for startups, please? It's about time this
whole industry stopped sucking. :)

~~~
sp332
Norton. No wait, hear me out. As many here know, Norton has always been a pig
of an antivirus. In 2007 and 2008, it was really, _really_ bad. It went from
just slowing computers down to making them unusable. In the face of consumer
backlash - even non-technical users were boycotting it - they made Norton
Antivirus 2009. It uses ~10MB of RAM, and is now one of the faster scanners
out there. It still gets Advanced/Advanced+ ratings from AV Comparatives, and
updates signatures about every 5 minutes. Plus it has a "gaming" mode which
puts even less stress on your system.

~~~
Danny72
Does it really update signatures every 5 minutes?

Seems a bit excessive.

~~~
sp332
Yeah, but it makes people feel better :)

------
chaosmachine
I spent 2 years working tech support for a large cable ISP. We offered a free
antivirus/firewall package. In my experience, the AV software was more likely
to break your PC than an actual virus, and we'd often get calls where people
were infested with malware the AV package didn't stop.

AV software gives you a false sense of security, imo.

------
marltod
Tools like time machine and vmware snapshots can make viruses less disastrous
than before. You can rollback instead of re-imaging or worrying about removing
all the malware.

~~~
antonovka
Only if you're aware that the virus is running, and it doesn't do something
disastrous in the meantime (eg, sniff your keystrokes while you enter a bank
account number or log into the hospital records system).

------
Dilpil
Will you really not notice any performance degradation from antivirus?
Really?

~~~
DannoHung
It is SO horrible. It's like if you stuck 30 pound weights on one hand of a
sprinter.

~~~
stcredzero
I use ClamX AV. I have it set to do scans of new Downloads and scans late at
night. I have no problems at all.

------
dmfdmf
I think the detection of virus signatures is a failing strategy. I have seen
computers that I _know_ are infected and scanning with multiple products
leaves some of the bugs undetected. That said, it would be pretty stupid to
run Windows today without a scanner. AVG and (believe it or not) Microsoft's
Essential Security are good and free. The two major problems with virus
scanners are that they bog the machine down (AVG is starting to do this). The
other problem, and I see this from all brands, is that they can detect a virus but
cannot remove it. This is a serious problem today because it then requires an
expensive tech visit to manually remove a virus.

------
bensummers
The bit about users accessing services on any old computer becoming the norm
is the bit which scares me. The idea of entering a password in a random
computer with who knows what key-logging malware installed scares me.

Two-factor can only go so far, as it only limits the window of opportunity to
between log in and log out.

While I, and most technical people, guard our computers carefully and wouldn't
use a computer owned by someone else for anything but anonymous web browsing,
the average user is quite happy to use some terminal in an internet cafe.

------
jodrellblank
""" Examine a typical antivirus package and you'll see it knows about 75,000+
viruses that might infect your machine. Compare that to the legitimate 30 or
so apps that I've installed on my machine, and you can see it's rather dumb to
try to track 75,000 pieces of Badness when even a simpleton could track 30
pieces of Goodness. In fact, if I were to simply track the 30 pieces of
Goodness on my machine, and allow nothing else to run, I would have
simultaneously solved the following problems:

* Spyware
* Viruses
* Remote Control Trojans
* Exploits that involve executing pre-installed code that you don't use regularly

Thanks to all the marketing hype around disclosing and announcing
vulnerabilities, there are (according to some industry analysts) between 200
and 700 new pieces of Badness hitting the Internet every month. Not only is
"Enumerating Badness" a dumb idea, it's gotten dumber during the few minutes
of your time you've bequeathed me by reading this article. """

- [http://www.ranum.com/security/computer_security/editorials/d...](http://www.ranum.com/security/computer_security/editorials/dumb/)
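The "enumerate goodness" idea in the quoted piece, as an added example that is not part of the original comment or of Ranum's text: record the hash of every executable module in a trusted baseline, then audit the same tree with default deny, so anything unknown, changed or gone is reported rather than looked up in a list of known Badness. The directory layout, the file names and the choice of `.exe`/`.dll`/`.sys` as the module types are constructed assumptions for the demo.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumption: these suffixes stand in for "things that can execute" on a Windows tree.
MODULE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large modules do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _modules(root: Path):
    """Yield (relative posix path, absolute path) for every module file under root."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in MODULE_SUFFIXES:
            yield p.relative_to(root).as_posix(), p


def build_manifest(root: Path) -> dict[str, str]:
    """Enumerate goodness: the trusted baseline is simply {relative path: sha256}."""
    return {rel: sha256_file(p) for rel, p in _modules(root)}


def audit(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Default deny: a module is acceptable only if it is in the manifest with the same hash."""
    findings: dict[str, list[str]] = {"unknown": [], "modified": [], "missing": []}
    seen = set()
    for rel, p in _modules(root):
        seen.add(rel)
        if rel not in manifest:
            findings["unknown"].append(rel)          # never approved
        elif manifest[rel] != sha256_file(p):
            findings["modified"].append(rel)         # approved, but changed since baseline
    findings["missing"] = sorted(set(manifest) - seen)  # approved, but no longer present
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three modules, then add one, patch one and remove one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "good.exe").write_bytes(b"MZ good app")
        (root / "app" / "helper.dll").write_bytes(b"MZ helper")
        (root / "driver.sys").write_bytes(b"MZ driver")
        (root / "notes.txt").write_bytes(b"not a module, ignored")
        manifest = build_manifest(root)

        # Changes that happen after the baseline was taken
        (root / "app" / "dropper.exe").write_bytes(b"MZ unexpected newcomer")
        (root / "app" / "helper.dll").write_bytes(b"MZ helper, patched in place")
        (root / "driver.sys").unlink()
        return audit(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The audit itself is a few lines; the hard part, as the replies below the quote point out, is keeping the manifest current when the baseline contains thousands of modules and legitimate updates rewrite them every month, which is why a real allowlist is keyed on publisher signatures or an update channel rather than on a one-off hash snapshot.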

~~~
barrkel
There are a lot more than "30 or so" pieces of goodness. Applications
(directly user-invoked executables) aren't the only vectors for malware and
viruses. A quick scan of my Windows 7 installation - just the Windows
directory - turns up about 17600 EXEs, DLLs and SYS files, which isn't an
exhaustive list of potential module types. Any of those are subject to change
on a monthly basis as updates get installed.

And this doesn't even start counting applications, and their update and patch
mechanisms.

~~~
skolor
And you can't even say "Any 'good' application is only going to do certain
sorts of actions. We'll scan those and if the application does something else,
stop it". UAC in Windows 7 and Vista went a long way to making this better, at
least if you're opening yourself to malware you usually have to click "I know
this is doing something which could be dangerous", and 7 went a step farther
by making it far more un-obtrusive so that users are less likely to auto-click
it.

It's still a losing battle though. Run
[http://technet.microsoft.com/en-us/sysinternals/bb896645.asp...](http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)
for a few minutes, and look at how many actions
are being taken, just when your computer is supposedly idle. Trying to
whitelist each and every one of those would be massive overhead.

What I've found (personally, this isn't for everyone) is to run with as minimal AV
as possible (right now, SSE), and if I notice anything out of the ordinary run
an offline virus scan. I usually do this with Bart-PE, although I've been
working on another method for it. Expecting an infected OS to report that it
is infected isn't the best idea, it is too easy to fake the results. Doing a
scan of the system while the OS is not running tends to be more reliable and
remove any problems a lot easier. I'm currently working on a system which will
PXE boot once a month, do a virus scan or two (with different, fully updated
scanners), defrag, checkdisk and do a general cleanup.

~~~
inpoiun
> Any 'good' application is only going to do certain sorts of actions

Like delete files, read files, contact websites, read keyb, send email?

There might also be naughty reasons to do these things

~~~
skolor
If you define them that way, yes. If instead you define them as:

Delete files in the application's working directory, read files from the
application's working directory or public areas, contact websites, read
keyboard _when this application is the focus_, send email.

It isn't nearly as dangerous. Sure, you've still got the computer contacting
websites and sending email, but that isn't a terribly large risk. There is
still a need for blacklisting that sort of activity. As far as reading
sensitive information, however, as long as working directories are categorized
well, and used by any applications dealing with anything sensitive, it isn't a
problem.
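The narrower definition above as an added example, not code from the original thread: a per-application policy that allows deletes only inside the application's own working directory, reads only there or in named public areas, keyboard access only while the application has focus, and denies any action the policy does not name. The application name, the directories and the request format are constructed assumptions for the demo. The one detail worth seeing in code is that paths are resolved before the containment check, so `workdir/../../secret.key` does not count as "inside the working directory".

```python
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class AppPolicy:
    name: str
    workdir: Path
    public_dirs: list[Path] = field(default_factory=list)


def _within(target: Path, root: Path) -> bool:
    """True if target lies under root once symlinks and '..' have been resolved."""
    try:
        target.resolve(strict=False).relative_to(root.resolve(strict=False))
        return True
    except ValueError:
        return False


def decide(policy: AppPolicy, action: str, target: str | None = None,
           focused_app: str | None = None) -> bool:
    """Default deny: only the actions the policy names, in the places it names."""
    if action == "delete":
        return target is not None and _within(Path(target), policy.workdir)
    if action == "read":
        if target is None:
            return False
        t = Path(target)
        return _within(t, policy.workdir) or any(_within(t, d) for d in policy.public_dirs)
    if action == "read_keyboard":
        # The comment's condition: keyboard input only while this application is the focus.
        return focused_app == policy.name
    if action in ("contact_website", "send_email"):
        # Permitted by this policy; the comment notes this is where blacklisting still applies.
        return True
    return False  # anything the policy does not mention is refused


def evaluate(policy: AppPolicy, requests) -> list[tuple[str, str | None, bool]]:
    """Run a batch of (action, target, focused_app) requests through the policy."""
    return [(action, target, decide(policy, action, target, focused))
            for action, target, focused in requests]


# Constructed policy and requests for the demo (paths need not exist).
EDITOR = AppPolicy("editor", Path("/opt/apps/editor"), [Path("/opt/public")])

SAMPLE_REQUESTS = [
    ("read", "/opt/apps/editor/config.ini", "editor"),                 # own working dir
    ("read", "/opt/public/dictionary.txt", "editor"),                  # public area
    ("read", "/opt/apps/editor/../../secrets/db.key", "editor"),       # traversal out of workdir
    ("read", "/home/alice/.ssh/id_rsa", "editor"),                     # sensitive, elsewhere
    ("delete", "/opt/public/dictionary.txt", "editor"),                # delete outside workdir
    ("delete", "/opt/apps/editor/cache.tmp", "editor"),                # delete inside workdir
    ("read_keyboard", None, "editor"),                                 # has focus
    ("read_keyboard", None, "browser"),                                # another app has focus
    ("send_email", None, "editor"),
    ("exec", "/opt/apps/editor/tool.exe", "editor"),                   # not in the policy
]

if __name__ == "__main__":
    for action, target, allowed in evaluate(EDITOR, SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {action:14} {target or ''}")
```

The policy is only as good as the categorisation of directories the comment relies on: if sensitive material is left in a "public area", or an application is granted a working directory that happens to contain secrets, the containment check passes and the read is allowed.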

------
pragmatic
Can anyone suggest a good white-listing software?

I see he recommends Malwarebytes' Anti-Malware:
<http://www.malwarebytes.org/mbam.php>

However this looks like more of a scanner than a white-listing software. The
other two he recommends look to be commercial only?

Any suggestions? Looking for Windows 7 64 bit capability. Thanks

------
billswift
I posted the original with Schneier's and Ranum's pieces
([http://searchsecurity.techtarget.com/magazinePrintFriendly/0...](http://searchsecurity.techtarget.com/magazinePrintFriendly/0,296905,sid14_gci1373562,00.html))
at about the same time this was posted -
<http://news.ycombinator.com/item?id=932940>

------
jdbeast00
I went sans AV software when I installed Windows 7. We are a long way from the
days of Windows 98.