
Arrogant Anti-virus Doesn't Appreciate Your Choices - AndrewDucker
http://rants.effu.se/2013/03/Arrogant-Anti-virus-Doesn%27t-Appreciate-Your-Choices
======
justinschuh
AV software bothers me so much. It's not just that it's generally ineffective.
It's that when you bother dissecting it, you usually find it makes users less
safe (e.g. non ASLR/NX injected binaries, dangerous root certs, vulnerable
hooks and format handlers, etc.). That said, Avast has caused me unique pain,
and my personal experience correlates with the author's.

Chrome's sandbox blocks all access to system resources, so it's a very bad
idea to inject hooks into our sandboxed processes, because they usually just
break. So, we often have to use the sandbox's loader hooking mechanism to
block third-party DLL hooks that are known to cause crashes (i.e. "security"
software and other process-hooking utilities). Of course, Avast shows up
regularly as a crasher, so eventually I added their DLLs to the block-list and
then tried to start Chrome.

So, imagine my surprise when blocking the offending Avast DLLs breaks Chrome
by preventing all content--even internal content--from loading. I dig into it
a bit more and find that Avast is hanging all our sandboxed processes, because
their system-level hooking is so invasive that they won't let any process run
if their injected DLL hooks don't attach. At that point I was forced to give
up, because there's not much you can reasonably do against such recklessly
invasive software already present on the system. It's really not very
different from malware.

~~~
nolok
Microsoft Security Essentials does so much right. When they put their mind
into it, Microsoft really does great software.

~~~
ambrop7
You have to take into account that Microsoft can modify their own OS and
implement what needs to be done in a proper way. On the other hand, third-
party vendors can only use the public interfaces exposed by the OS, or resort
to unreliable and/or undocumented methods that may break at any time.

There probably is no solution to that, any third-party software that needs
tight integration with the OS is going to have that problem.

~~~
nolok
MSE for Windows XP had no associated patch or service pack, was using the same
API as every other AV out there, and was about a thousand times better.

One could argue Microsoft doesn't need to turn a profit so they can afford to
be less intrusive, but the truth is that I would pay for MSE. I wouldn't pay
for any of the others.

~~~
criley
_a thousand times better_

I was under the impression that MSE routinely did OK in AV benchmarks and
rarely even ever held the top spot. How is it a thousand times better?

Or does its ability to keep you safe not really factor into your analysis of
the software?

~~~
nolok
To be honest with you, my point of view is that no antivirus is going to
protect me 100%; I always have to care about what I open, where it's coming
from, ...

What I want from my AV then, is to catch the most obvious (and thus numerous)
ones, and do so in a way that doesn't bother me. MSE just doesn't get in the
way. It updates silently. It scans silently. It detects silently, asks you for
something but takes the safe course by default. You are in a full screen app?
It doesn't crash everything trying to take control, it just deals with the
threat and shows a red icon in the tray.

It doesn't make my computer safer than the other, but it makes me lose way
less time when it does its job.

~~~
criley
Fair enough, I use Lavasoft because its free version is incredibly well
featured and it routinely outperforms MSE in AV tests.

I'm just confused by all of the mad-love for MSE. It's good, but I never
thought it was the best myself, and I've not seen any objective reasoning for
calling it the best.

------
revelation
I don't get it. You use an Anti-Virus software to protect you from threats, a
common threat vector is email, so the software scans emails to detect such
threats. All consideration of how well that actually works aside, _it's doing
exactly what you wanted it to do_.

The software needs elevated privileges to do that, and you granted them. You
have given it the keys to the castle and now you complain it's using them to
install an extra certificate? That might come as a shocker to you, _but all
security is compromised if the system ensuring it is_. They don't have to
install that certificate; they can patch software and APIs all day and it
wouldn't show up in any fancy GUI. You don't have to break the crypto or MITM
it if you have exclusive control over the software performing it. Nobody tries
to break disk encryption; they sneak into your room and replace the TrueCrypt
bootloader on your laptop with one that looks the same but phishes the
password.

~~~
lambada
You're missing the point. The author can understand it doing these things by
default. But it appears to be regularly losing / ignoring his opt-out.

Something with full privileges, ignoring your specified preferences? That's
far worse than something that has them by default but allows you to change it.

------
RyanZAG
It's unfortunate that more people don't understand just how serious a breach
it is to install special root certificates. This actually does a complete home
run around the entirety of web-based security.

It's very close to having every physical lock sold by a company having a
special key that can open all of the locks they sell. Even if you trust that
company to buy your lock from them, it's going much too far in allowing them
to open up your safe whenever they want to.
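
A defender-side way to notice the kind of silent root-certificate addition this comment warns about, as an added example that is not part of the thread: a small Python script that snapshots the SHA-256 fingerprints of the Windows ROOT store (through the standard library's ssl.enum_certificates, which exists only on Windows builds) into a baseline file and, on later runs, reports any root certificates added or removed since. The baseline file name is an assumption made for this example.

```python
import hashlib
import json
import ssl
import sys
from pathlib import Path

# Snapshot location; the path is an assumption made for this example.
BASELINE = Path("root-store-baseline.json")

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted the way certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def collect_root_fingerprints(store: str = "ROOT") -> set:
    """Fingerprints of every X.509 certificate in a Windows system store.
    ssl.enum_certificates exists only in Windows builds of CPython; elsewhere
    this returns an empty set so the diff logic below still runs."""
    if not hasattr(ssl, "enum_certificates"):
        return set()
    return {
        fingerprint(der)
        for der, encoding, _trust in ssl.enum_certificates(store)
        if encoding == "x509_asn"  # skip PKCS#7 bundles, which are not single certs
    }

def diff_against_baseline(current: set, baseline: set) -> dict:
    """Roots that appeared or vanished since the baseline snapshot was taken."""
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}

def main() -> int:
    current = collect_root_fingerprints()
    if "--baseline" in sys.argv or not BASELINE.exists():
        BASELINE.write_text(json.dumps(sorted(current), indent=2))
        print(f"baseline written with {len(current)} root certificates")
        return 0
    changes = diff_against_baseline(current, set(json.loads(BASELINE.read_text())))
    for kind in ("added", "removed"):
        for fp in changes[kind]:
            print(f"{kind.upper():8}{fp}")
    # Non-zero exit lets a scheduled task or login script alert on drift.
    return 1 if changes["added"] or changes["removed"] else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it once with `--baseline` on a freshly installed machine, then schedule it; any line it prints afterwards is a root that something on the system added or removed without you doing it.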

~~~
eli
Sure, if you don't trust your AV. But if you don't trust your AV, you've
already got problems.

~~~
relic
I think there's a difference between not trusting an AV, and not trusting that
the humans who created it didn't make any mistakes. Assuming that your AV
is perfect and can in no way be compromised is a dangerous assumption, because
if it fails even the tiniest bit, you are royally screwed.

------
dgesang
I haven't used any antivirus software in years, IMHO they're just annoying and
reduce performance (used to use NOD32 until 2007, loved it back then). Here is
what I do instead:

    - surf the web consciously
    - do not open any email attachments from unknown senders (seriously, it's 2013, who does that anymore?)
    - do not open any URLs from unknown senders (same as above)
    - disable unnecessary browser plugins (i.e. everything but Flash)
    - use NoScript-like browser addons
    - only run executables I 'trust' (tough one, I know)
    - run executables I do not 'trust' in sandbox or VM
    - properly configured router firewall settings
    - * software firewall to monitor & block/allow incoming *and outgoing* connections (Comodo Firewall)
    - * work with a user that does not have root/admin privileges (*Power User* privileges are sufficient for daily work)

Esp. the last two points are important and unusual. This requires a certain
level of knowledge about IT, computers and some common sense, though.

If I really need to check a file for malware I use webtools like
<http://virusscan.jotti.org>

~~~
JangoSteve
What you described is similar to my process (though on Windows I always
install MSE now too), but it's important to acknowledge the limitations of
such an approach. For example:

    - do not open any email attachments from unknown senders (seriously, it's 2013, who does that anymore?)
    - do not open any URLs from unknown senders (same as above)

These only work as long as no one you know gets hacked. You're vulnerable as
much as the weakest person in your trusted network, and I guarantee others in
your network aren't as careful as you. So it's not just avoiding URLs and
attachments from unknown senders, it's avoiding URLs and attachments even from
people you know and trust that you weren't expecting them to send you. I've
come really close before to clicking links from friends that said something
along the lines of "Holy crap, this is you", which is actually sometimes
expected because I have friends who see articles or pictures written about or
by me.

~~~
dgesang
True, even mail from known senders has to be handled with care as well.

    "holy crap, this is you"

This scam could be avoided easily by checking the link's actual URL before
clicking on it. And even if you click and end up on some malware-infected
website, disabling all unnecessary and insecure browser plugins and using
NoScript should be enough protection. If it's not, the restricted privileges
hinder the malware from doing serious damage (e.g. rewriting/deleting system
files).

------
ishansharma
I have recently purchased Avast and I regret it. While the free version serves
well as an antivirus, the paid version does all kinds of strange things with the system.
It made Wi-Fi stop working under Windows 8, rendered OpenVPN drivers
uninstallable and what not.

Anyone with a good AV suggestion? I want something light on the system that has
a firewall as well (can go for a separate firewall as well), free options
preferred.

~~~
forcer
If you have W8, why don't you just stick with what is built in? There is
really no need to have AV software on W8.

~~~
derefr
I don't know why this was downvoted. Windows 8 comes with Microsoft Security
Essentials (rebranded back to "Windows Defender"), Windows Firewall, and
Windows Smart-screen Filter all set up by default. Additionally, every browser
(including IE10) now does its own phishing/malware site flagging protection.

Together, that's about the sum of what AV packages provide you--so I don't
really see the need for one any more, as long as you leave all the defaults
on.

~~~
Already__Taken
Further reading on this:
<http://blogs.msdn.com/b/b8/archive/2011/09/15/protecting-you-from-malware.aspx>

------
ck2
Avast also installs plugins on every single kind of browser you have, to
monitor URLs, and the newest version now has a remote support agent, I assume
to help fix problems, but remote control in an anti-virus product? What could
possibly go wrong.

------
mixmastamyk
I've never understood why you'd want an antivirus snooping on your email.
Assuming you have an up-to-date email client that doesn't auto-execute
attachments, and a filesystem scanner that runs on file save, what value does
this intrusion add?

------
7952
It is amazing the level of trust we give anti-virus on windows. By its very
nature it needs access that you would not want a user level program to have.

------
xuhu
Does anyone have the text? The site seems down.

~~~
jtymes
<https://webcache.googleusercontent.com/search?hl=en&biw=1680&bih=952&sclient=psy-ab&q=cache%3Ahttp%3A%2F%2Frants.effu.se%2F2013%2F03%2FArrogant-Anti-virus-Doesn%2527t-Appreciate-Your-Choices&oq=cache%3Ahttp%3A%2F%2Frants.effu.se%2F2013%2F03%2FArrogant-Anti-virus-Doesn%2527t-Appreciate-Your-Choices&gs_l=hp.3...12661.13554.1.13886.6.6.0.0.0.2.141.550.0j5.5.0.les%3Bcpsugrccgaiagame..0.1...1.1.6.psy-ab.FR_qLBMDObQ&pbx=1>

