
> There is no need for anything.

This is a bit of a broad brush. It assumes that all people always act with the best security hygiene.

I detest traditional AV as snake oil and realize that there is additional risk added by using AV, but it does have its place in many threat models, especially for those who are not internet+security literate.



AV will make those people who are not internet+security literate more vulnerable. There have been vulnerabilities found in all major anti-viruses, some of them were really bad. You're better off not using an antivirus. See for example: https://arstechnica.com/information-technology/2017/06/lates...

Staying up to date on your updates is the best advice you can give.


> AV will make those people who are not internet+security literate more vulnerable. There have been vulnerabilities found in all major anti-viruses, some of them were really bad. You're better off not using an antivirus.

I don't think you can reasonably defend this position.

Let's take a pessimistic guess at the efficacy of antivirus software and say it blocks 50% of the new malware generated in a given day. Now let's take a wildly optimistic stab at the added risk of using antivirus and say it increases your exposure by 1%.

Are you really saying that a 1% risk increase is too high a price to pay for halving your risk overall?

Don't get me wrong, there are all kinds of reasons for power users to bemoan antivirus. RCE vulnerabilities are certainly one, but even just day-to-day usability issues are a legitimate concern. The average user, though, is still statistically much safer with antivirus.

> Staying up to date on your updates is the best advice you can give.

The vast majority of attacks don't involve vulnerabilities, even counting events like WannaCry. It's mostly down to people clicking on things they shouldn't be clicking on. Keeping your software updated is important, of course, but absolutely will not keep you safe.


Oh this looks like a fun game. Let me try. Let's take a pessimistic guess at the efficacy of antivirus software and say it blocks 20% of the new malware generated in a given day. Now let's take a wildly optimistic stab at the added risk of using antivirus and say it increases your exposure by 35%.

Are you really saying that a 35% risk increase is an acceptable price to pay for a small reduction in overall risk?

You can't just pull numbers out of thin air to make your point.

Experience has shown us that antivirus software does not do what it says on the tin.


> You can't just pull numbers out of thin air to make your point.

> Experience has shown us that antivirus software does not do what it says on the tin.

Whose experience?

I built WildFire at Palo Alto Networks[1]. We analyzed a few tens of millions of new potential threats daily, including the VirusTotal firehose.

As part of our internal efficacy and competitive monitoring, we took the top 5 enterprise antivirus products and ran everything coming into WildFire through them.

The delta between ground truth and what the antivirus engines caught using only static scanning and emulation was about a third, i.e. better than the pessimistic estimate of half I threw out. (In the real world, antivirus actually does better because malware is easier to catch after it starts running.)

The danger of antivirus, on the other hand, is wildly overstated in this thread. A small fraction of attacks use vulnerabilities to begin with, and in the scheme of things, very few antivirus vulnerabilities have been found. 1% is just a nice, round number chosen for illustrative purposes; it's orders of magnitude greater than the real risk.

Now, this will surprise exactly no one who works in security, since most new malware is a minor variant of existing malware and exploits are relatively uncommon, but for the less experienced folks reading these comments, I implore you: Don't listen to people who say antivirus is useless or, worse, makes you less secure.

It isn't. It doesn't. They're wrong.

1. It's the biggest ATP product out there, took the crown from FireEye c. 2015. https://www.paloaltonetworks.com/products/secure-the-network...


> The danger of antivirus, on the other hand, is wildly overstated in this thread. A small fraction of attacks use vulnerabilities to begin with

But AV vulnerabilities sit on the top of the attack class pyramid. They often are remotely executable, run with kernel privileges and do not require user interaction.

You can't lump that together with malware that requires tricking a user into downloading an installer, clicking through it and granting it elevated privileges.


> Whose experience?

Off the top of my head, users of Bitdefender.

You're right, of course; my point is that without some evidence you're just making up numbers to prove your point, and any jerk with a keyboard (like, say, me) can do the same thing. Thanks for providing some background to those numbers.


This Bitdefender vulnerability doesn't come with a PoC and is difficult to exploit due to DEP and ASLR---hooray for defense in depth! I've got a thousand nodes running Bitdefender in environments where malware runs rampant, and I'm not really that worried about someone coming after us through the scan engine. What I am going to do is make sure all my clients are up to date, which is really no different than my existing patch management activities.


Your comment sounds like a commercial mainly.


If you're talking about WildFire, it's not an antivirus product and isn't relevant to this conversation beyond establishing the provenance of the data I've shared with you.

If you're talking about something else, I've stated that antivirus detects around two-thirds of new malware on any given day. In case it wasn't already clear, two-thirds is terrible.

Your claim is far more extreme, though. You said "You're better off not using an antivirus". That's wrong. Antivirus won't keep you safe, but you're still safer with it than without it.


Security products flag cookies as malware, so your point is kind of doubtful.


> Security products flag cookies as malware

If you're saying cookies shouldn't be flagged by antivirus, that's wrong. Cookies can be associated with malware in any number of ways[1], although grayware (especially adware), which antivirus also flags depending on configuration, is a more likely culprit.

1. Check out PyExfil, for example: https://github.com/ytisf/PyExfil. Cookies for data exfiltration. DNS controls on firewalls are there for similar reasons.


Oh, exfiltration? Yeah, you're like every other malware 'protection' snake oil salesman.


Antivirus software is fundamentally reactive in nature, not proactive, and I don't run antivirus software to catch novel malware. That's mitigated in other ways (which largely amount to good hygiene and disaster recovery planning).

Rather, I run antivirus software to prevent vulnerabilities due to human error and known threats, and in this regard it functions admirably. Think of it as one of the latter lines of defense in a multi-layer strategy. We are human; we trust our family, friends, and colleagues innately; and even the best of us makes mistakes. One tiny mistake, one shortcut---maybe not even by ourselves but by someone inside our circle of trust---and even security experts can end up running malware. Antivirus acts as a backstop, a last ditch defense predicated on the likelihood that the malicious code in question is well known.

I don't know where you got your numbers from, but I've run enterprise antivirus for about 15 years now. I haven't seen anything target the scan engine. I have hundreds of thousands of instances where someone ran malware and the scan engine caught it, sometimes even just using heuristic signatures. So you do you. I'm going to continue running it even though I know it's reactive.


I made my numbers up to prove a point.

Antivirus has its place, of course, but not all products are created equal. There's a lot of marketing B.S. associated with AV products, especially consumer versions.

A lifetime ago I worked in IT support and AV was a constant pain point. For me it was a lot of energy wasted cleaning up PCs that were "protected" by the likes of Symantec and Norton. I hope the state of the industry has improved since then.


> Let's take a pessimistic guess at the efficacy of antivirus software and say it blocks 50% of the new malware generated in a given day.

AV is unlikely to do that well against new malware.


See my reply to the other comment. In fact antivirus does better than that. I was being knowingly pessimistic.


No, it makes them less vulnerable. I work on computers for some very tech illiterate people. They will regularly get more badware until I install an AV (generally avast! Free).


Let's forget about statistics. AV doesn't make your system immune from risks, but it's a good check. Perhaps going extreme, some vaccines are not 100% preventive (there are many that are). I download a file, run a file check, and if I am still not convinced, I go to VirusTotal to get more feedback. From experience, there were a few malicious ones that passed most of the AVs, because many AVs determine maliciousness based on the same algorithms.

I get the idea that we should ditch an AV if the vendor sucks at producing and maintaining the AV software, because that's literally inviting a thief to stop by. You are better off reducing the risk exposure. But there is still value in having one.

As with any software, there are bugs. It just so happens Edge is shipped with Windows 10, and is also made by Microsoft. So should we give up on Chrome / Firefox / Opera because they also contain vulnerabilities but are made outside of Microsoft, which means we have another update schedule? No, because people value other browsers and, most importantly, Chrome and Firefox updates are so frequent that we feel safe. If we assume AV vendors are as responsible as Chrome and Firefox developers, constantly pushing software updates so security bugs are fixed in no time, then why should we reject something that can be helpful?

How about Windows Defender? It's built-in, but doesn't have a 100% success rate in independent testing, and even so those are just samples that aren't like WannaCry, popping up out of nowhere.

So being able to defend against the basic attacks is good enough. What really sucks is that people are paying a lot of money for basic protection (and even more for the "Internet suite" bundled with VPN etc.). This is a true rip-off, but whether one is computer savvy or not, we can't take out a screw if all we have is bare hands and nothing else (nothing around you but on a lonely island without trees or plants or rocks, only water and dirt). You can try by breaking the wall or the plank, but it would be a painful task. So take your risk. I won't stop you.


> AV doesn't make your system immune from risks,

AV makes your system more vulnerable to malware.

> I get the idea that we should ditch an AV if vendor sucks at producing and maintaining the AV software

They all do suck.


In particular I'm thinking of my very non-techie mother.


Is there a way to lock down Windows 10 nowadays, so that you can only install software from the Windows store?


That seems to be the main feature of Windows 10 S, Microsoft's Chrome OS alternative.


Windows 10S will do just that, whenever it is released.
