Do you use antivirus software?

masteryoda34

Golden Member
Dec 17, 2007
1,399
3
81
In many instances I have seen that antivirus software is a) unable to prevent virus infection, b) unable to fix computer once infected. If this is the case, what is the point of av software? Anyone else have the same observation?

Personally, I do not run av software. I avoid running fishy stuff (or virustotal.com it first), keep software up-to-date, and in the rare cases I screw up then I reformat.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Yes... as a third-string defense in a defense-in-depth strategy.

Oh, and
Why waste cpu cycles?

Because with an i5-2500k, I have about 14 billion of them per second that'll get wasted one way or another. I suggest downloading Process Monitor from Microsoft and running it... the sheer volume of activity going on under the surface on your Windows system will put the demands of realtime antivirus protection into proper perspective.
 
Last edited:

lxskllr

No Lifer
Nov 30, 2004
57,686
7,912
126
I use GNU/Linux. No one cares enough to write viruses for me :^(

If I were using my more loved Windows box, I'd definitely run A/V. It's cheap insurance.
 

Magic Carpet

Diamond Member
Oct 2, 2011
3,477
232
106
Yes... as a third-string defense in a defense-in-depth strategy.

Oh, and


Because with an i5-2500k, I have about 14 billion of them per second that'll get wasted one way or another. I suggest downloading Process Monitor from Microsoft and running it... the sheer volume of activity going on under the surface on your Windows system will put the demands of realtime antivirus protection into proper perspective.
In my experience, av software has brought more problems than it has fixed / cured. Even if you can allow unnecessary overhead, it only excels at giving you false peace of mind and unnecessary irritation when it finds false positives.

Regmon (now Process Monitor) is actually a very useful piece of software and it has earned a place on my computer. Thanks for your point though.


Using windows and common browsers, how can you not?
The best av software is you.
 
Last edited:

thescreensavers

Diamond Member
Aug 3, 2005
9,930
2
81
Yes... as a third-string defense in a defense-in-depth strategy.

Oh, and


Because with an i5-2500k, I have about 14 billion of them per second that'll get wasted one way or another. I suggest downloading Process Monitor from Microsoft and running it... the sheer volume of activity going on under the surface on your Windows system will put the demands of realtime antivirus protection into proper perspective.

:thumbsup:
 

Lifted

Diamond Member
Nov 30, 2004
5,752
2
0
In my experience, av software has brought more problems than it has fixed / cured. Even if you can allow unnecessary overhead, it only excels at giving you false peace of mind and unnecessary irritation when it finds false positives.

I can't remember the last time I received a false positive, although the only time I ever get warnings is when I mistype a URL and end up at something like yuotube.com. That case only presents an issue when running IE anyway, which I only need for certain sites. I usually run FF w/ adblock and noscript, so when just browsing the web, it will always be with FF.

If you aren't downloading a lot of random apps, and run a secure browser, antivirus software probably won't get much use, but it's always nice to have when you make a mistake on the web (site or app), or insert a USB disk that has something nasty waiting for you on it.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I can't remember the last time I received a false positive, although the only time I ever get warnings is when I mistype a URL and end up at something like yuotube.com. That case only presents an issue when running IE anyway, which I only need for certain sites. I usually run FF w/ adblock and noscript, so when just browsing the web, it will always be with FF.

If you aren't downloading a lot of random apps, and run a secure browser, antivirus software probably won't get much use, but it's always nice to have when you make a mistake on the web (site or app), or insert a USB disk that has something nasty waiting for you on it.

Be aware that FF is missing some security tech these days. Chrome and IE9 both operate at a Low integrity level and feature their own flavors of sandboxing. FF has neither mitigation, which is rather odd since they've always claimed to provide security benefits. But if you like FF, you can use Sandboxie to sandbox it, and it's also possible to force it into Low-integrity operation (although this reportedly must be redone after every update).

If you like to control what sites can run scripts, NoScript works on FF, but IE has had that capability since IE5 back in 1999. They just don't have a catchy name for it. Succinctly: set the Trusted Sites zone to Medium-High security and add the desired sites to it, then set the Internet zone to HIGH or just cherry-pick what you don't want to run (Scripts, Java, ActiveX). Done.

Regarding the main topic, if you want a very powerful blanket defense that covers many popular angles of attack, then I suggest Software Restriction Policy if your Windows version supports it (Win7 Pro/Ultimate/Enterprise, Vista Business/Ultimate, WinXP Pro/MCE). Once you understand how it works, it's pretty easy to live with. Not much impact on performance, either.

If you can't use SRP, next best is the poorly-named Parental Controls on Vista or 7: enable program control, whitelist all the existing apps on the system, and then any new stuff will get blocked, including exploit payloads.

With either of these, make sure UAC is enabled and that your user account is a Standard User (create a separate Admin account just for Admin roles). If you're the only user, a password on the Admin account is not really necessary, making management easier.
 
Last edited:
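The Software Restriction Policy described in the post above, expressed as the registry keys secpol.msc writes, so the same "default Disallowed, allow the places a Standard User can't write to" design can be inspected or scripted. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell on Vista/7, and the rule descriptions, the two deny rules for user-writable folders under %SystemRoot%, and the choice to exempt local Administrators (PolicyScope = 1) are my choices, not anything the post prescribes.

```powershell
# Added example (not from the thread): write a Software Restriction Policy to the
# same registry location secpol.msc uses. Run from an elevated PowerShell.
# Assumption: level key names are the decimal SAFER level (0 = Disallowed,
# 262144 = 0x40000 = Unrestricted), as created by the SRP snap-in.
#Requires -RunAsAdministrator
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# DefaultLevel 0 = Disallowed: anything not matched by an allow rule does not run.
Set-ItemProperty -Path $base -Name DefaultLevel -Value 0 -Type DWord
# PolicyScope 1 = enforce for everyone except local Administrators (so the
# separate Admin account can still install things).
Set-ItemProperty -Path $base -Name PolicyScope -Value 1 -Type DWord
# TransparentEnabled 1 = check executables; 2 would also check DLLs (much noisier).
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -Type DWord

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,        # may contain %ENV% variables
        [Parameter(Mandatory)][int]$Level,          # 0 = Disallowed, 262144 = Unrestricted
        [string]$Description = ''
    )
    # Each rule lives in its own GUID-named key under <level>\Paths.
    $key = Join-Path $base "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTime()) -Type QWord
    return $key
}

# Allow rules: locations a Standard User cannot write to.
Add-SrpPathRule -Path '%SystemRoot%'         -Level 262144 -Description 'Windows'
Add-SrpPathRule -Path '%ProgramFiles%'       -Level 262144 -Description 'Program Files'
Add-SrpPathRule -Path '%ProgramFiles(x86)%'  -Level 262144 -Description 'Program Files (x86)'

# Deny rules: user-writable subfolders inside %SystemRoot%. SRP gives the more
# specific path rule precedence, so these override the %SystemRoot% allow rule.
Add-SrpPathRule -Path '%SystemRoot%\Temp'  -Level 0 -Description 'Deny user-writable Temp'
Add-SrpPathRule -Path '%SystemRoot%\Tasks' -Level 0 -Description 'Deny user-writable Tasks'

Write-Host 'SRP written. Log off and on (or reboot) for the policy to take effect.'
```

Before enabling DefaultLevel = 0 on a machine you depend on, list what already runs from user-writable locations (%AppData%, %LocalAppData%, %Temp%, %UserProfile%\Downloads); anything there will be blocked, which is the point, but it is also where some legitimate per-user installers put themselves.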

Magic Carpet

Diamond Member
Oct 2, 2011
3,477
232
106
mechBgon,

:thumbsup:

I appreciate you wrote everything up ^. That is very true. SRP w/ standard user account eliminates 90% of security issues.

With regards to USB attacks, just keep Autorun disabled. That's it.

About false positives:

For example, when you are dealing with keygens and some other homebrew software. More and more AV are getting on the payroll to mask "illegal software" as viruses.

With robust back-up strategy and sand-boxing... av software is useless. Unless of course you don't know what you are doing.
 
Last edited:

sm625

Diamond Member
May 6, 2011
8,172
137
106
If I had a dollar for every AV program that was running on a system infected with sysguard crap, I'd be able to retire. Antivirus is absolutely useless and is effectively malware in and of itself.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Speaking of disabling AutoRun, Microsoft now has a Fix-It for that: http://support.microsoft.com/kb/967715 and scroll down to the mechanic-in-a-hat icons.

I don't think Microsoft likes the idea of completely turning off AutoRun, but I do. If I want to run something, I'll insert the disc/drive and run it myself, thanks.
 
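Disabling AutoRun as the two posts above describe, plus a read-only check of the layered defenses this thread keeps coming back to (Standard User, UAC, AutoRun off, SRP default Disallowed). This is an added example, not from the thread or from Microsoft's Fix-It: setting NoDriveTypeAutoRun to 0xFF under Policies\Explorer is the manual method KB967715 documents; the additional NoAutorun = 1 value (the "do not execute any autorun commands" policy on Vista/7) and the way the posture check is laid out are my assumptions. The write half needs elevation; the check half is meant to be run from the daily-use account, which should report "Standard User".

```powershell
# Added example (not from the thread). Part 1 disables AutoRun for every drive
# type; Part 2 reports the state of the defenses discussed in this thread.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-Elevated {
    $p = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-AutoRun {
    New-Item -Path $explorerPolicy -Force | Out-Null
    # 0xFF = bit set for every drive type: no AutoRun on removable, fixed, network,
    # CD/DVD or RAM disks (the value the KB967715 Fix-It sets).
    Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    # Assumption: NoAutorun = 1 maps to the "Default behavior for AutoRun: do not
    # execute any autorun commands" policy, so autorun.inf is ignored even if a
    # future update changes the default drive-type mask.
    Set-ItemProperty -Path $explorerPolicy -Name NoAutorun -Value 1 -Type DWord
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-DefensePosture {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    # The Administrators group SID (S-1-5-32-544) stays in the token even when UAC
    # filters it to "deny only", so this answers "is the ACCOUNT an admin", which
    # is the question that matters, not "is this shell elevated".
    $adminMember = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    $system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $srp    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    [ordered]@{
        'Account is a Standard User' = -not $adminMember
        'UAC enabled (EnableLUA)'    = (Get-RegValue $system 'EnableLUA') -eq 1
        'AutoRun off for all drives' = (Get-RegValue $explorerPolicy 'NoDriveTypeAutoRun') -eq 0xFF
        'autorun.inf commands off'   = (Get-RegValue $explorerPolicy 'NoAutorun') -eq 1
        'SRP default = Disallowed'   = (Get-RegValue $srp 'DefaultLevel') -eq 0
    }
}

if (Test-Elevated) {
    Disable-AutoRun
    Write-Host 'AutoRun disabled. Re-run this script from your Standard User account to audit.'
} else {
    Write-Warning 'Not elevated: skipping the AutoRun change, reporting only.'
}
Test-DefensePosture | Format-Table -AutoSize
```

A "False" on the first line while everything else is "True" is the common mistake: the daily account is still in Administrators, so a drive-by that gets past the browser has an elevation prompt (or a silent auto-elevation) between it and the whole machine instead of a hard wall.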

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
The best av software is you.

Truer words were never spoken, but there are sites (even the best of them) that will infect immediately through rogue banner ads. I still use an A/V and try to plug vulnerabilities as 2nd and 3rd string defenses to try and limit damage. I even use a 3rd party firewall on the oldest machines which many people find humorous.

Jim
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Yes... as a third-string defense in a defense-in-depth strategy.

Oh, and


Because with an i5-2500k, I have about 14 billion of them per second that'll get wasted one way or another. I suggest downloading Process Monitor from Microsoft and running it... the sheer volume of activity going on under the surface on your Windows system will put the demands of realtime antivirus protection into proper perspective.

In theory you're right, but in practice it's a different thing. A/V consistently causes performance drops and other issues, probably because you can't have a filter driver that checks every open() against 10s or 100s of thousands of signatures in zero time, so latency increases for every file access. And "the sheer volume of activity" within Windows is huge, so if you add a few ms of latency to every operation the performance effects can be huge. And then couple that with software that just seems to be written pretty poorly and the effect is even bigger.

I would still recommend some A/V for most users, but telling them it won't have any effect on the performance of their system is just a blatant lie.
 

Magic Carpet

Diamond Member
Oct 2, 2011
3,477
232
106
That depends on your system settings and rights. To kill somebody, first you have to love him / her. AV software often gives you a false sense of security. Often it causes problems itself... like slowdowns... unless you have a fast computer w/ good IO, you're killing yourself in the foot.

Thanks for joining in, Jim.

EDIT:

Nothinman +1.
 

notposting

Diamond Member
Jul 22, 2005
3,485
28
91
I do. Just switched my main desktop to MSE from Avast Free...Avast seems to be bloating up *sigh*.

First AV I ran was Disinfectant for Mac, probably around '90 or so
 

Magic Carpet

Diamond Member
Oct 2, 2011
3,477
232
106
The last time I benched AV for a client, Avast Free came out on top, beating MSE in CPU utilization and memory footprint. That laptop only had 512mb of RAM, if I remember correctly. It was usable... more or less.

I wouldn't touch MSE with anything less than 1gb of ram and a dual-core cpu.

As long as people are aware of the shortcomings, my job's done. Most consumer laptops come with home editions wo/ SRP anyway. However, this thread wasn't aimed at the general public... hence I wanted to hear from the people that have some clue about computers ;-)
 
Last edited:

Lifted

Diamond Member
Nov 30, 2004
5,752
2
0
Be aware that FF is missing some security tech these days. Chrome and IE9 both operate at a Low integrity level and feature their own flavors of sandboxing. FF has neither mitigation, which is rather odd since they've always claimed to provide security benefits. But if you like FF, you can use Sandboxie to sandbox it, and it's also possible to force it into Low-integrity operation (although this reportedly must be redone after every update).

Thanks for the link. The majority appear to be Java and PDF related exploits, so that's hopefully a matter of keeping those up to date (if the known exploits have been fixed) and being careful at unknown/untrusted sites.

I agree about IE being secure - in a secure environment. I have everything locked down at work for all users, but I believe the discussion here was focusing on non-enterprise security, and IE with its default config, users running as a local admin, is by far the most common situation.

Adding sites one at a time to a lower/trusted security zones in IE would be a nightmare compared to using noscript. While I frequently use this via GPO's at work, mostly for banks, I often have to allow 5 or more 3rd party sites to get a page or site to display the relevant data I'm after in FF w/ noscript. Unless there's an IE add-on out there which allows this granular level of on-the-fly permission per page/site/domain, how would I be able to easily tell which 3rd party sites are being pulled from in order to add them into the zones in IE? Suppose the page is pulling from 20 or more and you only want to allow the few that are required? Is this possible yet in IE?
 
Last edited:

Magic Carpet

Diamond Member
Oct 2, 2011
3,477
232
106
you on a Pentium 2 or something? lol
Nope, never had those. Upgraded from Pentium 133 straight to Pentium III 733. Back then I used to run Norton Corporate AV, Windows 98 SE. With AV or without, I had to reinstall the damn box every 2 weeks or so, lol.
 
Last edited:

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
you on a Pentium 2 or something? lol
seriously, you'd have to be a moron to use Windows and no security software.

CPU only has a little bit to do with it. I/O is the main issue, and inserting a filter driver that scans each I/O request will have an effect on performance regardless of how fast your CPU is, how many cores it has, etc.
 

Red Squirrel

No Lifer
May 24, 2003
67,936
12,384
126
www.anyf.ca
I do, but sometimes I wonder what the point is. Antivirus software does not protect from drive bys, spyware and other junk that's not actually considered a virus, but is still very damaging. Viruses normally come through email, and you have to be an idiot to open that. If they actually made an antivirus that also protects from ALL malware, no matter what category it's in, then it would maybe be more worth it.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
CPU only has a little bit to do with it. I/O is the main issue, and inserting a filter driver that scans each I/O request will have an effect on performance regardless of how fast your CPU is, how many cores it has, etc.

Fair enough. Here's a site that benchmarked a few real-world scenarios with several A/Vs, for those who'd be interested:

http://blog.tune-up.com/windows-ins...-out-do-security-solutions-slow-down-your-pc/

As we'd all expect, the impact ranges from significant to zero, depending on what's being done. Here's one I can relate to, since I use PowerDirector:



On the main topic, I see an underlying thought process going like this: "Antivirus software isn't a bulletproof defense, so why have it if it could slow down my BF3 map loads?" But if you apply that logic to every layer of your defense, which ones would you have left?

To paint a real-world scenario for why this layer may be worth keeping, I'll refer to the recent Duqu hoopla. Duqu was a recon Trojan developed at huge expense to hit specific targets. It exploited a kernel vulnerability in Windows to get itself installed.

Microsoft took 6-8 weeks to crank out a patch for this vulnerability. If other bad guys could've figured out how to use the vulnerability in exploit packs, before the patch arrived, even my favorite arsenal of defensive measures wouldn't have stopped them... except for antivirus protection. Microsoft worked with A/V vendors and they had detection for exploits of that vulnerability about a month before the patch arrived. Antivirus vendors often build generic detections for Flash, PDF and Java exploits too.

So while I'm not betting the farm on antivirus, it has its place. If nothing else, it can tip you off to monkeyshines even when you're actually safe from them. Case in point: I set up a new Win7 installation and went to American Power Conversion's site for some UPS software, only to be attacked by a BlackHole exploit kit, because SURPRISE, APC's site was hax0red. And the reason I was even aware of the attack is that MSE detected it. No human-detectable symptoms. While I was technically safe from it regardless, I was still appreciative of an alert.

So that's my story and I'm sticking to it.
 
Last edited:

jkroeder

Member
Dec 7, 2009
165
0
71
Nope.

I don't trust software that largely relies on signatures to determine what is good and what is bad. It's as simple as that.

How do I know this file that the AV detected is not a false positive? I can't.

How do I know that this file I just scanned is actually clean? I can't.

I just don't bother. I run a Windows 7 Pro system in a standard user account and I employ a software restriction policy and have done so since XP Pro days (thanks in part to mechBgon). I also don't have autorun/autoplay enabled.

My main browser is Chromium based and I use Admuncher to block ads.
 