Performance-oriented Windows tweaking

Page 9

imported_BikeDude

Senior member
May 12, 2004
Originally posted by: Nothinman
it makes sense to run an antivirus unless you're absolutely sure all of the email you're receiving and webpages you're visiting are clean.

No.

I'm pretty confident most of the mails I receive are anything BUT clean. So I do not run attachments unless I can verify its source (or rather asked for the contents in the first place). P0rn.eXe and others are at most saved for research purposes, but usually I simply discard them. I get a lot of infected e-mails, but I never get infected. There's a difference, and one that many users fail to spot.

And AV is hardly comparable to insurance. When I insure something it seldom causes noticeable performance degradation. Auto insurance doesn't mean my car goes slower (I might even get more reckless and drive faster). AV software OTOH will in some instances seriously degrade performance (and some users also get more reckless -- the only thing AV has in common with insurance).

E.g.: I'm currently fieldtesting a large software package, and some fieldtesters complain about 15+ minute uninstalls. They usually run one of the more popular AV packages. (I get at most 1 minute on a run-of-the-mill SATA drive) Sure, a virus slipping by will cause me a lot of grief, but I'll take that as an incentive for frequent backups, not to degrade performance on a permanent basis. (I've never had a virus infection, but hardware failure poses a real threat)

As for my firewall comment -- I usually have a firewall installed (Cisco PIX at work, simple NAT in the router at home), but: If I want to share something (http/ftp/dns/whatever), then I have to open up certain ports anyway. At this point I have to keep up with OS patches, no matter what... AV won't help. Personal firewall won't help. Closing known vulnerabilities by patching (usually) will.

Finally... I cleaned up my browser habits a long time ago. Javascript/Java/Active-X are all disabled. Sites I trust are all listed in the Trusted sites list (thus enabling javascript et al). Did I mention that in addition to not getting infected by virus -- I never install any spyware either? And the amount of in-page ad-noise is kept at a minimum as well. (no flash, see?)

In short: Just read xtknight's post.
 

Nothinman

Elite Member
Sep 14, 2001
I'm pretty confident most of the mails I receive are anything BUT clean. So I do not run attachments unless I can verify its source (or rather asked for the contents in the first place). P0rn.eXe and others are at most saved for research purposes, but usually I simply discard them. I get a lot of infected e-mails, but I never get infected. There's a difference, and one that many users fail to spot.

But that's not always enough, modern mail clients are extremely complicated and can be tricked into running things for you. Same thing for websites, which should be obvious considering that the HTML parsers are usually the most vulnerable part of the mail and web clients.

E.g.: I'm currently fieldtesting a large software package, and some fieldtesters complain about 15+ minute uninstalls. They usually run one of the more popular AV packages. (I get at most 1 minute on a run-of-the-mill SATA drive)

Yes, I know the filter drivers can cause a decent amount of slowdowns. That's why I usually disable mine at work when I go to install something that I know is clean.

At this point I have to keep up with OS patches, no matter what... AV won't help. Personal firewall won't help. Closing known vulnerabilities by patching (usually) will.

Usually being the operative word, right now you're lucky because most of the time the people finding the exploit give the software people time to come up with a patch and release it. But that doesn't always happen and in the future the time between problems being announced and exploits being released will only get smaller. You can't be patched against what you don't know about and that's where the AV and software firewall come in, it's a second chance to keep them from installing keyloggers and trojans and crap.

 

imported_BikeDude

Senior member
May 12, 2004
Originally posted by: Nothinman
But that's not always enough, modern mail clients are extremely complicated and can be tricked into running things for you. Same thing for websites, which should be obvious considering that the HTML parsers are usually the most vulnerable part of the mail and web clients.

I'd rather write my own mail client than install AV just because of theoretical holes in "modern" mail clients. (I haven't seen an e-mail client yet that I like -- I dunno what "modern" entails)

If my mail client (Thunderbird at home, Outlook at work) has a hole, why would anyone attack it with an old existing virus/worm? The attacker would resort to new code hitherto unknown to virus scanners. Besides... Most AV software scan files, don't they? But what if your mail client doesn't save anything to the disk before showing the message? What if there's a buffer overrun vulnerability in the code that deals with POP3? Most users assume they're safe because they're protected by AV products, and don't upgrade their other software. I do the opposite.

I agree that holes exist and will continue to be uncovered; I'm just not willing to completely cripple myself just to avoid being shot in the foot by a virus/worm. I tried McAfee's resident scanner ("vshield"?) back in '88 or so, and it was a fine product I'm sure, but not worth spending money on. I've been virus and AV free for quite a while now... Come to think of it, those people I know with infections have all been AV users at the time. (I know of at least three such incidents -- and these are friends and co-workers I can name, not just someone I read about on the 'net)

Besides, with DEP active, it has become harder to exploit the traditional buffer overrun vulnerabilities. Granted, the call stack is still up for grabs, but that's a very limited window. (I realise you can call any code in user mode by messing with the stack, but AFAICT it is a rather arduous angle of attack -- I'd really like to know if there are examples of such attacks out there - beyond DOS-like attacks)
 

Nothinman

Elite Member
Sep 14, 2001
If my mail client (Thunderbird at home, Outlook at work) has a hole, why would anyone attack it with an old existing virus/worm?

Because most of the worms are old and just resending themselves over and over again. I still get CodeRed attempts on my webservers, don't you think by now that those people should have cleaned up their boxes?

Most AV software scan files, don't they? But what if your mail client doesn't save anything to the disk before showing the message? What if there's a buffer overrun vulnerability in the code that deals with POP3? Most users assume they're safe because they're protected by AV products, and don't upgrade their other software. I do the opposite.

Most AV these days also include a mail proxy that scans messages as they're downloaded.

I agree that holes exist and will continue to be uncovered; I'm just not willing to completely cripple myself just to avoid being shot in the foot by a virus/worm.

It's only crippling if you spend your day installing and removing software, normal day to day use sees very little impact from the scanner.

I tried McAfee's resident scanner ("vshield"?) back in '88 or so, and it was a fine product I'm sure, but not worth spending money on

There are a number of free AV packages, I can't comment on them though since I've never used them.

Come to think of it, those people I know with infections have all been AV users at the time. (I know of at least three such incidents -- and these are friends and co-workers I can name, not just someone I read about on the 'net)

And I can think of a few incidents at work where the AV has stopped an infection.
 

imported_BikeDude

Senior member
May 12, 2004
Originally posted by: Nothinman
Because most of the worms are old and just resending themselves over and over again. I still get CodeRed attempts on my webservers, don't you think by now that those people should have cleaned up their boxes?

But the old threats stick with the old security holes! If someone uncovers a new vulnerability, they are NOT going to use code red on it. At the very least they'll have to modify it, and while they're at it they might as well modify it substantially enough so that its signature changes. Why create a new threat that existing AV software will shield?

And what stops Code Red on your webservers? AV software? No, you've patched them, that's what. (or you don't run the affected version of IIS)

Most AV these days also included a mail proxy that scans messages as they're downloaded.

Oh goodie, yet another piece of code that I have to trust won't have buffer overrun vulnerabilities. :->

I bet those writing AV systems write flawless code, after all, they're so much better coders than those silly guys writing the OS. It's not as if e.g. Norton's AV product caused a bluescreen for NT4 users as the user inserted a floppy... No, that never happened...
 

imported_BikeDude

Senior member
May 12, 2004
Originally posted by: Nothinman
And I can think of a few incidents at work where the AV has stopped an infection.

BTW: Are you sure? Would the users in question really have launched the attachment? Has it ever saved your own personal ass?

I've seen mail worms that come as a .zip file attachment, so I do realise there are plenty of gullible people out there, but really... What kind of people do you work with?
 

Sunner

Elite Member
Oct 9, 1999
Originally posted by: BikeDude
Originally posted by: Nothinman
And I can think of a few incidents at work where the AV has stopped an infection.

BTW: Are you sure? Would the users in question really have launched the attachment? Has it ever saved your own personal ass?

I've seen mail worms that come as a .zip file attachment, so I do realise there are plenty of gullible people out there, but really... What kind of people do you work with?

You've never admined a network/domain with "regular users" have you?
 

gsellis

Diamond Member
Dec 4, 2003
Originally posted by: Sunner
Originally posted by: BikeDude
Originally posted by: Nothinman
And I can think of a few incidents at work where the AV has stopped an infection.

BTW: Are you sure? Would the users in question really have launched the attachment? Has it ever saved your own personal ass?

I've seen mail worms that come as a .zip file attachment, so I do realise there are plenty of gullible people out there, but really... What kind of people do you work with?

You've never admined a network/domain with "regular users" have you?

:thumbsup:
You never cease to amaze me. If my quote block wasn't full, I would have to add this one (sorry, the R0 quote was old).

Real companies don't hire IT people to do core business jobs. That is why they have IT. That is why we have AV, firewalls, intrusion detection, mail gateways, internet gateways, etc. Any build will have AV, a security agent (coming soon), and distribution software.

And anyone that thinks a firewall makes them safe is not paranoid enough or doesn't know what they talk about at Blackhat.

Edit - BikerDude, PLEASE do not take this as a slam on you. I just see this all the time and my "regular users" have nothing to do with IT except that they use computers in their jobs. And there are lots of people much less knowledgeable than you that think all that "security stuff" is just a waste of time.

 

GeneralAres

Member
Jan 24, 2005
I agree that it makes no sense to disable any service that is useful. But the testing here is far from extensive. If the number of services running has absolutely no effect on system performance in any way then Microsoft would have enabled every single service by default. They clearly do not. What they did do was enable the most commonly used services from a standpoint of what was decided on the install and what features they expect end users to need.

Why should the average user not disable features they will never use? Have you proven that having less services running does not improve windows or application load times? Have you proven that having less services running does not improve performance when these unused services need to be paged? Clearly no. The logical argument is flawed simply by the logic that if what you say is true then everything should be enabled all the time as it will not affect performance. It appears you failed to test other areas of system performance and have not proven anything here other than Quake II FPS does not benefit but no mention of the load times or any added delays when the game needed more RAM and unneeded services had to be paged. How could you test this anyway? Since it would vary from system to system and game to game.

These services come enabled by default in Windows XP, why leave them running if you have no use for them?

Alerter
Distributed Link Tracking Client
Indexing Service
IPSEC Services
Messenger
Portable Media Serial Number
Remote Registry Service
Secondary Logon
SSDP Discovery Service
Telnet
Upload Manager
Wireless Zero Configuration

Security Minded people don't rely simply on Firewalls for protection. I find the password argument idiotic to say the least.
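Before disabling anything from a list like the one above, a practitioner would want to see what the machine is actually doing with those services. The following PowerShell script is an added example, not code from the thread or from any of its posters: it audits the startup type and current state of the services GeneralAres lists, using the display names from the post (with 'Remote Registry' instead of 'Remote Registry Service', since that is the display name Windows uses and the prefix match covers both). It assumes a Windows host with PowerShell 3 or later.

```powershell
# Added example, not code from the thread: audit the startup type and
# current state of the services listed in the post before deciding which
# to disable. Win32_Service reports StartMode (Auto / Manual / Disabled)
# and State (Running / Stopped).
$candidates = @(
    'Alerter',
    'Distributed Link Tracking Client',
    'Indexing Service',
    'IPSEC Services',
    'Messenger',
    'Portable Media Serial Number',
    'Remote Registry',
    'Secondary Logon',
    'SSDP Discovery Service',
    'Telnet',
    'Upload Manager',
    'Wireless Zero Configuration'
)

function Get-ServiceAudit {
    param([string[]] $DisplayNames)

    # One CIM query for every service on the box, then match by display
    # name so a service that does not exist on this Windows version is
    # reported as 'not present' rather than raising an error.
    $all = Get-CimInstance -ClassName Win32_Service

    foreach ($name in $DisplayNames) {
        $svc = $all | Where-Object { $_.DisplayName -like "${name}*" } | Select-Object -First 1
        if ($null -eq $svc) {
            [pscustomobject]@{ DisplayName = $name; Name = '-'; StartMode = 'not present'; State = '-' }
            continue
        }
        [pscustomobject]@{
            DisplayName = $svc.DisplayName
            Name        = $svc.Name
            StartMode   = $svc.StartMode
            State       = $svc.State
        }
    }
}

# Only services with StartMode 'Auto' start at boot and sit in memory while
# idle; 'Manual' ones are started on demand. Sort so the Auto entries come
# first, since those are the only ones worth arguing about.
Get-ServiceAudit -DisplayNames $candidates |
    Sort-Object StartMode, DisplayName |
    Format-Table -AutoSize

# After confirming nothing depends on a service, disable it from an
# elevated prompt. 'RemoteRegistry' is the real short name for Remote
# Registry; substitute the Name column from the table for any other one.
# Set-Service -Name 'RemoteRegistry' -StartupType Disabled
```

The table makes the later point in the thread visible: a service on Manual costs nothing until something asks for it, so the only entries that can affect boot time or idle memory are the ones reporting Auto and Running.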
 

Nothinman

Elite Member
Sep 14, 2001
But the old threats stick with the old security holes! If someone uncovers a new vulnerability, they are NOT going to use code red on it. At the very least they'll have to modify it, and while they're at it they might as well modify it substantially enough so that its signature changes. Why create a new threat that existing AV software will shield?

Security comes in layers, you can't always guarantee that you'll be patched before the next CodeRed is released and you can't guarantee that your AV will have definitions for it. But if you have both you have a better chance of one of them being ready and most likely if they do break in, they'll try to install a rootkit or keylogger that the AV will have a definition for.

And what stops Code Red on your webservers? AV software? No, you've patched them, that's what. (or you don't run the affected version of IIS)

I don't run IIS at all, CodeRed doesn't check the server version before attempting to exploit it.

Oh goodie, yet another piece of code that I have to trust won't have buffer overrun vulnerabilities. :->

While true, if you're going to be like that you might as well stop using a computer. At some point you have to put some faith in the developers writing the code that you're running, either that or spend all of your time auditing code for OSS projects before you run them.

I bet those writing AV systems write flawless code, after all, they're so much better coders than those silly guys writing the OS. It's not as if e.g. Norton's AV product caused a bluescreen for NT4 users as the user inserted a floppy... No, that never happened...

One would hope that they are more security conscious than the OS devs, especially considering NT's security history with regards to things like RPC and IIS. And hell, if the machine BSOD's on floppy insert, there's no chance of getting a virus from it, right? =)

BTW: Are you sure? Would the users in question really have launched the attachment? Has it ever saved your own personal ass?

Yes, I'm sure. I was standing right there when they asked me what the antivirus popup meant and wondered if they did something wrong. And it wasn't an email attachment, it was a worm so there was no need for her to do anything.

What kind of people do you work with?

Regular people who know how to use their computers for their job and that's about it.
 

Sunner

Elite Member
Oct 9, 1999
Originally posted by: gsellis
Originally posted by: Sunner
You've never admined a network/domain with "regular users" have you?

:thumbsup:
You never cease to amaze me. If my quote block wasn't full, I would have to add this one (sorry, the R0 quote was old).

Real companies don't hire IT people to do core business jobs. That is why they have IT. That is why we have AV, firewalls, intrusion detection, mail gateways, internet gateways, etc. Any build will have AV, a security agent (coming soon), and distribution software.

And anyone that thinks a firewall makes them safe is not paranoid enough or doesn't know what they talk about at Blackhat.

Edit - BikerDude, PLEASE do not take this as a slam on you. I just see this all the time and my "regular users" have nothing to do with IT except that they use computers in their jobs. And there are lots of people much less knowledgeable than you that think all that "security stuff" is just a waste of time.

Heh, well, it's nice to see at least someone thought not one, but two of my comments were sig material
 

imported_BikeDude

Senior member
May 12, 2004
Originally posted by: Nothinman
Oh goodie, yet another piece of code that I have to trust won't have buffer overrun vulnerabilities. :->

While true, if you're going to be like that you might as well stop using a computer.

No, seriously, what you're saying is that because developers A can't write code without vulnerabilities, you're going to trust developers B for... whatever reason?

Take the Norton guys. I've had a few brushes with them, and the quality of their products never cease to amaze me -- in a negative fashion. I'll take almost any MS code over Norton code any day.

If there's a problem with code base A, you're not going to solve it by adding more code. That only adds complexity to whatever problem you're trying to solve. Fairly basic software engineering this...

And hell, if the machine BSOD's on floppy insert, there's no chance of getting a virus from it, right? =)

This must've slipped your mind: Bootsector viruses... The most basic virus plague there was a few years back. (certainly an issue in the NT4 days)

BTW: Are you sure? Would the users in question really have launched the attachment? Has it ever saved your own personal ass?

Yes, I'm sure. I was standing right there when they asked me what the antivirus popup meant and wondered if they did something wrong. And it wasn't an email attachment, it was a worm so there was no need for her to do anything.

Well... The popup was caused by the AV system. Without the popup there would've been just one strange attachment. Would they have taken the bait? Or: Now that they know they are protected, would they gladly click on the attachment if there is no security popup...? (aka a brand spanking new worm)

And for the second part of my question? Have you ever had a benefit from running AV systems on your own personal computers? This is at the core of my musings. I understand that computer peons are probably better off with updated AV software, but grizzled IT veterans like yourself..? I can't believe any true BOFH uses resident AV on his own personal systems.
 

Fresh Daemon

Senior member
Mar 16, 2005
If the number of services running has absolutely no effect on system performance in any way then Microsoft would have enabled every single service by default. They clearly do not.

Speaking from my own personal experience, when I look through services.msc I don't see a single service that's disabled. All are automatic or manual.

Have you proven that having less services running does not improve windows or application load times?

Again, there's no way to prove this. Even Anandtech couldn't find a better way to time level loading times for games than an old-fashioned stopwatch during the RAID-0 debunking they did here. Since the differences in all other tests are so infinitesimal I believe that any test conducted here would be worthless because any results would be completely obscured by the "noise" of the unreliability of the results. Basically, if you have no way to measure results to an accuracy where any variation would be visible outside the margin of error, the test is worthless.

You can run worthless tests if you want, but my time is valuable.

Security Minded people don't rely simply on Firewalls for protection.

To all the people who say this, I ask:

1) What, exactly, do you do to secure your system?
2) Is the Windows firewall either a) better than nothing or b) worse than nothing?
3) Bearing in mind the answer to 2 is obviously A, why do you think that instructing a non-technically-inclined user to disable his firewall would be a good idea?

I find the password argument idiotic to say the least.

Why? It was explained quite clearly. An account without password can't be accessed over the network. Period. An account with a password can be, so at that point, security depends entirely on the strength of the password and as many people pick ones like "password", "opensesame", their mother's maiden name or their favourite sports team, said password is probably going to take all of two minutes for a brute-force password cracker to break.

What's safer - a safe left out on the street but with a password, or a safe in a bank vault deep underground where the public can't get at it?

BTW: Are you sure? Would the users in question really have launched the attachment? Has it ever saved your own personal ass?

Yes, my antivirus software has saved my own personal ass many times. It's the first thing I install on a new system. Why take the risk for a few MB of RAM? Do you drive around without your seatbelt on because it saves you a few seconds when you get into and out of the car?
 

Nothinman

Elite Member
Sep 14, 2001
No, seriously, what you're saying is that because developers A can't write code without vulnerabilities, you're going to trust developers B for... whatever reason?

Not for any reason, because it's their job. If their code turns out to be that bad they company will either die or replace the coders. Although I doubt we'll have to argue about this for long, MS bought an AV and will probably start bundling it eventually.

Take the Norton guys. I've had a few brushes with them, and the quality of their products never cease to amaze me -- in a negative fashion. I'll take almost any MS code over Norton code any day.

And I say the same thing about MS. They've definitely been making progress and their current stuff is a lot better security-wise than the old stuff, but I still don't trust them.

This must've slipped your mind: Bootsector viruses... The most basic virus plague there was a few years back. (certainly an issue in the NT4 days)

Well the machine halts during a BSOD so it won't directly cause you to infect yourself, you would still have to press the reset button while forgetting to pull the floppy you put in 2s ago. And if you're going to do it then, you'd probably end up doing it eventually without Norton's help =)

Well... The popup was caused by the AV system. Without the popup there would've been just one strange attachment. Would they have taken the bait? Or: Now that they know they are protected, would they gladly click on the attachment if there is no security popup...? (aka a brand spanking new worm)

The popup was the AV saying "Hey, I deleted this file, it was infected with XXX" so of course it was caused by the AV system. And there wouldn't have been an attachment, email was never involved.

And for the second part of my question? Have you ever had a benefit from running AV systems on your own personal computers? This is at the core of my musings. I understand that computer peons are probably better off with updated AV software, but grizzled IT veterans like yourself..? I can't believe any true BOFH uses resident AV on his own personal systems.

Personally, I don't run Windows and my postfix filters don't accept mail with executable attachments, just to save me from deleting them manually. And I read my mail in mutt, so all of the HTML phishing messages and crap are obvious. I do have Win2K in a VMWare session that gets started up occasionally and it does have an AV on it because usually when I'm starting that up I'm checking out something Windows-only that's shady.
 

imported_BikeDude

Senior member
May 12, 2004
Originally posted by: Sunner
You've never admined a network/domain with "regular users" have you?

I'm a software developer by profession and usually work in places where most employees are well above average (in computer know-how).

So no, I don't see many "regular users" (among my coworkers).

Look, just because I don't believe non-heuristic virus scanners are the final solution, doesn't mean I completely fail to understand the fundamental problems. After all, a perfect computer network is one without any users, but a return to big mainframes with thin terminals is hardly the best way. (funny how these solutions tend to repeat every decade or so)

Some exercises for everyone: Could someone tell me how a restricted user can launch code received by e-mail? Or demonstrate a successful buffer overrun attack with DEP enabled? (I assume bypassing DEP is possible -- just like to know how -- to get anywhere with the stack, beyond a localised DOS attack, you pretty much have to be incredibly lucky with the vulnerable code in question AFAICT)
 

imported_BikeDude

Senior member
May 12, 2004
Originally posted by: Nothinman
Not for any reason, because it's their job. If their code turns out to be that bad they company will either die or replace the coders. Although I doubt we'll have to argue about this for long, MS bought an AV and will probably start bundling it eventually.

So, MS adds more code, and all of the sudden they're to be trusted...? *shrug*

you would still have to press the reset button while forgetting to pull the floppy

Where were you in the late 80s? This was a very, very, very common mistake.

The popup was the AV saying "Hey, I deleted this file, it was infected with XXX"

My English must be very bad. One more time: If they hadn't been running an AV system at that time, there wouldn't have been a confusing popup (and no reason to summon you). So... In such a scenario, would those users gladly launch the attachment?

And in the next scenario: They now know what the security popup looks like, so they know they are protected by the super-duper AV system. Now, another attachment arrives... No warnings... Perhaps the sender's e-mail address even looks familiar... Do they launch the attachment?

 

Nothinman

Elite Member
Sep 14, 2001
So, MS adds more code, and all of the sudden they're to be trusted...? *shrug*

No, I'm just saying that they'll be shipping an AV that will probably be difficult or impossible to remove, much like IE =)

Where were you in the late 80s? This was a very, very, very common mistake.

Late 80s? Elementary school.

My English must be very bad. One more time: If they hadn't been running an AV system at that time, there wouldn't have been a confusing popup (and no reason to summon you). So... In such a scenario, would those users gladly launch the attachment?

Apparently it is. Say it slowly: There was no attachment to be opened.

And in the next scenario: They now know what the security popup looks like, so they know they are protected by the super-duper AV system. Now, another attachment arrives... No warnings... Perhaps the sender's e-mail address even looks familiar... Do they launch the attachment?

They already knew the AV was there, we're not hiding it from them. And most attachments are filtered by the mail system so it would take a conscious effort for them to work around the system to get infected.
 

gsellis

Diamond Member
Dec 4, 2003
Hey guys, while this is a good conversation, it is a wee-bit off topic. New thread?
 

GeneralAres

Member
Jan 24, 2005
Speaking from my own personal experience, when I look through services.msc I don't see a single service that's disabled. All are automatic or manual.
Right, and services set to manual don't load on startup and are not always in memory. So why are they not ALL on Automatic?

Again, there's no way to prove this. Even Anandtech couldn't find a better way to time level loading times for games than an old-fashioned stopwatch during the RAID-0 debunking they did here. Since the differences in all other tests are so infinitesimal I believe that any test conducted here would be worthless because any results would be completely obscured by the "noise" of the unreliability of the results. Basically, if you have no way to measure results to an accuracy where any variation would be visible outside the margin of error, the test is worthless.

You can run worthless tests if you want, but my time is valuable.
Nice dodge, you haven't tested this and cannot confirm it so you are making assumptions. Which means you haven't proven anything.

To all the people who say this, I ask:

1) What, exactly, do you do to secure your system?
2) Is the Windows firewall either a) better than nothing or b) worse than nothing?
3) Bearing in mind the answer to 2 is obviously A, why do you think that instructing a non-technically-inclined user to disable his firewall would be a good idea?
What I stated was clear.

Why? It was explained quite clearly. An account without password can't be accessed over the network. Period. An account with a password can be, so at that point, security depends entirely on the strength of the password and as many people pick ones like "password", "opensesame", their mother's maiden name or their favourite sports team, said password is probably going to take all of two minutes for a brute-force password cracker to break.

What's safer - a safe left out on the street but with a password, or a safe in a bank vault deep underground where the public can't get at it?
That is not true at all. http://www.microsoft.com/resources/docu...windows/xp/all/proddocs/en-us/506.mspx

local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources. It is the same on a domain.
 

gsellis

Diamond Member
Dec 4, 2003
Originally posted by: GeneralAres
Why? It was explained quite clearly. An account without password can't be accessed over the network. Period. An account with a password can be, so at that point, security depends entirely on the strength of the password and as many people pick ones like "password", "opensesame", their mother's maiden name or their favourite sports team, said password is probably going to take all of two minutes for a brute-force password cracker to break.

What's safer - a safe left out on the street but with a password, or a safe in a bank vault deep underground where the public can't get at it?
That is not true at all. http://www.microsoft.com/resources/docu...windows/xp/all/proddocs/en-us/506.mspx

local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources. It is the same on a domain.

Don't get confused with default Pro and Home. If you install Home without a password, it will turn off access from the net IIRC. In Pro, this can easily be accomplished by changing the local security settings to restrict Access from the Network to None, Domain Admins (not easily automated as requires their SID to be known), Local Admins, etc. The best way to do this in an automated install is using security templates and running Secedit as part of the install package.
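Two controls are being argued over here: Fresh Daemon's point that a blank-password local account is refused over the network, and gsellis's point that "Access this computer from the network" is a user right you can restrict and push out with security templates and secedit. The PowerShell below is an added example, not code from the thread or its posters, that reads both back from a machine so the claim can be checked rather than taken on authority. It assumes a Windows host with PowerShell 3 or later; the secedit export needs an elevated prompt, and the sample .inf text is constructed for the example.

```powershell
# Added example, not code from the thread: read back the two controls the
# posts describe. (1) 'Accounts: Limit local account use of blank passwords
# to console logon only' is stored as LimitBlankPasswordUse under the Lsa
# key; 1 (the default) means a local account with a blank password is
# refused for network logon. (2) 'Access this computer from the network'
# and its Deny counterpart are user rights; secedit exports them to an .inf
# template as SeNetworkLogonRight / SeDenyNetworkLogonRight, the same
# template format a build would feed back in with secedit /configure.

function Get-BlankPasswordPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $lsa -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue).LimitBlankPasswordUse
    if ($null -eq $val) { $val = 1 }   # value absent means the default applies
    if ($val -eq 1) {
        $meaning = 'blank-password local accounts: console logon only'
    } else {
        $meaning = 'blank-password local accounts may log on over the network'
    }
    [pscustomobject]@{ LimitBlankPasswordUse = $val; Meaning = $meaning }
}

function ConvertFrom-UserRightsInf {
    # Pull the two network-logon rights out of the [Privilege Rights]
    # section of an exported template. Values are comma-separated SIDs
    # (prefixed with *) or account names.
    param([string[]] $Lines)
    $wanted = 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight'
    $rights = @{}
    foreach ($line in $Lines) {
        if (($line -match '^\s*(Se\w+Right)\s*=\s*(.*)$') -and ($wanted -contains $Matches[1])) {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    $rights
}

function Export-NetworkLogonRights {
    # Live path: export only the user-rights area (elevated prompt needed),
    # then parse the file the same way as the constructed sample below.
    $inf = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    ConvertFrom-UserRightsInf -Lines (Get-Content $inf)
}

# Constructed sample in the layout secedit produces, so the parser can be
# exercised without touching the system. S-1-5-32-544 is Administrators,
# S-1-5-32-545 Users, S-1-1-0 Everyone, S-1-5-32-546 Guests.
$sampleInf = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-1-0',
    'SeDenyNetworkLogonRight = *S-1-5-32-546',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545'
)

Get-BlankPasswordPolicy
(ConvertFrom-UserRightsInf -Lines $sampleInf).GetEnumerator() | Format-Table -AutoSize
# On a real machine, from an elevated prompt:
# (Export-NetworkLogonRights).GetEnumerator() | Format-Table -AutoSize
```

Reading the two together is what matters: LimitBlankPasswordUse only protects accounts that have no password, while SeNetworkLogonRight decides who can reach the box at all, so a password-protected account that is not granted the right (or is listed in the Deny right) is unreachable over the network regardless of how weak the password is.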
 

Fresh Daemon

Senior member
Mar 16, 2005
Right, and services set to manual don't load on startup and are not always in memory. So why are they not ALL on Automatic?

Because that would make booting the computer slower.

And you may say, "Ah-hah!", but I don't think booting is a valid test of computing performance. As I've said before, most people here will boot their computer once per day, if that, many leave it on 24/7 so it can download/fold/crunch at night. And like I also said before, if booting is a real test of performance, then you must contend that MacOS X, Linux, *BSD, heck, basically every *NIX variant is crap. Right?

Nice dodge; you haven't tested this and cannot confirm it, so you are making assumptions. Which means you haven't proven anything.

No, I haven't, and to be frank I don't care. I spend a fraction of a percentile of my time on my computer waiting for anything to load, so what am I going to test - performance in things I do <1% of the time, or that in things I do >99% of the time?

To make a car analogy, this would be like a car reviewer ignoring all performance and capacity data and testing how fast he can put the spare tire on, then basing his opinion of the car on that.

What I stated was clear.

Not to me, or I wouldn't have asked the question, would I? I'm not here for my health.

That is not true at all.

Don't get confused with default Pro and Home. If you install Home without a password, it will turn off access from the net IIRC.

Thank you. I also have this on authority from an MS employee.
 

imported_BikeDude

Senior member
May 12, 2004
357
1
0
Originally posted by: Nothinman
My English must be very bad. One more time: If they hadn't been running an AV system at that time, there wouldn't have been a confusing popup (and no reason to summon you). So... In such a scenario, would those users gladly launch the attachment?

Apparently it is. Say it slowly: There was no attachment to be opened.

Sigh.

One more time: in a different scenario, think of it as a parallel dimension even, but this time (in the other dimension) no AV was installed, the same users received that e-mail, and... Would they have launched the attachment? (it's OK; you can answer "yes" and keep your head held high, but a slightly more verbose answer would be appreciated)

You say the AV system protected them because they saw the popup (and the attachment had been automatically deleted). But that's an excellent example of the Schroedinger's Cat paradox. You don't really know if AV was necessary in this particular case. Surely you can spot that? (hopefully you finished more than elementary school)

And in the next scenario: They now know what the security popup looks like, so they know they are protected by the super-duper AV system. Now, another attachment arrives... No warnings... Perhaps the sender's e-mail address even looks familiar... Do they launch the attachment?

They already knew the AV was there; we're not hiding it from them. And most attachments are filtered by the mail system, so it would take a conscious effort for them to work around the system to get infected.

Yet more reason to trust any attachment that does manage to get through! Again: Would they blindly launch it? Or are they somewhat aware that virus definitions do not update instantly whenever a new threat arises?

I've seen so many IT professionals who think their AV systems are working because of those little "I've deleted the scary attachment!" popups. I'm just not convinced by all the smoke and mirrors. (some of you guys sound a lot like my grandma; "wear your seatbelt"... sigh)

As a final note: Sometimes it is convenient to simply mail someone an updated executable or similar, and for certain recipients I end up renaming the file to .rxe to get past the security. Would this be caught by your filter? (surely you're not filtering on extensions, are you?)
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
One more time: in a different scenario, think of it as a parallel dimension even, but this time (in the other dimension) no AV was installed, the same users received that e-mail, and... Would they have launched the attachment? (it's OK; you can answer "yes" and keep your head held high, but a slightly more verbose answer would be appreciated)

Of course they would, but my point was that you don't always need user intervention to get infected and these were boxes that were up to date with patches AFAIK.

You say the AV system protected them because they saw the popup (and the attachment had been automatically deleted). But that's an excellent example of the Schroedinger's Cat paradox. You don't really know if AV was necessary in this particular case. Surely you can spot that? (hopefully you finished more than elementary school)

And you can't say that it wasn't necessary, that's why it's considered anecdotal evidence.

Yet more reason to trust any attachment that does manage to get through! Again: Would they blindly launch it? Or are they somewhat aware that virus definitions do not update instantly whenever a new threat arises?

The definitions are updated as soon as they're released, so while it's not instantaneous it's as close as possible. And it depends on the person; we've got enough of them scared enough that they won't blindly run things they get via email, but there are undoubtedly those that would.

As a final note: Sometimes it is convenient to simply mail someone an updated executable or similar, and for certain recipients I end up renaming the file to .rxe to get past the security. Would this be caught by your filter? (surely you're not filtering on extensions, are you?)

You have to filter on extensions; doing mime-types would be too CPU intensive IMO and could be worked around just as easily. So yes, renaming it would get past the filter, and ironically this is the workaround that we give users when they complain about attachments getting filtered. But we also explain to them that mailing files around like that is a bad idea and they should be using one of the file servers to transfer the files; if it's an external user then they either have to just rename the file if it's a one-shot deal or get some real infrastructure set up and start using sftp or something.
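As an added example, not code from either poster or from any mail product: a Python sketch of the two filtering strategies discussed above. The name-only rule is the one the .rxe rename slips past; the content check looks at a few bytes of the Windows PE header and catches the renamed file without a full MIME sniff. The sample attachments and the PE-shaped blob are constructed for the demonstration.

```python
import os

# Extensions a name-only mail filter blocks (constructed list for the example).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs"}


def extension_filter(filename: str) -> bool:
    """Name-only rule as described in the thread. True means 'block'."""
    return os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def is_pe_executable(data: bytes) -> bool:
    """Cheap content check: a Windows executable starts with a DOS 'MZ' stub whose
    e_lfanew field (4 bytes at offset 0x3C) points at the 'PE\\0\\0' signature.
    Only a handful of bytes are read, so the cost is negligible per attachment."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def should_block(filename: str, data: bytes) -> bool:
    """Combined rule: block on either the name or the content."""
    return extension_filter(filename) or is_pe_executable(data)


def fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: a 0x40-byte DOS header with e_lfanew = 0x40,
    followed by the PE signature. It is header bytes only, not a runnable program."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00"


# Constructed sample attachments, including the .rxe rename from the thread.
SAMPLE_ATTACHMENTS = {
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "setup.exe": fake_pe(),
    "setup.rxe": fake_pe(),
    "mz_notes.txt": b"MZ is just text here, no PE header follows\n",
}


def scan_samples() -> dict:
    """Map each sample name to (blocked_by_extension, blocked_by_content)."""
    return {name: (extension_filter(name), is_pe_executable(data))
            for name, data in SAMPLE_ATTACHMENTS.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in scan_samples().items():
        print(f"{name:14} extension={by_ext!s:5} content={by_content}")
```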
 

imported_BikeDude

Senior member
May 12, 2004
357
1
0
Originally posted by: Nothinman
And you can't say that it wasn't necessary, that's why it's considered anecdotal evidence.

Right. But it does not answer my initial "has AV saved your butt?" question. A blinking "you've received a virus" warning does not count as "saved your butt". It merely tells me that you've received a virus. Hardly anything new there? I too have received plenty of viruses...

I'd probably do the same thing as you do had I been the administrator of a large corporate network, but luckily I landed a job in a small company (doing big stuff, instead of vice-versa like at my previous employer) a few years back, and I think that permits a slightly different approach. Much less red tape involved.

So yes, renaming it would get past the filter

I.e. security by obscurity. Pretty much what we all do... (be it by altering our surfing habits, choose less common operating systems, install every security product under the sun and/or just common sense aka "don't click there")
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Right. But it does not answer my initial "has AV saved your butt?" question. A blinking "you've received a virus" warning does not count as "saved your butt". It merely tells me that you've received a virus. Hardly anything new there? I too have received plenty of viruses...

I don't remember the specifics considering that the incident was like 2 years ago, but I believe it was one of the RPC exploits, so yes, it saved that user's butt. I believe it successfully exploited the RPC service but couldn't replicate onto the machine because the AV stopped it, but as I said it was a while ago.

I.e. security by obscurity. Pretty much what we all do... (be it by altering our surfing habits, choose less common operating systems, install every security product under the sun and/or just common sense aka "don't click there")

No, it's security by doing what you can. You can't be 100% sure of any solution, so you implement what you can and deal with the fallout from what slips by; luckily for us very little has ever slipped by.
 