Schneier on Security: Is Antivirus Dead? (schneier.com)
35 points by billpg on Nov 10, 2009 | hide | past | favorite | 37 comments



"On the other hand, an antivirus program with up-to-date signatures will protect you from a lot of threats. It'll protect you against viruses, against spyware, against Trojans -- against all sorts of malware. It'll run in the background, automatically, and you won't notice any performance degradation at all"

Now, this may be a bit off-topic, but does anyone know which software he's talking about? I personally find that most of the virus scanners try desperately to let you know how effective they are, constantly notifying you of what they have done to help you, to validate their existence.

On the other hand, you have the more minimalistic virus scanners, like ClamAV, but I really can't tell if they're effective or not. I fear they are not.

Does anyone have recommendations for a good virus scanner that doesn't suck? Perhaps pg can make this a request for startups, please? It's about time this whole industry stopped sucking. :)


Norton. No wait, hear me out. As many here know, Norton has always been a pig of an antivirus. In 2007 and 2008, it was really, really bad. It went from just slowing computers down to making them unusable. In the face of consumer backlash - even non-technical users were boycotting it - they made Norton Antivirus 2009. It uses ~10MB of RAM, and is now one of the faster scanners out there. It still gets Advanced/Advanced+ ratings from AV Comparatives, and updates signatures about every 5 minutes. Plus it has a "gaming" mode which puts even less stress on your system.


Does it really update signatures every 5 minutes?

Seems a bit excessive.


Yeah, but it makes people feel better :)


Well I haven't used anti-virus in a long time since switching to OSX but when I was on Windows, I was always a big fan of ESET NOD32.


Tech support in my company has to constantly deal with false positives of our software with NOD32. I don't know how effective it is catching real trojans/viruses, but I know it sucks at catching non-trojans/non-viruses.


Actually, it sounds like it's pretty good at catching non-viruses and non-trojans...


ClamAV is actually pretty effective at detecting malware it knows about. I've seen it work on multiple occasions, even with non-in-the-wild viruses. However, because it lacks real-time scanning and cleaning, it's clearly not a first line of defense yet.

A better bet would be F-Prot or Nod32 which seem far lighter and a tad more quiet about their business except when a malware is actually found (which is also customizable I believe).

However, I see a hard task ahead of any startup that wants to come up in this field. Writing sig definitions for the 100,000+ viruses already in existence is a massive initial undertaking. The older players already have most of it written down, but a startup would have to put in a ton of effort just to catch up.


Why do you need real time scanning?

You download an app/email attachment etc, check it and then install/open it.


The problem is remembering each time you do this. After a while it gets painful to repetitively do the same. It's just easier to install an alternative which comes with a real-time scanner.


True, the best way would be to have OS support for automatic quarantining of anything from outside until it has been checked.

Vista sort of has this but it doesn't clear the suspicion, so if you download a simple utility (or even a help file) it will warn you every time you open it - unless it comes inside an installer.


I really liked Microsoft's Windows Defender, and I was pleased to find out that they recently expanded it into a full (and free) AV suite: Security Essentials:

http://www.microsoft.com/Security_Essentials/

It runs unobtrusively in the background (only a tray icon), is simple to use, and doesn't install additional cruft (e.g., the AVG IE toolbar).


I spent 2 years working tech support for a large cable ISP. We offered a free antivirus/firewall package. In my experience, the AV software was more likely to break your PC than an actual virus, and we'd often get calls where people were infested with malware the AV package didn't stop.

AV software gives you a false sense of security, imo.


Tools like Time Machine and VMware snapshots can make viruses less disastrous than before. You can roll back instead of re-imaging or worrying about removing all the malware.


Only if you're aware that the virus is running, and it doesn't do something disastrous in the meantime (eg, sniff your keystrokes while you enter a bank account number or log into the hospital records system).


That is good and all, but does little when the badware steals your passwords to your online bank.


Will you really not notice any performance degradation from anti virus? Really?


It is SO horrible. It's like if you stuck 30 pound weights on one hand of a sprinter.


I use ClamX AV. I have it set to do scans of new Downloads and scans late at night. I have no problems at all.


"you won't notice any performance degradation at all"

O RLY??

I beg to differ. I've seen the PCs of friends and relations reduced to a pitiful level of performance by well known so-called "security" software.


Bad or inappropriate software of all sorts can do that. Security software is no different.

My dad keeps trying to install security software which he discovers through pop-ups on Korean websites.

Fortunately, I bought him a Mac, and most of that stuff is a *.exe file. Unfortunately, this is not enough! :(


Yep. Unfortunately, this is becoming more and more true. Typical computer users just don't know the difference between "safe computer use" and "unsafe computer use."

It's the same as human viruses. If you do things that are safe, you dramatically reduce your chances of infection.


I think the detection of virus signatures is a failing strategy. I have seen computers that I know are infected, and scanning with multiple products leaves some of the bugs undetected. That said, it would be pretty stupid to run Windows today without a scanner. AVG and (believe it or not) Microsoft's Security Essentials are good and free. The first of two major problems with virus scanners is that they bog the machine down (AVG is starting to do this). The other problem, and I see this from all brands, is that they can detect a virus but cannot remove it. This is a serious problem today because it then requires an expensive tech visit to manually remove a virus.


""" Examine a typical antivirus package and you'll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I've installed on my machine, and you can see it's rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness. In fact, if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved the following problems:

    * Spyware
    * Viruses
    * Remote Control Trojans
    * Exploits that involve executing pre-installed code that you don't use regularly
Thanks to all the marketing hype around disclosing and announcing vulnerabilities, there are (according to some industry analysts) between 200 and 700 new pieces of Badness hitting the Internet every month. Not only is "Enumerating Badness" a dumb idea, it's gotten dumber during the few minutes of your time you've bequeathed me by reading this article. """

- http://www.ranum.com/security/computer_security/editorials/d...


There are a lot more than "30 or so" pieces of goodness. Applications (directly user-invoked executables) aren't the only vectors for malware and viruses. A quick scan of my Windows 7 installation - just the Windows directory - turns up about 17600 EXEs, DLLs and SYS files, which isn't an exhaustive list of potential module types. Any of those are subject to change on a monthly basis as updates get installed.

And this doesn't even start counting applications, and their update and patch mechanisms.


And you can't even say "Any 'good' application is only going to do certain sorts of actions. We'll scan those and if the application does something else, stop it". UAC in Windows 7 and Vista went a long way to making this better; at least if you're opening yourself to malware you usually have to click "I know this is doing something which could be dangerous", and 7 went a step farther by making it far more unobtrusive so that users are less likely to auto-click it.

It's still a losing battle though. Run http://technet.microsoft.com/en-us/sysinternals/bb896645.asp... for a few minutes, and look at how many actions are being taken, just when your computer is supposedly idle. Trying to whitelist each and every one of those would be massive overhead.

What I've found (personally, this isn't for everyone) is to run with as minimal AV as possible (right now, SSE), and if I notice anything out of the ordinary, run an offline virus scan. I usually do this with Bart-PE, although I've been working on another method for it. Expecting an infected OS to report that it is infected isn't the best idea; it is too easy to fake the results. Doing a scan of the system while the OS is not running tends to be more reliable and removes any problems a lot more easily. I'm currently working on a system which will PXE boot once a month, do a virus scan or two (with different, fully updated scanners), defrag, checkdisk and do a general cleanup.


> Any 'good' application is only going to do certain sorts of actions

Like delete files, read files, contact websites, read keyb, send email?

There might also be naughty reasons to do these things


If you define them that way, yes. If instead you define them as:

Delete files in the application's working directory, read files from the application's working directory or public areas, contact websites, read keyboard when this application is the focus, send email.

It isn't nearly as dangerous. Sure, you've still got the computer contacting websites and sending email, but that isn't a terribly large risk. There is still a need for blacklisting that sort of activity. As far as reading sensitive information, however, as long as working directories are categorized well, and used by any applications dealing with anything sensitive, it isn't a problem.


As Bruce mentioned in his article:

"And whitelists aren't a panacea, either: they don't defend against malware that attaches itself to data files (think Word macro viruses), for example."
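The scoped allow-list sketched a few comments up (delete/read only in the working directory, network, keyboard only while focused) and the macro-virus limitation quoted here can both be seen in a small policy model. This is an added illustration, not code from Schneier, Ranum or any product; the application names, paths and event log are constructed, and the "public areas" list is an assumption.

```python
import posixpath
from dataclasses import dataclass

# Constructed toy policy, not any real product's format: each allowed application
# gets a working directory plus the narrow action set described in the comment above.
@dataclass(frozen=True)
class AppPolicy:
    workdir: str      # files may be read/deleted only under this directory
    network: bool     # may contact websites / send email
    keyboard: bool    # may read the keyboard, but only while it has focus

PUBLIC_AREAS = ("/usr/share",)  # assumed world-readable areas

POLICIES = {  # constructed allow-list: anything not listed is denied
    "word": AppPolicy("/home/alice/docs", network=False, keyboard=True),
    "browser": AppPolicy("/home/alice/downloads", network=True, keyboard=True),
}

def _under(path: str, root: str) -> bool:
    """Prefix check after normalisation, so 'docs/../.ssh' cannot escape."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def decide(app: str, action: str, target: str = "", focused: bool = True):
    """Return (allowed, reason) for one observed action."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, "application not on the allow-list"
    if action in ("read", "delete"):
        roots = (policy.workdir,) + (PUBLIC_AREAS if action == "read" else ())
        ok = any(_under(target, r) for r in roots)
        return ok, f"{action} {'inside' if ok else 'outside'} permitted area"
    if action == "network":
        return policy.network, "network rule"
    if action == "keyboard":
        return policy.keyboard and focused, "keyboard only while focused"
    return False, f"unknown action {action!r}"

# Constructed event log. The last two come from a macro inside a document that
# Word opened: they look exactly like Word's own behaviour, which is the
# limitation the quote above points at.
EVENTS = [
    ("word", "read", "/home/alice/docs/report.doc", True),
    ("word", "read", "/home/alice/docs/../.ssh/id_rsa", True),   # traversal attempt
    ("browser", "network", "", True),
    ("word", "keyboard", "", False),                             # not focused
    ("word", "read", "/home/alice/docs/salaries.xls", True),     # macro, allowed
    ("word", "delete", "/home/alice/docs/report.doc", True),     # macro, allowed
]

def denied(events=EVENTS):
    """Indices of events the allow-list blocks."""
    return [i for i, e in enumerate(events) if not decide(*e)[0]]
```

Only the traversal attempt and the unfocused keyboard read are blocked; the macro's reads and deletes inside the working directory pass, because the policy sees the host application, not the document driving it.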


But this should be a solved (or at least solvable) problem. You have complete control over email in the enterprise b/c you control the mail server.

If you use a service like gmail then you can't even send certain attachments. I couldn't send .zip files the last I checked. Plus spam filtering has gotten better.

I think white-listing could go a very long way towards solving the problem.


What does email have to do with opening Word documents with macro viruses? What does email have to do with opening any data file that maliciously exploits the application opening the data file?

How can a whitelist prevent attack vectors as varied as opening a PDF file designed to exploit your PDF reader? The user cannot always be vigilant enough to know that site X is giving him a malicious file to open. Hell, site X might actually be a legitimate site that has itself been attacked and exploited...


Hmmm. I can send zip files through GMail.

However, I can't receive zip files through my work email which is a policy decision made by our network admins. (You can rename it .zipX or something like that and it will go through. They have been burnt by users clicking on any random attachment and getting Trojans and viruses.)

I don't seem to be able to send an exe through GMail though.


You can send zips, you just can't send exes or zips including exes.


The bit about users accessing services on any old computer becoming the norm is the bit which scares me. The idea of entering a password in a random computer with who knows what key-logging malware installed scares me.

Two-factor can only go so far, as it only limits the window of opportunity to between log in and log out.

While I, and most technical people, guard our computers carefully and wouldn't use a computer owned by someone else for anything but anonymous web browsing, the average user is quite happy to use some terminal in an internet cafe.


I posted the original with Schneier's and Ranum's pieces (http://searchsecurity.techtarget.com/magazinePrintFriendly/0...) at about the same time this was posted - http://news.ycombinator.com/item?id=932940


Can any one suggest a good white-listing software?

I see he recommends Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php

However this looks like more of a scanner than a white-listing software. The other two he recommends look to be commercial only?

Any suggestions? Looking for Windows 7 64 bit capability. Thanks


I went sans AV software when I installed Windows 7. We are a long way from the days of Windows 98.



