
How come noone talks about Qihoo Internet Security?

Anyway, I'm not "bulletproof"--an insanely good unpatched 0day RCE could get me. But those things are really rare, and most importantly, the kind of stuff that can get me is also the kind of stuff that AV wouldn't have a prayer of stopping.

*Any* unpatched zero day could get you. It's just like driving my car. I'm not worried about *me* being a bad driver, i'm worried about all the other yutzes out there crossing three lanes of traffic at the last minute while talking on their cell. If MSN.com's ad network ends up with a malicious script laced in an advertisement, "smart browsing habits" aren't going to protect me, but there's a chance a good AV heuristics engine might. Are the odds of it catching that zero day slim? Yeah, but why wouldn't I want to increase my chances of not getting infected?

Whereas AV definitely gives a very dangerous false sense of security. I do cleanup for family, friends, and friends of family/friends. Unlike my computers, their computers all have AV. Yet they're the ones being compromised, not me. And the kinds of questions that I get are along the lines of "Why didn't the AV stop it?" or "What would you recommend as a better AV?"

Correlation =/= causation. Your family network of supported users isn't practicing smart browsing habits, it's not the AV's fault if the AV pops up yelling about a potentially dangerous script and little Joey intentionally clicks "run anyway" because he wants his flash game to load. AV is not a replacement for poor security consciousness and it never will be, but that doesn't mean it's useless in a security plan.


It's cost-vs-benefit. The cost is tremendous. Even with light AVs like Defender/MSE, disabling it results in very noticeable performance gains. In one extreme case, I have a large suite of utilities that I install on all the systems that I manage using a custom installer that I wrote. On my parents' desktop (which has MSE), it took almost a minute to install, with one core of the CPU completely pegged. On my netbook, despite having a slower CPU and slower drive, it took a few seconds...

...And there's the cost of false positives. Remember that time when installations of Excel were hosed by AV? Or the many pieces of legitimate software that get flagged as suspicious by overzealous heuristics?...

Tremendous, intolerable costs? I don't know what kind of rigs you're running, but MSE/Windows defender are not adding minutes to my software installs or any noticeable performance hit to my gaming habits or compute-based tasks. Anything with at least an i3 in it isn't going to be bogged down by active antivirus protection, sorry. It's just not true, you're welcome to post some benchmarks to back it up though. It's 2014, not 1995.

And yes, occasionally there are false positives. That's why good AV prompts you on a detection and asks you what *you* want to do with the detection, quarantine it, delete it, or leave it be. You talk like AV software is regularly and maliciously deleting half the files on your hard drive "just because," it's not. Personally, I move hundreds of gigs of files across my systems at home every month and not once in the last decade have I run into a false positive. Has it flagged things as questionable? Sure, but those were actually files of questionable integrity (pen testing tools, RATs, legitimately unsavory programs I was experimenting with in VMs, etc). It's also missed things that I've known were definitely malicious.

...But if you're tech-savvy enough to be a regular at a forum like this, AV is not something that will give you a lot of benefit. Certainly not enough to justify the intolerable costs that it incurs.

I'll absolutely agree with you, in that last decade AV has not particularly given me a lot of tangible benefit, it hasn't caught many legitimate threats. But that's because I view AV as the last line of defense in a multi-layered security approach, and catch or prevent 99% of potential threats at a higher level (running adblock/noscript, browsing trustworthy sites, not clicking phishing links, etc). However again, there has been no "intolerable cost" to that 1%. If anything noscript and adblock breaking websites has been more of a performance hit and a hassle than having MSE ticking in the background.

Now if you want to talk about something beyond fixing PCs for your family, I could pull the AV logs from my office, where software doesn't always get updated to the latest version for compatibility reasons, windows updates are staggered to make sure they don't break core software, and users will click nearly anything: for every threat that actually manages to get on a PC, our AV probably caught and prevented another 100+ potential infections for that user.
 
*Any* unpatched zero day could get you.
If you read the technical details in the security advisories for most flaws, you'll see that there are often lots of caveats. You must be using feature x and/or have option y enabled and/or be doing activity z. I review the Patch Tuesday advisories each month--see what the conditions for exploit are, and then decide, based on that, whether I and my usage patterns are actually at any risk or not. Most months, I skip PT. Which is, in large part, a testament to how good Windows has become security-wise (well, if you ignore IE, but since I never use IE, I don't care about IE flaws). (I virtually never skip Flash updates, though, which also says something about Adobe.) And by "insanely good 0day", I mean a flaw that comes with little or no caveats of that sort. And I haven't seen one of those in years.

Correlation =/= causation.
Them getting hosed wasn't my point. Their expectation that AV should've helped them, however, was.

It's just not true, you're welcome to post some benchmarks to back it up though. It's 2014, not 1995.
How about an increase in boot-time by about 50%? With a stopwatch, it was ~9-10 seconds on an i3 SSD-equipped system without MSE. After I put in MSE, it was something like ~15 seconds. And there was the example that I already gave (which I admit is extreme, since it was a package containing a couple hundred files, most of which are executables).

But that's because I view AV as the last line of defense in a multi-layered security approach
Yes. It's a last-ditch defense when something else has failed.

for every threat that actually manages to get on a PC, our AV probably caught and prevented another 100+ potential infections for that user.
Then perhaps it's time to turn off extension hiding in Windows and tell people, "If it ends in .exe or .com, DO NOT open it!" (User education isn't that hard.)

Yes, I do deploy AV for family and friends. But...

1) None of my systems are polluted with AV. For all the reasons already discussed.

2) I try to make it very clear to them that AV is not to be trusted, and it's only a last-ditch defense, and that it's like the airbag in a car--there's a very good chance that it won't save your ass. This message seems to stick better after they get hosed once and they ask me their "But I had AV! I should've been safe! Why wasn't I?" questions. And I teach them basic steps to remaining safe: turn off extension hiding, run in the other direction if they see ".exe" when doing something other than downloading software, and don't try to prevent automatic software updates.

These days, I've done far, far fewer cleanups (with some, I hadn't done any in the past few years) (And I do check up on their systems now and then to sweep for hidden rootkit-style malware that they wouldn't notice.), and, most importantly, the AV history log is very sparse (or in some cases, completely barren).
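The "turn off extension hiding" step above, as an added PowerShell example that is not from the thread: it clears the Explorer HideFileExt setting and audits a folder for executables whose real extension would have been hidden (e.g. "invoice.pdf.exe" shown as "invoice.pdf"). The post names .exe and .com; the other executable extensions in the list, the function names and the constructed sample folder are assumptions made here.

```powershell
# Added example, not from the thread. Run in the affected user's session;
# the registry change applies to new Explorer windows after Explorer restarts.
$ExplorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Disable-ExtensionHiding {
    # HideFileExt = 1 hides known extensions in Explorer; 0 shows them.
    Set-ItemProperty -Path $ExplorerAdvanced -Name HideFileExt -Value 0 -Type DWord
    # Return $true when the value now reads back as "show extensions".
    (Get-ItemProperty -Path $ExplorerAdvanced -Name HideFileExt).HideFileExt -eq 0
}

# Extensions Windows executes on double-click. .exe and .com come from the
# post; the rest are added here as a conservative assumption.
$ExecutableExtensions = @('.exe', '.com', '.scr', '.bat', '.cmd', '.pif')

function Find-DisguisedExecutables {
    # List executables under $Path and flag those whose name hides a second,
    # innocent-looking extension once the real one is suppressed by Explorer.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $ExecutableExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Name as Explorer would display it with extension hiding turned on.
            $shown    = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
            $innerExt = [System.IO.Path]::GetExtension($shown)
            [pscustomobject]@{
                FullName      = $_.FullName
                RealExtension = $_.Extension
                ShownAs       = $shown
                # 'invoice.pdf.exe' displays as 'invoice.pdf': a disguised executable.
                Disguised     = ($innerExt -ne '')
            }
        }
}

# Constructed sample folder so the audit runs stand-alone; in practice point
# Find-DisguisedExecutables at "$env:USERPROFILE\Downloads".
$sample = Join-Path $env:TEMP 'ext-audit-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
foreach ($n in 'invoice.pdf.exe', 'setup.exe', 'photo.jpg') {
    New-Item -ItemType File -Path (Join-Path $sample $n) -Force | Out-Null
}

Disable-ExtensionHiding
# Expected: invoice.pdf.exe flagged Disguised = True, setup.exe False,
# photo.jpg not listed at all.
Find-DisguisedExecutables -Path $sample | Format-Table -AutoSize
```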
 

That is terrible advice and outright stupid. Not everyone is a computer expert and even computer experts can make mistakes. Most users have no idea even what viruses are, so to claim that anti-virus software is useless is ridiculous.

Plus I'm not sure how many people can do it the safe way, as opposed to just browse the internet and do stuff on it for fun or to find information or whatever and can't be bothered being careful.

Plus most viruses don't come as "virus-click me", they come in different forms pretending to be other legitimate software, then you have malware, ransomware, trojans and keyloggers.

Firewall protection is a must, it's key, but after that you need additional layers of protection just in case, so a good anti-virus with good heuristics engine is great to have, plus a program like malwarebytes anti-malware that has a giant database of known threats as a back-up. User carefulness is on top of the protection.
 
That is terrible advice and outright stupid. Not everyone is a computer expert and even computer experts can make mistakes. Most users have no idea even what viruses are, so to claim that anti-virus software is useless is ridiculous.

Plus I'm not sure how many people can do it the safe way, as opposed to just browse the internet and do stuff on it for fun or to find information or whatever and can't be bothered being careful.
🙄 Hence why I stated in the post that you just quoted and in earlier posts that, yes, I do deploy AV for friends and family who are not tech-savvy.

They are still extremely limited in what they can do, and non-tech savvy people should know what those limits are and they should learn how to be safe without depending on AV because AV is, at best, a last-ditch defense, and anyone who relies on AV as anything other than a last-ditch defense is going to be screwed.

This is a forum where most people are tech-savvy, and for most of the people in this forum, ditching AV is good advice.

I despise the security snake-oil industry because 1) they don't offer much in the way of actual protection and 2) they like to muddle and obfuscate the nature of the dangers that people face, and in the process, undermine user education.

How many times have I heard people--tech-savvy people, too--make statements like, "If you don't have AV, you're screwed"? That's the product of their brainwashing, and it's the kind of misinformation that I'm on a crusade against.

Plus most viruses don't come as "virus-click me", they come in different forms pretending to be other legitimate software
They usually pretend to be non-software.

then you have malware, ransomware, trojans and keyloggers.
If you want to get technical about it, viruses--which alter existing executables--are pretty much extinct and a non-threat in this day and age--they haven't really been in circulation since the mid-90's. Ransomware, trojans, keyloggers, viruses, etc., are all forms of malware. Technically, we should be saying anti-malware instead of anti-virus. But colloquially, people mean "malware in general" when they say "virus".

Firewall protection is a must, it's key, but after that you need additional layers of protection just in case, so a good anti-virus with good heuristics engine is great to have, plus a program like malwarebytes anti-malware that has a giant database of known threats as a back-up. User carefulness is on top of the protection.
No. User carefulness is the first and primary line of defense. Period. I don't care if you are a seasoned security researcher or a first-time computer user. User awareness comes first. It's not the icing on top of the cake--it's the cake.

There is also a lot of misconception over the function and role of firewalls. If a computer has an exposed surface in the form of software that is actively listening on a port (i.e., an "open port"), and that software also has an exploitable security flaw, then there is the potential for an RCE (remote code execution) attack. If you don't have any open ports, you're fine. If the software that opened those ports is flawless, you're fine. But since there is no way to guarantee that software is flawless (because all software appears to be flawless until a flaw is discovered), a firewall is a precaution that restricts access to that open port--either blocking it entirely (in which case, you might as well just shut down the software that's opening the port in the first place) or by limiting access (like letting computers on the local network connect, but not computers "out in the wild"). But for some things (e.g., if you're running a web server or if you are running P2P like a torrent), you need to keep that port fully open, in which case you make exceptions in the firewall, effectively disabling the firewall for that port.

As a result, just being behind a residential NAT fulfills the role of a firewall (it's not a surprise that NAT and firewall often share code).

Inbound firewalling (don't let unsolicited packets reach your open ports) is the only form of firewalling that's preventative. Most firewall software also has outbound firewalling, and that's the firewalling that most people see, UI-wise. Outbound firewalling is mitigation, plain and simple. It prevents malware from phoning home and contacting its master for instructions (though well-made malware at this point would've disabled that pesky software firewall). But it will not prevent that malware from being installed in the first place. Which is why outbound firewall is useless for advanced users--because it doesn't do you any good until after your computer has been hosed. And software firewalls are pretty weak, too, since they can be disabled once malware gets on the system. Your residential NAT not only does the job of inbound firewalling, but it's also a hardware firewall, so if you have that, you don't have to mess with that junk known as software firewalling.

So, in short, what does the firewall protect against? Inbound protects against RCE attacks against software security flaws (if there are any) in software that maintains open ports. The vast majority of malware infection vectors, however, do not involve RCE against an open port. And outbound might lessen the impact of malware after you've been hosed by potentially blocking the malware from contacting its master.
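The inbound-firewall reasoning in the post above, as an added PowerShell example that is not from the thread: it enumerates the "exposed surface" (programs listening on TCP ports), creates an inbound allow rule scoped to the local subnet (the "let the local network connect, not the wild" case), and lists enabled inbound allow rules that are open to any remote address (the "exception that effectively disables the firewall for that port" case). Function names are made up here; the cmdlets are the built-in NetSecurity and NetTCPIP modules on Windows 8 / Server 2012 and later, and New-NetFirewallRule needs an elevated prompt.

```powershell
# Added example, not from the thread. Requires the built-in NetSecurity and
# NetTCPIP modules; rule creation needs an administrator prompt.

function Get-ListeningSurface {
    # Every listening socket is a potential RCE target if the owning program
    # has an exploitable flaw; this is exactly what inbound filtering restricts.
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        } | Sort-Object LocalPort -Unique
}

function New-LocalSubnetOnlyRule {
    # Inbound allow rule for one port that only the local subnet can reach.
    # Anything from "out in the wild" still hits the default inbound block.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
        -Protocol $Protocol -LocalPort $Port -RemoteAddress LocalSubnet `
        -Action Allow -Profile Private
}

function Get-WideOpenInboundRules {
    # Enabled inbound allow rules with no remote-address restriction: the
    # web-server / torrent style exceptions the post describes.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $addr = $rule | Get-NetFirewallAddressFilter
            $port = $rule | Get-NetFirewallPortFilter
            if ($addr.RemoteAddress -eq 'Any') {
                [pscustomobject]@{
                    Rule      = $rule.DisplayName
                    Protocol  = $port.Protocol
                    LocalPort = ($port.LocalPort -join ',')
                }
            }
        }
}

# Usage: what is listening, then which of it is reachable from anywhere.
Get-ListeningSurface | Format-Table -AutoSize
Get-WideOpenInboundRules | Format-Table -AutoSize
# Example of the scoped alternative (hypothetical rule name and port):
# New-LocalSubnetOnlyRule -DisplayName 'Example LAN-only service' -Port 8080
```

Compare the two listings: a listening port that appears in the first output and is covered by a rule in the second is reachable from the Internet if the machine is not behind NAT.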
 
Tremendous, intolerable costs? I don't know what kind of rigs you're running, but MSE/Windows defender are not adding minutes to my software installs or any noticeable performance hit to my gaming habits or compute-based tasks. Anything with at least an i3 in it isn't going to be bogged down by active antivirus protection, sorry. It's just not true, you're welcome to post some benchmarks to back it up though. It's 2014, not 1995.
Not everyone has an i3. I've had around 10 laptops and none of them were as powerful as an i3. There are Celerons, Pentiums, Atoms, Bobcats, Jaguars, etc. not to mention not everyone has the latest 2014 CPU, and many don't have 4GB or more of RAM, so your "i3" comment is pretty narrow / short-sighted. Every AV I've tried bogged my systems down in some way (McAfee, Norton, AVG, Bitdefender, MSE, etc.). Since they are mostly "reactionary", as code65536 said, and most are borderline useless for new/unknown threats, and many block legitimate things that are not in their database, or annoy you just for the sake of trying to look like they are "helping" (so you'll keep the product), I think it would make more sense to only run an AV once when you are curious, or reformat once every few years to clear out the accumulated Windows junk, or switch to ChromeOS, Linux, etc. if you are paranoid. I do not find AVs useful enough to add them to my list of processes/resources.

Now if you want to talk about something beyond fixing PCs for your family, I could pull the AV logs from my office, where software doesn't always get updated to the latest version for compatibility reasons, windows updates are staggered to make sure they don't break core software, and users will click nearly anything: for every threat that actually manages to get on a PC, our AV probably caught and prevented another 100+ potential infections for that user.
A work / public environment is different because people don't really care because it's not their computer.
 
Them getting hosed wasn't my point. Their expectation that AV should've helped them, however, was.

You focus on the one infection they notice, and neglect to mention how many threats and/or potential threats the AV actually caught and prevented. AV did help them, probably a dozen times or more, but it only takes one thing to not be detected to compromise the system.


How about an increase in boot-time by about 50%? With a stopwatch, it was ~9-10 seconds on an i3 SSD-equipped system without MSE. After I put in MSE, it was something like ~15 seconds. And there was the example that I already gave (which I admit is extreme, since it was a package containing a couple hundred files, most of which are executables).
Seriously? You're complaining about six seconds that you can't definitively prove was even caused by antivirus software? I don't even know what to do with that. Even if you restarted your PC ten times a day, you'd be out a whopping one minute. Hardly tremendous or intolerable considering how infrequently PCs are actually rebooted.

Then perhaps it's time to turn off extension hiding in Windows and tell people, "If it ends in .exe or .com, DO NOT open it!" (User education isn't that hard.)
Extensions are not hidden specifically for that reason, that's group policy enforced. That doesn't stop a Java or Flash exploit buried in an advertisement that we are not protected from because we cannot update those plugins and still do our jobs. AV, however, has the definitions for that exploit less than 24 hours after it is released and protects our systems reasonably well until we can update those plugins and not break our software.

1) None of my systems are polluted with AV. For all the reasons already discussed.
How many times have I heard people--tech-savvy people, too--make statements like, "If you don't have AV, you're screwed"? That's the product of their brainwashing, and it's the kind of misinformation that I'm on a crusade against.
See, you actually make some good points, and then you go right back to referring to AV as "polluting" your system and denounce it as snake oil? When those very same people you're trying to protect from these threats hear their supposed "security expert" talking about something they should absolutely be using like that, it's downright dangerous. You're spreading just as much misinformation as they are.

ninaholic37 said:
Not everyone has an i3. I've had around 10 laptops and none of them were as powerful as an i3. There are Celerons, Pentiums, Atoms, Bobcats, Jaguars, etc. not to mention not everyone has the latest 2014 CPU, and many don't have 4GB or more of RAM, so your "i3" comment is pretty narrow / short-sighted.

I was actually estimating conservatively, any off-the-shelf PC you can buy today, or in the last few years, is not going to be bogged down by a proper antivirus program. I'm typing this very message on a five year old Core 2 Duo with 3 GB ram and 32 bit Windows 7 Pro, with the latest version of Kaspersky Endpoint 10 installed. The only performance hit I ever see is during the scheduled daily deep scan, which I have scheduled to run at 1am. If your AV is bogging down your system, you're either long overdue for a new PC, something is misconfigured, or that specific product is a bloated hog. None of which are a direct reflection on the benefits of Antivirus as a whole.

A work / public environment is different because people don't really care because it's not their computer.
If anything, that makes antivirus *more* relevant. Active malware on a work PC can compromise sensitive information and drop an employee's productivity to zero pretty quick. Both of these things cost money.
 
You focus on the one infection they notice, and neglect to mention how many threats and/or potential threats the AV actually caught and prevented. AV did help them, probably a dozen times or more, but it only takes one thing to not be detected to compromise the system.
I do check the AV history. If there is something in there, I treat it as if they were actually hit by something and ask them why/how they let things get to the point that AV had to take action. If you have a situation where there are tons of entries in the AV history, then you need to sit your user down and have a talk with them instead of continuing to rely on the hope-and-prayer method of prevention known as AV.

Seriously? You're complaining about six seconds that you can't definitively prove was even caused by antivirus software? I don't even know what to do with that. Even if you restarted your PC ten times a day, you'd be out a whopping one minute. Hardly tremendous or intolerable considering how infrequently PCs are actually rebooted.
That is a distortion. No, I'm talking about a 50% increase. An increase that doesn't happen just during boot, but at any other point executable files are accessed (and for some variants of AV, when any file is accessed). Boot was just one example that's easy to measure consistently (since you don't have the problem of the Windows disk cache muddling up results of subsequent runs). And yes, I do know that it's the AV's fault, because I explicitly did this as a before-and-after MSE install because I was trying to see what the exact impact of MSE was.

Extensions are not hidden specifically for that reason, that's group policy enforced. That doesn't stop a Java or Flash exploit buried in an advertisement that we are not protected from because we cannot update those plugins and still do our jobs. AV, however, has the definitions for that exploit less than 24 hours after it is released and protects our systems reasonably well until we can update those plugins and not break our software.
Um, for the typical user, extension hiding is a checkbox in the Explorer options. And, please, repeat after me: "AV is useless against RCE." You keep bringing up Flash and Java exploits. AV generally doesn't protect against Flash and Java exploits. Or any other RCE exploit. If you have a Flash or Java exploit, you need to patch Flash or Java. Period. Full stop. Updated AV definitions are not going to help you there and, most importantly, cannot help you there.

See, you actually make some good points, and then you go right back to referring to AV as "polluting" your system and denounce it as snake oil? When those very same people you're trying to protect from these threats hear their supposed "security expert" talking about something they should absolutely be using like that, it's downright dangerous. You're spreading just as much misinformation as they are.
I've been pretty clear and consistent:

* AV is the airbag-in-a-car defense: It's the final defense that doesn't kick in until the user screws himself, and even when it does, there is a very good chance that it won't protect them. This is fact and not misinformation.

* AV has lots of limitations that most AV users are ignorant of. New threats. RCE exploits. Non-software security flaws like phishing e-mails. Fact, not misinformation.

* The AV industry pimps AV through scare tactics and reinforcing misconceptions. Namely, that 1) if you have AV, you will be safe and 2) if you don't have AV, you will be screwed. Both of these are lies. People with AV get screwed (esp. when they do stupid things because AV gave them a false sense of security), and security-savvy users without AV can get along just fine. This is fact and not misinformation.

* AV has costs. Performance. False positives. Sometimes financial. Fact, not misinformation.

* For tech-savvy users, AV offers little or no benefit because the kinds of things that AV can protect against (which does not include most RCEs, as you keep claiming) are the kinds of things that a well-informed user could easily avoid. This is my opinion, but it is couched in facts about AV and is not misinformation.

* For tech-savvy users, the cost of AV coupled with the virtually non-existent benefit is why I call it "pollution" and "snake oil" in the context of tech-savvy usage. Yes, those terms are deliberately abrasive, because hopefully it drives home the point just how limited AV is, esp. compared to the trumped-up claims of the AV industry.

* For average users, AV does provide a (thin) layer of last-ditch defense, and I do condone the use of AV for these users (as I've stated multiple times in this thread already), but with the caveat that the users understand that AV is just as likely to fail to protect them as it is to protect them. They must be taught about how to be safe, and they must be told that they should operate as if AV is not there. They must understand that if AV catches something, that means they made a mistake and got lucky. I often see advice online where people ask, "How do I remain safe?", and the first answer is "Make sure your AV is always up-to-date." (e.g., this thread) The first answer never, ever should be AV. AV is the "PS: BTW, ..." footnote answer; it's there to supplement and provide backup for other defenses. In short, yes, average users should have AV, but they should also understand that it's borderline useless because without that understanding, AV is just fostering security complacency and standing in the way of nurturing good security awareness.
 
I also see a lot of AV with expired subscriptions so they literally do nothing but occupy resources for advertising purchasing of services so in effect they become adware. It's just gotten ridiculous.
 