Thursday, 26 January 2017

Disable Your Antivirus Software (Except Microsoft's)

I was just reading some Tweets and an associated Hacker News thread and it reminded me that, now that I've left Mozilla for a while, it's safe for me to say: antivirus software vendors are terrible; don't buy antivirus software, and uninstall it if you already have it (except, on Windows, for Microsoft's).

Update: Perhaps it should go without saying, but you also need your OS to be up to date. If you're on Windows 7 or, God forbid, Windows XP, third-party AV software might make you slightly less doomed.

At best, there is negligible evidence that major non-MS AV products give a net improvement in security. More likely, they hurt security significantly; for example, see the bugs in AV products listed by Google's Project Zero. These bugs indicate not only that these products open many attack vectors, but that in general their developers do not follow standard security practices. (Microsoft, on the other hand, is generally competent.)

Furthermore, as Justin Schuh pointed out in that Twitter thread, AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security. For example, back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes. Several times AV software blocked Firefox updates, making it impossible for users to receive important security fixes. Major amounts of developer time are soaked up dealing with AV-induced breakage, time that could be spent making actual improvements in security (recent-ish example).

What's really insidious is that it's hard for software vendors to speak out about these problems because they need cooperation from the AV vendors (except for Google, lately, maybe). Users have been fooled into associating AV vendors with security and you don't want AV vendors bad-mouthing your product. AV software is broadly installed and when it breaks your product, you need the cooperation of AV vendors to fix it. (You can't tell users to turn off AV software because if anything bad were to happen that the AV software might have prevented, you'll catch the blame.) When your product crashes on startup due to AV interference, users blame your product, not AV. Worse still, if they make your product incredibly slow and bloated, users just think that's how your product is.

If a rogue developer is tempted to speak out, the PR hammer comes down (and they were probably right to do so!). But now I'm free! Bwahahaha!

101 comments:

  1. The title says it all. I did exactly that a few months ago coincidentally.

    Replies
    1. I did this 10 years ago...

    2. Yeah I haven't installed any real antivirus for ages...an occasional MWB and Superantispyware sweep is all I've needed.

    3. Did this about 4 years ago. Had no issues even before MS - just need to exercise patience and general knowledge.

  2. I really agree. It is particularly troubling for application software vendors, that it's essentially impossible to test against common AV software.

    The AV vendors update and patch their products frequently, modifying the way they hook the OS. They don't ever allow anyone access to pre-release versions. This is the kind of thing that, even with the best of intentions, causes problems.

    As a long-time software developer, I have seen many problems caused by AV behaviour, particularly network hooks which modify traffic (TLS interception anyone?).

  3. I switch off Microsoft's Windows Defender as well. It makes my laptop unusable when it's running, which I've found to be a general problem with AV software.

    Replies
    1. This was meant for 3rd party antiviruses. Leave Windows Defender on.

    2. If your laptop's running slow, uninstall software you don't need and make sure your main hard drive is in good condition. Also go to Windows search and type up misconfiguration; turn off all startups you don't need. You can do the same in services, but I recommend you leave Microsoft services on.

  4. I guess what we need is "the people's AV". If Mozilla gets Firefox back on track, could they start something?

    Replies
    1. As that article shows, it's not a political issue, it's a functional one; essentially antivirus breaks APIs and makes their results unpredictable.

  5. I have not used AV software for years (apart from on the mail filter) - must have been around 8.06. Ubuntu of course.

  6. I totally agree with this. I bought a new TP-Link USB wireless adapter, and whenever I connected to my wifi, Windows 10 crashed with a bad pool header error; only after uninstalling my MalwareBytes software did that crash get fixed.

    Replies
    1. What version of Malwarebytes? In case you are unaware, the recent version of Malwarebytes has been riddled with thousands of bugs and issues. You can look at their forum.

  7. Was "now that I've left Mozilla for a while" supposed to be linked to somewhere, rather than underlined?

    Replies
    1. No. I just wanted to make sure Mozilla doesn't get blowback.

  8. Does Microsoft make anti-virus software for the Mac?

    If not, then what?

    Replies
    1. I'd use whatever Apple offers; if they don't offer anything, then "nothing" is probably better than the usual A/V vendors. MacOS is locked down reasonably tightly already.

    2. If you are a business, Bromium. Not quite AV, but something better, imo, as it doesn't use signatures but looks for aberrant behaviour; e.g. your email should not be trying to access your customer database. Best of all, the way it works is to let the infection think it's succeeded, while recording what it's trying to do, and that can be shared without exposing your security.

    3. Macs do not require any antivirus.

    4. Sir, I hope you never have children.

    5. Heheh... Yeah, that is it... Macs don't require antivirus... They are immune to all digital threats... You might want to search that on snopes.com!!!

    6. My wife is a graphic designer and uses nothing but Macs. Her company uses Macs. None have security on them. Is there Mac malware? Yes, but few and far between.
      http://www.pcadvisor.co.uk/how-to/security/do-apple-macs-need-antivirus-os-x-security-explained-2016-3418367/

    7. Macs don't usually require antivirus software, because they have three significant deterrents. First is Malware Check, which functions similarly to Windows Defender, but runs silently in the background without any user interface. 99% of users never know that it's there.

      The second is GateKeeper. Its default configuration requires that any binaries be signed by a developer with an active developer account with Apple before it will run. (This can be disabled on an app-by-app basis or globally, but it is on by default.) This allows malicious apps discovered in the wild to be disabled by Apple unless the user specifically re-enables them.

      The third is that any app sold through the App Store undergoes a code review and also is required to be sandboxed from other processes.

      So, while it's not perfect, those three mechanisms, together with the fact that the Mac installed base is less than 10% of Windows', mean that malware and viruses are virtually nonexistent on the Mac.

    8. Just to be clear, if I'm not mistaken, Gatekeeper started with Lion (10.7), so for those of us using Snow Leopard this advice is not relevant.

    9. "Mac's don't usually require antivirus software, because they have three significant deterrents."

      BS! Macs don't have as many issues with malware because they have such tiny market share, and malware creators don't target it as much. The simple fact is as an OS Windows is more secure and has fewer exploits. This isn't even debatable.

      http://www.businessinsider.com/android-most-vulnerable-operating-system-in-2016-2017-1

  9. What about open source antivirus like ClamAV?

    Replies
    1. I don't know much about it. Being open-source means it's probably less crazy-bad than the others. Still, I'd be skeptical that it's a significantly better recommendation than Windows Defender, for Windows 10 users.

    2. As far as I know, it is the only free (as in freedom) antivirus. If you need more security than that, just go free software full way and ditch MS Windows altogether in favor of a free OS such as GNU/Linux.

    3. 1. ClamAV has a poor virus detection rate. 2. It is only a virus scanner (to be used on files or folders); it does not provide a resident shield checking the files before you open them.

    4. ClamAV is an AV solution you need to run manually. It is therefore a nice enough "stick behind the door" for tech savvy users, not your average Joe. There are ways to make ClamAV work as a real-time AV scanner, but that software isn't made by the people behind ClamAV, and the last time I tried it, my CPU had a continuous load of 30%.

      So I use ClamAV sometimes, I use online AV scanners more often, and monthly malware scans. No virus or malware on my system for 10 years. That said, I run a strictly configured router/firewall on a completely separate PC and every device that connects through my LAN is on a separate VLAN with even stricter rules. All of the computers I use have mostly PortableApps tools and browsers are as vanilla as possible, with the exception of 'uBlock Origin' and 'uMatrix'.

    5. Try this link to improve the detection rate of ClamAV:

      https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml?lg=en

  10. Hi Robert, what about applications such as https://heimdalsecurity.com/en/products/heimdeal-free that simply keep your average virus magnet applications up-to-date? Would you recommend that on the side, along with whatever the OS offers?

    Replies
    1. You should stick to applications that are good at updating themselves. For example there's no need for Heimdal to update Firefox or Chrome, and getting it involved adds potential for catastrophic bugs.

      So it depends on what applications you use. If a random person asked me with no further information, I'd probably play it safe and say no since there's potential for badly-implemented updates to do great harm.

  11. Microsoft has a tool for enabling processor-based protection that may be helpful for some people. https://en.m.wikipedia.org/wiki/Enhanced_Mitigation_Experience_Toolkit

    Replies
    1. EMET is being discontinued in July 2018.

    2. Windows 10 has EMET features built in.

    3. Not all of them... https://betanews.com/2016/11/24/windows-10-security-emet/

  12. Just use Linux; you don't need AV at all. I've never used AV in more than 20 years so far.

    Replies
    1. Linux fanboys are as bad as Mac fanboys... Mark my words, when you get hit... it will be bad.

  13. As a layman, are you talking about always-on virus scanners that run in the background, or also on-demand file scanners? I would guess the latter are less intrusive to the OS?

    Replies
    1. Yes, you are very much right. In fact, running Bitdefender and something like McAfee together will cause the OS to become unstable. Just my experience after doing thousands of virus cleanings.

    2. That is why most real time scanners will disable Windows antivirus software. (And McAfee is utter garbage these days)

    3. On-demand file scanners are certainly a lot less problematic.

  14. The only time I ever use AV is to scan files in a VM. Be safe online, not stupid.

  15. I vaguely recall that a few years back, my laptop would intermittently Blue Screen until I uninstalled Norton.

    I still use MalwareBytes (the free version, with no "active" protection), and I run it occasionally just in case, but otherwise I stick with MSE (or whatever it's called) on my Windows boxes.

  16. I used AV in the past, but after getting a Windows 10 machine, I really use only Defender. It works great, nothing bad has happened yet, and it doesn't scream at full volume every time definitions are updated ;-)

  17. For home use I don't disagree with you. We all know that by the time the AV software finds an infection it's too late anyway. But a lot of businesses these days are allowing or requiring BYO devices with their user base. We have to protect everyone's systems. We can't have people running on networks in such an insecure way. Here, our security appliances & firewalls can help to mitigate security threats imposed by rogue devices, but that is not enough.

    Ideally, everyone just becomes more tech-aware and can figure out that they shouldn't click that link in their email because they probably aren't descended from African royalty. But I don't see that happening anytime soon. As long as people keep clicking on stupid things, then they need stupid software to babysit them.

    Replies
    1. I can't imagine why you'd allow regular users to attach BYO devices to your corporate network.

      That aside, what evidence is there that any third-party AV is a net security win over Microsoft's built-in stuff? I haven't seen any, even with all the comments around this post.

    2. Calling the major vendors' products "anti virus" kind of highlights a lack of research on your part. AppArmor/SELinux, for example, is pretty much considered best practice in the Linux world, so why is it that similar third-party functionality in the suites that you dismiss as "AV" suddenly becomes worthless in the Windows world? There's much more to the major - let's call them what they are - HIPS software packages than you give them credit for.

    3. SELinux has all kinds of problems. However, at least it has defined interfaces; the source is open and operates in a transparent fashion; distros take responsibility for configuring it and making it work with their application packages; and it hasn't been a source of egregious security bugs.

      Windows AV on the other hand is a crazy mess of closed-source code doing random patching, hooking, parsing arbitrary complex data formats in ring 0 and other blunders, changing unpredictably, with practically no coordination.

    4. Windows is different to Linux in this respect because software vendors are considered potentially hostile to the OS, as they are frequently not aligned to its goals. Linux distros, on the other hand, tend to provide software that is more closely matched to the OS because its maintainers include or package the software instead of vendors.

  18. This smells all too consumer to me. Users who are diligent about patching not only their OS but third-party software as well (Reader, Java etc.) MAY be able to get away with nothing more than Defender; however, whatever happened to Defense in Depth? At any business or enterprise, you have to do your best to protect the data, employees as well as your customers. Sure, traditional AV isn't always going to protect you, but most AV/EPP vendors are doing their diligence to include technology in their products that goes way beyond what traditional AV ever did. In addition, there are other products to consider like Application Whitelisting technology. Of course, these in concert with other technologies like DLP, IDS, NGFW, SIEM etc. can all help protect the business. Common Defense in Depth here. But to recommend either nothing or Microsoft's built-in offering is not the best approach if you care about the things you need to protect.

    Replies
    1. "Defense in depth" does not mean that the answer to "should I install this 'security' product?" is always "yes".

      Each product you install adds vulnerabilities to your system as well as protecting you from some set of threats. The sets of threats overlap (e.g. if you're scanning email on the mail server, scanning it again on the client doesn't do much).

      > But to recommend either nothing or Microsoft built in offering is not the best approach if you care about the things you need to protect.

      I'd like to see an independent evidence-based evaluation of this. I haven't, and one hasn't turned up in all the comments around this post. Lacking one, and given the egregious blunders of the major AV vendors that have come to light, I still think being conservative in what you install, as I have advised, is perfectly reasonable for the average user.

    2. I guess that one could then argue that since Microsoft also includes IE and/or Edge in their operating systems, one should not install Firefox, Opera, or Chrome either. After all, you are adding more software with more bugs and we do want to be conservative in what we install, right?

    3. If IE/Edge are installed but you don't use them, no problem.

  19. Some years ago I used to put MSE on some people's computers; that was until they came back infested. Now I won't recommend it to anyone. (Still, I have to admit I didn't check recently, since I mainly use Linux with no AV.)

  20. What about Emsisoft? If you are going to recommend to uninstall AVs, you should at least be aware of the popular ones and more.

  21. These days most of the malware comes from online. Just run your browser in software like Sandboxie. You won't need a 3rd-party AV, unless you often connect unknown USB devices.

  22. Your advice is flawed, opportunistic, irresponsible and dangerous to people who don't understand the malware landscape that is out there.

    Your reputation, in my mind at least (as I don't speak for others) has been tainted.

    The average Joe on the street is better served with anti-virus on their computer than not. No software is perfect.

    Replies
    1. > The average Joe on the street is better served with anti-virus on their computer than not.

      I believe you may be right about that which is why I suggested Microsoft's stuff.

  23. The problem if you only use Windows Defender (on Win 8.1 in my case) is that you could be infected by a virus (like a trojan) while browsing a web page with Firefox.
    I've made EICAR tests with Windows Defender and Firefox, and Defender doesn't notice the viruses in a web page (but it works with IE 11).

    Replies
    1. EICAR-like tests are mostly meaningless for browsers. By the time malware has been around long enough to be analyzed and its signature(s) (binary, behavioural, whatever) blocked by AV tools, modern browsers will have already fixed whatever holes they were exploiting. Firefox doesn't need to explicitly detect Web-borne viruses; Firefox's job is to make sure that all such content is harmless.

      For modern browsers that are kept up to date your real threats are zero-day exploits, which can easily evade any AV product.

    2. I think I need a good AV also because a few weeks ago, I was on a TV streaming webpage and there was a trojan in the page.
      It was detected by my AV but not by Firefox.
      What could you advise in this case?

    3. I thought I was clear before. Without more details it's probably not worth me saying anything more.

  24. I've done this since I understood a little more about how these security solutions work (5 or 6 years ago).

    I don't understand why Windows Defender is different from the other AVs. If you could explain this point I would appreciate it.

    Replies
    1. I mentioned it in the post. Based on the data I've seen, I have a much higher opinion of Microsoft's people and processes than the other AV vendors. Also, because Microsoft's stuff ships with Windows they are more likely to get the integration right and be held to reasonable quality standards.

  25. Hooray another educated opinion from someone who does not actually fix PCs for a living.
    Thanks for that. You just made my job harder, but more profitable.

    Microsoft themselves say that their AV solution is "Baseline", which means it is the lowest you should go, not the highest.

    I keep seeing quotes about the crappy state of AV, but it always focuses on Norton, McAfee etc., who are historically crap and simply sell more product.

    Avira or Bitdefender never appear in these quotes or lists of bad AV/vendors.

    I can find zero evidence that MS AV is any good, only the opposite, as the frequently infected PCs I have to fix are usually using either MSE/Defender, Norton or McAfee, which is as good as using a magic 8-ball.

    MS AV does not scan web page content in non-MS browsers, so malvertising and link scanning in FF or Chrome is non-existent.

    If you are going to recommend MSE/Defender, at least show some evidence or reference to how good it is at its job, not mere opinion and belief.
    It is provably consistently below average, and for a while fell off the bottom of the AV test/comparison sites.

    Replies
    1. Avira:
      https://bugzilla.mozilla.org/show_bug.cgi?id=844714
      Bitdefender:
      https://bugzilla.mozilla.org/show_bug.cgi?id=1310629

      Firefox and Chrome use Google Safe Browsing for URL filtering so it's not "non-existent".

      Scanning Web content adds very little value. By the time malware has been around long enough to be analyzed and its signature(s) (binary, behavioural, whatever) blocked by AV tools, modern browsers will have already fixed whatever holes they were exploiting. Firefox doesn't need to explicitly detect Web-borne viruses; Firefox's job is to make sure that all such content is harmless. AV products interfering with Firefox has historically made that more difficult --- including Avira and Bitdefender, as you can see above. Justin Schuh says it's the same for Chrome.

      This all assumes users are using up-to-date OSes and browsers, as I updated my post to make clear.

      Windows Defender may not be very good at the metrics you're talking about, but at least it does relatively little harm.

    2. Well, what if you never enable the plugins those AV products try to push onto your browser?

    3. That doesn't necessarily stop them hooking and patching browsers; i.e. that wouldn't stop all the bad stuff they do.

    4. "Windows Defender may not be very good at the metrics you're talking about, but at least it does relatively little harm."

      For the test suites that look at false negatives, Microsoft's consumer solutions are generally the king of the hill. How is that "relatively little harm"?

    5. See http://robert.ocallahan.org/2017/01/a-followup-about-av-test-reports.html about test reports.

  26. https://blog.cylance.com/dont-test-a-bomb-with-a-hammer

  27. Which is why I never install browser addons that monitor/pre-empt/intercept/divert/parse or otherwise aggregate code or functionality into or onto my browsers, of which I use two: Chrome and FireFox. Nor do I lard on all the extra geegaws they beg you to buy. AND by-the-way, I never pay for AV software. I have used AVG Free, rightly or wrongly, in conjunction with FireFox (and now Chrome) for 18(?) years during which time I have fallen prey to an exploit only once and that was my fault. Any other security failures I experienced were with MSIE - and nothing could protect you from the flaws in MSIE. No AV product can protect you against your own stupidity, especially if you don't understand or acknowledge the shortcomings of the AV platform you use. I get the point about MSAV: who knows MS better than MS? Who better to create and build an AV architecture that works in harmony with MSOS, but then look at MSIE. I still think MSIE is terrible software and never use it. So I stick to what I know works, for now. But I will say this, and I wish someone would address this specific issue. What i fear, in light of the Russian exploit of the DNC, is that these foreign AV softwares could be engineered to backdoor any user and expose westerners to attack. Imagine planting evidence of criminal activity on thousands or millions of computers, implicating innocent users in criminal activities of which they have no knowledge and indictment for said crimes they did not commit: wire fraud, sex crimes, computer crimes, espionage, public infra-structure crimes, you name it, or leverage your system as a bot to attack dot-gov or public/private infrastructure. This has begun to steadily creep into my awareness of late.

  28. If you are too stupid to use XP, that doesn't mean others are.
    And your new Firefox versions are plain shit! Go fuck yourself in your Catholic church.

  29. Lol, good one. Windows Defender is the worst piece of shit I ever saw.

  30. Totally, that is what I do and say to my users/customers.

  31. Yep.

    If some OS isn't able to secure itself (vs SELinux, OpenBSD, ..) I don't use it. Security as an afterthought never worked and never will. Just say bye-bye to this expensive crap that makes your box crawl, your apps crash, and only gives a false sense of security.

  32. Also, are you discrediting places like Virus Bulletin or AV-Comparatives?

    https://www.virusbulletin.com/
    https://www.av-comparatives.org/

    They don't even bench the Microsoft built-in AV because of its low scores.

    I understand from a standpoint of the browsers' sake with their plugins. I don't even enable those because I want the browser to do that and the AV to catch anything the browser doesn't catch.

    I've gone back and forth on this myself as an IT professional and I find myself using AV because of those listed sites and Microsoft's admission that it's just a baseline product they include.

    To me performance is always what I'm looking for as I'm an avid PC gamer and I've never had issues with Bitdefender running on my PC slowing down my Games or Browsing.

    I have, though, run into those issues you mentioned where it gets tricky because the AV product is doing some stuff with the kernel. For example, the Asus tools to monitor my PC and adjust settings like voltages and bus speeds have an issue with BitDefender. My response to that was just to not use the software and seek alternatives to monitor temps.

    Replies
    1. OK for the sake of time I'll just focus on
      https://www.av-comparatives.org/wp-content/uploads/2016/12/avc_prot_2016b_en.pdf.

      > That don't even bench the Microsoft built in av because of its low scores.

      This report does include Microsoft. In that test, MS got 97% (1570 out of 1619) ... lower than most of the other products, but the actual difference is very small.

      The major problem with tests like this is that they are designed to fit the strengths of AV products and avoid their weaknesses. The report doesn't say how they acquire their malware samples, but I guess they get them from the same sources AV vendors do. (They're not writing their own since they say they independently verify that their malware samples "work" on an unprotected machine.) So what they're testing here is the ability of AV software to recognize malware that's been in the wild long enough to be recognized and added to someone's database. That's exactly the malware that AV systems detect. But in the real world users will often encounter malware that hasn't had time to be classified yet, and possibly (e.g. in spear-phishing cases) will never be classified. A more realistic test would include malware like that. The test writers should cover that by generating a whole lot of their own malware that's not in any database, and see how AV products perform on that. My guess is that the detection rate would be around 0% if they do it with a modicum of skill. Of course in the real world, some malware authors can and do iterate on their new malware until they're sure the major AV products won't detect it.

      So for the sake of argument let's suppose 20% of the attacks in the real world use new unclassified malware and 80% use old malware and none of the 20% is detected by AV products. That would be 405 additional malware samples not detected by any product. Now Microsoft scores 77.6% and F-Secure is 79.9%. That difference doesn't look so important now.

      The other major issue with this whole approach is that it takes no account of the downsides of AV products. If a product slows down your system massively (more than other products), that doesn't show up here. If a product blocks all kinds of valid content, that doesn't show up here. If a product introduces huge security vulnerabilities --- even if they're broadly known --- that doesn't show up here. If a product spams the user incessantly with annoying messages, that doesn't show up here.

      Because of these systematic issues, this approach to testing actually does more harm than good because to the extent AV vendors care about these test results, they'll optimize for them at the expense of those other important factors that aren't being measured.

      There are also some issues with this particular test report. For example they say how important it is to test up-to-date software, and then test "Microsoft Windows 7 Home Premium SP1 64-Bit, with updates as of 1st July 2016" and Firefox version 43.0.4. But on 1st July 2016, the latest versions were Windows 10 and Firefox 47.0.1.

      Another issue I have with this particular report's product comparisons is that I suspect all it's really measuring is how closely their malware sample import pipeline matches the pipelines of other vendors. Maybe F-Secure won that benchmark because they happen to get their malware samples from exactly the same sources as AV-Comparatives and the other products use slightly different sources. The source of malware samples is critical here and I can't find anywhere they say what it is.

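The adjusted-score arithmetic in the reply above (1619 samples, Microsoft at 1570, 20% of real-world attacks assumed to be unclassified and undetected malware), as an added worked example that is not code from the original post or from AV-Comparatives. F-Secure's raw count of 1617 is an assumption chosen to match the 79.9% the reply quotes; the `new_share` and `new_detection_rate` parameters let you vary the reply's assumptions.

```python
# Added example (not from the original post): how AV-Comparatives-style
# detection scores compress once not-yet-classified malware, which the
# reply assumes no product detects, is counted among real-world attacks.
# Figures from the reply: 1619 samples in the test, Microsoft 1570 (97%).

SAMPLES_IN_TEST = 1619

# Raw detections per product in the test set. Only Microsoft's count is
# stated in the reply; F-Secure's is an assumption consistent with the
# 79.9% adjusted score the reply gives it.
RAW_DETECTIONS = {
    "Microsoft": 1570,
    "F-Secure": 1617,  # assumption
}


def unclassified_sample_count(classified: int, new_share: float) -> int:
    """Extra samples needed so that `new_share` of all attacks is
    unclassified malware, given `classified` known samples.

    With 1619 classified samples and new_share=0.20 this is 405
    (the reply rounds 404.75 up)."""
    if not 0 <= new_share < 1:
        raise ValueError("new_share must be in [0, 1)")
    total = classified / (1 - new_share)
    return round(total - classified)


def adjusted_rates(raw: dict, classified: int, new_share: float,
                   new_detection_rate: float = 0.0) -> dict:
    """Recompute each product's detection rate after adding the unclassified
    samples, of which every product detects `new_detection_rate` (the reply
    assumes 0%). Returns percentages rounded to one decimal place."""
    extra = unclassified_sample_count(classified, new_share)
    total = classified + extra
    detected_new = extra * new_detection_rate
    return {name: round(100 * (hits + detected_new) / total, 1)
            for name, hits in raw.items()}


def score_gap(rates: dict) -> float:
    """Spread between the best and worst product, in percentage points."""
    return round(max(rates.values()) - min(rates.values()), 1)


if __name__ == "__main__":
    raw = adjusted_rates(RAW_DETECTIONS, SAMPLES_IN_TEST, 0.0)
    print("Raw test scores:  ", raw, "gap:", score_gap(raw))
    adj = adjusted_rates(RAW_DETECTIONS, SAMPLES_IN_TEST, 0.20)
    print("20% unclassified: ", adj, "gap:", score_gap(adj))
    # Sensitivity: the gap between products stays small whatever share of
    # unclassified malware you assume, while both absolute scores fall.
    for share in (0.1, 0.2, 0.3, 0.5):
        r = adjusted_rates(RAW_DETECTIONS, SAMPLES_IN_TEST, share)
        print(f"{share:.0%} unclassified -> {r} gap {score_gap(r)}")
```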
  33. What about the almost 5000 malware samples I got, which are not detected by Windows Defender...?
    This blog post is the worst suggestion I've ever read.
    But they are detected by 3rd-party AVs?
    This is damaging to end-users. People should not even use Mozilla because of all the vulnerable plugins it possesses...

  34. I agree and I do not want to know how much energy is burned every day for the useless AV software.

  35. I have used Windows Security for more than 10 years.... It's good.

  36. Since my first computer (year 1999) I haven't used antivirus...

  37. Was this more what you were trying to say?

    https://www.onmsft.com/news/google-chrome-engineer-says-windows-defender-the-only-well-behaved-av

    Replies
    1. I agree with that, but it's not all I was trying to say.

  38. The false positive rate is horrendous, leading to silent and weird changes in behavior. For example a prominent AV solution stops git working under Cygwin on Windows - it fails with some weirdo error, no logging, no diagnostics, nothing to fix it. So - step 1. for all developers: disable AV on Windows.

    Beyond that, the number of user-reported false positives as we tweak headers and re-compile LibreOffice is beyond belief - even though the binaries, installer etc. are signed. The whole "look for virus signatures" approach seems unlikely to succeed in the end anyhow, and the performance impact of AV is severe for most low-end machines (so I'd not enable it on Windows XP either since a) you're doomed anyway and b) you ought to be able to use the PC in the small window of life you have).

    I'd put good money on someone creating entirely random PE executables by shuffling code fragments of any given binary, putting them through lots of AVs and hitting truckloads of false positives; it would be great to have a comparison of the lameness of AVs based on that alone, I guess, and some independent benchmarks of their real impact on machines.

    I guess the AV industry is just another clown in the circus =)
  39. I am so glad there are people who think the same way. I haven't used an AV for more than a decade now.

    I think they're the most useless piece of software in existence today; they act like viruses themselves by slowing down computers and interfering with other processes, and the beauty of it is PEOPLE pay for them!
  40. I've had to fix machines which have run only Microsoft's security and got infected, and SpybotS&D or MalwareBytes have easily found the problem.

    In my experience it's the fully integrated security suites that are the biggest headaches.
    I've had to turn off outbound mail scanning on my wife's laptop because it fails for an unknown reason; she runs Avast.
  41. I've been running MC Shield because of the high number of USB viruses in the country I live in, and I've heard Immunet is supposed to be good; both run alongside resident antivirus programs. How do these fit with the recommendation to not install 3rd-party scanners and use Windows Defender instead?
  42. Robert, I am not into all this chain of comments but seeing this:

    > because of the high number of USB viruses in the country I
    > live and I've heard Immunet is supposed to be good, both run
    > alongside resident antivirus programs.

    ... I'm tempted to recommend the tool I was using for several years in a row (on a farm of Windows boxes at my previous job). And boy, was it perfect! It's called Ariad:
    https://blog.didierstevens.com/2010/07/18/mitigating-lnk-exploitation-with-ariad/

    If the tools you mention are in the same vein as Ariad, it's a very nice combo, I'd say (I used both Ariad + MSE in those older times), because it deals more with the causes of infection than with the consequences. Recommended!
  43. The only thing I noticed about my ESET Internet Security is that it overwrites some websites' security certificates with its own.
    Replies
    1. This paper says ESET is especially bad about its TLS interception: https://jhalderm.com/pub/papers/interception-ndss17.pdf
  44. Finally, a voice of sanity in the wilderness. I run a small IT shop and I've had people call and rail on me after hearing about me telling someone this exact thing. I can confirm, personally, that I have never, not once in 20-some years of doing this, seen AV actually protect the people who were always infecting themselves.

    The other major issue is that by and large, the biggest problems are PUPs, which many AV solutions cheerfully ignore - or even install. Which is why in the end, prevention (patches, user education, user lockdown) and remediation (malwarebytes et al, backups, restores) have been the only thing that really works.

    And yes, leave Windows Defender on.
  45. This is a terribly ignorant article, written by someone who does not understand vectors of attack, the nature of viruses in the past decade, or anything, really, about security. It also certainly explains why millions of people are part of zombie botnets without even knowing that they are. Mind-boggling stupidity on display.
  46. Sorry, but Windows Defender is absolute garbage. Slow, poor (well, non-existent to be honest) proactive features; the only thing good about it is that it's easy to use since it hardly has any settings. Are you a Microsoft shill? Because no one in their right mind would recommend Windows Defender over products like Kaspersky, avast! or Bitdefender, the last two of which also offer free versions that are not any worse protection-wise than their paid counterparts. Diversity in the antimalware field gives users immunity. If everyone used Windows Defender, bad guys would just have to bypass that and they'd be done. And trust me, bypassing Windows Defender is easy. But if bad guys have to craft their packages to bypass 20 different products, they have to make compromises and do extensive testing, and even then the chances that one vendor will nail them and share the sample with the rest are very high. And with cloud systems, they can't test it in advance, because it means AV vendors will get an insight into the malware, and if they don't, they can't be sure it's not detected already. It's why everyone else is better than Microsoft: because they have complex multilayer protection systems.
  47. I was too lazy to write all that out, but yes, exactly. Homogeneity, using AV by the same company that made the OS, is insanity. In addition, Windows Defender/MSSE are simply way behind in innovative technologies like deep cloud AI (Symantec) or Webroot's tracking and reversal of suspicious application behavior.

    People who write such articles are terribly ignorant, and they believe they still live in an era where you could, first of all, know when you have a virus, and second, eliminate it by "scanning" after it executed.

    The only thing that still works to root out modern viruses is hacker utilities like Combofix. Modern antiviruses are trying to catch up, but Microsoft is certainly way behind all of them.