Former Mozilla dev joins chorus roasting antivirus, says 'It's poison!'

Antivirus is harmful and everyone should uninstall it, so says recently liberated ex-Mozilla developer Robert O'Callahan. The former Mozilla man worked at the browser baron for 16 years and has now joined his voice to the growing chorus of hackers pouring scorn on the utility of antivirus software. Among O'Callahan's beefs is …

  1. a_yank_lurker Silver badge

    Problem with Anti-Virus

    AV applications are more like flu vaccines - one has to get a new one periodically with guarantee it will work. Given most infections exploit well known, unpatched bugs or rely heavily on social engineering, neither is any AV good at stopping.

    1. Grifter

      Re: Problem with Anti-Virus

      Except flu vaccines actually work, and AV is still shit.

      Fuck I hate AV so much, I used to be 'responsible' if one can call it that for securing smb with antivirus and keeping it updated, across hundreds of machines remotely, and every once in a while you'd still get phone calls from various bosses (it's always the fucking bosses for some reason) about how their machines did weird shit, and turns out *other* antivirus found what our own antivirus didn't find, and of course they want answers, 'How could this happen!?' BECAUSE IT FUCKING DOES, ALL THE GODDAMN TIME, but diplomatically there was only the platitudes you could give, 'this particular virus was a new variant and hadn't been inoculated against', bullshit of course.

      In my experience, at least the computers that I was exposed to, none of them should have been running Windows at all, most of them just did basic shit anyway which would have worked just as well running Linux, even if one was not a savvy user, and the cases where Win was needed it should have been only running as a VM inside a Linux host, a particular state saved on the image and when done using it wipe the image and use a new copy of it for next time, it would have saved so much fucking energy and money for everyone involved. AV I hate you so much.

      1. joeW

        Re: Problem with Anti-Virus

        Reminds me of an Internet Café (god, remember those?) I worked at about 15 years back. We tried AV to keep the fleet clean but with an endless parade of clueless fuckwits clicking on every flashing banner that moved it just didn't work.

        In the end we went with no AV on the customer PCs, restoring them to a clean image with Norton Ghost every night after closing, and keeping the payment terminals, etc, on a separate subnet. Saved time, money and headaches.

        1. Triggerfish

          Re: Problem with Anti-Virus

          Reminds me of an Internet Café (god, remember those?)

          Always interesting when travelling and using internet cafes to email from, the amount of people who never logged out of email or other sites they had been visiting. Lucky I was nice and used to clear down the history/cookies/logins etc for them.

        2. Jack of Shadows Silver badge

          Re: Problem with Anti-Virus

          Precisely what I've done in the past with good effect.

      2. Mage Silver badge

        Re: Problem with Anti-Virus

        AV is rubbish:

        User education is more effective.

        It regularly trashes OSes.

        It slows machines

        It has wrong default settings

        Never up to date.

        Gives false confidence, so users don't bother learning about basics.

        Disable UPnP on router and PC, always use EXTERNAL firewall, turn off SSDP and all other stupid default services on Windows. No remote content in email. Use NoScript and whitelist and blacklist on each site you use (once per visit is usually enough). Don't install stupid toolbars. Always use custom install and untick extras. Don't download "free" versions of pay only software. Only use sensible sources for SW and codecs.

        Disable Autorun on all devices.

        All far more use than ANY AV.

        I've been saying this for 25 years.


        1. Anonymous Coward
          Anonymous Coward

          Re: Problem with Anti-Virus

          AV may be rubbish, but how do you handle everything else:

          "User education is more effective."

          Unless the user's dumb as a brick, which tends to be the norm. Plus what if the user DEMANDS you turn off the security settings because their favorite stuff doesn't work otherwise? AND cites "The Customer Is Always Right" when they threaten to replace you for recalcitrance?

          1. Archtech Silver badge

            Re: Problem with Anti-Virus

            "Unless the user's dumb as a brick, which tends to be the norm".

            IMHO it's not that they are dumb at all - many of them are very intelligent. It's that they have absolutely no patience at all with any technical necessities of computing that they don't know or care about. (OK, you could argue that it's dumb to have such an attitude, but many of us do in respect of hidden complexities we don't know or care about).

            1. Charles 9 Silver badge

              Re: Problem with Anti-Virus

              "IMHO it's not that they are dumb at all - many of them are very intelligent."

              When it comes to computers, though, even surgeons can be dumb as a brick. I speak from experience. How can you educate users when, as the comedian says, "You can't fix Stupid"?

              1. Yet Another Anonymous coward Silver badge

                Re: Problem with Anti-Virus

                It wasn't users who invented a standard Windows graphics format that allowed executable commands to be placed in the image header and ran them when the image was viewed.

                If HW had the same attitude to security you would have computers that caught fire or exploded if you looked at them funny.

            2. Mage Silver badge

              Re: Problem with Anti-Virus

              The problem is OS design and ESPECIALLY email client and Browser design.

              Many people can't be bothered learning.

              It's crazy bad design that you can infect OS from browser content.

              AV isn't the solution, so while it is sometimes nearly impossible, user education, when accepted is far more effective.

        2. Patrician

          Re: Problem with Anti-Virus

          And my next door neighbour is going to know how to do all that how?

        3. Anonymous Coward
          Anonymous Coward

          Re: Problem with Anti-Virus

          > User education is more effective.

          From bitter experience - you can not educate lard.

          1. AlgernonFlowers4
            Joke

            To Paraphrase Terry Pratchett

            > User education is more effective.

            From bitter experience - you can not educate lard.

            You have not got the brains of a tub of lard!

      3. Anonymous Coward
        Anonymous Coward

        Re: Problem with Anti-Virus

        "Except flu vaccines actually work"

        Given that flu vaccines contain about 20 virus strains and about 200 circulate per year, flu vaccines do work, just not thoroughly.

        They still probably work better than any computer AV product, tho...

      4. Jack of Shadows Silver badge
        Mushroom

        Re: Problem with Anti-Virus

        Except I just got out of the hospital after someone decided to inject me, violently allergic to, with flu and pneumonia vaccines. I should be dead. [Is this Hell? After this week, I think it really is.] I spent thirty years [1982-2004] not only as a sysadmin owning thousands of systems and responsible for whole libraries of software on services like CompuServe. I was last infected in 1989 on an Amiga. Despite owning a dozen Windows machines of my own.

        I think that means I have a cluestick. Yeah, it can be dangerous stuff but so can a vaccine in the wrong hands too. As for trusting Windows Defender, well it's one arrow here except Microsoft loves to alter services, ports, registries, and other system aspects behind my back. FU very much Microsoft.

        I am switching us to other operating systems here and no, neither Apple nor popular Linux distributions are involved. At least I have executive respect there for the foreseeable future. Unless some idiot kills me by accident or intention.

        /rant.

    2. LDS Silver badge

      Re: Problem with Anti-Virus

      The problem lies in the way AV products went the "snake oil" route in an attempt to protect and heal you from any disease. Thereby instead of doing what they should have done properly - they started to become firewall, proxies, DLP and whatever. Just, to do it properly, it would have required skills and a level of integration with the OS far beyond their capabilities - especially when the users started to expect "free" products and money had to come from elsewhere...

      Thus what you really got was a dangerous pile of s**t hacking into your system in the most dangerous ways. And which usually wasn't able to clean itself properly once uninstalled. Once I got one that redirected Windows scripts to its engine to parse them before execution, but didn't restore the original setting on uninstall.... crippling some Windows updates. Another borked downloads of some tools that could also be used to hack - but without telling what it did. You just got a damaged zip, and wondered why....

      That's why in some ways MS one is better. It does less, so it doesn't usually get in the way, and doesn't slow down everything continuously.

      Anyway, from a developer of one of the most effective attack vectors of the PC era (the browser!) I would have expected better. Why browsers are still so insecure, and why, like AV, they attempt to do too much - and often accepting insecure designs just because web apps need more bells and whistles, exposing users to unnecessary risks?

      1. This post has been deleted by its author

      2. Archtech Silver badge

        Re: Problem with Anti-Virus

        "The problem lies in the way AV products went the "snake oil" route in an attempt to protect and heal you from any disease".

        I would suggest that the needs of computer security are very hard to cater for in the competitive free market environment - especially when most software (and some hardware) is proprietary and secret.

        Security cannot be added on like a box on the side - or if it is, it won't work very well at all. Ideally it needs to be built right into the system at a deep level, preferably when the system itself is first designed. That is somewhat easier to do with FOSS, although there too there are serious obstacles.

        On top of everything there is the chronic incomprehension and patience of users - all the way from your husband, wife or SO to the CxOs of a big corporation - who don't want to hear anything about how computers work, just to have the benefits all the time without any interruptions or hiccups.

        1. Charles 9 Silver badge

          Re: Problem with Anti-Virus

          "Security cannot be added on like a box on the side - or if it is, it won't work very well at all. Ideally it needs to be built right into the system at a deep level, preferably when the system itself is first designed. That is somewhat easier to do with FOSS, although there too there are serious obstacles."

          The biggest obstacle, however, is the user that expects to just get things done. If things get in the way, they complain. Well, like the lock in the door, security necessarily gets in the way of the user's job. And they're not interested in learning more hoops to jump. So what do you do?

          1. Kiwi Silver badge
            Holmes

            Re: Problem with Anti-Virus

            The biggest obstacle, however, is the user that expects to just get things done. If things get in the way, they complain. Well, like the lock in the door, security necessarily gets in the way of the user's job.

            System security is seldom like a lock in a door. In some cases it's more like having to get an armed and armoured escort, open a dozen nuke-proof doors each with a dozen different security systems, just so they can look out the window for a moment.

            Locking the door so that things of value are protected is all that should be needed, and as Mage says "It's crazy bad design that you can infect OS from browser content.".

            AFAIA browsers and email are, if not the main source of infection, then a significant portion of it. Sure, stupid behaviour is a part of it but when reputable sites can deliver an infection through advertising, there's a lot more than user stupidity at issue. Make it so the browser cannot infect the OS and somewhat more importantly (yes, really!) make it so the browser cannot mess with files outside of say ~/Downloads and ~/.profile/browser_customisations. That way it shouldn't be able to infect a user's other files (photos etc) or anything else - protecting them from at least some forms of crypto malware, stuff that steals private data and so on.

            While a browser or email client can infect the OS or mess with user's other files, problems will remain.

            1. Havin_it

              Re: Problem with Anti-Virus

              Having a prescribed dropzone for downloaded files would be a royal ballache for me a lot of the time, though I'm not against it as a default for new users. What would be more beneficial to my mind, would be if downloaded files weren't executable by default and had to be explicitly OK'd as such by the user.

              I've tried in the past to make Windows systems live up to that philosophy, typically by revoking execution permissions on all but one of a user's folders (and crucially not the default download folder) but this just tends to hit problems. 1: some apps have installation/update routines that fail if your TEMP folder doesn't have execute permissions; 2: the stupid-ass Windows permissions granularity where the key permission is "Read AND Execute" whereby if you revoke this permission from a given folder, you can download shit into it and be sure it won't execute, but unfortunately nor can the shell navigate that folder!

              In short, a setup whereby the user is required to manually bless the execution of a downloaded file is not a goer without training or seriously crafty system configuration.

              1. Kiwi Silver badge

                Re: Problem with Anti-Virus

                Having a prescribed dropzone for downloaded files would be a royal ballache for me a lot of the time, though I'm not against it as a default for new users. What would be more beneficial to my mind, would be if downloaded files weren't executable by default and had to be explicitly OK'd as such by the user.

                True, I often download stuff to various locations depending on what I am doing at the time. So we could have a few options - have the browser only able to write to the profile folder (so it can save history etc) and where the user sets the download/saves the file to at that time, and /temp of course, for newbies have it default to ~/Downloads or whatever is specified in the config as the download location (they can move it later!)

                Killing executable-by-default would be great but is not-doable on Windows (an OS that lets you have safefile.txt.exe, that hides the ".exe" and has a wordpad icon, and tries to execute anything that ends in .exe, .com, .bat etc when double-clicked is NOT a safe OS!), and probably too many people would complain. But if you at least limit the browser's access to other folders not its own. If you're a Windows user, which would you prefer - a few moments moving a file from Downloads to where you want it (and yes you may have to remember to come and do it later if it's a long download), or all your personal data trashed because your browser was compromised? I'd rather the browser could be prevented from touching all but a tiny fraction of the disk! (RO at least!)

                Users, btw, can be capable of some quite interesting and scary feats in their attempts to use that "special secret preview release" etc. Make it sound that they're somehow a "l33t haxxor" just by having the file and the mad skillz to circumvent the special security routines ("rename illicitfile.zi_ to *.zip"!) that they can read on some dodgy website and they'll be falling all over themselves to install your malware. Make sure to warn them to turn their AV off before downloading as the installer might not work otherwise...

                I've tried in the past to make Windows systems live up to that philosophy, typically by revoking execution permissions on all but one of a user's folders (and crucially not the default download folder) but this just tends to hit problems. 1: some apps have installation/update routines that fail if your TEMP folder doesn't have execute permissions; 2: the stupid-ass Windows permissions granularity where the key permission is "Read AND Execute" whereby if you revoke this permission from a given folder, you can download shit into it and be sure it won't execute, but unfortunately nor can the shell navigate that folder!

                um.. Wow.. I think I need to take a while away from the computer after this post! Just.. WTF?? Wow..

                In short, a setup whereby the user is required to manually bless the execution of a downloaded file is not a goer without training or seriously crafty system configuration.

                Yeah.. So sad.. See above..

                Still, such activities kept me fed and in new toys for a few years.. If all our users suddenly sprouted a sense gland, I think we'd see a lot of IT peeps out of a job PDQ.
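Havin_it's point about the "Read AND Execute" granularity and Kiwi's wish that a downloaded file should need a deliberate move before it runs can both be tried on a Windows box with the PowerShell below. It is an added example, not code from either poster; it assumes an NTFS profile folder and Windows PowerShell 5.1 or later, and the folder path, the BUILTIN\Users SID and the function names are my own choices.

```powershell
# Added example: deny only the Execute right on files that land in a download
# folder, leaving the folder's own List/Traverse rights alone so Explorer can
# still open it. Hypothetical script, not from the thread.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
    # BUILTIN\Users by well-known SID, so it also works on non-English systems.
    [string]$PrincipalSid = 'S-1-5-32-545'
)

function Add-DenyExecuteOnFiles {
    param([string]$Path, [string]$Sid)
    $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # ObjectInherit + InheritOnly: the ACE is inherited by files created inside
    # the folder but is not effective on the folder itself, so listing and
    # navigating the folder keep working. Subfolders receive it as inherit-only,
    # so files in subfolders are covered while the subfolders stay traversable.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyExecuteInherited {
    # Creates a throwaway file in the folder and checks that it inherited an
    # effective Deny ExecuteFile ACE for the given SID; returns $true/$false.
    param([string]$Path, [string]$Sid)
    $probe = Join-Path $Path ('probe-' + [guid]::NewGuid().ToString('N') + '.exe')
    Set-Content -Path $probe -Value 'not a real program' -NoNewline
    try {
        $acl = Get-Acl -Path $probe
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IsInherited -and
            $_.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value -eq $Sid -and
            ($_.FileSystemRights -band
                [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
        }
        return [bool]$hit
    } finally {
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    }
}

Add-DenyExecuteOnFiles -Path $Folder -Sid $PrincipalSid
if (Test-DenyExecuteInherited -Path $Folder -Sid $PrincipalSid) {
    Write-Output "New files in $Folder now inherit a Deny ExecuteFile ACE."
} else {
    Write-Warning "ACE not inherited; inspect the folder with: icacls `"$Folder`""
}

# Caveats a practitioner should know:
#  - Only operations that need FILE_EXECUTE are blocked, i.e. starting a PE image
#    (.exe) straight from the folder. Scripts (.bat, .ps1, .vbs, .js) and
#    documents are merely read by their interpreter or viewer and still open.
#  - The deny is inherited from the folder, so copying or moving the file to
#    another folder gives it that folder's ACL: the move is the "bless" step.
#  - Roll back with:  icacls "<folder>" /remove:d *S-1-5-32-545
```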

    3. Archtech Silver badge

      Re: Problem with Anti-Virus

      Actually flu vaccines work only if you are lucky enough to be infected by the particular type of flu virus against which you were inoculated. While there are a lot fewer of those than computer viruses, etc., the odds are still heavily in favour of the flu going round your vaccination "Maginot Line".

    4. JCitizen
      Coffee/keyboard

      Re: Problem with Anti-Virus

      Since Windows 10 came out, I have actually started recommending just what the author ordered. HOWEVER - this is ONLY after setting the client up as a local user and NOT an administrator. Then I put one or both of my favorite updater reminder tools, like Secunia PSI, and/or File Hippo's Application Manager, so that will close the vulnerability gap with apps and browsers.

      Fortunately many apps have improved their own automatic updates, not perfect but getting there. The only other thing I install for sure is CCleaner; and I include this warning. I tell them, if something unexpected pops up DO NOT CLICK ON IT, close the browser, and simply run CCleaner, then open Task Manager to end the task - if it is visible - if not - simply log off and back on, or reboot and all is well.

      If you truly want the best damn thing since sliced bread, put Deep Freeze on your computer - HELL you can run as administrator all day if you like, because once you reboot - POOF!! all the bugs and any changes made without your permission are gone - your data storage may be compromised, but the operating system will never get taken over with something like that. There are competitors that claim better technology than what Faronics offers, but I've not been able to test them yet.

      The protections that Microsoft lends to the equation are powerful and can defeat all but nation state bad actors as long as one is logged in as a standard user and EVERYTHING is up to date. If you're banking and shopping online, I highly suggest the ultimate in anti-keylogging and screen capture technology and install IBM's Rapport - I have extensively tested it, and it is rock solid, but you have to pay attention and make sure it is working in whichever of the big three browsers you like - all of which is simple visual consciousness. My many hours in my honey pot lab are proof enough for me, and I keep testing every chance I get.

      1. Kiwi Silver badge
        Coat

        Re: Problem with Anti-Virus

        your data storage may be compromised, but the operating system will never get taken over with something like that.

        Ahem.

        1. JCitizen
          Alert

          Re: Problem with Anti-Virus

          Okay - I'll bite! When it comes to laptops and mobile devices, there is no substitute for remote wipe - that is all I can say about that.

  2. Notas Badoff
    Megaphone

    Less is more?

    If the best antivirus product is the one least bad, are they any good?

  3. kbb

    If Microsoft's own AV is the best...

    ...why don't they just build it straight into the product it's protecting?

    1. Adam Azarchs

      Re: If Microsoft's own AV is the best...

      That's easy. Because they'd be sued for antitrust. That's an actual thing that happened when they released Defender. Norton sued them and the settlement was that they agreed not to bundle it.

      1. patrickstar

        Re: If Microsoft's own AV is the best...

        They actually do include it with Windows 8 and above, unless that changed at some point.

        In any case the same engine is used for MSRT which is delivered monthly to 7 and XP, so in some sense it's included even with them.

      2. Anonymous Coward
        Anonymous Coward

        Re: If Microsoft's own AV is the best...

        "Because they'd be sued for antitrust"

        Surely security is a core part of the product? They can't be touched for antitrust on that - unless third parties have built businesses on frightening users by getting clueless salespeople in PC World to flog antivirus with each PC, the way MS gets PC manufacturers to sell Windows with PCs, whether the user wants it or not. Other option is of course to keep it as a separate thing, which would be saying "this type of security is not a core part of this software."

        1. Pascal Monett Silver badge

          You cannot apply reason to markets that are governed by lawsuit.

  4. Anonymous Coward
    Anonymous Coward

    From the 90's on....

    ~ Symantec-Norton became synonymous with bundling or forcing subscriptions. Like buying from a mail order corp who won't deliver unless you also buy from their affiliate.

    ~ So AV was the original scammers scam, and this is where it has all led! Now as per IoT, the suits are in charge, so the value proposition from buying AV is zero. Sprinkle in the fact too that Avast / AVG are pwning user info, it's all just another cyber-cesspool....

    ~ Whereas this should have been a boon time for AV firms. They should be raking it in for legit utility. How did it get this bad? Hackers-cyber-crims are winning on every front.

    1. Triggerfish

      Re: From the 90's on....

      But I love the McAfee I get bundled on every new PC and laptop... now excuse me just got to go see about this head injury.

      1. jason 7

        Re: From the 90's on....

        McAfee preinstalls are responsible for more shit than anyone mentions.

        I have never seen anyone take up the subscription after the free three months is up but the tards still think they have valid AV on their machine.

        All they had to do was uninstall it and Defender would take over and stay up to date.

  5. This post has been deleted by its author

    1. Norman Nescio Silver badge

      Re: If MS AV is the best...

      < The only way it could get any worse is to install an AV product from Adobe FFS!>

      Adobe and Symantec did partner each other:

      https://www.adobe.com/aboutadobe/pressroom/pressreleases/200603/030206Symantec.html

      "Initially, the two companies will offer a complimentary trial and the option of special pricing for the Norton Internet Security 2006 suite to users who are downloading the latest version of Adobe Reader"

      You almost got your wish.

      1. Anonymous Coward
        Anonymous Coward

        Re: If MS AV is the best...

        Will nobody rid me of this "industry"?

        1. analyzer

          Re: If MS AV is the best...

          Curiously, Windows Defender uses ASLR and can operate on a system using ASLR because they are both MS and can therefore access the required APIs to do the defending job.

          As to how good it actually is I have no personal knowledge of, but it would seem to be one step better than most anti virus.

          1. Brewster's Angle Grinder Silver badge

            Re: If MS AV is the best...

            "As to how good it actually is I have no personal knowledge of,"

            I don't know how good it is at reducing infection, but I haven't noticed it running. Which, for AV, makes it really good.

          2. Kiwi Silver badge
            Boffin

            Re: If MS AV is the best...

            As to how good it actually is I have no personal knowledge of, but it would seem to be one step better than most anti virus.

            My posting history will clearly show that I have a, well, shall we say "mild dislike" of all things Microsoft.

            When I was working in IT repair we used an offline version of Defender/Security Essentials as a regular part of our clean-up scans (also used Eset, BitDefender, Kaspersky and AVG boot disks (PXE boot) and a few other tools). We noticed that WD could find hundreds of infections where a paid and up-to-date Norton Virus would be saying "move along, nothing to see here, everything's fine".

            We also found that the installed AVG tended to be crap, but their offline scanner/"rescue disk" was one of the best. And there were a few things out there that no AV seemed to detect. You knew something was there, but what or how. And one or two seemed to infect parts of the USB other than the normal filesystem - we would have tools on USB that were re-imaged after being inserted into a customer's machine, but one or two things survived the re-imaging so we went to the much slower option of USB-DVD (didn't always work) or booting a Linux/F4/Hirem etc and copying across what we wanted first.

            Annoyingly W8 and W10 make a lot of this harder to do, especially with that totally fucking ridiculous "only way into safe mode is to tell your computer to go into it BEFORE you know you need it" and the often-equally-stupid "never shut down only ever hibernate making it potentially risky to copy data to the HD". Come on MS, help people out who service your systems, especially with safe mode being available if the machine fails to boot (maybe they fixed that, I'm no longer in that part of the industry).

            Oh yeah, MSE/WD seemed to be pretty light on resources, and ran rings around Avira when it comes to ease of telling it a file was OK and to ignore it OR getting a sus file submitted to them for further analysis.

            1. jason 7

              Re: If MS AV is the best...

              "Come on MS, help people out who service your systems, especially with safe mode being available if the machine fails to boot (maybe they fixed that, I'm no longer in that part of the industry)."

              This is still a major problem. All the so called 'fix it' features that MS have introduced with Windows 8 to 10 are more of a problem than a help. They either get in the way or just don't work. The restore points often aren't there or magically disappear. The system rebuild often doesn't work either. Then there is the classic of Safe Mode which has hardly any access unless you can get the machine to boot in the first place...which isn't the reason you need Safe Mode.

              9 times out of 10 it's quicker to try to copy the user data off and rebuild the machines with a fresh USB install.

              With Windows 7 you could usually boot it into Safe Mode via F8 and 5 minutes later you would be back up and running.

              But no we have to now have the useless Fast Boot setting which is a waste of time and a liability.

              I always switch Fast Boot off on all my customers' machines. None of them miss it.

      2. Francis Boyle Silver badge

        Re: If MS AV is the best...

        "Initially, the two companies will offer a complimentary trial and the option of special pricing for the Norton Internet Security 2006 suite to users who are downloading the latest version of Adobe Reader"

        Oh, happy days.

        These days they just try to sneak McAfee onto your machine.

    2. patrickstar

      Re: If MS AV is the best...

      Sorry, but you are at least 10 years behind on your information on Microsoft security efforts...

      1. Patrician

        Re: If MS AV is the best...

        No he's not; Microsoft only blocked 97% in the latest AV-Comparatives test. Please see link below:-

        https://chart.av-comparatives.org/chart1.php#

        1. jason 7

          Re: If MS AV is the best...

          "Microsoft only blocked 97%"

          Which is far more effective than 80% of laptops out there that are relying on a 2 year out of date lapsed trial copy of McAfee and Norton.

          1. Kiwi Silver badge
            Flame

            Re: If MS AV is the best...

            that are relying on a 2 year out of date lapsed trial copy of McAfee and Norton.

            OR a fully up-to-date Norton for that matter. Aside from Ghost, I don't think there's anything Symantec does that isn't worse than nothing at all.

            If they made a sunscreen it'd consist of a magnifying glass and several ultra-high intensity UV lamps just to make sure. If they made airbags they'd be filled with hydrogen. Or shrapnel, coated with cyanide and festering dogshit. I don't know how anyone can promote their garbage without being done for fraud, or collected by the men in white coats with oversized butterfly nets. I actually think there's a software firm I dislike more than I dislike MS!

  6. Anonymous South African Coward Silver badge

    Only way to get rid of nasty stuff is to enforce a default deny policy.

    1. Anonymous Coward
      Anonymous Coward

      No, because the malware will just find an exploit to get around the default deny, probably by exploiting an existing app that CAN'T be denied by default or your system can't run.

      1. Jack of Shadows Silver badge

        Default deny is the number one protection I've been using for 20 years. I highly suggest you talk to real security engineers before accepting otherwise. Least privilege is next to prevent circumventing Default Deny.

        1. Kiwi Silver badge
          Windows

          Default deny is the number one protection I've been using for 20 years. I highly suggest you talk to real security engineers before accepting otherwise. Least privilege is next to prevent circumventing Default Deny.

          Vista effectively tried that with UAC. I watched a number of people click whatever button made the prompt go away quickly, without bothering to read what was there. Often it was the "yeswhateverjustpissoffletmeplaymygame" button rather than the "You know what, I've read this and I am unsure what it means so for now I will say NO and seek help/think about it in depth".

          I used to use Comodo Firewall and set it up for people, and I would spend a while going through everything on their machine to make sure everything was running OK (Comodo like Zone Alarm would whitelist programs AND things like writing to the registry, changing system files, changing their own exes and so on). Those who followed my instructions and got me on the line before clicking any "allow" prompt had a stress-free system. Those who insisted on clicking the "allow" so they could install "guaranteed safe downloaded from download.com/softonic etc free (honest! just give us your credit card info so we can verify your age!) whatever" were infected within a few days. Wasn't much I could do for them anyway, whatever security that went into place was inconvenient if it didn't let them install whatever they wanted.

          Considering one of them started downloading the Dark Knight movie a few hours after it had been announced (as in filming hadn't even started, the film company/producers/whoever had just publicised that the movie would be made) and couldn't see the logic in waiting till the movie was actually filmed first.. Well, user stupidity knows no bounds.

          Icon - I've always associated with a homeless guy sniffing a nice bottle of glue - would have more sense than some of the users I've dealt with over the years....

  7. Potemkine Silver badge

    :unsure:

    From my experience, all the (non-tech) people I see around me without an AV on their computer have their PC infected and generally by multiple strains of viruses.

    1. Mage Silver badge

      Re: :unsure:

      All the PCs I've cleaned viruses, trojans, rootkits from DID have AV installed.

      I know people that have never used AV and never had infections.

      1. VinceH Silver badge

        Re: :unsure:

        "All the PCs I've cleaned viruses, trojans, rootkits from DID have AV installed."

        Ditto...

        Except it has always been a long out of date free trial that was part of the manufacturer's default build.

      2. Smooth Newt
        Meh

        Re: :unsure:

        All the PCs I've cleaned viruses, trojans, rootkits from DID have AV installed.

        I know people that have never used AV and never had infections.

        My granny smoked several packets of cigarettes a day before dying of a heart attack at 95, so smoking doesn't cause cancer. Anecdotal evidence is no substitute for statistical evidence.

    2. Anonymous Coward
      Anonymous Coward

      Re: :unsure:

      There is a particular type that's very hard to eradicate, too - think it's called Norton?

      1. Destroy All Monsters Silver badge

        Re: :unsure:

        Great stuff.

        Anecdotal evidence and angry blog posts do not lead to good conclusions.

        Statistics, can we have any?

        1. Destroy All Monsters Silver badge

          Re: :unsure:

          Actually got a very suspicious attachment in my e-mail, twice, pretending to be a "friendly message". Virustotal shows only "Arcabit", "Fortinet" and "NANO-Antivirus" flag it as malicious.

          Sigh!

        2. Archtech Silver badge

          Re: :unsure:

          Sure, what kind of statistics would you like? Governments and corporations routinely make up their own statistics, so I guess we can too.

        3. Naselus

          Re: :unsure:

          "Statistics, can we have any?"

          https://chart.av-comparatives.org/chart1.php#

          Plus, the same thing every year since about 1997, with more or less similar rates each year despite a threat environment that grows exponentially each year.

          So, what we see is no AV protects against 100% of threats, but even the worst AV protects against about 95%. Microsoft (y'know, the one Mr Mozilla rates as the bestest because it doesn't interfere with his code as much) rates fairly low on the list, with a 3% full-on compromised rate (behind, well, literally all the dedicated AV vendors who he was busy slagging off). So yeah, it's not perfect, but then only a complete amateur would assume it was; heuristic AV should be deployed as part of a multi-layer security regime that also includes anti-malware scanning, spam protection, firewalls, proxies, ACLs, non-admin accounts with elevation requirements, and (if possible) a DMZ and IDS. This is hardly news, and has long been the refrain of infosec bods - 'onion security' and all that.

          See, I'd feel a lot more convinced by this argument if it had more quotes from genuine infosec specialists criticizing AV software, and less noise from non-AV developers and bug hunters complaining about how AV doesn't let them do cool things they really, really want to do. How long before Mozilla devs then starts complaining that proxy servers should be removed because they screw up SSL certificate checks? It's true, they do, but I'd still rather have my proxy in place, thanks.

          See, that's kinda the issue here, more than anything; I want Firefox to be a browser. It needs to be secure, but not so secure that it conflicts with all my dedicated security infrastructure (which it does near enough constantly). When it starts doing so, is the problem really the AV software, or is it that Mozilla has gone into full-on mission creep and is starting to muck about in areas that it has no business playing with (while slowing its own performance down to dog-like levels compared to other browsers)?

          I'm not removing my AV solution yet, because while it may 'only' protect against 99% of threats, I'd sooner have that protection against those 99% at that layer, and trust that the other 5 or 6 layers of security in my network will deal with the rest. Firefox, on the other hand, is already gone.

          1. Charles 9 Silver badge

            Re: :unsure:

            "I'm not removing my AV solution yet, because while it may 'only' protect against 99% of threats, I'd sooner have that protection against those 99% at that layer, and trust that the other 5 or 6 layers of security in my network will deal with the rest. Firefox, on the other hand, is already gone."

            But what happens when a malware EXPLOITS the AV software to say create an admin-level exploit and uses it to leapfrog all the other defense layers? Is a layer of defense really worth it when it can be made into a mole?

          2. patrickstar

            Re: :unsure:

            The actual protection rate of any AV against malware at the time you actually encounter it in the real world (drive-by browser exploit for example) is close to 0%.

            What do you think malware authors do before releasing their creations: Answer: They test it against all major antivirus products. Doesn't matter if it's a signature detection or some sort of heuristic that detects it - whatever it is, they fiddle with the files until all detections are gone.

            What do you think malware authors do once it's in the wild and one or several AVs detect it? Answer: They go through the process above again.

            These are professionally operated and funded businesses, not a bunch of teenage kids who can't attend to the AV evasion work because their mom would take the computer away if they skipped school.

            While AVs admittedly have a sort of collective restraining/slowdown effect on the malware ecosystem as a whole, it's unlikely that your particular AV happens to save you in a given infection attempt.

            The exception would possibly be things delivered via mail, since there can be a significant time between a mail being sent and actually opened by the receiver, but that doesn't require some horrible attack surface running on the clients hooking into the system and applications to stop.

          3. veti Silver badge

            Re: :unsure:

            See, I'd feel a lot more convinced by this argument if it had more quotes from genuine infosec specialists criticizing AV software

            What, you mean like this, or this, or this?

            If you've been paying attention at all, you know the literature is out there. This is just a story about one guy's opinion. Take it for what it's worth, which is not much, but don't dismiss the whole subject just because this story doesn't cover the whole thing. That's like reading an article about Arctic sea ice that mentions global warming, and dismissing "global warming" because the article doesn't go on for 20 pages telling you everything there is to know about it.

          4. JCitizen
            Thumb Up

            Re: :unsure:

            @Naselus - BAZINGA!!

        4. Kiwi Silver badge
          Devil

          Re: :unsure:

          Statistics, can we have any?

          One machine. Up to date proper paid Norton AV (Think it was 360 but not entirely sure). Machine was running XP but was before end of life.

          1492 infected files, over 400 (can't recall exact figure) different viruses, as detected by Kaspersky Rescue Disk. That was about 50% of the way through the scan where I decided I would first clone the drive.

          If you want real stats, just install the norton crap on your machine. Measure the time between installing to the time before you throw it through the window because it's just so unstable/slow/obviously infected you can no longer tolerate its existence.

          No security pro would ever suggest Norton. Fraudsters might though.

  8. Anonymous Coward
    Anonymous Coward

    Er, the Browser Cannot Save Us

    There's far more to life than browsers. Software nasties are delivered by many routes that have nothing to do with a browser; CD, USB, file shares, email, the lot. You name it, malware will travel via it. If you're even slightly exposed to those possible routes for infection, you need something to watch your back, even (depending on one's level of paranoia) on Macs.

    OK, so probably not Norton or McAfee, but there's plenty of sane reasonably priced AV software out there that does a reasonable job.

    The browser developers have been as guilty as everyone else in creating vulnerabilities, or placing unwarranted trust in certificate authorities right up until it's way too late. Firefox itself had nightmare memory leaks worthy of legend. Probably still does, and probably will continue to do so until they throw out all their crufty code and do it again properly, and maybe Rust will help them get it right.

    And their absurd passion for one of the worst languages in the world, Javascript, is driving down coding quality so much that there's bound to be severe repercussions somewhere or other.

    1. Charles 9 Silver badge

      Re: Er, the Browser Cannot Save Us

      "And their absurd passion for one of the worst languages in the world, Javascript, is driving down coding quality so much that there's bound to be severe repercussions somewhere or other."

      Except that getting rid of JavaScript would have EVEN MORE SEVERE consequences. As in users would stop using it, because many sites REQUIRE JavaScript, have no alternatives, and The Customer Is Always Right. So what do you do? Open security holes or fade into obscurity? And don't even start with education since the average user isn't capable of learning.

      1. Pascal Monett Silver badge

        Re: "getting rid of JavaScript would have EVEN MORE SEVERE consequences"

        Yeah, all those cool sites would become a lot less cool, all the tracking and data gathering would be drastically reduced, and ads wouldn't be able to infect machines any more

        Can't have that, obviously.

    2. Jack of Shadows Silver badge

      Re: Er, the Browser Cannot Save Us

      Depending on free Anti-Malware is right up there with negative results. I always have site licenses for any security product, of which Anti-Malware is a tiny fraction. For instance toss backup into the toolbox, lots more. If this were easy, anyone could do it. The evidence is that most people can't, including IT people.

    3. Kiwi Silver badge
      Paris Hilton

      Re: Er, the Browser Cannot Save Us

      Firefox itself had nightmare memory leaks worthy of legend. Probably still does,

      Hmm.. 24+29 tabs open (2 windows), most haven't actually been loaded in a while, FF v 50.1.0 on Mint 17/64bit, AdNauseam, NoScript and a couple of other general addons.

      It's only using just shy of a gig of ram. Not so much "memory leak" as "memory hogged beyond belief".

      I still prefer it for some reason. Dunno why. Laziness?

      Her memory could get filled by small amounts of trivial things as well I believe.

      [Edit - hitting submit on this post made FF jump from 937MB to 987MB used - yes, submitting a post to El Reg used an extra 50 megabytes!]

    4. JCitizen
      Big Brother

      Re: Er, the Browser Cannot Save Us

      Before Windows 7 came out, I put Avast on all my clients who could not afford NOD32 but ESET. I never had to hear from them again, although I did start putting subscription based MBAM on clients who may need additional protection because of what they keep on their hard drives, privacy needs, and the banking and shopping habits they require.

      I've NEVER seen a problem with Avast - and if they claimed they did, I always found out it was because of some problem they had BEFORE Avast was put on the machine - usually something not properly updated - or a trashed out registry.

  9. Anonymous Coward
    Anonymous Coward

    From the trenches...

    AV has one major advantage that keeps us installing it, even though we know it greatly increases attack surface and doesn't catch much of what it's supposed to catch. It stops us getting sacked. Imagine a post-incident enquiry by senior management, "so how did this happen? Why didn't the AV catch it? What's that you say -- you're such a brilliant security expert that you uninstalled our antivirus software??" Your feet wouldn't touch the ground.

    On top of that, financial auditors (who often get the job of IT security controls audits as well, GOD knows why as they mostly seem to be children who can just about install an app on their phone but know nothing about IT, let alone infosec) *always* demand / expect AV. These are not people you can reason with; they have their checkboxes and they're damn well going to check 'em. And finally, to the best of my knowledge all security management frameworks like ISO 27001, NIST SP 800/53, IASME, Cyber Essentials, etc etc always demand it.

    It's pure CYA. But you don't last long in this game unless you CYA. We have two main functions in security: (1) as a figleaf to convince auditors, customers, shareholders and the Board that we TSVS (Take Security Very Srsly), and (2) to be sacrificial goats in the event that anything properly bad happens, because who else are you going to blame for a security failure but your security team?

    "...and that's why I drink."

    On reflection, better post this as AC...

    1. Charles 9 Silver badge

      Re: From the trenches...

      "AV has one major advantage that keeps us installing it, even though we know it greatly increases attack surface and doesn't catch much of what it's supposed to catch. It stops us getting sacked. Imagine a post-incident enquiry by senior management, "so how did this happen? Why didn't the AV catch it? What's that you say -- you're such a brilliant security expert that you uninstalled our antivirus software??" Your feet wouldn't touch the ground."

      Until you find out that the AV was the means by which the company got pwned?

      1. stephanh Silver badge

        Re: From the trenches...

        @Charles 9:

        "Until you find out that the AV was the means by which the company got pwned?"

        From an *ss-covering perspective, would that not be optimal? You get somebody else to blame!

        1. Charles 9 Silver badge

          Re: From the trenches...

          No, because YOU then get the blame for choosing such a, pardon my American, stupid moron.

    2. patrickstar

      Re: From the trenches...

      You could probably find some piece of software that could reasonably be called an "AV" but isn't utterly horrible. There are presumably some good HIPS/HIDS solutions for example. Or disable "realtime" protection on the hosts and punt that scanning to the mail server/proxy level (which can be ClamAV or whatever).
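Scanning at the mail server or proxy instead of hooking every endpoint, as patrickstar suggests here (and as his earlier remark about mail being the one delivery route where there is time to catch things implies), can be as simple as a default-deny attachment policy at the gateway. The following is an added example written for this thread, not code from the article or from any commenter: it uses only Python's standard email library, and the message, the allowed extension list and the magic-byte table are all constructed for the demo. A real gateway would hand anything that passes this policy on to ClamAV or whatever scanner it runs; the point here is that the cheap, deterministic checks (is the type even allowed, do the bytes match the claimed type) happen off the client.

```python
"""Default-deny attachment policy of the kind a mail gateway can apply before a
message reaches the endpoint. Added example, not any commenter's code; the policy
tables and the sample message are constructed for this demo."""
import email
from email import policy
from email.message import EmailMessage

# Constructed policy: only these extensions may pass, and only if the bytes
# actually look like that type where a magic prefix is known.
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".png"}
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}
# Content that is quarantined whatever name it arrives under.
FORBIDDEN_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
}


def classify_attachment(filename, data):
    """Return 'allow', or a 'quarantine: ...' reason, for one attachment part."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    # Executable content is rejected first, regardless of extension.
    for magic, what in FORBIDDEN_MAGIC.items():
        if data.startswith(magic):
            return "quarantine: content is %s despite name %r" % (what, filename)
    # Default deny: anything not explicitly allowed is held.
    if ext not in ALLOWED_EXTENSIONS:
        return "quarantine: extension %r not on allowlist" % ext
    # Allowed type, but the bytes must match the type the name claims.
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        return "quarantine: %r does not start with the %s magic" % (filename, ext)
    return "allow"


def scan_message(raw):
    """Parse a raw RFC 5322 message and return {attachment name: verdict}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        fn = part.get_filename() or "(unnamed)"
        verdicts[fn] = classify_attachment(fn, part.get_payload(decode=True))
    return verdicts


def build_sample_message():
    """Constructed 'friendly message' with four attachments of varying honesty."""
    m = EmailMessage()
    m["From"] = "friend@example.invalid"
    m["To"] = "me@example.invalid"
    m["Subject"] = "friendly message"
    m.set_content("see attached")
    # Honest PDF.
    m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                     subtype="pdf", filename="report.pdf")
    # PE bytes with a PDF name: the classic renamed dropper.
    m.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    # Allowed extension but the bytes are not a PNG.
    m.add_attachment(b"not really a png", maintype="image",
                     subtype="png", filename="photo.png")
    # Script type not on the allowlist at all.
    m.add_attachment(b"@echo off\r\nstart evil\r\n", maintype="application",
                     subtype="octet-stream", filename="run.bat")
    return m.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()).items():
        print("%-12s %s" % (name, verdict))
```

The allowlist is deliberately short and the magic table deliberately incomplete: the design choice is that an unknown type is held for a human rather than waved through, which is the default-deny stance several commenters argue for, applied at the one place in the delivery chain where a delay costs nothing.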

    3. tiggity Silver badge

      Re: From the trenches...

      Upvote for the Doug Stanhope reference

  10. Halfmad

    Bodyguard cards

    I remember back in the 90s having little PCI (might have even been ISA?) cards which would effectively protect the active windows partition, reboot the PC - it resets back to how it was. We used them in public library pcs and they were excellent - got a problem? Just reboot the PC - problem solved. You could even format the c drive and still reboot to fix.

    I've no doubt there are/were alternatives but it suited us great, eventually we just removed AV and scheduled the PCs to reboot nightly at closing time + 2 hours.

    1. Kiwi Silver badge

      Re: Bodyguard cards

      Just reboot the PC - problem solved. You could even format the c drive and still reboot to fix.

      Just about any *nix liveCD would do that, just have the CD drive* internal to the machine so no one can change it. With a bit of spare RAM you could even load it into ram pre-boot, so loading eg the web browser from CD doesn't take a decade or so. Or netboot it from an ISO as well, don't even need the spinny bits in the machine. With a properly set up network you could even let your customers use USB/CD etc ports without worry.

      There's ways to do this with Windows XP, Vista and 7 though harder than Linux IIRC, but once it's set up it's done, just back up your server as often as necessary** and you're set.

      *yesyesIknow, usually a DVD these days.

      **Can be once, if the content is unlikely to change significantly, just a simple clone....

      1. Yet Another Anonymous coward Silver badge

        Re: Bodyguard cards

        Have them, they are called chromebooks.

        For extra points get one with an ARM cpu - couldn't run a virus if you wanted them to.

        Running windows on a public web browser terminal securely is like making a fire extinguisher out of magnesium - you COULD do it safely but it's tricky and there are easier ways.

    2. JCitizen
      Childcatcher

      Re: Bodyguard cards

      Drive Vaccine used to be one of those vendors - but now they claim (XP, Vista, Win7), that they can do it better by installing on the hard drive only. I haven't had time to test it yet - but when I was in college DEEP FREEZE, by Faronics, worked just fine - their network was never compromised in the last 20 years I was watching how things were going over there.

  11. RIBrsiq
    Facepalm

    AV isn't perfect. It's supposed to be another layer in your defences, though, and not the only thing keeping the Big Bad World out.

    Arguing that AV should not be used because it doesn't solve all malware issues is like arguing one shouldn't see a doctor until they can cure all illnesses.

    Finally, imagine the PC of your typical user, please. Now ask yourself: would it really be more secure without an AV...?

    1. Charles 9 Silver badge

      Unless the layer becomes a LADDER? As in the AV BECOMES the means by which the malware gets in. Now layers are useless because the malware can use the AV to leapfrog everything.

    2. patrickstar

      A lot of AV would be like seeing a quack that feeds you heavy metals and various toxins followed by a good dose of radiation. Might not kill you 100% of the time - hell, might even cure the occasional disease (see mercury treatment for syphilis) - but certainly not something anyone with a solid medical background would recommend.

  12. inmypjs Silver badge

    "Antivirus is harmful and everyone should uninstall it"

    Maybe someone should have told Intel that before they paid $7.7 billion for McAfee.

    Still could be worse, they seem to have only lost $3.5 billion in 5 years.

  13. Mahhn

    LOL

    All that useless stuff AV does, detecting malware in Email and blocking them, filtering out URLs that are serving malware, providing full disk encryption in case the laptop is stolen, Device control so people don't put infected USB sticks in the work PC, ability to pull vulnerability reports on the software that's out of date (including firefox), white and black listing software, 3rd party license management, advanced firewall rules (better than MS)

    Yeah, all that useless stuff. Maybe if software vendors didn't make exploitable software and people didn't try to steal data, but that's unlikely.

    1. patrickstar

      Re: LOL

      The inability of AVs to actually detect malware is kinda the reason we're having this discussion. That, and the huge attack surfaces they frequently introduce as well as problems they cause.

      URL filtering is included with lots of browsers.

      Full-disk encryption is included with Windows, and I would much rather trust that or Veracrypt than some random AV vendor offering.

      Device control is included with Windows.

      Firefox auto-updates pretty fine on its own. So does the OS and related applications.

      White/blacklisting software is included with Windows.

      License management is best done by something that doesn't have the downsides of AVs.

      Advanced firewall rules - not entirely sure what you want here, but if you are hoping to stop malware from phoning home, I'd be very surprised if any endpoint firewall rule, no matter how advanced, would succeed since essentially all malware simply use the normal web browser for that.

      1. JCitizen
        Holmes

        Re: LOL

        @patrickstar - white listing worked well with Vista, but I can't tell what it is doing on Windows 7 - haven't had a chance to see if Win8 thru Win10 have improved on it, or even implement it.

        So far on my Windows 7 honeypot, I haven't had an infection on a standard user account with white listing enabled though, so maybe it is working. However I always clean with CCleaner in between sessions, just to eliminate old session situations and test the new attacks.

    2. Jack of Shadows Silver badge

      Re: LOL

      Agreed. I practiced, and frequently succeeded, in zero defect, safety-critical software engineering. We still haven't seen NAS North Island blow up in the last 26 years so we got it mostly right. Developers and System Administrators were and remain a bane of my existence.

  14. Kev99 Bronze badge

    I've been running Norton since NU5. There are two reasons I've never had a problem. One, I use this old fashioned software called "my brain". I don't click on every link I see. I don't open emails from people I don't know. And I ignore special offers from web sites I do frequent.

    Second, the few times Norton has gone apoplectic I pay attention and let it whack the "offender". It's easier than reformatting my drive and spending a few days reinstalling Windows.

    1. Kiwi Silver badge
      Trollface

      I've been running Norton since NU5.

      You forgot...

      Third, the computer is so slow and unstable that no malware has a chance to function anyway. One extra CPU instruction and the system falls over.

  15. Dr.Flay

    Seriously ?

    The given reasoning that MS AV must be good is because of the probable good quality of the company as a whole.

    Seriously ?

    No evidence given ?

    Unfortunately some crappy AV and vendors are being used as the gauge to measure against.

    Avira has never given me any problems since swapping to it, and never seems to show in the lists of vendors doing stupid things.

    Microsoft are not virus experts. Just like Symantec they bought into the AV scene and have failed to impress or progress with their AV products.

    Not 1 AV comparison site shows Defender or MSE as being any better than low-average.

    Microsoft themselves have said that their AV should be considered "Baseline".

    The baseline is not the bar you are aiming to climb to, it is the lowest you should ever fall to.

    I often have to repair people's PCs that rely on only MS protection, and know that the AV I then use to fix it, would have protected it if they used it.

    MS AV does not stop people going to bad sites, and does not scan web-page content unless you use MS browsers.

    It does not even have a sandbox like all good AV, so unknown files are still allowed to run

    Yes education is the key, but it is not happening so throw that idea out unless you are actively doing something about it.

    Do you trust your Mum to retain the nerd-info you gave her enough to spot a phishing site ?

    I don't and I am glad my Mum has Avira keeping her virus-free for the past 5 years (and yes I regularly scan with a standalone).

    I am now trialling an AV that also notifies about, and blocks keylogging and webcam activation.

    Which part of MS security does that ?

    People need to stop comparing how geeks protect themselves, to the needs of the majority users who cannot be bothered with white-lists or regular audits.

    They want a MacOS style world where you push a button and it works.

    You can teach them to be secure, but it will not last.

    AV are never going to be the perfect solution, but as the rate of viri and hacks continues to rise, the sheer stupidity of advising people ditch good AV and rely on only "Baseline" is an act of criminal insanity.

    Good tech support means you have tested the options and give evidence based recommendations.

    Just because VW did some stupid things with their tests, does that mean all other car makers are as crap and guilty ?

    Would you recommend people stop using seat-belts in all cars, if only some car makers had faulty seat-belts ?

    1. Naselus

      "Microsoft themselves have said that their AV should be considered "Baseline"."

      Very much this; MS are pretty clear that they aren't an AV company and that their various security products are there as 'better than nothing' only. MSE was actually extremely good when it was first released (so good that some malware families actually checked if MSE was installed and didn't deploy if it was), but everyone (MS included) was amazed by that, and it very, very quickly fell down the rankings.

      It's fairly clear that O'Callahan's objections aren't particularly based on whether the AV stops viruses (because who would measure how good an AV product is based on a silly metric like how many threats it detects and stops), but rather by whether it prevents his own code from doing clever stuff that most programs don't. But that's the entire point of AV software. Sure, that's really annoying for developers, but it's exactly the reason most people are installing AV in the first place.

      Besides, while removing AV might be better for the 7.5% of people who use Firefox, what about the other 92.5% on browsers with a different (and less secure) feature set?

      1. patrickstar

        All AVs have a 0% detection rate for any fresh malware you are gonna encounter. Or what, didn't you think malware authors check their goods against all common AVs? There are even automated cloudy services for this - you submit a file via an API and get back a response.

        The best you can hope for is your particular AV happening to pick up a specific variant in the timeframe before the malware authors have pushed out new files.

        Basically the whole "traditional AV" model was built in the days of viruses spread via floppies and the occasional BBS download. "New strain of malware" meant "one or a few variants", spreading slowly from computer to computer. AVs had time to add detections for it long before it reached a substantial amount of users. And it was all done basically for the hell of it.

        Now malware is a 100% commercial business. You literally have organizations much like companies, with employees doing nothing but developing malware and evading AVs. And their newest variants literally reach the entire world in an instant.

        This evasion, frequently a semi-automatic process, starts as soon as a single AV detects it. Chances are very high that this particular one is not whatever you happen to be running. So in most cases, even _before_ your AV has added a signature it's already obsolete and won't offer any protection.

        As for MSE, it has never had a great total detection rate if you feed it a collection of random malware samples of various ages. However, it's often been the first one to detect something new.

        Several of the commercial AVs have very low detection rates by BOTH these measures - some very close to zero for things plucked from the real world (regardless of their Virus Bulletin AV industry circle-jerk back-scratching scores).
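The mechanism patrickstar describes in this comment and his earlier one (the author re-encodes the file until no scanner matches, so a denylist signature is obsolete before it ships) and the alternative Jack of Shadows argues for near the top of the thread (default deny: only what has been explicitly enrolled may run) can both be shown on a few dozen bytes. The following is an added example written for this thread, not code from the article or from any commenter; the "malware", the benign admin script, the signatures and the allowlist are all constructed, and the one-byte XOR stands in for whatever real packer an author would use. It also includes the false-positive case, since a string-matching denylist fails in both directions.

```python
"""Denylist (signature) scanning versus a default-deny allowlist, on constructed
sample bytes. Added example for this thread; it is not code from the article or
from any commenter, and the 'malware', signatures and allowlist are made up."""
import hashlib

# Constructed stand-in for a malicious binary: a PE-like header and a
# recognisable command line that a scanner would have a pattern for.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 8 + b"cmd.exe /c powershell -enc " + b"A" * 32

# Constructed stand-in for a benign admin script that happens to contain one
# of the same strings (the false-positive case).
BENIGN_SCRIPT = b"@echo off\r\ncmd.exe /c robocopy D:\\data \\\\nas\\backup /MIR\r\n"

# Constructed denylist: name -> byte pattern, the shape of a classic signature.
SIGNATURES = {
    "Trojan.Demo.A": b"powershell -enc",
    "Trojan.Demo.B": b"cmd.exe /c",
}


def scan_signatures(data):
    """Denylist check: names of every signature whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def pack(data, key):
    """One-byte XOR 'packer', standing in for whatever a malware author runs the
    file through until the scanners stop matching. The key is stored as the
    first byte so a loader stub could recover the original."""
    return bytes([key]) + bytes(b ^ key for b in data)


def unpack(blob):
    """Inverse of pack(): recover the original bytes from a packed blob."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed default-deny policy: hashes of the only files allowed to execute.
# Enrolling the admin script is the up-front work default deny costs you.
KNOWN_GOOD = [
    b"editor build 1.0 (constructed)",
    b"browser build 50.1 (constructed)",
    BENIGN_SCRIPT,
]
ALLOWLIST = {sha256(f) for f in KNOWN_GOOD}


def allowlisted(data):
    """Allowlist check: run only if these exact bytes were enrolled beforehand."""
    return sha256(data) in ALLOWLIST


def verdicts(data):
    """What each approach would do with the given bytes."""
    return {
        "denylist_blocks": bool(scan_signatures(data)),
        "default_deny_blocks": not allowlisted(data),
    }


def demo():
    """Original malware, the same malware repacked, and the benign script."""
    variant = pack(SAMPLE_PAYLOAD, 0x5A)
    assert unpack(variant) == SAMPLE_PAYLOAD  # same program once unpacked
    return {
        "original malware": verdicts(SAMPLE_PAYLOAD),
        "repacked malware": verdicts(variant),
        "benign admin script": verdicts(BENIGN_SCRIPT),
    }


if __name__ == "__main__":
    for label, v in demo().items():
        print("%-20s denylist blocks: %-5s  default deny blocks: %s"
              % (label, v["denylist_blocks"], v["default_deny_blocks"]))
```

Read the three rows together: the denylist catches the original, misses the repacked copy of the very same program, and blocks the legitimate backup script; the allowlist gets all three right, but only because someone enrolled the script first. That enrolment step is exactly the friction Kiwi describes with Comodo earlier in the thread, which is why the two approaches end up being argued about as a usability question rather than a detection one.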

      2. patrickstar

        Read what he writes again. This "clever stuff" he's trying to do is using officially supported and fully documented mechanisms in the OS to enhance security. The AV software is breaking his use of these mechanisms because it's buggy, not because it would somehow improve security. I am very sure the reason people are installing AV software isn't so that say a Flash exploit can compromise the entire system (that's what the 'delayed Win32k Flash lockdown' mentioned in the earlier discussion with the Google/Chrome guys essentially means, for example).

        As to the 92.5% of people not using Firefox - all the major browsers are reasonably similar security-wise these days. And AVs are hurting all of them. Note that this is a Firefox developer picking up a discussion from a Chrome developer.

    2. patrickstar

      Guess what the authors of keylogging and webcam spying tools will have them do as soon as that software gets any market share, if they haven't already? Answer: Bypassing it.

      The only way that kind of software can possibly work is if it's not available to the attacker beforehand.

      Besides, neither is much of a concern unless you are expecting targeted attacks. And webcam spying is easy to protect against in a way that can't be bypassed - piece of tape, or a shutter if you need to use it sometimes (Trend Micro actually has branded ones as giveaways - certainly much better and more effective than their AV software)

      And for keylogging, well, you are much better off scrapping passwords for anything important.

    3. Kiwi Silver badge
      Unhappy

      Avira has never given me any problems since swapping to it, and never seems to show in the lists of vendors doing stupid things.

      Avira was my free AV of choice for a long while. Then a known good clean file kept getting flagged as infected by it, and no matter what I did (copy from backup, recompile from source code, tell Avira it was OK over and over, send a copy to Avira along with source code and compiler version so they could check themselves (they never replied or even acknowledged receipt)), it got too annoying trying to run stuff that I knew full well was clean so I swapped out for BitDefender this time round.

      And yes, I know the file is fine. It has been checked against several other competing AV products and some online scanners as well (eg Trend Micro's "housecall"), Avira was the only one that insisted it contained a trojan (generic.win32 or something) and ignored any "this is safe ignore it in future" options. I do still have Avira on a couple of my VM's that don't need this specific file.

    4. JCitizen
      Windows

      Avira??

      Meh! Too slow on the draw - It once let a friend of mine get cracked because it wasn't fast enough, despite the fact that it recognized the batch file as suspicious. I haven't trusted it since.

      Too many reports about false positives too!

  16. steve 124

    Sorry, I have trouble detecting sarcasm...

    Surely the bunch of you jest in your comments. AV is crap? Seriously?

    This single line from the article made me laugh so loudly my staff had to ask what I was reading... "He says Redmond's antivirus is okay since it is built by the company's "generally competent" developers who follow good security practice."

    Microsoft is leading the fight against malware? Really? Cause, I've really never run into any problems surfing the web on my Linux box but every time I've encountered a virus on a box (personally and professionally) it's been because M$ had some broken "feature" that was being exploited (except the java script and flash player induced comas).

    I've been using Webroot for a few years now professionally and at home and I'm not sure if it's being missed in these "evaluations" or not but I haven't had a problem since I installed it. Our last solution at work was McAfee and it was just terrible. I was using ESET and Norton at home but ESET stopped catching stuff late in 2006 and Norton just bloated so badly after 2001 that it was worse than having an actual virus. Maybe you guys are just not looking hard enough for a good AV because aside from WR there's a couple of others taking this cloud definition / heuristic behavioral approach and it's pretty spot on. From what I can tell, new variants hit a few users when they come out but then they are identified, hashed and added to the global definitions so the rest of us are immune.

    I know this guy worked for Mozilla for quite some time, but I doubt from this article how much of an expert in security a/v he is. I know the catch 22 here is that anyone who IS an expert in A/V typically works for an A/V company and so you can't trust their opinion as to whether it's rubbish or not, but my experience does not jive with what this guy is selling (or at least not buying).

    I think recommending anyone turn off or disable A/V is a really bad idea and a little irresponsible of whoever is saying that.

    Just my 2 cents.

    1. Jack of Shadows Silver badge

      Re: Sorry, I have trouble detecting sarcasm...

      My problem is that he, and other practitioners, are the very developers that create the problem in the first place. Not a one seems to use, or even be aware of, formal verification, proper software engineering principles or even the canons of computer science. Repeat after me, Developers. Test driven development is about the best that they can manage in that direction.

      DevOps, something I started doing back in 1982 when I not only worked on machines at work but was handed a whole one of my own to use. Yeah, it can help but turd-polishing gets you only so far. You generally get your own nuclear reactor to learn on. I had one of those in 1979.

      Perfect end to a bad week. [Fuck Drumpf]

  17. Galto

    Network AdBlock for the Win

    I would not advocate using Windows Defender as primary protection as I have had many issues with it. Most annoying were the numerous false positives and updates resetting the white/black listing of directories/executables. I have even had Defender remove a python script I wrote to ensure that security settings had not been tampered with. Coupled with very poor logging, Defender cost me many hours of troubleshooting before I fired it into the bit bucket.

    Our family manufacturing business computers have for years run Firefox and Adblock Plus with very good results. One of the few shortcomings has been the fact that it doesn't work on IE/Edge. Historically, many of the Canadian Federal Government websites required IE. No IE - no export declaration forms - no other options. This caused other problems; every once in a while I would be asked why <insert web page here> suddenly had so many annoying ads. The user had gone to a site using IE.

    As our business is home based, I have a mixed network of virtualized Ubuntu servers, Win10 workstations, Win7 CNC mill/lathe controllers, Ubuntu kodi boxen and personal Win10 desktops, laptops and Android tablets to manage.

    My frustration particularly with the Android ad-machines was to the point that I was ready to pitch them into the void for bombarding my children with inappropriate ads.

    So I did some research and found this...

    https://gist.github.com/teffalump/7227752

    This enables the Adblock Plus database on the router. It has white/black listing options, serves authoritative internal and caching external DNS queries and is self-updating. Since I was already using OpenWRT on my routers and access points, this seemed like the logical choice.

    This setup (nearly) completely eliminated ads on all platforms. Ads on mobes disappeared from all apps except Youtube video ads, which, while annoying, are at least not seriously dangerous. Recently, this system started blocking Youtube ads too. Nice!

    While we don't travel a huge amount, it does happen, so I set up a VPN on the laptops so they have access to docs etc. but, more importantly, they use the OpenWRT router for DNS queries. This eliminated the largest attack vector on our systems. While I do still use anti-virus and NoScript with Firefox on the Windows computers, after several years we have not had a single instance of malware detected by the anti-virus software.

    Virus protection is IMHO not a viable security tactic on its own. For me, the removal of the attack vector BEFORE the end-user is far, far more effective.

    While not perfect, this free and open source solution has done a highly effective job at not only preventing attacks but also reducing our bandwidth by approximately 40% and increasing our privacy as well.
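    The core of the router-side approach described above is turning a hosts-format blocklist into dnsmasq sinkhole rules while honouring an operator's own whitelist and blacklist. The script below is an added example, not the linked gist or OpenWrt's own code: the hosts text, whitelist and blacklist are constructed inline so it runs offline, and the output path `/etc/dnsmasq.d/adblock.conf` mentioned in the docstring is an assumption about where a deployment would write the result.

```python
"""Build a dnsmasq sinkhole config from hosts-style blocklists.

Added example, not the gist linked in the post or OpenWrt's own code.
The hosts data, whitelist and blacklist are constructed inline so the
script runs offline; a real deployment would fetch the lists and write
the output to a dnsmasq conf-dir file (e.g. /etc/dnsmasq.d/adblock.conf,
an assumed path).
"""
import re

# Constructed sample of a hosts-format blocklist: "<ip> <hostname> [alias ...]".
SAMPLE_HOSTS = """\
# Constructed sample, not a real list
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 cdn.example.com
0.0.0.0 ADS.EXAMPLE.NET
::1 ip6-localhost
0.0.0.0 bad host name
"""

# Names the operator never wants sinkholed (e.g. a site the block breaks).
WHITELIST = {"cdn.example.com"}
# Names the operator wants sinkholed even if no list carries them.
BLACKLIST = {"extra-ads.example.net"}

# Loopback/local entries every hosts file carries; never sinkhole these.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "local", "broadcasthost"}

# Syntactically valid DNS name with at least one dot (single labels are noise).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def parse_hosts(text):
    """Return the set of hostnames in hosts-format text, skipping comments,
    loopback entries and malformed names. Names are lower-cased so the same
    host spelled in different cases collapses to one rule."""
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:               # field 0 is the address
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            found.add(name)
    return found


def build_blocklist(sources, whitelist, blacklist):
    """Merge all sources, add the blacklist, then remove the whitelist.
    The whitelist is applied last so a deliberate exception is never undone
    by a list update that re-adds the name."""
    names = set()
    for text in sources:
        names |= parse_hosts(text)
    names |= {n.lower() for n in blacklist}
    names -= {n.lower() for n in whitelist}
    return sorted(names)


def render_dnsmasq(names, sink="0.0.0.0"):
    """dnsmasq 'address=/name/ip' lines: a query for the name (or any
    subdomain of it) is answered with the sinkhole address instead of
    being forwarded upstream."""
    return "".join(f"address=/{n}/{sink}\n" for n in names)


if __name__ == "__main__":
    blocked = build_blocklist([SAMPLE_HOSTS], WHITELIST, BLACKLIST)
    print(render_dnsmasq(blocked), end="")
```

    Using `0.0.0.0` as the sink (rather than `127.0.0.1`) avoids the client connecting to any local listener; the whitelist-last ordering is the detail that keeps a hand-made exception from silently disappearing on the next self-update.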

    1. JCitizen
      Go

      Re: Network AdBlock for the Win

      Also, not long ago I was using an extension that made my Firefox browser appear as Internet Explorer - so if you really need to use Firefox but the web site is being picky, that usually works very well.

      1. Captain Badmouth
        Unhappy

        Re: Network AdBlock for the Win

        Browser spoofing was out of the box on Opera 12 - and previous versions. Sadly missed.

  18. Andrew Jones 2

    I have to agree with what a lot of posters here have pointed out - users with AV installed tend to believe that because they are "protected" they can click on what they want and visit the most dodgy sites and they are protected so everything will be fine. Every single computer I have had to repair over the years has always had some type of AV product installed - sometimes up-to-date and sometimes not. I've even had a computer that was fully up-to-date, had up-to-date AV installed (Norton if I recall), but had been infected with something which had obliterated system restore, the admin account, the ability to create new user accounts and most of control panel. Regedit and MSConfig wouldn't run and while web browsing was possible, any attempt to download something like Stinger would get to around 60% and then fail with "connection reset by peer" - in the end - while it would have been possible to clear the computer of whatever was infecting it, a reformat and re-install was a much preferred option.

    I'm often asked "what AV do you use?" to which I respond, I don't - I just make sure I don't visit any dodgy sites and I don't open every email attachment that is sent to me.

    From a psychological point of view - a study was done a long time ago that showed that while you would expect that Motorcycle users would suffer from more accidents than car drivers - the reverse was actually true because motorcycle users know they don't have a massive box around them protecting them - so they don't take risks that car drivers take - even though consciously neither type of driver was necessarily aware of the reasons one type of driver might take a risk that another would not. I feel that non technical users who believe they are completely protected from everything behave in the same way.

    We saw first hand at college in the days of Win32.CIH how damaging AV was when Dr Solomon, which was installed across the entire network, encountered a problem where the virus copied itself to the C: drive because for some reason we were allowed to write to the C: drive, but not delete or modify existing files. Dr Solomon was unable to remove the virus from the C: drive and crashed; in less than 2 hours, every computer at Bishop Auckland College had a BSOD.

    If I need to download something I am unsure of - I do it in a VM and if I absolutely need to do a virus scan, I tend to use ClamAV (in the VM) because I trust the community to do a better job than any individual company will.

    1. Charles 9 Silver badge

      "I'm often asked "what AV do you use?" to which I respond, I don't - I just make sure I don't visit any dodgy sites and I don't open every email attachment that is sent to me."

      What about drive-by attacks, which embed into mainstream sites and can usually penetrate blockers?

  19. jason 7

    What do I use?

    For Windows -

    Defender

    EMET 5.5

    Unchecky

    Local User Account

    Common Sense

    For Browsing -

    NoScript

    Ad Blocker

    Privacy Badger/Disconnect

    I too always take AV as the very last line of defence against the stuff I can't see till it's too late. Luckily instances have been next to nil.

    In fact recently most people that have called me up with virus issues have been caught out with the support call from India. I mean really? In 2017 people are still dumb enough to be caught out by that one. The beauty of this route is that the user virtually physically bends over and says "take me big boy!" with full consent. No malware required. People just don't want to learn. I have tried so many times to impart some Internet safety tips from my 25 years on the web but the lazy bastards just roll or glaze their eyes over within 3 seconds.

    Ah well...constant income for me I guess.

    1. jason 7

      Re: What do I use?

      Oh yes also forgot to mention I also use FoolishIT's Cryptoprevent.

      However, what was a simple product to license and rollout has suddenly become far more complicated and convoluted.

      I hate it when products do that. May be looking for an alternative.

      1. JCitizen
        Alert

        Re: What do I use?

        @jason 7 - I haven't noticed any problem with Cryptoprevent so far. I downloaded it for free and manually update it once in a while - what is not to like?

        1. jason 7

          Re: What do I use?

          No, the usage of it is fine. It's the licensing and bulk deployment that's got rather difficult.

          For the single user it's fine.

          1. JCitizen
            Coat

            Re: What do I use?

            @jason 7 - well that probably shoots down MBAM and Avast too - as I'm not sure what Avast's bulk rules are. Both of them have ransomware protections now. I suppose you could always write a script to deploy your own cryptoprevent, as the free one from Foolish IT is simply the same thing setting up MMC Administrative action to keep the cryptolocker variants from running, by using permissions and good ol' MSCE methods on servers and active directory. It would probably contain about 100 modifications through the MMC though. I bet searching online would find a forum somewhere showing how to DIY.

            Bleeping Computer may even have such posts somewhere there - that is where Foolish IT's download was first featured. It is really stupid that MS doesn't offer it as a snap-in (or maybe they do - I haven't checked).

  20. Andrew Dancy

    Don't tar all AV with the same brush

    I tend to agree with O'Callahan to some extent - when it comes to traditional AV. That's increasingly redundant as it won't easily detect new threats until updated, can be exploited, is often bloated, etc.

    However, in the last few years there have been some interesting next-gen AV products appearing which do seem to still have a place in our battery of security measures. Products like Webroot and Cylance (I'm sure there are others but these are the two I've heard of) which don't just do the traditional scanning of files but also monitor system behaviour. For example, if a process suddenly starts writing to lots of different files one after the other, they'll alert to say this might be ransomware encrypting all your files. From that point they'll also log rollback data so that when you say "oh s**t it is ransomware!" they can undo all the changes made by that process, block it and automatically fire a report off to the mothership for analysis.

    As has been said above it's all about layers - AV is one part of a solution amongst software restriction policies, firewalls, user education and a large pointy stick.

    1. Charles 9 Silver badge

      Re: Don't tar all AV with the same brush

      " For example if a process suddenly starts writing to lots of different files one after the other, they'll alert to say this might be ransomware encrypting all your files."

      What about slow encrypters which try to fly under your threshold or malware that directly targets and tries to pwn your AV?

      1. Andrew Dancy

        Re: Don't tar all AV with the same brush

        Fair point, but it's all about making life difficult for the attacker and protecting against 99% of threats. Let's face it - we'll never get 100% perfection but in most cases we don't need that.

        1. Charles 9 Silver badge

          Re: Don't tar all AV with the same brush

          Yes you do, because THEY only have to be lucky ONCE, and with so many of them beating at the gates SOMEONE's bound to think outside the box. Plus for them, making things difficult = challenge (meaning you egg them on).
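    The behavioural rule Andrew Dancy describes ("one process writing to lots of different files one after the other") and the slow-encrypter gap Charles 9 raises both come down to a rate threshold over a sliding window. The detector below is an added example, not Webroot's, Cylance's or any vendor's code: it consumes constructed write events of the form (timestamp, pid, path), alerts when a process touches more than a set number of distinct files inside the window, and shows that a writer pacing itself under that rate is only caught by an additional lifetime count (the `max_total` parameter, an assumption of this example), which in turn is the kind of threshold a legitimate bulk tool can also trip.

```python
"""Sliding-window 'many distinct files rewritten by one process' detector.

Added example, not any vendor's product code. Events are constructed
inline as (timestamp_seconds, pid, path). The thresholds are assumptions
chosen to make the behaviour visible on the sample traces.
"""
from collections import defaultdict, deque

WINDOW = 10.0     # seconds of history kept per process
MAX_FILES = 20    # distinct files modified within WINDOW before alerting


class BurstDetector:
    def __init__(self, window=WINDOW, max_files=MAX_FILES, max_total=None):
        self.window = window
        self.max_files = max_files
        self.max_total = max_total          # optional lifetime distinct-file cap
        self._hist = defaultdict(deque)     # pid -> deque of (ts, path), oldest first
        self._seen = defaultdict(set)       # pid -> every path ever modified
        self.alerted = set()

    def observe(self, ts, pid, path):
        """Feed one write event. Returns True the first time pid crosses either
        threshold; later events for an already-alerted pid return False."""
        q = self._hist[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        self._seen[pid].add(path)
        in_window = len({p for _, p in q})
        burst = in_window > self.max_files
        lifetime = self.max_total is not None and len(self._seen[pid]) > self.max_total
        if (burst or lifetime) and pid not in self.alerted:
            self.alerted.add(pid)
            return True
        return False


def run(events, **kw):
    """Return the sorted list of pids that produced an alert for a trace."""
    det = BurstDetector(**kw)
    return sorted({pid for ts, pid, path in events if det.observe(ts, pid, path)})


# Constructed traces (paths and pids are made up).
def burst_trace(pid=4242, n=50, gap=0.05):
    """50 distinct documents rewritten in 2.5 s: the pattern the post describes."""
    return [(i * gap, pid, f"C:/Users/nana/Documents/file{i}.docx") for i in range(n)]


def slow_trace(pid=4343, n=50, gap=30.0):
    """Same 50 files, one every 30 s: never more than one distinct file
    inside any 10 s window, so the rate rule alone never fires."""
    return [(i * gap, pid, f"C:/Users/nana/Documents/file{i}.docx") for i in range(n)]


def editor_trace(pid=1111):
    """Benign: an editor autosaving the same file is one distinct path."""
    return [(i * 0.5, pid, "C:/Users/nana/Documents/notes.txt") for i in range(100)]


if __name__ == "__main__":
    print("burst:", run(burst_trace()))                 # [4242]
    print("slow, rate rule only:", run(slow_trace()))   # []  (the gap in the thread)
    print("slow, lifetime cap 40:", run(slow_trace(), max_total=40))  # [4343]
    print("editor:", run(editor_trace()))               # []
```

    The lifetime cap closes the slow-writer gap only by accepting that a backup job or a mass rename will also cross it, which is why products pair the count with rollback data rather than blocking outright on the first hit.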

  21. Ian Emery Silver badge

    PMSL

    "Experts" spouting "you don't need AV if you don't visit dodgy sites"

    What, you mean like the BBC, who had a malware injection on one of their pages two years ago, or my local county council, whose Child Services pages were infected for 18 months??

    How about Github?? Ubuntu?? Both have been victims of tainted download files replacing the genuine versions.

    When I started reading this I stopped at the line stating MSE was the best and checked the date; nope, not April 1st, so WTF??? Has Trump's pet technology guy taken over El Reg??

  22. bombastic bob Silver badge
    Terminator

    Practice "Safe Surfing"

    with the obvious STD prevention parallel, there's what I like to call "Safe Surfing" on 'teh intarwebs'.

    0. When doing ANYTHING "intarweb related" (this includes e-mail), ONLY log in with 'guest' level credentials. This means you will probably need to have a separate 'administrator' login for fixing things and doing updates. Big whoop, just do it.

    1. Don't use Internet Explorer. EVAR. That includes 'Edge'.

    2. Make sure you disable scripting by default. A plugin like 'NoScript' makes this easier.

    3. If practical, delete cookies and cache on exit.

    4. Unless you have some "compelling reason" not to, use a NON-WINDOWS OPERATING SYSTEM for web-related things.

    5. _ONLY_ view e-mail in PLAIN TEXT, and without "embedded attachments". Attachments should be opened ONLY by specifying "open with" or saving first, then opening directly with an application.

    6. Do _NOT_ examine office documents with a MICROSOFT PRODUCT

    7. Do _NOT_ view PDF files with Adobe's PDF reader!

    8. If you _MUST_ use 'Virus Outbreak' (aka MS Outlook) for e-mail, _NEVER_ 'preview' ANY kind of document or attachment in a preview window.

    9. _NEVER_ click on a link in an e-mail, _ESPECIALLY_ if you are viewing it in HTML [chances are a spam mail will direct you to a phishing site by faking the link info, but viewing as plain text reveals this with no ambiguity]

    1. Anonymous Coward
      Anonymous Coward

      Re: Practice "Safe Surfing"

      Oh?

      0 - Say hello to Privilege Escalation. Now it doesn't matter what level of access you grant. To them it's the proverbial foot in the door.

      1 - You know they target all the other browsers, too? Plus what if your site REQUIRES IE or it breaks? And no, there's no budget to replace it.

      2 - And if your corporate site REQUIRES scripting?

      3 - Not practical because of how irksome it is to re-enter credentials every single f-ing time. Some of us have bad memories.

      4. Hello, IE-REQUIRED websites. See #2.

      5. And if the e-mail is HTML-ONLY, has embedded graphics (because they're worth 1000 words, remember), and the sender is not allowed or incapable of re-sending?

      6. Sometimes, a Microsoft product is the ONLY way to see it properly.

      7. Same here.

      8. Then they just nail you when you open the e-mail. Not the attachment, the e-mail.

      9. Then they'll find a way to click it for you.

      And let's not forget #10. You can't fix Stupid. And you can't fire Stupid if he's ABOVE you.

    2. patrickstar

      Re: Practice "Safe Surfing"

      "Avoid Internet Explorer" was relevant advice in like 2004. Not so anymore.

      It's not even the most common browser anymore i.e. not the most likely target for mass distributed malware stuff. You are probably more likely to be popped if you are surfing around with an outdated Chrome or FF these days.

      Whatever you use, keep it up to date. This won't save you from 0days and/or a highly determined/well financed attacker but neither will any other advice that fits into a Reg comment.

      I would recommend using an uncommon OS though, so keeping a Linux desktop or VM around for doing dangerous stuff (which apparently 'random web surfing' counts as these days... sigh) is a good idea. Not because it would automatically be inherently more secure - it isn't - just that it's a less likely target.

      Same goes for using uncommon software to read DOC/PDF/etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: Practice "Safe Surfing"

        "I would recommend using an uncommon OS though, so keeping a Linux desktop or VM around for doing dangerous stuff (which apparently 'random web surfing' counts as these days... sigh) is a good idea. Not because it would automatically be inherently more secure - it isn't - just that it's a less likely target."

        Until they develop a Red Pill (Hypervisor Attack). They broke out of sandboxes, after all.

        "Same goes for using uncommon software to read DOC/PDF/etc."

        Until they find ways to target ALL of them at once. If they can get most of the browsers in one go, why not the readers?

        1. patrickstar

          Re: Practice "Safe Surfing"

          This is advice geared towards people subject to non-targeted attacks - you simply aren't gonna find a hypervisor breakout in one of those. They definitely exist but the value is too high to waste on mass attacking random people.

          And while there definitely are mass attacks against less common software, the primary targets tend to be the most common stuff.

  23. bobajob12
    Thumb Up

    AV is doomed to failure

    An AV package needs to scan, in real time, every input source of the computer - network, USB ports, floppy disks (for your nana in Iowa) etc. No AV package can do this without materially affecting the performance of said computer. Doesn't matter whose it is. Sure you can pull tricks like heuristic scanning but that's really a bandaid - a heuristic is basically an intelligent guess based on experience that allows the package to shortcut the full scan function. So not perfect, and never will be.

    Compounding the problem is that most AV packages are aggressively horrible: buggy, difficult to manage, and reeking of money-grubbing (I find AVs' prompts to try/buy and their ordering systems bizarrely mirror the look and feel of the very kind of dodgy malware they purport to defend against - almost like they were written by the same people). I would rather have imperfect Windows Defender baked into the OS than some sh**ware from Symantec. It occurs to me that with MSFT's penchant for data collection they are also in a position to start doing behavioral analysis on network connections too, like CC companies do. If my nana's PC in Iowa suddenly starts making TCP connections to a server in a faroff country, wouldn't that strike you as a little odd?

    1. Charles 9 Silver badge

      Re: AV is doomed to failure

      " If my nana's PC in Iowa suddenly starts making TCP connections to a server in a faroff country, wouldn't that strike you as a little odd?"

      Given how interconnected the Web can be, not necessarily.

  24. Zmodem

    Hacked together hooks is how most trojans work; a good coder would stick to the manual and the hook wouldn't be taken as a virus.

Biting the hand that feeds IT © 1998–2019