I was just reading some Tweets and an associated Hackernews thread and it reminded me that, now that I’ve left Mozilla for a while, it’s safe for me to say: antivirus software vendors are terrible; don’t buy antivirus software, and uninstall it if you already have it (except, on Windows, for Microsoft’s).
I’ve been saying the same thing here on OSNews for a decade now: antivirus software makers are terrible companies. Don’t buy their crappy software only to let it infect your machine like a virus that slowly hollows out and kills your computer.
Stick to Windows’ built-in Microsoft tool.
The day that Windows Defender rises up from the bottom of the AV-Test and AV-Comparatives lists, I’ll give it another try. As things stand at the moment, Defender slows my systems down. Bitdefender Free, Panda Free, and the ad-laden 360 Total Security with Avira and Bitdefender engines added in, all let the machines that I service run better. Maybe with the next feature update to Windows 10, Defender will run better than the competition. Time will tell.
I don’t think I would like to trust Windows Defender and some AVs are arguably worse than having a virus. However, I do remember being quite impressed with ESET NOD32, which succeeded where Avast failed. I would use NOD32 again.
I’ve not used an AV for a while, I haven’t used Windows for a while. For the Windows users, in your opinion, which is the best least obnoxious AV?
Gone fishing,
I was using Avast for years, but it kept getting worse and that forced me to look around for an alternative. I settled on Comodo based on the “least bad” principle and the ability to disable the unwanted features. Crucially, it never interrupts me or other users with undesired notifications, whereas Avast had become daily nagware to install features and products we don’t want. A glaring omission compared to other products is that when Comodo detects an infected file, it doesn’t provide links to information, which forces me to look it up manually. Not a glowing endorsement, but it is what it is.
The free Microsoft antivirus only? That must be some really good weed over there.
If you’re going to introduce a new executable to your machine, just run it through virustotal.com first. No need to have an AV program running in the background. If anything, use Malwarebytes, and ad/flash block on your browser. Maybe Noscript if you’re extra paranoid.
Obviously, this advice is probably not workable in an enterprise situation. But at home, as long as you keep your machines up to date and aren’t an idiot in regard to what you install, you should be fine.
Edited 2017-01-27 00:26 UTC
My company did a proof-of-concept on several enterprise-class IDS/IPS appliances several years ago and I’m pretty sure the one from BlueCoat was using VirusTotal for secondary analysis.
A while back I got called in to deal with an infected website that was triggering warnings from popular anti-virus software. After looking around a bit I concluded there was no virus on the web server. But the company had been getting dozens of complaints from visitors.
So we found out which anti-virus it was and confirmed it was reporting the site as infected, but not giving a reason. We eventually got ahold of someone at the AV company and asked for an explanation. They claimed the website was hosted on a network that was “known” to be notorious because it was free and hackers frequently used it.
There were two problems with that: the company I worked for was paying for their website and it was hosted by a different provider. The AV company was wrong on both accounts, but refused to listen to our objections.
I ended up playing with the DNS settings to make it “look” like the web server had been moved to a different network, and told the AV company the issue was fixed. They confirmed it and took the website off their black list.
Sadly, this was one of the best experiences I have ever had with anti-virus software and the people who make it. The “cure” is definitely worse than the disease.
jessesmith,
Yikes, and to think they don’t know someone else’s software is interfering until customers call to complain. I hate where the industry has gone, it would be nice if AV software stuck to the essentials and stopped the mission creep. They need to work together to improve coverage and accuracy, not going to happen though…
I’ve experienced similar scenarios with email blacklisting, what a mess that is. It’s not unusual for blacklisting to punish the wrong parties. False positives and false negatives remain problematic.
Hi,
As far as I’m concerned, AV is mostly attempting to cure the symptoms (and making it easier to avoid fixing the root cause, and making everything worse in the long term).
For Microsoft’s AV, at least there’s a theoretical possibility that maybe someone at Microsoft might tell someone else at Microsoft to fix a gaping security hole properly (instead of hacking/patching around it).
– Brendan
Brendan,
Yeah, the underlying exploits need to be closed. Still, AV can be useful if a security vulnerability only gets fixed after a successful exploit has taken place or a family user accepts an unsafe prompt. A system could remain compromised for years without the knowledge of the owner. This is the main reason I recommend users have some kind of AV in place. I still criticize AV vendors for features that go overboard though.
For corporate networks where files are routinely shared, I think it makes sense to have AV. We don’t want file/email servers to be a distribution vector for malware even if it remains dormant on the server. The risky behavior of one employee can affect everyone else. The financial consequences of not catching malware on corporate networks can be catastrophic.
So even though I understand the opposing points of view, nobody should claim AV scanners are completely without merit. They do serve legitimate purposes, the problem is bad implementations.
Edited 2017-01-27 15:16 UTC
Damned right about that. Dealing with a situation now involving that very thing, and the blacklist is at the ISP level! Ouch! Still trying to get information out of the ISP in question.
darknexus,
Many of them are good & honest, the reputable blacklists will work with you to resolve the problem. They recognize the fact that their blacklists can/do affect legitimate traffic. And sometimes you are an innocent victim too. The best ones respond to problems quickly and even offer a feedback loop like spamcop/aol.
However, the bad ones will waste many hours, offer no resolutions and don’t even care that they’re blacklisting legitimate senders. The worst ones extort innocent senders by demanding fees to unlist your server.
Linux Magic / mipspace.com is one of the bad ones we’ve had the misfortune of dealing with:
http://www.pdxtc.com/wpblog/spam-prevention/email-fascism-by-linux-…
If you haven’t already, I highly recommend you look up your own IPs using an aggregation blacklist lookup service:
http://mxtoolbox.com/blacklists.aspx
For us, this often reveals a problem even when the recipient’s ISP/administrators aren’t quick to cooperate. There’s a good possibility they’re blocking emails because of the 3rd party blacklist.
It’s frustrating that there are victims in the fight against spam. I certainly understand why companies outsource to Google’s and Microsoft’s cloud email services to eliminate these headaches, but even those aren’t 100% reliable. Part of it has to do with user error, like hitting “spam” for something they explicitly subscribed to but no longer want to receive. Email is one of our oldest protocols still in widespread use today, but sometimes I wish we could clear the board and design new standard protocols to fix all these issues that have been plaguing us for so many years.
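The kind of lookup an aggregation blacklist service performs for each list, as an added example that is not part of this thread: the IPv4 address is reversed octet by octet and queried as an A record under the list's zone, and an answer in 127.0.0.0/8 means "listed". The zone names and the offline resolver fixture are constructed assumptions, not real lists; swap in `system_resolver` and a list's published zone to check a real address.

```python
"""DNSBL self-check for a mail server's IPs (added example, not from the thread)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a query name to its A-record answers, or [] when NXDOMAIN.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets under the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_listed(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.x.y.z return code if `ip` is listed in `zone`, else None."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        # DNSBL listings answer inside 127.0.0.0/8; the last octet encodes the
        # reason per list. Anything outside that range is not a listing.
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            return answer
    return None


def check_all(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, str]:
    """Check one IP against several lists; map zone -> return code for each hit."""
    hits: Dict[str, str] = {}
    for zone in zones:
        code = check_listed(ip, zone, resolve)
        if code is not None:
            hits[zone] = code
    return hits


def system_resolver(name: str) -> List[str]:
    """Live resolver via the OS stub resolver (needs network access)."""
    try:
        results = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({r[4][0] for r in results})
    except socket.gaierror:
        return []  # NXDOMAIN or lookup failure: treated as "not listed"


# Constructed offline fixture standing in for real DNS answers.
FAKE_ZONE_DATA = {
    "4.3.2.1.bl.example.net": ["127.0.0.2"],    # constructed "spam source" code
    "4.3.2.1.dul.example.net": ["127.0.0.10"],  # constructed "dynamic range" code
}


def fake_resolver(name: str) -> List[str]:
    """Offline resolver backed by the constructed fixture above."""
    return FAKE_ZONE_DATA.get(name, [])


# Hypothetical list zones; real deployments use the lists' published zones.
ZONES = ["bl.example.net", "dul.example.net", "clean.example.net"]

if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8"):
        print(ip, check_all(ip, ZONES, fake_resolver) or "not listed")
```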
because I have YET to see MSE actually stop anything! I tested it at the shop just the other day to see if it had gotten any better, it happily kept its mouth shut as the browser was locked by a malware vendor shoving BHOs into the browser, didn’t say squat when I installed adware and spyware infected programs (I planned on wiping the system anyway and it didn’t have any data on it so I just grabbed every nasty I could find and let them loose) in fact it never once said boo!
If you want an AV that actually works? Get Comodo IS or Avast Home Free, both actually stop malware and neither costs a cent, in fact Comodo IS is free for both home AND business use. But MSE? Yeah, it’s a bad joke.
Funny thing is… at some point in the past Microsoft actually made it decent. But like all things Microsoft, they figured they had started to beat out some competition, then let it stagnate, so it was crap again in less than a year, because the virus industry moves way too fast for the glacial giant. Besides, MS must figure that they may as well share some of your data they are pilfering from Windows 10 anyhow, right?
Comodo: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=comodo&…
Avast: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=avast&c…
Just look at the category of (security) issues they introduce and then consider what you are getting into when installing those products…
Update: I’d rather gamble with Microsoft Defender, (automatically) installing updates for all software and educate the users any day.
Edited 2017-01-27 15:12 UTC
Then why bother with an AV at all? As I already said MSE does not stop anything but the most trivial of bugs so you might as well just take your chances.
Look at any listing of security products, MSFT product ranks dead last, last time I checked the ONLY thing that ranked worse than MSFT was that fake AV from the company that bought the corpse of Spybot.
I have been building and selling PCs since William Shatner had his TJ Hooker hair and in the 3 years I’ve been using Avast and Comodo IS as my “go to” AVs for new builds? Not had a single one come back for bugs, not one. In fact the only time I had a PC returned that had either installed was when a customer purposely uninstalled the AV because he wanted to install a piece of malware (a trojan dropper labeled Limewire half a decade after the FBI shut down the real Limewire) and the AV refused to allow him to install it so he removed the AV.
By your logic I guess I should have installed MSE for him, it would happily let him dump all the trojans and malware he wanted, not a single peep out of the “AV” would be heard.
I have used Avast free anti virus since my Windows 98 days without any problems. It’s caught quite a few bogies over the years and bailed me out the shit more than once!
I did try once on a new installation of Windows 7 x64 to stick with Windows Defender and Microsoft Security Essentials, it lasted three days before I had to wipe and re-image the drive.
Complete and utter shite is a massive understatement for those totally inept pieces of crap!
They don’t do anything! They only exist so Microsoft’s name is included in that line of software.
Total nonsense!
I started using Avast when it was one of the few that supported Win2k x64. I stopped using it because it started to pester me into buying more of their products, even after buying the AV suite.
It’s very obvious you have no clue how to use a computer. I did not use any antivirus at all for the past 10 years, and just occasionally run full system scan using either ESET Online Scanner or by installing some popular AV, performing full scan, and uninstalling. Guess what? Never found any viruses on my system, never had any virus-related issues. In short: if you’re a moron, don’t blame software for your problems.
Sadly, even with knowledge and adblockers, you can’t defend from 0-day attacks being used online. And most people don’t even want to learn how to use the computer, so antivirus programs that block shady websites are far better for them because they are foolish enough to install the crypto locker software, or call the phone number and let someone in India sell them things they don’t need.
I use F-Prot from Frisk software, which is now part of Cyren. They have a reasonable 5-computer license at a decent price and I haven’t found it to be intrusive or a performance hog. YMMV.
I’m pretty sure this recommendation is an oxymoron…
The solution is to install an Operating System that doesn’t have numerous remote exploits, keep it up to date, install a browser with adblock… beyond that just don’t get phished.
I don’t think I’ve had a computer virus since the last time I was on dialup in the mid-late 2000’s.
Edited 2017-01-28 02:57 UTC
cb88,
Except all operating systems have zero-day exploits, and it’s not always the user’s fault. As the Pwn2Own contest and Google’s Project Zero prove, some of them are even open for years. Linux isn’t an exception and nor is legitimate commercial software:
http://www.networkworld.com/article/3162012/security/cisco-starts-p…
Running open source software such as osCommerce, phpMyAdmin or WordPress on a webserver that is otherwise secure can open up vulnerabilities. I’ve experienced exploitation from all three of those vectors. It can take hours to clean this up on customer VM instances that I oversee, to the point where it’s often easier to reinstall everything and hope that the exploits have been fixed, but you never know, and without any kind of scanner the danger is that activity can continue for a long time without anybody knowing it.
Many people unwittingly participated in the recent DNS attacks through Linux webcams and DVRs.
https://www.hackread.com/linux-mirai-trojan-a-ddos-nightmare/
One could take the attitude that userspace exploits don’t count against “Linux” (a distinction without a difference for afflicted users), but even so the Linux kernel proper has also had critical exploits over time and nobody can say for sure their system doesn’t have one right now.
http://thehackernews.com/2016/12/linux-kernel-local-root-exploit.ht…
Here are the steps I feel would make a real improvement:
1. Switching to safer languages for systems programming.
2. Demand unlocked firmwares such that users can continue to update devices indefinitely even when the manufacturer ceases to.
3. Establish an open/public database of known malware to detect/track successful exploits in real time and develop standard tools/protocols for owners to monitor 100% of their devices and optionally give developers a feedback loop.
I think these changes would be great across devices, operating systems, software. And they’re all realistic goals technically, but it poses political challenges because vendors usually aren’t willing to work together in a community. In the worst cases some will see end-of-life vulnerabilities as good for sales when users can’t fix them, causing deliberate obsolescence.
We can keep blaming the ‘other’ operating systems and users as an easy target, but it doesn’t help resolve the deeper security issues for our industry IMHO and if we don’t do anything to address it, then it will continue.
Edited 2017-01-28 06:15 UTC
Sigh…”How to write a Linux virus in 5 easy steps” and it doesn’t even use any of the zero days like Shellshock or any of the commercial Linux metasploits, just good old social engineering which is where the majority of Windows bugs come from…
http://www.geekzone.co.nz/foobar/6229
If you’d like I can also link to the articles talking about the several instances where actual malware got into the repos, or how about when Linux.org got pwned?
I hate to break the news to ya but Linux is security by obscurity and thanks to Android using the Linux kernel and malware vendors finding out several large juicy targets used Linux backends? Yeah you’re not obscure enough for that to work anymore..
http://www.computerworlduk.com/galleries/security/10-linux-malware-…
Linux is by no means security through obscurity. Maybe my Amiga or my Atari STs are. Linux or FreeBSD are pretty much the majority of servers these days that are the targets, but of course social engineering doesn’t really target those, it’s for targeting the people who use their desktop system on a daily basis.
Sure, maybe in the 90s it was obscure enough, but not anymore. I once had someone tell me knockd was security through obscurity. I’m not sure people really know what that means…
Certainly every bit of software has bugs and bugs can be exploited. Most of these exploits require you to have local access anyhow, and by very definition if you have local access to a system, you can more than likely get at its data. Even if it comes down to ripping the drives out of the physical machine and mounting them…
knockd doesn’t impress me. It’s Indiana Jones style security– “We built this ancient deathtrap to protect this object, but all the traps can be bypassed by someone clever”.
I wonder how many people out there are using the default of 7000,8000,9000 on their config?
And which operating system might that be?.. Dare to tell us? I bet my whole estate the only OS that does not have any remote exploits is the one that does not support networking.
He wrote this based on his experience writing browser code. Browser code. The code responsible for 99% of all viruses getting in. So, yeah, some vendors are shady and made his life trying to harden the software a little more difficult. But honestly, the guy lives in a glass house. He shouldn’t throw stones. Antivirus is a huge industry because of bad browser code.
Virus>>>antivirus
(Disclaimer: I have been reading OSNews for years but don’t post much. I do work in the AV industry.)
Honestly, I don’t understand what the hate is about. If you’re a full technical, power user, run Mac or Linux, and know how to secure them then you’re *likely* going to be fine without an AV or with the bare minimum. The readers here are probably the 1%ers. There are 99% other computer users out there.
The argument that AV slows down computers. Yes it does. So do all those safety features that go into your car. If you’re a race car drifter wizard, a rocket without air bags, seat belts and a safety cage is just the car for you. You can go fast and it’ll be light as a feather. For most regular folks they probably need those safety features. One can say that they should learn how to drive better but that’s the same as saying most people should have better computer skills. It’s not happening any time soon.
In a corporate environment, you’ll have people who are not computer wizards. Those are the ones who will open up your trojanized doc or PDFs, end up going to a web site with web exploits. What about those people? What happens when these people end up with a worm that spreads through the whole network? A ransomware that locks down every single document? Also, in a corporate environment a lot of slowness comes from mass deployment kits, monitoring traffic to make sure systems are up and up to date, etc. An Admin is not going to visit all 500 computers to deal with some updates or check the little lights to make sure all servers are up.
Can you end up using Linux or Macs in a corporate environment? Yes, for sure. Running all Macs is probably cost prohibitive except for the richest of companies. Linux? Sure – if you are able to hire great admins and your existing software can be easily ported (or already exists) in the Linux world. Otherwise most companies can’t justify the risk or cost of moving to a Linux environment. There are people who use Linux or Mac that can justify it – investigative journalists, dissidents in dictatorship countries, etc. These people predominantly use Macs. AV sometimes helps these people but they’re the ones facing nation-grade attacks with zero days. (I would say that except for unwanted apps most real Mac malware is targeting these groups).
Can you lock down a Windows environment? Sure thing too – if you have one without PDF, MSOffice, JavaScript, Flash, fully patched, and no WScript. Is it feasible? Not if you don’t have a wizard of an admin to lock it down. Flash can probably go away but not the other bits. Most corporate environments can’t get rid of that software (or certain abilities) without seriously impairing the ability to do work. You wouldn’t believe how many outfits use JavaScript in PDFs or macros in MSOffice. Unfortunately there are also many bad programmers who write horrible scripts as well so they’ll trip AV. Quite a few times at my daily work I see *independent developers* complaining about AV detecting their software. Well, some of these devs use cracked versions of commercial packers that are already blacklisted by the vendor, or lifted code from some forum that posted *AV-evaded* code that ends up protecting malware rather than legit software (except for this dev who decided to use that code).
Is AV perfect? No – there are times when vendors FP. Everyone does it. Cops sometimes arrest the wrong people too – maybe we should get rid of them as well? In the AV land there are vendors who are more aggressive and there are more FPs. There are also vendors who are more conservative but miss more. Just like a blood test you get.
On to the topic of Windows Defender. It may seem all the same on the outside, but people in the industry know that Windows Defender is not so great for on-access scan. That’s the reason Defender will need to automatically schedule a full system scan weekly, because it wouldn’t have caught some malware otherwise. If you check test organizations such as AV-Test or AV-Comparatives (or NSS Labs, SE Labs), MS Defender is the low-end bar and everyone is above that. They’re probably in the 98% range and most vendors these days are in the 99% range. Gone are the days of 95-98% coverage.
So, what does the paid-for AV have over Defender?
1. Extra detection features – that extra 1% detection rate comes from web/URL reputation, HIPS, heuristics, memory scanning, behavior monitoring, web page filtering and so on. These do have a performance impact, but the long-tail 1% improvement in detection costs a lot more than 1% in performance. In the end that’s a choice of the user.
2. Enterprise console – Defender doesn’t support a centralized reporting structure. This is a must for medium size+ environments.
3. (goes with 2) Compliance monitoring. Many enterprise products now will isolate machines that are not fully patched or not up to date as a safety feature. Not something that Defender has either.
Go ahead and turn off your AV if you know what you’re doing. That advice is true for most readers of this site but not true for many others. Blasting that message may do a disservice to most of the general public.
I agree mostly, but I think you are way too lenient on these people who think they are above running AV. They aren’t. They’re at the mercy of their browser’s code. A dangerous gambit.
Most people are not as smart as they think they are, nor are their adversaries as dumb as they assume.
flav2000,
Well said!
It’s too bad that I don’t have much clout in the industry. Basics – that’s what I keep pushing others to do. I always tell people not to do anything that they have to clean up 5 years down the road (but it still happens). As with any software shop, all sorts of shortcuts and shenanigans go on within the AV industry just like everywhere else.
As for mission creep – as much as we love great performance, a lot of the time it’s about responding to new threats (and then cobbling something together to address that).
Ex1. Poweliks (the registry-only stay-resident blob) necessitated expensive registry scanning.
Ex2. (forgot the name) in-memory-only malware that will be gone when you turn off the machine, but infection is through some unsecured network app on servers. Required extensive memory scanning – and on top of that had to do dangerous in-memory cleanup b/c admins refuse to reboot their servers even if it means the virus stays there.
Ex3. Exploit kits are coming from (even legit) websites – so to answer that web reputation and url scanning is the norm.
There are so many (required) innovations in the AV industry that slow things. Unfortunately with bad coding practices and new computer paradigms you always have new vectors that you need to protect. I agree though that there is too much gimmicky stuff added regularly to the AV suites. Those tend to die pretty quickly though.
I have used NOD32antivirus and I am currently using F-Secure antivirus. I have not noticed any performance hits.
I agree with using Microsoft’s Defender/antivirus over any free alternatives.
Edited 2017-01-29 17:44 UTC
Been running Windows Defender for at least six years now (Windows 7, then Windows 10), browsed the internet extensively, downloaded a lot from file sharing sites, used the PC as power user (developer / graphic designer / sound and video editor)…
Never. Had. A Single. Problem.
To those pretending that Defender does nothing: have you ever wondered whether YOU – and your way of using the PC, or choosing a site or a download – are the real issue here, or is it really because of the antivirus software? 😉
I have installed 2 laptops running Windows 7 for my parents: 60-year-old father and near 50-year-old mother. Neither of them has any kind of antivirus, only AdBlock plug-ins for browsers. They have been using these laptops for many years now, with ZERO problems.
It’s been my experience, especially in the past few years, that an adblocker is really all you need to stem the threats coming in from web pages directly. It won’t help with emails or local downloads obviously, but it’ll block darned near every drive-by exploit out there because these exploits are set up on advertising networks. This is why, no matter how web page owners may beg, I will not turn off my ad blocker until or unless the advertising industry makes a concerted, full-time effort to take the bad ads down. I’m sorry, I really am, for how this affects sites like OSNews. However, so long as you rely on third-party ad networks to serve ads for your page, you are putting everyone at risk by bringing in random elements of which you may not be aware. It’s not the web page itself I’m worried about. It’s the crap you’re willing to pull in that is dangerous.
Okay, rant off. Sorry.