Anyone Use AV at home?
- Thread starter swain90
- Start date
I guess it depends entirely what you use it for.
For example if you don't do any internet browsing, and all your media has come from a reliable source, then it's likely any risk is potentially low.
However if you obtain your media from other sources, or use it for browsing the internet, i probably would just on the safe-side.
I did have Avast installed on mine, although the pop-ups are starting to annoy me, so will soon be on the lookout for something different. In terms of scanning speed though, it's very quick as it blips through media files no problem.
For example if you don't do any internet browsing, and all your media has come from a reliable source, then it's likely any risk is potentially low.
However if you obtain your media from other sources, or use it for browsing the internet, i probably would just on the safe-side.
I did have Avast installed on mine, although the pop-ups are starting to annoy me, so will soon be on the lookout for something different. In terms of scanning speed though, it's very quick as it blips through media files no problem.
Soldato
- Joined
- 24 Sep 2015
- Posts
- 3,980
I found that those methods work on 2012, but not on 2012 R2.
Ahh, I'm pretty sure I have the R2 release.
I quite like MSE as it seems very light weight, what's Sophos like?
It does use a little bit more memory than MSE from what I've seen but makes no noticable difference in performance.
Might as well run no AV with the horrendous detection rate I've seen with it over the years. My home preference is ESET, work's is AVG. AVG used to be really bad until they released 2016, detection rates improved massively.
Swings in roundabouts...
Anyway its all about defense in depth...
EMET, Firewalls, IPS, Application Whitelisting...
This is very true. Add in user vigilance.
There's growing evidence that anti-virus actually exposes you to more security flaws than it protects you against. Security researchers have found dozens of critical vulnerabilities in common AV clients that expose you to anything up to remote code execution. There was a recent one where a researcher emailed a proof of concept of an attack on Symantec AV to them, but it turned out they used their own AV to protect their email servers and the PoC code brought down the server:
https://www.wired.com/2016/06/symantecs-woes-expose-antivirus-software-security-gaps/
Moreover, AV is really bad at handling the most common threats out there at the moment. It's useless for defending against most ransomware for example, especially if Cryptolocker or whatever is actually on your clients and is attacking a fileshare or something. No AV will protect your files in that case.
I work for a security vendor and we strongly recommend that no AV is installed on any of the servers where our software is deployed for exactly this reason. If you want to defend yourself:
- use only the MS built in AV (whatever it's called this week - MSE or Defender or something) don't bother with anything else
- restrict access to the server, only open up those ports necessary for your applications
- wherever possible don't RDP onto a Windows server. Use remote management tools or Powershell Remoting instead
- rotate passwords frequently. If you use SSH keys on Linux/Unix, rotate them as well. Better yet, use two-factor for everything.
- implement application whitelisting
- protect all services, especially web pages, with SSL
https://www.wired.com/2016/06/symantecs-woes-expose-antivirus-software-security-gaps/
Moreover, AV is really bad at handling the most common threats out there at the moment. It's useless for defending against most ransomware for example, especially if Cryptolocker or whatever is actually on your clients and is attacking a fileshare or something. No AV will protect your files in that case.
I work for a security vendor and we strongly recommend that no AV is installed on any of the servers where our software is deployed for exactly this reason. If you want to defend yourself:
- use only the MS built in AV (whatever it's called this week - MSE or Defender or something) don't bother with anything else
- restrict access to the server, only open up those ports necessary for your applications
- wherever possible don't RDP onto a Windows server. Use remote management tools or Powershell Remoting instead
- rotate passwords frequently. If you use SSH keys on Linux/Unix, rotate them as well. Better yet, use two-factor for everything.
- implement application whitelisting
- protect all services, especially web pages, with SSL
Agree with the second part but there's a lot more evidence to suggest it makes sense to have AV on the servers as well.
This is where things like FSRM restricting file types, macro polices and the importance of NTFS and Share permissions accross the organisation is extremely important.
AV is still a extremely important part of the defense system. I wouldnt start removing it on the basis of a few organisations research.
Last edited:
On balance, I disagree. Any sort of vulnerability that allows someone to take remote control via AV on a server is going to be very, very bad. Most AVs run as Local System or even Local Administrator, any attacker getting control of it is going to be able to to some Very Bad Things, up to and including getting hold of Domain Admin password hashes, doing a Pass-The-Hash attack on a DC, then executing a Golden Ticket attack on the domain. When that happens, your only option is to trash the domain and rebuild your infrastructure from scratch. I've seen it happen.
If you set up your server estate properly, having a virus actually execute on a server is pretty low down in terms of both probability and overall risk. If users are getting to the point that they can accidentally run malicious code on a server, then there's something wrong with your approach that an AV isn't going to help you with. Much better to harden the OS, and implement proper access controls.
On normal desktops I can still just about see some value (even if that value is mainly "it satisfies our auditors"). For admin desktops, AV is problematic due to the higher probability of using AV as a vector for getting hold of admin privileges. For servers, it's a downright liability, and this is starting to become the accepted wisdom.
This. AV is a relic of the 90s.
AV is trash quality code running in the most important part of your system. At best it will catch some low hanging fruit and make you feel warm about your investment, but at worst it can be an attack vector or a faulty signature update can bring your system down as it starts to quarantine system files.
Give your end users limited accounts, give them training, use AppLocker, make sure your backups work and aren't part of the system you're backing up - e.g. don't back up onto a domain-joined NAS with write access granted to the account you use daily. No AV is going to stop the modern style threats so focus your efforts elsewhere.
Give your end users limited accounts, give them training, use AppLocker, make sure your backups work and aren't part of the system you're backing up - e.g. don't back up onto a domain-joined NAS with write access granted to the account you use daily. No AV is going to stop the modern style threats so focus your efforts elsewhere.
Last edited: