FAO: Microsoft Security Essentials lovers...

Autoruns, Rootkit Revealer et al? And then there's non-direct approaches like listening to what your computer is telling you. Is it running slow? Are apps randomly crashing with no obvious pattern? Has your bandwidth suddenly taken a severe drop? Is the Event Viewer full of suspicious activity? If any of these suspicions seem founded then it takes 5 minutes to boot into a Recovery Console prompt and take a peep at your System32 folder for any strange-looking .sys files. Even the most advanced rootkits can't hide themselves if you don't boot from the OS on which they're installed ;)

All great, useful tools. However, how long are you willing to wait and monitor whether that random application crash was benign or not? Do you trust what process explorer is telling you? If I take the machine offline do I really want to trust my knowledge of the system32 folder or would it just be easier and more convenient to run an offline scan?

You can get away without using antivirus software but that doesn't preclude it from being useful in some instances.

Generally though if a virus is sophisticated enough then no tool, and certainly not some poxy "anti virus", will be able to detect it. Just look at the Iranians. I'm sure they were running AV on their nuke lab computers but it didn't save them did it?

And if we're talking about the same piece of malware, part of its propagation method was using code signed by Microsoft so relying on image verification wouldn't have worked for them either.
 
If the security value in verifying image signatures is based on gathering information to make an informed decision, then antivirus software and/or services can contribute to that information.

1. UsefulProgram.exe has a verified signature

2. UsefulProgram.exe has a verified signature and also checks clean against hundreds of thousands of known malware definitions.

The second scenario is logically more informed than the first and can aid decision making in a positive way.

SmartScreen Filter that's built into Windows performs that purpose, in a far more reliable way. In W8 they moved it up a notch to become a first-class citizen of the OS experience.

http://www.howtogeek.com/123938/htg-explains-how-the-smartscreen-filter-works-in-windows-8/
 
Ignorance isn't bliss. That's why I installed Kaspersky on their laptop last year. I'm not an expert. But updating to a new OS would be a good idea.

Not really. There's very little difference between Vista, 7 and 8 in terms of OS security. They all have UAC for instance, which is the main thing that sets them apart from previous versions of Windows. If that machine is getting infected regularly then it's not been configured correctly for use by computer-illiterate persons.
 
All great, useful tools. However, how long are you willing to wait and monitor whether that random application crash was benign or not? Do you trust what process explorer is telling you? If I take the machine offline do I really want to trust my knowledge of the system32 folder or would it just be easier and more convenient to run an offline scan?

You can get away without using antivirus software but that doesn't preclude it from being useful in some instances.

And if we're talking about the same piece of malware, part of its propagation method was using code signed by Microsoft so relying on image verification wouldn't have worked for them either.

No knowledge of System32 required. Simply sort the file/folder listing by Date Modified and hey presto you see all the recently created .sys files. Doesn't take much thought to try to correlate those timestamps back to "what you were doing" at that time.

AV is simply not useful today. The last time I got any value out of an AV product was to remove CIH back in the late 90s. I don't think "get away without" is the right phrase. It's more accurate to say "you can get away with having just AV and no other protection measures, education or care in the world" but it doesn't mean you will get away with it forever. That's unfortunately how people with AV think. They think the AV will protect them from everything but it won't. It will catch realistically about 10% of "out in the wild" threats thrown at it. And most of those will be months or years old. They won't be the cutting edge threats using 0-day exploits etc.

AV also tends to fail to detect the heavily obfuscated malware that is so common today before the infection occurs. They'll only spot it once it's too late (i.e. the malware is memory resident). And of course then you have the issue of the AV naively trying to remove the infection and failing. And if it's a rootkit they often don't like this and are prone to putting the system into an infinite BSOD reboot cycle...
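The "sort System32 by Date Modified and look at the recent .sys files" check above, plus the earlier point that a verified signature is one more piece of information to weigh, can be turned into a script. The following is an added example written for this thread, not code posted by anyone in it and not a Microsoft tool. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) running elevated; the $Days and $Paths parameters are hypothetical names chosen for illustration.

```powershell
# Added example (not from the thread): list recently modified kernel drivers in
# System32 and System32\drivers, check each one's Authenticode signature and
# record a SHA256 so the file can be looked up elsewhere later.
# Assumptions: elevated Windows PowerShell 4.0+; $Days/$Paths are hypothetical
# parameter names chosen for this example.
param(
    [int]$Days = 30,
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")
)

$cutoff = (Get-Date).AddDays(-$Days)

$results = foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Filter *.sys -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeKB        = [math]::Round($_.Length / 1KB, 1)
                SigStatus     = $sig.Status        # Valid, NotSigned, HashMismatch, ...
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Unsigned or tampered drivers sort to the top; everything in the window is
# still listed so the timestamps can be correlated with what the machine was
# doing at the time.
$results |
    Sort-Object @{Expression = { $_.SigStatus -eq 'Valid' }; Ascending = $true },
                @{Expression = 'LastWriteTime'; Descending = $true } |
    Format-Table -AutoSize
```

A valid signature only tells you who signed the file, not that it is harmless (the signed-by-Microsoft propagation case mentioned earlier is exactly that), so the output is a shortlist to investigate rather than a verdict. And as the post says, a kernel rootkit can hide from a listing taken on the running OS; to get the honest view, boot recovery media, mount the disk, and point -Paths at the offline volume (for example D:\Windows\System32\drivers) instead.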
 
AV is simply not useful today. The last time I got any value out of an AV product was to remove CIH back in the late 90s.

I disagree. It's been useful for me on more than one occasion.

I don't think "get away without" is the right phrase. It's more accurate to say "you can get away with having AV and no other protection or care in the world" but it doesn't mean you will get away with it forever. That's unfortunately how people with AV think. They think the AV will protect them from everything but it won't. It will catch realistically about 10% of "out in the wild" threats thrown at it. And most of those will be months or years old. They won't be the cutting edge threats using 0-day exploits etc.

Some people think that way, but not all who use antivirus do. And certainly not myself.
 
User education is far more powerful and effective than paying for an AV product and assuming it'll protect them from all ills. Did you sit down and explain about the web, email attachments etc?

Yes I have, they know not to act on emails asking for bank details. I cannot answer for other scenarios.
I would never expect 100% fail-safe from an AV program, how can you? All I can say is I'm very pleased that Kaspersky has stopped the laptop locking/crashing/asking for details every couple of months. That can change. Especially as last time I tried to upgrade their laptop to KIS 2013, but without success. I had to roll it back to the 2012 version. As I live away from them I had limited time to work out why. Vista maybe.

I do agree common sense about loading times... applications installed... generally keeping an eye. But those people aren't looking at Overclockers for the latest CPU are they. So AV it is.
 
Yes I have, they know not to act on emails asking for bank details. I cannot answer for other scenarios.
I would never expect 100% fail-safe from an AV program, how can you? All I can say is I'm very pleased that Kaspersky has stopped the laptop locking/crashing/asking for details every couple of months. That can change. Especially as last time I tried to upgrade their laptop to KIS 2013, but without success. I had to roll it back to the 2012 version. As I live away from them I had limited time to work out why. Vista maybe.

I do agree common sense about loading times... applications installed... generally keeping an eye. But those people aren't looking at Overclockers for the latest CPU are they. So AV it is.

My parents never install applications. I suspect most are the same. So why not just lock the machine down by setting their user accounts to be non-administrators? That solves so many issues that could possibly arise... And if they do need to install something a quick phone call can resolve that with you jumping on via RDP/VNC/TeamViewer and getting them past the UAC prompt with your admin credentials.
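Here is the "make them a standard user and let UAC do the rest" setup above as a script. It is an added example written for this thread, not code from anyone posting here. It uses the WinNT ADSI provider rather than the newer LocalAccounts cmdlets so it runs on Vista, 7 and 8 as well as 10; it assumes it is run elevated, and $UserName is a hypothetical parameter name for the local account to demote.

```powershell
# Added example (not from the thread): move a local account out of the
# Administrators group into Users so everyday browsing runs without admin
# rights, then confirm UAC is switched on so the remaining admin can approve
# the occasional install over RDP/VNC/TeamViewer.
# Assumptions: run elevated; $UserName is a hypothetical parameter name.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName
)

# Refuse to demote the account that is running this script, otherwise the
# machine could be left with nobody able to elevate.
if ($UserName -eq $env:USERNAME) {
    throw "Refusing to demote the current account ($UserName); run this from the admin account you intend to keep."
}

$admins = [ADSI]"WinNT://./Administrators,group"
$users  = [ADSI]"WinNT://./Users,group"
$member = "WinNT://./$UserName,user"

# Members() returns COM objects; pull the Name property off each one.
function Get-GroupMemberNames([System.DirectoryServices.DirectoryEntry]$Group) {
    @($Group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

if ((Get-GroupMemberNames $admins) -contains $UserName) {
    # Give the account its Users membership before taking Administrators away.
    if ((Get-GroupMemberNames $users) -notcontains $UserName) {
        $users.Add($member)
    }
    $admins.Remove($member)
    Write-Output "$UserName removed from Administrators; now a standard user."
} else {
    Write-Output "$UserName is not in Administrators; nothing to change."
}

# EnableLUA = 1 means UAC is on, so a standard user gets the credential prompt
# that an admin can fill in remotely instead of silently failing the install.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $policy -Name EnableLUA).EnableLUA
if ($lua -ne 1) {
    Write-Warning 'UAC (EnableLUA) is disabled; standard accounts will get no elevation prompt.'
} else {
    Write-Output 'UAC is enabled.'
}
```

Run it once per family account (.\Demote-User.ps1 -UserName dad, say) from the admin account you keep for yourself. The script only changes group membership and reads the UAC policy value; it does not touch parental controls or any other settings already on the machine.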
 
What were the circumstances around those occasions then? You can't leave it on a cliffhanger like that ;)


PS: I'm just happy that I've still not been flamed the hell out of here like what would normally happen :D Proves that views are changing, slowly...

If you want a recent example just last week I was handed a USB stick - AV alert popped up. I cleaned up the infected stick, got the files I needed and told the owner. That potential nuisance was dealt with and job done.

And nobody should be flaming anybody else. It's a legitimate decision to make an informed choice not to use antivirus. But I generally recommend using MSE and I'm more than willing to discuss it.
 
My parents never install applications. I suspect most are the same. So why not just lock the machine down by setting their user accounts to be non-administrators? That solves so many issues that could possibly arise... And if they do need to install something a quick phone call can resolve that with you jumping on via RDP/VNC/TeamViewer and getting them past the UAC prompt with your admin credentials.

OK - they do not install things either. It's just browsing which I think gets them into trouble. As for admin rights, my brother put parental control on the laptop, to stop Dad looking at Page 3.
 
If you want a recent example just last week I was handed a USB stick - AV alert popped up. I cleaned up the infected stick, got the files I needed and told the owner. That potential nuisance was dealt with and job done.

Connecting an unknown USB stick to a trusted computer is pretty nuts. The lack of autorun in recent versions of Windows probably saved you. In this case I would have nuked the USB drive. Bad idea to rely on AV giving the all clear. :)
 
Connecting an unknown USB stick to a trusted computer is pretty nuts. The lack of autorun in recent versions of Windows probably saved you. In this case I would have nuked the USB drive. Bad idea to rely on AV giving the all clear. :)

Um, sharing files via USB sticks is a normal use case - certainly not nuts - and I never said I was relying on AV to stop it. It alerted me, and I formatted the stick.

That was the value of having antivirus software in this example.
 
It might be normal use in an insecure environment. I'm not willing to take the risk. :)

(In)security is rarely black and white and almost always dependent on context. Add subjective opinion to the mix and you could debate till the cows come home what is insecure and what is not. The way I do things in my environment is wholly appropriate in context. Would I have plugged an unknown USB stick into a domain controller? Not a chance.

We're getting off the point though. It was simply an example of how antivirus provides some utility for dealing with malware.
 
A common misconception is that one has to browse "dodgy" sites to get infected, not true. Legit sites are compromised all the time.

And that is also down to people not updating the OS/software to close any holes that hackers and the like can use to gain access and add whatever they want.
 
Um, sharing files via USB sticks is a normal use case - certainly not nuts - and I never said I was relying on AV to stop it. It alerted me, and I formatted the stick.

That was the value of having antivirus software in this example.

What is to say that UAC wouldn't have alerted you?

Surely it's kind of "nice" to be alerted a little bit earlier, i.e. as soon as you plug the device in. But it's not the be-all and end-all. Chances are the malware would have still got caught in the net had it been executed.

Security is all about layers and whilst, yes, an AV product can be one of those layers, it's an extremely, extremely porous layer that is highly leaky and unpredictable.
 
What is to say that UAC wouldn't have alerted you?

Surely it's kind of "nice" to be alerted a little bit earlier, i.e. as soon as you plug the device in. But it's not the be-all and end-all. Chances are the malware would have still got caught in the net had it been executed.

Security is all about layers and whilst, yes, an AV product can be one of those layers, it's an extremely, extremely porous layer that is highly leaky and unpredictable.

By the same token, what is to say that UAC would have been triggered at all? As you say, security is about layers - and antivirus can form part of that system.

In the hypothetical example I would much rather receive an antivirus warning than let the malware fail silently in the background, even if in both cases I am completely secure. The former provides me with useful information I can then act on.
 
Why wouldn't you run Defender on Win8 or another free unobtrusive AV?
As said above, it's another layer. I'm certainly not going to pay for an AV though and never have.
 