It's also common knowledge that the AV industry has a huge software quality and engineering problem ("let's unpack malware and emulate x86 in kernel space, because that never backfired before!").
I've actually heard many people (including one Chrome developer) that they don't even use AV anymore except Windows Defender because 99% of AV break Windows/applications by using non-standard hooks and may even introduce new vulnerabilities with their kernel drivers/etc.
Honestly, if they can't even stop viruses from infiltrating closed systems like Android and iOS, I don't see how an anti-virus suite could ever win the battle against a user intentionally installing a virus.
(Of course, desktop apps are a different ballpark than web apps/websites where you're merely connecting to a website vs installing a dedicated application with filesystem access.)
I'm one of those people. I would be really interested in seeing what percentage of exploits, malware and spyware is caught by each feature of the common AV suite. I suspect that Defender is at the sweet spot.
Additionally, I see the entire AV market as a leech that was only able to grow as it had because Microsoft was able to shirk its responsibilities with respect to security for so long. Now that Microsoft are trying to handle the problem the AV companies are crying foul because they think they deserve the right to exist, which means Microsoft shouldn't do too much to help their own customers.
AV companies are the car dealerships of the digital realm. Superficial middlemen ensconced in a bygone era leeching money from the unwary. We should be careful, lest we legally formalize that relationship as we have with the dealerships.
My experience so far (helped maintain lots of non IT people's computers) was also, that the performance gain from removing antivirus software (and just using defender) was worth the theoretically less protection.( If even so)
Besides, with the behavior of most free Antivirus I could not really distinguish from common spyware. Everything needs to call home these days ...
So when friends ask me if this computer is now virus/spyware free .. they are usually a bit disappointed when I tell them, probably not, even if we delete everything and remove windows (but it would help).
But most people, including me, need windows from time to time, so it's allways a compromise. But common (free) Antivirus is really just snake oil.
Many of my customers run the common free anti-virus programs and I can assure you that they are not snake oil. The logs and alerts from blocked infection attempts are testament to this.
I certainly would say that most of the free anti-virus is pushy, hungry and generally not a particularly great marketing exercise.
Sure they do things - but they promise real security and protection - which is a laughable claim, when you look at detection statistics.
They are not much better than defender.
But unlike defender, they themselves act like spy/adware sometimes.
Showing advertisement on the desktop etc. and communicating with the server a lot and not for updating.
Oh and my experience with most of their logs is, that they log and alert allmost everything - even when it is trivial as a tracking cookie - but make it look like a real threat to the ordinary user to show what good work they are doing. And especially on older computer really slow things down.
So I cannot recommend them and rather stress the importance of updates and not mindlessly install/click random things. (but with updates allmost everything important does that automatically now anyway)
> The logs and alerts from blocked infection attempts are testament to this.
Infection attempts by what? Scans of phishing mail attachments they wouldn't have opened anyway? At least if they know what they are doing. In addition, many AV have this annoying habit of reporting quite a bit of false-positives based on sys-calls or some weird heuristics, this leads to the situation where even totally legit software, from a trusted source, triggers a warning.
Which then conditions people to just click past the warning, at that point you might as well not even run the AV at all and instead just scan individual files online through some virustotal-like service and teach proper user behavior.
Due to this dynamic installing a good ad-blocker will probably do more for the security of the average windows user than any AV software ever would.
"Which then conditions people to just click past the warning, at that point you might as well not even run the AV at all"
anectode: a girl in my student flat wanted to give me some file and copied it to her usb-stick. But as she plugged her stick in, a antivirus warning popped up and said very clearly INFECTION DETECTED.
But she just clicked it away and said it does that all the time since weeks ...
Wait what?!?
And she was a student (for high school teacher), so supposed to be not stupid. But in this case the antivirus was actually one of the better once which mostly only said something if there was something. But to her it had the same meaning as "update me please". Not something to be bothered with her now, as her task was to copy something to the USB stick ...
So yes, definitely also bad conditioned, but also plain stupid. Or overburdened.
So for those people, antivirus (wheter from the os or third party) which really blocks stupid things and scans everything, make sense.
And there are a lot of those people ... in my example it was someone who grew up with computers, but there are still many around who had to learn it much later in life. And they just click onto everything.
> Infection attempts by what?
In January I've seen logs blocking drive-by malware attempts, lots of infected email attachments and an infected USB stick.
These are not false positives. They were not legitimate software from trusted sources. The logs I read were real-world true positives and they were not inconsequential trivia like tracking cookies or the like.
I don't think that in any of the cases the user would have had a warning to blindly click through.
Not entirely sure how an advert blocker can stop email or device-carrying malware.
> They were not legitimate software from trusted sources.
Infected email attachments, unless they come from a trusted sender, I consider "useless positives" because nobody, with the appropriate training, should be opening them in the first place.
Kinda along the same lines of tracking portscans and counting those as "thwarted cyber attacks", like many government agencies tend to boast about, it's nice for padding stats but is it a real security gain?
Afaik by now one of the most common successful attack vectors is drive-by kits [0], increasingly served trough advertisement channels. Ad-blockers/disabling Java minimize this risk quite a bit, with low overhead, while having the added comfort of making the web more user-friendly.
Which to me is the most sensible solution, unless one really likes opening weird email attachments and/or plugging in untrusted devices.
> I don't think that in any of the cases the user would have had a warning to blindly click through.
If the user is already careless enough to connect untrusted devices and/or opening random email attachments, then I have no trust in said user to heed any of the following warnings, as he/she already had to ignore previous best practice warnings to get there in the first place.
I recommend to keep the microsoft scanner active (Windows Defender or how they call it by now).
It catches all the common stuff with high accuracy and only some of the exotic stuff gets through (which would probably be a pass for most other scanners too)
I don’t think I know of windows users that use anything other than defender these days on their personal machines, but I (am forced to) use McAfee on my work machine. I suspect that the enterprise tooling is better for third party AV and that’s the only thing other than inertia keeping corporate desktops on those old AV products.
Real security is proactive security (exploit mitigation, sandboxing, correct code, safe languages).
Reactive security kinda sucks. You have to patch known vulnerabilities, sure, but detecting exploits? Ugh. Eww. Do not like.
And indeed users mostly install malware these days, because self spreading (actual "viruses") is hard (we're not in the DOS/Win9x days anymore). So users should be proactive as in not clicking on TotallyNotMalware.exe :)
This is really just not accurate. You can say that AVs are crap, but please don't put all of your eggs in the 'proactive security' basket. At one point that was actually the prevailing attitude, and it just failed absolutely miserably.
Instead, today, we see more companies invest in what's called "incident response". Part of a healthy incidence response program is signature detection - AV plays a role in this.
If you don't have good detection capabilities you're missing a huge portion of what makes an organization secure.
Relying on proactive users is also a recipe for disaster and not a realistic goal at all, nor should it be.
Of course you should be able to respond on security incidents. If you have a security incidents it's often too late and security boundaries are already borken. In the long term we want to have secure systems which are secure by design and by default.
We have to invest heavily in incident response because we have have all of these shitty and broken systems. We should already have started heavily on building secure systems and secure languages and should call on everybody to invest time to build these instead of building reactive technologies like AV.
When it runs code to detect if it is a virus, you have to trust the sandboxing and frankly I've yet to see a sandbox that at some point hasn't been taken control of and exploited (this goes for web browsers too). So it's better to just not execute code than to trust the AV's VM to execute the code without being compromised.
I use programs on a whitelist basis and only update for security patches. This avoids issues like what happened with Transmission.
AV also detect have pitiful detection rates - something like <50% of exploits daily. It's "something" but once you're compromised you're compromised and using an AV just gives a false sense of security.
E: I imagine the downvotes are from my claims of pitiful detection rates or claims that AV is basically security fanfare. Don't take my word for it then.
Obviously this is an anti malware company PR (but please look at the MS Consumer (defender) failed detection rate). This made me research again the AV landscape and then I found this https://fatsecurity.com/tools/test-results-calculator?compan... A website that seems to aggregate a lot of AV independent tests in an easy to use UI.
MS Defender is not really good now. Even free AV are better and have lesser performance impact than Defender (but obviously come with ads, less privacy, etc.).
(I submitted recently the map to start a discussion about it but did not seem to interest anyone)
Well the definition of a "virus" have expanded greatly over the years.
The original definition was a piece of code that would latch onto binaries, and be spread that way. And those had telltale signatures (a virus may have added a jump at the start of the binary to the end, where a copy of the virus code resided, and then jumping back to the beginning of the actual program code).
And i am not so sure there is much distinction between visiting a JS heavy site and running a program locally these days. After all, we are seeing the likes of Google exposing USB and Bluetooth via JS APIs now.
This statement does not at all pan out in my experience. It is very rare for me to come across broken applications or a faulty Windows installation because of anti-virus software.
Be a MSP with thousands or tens of thousands of different configurations, all the different antivirus software you can think of, and 20+ years of doing it and you'll see anti-virus break everything you can think of.
AV prevents windows from shutting down.
AV prevents windows from booting up.
AV prevents windows upgrades.
AV prevents windows updates.
AV causes blue screens.
AV quarantines critical windows system files.
AV blocks network resources unexpectedly.
AV cripples network performance.
AV breaks hardware drivers.
AV causes programs to unexpectedly close or crash.
I'd suggest you don't know what experience I have.
I've certainly had problems with anti-virus programs, but no more than I have had with any program, operating system, driver or hardware problem really. Mostly they behave, sometimes they misbehave.
I've rarely seen anti-virus causing shutdown problems. Boot problems have almost always been faulty storage devices or operating system corruption. I've fixed more faulty WU instances that are broken because of Microsoft (recent Win7 authcab problem, IE cumulative years ago, etc). than because of anti-virus. The programs that I have come across that are crashing are rarely solved by removing anti-virus software.
If anti-virus was as widely and horrendously crap as some people keep repeating then I'd know about it because I'd be saying the same thing.
Are you saying av isn't widely crap? Because as a senior sysadmin I agree with gp very much. I don't understand why you are defending av at all honestly. It is one of the crappiest software industries in existence!
Anyone remember GStreamer being a Linux vulnerability because it had a 6502 CPU emulator to run... NES music files, and hackers managed to jump outside of the VM.
It makes me wonder how easy it is to break out of a particular anti-virus vendor's VM, in a vulnerability that wouldn't exist if you weren't even running AV (outside Defender) at all.
https://it.slashdot.org/story/17/02/01/1334219/google-chrome...
Honestly, if they can't even stop viruses from infiltrating closed systems like Android and iOS, I don't see how an anti-virus suite could ever win the battle against a user intentionally installing a virus.
(Of course, desktop apps are a different ballpark than web apps/websites where you're merely connecting to a website vs installing a dedicated application with filesystem access.)