by proactivesvcs 3070 days ago
Many of my customers run the common free anti-virus programs and I can assure you that they are not snake oil. The logs and alerts from blocked infection attempts are testament to this.

I certainly would say that most of the free anti-virus is pushy, hungry and generally not a particularly great marketing exercise.


Sure they do things - but they promise real security and protection - which is a laughable claim when you look at detection statistics. They are not much better than Defender. But unlike Defender, they themselves sometimes act like spy/adware: showing advertisements on the desktop etc. and communicating with the server a lot, and not for updating.

Oh, and my experience with most of their logs is that they log and alert on almost everything - even when it is as trivial as a tracking cookie - but make it look like a real threat to the ordinary user to show what good work they are doing. And especially on older computers they really slow things down.

So I cannot recommend them and would rather stress the importance of updates and of not mindlessly installing/clicking random things. (But with updates, almost everything important does that automatically now anyway.)

> The logs and alerts from blocked infection attempts are testament to this.

Infection attempts by what? Scans of phishing mail attachments they wouldn't have opened anyway? At least if they know what they are doing. In addition, many AVs have this annoying habit of reporting quite a few false positives based on syscalls or some weird heuristics; this leads to the situation where even totally legit software, from a trusted source, triggers a warning.

Which then conditions people to just click past the warning; at that point you might as well not even run the AV at all and instead just scan individual files online through some VirusTotal-like service and teach proper user behavior.

Due to this dynamic, installing a good ad-blocker will probably do more for the security of the average Windows user than any AV software ever would.

"Which then conditions people to just click past the warning, at that point you might as well not even run the AV at all"

Anecdote: a girl in my student flat wanted to give me some file and copied it to her USB stick. But as she plugged her stick in, an antivirus warning popped up and said very clearly INFECTION DETECTED. But she just clicked it away and said it had been doing that all the time for weeks ...

Wait what?!?

And she was a student (training to be a high school teacher), so supposedly not stupid. But in this case the antivirus was actually one of the better ones, which mostly only said something if there was something. But to her it had the same meaning as "update me please". Not something for her to be bothered with right now, as her task was to copy something to the USB stick ...

So yes, definitely badly conditioned, but also plain stupid. Or overburdened.

So for those people, an antivirus (whether from the OS or third party) which really blocks stupid things and scans everything makes sense. And there are a lot of those people ... in my example it was someone who grew up with computers, but there are still many around who had to learn it much later in life. And they just click on everything.

> Infection attempts by what?

In January I've seen logs of blocked drive-by malware attempts, lots of infected email attachments and an infected USB stick.

These are not false positives. They were not legitimate software from trusted sources. The logs I read were real-world true positives and they were not inconsequential trivia like tracking cookies or the like.

I don't think that in any of the cases the user would have had a warning to blindly click through.

Not entirely sure how an advert blocker can stop email or device-carrying malware.

> They were not legitimate software from trusted sources.

Infected email attachments, unless they come from a trusted sender, I consider "useless positives", because nobody with the appropriate training should be opening them in the first place.

Kinda along the same lines as tracking port scans and counting those as "thwarted cyber attacks", like many government agencies tend to boast about; it's nice for padding stats, but is it a real security gain?

Afaik by now one of the most common successful attack vectors is drive-by kits [0], increasingly served through advertisement channels. Ad-blockers/disabling Java minimize this risk quite a bit, with low overhead, while having the added comfort of making the web more user-friendly.

Which to me is the most sensible solution, unless one really likes opening weird email attachments and/or plugging in untrusted devices.

> I don't think that in any of the cases the user would have had a warning to blindly click through.

If the user is already careless enough to connect untrusted devices and/or open random email attachments, then I have no trust in said user to heed any of the following warnings, as he/she already had to ignore previous best-practice warnings to get there in the first place.

[0] http://www.securityweek.com/internets-big-threat-drive-attac...

> If the user is already careless enough to connect untrusted devices and/or open random email attachments, then I have no trust in said user to heed any of the following warnings, as he/she already had to ignore previous best-practice warnings to get there in the first place.

Don't blame the user when we as computer scientists are too stupid to build secure systems. I expect from a computer system / software that I don't get infected if I plug in a USB stick or open a PDF file. The software devs of operating systems and applications, as well as hardware vendors, are to blame. That's it.

If you want to protect the user from email attachments from strangers, block them all; don't base it on a scan that picks up some threats.

> nobody, with the appropriate training, should be opening them in the first place

How many users do you administer again?

A whole lot of 5 users. I realize that in bigger companies it's probably less hassle to just install AV software and "hard-block" undesired behavior.

I imagine that depending on the country you are operating in, this might even be a requirement to prevent legal hassle, i.e. getting sued for "neglect" if not running AV software and something actually goes wrong, but IANAL.

But let's also keep in mind that AV solutions can have the exact opposite effect of what they're supposed to do, from data leakage [0] [1] to straight-up remote code execution [2]. Which isn't that surprising, considering that more complexity is usually a bad thing to add to any system, especially if it's as deep-rooted as most AV suites tend to be.

[0] https://www.directdefense.com/harvesting-cb-response-data-le...

[1] https://www.siliconrepublic.com/enterprise/kaspersky-nsa-lea...

[2] https://landave.io/2017/06/avast-antivirus-remote-stack-buff...

I guess that doesn't matter as he said "should".

But yeah, reality is different ...

I recommend keeping the Microsoft scanner active (Windows Defender, or whatever they call it by now).

It catches all the common stuff with high accuracy and only some of the exotic stuff gets through (which would probably get past most other scanners too).

No no, it was an original antivirus. But it's been a while (I got hesitant about doing maintenance), so I can't tell for sure which one.