by c0l0 1559 days ago
I will go on the record here and one-up them, warning against the use of any antivirus product. SO many vulns and gaping, smoking holes in that kind of software over the years, it's not even funny. Faux-security is what most vendors are peddling.

https://twitter.com/GossiTheDog/status/1427935182200492039 is one of my favourite bugs from recent years. I acknowledge this bug is not specific to an antivirus product (but of course, Fortigate offers that as an optional component for traffic inspection - and I keep wondering what that sub-component's code quality is like 8-)), but anyone who tries WILL find examples for grave problems aplenty.


Yes, basically this. On the one hand, being able to parse every protocol and file format under the sun in search of malware means high complexity and a lot of attack surface. On the other hand, being able to read every file, intercept all network traffic, or peek into any process's memory means pretty much the highest system privilege level. Big attack surface and high privilege level are a bad combination.

And regarding the point that the BSI is trying to make here: a high-privilege process with an auto-update channel back home (as modern software tends to have) is basically an extremely powerful backdoor. That's definitely not something you want to have installed across loads of systems across your country's industry and critical infrastructure.

It's funny that they apparently only realize this now. The same reasoning in the article can be used pretty much regardless of the AV's country of origin.

It's definitely reasonable at this point to just skip using AV. It won't protect users from bad security habits and it tends to make your system performance worse even if it doesn't have vulnerabilities.

I have Windows Defender enabled on my machines since it comes with the OS (and work policy requires it), but I definitely had to exclude most of my work folders to be able to get work done.

It would be nice to have software that specifically blocks ransomware by trying to detect it heuristically, but that would probably not be very effective and the right solution is just to have backups.

> to have backups

With the usual additional notes: unless you include an off-site, an off-line (or at least soft-offline) backup, and your backups get tested regularly enough, you don't have a backup system, you have aspirations & hopes!

----

For your valuable information anyway. For most individuals the core “it would really inconvenience my life if I lost it” data is surprisingly small¹, and the next layer (“losing it would really annoy me”) is only a few tens of GB². For personal use everything else in the grand scheme of things can be reacquired or won't be massively missed; things are a bit different for businesses of course.

[1] password store, financial details & other officialdom, code & docs for personal projects that might come to something else
[2] meaningful digital photos & such

"With the usual additional notes: unless you include an off-site, an off-line (or at least soft-offline) backup, and your backups get tested regularly enough, you don't have a backup system, you have aspirations & hopes!"

This should be posted in every place where people are involved with IT operations.

It gets posted on HN EVERY SINGLE TIME. Usually the words "have backups" trigger multiple lectures on offsite backups and testing and multiple factors and ...
I'll stop repeating myself when the world gets the damned hint!

(or stops complaining when something is lost because they didn't)

Even if/when the world does get the hint, there will still be https://xkcd.com/1053/ (although most people probably won't find this as exciting)
Don't forget to not roll your own crypto!!!
> your backups get tested regularly enough

And you test the tests and so forth.

It is tests and verifications all the way down!

No matter how careful you are adding automated tests and tests to verify those tests have run OK, and making them fail safe (fail with a warning, in this case) where possible, it will always soon get to a point where a manual “have we seen the everything-is-OK message recently?” check or similar is by far more efficient than adding another test to send a warning when the last layer of tests has failed.
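The two points above (a backup only counts once a restore has been tested, and the last layer of checking is someone noticing that the "OK" message stopped arriving) fit in one small script. The following is an added example, not code from the thread: it restores a zip backup into a scratch directory, verifies every file against a SHA-256 manifest, and touches a heartbeat file only on success; a separate watchdog function treats a stale heartbeat as a failure, so a test that silently stops running is caught as well. The paths, the archive format, and the existence of a manifest of `<sha256>  <relative path>` lines written by the backup job are all assumptions.

```powershell
# Added example, not part of the original discussion. Assumes the backup job already
# produced personal-latest.zip plus a manifest of "<sha256>  <relative path>" lines.
$BackupZip   = 'D:\Backups\personal-latest.zip'      # assumed archive path
$Manifest    = 'D:\Backups\personal-latest.sha256'   # assumed manifest path
$Heartbeat   = 'D:\Backups\restore-test.ok'          # written only after a clean restore test
$MaxAgeHours = 48                                    # how long silence is tolerated

function Test-BackupRestore {
    param([string]$Zip, [string]$ManifestPath)
    # Restore into a fresh scratch directory so the test never touches live data.
    $scratch = Join-Path ([IO.Path]::GetTempPath()) ("restore-test-" + [guid]::NewGuid())
    try {
        Expand-Archive -LiteralPath $Zip -DestinationPath $scratch -Force
        $failures = 0
        foreach ($line in Get-Content -LiteralPath $ManifestPath) {
            # Skip anything that is not a "<64 hex chars><whitespace><path>" manifest line.
            if ($line -notmatch '^(?<hash>[0-9a-fA-F]{64})\s+(?<path>.+)$') { continue }
            $relPath  = $Matches.path
            $expected = $Matches.hash.ToUpper()
            $file     = Join-Path $scratch $relPath
            if (-not (Test-Path -LiteralPath $file)) {
                Write-Warning "missing after restore: $relPath"
                $failures++
                continue
            }
            $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            if ($actual -ne $expected) {
                Write-Warning "hash mismatch: $relPath"
                $failures++
            }
        }
        return ($failures -eq 0)
    }
    finally {
        # Always clean up the scratch restore, even when the test fails part way.
        Remove-Item -LiteralPath $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Test-HeartbeatFresh {
    param([string]$Path, [int]$MaxHours)
    # A missing or old heartbeat means either the backups are broken or the test itself
    # stopped running; both are treated the same way.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $age = (Get-Date) - (Get-Item -LiteralPath $Path).LastWriteTime
    return ($age.TotalHours -le $MaxHours)
}

# The restore test (schedule it after each backup run).
if (Test-BackupRestore -Zip $BackupZip -ManifestPath $Manifest) {
    Set-Content -LiteralPath $Heartbeat -Value (Get-Date -Format o)
    Write-Host "restore test OK"
} else {
    Write-Warning "restore test FAILED; heartbeat left untouched"
}

# The watchdog (schedule it independently of the test, e.g. daily). This is the
# automated form of "have we seen the OK message recently?".
if (-not (Test-HeartbeatFresh -Path $Heartbeat -MaxHours $MaxAgeHours)) {
    Write-Warning "no successful restore test in the last $MaxAgeHours hours"
}
```

The deliberate design choice is that nothing in the test path can produce a fresh heartbeat except a complete, verified restore: a crash, an unreadable archive, or a scheduler that quietly stopped all look identical to the watchdog, which is the point of a dead-man's check rather than another layer of "send a warning if the previous layer failed".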

First I skipped using antivirus altogether, but now I have opted for an intermediate solution using Microsoft's native antivirus, Defender. At least this is fairly guaranteed to be compatible with Windows itself. Regarding the firewall: I don't trust Windows anymore; I am using an external HW firewall on my router (opnsense).
A new [0] feature in Windows is "protected folders", which denies access to specific folders (user-configurable) by default to applications, and the user needs to actively allow them access. The downside is that it's all or nothing, meaning that a given app either has access to none of those folders or to all of them.

You can do something similar with SELinux and AppArmor, and I think recent versions of macOS also have something similar.

---

[0] new to me, I'm only an occasional Windows user, for gaming, so it may have been there for a long time

Protected folders has existed for a while; in practical terms it is almost useless, because you can’t create groups of protected folders for different types of applications, thus protecting too many folders has the consequence that you need to allow almost every application you regularly use.

Therefore protected folders works best if either a) you only use a very limited set of approved applications, which of course is rarely the case if you are skilled enough to know what protected folders are, or b) you only protect one folder with text documents that you only read in Notepad, but if you have that case it is better to put them in encrypted storage.
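For anyone who wants to try the feature the two comments above describe, this is how "protected folders" (Microsoft's name is Controlled Folder Access) is driven from an elevated PowerShell prompt. It is an added example, not code from either commenter; the folder paths and the git.exe location are assumptions. It also shows the all-or-nothing property directly: the allow list is a flat list of executables, and an allowed executable can write to every protected folder, there is no per-folder or per-group allow list.

```powershell
# Added example, not part of the original thread. Requires Microsoft Defender Antivirus
# to be the active AV and an elevated (Administrator) session.

# Start in audit mode: would-be blocks are logged but not enforced, which is how you
# discover which applications need allowing before you turn enforcement on.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect additional folders on top of the built-in defaults (Documents, Pictures, ...).
# Paths are assumptions for the example.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects', 'D:\Photos'

# Allow one executable. Note the limitation discussed above: this grants git.exe write
# access to ALL protected folders, not just D:\Projects. Path is an assumption.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Git\cmd\git.exe'

# Review the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# See what has been blocked (event ID 1123) or would have been blocked in audit mode
# (event ID 1124) in the Defender operational log; each message names the process and path.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Once the audit log is quiet for the applications you actually use, enforce.
Set-MpPreference -EnableControlledFolderAccess Enabled

# To remove an allowance or a folder later:
# Remove-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Git\cmd\git.exe'
# Remove-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Photos'
```

Running in AuditMode first and reading the 1124 events is the practical way to build the allow list; the alternative, turning it on and allowing whatever complains, quickly ends in the "allow almost every application" state described above.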

> specifically blocks ransomware

If microsoft made the "shadow copy"/"previous versions"/"system restore" functionality a core part of the kernel that even someone with admin rights can't mess with (which it almost is already), then that could be used to roll the system back to 5 mins before ransomware infection easily.

Ransomware usually has delayed activation built in, so that it's possible for it to spread or activate simultaneously once it's encrypted a bunch of machines, afaik
Malware writers make sure their malware is undetected by most antivirus software. Antivirus will not save you.
This is the case only for the first few hours. Sure, the new releases are checked against the current AV engines. But there's no magic that will prevent them from being detected in a week. And unless you're being actively targeted or extremely unlucky, that means AV will catch most things for you.
Agree, but doesn’t that mean that heuristic-based AV is useless, and only creates annoyance by flagging legit software, when a list of known malware would be good enough if the response time to add to that list is high enough?
Heuristics are often good. The very basic one "has a significant number of users ever seen this file before" is both annoying for development and probably the best possible first line of defence for larger companies.
Most insurers expect you to have an AV installed.
Sometimes even on Linux servers, where the best an AV can do is take CPU and IO so that there's less for the malware.
McAfee is a magical product indeed. Not only does it ensure your Intel CPU is always enjoying the benefits of TurboBoost, but it also provides a faithful emulation of a 5400 RPM drive when using tmpfs. Marvelous technology. (And if you have a kernel-level problem, don't worry - the enterprise support you're paying so much for won't answer your calls, because McAfee taints the kernel).
Regarding Linux servers:

EP 10: MISADVENTURES OF A NATION STATE ACTOR

https://darknetdiaries.com/transcript/10/

NSA: So we’ve figured out here is the internet-facing box. The web server that they’re using was not patched, wasn’t updated, so I was able to actually use the known exploit to gain the right access to that machine. [MUSIC] Once I did that, I put an implant down on that machine because it was pretty safe. It was actually a Linux server and the nice thing about Linux is no antivirus, right? I’m not super concerned. Especially because it’s a web server, I don’t worry about a user seeing the screen and using it and see something weird going on. But anyway, so I get down on that box, sit there for a little bit. Everything looks pretty good. There’s not much to see; it’s a web server and it’s got a website on it, got a database back end to it. Not a whole lot going on.

A Linux virus that Just Works... I don't see it happening. Maybe if your distro officially supports it otherwise there will be missing libraries or incorrect drivers.
It’s also part of Windows hardening standards that are then pulled into compliance frameworks.

My company installs at least 3 antimalware/security management products that cripple, I mean, protect endpoint systems. 2 vendors. None of them are integrated with each other. So files and executables are all scanned 3x. Git runs abysmally slow because of all the processes involved and tiny files.

One of the reasons I run the paperwork gauntlet to run a Mac. Windows is crippled, Linux is banned on endpoints, so Mac it is. I have to run 1 AV, but it doesn’t do a lot. And I love apple kicking everyone out of the kernel over time (except VirtualBox, that’s annoying).

Luckily it’s mostly an application-level concern on Linux. Scanning files and such on file-servers, mail gateways, etc. ultimately protecting windows systems w/ normal user processes not all up in my kernel, and on limited systems. It actually kinda makes sense.

Now, commercial IDS/IPS, I don’t even want to know how those are architected. I haven’t touched an OSS one (Snort) in years.

If I won the lottery, it would be kind of fun to just sit and find horrific exploits in these things.

You must work where I work. Symantec Endpoint Protection (of course set to scan at any access), CarbonBlack, Avecto, etc etc etc. And because the people complain about it they install stuff like Nexthink to diagnose performance issues.

Eventually you end with a system that has so much latency on every I/O operation and over 60 ETW traces running you can't even run or finish a WPR trace.

LOL. Different batch of software.

I think this experience is called “enterprise.”

MS really shot themselves in the foot adding the ability for stuff to insert itself into I/O that easily.

Does Windows Defender not count?
It should count, and this is what I would recommend to use.
And MRT (Malware Removal Tool, catchy) on the Mac.
My favourite part of this tweet is the down-thread reply from the author:

"In fairness MSFT are really good in terms of web facing things, particularly security things." [1]

This, of course, aged like milk the very next month. [2]

[1] https://twitter.com/GossiTheDog/status/1427966653938143233

[2] https://www.paloaltonetworks.com/blog/2021/09/azurescape/

> My favourite part of this tweet is the down-thread reply from the author:

> "In fairness MSFT are really good in terms of web facing things, particularly security things." [1]

> This, of course, aged like milk the very next month. [2]

Being "good at software security" (in modern terms) doesn't imply not having any vulnerabilities ever, or even serious vulnerabilities.

That's bad advice. It's a trade-off. Installing antivirus opens some security holes and closes others. It also adds heuristic analysis. It seems to me that the security world has come to the consensus that AV is better than no AV.
> the security world has come to the consensus

Any links? If you really care about security of your OS, consider security through compartmentalization approach, which actually works. See also: https://qubes-os.org.

Security and convenience are on a spectrum. Often security works against itself by being too inconvenient, leading to human attacks as people work around the security features. If someone wants more security, it doesn't mean that they "really care about security" and want 100% bulletproof coverage. There are grey areas.