Blacklists Don't Work

Jon Galloway and I got into a heated debate a few weeks ago about the efficacy of anti-virus software. My position is that anti-virus software sucks, and worst of all, it doesn't work anyway. That's what I've been saying all along, and it's exactly what I told Jon, too:


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2007/12/blacklists-dont-work.html

Antivirus software has always worked fine, for me, both at home and at work. Realtime protection blocks the intruders every time.

And why don’t Unix or Mac users need an antivirus? Simple: because there are 0.1% as many viruses for those operating systems as for Windows.

As with real viruses, the best way to fight viruses on your computer is prevention. Learn to use the Internet. If a site looks suspicious, stay away. If you’re looking for porn, don’t click anything that says “free”. It’s not, and you’ll regret trying. Watch out for places with lots of ads. If you see a banner offering a free toolbar, DON’T DOWNLOAD IT. In fact, you may want to use an ad blocker. I recommend Adblock+ if you’re using Firefox. And if you get email attachments, don’t download them unless you know exactly what they are. If you got an unexpected attachment from a friend, it doesn’t hurt to ask if they actually sent it themselves.

If you’re going to spend money securing your computer, PLEASE, don’t waste it on antivirus. If you play your cards right, you won’t need it. Get a firewall or something.

Personally, I’m glad to be on a Mac. I just don’t have a problem with viruses.

In fact, as an added measure of security (though not perfect), absolutely do not surf for porn with IE, and don’t use Outlook Express to read email (and make sure whatever email program you use lets you read them as text-only and isn’t rendering HTML automatically).

The unfortunate fact is that the most effective “virus” problems are trojans and worms taking advantage of exploits in common software (IE, OE, WMP, QuickTime in the case of Mac users). Instead of keeping anti-virus software up to date, people should be keeping their every-day programs, including but not limited to the OS, up to date. This is especially true for anything that renders HTML and/or includes scripting support for any reason.

Of course, these are all things that everyone here should already know. Furthermore, we should all know that it doesn’t really matter what OS you’re on, because they all have the same basic issues when someone decides to go ahead and let a piece of software that should be suspicious to them execute on their system.

  1. I think the reason that most viruses are written to infect M$ Windows is because it has such a big market share

  2. if you’re running as non-admin you can still catch a virus that kills your data. It can’t do everything but it still can do something

Since I usually only comment on your blog when I disagree with you, I thought I’d break that pattern: this post is right on the money, Jeff!

One thing that I’m surprised that nobody has touched on is the fact that most (if not all) good software firewalls these days include action prevention mechanisms and Application Behavior blocking. Granted this is similar to the Vista Permit/Deny setup - but sometimes preventing unwanted behavior isn’t just a matter of preventing it from actually reaching your computer. Having the tools ready to prevent unwanted behavior from even ‘good’ applications can protect you as surely as never running ‘bad’ apps.

As for myself, I don’t run anti-virus on my main PC either - but I also use a completely separate computer as a ‘workhorse’ to do downloading and extraction, so as to be able to continue whatever I happen to be doing on my main PC without interruption. Virtualization taken to an extreme, heh.

These are some of the same reasons that I haven’t run any anti-malware products on my workstation(s) in about 3 years. First with XP and now with Vista, and I’m loving every minute of it.

A few basic precautions are all that are necessary. Treat your computer like you would your own body. If you don’t sleep around with random people you meet in the bar, you won’t get the clap.

If I really want to do something risky, I use a virtual machine. That’s something that everybody should do, regardless of whether you run Windows, or the most hardened Unix OS. It’s when you start thinking that you are invincible, and don’t take any precautions at all, then you will end up as just another spambot.

I mostly agree with what you have said, but I don’t think it’s fair to claim that Windows only suffers from viruses, trojans and other malware.

I read a report where a research group set up boxes with unpatched OS’s, and while the unpatched windows machines were, on average, compromised in under a minute, the Linux and BSD flavours were compromised, on average, in under an hour.

Like a post already said, Windows is a prime target because of its market share, and yes, because it’s generally easier to attack than other OS’s, but that doesn’t make the other OS’s safer; it just means you can pretend to be safer an hour longer than Windows users.

What’s really stupid is I’ve seen anti-virus packages that run appallingly badly for non-Admin users. http://www.geekrant.org/2007/06/27/ca-internet-security/

Off topic, but does anyone have a suggested list of blogs similar to this one?

I’ll talk about RDF… please don’t run away! :)

The Decentralized Information Group at MIT has a whitelist policy based on FOAF and OpenID which is IMHO very interesting. Basically, you have to be a foaf:knows (two levels deep) of a foaf:member of the DIG group. Sean B. Palmer has a nice summary on the subject: http://inamidst.com/whits/2007/10

Also, other people started to implement exactly that but based on XFN (you know, the microformat) and for WordPress, as a plugin : http://code.google.com/p/diso/
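The two-hop foaf:knows whitelist described above, as an added example that is not the DIG group’s code or the diso plugin. It assumes the foaf:knows graph has already been fetched and flattened into a constructed dictionary of identifiers, and that the candidate OpenID has already been verified by the OpenID exchange; the check is only as strong as the identifier it is handed, so identifiers are normalized before lookup.

```python
"""Two-hop FOAF whitelist check (added example, not DIG's or diso's code)."""
from collections import deque
from urllib.parse import urlsplit, urlunsplit

# Constructed sample foaf:knows graph: subject -> set of people it knows.
# Every identifier is stored already normalized (see normalize()).
KNOWS = {
    "https://dig.example/alice": {"https://people.example/bob",
                                  "https://people.example/carol"},
    "https://people.example/bob": {"https://people.example/dave"},
    "https://people.example/carol": set(),
    "https://people.example/dave": {"https://people.example/eve"},
    "https://people.example/eve": set(),
}
# Constructed foaf:member set of the group whose whitelist this is.
MEMBERS = {"https://dig.example/alice"}


def normalize(iri):
    """Canonicalize an OpenID/FOAF identifier so equivalent spellings match.

    Lower-cases scheme and host and strips a trailing slash; the path itself
    is case-sensitive and is left alone.  Assumption: the graph was built
    with the same function.
    """
    p = urlsplit(iri.strip())
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, p.fragment))


def hops_from_members(candidate, knows, members, max_hops=2):
    """Smallest number of foaf:knows hops from any member to candidate.

    Breadth-first search bounded at max_hops; returns None when the candidate
    is not reachable within that many hops (i.e. not on the whitelist).
    """
    frontier = deque((m, 0) for m in members)
    seen = set(members)
    while frontier:
        node, depth = frontier.popleft()
        if node == candidate:
            return depth
        if depth == max_hops:
            continue  # do not expand beyond the policy's reach
        for nxt in knows.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return None


def is_whitelisted(openid, knows=KNOWS, members=MEMBERS, max_hops=2):
    """Whitelist decision for a *verified* OpenID identifier."""
    return hops_from_members(normalize(openid), knows, members, max_hops) is not None


if __name__ == "__main__":
    for who in ("https://people.example/dave", "https://people.example/eve"):
        print(who, "->", "allowed" if is_whitelisted(who) else "denied")
```

Dave is two hops from Alice and gets in; Eve is three hops away and is denied, as is any identifier that never appears in the graph. Note the design choice: an unknown identifier is denied by default, which is what makes this a whitelist rather than a blacklist.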

The problem is not running as non-root, the problem is how each OS handles a task that requires root to proceed.

Windows works on a ‘This program wants to do something, should I allow it?’ which quickly becomes the nightmare that Vista has become, every action requires a Yes or No - and every application is allowed to (just like your previous article) annoyingly steal focus to ask for permission.

Whereas on *nix, everything is told to bugger off if they want to do a task they’re not allowed. The only way a virus could do damage is if the user himself requests it by manually typing sudo.

Sudo can be annoying, installing new apps usually go along the line of:

$ apt-get install python
$ sudo apt-get install python
Password:
the rest

But I’d rather put up with a minor annoyance that happens only once in a while when I forget to type sudo, than every single damn process my pc runs demanding to run as root.

So run Unix or X

duhhh…

You know, it may not be a good idea to say that running without administrator privileges means you “never have any chance of getting in trouble. Ever.” It’s true that most current viruses run as administrator, but that can easily change. Virus writers currently use their administrator status to dig deeper into the system, but the primary task is rarely anything other than making network connections (send spam, DDoS targets, join botnet), which is obviously something limited users can do. When Microsoft completes the switchover to limited default user permissions that Vista started, virus writers will simply adjust their tactics to avoid protected parts of the system.

I haven’t run with a virus scanner since my last one expired. I’ve found that I know my system well enough to notice things that shouldn’t be there and I haven’t yet come across a virus that needed a special program (beyond regedit and a debugger in one case) to get rid of.

Since my last reformat (due to hard drive failure, not a virus) I’ve run as a regular user account (Power User is basically as bad as Administrator on XP http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx) and had no issues at all. “runas /savecred /user:administrator” is slightly longer than “sudo”, but that’s nothing a simple batch file can’t fix.

@Joe: In theory virus code won’t be able to break a non-admin account because it won’t have the privileges to run. Code would have to have permissions to be executed - and that would be set deliberately by the admin user.

Of course, Trojans can still be a problem:

  1. User-A logs onto site and sees a screensaver/useful app/game that they want.
  2. User-A downloads executable and elevates to admin to give it execute permission.
  3. User-A (now back as an unprivileged user) runs the executable, it has a trojan that copies their addressbook and mydocuments folders and e-mails them to a Russian* address (or does other stuff permitted by that account).

Education is the best way to reduce this (don’t download from dodgy sites). But there will always be stupid people.

-Perros-

*nothing against Russians.

This’ll sound naive, but what are the actions that we are saying that malware, etc. does?

You do not need administrative privileges to:
1 - Delete a file owned by you (that seems pretty harmful)
2 - Browse to a website, connect to IRC, ftp (could be used for DDOS)
3 - Download large files (slow down computer) and save to directories owned by current user
4 - Connect to an arbitrary server (can be used for command and control of botnet)
5 - Send emails (spam)

(These all apply to nx as well)

As far as I’m aware, the only thing you can really do as administrator / without getting popups is try to listen on a port (or modify system files). Or maybe you can’t do any of the things I mentioned because I’m so used to running as a user which has some admin privileges.

Most users care about their personal documents, music, photos which can be freely messed with without any privileges.
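The trojan scenario a few comments up and the list just above make the same point: an ordinary user account already has everything it needs to read, package up and destroy that user’s own files. As an added example (not code from the thread or from any product mentioned in it), this Python script builds a throwaway home directory with constructed sample documents, packs them into an in-memory archive as a stand-in for the e-mail exfiltration step, deletes them, and reports whether the process was elevated at any point. All file names and contents are invented; nothing outside the temporary directory is touched.

```python
"""What a process running as an ordinary user can do to that user's data.

Added example, not from the thread.  Everything below runs without any
privilege check or elevation; the only thing that makes it 'safe' is that
it operates on a temporary directory it created itself.
"""
import io
import os
import shutil
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "user documents" (invented names and contents).
SAMPLE_FILES = {
    "My Documents/tax-2007.txt": "constructed sample: tax notes\n",
    "My Documents/addressbook.csv": "alice,alice@example.test\nbob,bob@example.test\n",
    "Pictures/holiday.jpg": "not really a jpeg, just sample bytes\n",
}


def is_elevated():
    """True if this process holds admin/root rights. Nothing below needs them."""
    if os.name == "nt":
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


def make_fake_home():
    """Create a throwaway home directory populated with the sample files."""
    home = Path(tempfile.mkdtemp(prefix="fakehome-"))
    for rel, text in SAMPLE_FILES.items():
        target = home / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return home


def collect(home):
    """Pack every readable file under home into an in-memory .tar.gz.

    This is the 'copy the address book and My Documents' step of the trojan
    scenario; a real one would send the bytes somewhere instead of returning
    them.  Plain user permissions suffice because the user owns the files.
    """
    buf = io.BytesIO()
    names = []
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in sorted(home.rglob("*")):
            if path.is_file():
                rel = path.relative_to(home).as_posix()
                tar.add(str(path), arcname=rel)
                names.append(rel)
    return names, buf.getvalue()


def wipe(home):
    """Delete the user's own files: allowed for the same reason as above."""
    removed = 0
    for path in sorted(home.rglob("*"), reverse=True):
        if path.is_file():
            path.unlink()
            removed += 1
    return removed


def demo():
    """Run the whole scenario in a temp dir and return what happened."""
    home = make_fake_home()
    try:
        names, blob = collect(home)
        removed = wipe(home)
        remaining = sum(1 for p in home.rglob("*") if p.is_file())
        return {
            "elevated": is_elevated(),
            "collected": names,
            "archive_bytes": len(blob),
            "removed": removed,
            "remaining": remaining,
        }
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it as your everyday account and `elevated` comes back `False` while every sample file is still collected and removed; the account being non-admin protects the operating system, not the data the user actually cares about. That is the gap the comments above are pointing at, and it is why the answer in the thread keeps coming back to not running untrusted code in the first place rather than to which account runs it.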

The only reason antivirus vendors don’t change their practice is because they rely on the profits generated from continued subscriptions; they won’t “bite” the hands that feed them, in a sense, since it’s in their interest to just fix up symptoms of a problem, not the cause.

This is similar to some pharmaceuticals: they produce drugs which suppress symptoms but don’t cure the disease. That way, the patient will need to continuously buy the drug, and thus the company makes more dough. Replace with antivirus vendor, and the scenario still makes sense.

Nice post about the reality of the virus scanners, but there are a few points I would like to add.

Running in non-admin mode would indeed limit the possibilities of a program. But there are enough privilege escalation exploits, for Windows components but also for virus scanners etc. So it is possible to get infected while in non-admin mode.

I myself have a virus scanner running, but I never do the daily/monthly full scan. I do however like the Active protection mode, which monitors the files which are executed and scans them (that’s just the normal virus scanner stuff), but what I like more is the part which looks at the behavior of the program (for instance writing to the registry where it should not). That kind of protection is a good extra line of defense which blocks the new exploits too. Although if you look on www.rootkit.com, Kaspersky has a nice open gap in the communication to the kernel driver, so a virus could just disable Kaspersky and then do the dirty stuff.