Blacklists Don't Work

On my desktop, which I’ve been running since Vista’s release, I’ve no antivirus running. I believe I’m a competent enough user to not foolishly execute suspicious looking files. I do have a backup process just like cylo which images the system once a week. I occasionally scan it with online virus scanners. So far, 0 viruses.

I’ve mentioned previously in a comment on your other AV article, the one rare time I did get hit by a virus which propagated itself throughout my home network, both AVG and SAV failed to pick it up. Yes, blacklists are worthless: all it takes is a small amendment to an existing virus to circumvent it, and a few days to months before the AV vendors pick up that particular variation.

The situation on my laptop is different, however. In my working environment, flash drives are regularly swapped around, and often many of them contain viruses which are rather dated. AV software works extremely well in this scenario.

I’d always recommend keeping an AV program running to the majority of the users (that is, people who don’t read blogs like these) since the chances of them stumbling onto one due to the lack of technical expertise/experience is pretty damn high.

Look, it’s not about statistics or anything: it’s about practicality.

Practical, real world example

Sorry for double posting: But my example just goes to show that for me, using non-windows has proven to be 100% effective.

Period.

Can you imagine just how many people get money by producing anti-virus software.

I don’t know how much Grisoft get from the free AVG virus checker. I mean, I assume it’s nothing, as that’s how much they’ve got from me over the years. I don’t notice any drop in the power of my PC running it, although I’ve not run exhaustive tests or anything. I have no idea how much good it’s doing but I guess it’s doing something. Would not running it be better? I don’t get it. Why? Even if I ran as a regular user and not administrator, an executable could delete all my files. That’s all I really care about.

While running as root/administrator is insecure, it doesn’t mean that you are secure while running as a normal user. I maintain the position that the best protection from viruses, trojans and other malicious software is a decent education. Namely, one shouldn’t trust everything on the web. A program running as a user can still delete your data, for instance… very harmful.

In many distros you can find the repository installation model, where applications are installed from a central repository. I believe it is more secure than going on any random site and installing a program from there, unless the repository is compromised, of course.

The best antivirus is to always run on a virtual machine with a backup. If you want to surf the net, run on a virtualized linux. Not a perfect system, it takes some maintenance and eventually someone comes up with a virus that infects the base OS from the virtualized OS. The battle will never stop.

By the way, I’m running Vista with antivirus OFF. No problems at all for six months.

Did anyone stop to think about the vast majority of users that just want to use computers? Do you really expect everyone to know how to take care while using one?

Just like was posted in the previous posts about running as non-admin, I would like to point to Sudowin: http://www.lostcreations.com/sudowin/sudowin

Since I use that program I have had not a single problem running as a normal user.

Of course one problem that you could have is that a virus could wipe out all YOUR files but not those of others. Unfortunately, on my home system my files are approx. all the files on the computer.
Which leads to the other important thing everybody should do: backups!

Maybe an article about how TimeMachine revolutionizes backups?
(I don’t know, don’t have Leopard yet)

Joel Eidsath: and how were those Unix boxes owned? Via the HTTP server process, I presume? And I’ll bet the hole wasn’t even in Apache (or whatever you’re running) but in a poorly secured PHP application. Well, regular users won’t run an HTTP server, and a developer (like me) will probably have it behind a firewall.

As for a trojan attacking my user account, that’s of course perfectly possible. But it would have very few places to hide, and I can spot it at a cursory check. Which, of course, isn’t true about your regular Joe, but this just proves that social engineering is the single biggest threat to security.

Ultimately, a virus that just deletes your data is:

  1. really quite sad (it’s about the same level as telling n00bs on the internet to type in rm -Rf /); and
  2. pointless (you might care about your data, but – in the majority of cases – why should anyone else?).

Blacklists work perfectly fine for my awesome ad/popup blocker, AdBlock Plus. Every other month (seriously) one gets through, and I have to manually add it. But it catches SO much that often I forget that normal people still have an ad-littered internet.

As for viruses, I think that topic is widely misunderstood and misinterpreted (by Jeff too). For starters, there is no reason why viruses would need admin rights; they just use them because right now they can. You think if tomorrow everyone would stop using the admin accounts viruses would be dead? That idea alone is ridiculous. Also, only a small percentage of viruses actually intentionally damages your PC. Most try to do some annoying stuff, true, but the chance that a virus will eat all your files is next to zero.

On Windows, I think that most viruses and other bad things seem to come from using Outlook (Express) and/or Internet Explorer. If you don’t use either of those apps, your chances of picking up anything bad go way down.

In fact, on my Windows machines I have recently removed all my anti-virus software. In years of running Windows, I have never had a single virus detected.

However, I’ve fixed plenty of people’s computers which have become infected, and they did have anti-virus software, but it typically wasn’t up-to-date (and they were using IE and Outlook). I’ve switched them from those apps and any issues went away.

(1) I agree that realtime antivirus scanning on Desktops is absurd, but virus scanning is a necessity for e-mail servers. I had several accounts that got 100,000+ viruses a day during the MYDOOM/NETSKY crisis. My mail reader and my mail server both ran Linux, but that didn’t keep my /var partition from filling or my e-mail client crumbling under the load. Virus scanning eliminates one major category of BS that mail server administrators need to deal with.

Similarly, I’ve created several systems that accept uploaded files in MS formats. Malware scanning at that point doesn’t stop bespoke attacks, but it prevents incidents that waste time.

I haven’t seen false positives to be a big problem with malware scanners. In the last ten years I’ve seen one false positive for a virus scan… And I’ve dealt with the consequences of 10,000+ false positive “spam” emails.

(2) It’s completely wrong that the UNIX permission system stops virus activity on UNIXoid systems. It’s entirely possible for an email virus to:

(a) Attack an e-mail client via a buffer overflow
(b) Install itself in the user’s account
(c) Add itself to a cron job that belongs to the user, to the .xinitrc, .cshrc or other place that will cause it to run whenever the user is (or isn’t) logged in
(d) Connect to port 25 (and other ports) on other hosts: propagate itself
(e) Hijack the email sending mechanism of a user’s e-mail client, or login credentials for sending email
(f) Install keylogging software, steal data that belongs to the user, etc.
(g) Port scan, serve as a proxy and otherwise be a stepping stone to attack other machines
(h) Open ports above 1024; become part of a botnet
(i) Send spam email

That’s more than enough to support viable malware. Yes, having a secure “root” domain makes it easier to clean up the mess later, and prevents malware from boogering the kernel and/or userspace to hide its activities. But so what?

People don’t attack Linux because there are far fewer Linux machines, and the software they use is less homogeneous. Nothing dominates the market like Outlook in the Linux world… An attack on a particular e-mail client would only affect 10% of Linux users if that – and Linux users are 1% of the market.

Why spend time developing malware that works on 0.1% of users when you could write one for windows and infect 50%?

I beg to differ: blacklists, specifically for spam, can help if the context in which they are used is very narrow. Speaking from experience, mail filters and firewall rules tailored for a specific mail server can cut down the volume of junk mail by more than 90%.

Trying to extend the blacklist approach from the specific context to the general case is where the wheels come off the cart. What works reasonably well as a first line of defence against spam for a small shop will become unmanageable the wider you have to cast the net, e.g. how often you have to update the spam mail search patterns, or the IP address ranges you block.

Also, how you choose what to put into the blacklist will differ between a company’s internal mail management and, for example, if you have to cater to users for whom you offer webmail services. If the blacklist is still “sharp” enough for one scenario, it becomes a much blunter tool if you have to include both, or more.

In the end it’s a trade-off. What kind of resources are you willing to spend to keep your mail server operational? And a blacklist, or a combination of several such lists, may be more effective than a different solution that consumes more resources (memory, CPU time, false-positive rate, etc.).
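As an added illustration of two points made in this thread (a hash blacklist is beaten by a small amendment to a known sample, and casting a wider net trades misses for false positives against a default-deny allowlist), this is constructed example code from the editor, not from any commenter; the byte strings are made-up stand-ins for files, not real malware:

```python
import hashlib
import re

# Constructed sample files: short byte strings standing in for executables.
KNOWN_BAD  = b"MZ\x90\x00EVIL-PAYLOAD-v1" + b"\x00" * 8
VARIANT    = KNOWN_BAD.replace(b"v1", b"v2")              # the "small amendment" from the thread
REPO_APP   = b"MZ\x90\x00GOOD-EDITOR-3.1" + b"\x00" * 8   # hypothetical package shipped by a distro repository
LOCAL_TOOL = b"MZ\x90\x00PAYLOAD-SIZE-CHECKER-0.2"        # hypothetical benign tool built locally, not in the repo

SAMPLES = {"known_bad": KNOWN_BAD, "variant": VARIANT, "repo_app": REPO_APP, "local_tool": LOCAL_TOOL}
BAD = {"known_bad", "variant"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Narrow blacklist: exact hash of the one sample the vendor has seen (default allow).
HASH_BLACKLIST = {sha256(KNOWN_BAD)}
# Broad blacklist: a loose pattern meant to catch variants too (default allow, wider net).
BROAD_PATTERNS = [re.compile(rb"PAYLOAD")]
# Allowlist / repository model: only hashes of packages the repo vouches for (default deny).
HASH_ALLOWLIST = {sha256(REPO_APP)}


def narrow_blacklist_blocks(data: bytes) -> bool:
    return sha256(data) in HASH_BLACKLIST


def broad_blacklist_blocks(data: bytes) -> bool:
    return any(p.search(data) for p in BROAD_PATTERNS)


def allowlist_blocks(data: bytes) -> bool:
    return sha256(data) not in HASH_ALLOWLIST


def score(policy) -> dict:
    """Count bad samples caught (the rest are evasions) and good samples wrongly blocked."""
    caught = sum(1 for n in BAD if policy(SAMPLES[n]))
    false_pos = sum(1 for n in SAMPLES if n not in BAD and policy(SAMPLES[n]))
    return {"caught": caught, "missed": len(BAD) - caught, "false_positives": false_pos}


def compare_policies() -> dict:
    """Narrow blacklist misses the variant; broad blacklist and allowlist catch both, each at a false-positive cost."""
    return {"narrow_blacklist": score(narrow_blacklist_blocks),
            "broad_blacklist": score(broad_blacklist_blocks),
            "allowlist": score(allowlist_blocks)}
```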

Regarding running as non-admin users to avoid the need for an anti-virus solution: my AV recently launched my browser under the LOCAL SYSTEM account so it could show me an advert! Not quite moving in the right direction…

http://www.daybarr.com/blog/2007/12/06/avg-antivirus-and-internet-insecurity

Amen! to the non-admin user account.

I surf the web using a limited account. I’ve yet to get anything more serious than tracking cookies. I think I got hit with 1 virus in the 4 YEARS I’ve had the computer. The anti-virus killed it and we’re back to good again. I’m not sure I agree with you on the no antivirus, but I DO agree with the limited user account.

Besides, if I need admin access, I’ll just right click and “run as” my admin account. Best of both worlds.

My biggest problem with the Windows non-Administrator user is that some programs have an automatic startup configuration (ADOBE in particular) that needs to complete for every user… but can’t if you’re not Admin. Really annoying. Even Firefox has problems with its auto-update. You have to log back in as admin, and then re-log as your user.

Not all blacklists are ineffective.

Adblock is a perfect example of a blacklist that works. It blocks out all those flashy bright annoying ads. It won’t fool the smarter advertisers, like Google, but it gets rid of most.

Jeff, relax, you’re not always right and there is not always a simple solution.

Yes, running as a non-Admin is better, but not always practical.

I would never run Norton, which is a fat pig, but have been running Avira AntiVir for several years (the free version) and am very happy.

I also use a router, and rarely get a virus. What is more annoying is the crap that Ad-Aware blocks.

When a rant is spot on 100% correct does that make it not a rant?