dumping 'real' anti-virus for ad-aware & malwarebytes?

Forum for anything else which doesn't fit in the above forums. Site feedback, random talk, whatever, are welcome.
newsposter
Posts: 1131
Joined: Wed Sep 14, 2005 11:31 am

dumping 'real' anti-virus for ad-aware & malwarebytes?

Post by newsposter » Fri Mar 13, 2009 4:28 pm

If you work up a comparison sheet of 'features' (not technologies), a combination of ad-aware and malwarebytes appears to match what mcafee and norton offer. Upside is a smaller cpu and memory footprint, downside is the unknowns.

Has anyone tried something like this or dumped a 'real' antivirus package for a combination of other tech?

I'm mostly looking for protection on the process and network activity front. My file servers are running mcafee enterprise very easily. For some reason, desktop products are not as easily managed and take a lot more resources than server products.

thanks!

beats
Posts: 772
Joined: Tue Nov 27, 2007 4:11 am
Location: Netherlands

Post by beats » Fri Mar 13, 2009 4:51 pm

McAfee VirusScan Enterprise can run on servers as well as workstations. What version are you using on the workstations?

newsposter
Posts: 1131
Joined: Wed Sep 14, 2005 11:31 am

Post by newsposter » Fri Mar 13, 2009 4:52 pm

I've got a limited number of licenses for 8.5i, which is why I'm only running it on my servers.

Yes, I pay attention to license counts.

beats
Posts: 772
Joined: Tue Nov 27, 2007 4:11 am
Location: Netherlands

Post by beats » Fri Mar 13, 2009 5:16 pm

Their Enterprise products are very good, unlike their Desktop stuff. But isn't buying more licenses an option? That way you can manage it all centrally with EPO. And unless you already have them, Ad-aware, which I personally do not recommend (get SuperAntiSpyware instead), and malwarebytes will require licenses as well in a commercial environment...

newsposter
Posts: 1131
Joined: Wed Sep 14, 2005 11:31 am

Post by newsposter » Fri Mar 13, 2009 6:20 pm

This is all for home use. I inherited my three McAfee Enterprise licenses from a former employer who went out of business; I actually hold the title to the licenses, etc., etc. Buying more isn't an option for me just now.

Yes, I know that the perfect solution is McAfee Enterprise. Not an option for my 3x desktops/laptops which is why I'm researching alternatives.

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Fri Mar 13, 2009 7:37 pm

Or you could just go commando. I've been running Windows without any sort of anti-virus, anti-spyware or firewall (with the exception of the router that keeps out unsolicited inbound traffic, except for those on 22, 80, 443, and 3389; I have no outbound restrictions) for many, many years and have never ever run into a situation where I needed them. With the exception of a non-software firewall, it's all useless snake oil...

...unless this is a computer that will be used by Aunt Tillie, but the impression that I get is that you are using these machines.
My addons: CmdOpen - HashCheck - Notepad2 - MS Runtimes - DirectX

Into the breach, meatbags!

newsposter
Posts: 1131
Joined: Wed Sep 14, 2005 11:31 am

Post by newsposter » Fri Mar 13, 2009 8:53 pm

Yup, just me.

But the laptops get connected to college networks a couple of times a week (both wired and wireless). So I'm thinking that I need something not so commando, even if it's just a fairly strict process and network traffic monitor.

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Fri Mar 13, 2009 10:57 pm

newsposter wrote:But the laptops get connected to college networks a couple of times a week (both wired and wireless). So I'm thinking that I need something not so commando, even if it's just a fairly strict process and network traffic monitor.
When I was in college, all of my systems were hooked to the campus network without a software firewall (or a protective personal router). I even had Windows file sharing turned on with public access. Yes, it meant that I had to be more careful about keeping up with security patches than otherwise (I also have automatic updates turned off, but I monitored the security bulletins, which was more useful since I also had non-MS services running on my Windows boxes, like Apache and OpenSSH), but I never ran into any problems during those years either (during which time, I watched the infamous Blaster worm infect a good chunk of the dorm networks, but it never affected me because I was up-to-date with patches).

Oh, and each one of my machines also had its own statically-assigned globally-routable IP (though the school did block incoming off-campus traffic to ports specific to Windows networking). And I still had no incidents.

If you are concerned about security, get the Sysinternals tcpview. It's a great way to audit your exposed attack surface. Most people treat a firewall as the first line of defense (which it is), but I like to treat it more as frosting on the cake: it's certainly nice to have, but I feel far better knowing that my system can stand up "in the wild" even if I don't have that first layer.

crashfly
Posts: 789
Joined: Thu Mar 13, 2008 11:39 pm
Location: Arkansas, USA

Post by crashfly » Sat Mar 14, 2009 1:33 pm

I myself am partial to COMODO Internet Security. It is free for personal use.

Grant you, yes, there have been some people that do not like it. And yes, I have had a few minor issues with the Defense+ portion of the program. However, the antivirus is updated regularly, and I have had very few issues with the first-rate firewall.

If you are not feeling "frisky" enough for the full package, you can install specific items when first installing it (such as just the antivirus or just the firewall). If you do install the full package, one can completely disable the defense+ portion of the software (and then do a reboot). So far, I have had little to no issues with incoming viruses or problems.
A mind is like a parachute, it only functions when it is open.
--Anonymous

How to Ask Questions the Smart Way

roirraW "edor"
Posts: 761
Joined: Sun Oct 15, 2006 2:25 pm

Post by roirraW "edor" » Sun Mar 22, 2009 9:39 pm

code65536 wrote:Or you could just go commando. I've been running Windows without any sort of anti-virus, anti-spyware or firewall (with the exception of the router that keeps out unsolicited inbound traffic, except for those on 22, 80, 443, and 3389; I have no outbound restrictions)
What did you say your IP address is again? ;)
Gigabyte case GZ-FA2CA-AJB
Gigabyte MA790X-UD4P with Realtek High Definition Audio
HIS Radeon HD 4850 512MB
AMD Athlon 64 X2 4400+ 2.3GHz
Corsair 4GB DDR2-6400 4-4-4-12
4x1TB SATA RAID 0+1/2x640GB SATA RAID 0/Misc. PATA
Windows 7 x64

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Sun Mar 22, 2009 11:00 pm

roirraW "edor" wrote:What did you say your IP address is again? ;)
If you have to ask, then I have no need to worry about you. :P (it's not a secret; you just have to know where to look)

But the fact of the matter is this: the crap that gets peddled in the name of "security" will do diddly squat to save me from any real attack.

* Anti-virus, anti-spyware, etc.: placebo feel-good defenses that are about as effective as that Airborne crap; useful only for protecting against user error (albeit a broad definition thereof) (so install it on Aunt Tillie's machine); totally useless against real attacks

* Inbound firewalls (or a NAT router): useful for defense-in-depth, but should really be treated as a backup (what if a guest connects an infected/malicious computer to your home network? what if you are using a public network?) ... it's also no substitute for shutting down unneeded or insecure processes that listen on non-localhost ports (ahem, Microsoft, pay attention!)

* Outbound firewalls: also defense-in-depth, except that this only mitigates certain types of damage after your system has been hosed; if you get to the point where an outbound firewall helps you, then you're already screwed (though it may save you from being royally screwed)... personally, I don't think that post-screwing damage control is worth the usability hassle of outbound restrictions
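The "audit your exposed attack surface" idea from the tcpview suggestion earlier in the thread, and the point above about processes listening on non-localhost ports, can be checked from a plain `netstat -ano` dump. The script below is an added example (not posted by anyone in the thread): it parses that output, separates loopback-only sockets from ones reachable from a network interface, and flags anything exposed that you did not intend to run. The netstat text is constructed sample output, and the set of intended services is an assumption you fill in yourself.

```python
"""Audit listening sockets from `netstat -ano` output (Windows format).

Only loopback-bound sockets are unreachable from the network; anything bound
to 0.0.0.0, [::] or a specific interface address is exposed to whatever
network the machine is plugged into (campus LAN, coffee shop, home).
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample of `netstat -ano` output; PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1340
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:2048      198.51.100.7:443       ESTABLISHED     2212
  UDP    0.0.0.0:123            *:*                                    980
  UDP    127.0.0.1:1900         *:*                                    1064
  TCP    [::]:3389              [::]:0                 LISTENING       1120
"""

LOOPBACK = {"127.0.0.1", "[::1]"}

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int
    pid: int

    @property
    def exposed(self) -> bool:
        # Anything not bound to loopback is reachable from at least one NIC.
        return self.host not in LOOPBACK


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port'; rpartition keeps bracketed IPv6 hosts intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return every bound socket that can receive unsolicited traffic."""
    listeners = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, blank line, or something we do not recognise
        # TCP sockets count only when LISTENING; UDP sockets are always bound.
        if m["proto"] == "TCP" and m["state"] != "LISTENING":
            continue
        host, port = split_endpoint(m["local"])
        listeners.append(Listener(m["proto"], host, port, int(m["pid"])))
    return listeners


def exposed_listeners(netstat_output: str) -> List[Listener]:
    return [l for l in parse_listeners(netstat_output) if l.exposed]


def unexpected_listeners(netstat_output: str,
                         intended: Set[Tuple[str, int]]) -> List[Listener]:
    """Exposed sockets whose (proto, port) is not on the intended list."""
    return [l for l in exposed_listeners(netstat_output)
            if (l.proto, l.port) not in intended]


if __name__ == "__main__":
    # Assumption: RDP (3389/TCP) is the only service this owner meant to run.
    INTENDED = {("TCP", 3389)}
    for l in unexpected_listeners(SAMPLE_NETSTAT, INTENDED):
        # Map PID to an image name with: tasklist /FI "PID eq <pid>"
        print(f"exposed and unexpected: {l.proto} {l.host}:{l.port} pid={l.pid}")
```

Run against real output with `netstat -ano > ports.txt` and read the file in place of `SAMPLE_NETSTAT`; each unexpected hit is a service to disable, bind to 127.0.0.1, or consciously add to the intended set.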

ccl0
Posts: 817
Joined: Tue Jan 02, 2007 1:56 am

Post by ccl0 » Mon Mar 23, 2009 12:04 am

what about people who look at p0rn sites and download stuff.. er.. hypothetically speaking

crashfly
Posts: 789
Joined: Thu Mar 13, 2008 11:39 pm
Location: Arkansas, USA

Post by crashfly » Mon Mar 23, 2009 12:09 am

I would have to disagree with some of code65536's comments here because there are so many more scenarios that are not considered.
code65536 wrote:* Anti-virus, anti-spyware, etc.: placebo feel-good defenses that are about as effective as that Airborne crap; useful only for protecting against user error (albeit a broad definition thereof) (so install it on Aunt Tillie's machine); totally useless against real attacks
What happens when a friend hands you some data from a source that was not checked/scanned/or whatever? Let's say that you have no reason to believe this friend would "do you harm." By using/executing the data without proper anti-virus, well ... even if you did trust this friend, then your computer is hosed.

Even in instances where one must look at someone else's data to either retrieve or clean up something, anti-virus can be a big life saver.
code65536 wrote:* Inbound firewalls (or a NAT router): useful for defense-in-depth, but should really be treated as a backup (what if a guest connects an infected/malicious computer to your home network? what if you are using a public network?) ...
How many people do you let guest on your home network, code65536?
code65536 wrote:* Outbound firewalls: also defense-in-depth, except that this only mitigates certain types of damage after your system has been hosed; if you get to the point where an outbound firewall helps you, then you're already screwed (though it may save you from being royally screwed)... personally, I don't think that post-screwing damage control is worth the usability hassle of outbound restrictions
So from this statement, you do not evaluate any other software that is not supposed to communicate with the internet or "phone home"? Many times an outbound firewall lets you know what *is* trying to communicate in a way that was not specified. Be it an innocent program that checks for updates (even when you did not ask), or some spyware that someone installed while trying out a program (very few people ever read an entire eula). Honestly, an outbound firewall can protect a person from many unknowns.


In the end, good security is prudent. However, anti-virus that does its job well is an indispensable product. Firewalls that offer good inbound *and* outbound protection are quite useful for keeping people who do not know how to tinker with their computer from damaging it.

I could live without a firewall, but I choose not to for the convenience. I will not live without anti-virus due to data from unknown sources.

newsposter
Posts: 1131
Joined: Wed Sep 14, 2005 11:31 am

Post by newsposter » Mon Mar 23, 2009 12:09 am

You're screwed; you may as well cancel your internet accounts, burn your computers, and not bother us anymore.

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Mon Mar 23, 2009 2:28 am

ccl0 wrote:what about people who look at p0rn sites and download stuff.. er.. hypothetically speaking
Shouldn't be a problem with a decent browser. I *very* strongly recommend Firefox with NoScript (plus a few Fx config tweaks). Hopefully, computer literate people will recognize that when a site takes you to a video that is, strangely, a .exe file, that alarms should sound. For opening pictures and videos in general, see my next section.

BTW, what is so cool about NoScript isn't so much the protection (which is marginal, IMHO; if all you want is safety, NoScript will not get you much), but the fact that it shields you from nuisances. After-click popup ads? Gone. Immoralities like Flash, Silverlight and Java? All gone. Layer ads? Gone. Annoying decorative snowflakes that float down your screen and eat CPU? Gone. NoScript has per-site controls that allow you to toggle things on and off for a site with just a couple of clicks. I don't have a separate ad-blocking extension installed since NoScript does a good job of keeping out most of the really annoying stuff. For me, NoScript is really like NoNuisance.

I also hate plugins. I killed the Windows Media plugin, the Acrobat plugin, the QuickTime plugin, etc. That forces Fx to download stuff to the HDD, and then you can open it manually. It's a bit of a hassle, but I love doing it for the stability--buggy plugins can't bring down the browser this way. And in terms of security, it's slightly safer this way (but once again, I do this for the anti-nuisance, not for the security).

One thing that I should add is this: If you do get hosed by a browser security bug (or by Yet Another Dumb Adobe Security Hole), anti-virus won't help you one bit. It's really for the situations where you download Something Bad and then try to run Something Bad. And even with IE, you are safe from this.
crashfly wrote:What happens when a friend hands you some data from a source that was not checked/scanned/or whatever? Let's say that you have no reason to believe this friend would "do you harm." By using/executing the data without proper anti-virus, well ... even if you did trust this friend, then your computer is hosed.
To protect against infected physical media, autorun should be disabled for all removable drives. By default, 2K and 2K3 disabled AR for removable drives, but it's enabled by default for XP, Vista, and, appallingly, 2K8 Server. This is one default setting in Windows that I disagree with strongly (and thanks to Conficker, I feel vindicated :twisted: )

In general, Explorer should be made to always show file extensions. Once again, another default Windows setting that I disagree with very strongly.

As for documents, this is why it's important for Office (and other document viewers, like Acrobat) to always be up to date (or to use another document viewer that isn't as prone to problems). This applies to media players, too, like Winamp.

Generally speaking...

* Data is harmless unless your data viewing program has an unpatched security hole that allows maliciously-crafted data to do Bad Things. This is a rare occurrence, and most importantly, this is something that AV software will generally not protect against (though most people get the impression that AV will protect them from this--but hey, as I said, AV is mostly about false hope :))

* Executable data is dangerous only if you execute it. I have knowingly saved viruses to my computer so that I can poke at them. As long as I don't execute them (I rename them from .exe to .bin so that I don't accidentally run them), that's perfectly safe. But, seriously, how often do people send you executable files? For me, it's very rare. And the few times that it does happen, it's been from someone who I trust ("trust" in the sense that I know that they have a good grasp of security). And if I was extremely paranoid, I could always use a sacrificial VPC, but I've never had to do that.
crashfly wrote:How many people do you let guest on your home network
Guests, visiting relatives, etc. And there's also the issue of me leaving the home network; e.g., using a laptop at a bookstore. I admit that an inbound physical firewall is a nice extra layer of defense, but it should be regarded only as a backup, never as anything more.
crashfly wrote:So from this statement, you do not evaluate any other software that is not supposed to communicate with the internet or "phone home"? Many times an outbound firewall lets you know what *is* trying to communicate in a way that was not specified. Be it an innocent program that checks for updates (even when you did not ask)
I have nothing against software that tries to "phone home"; I'm not that paranoid. I do check tcpview now and then to see which processes are doing what in the networking department.
crashfly wrote:some spyware that someone installed while trying out a program
Well, I did list caveats in my post. Notably that anti-BadStuff software will protect against a range of things that can be broadly defined as "user error" (that includes not knowing beforehand what an installer does). First, I do install anti-virus on the "Aunt Tillie" systems (as I had indicated twice in this thread, the things that I say apply to people who know what they are doing, which is the general audience of this forum). And second, I am extremely selective about what software I install. Certain software, like stuff by reputable sources such as Google, Microsoft, Adobe, Mozilla, et al., I will trust and install (though I always go with "custom" if they offer that so that I know what's going on). Everything else, I will install only if I know what the installer does. So I will prefer unzip-and-run over installers, and easily-analyzed installers (NSIS) over opaque installers. If I'm suspicious, I will run it on my sacrificial guinea pig VPC to make sure that the installer is kosher. But in general, this happens very rarely (I haven't installed any new software in months), so it's worth the hassle.

Anti-virus, OTOH, is never worth it. It shortens battery life. Eats memory. Eats CPU. Slows things down. And most damningly, AV eats disk IO, which is often the most critical bottleneck in modern systems. And all for what? Any real attacker who targets me will not be deterred one bit by some dinky AV suite--all that AV can do is protect me from myself. Now, if I was Aunt Tillie, then yes, I would need to protect me from myself, but I suspect that for many people who frequent technical forums, they need no such thing.

redxii
Posts: 395
Joined: Sun Dec 17, 2006 5:50 pm

Post by redxii » Mon Mar 23, 2009 7:46 am

Not running AV on Windows is sacrilege and punishment is a good ol' fashioned burning on the stake.

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Mon Mar 23, 2009 10:21 am

He's a witch! Get him! :lol:

roirraW "edor"
Posts: 761
Joined: Sun Oct 15, 2006 2:25 pm

Post by roirraW "edor" » Mon Mar 23, 2009 4:23 pm

roirraW "edor" wrote:What did you say your IP address is again? ;)
code65536 wrote:If you have to ask, then I have no need to worry about you. :P (it's not a secret; you just have to know where to look)

I know, I was just joshing you. :)

newsposter
Posts: 1131
Joined: Wed Sep 14, 2005 11:31 am

Post by newsposter » Mon Mar 23, 2009 5:44 pm

Well, I'm into the beginning of my second week without any 'active' AV, software firewall, or malware protections. No problems so far. I'm on the wireless 8-10 hours a day; 4 or so at school, 1-2 hours in a Starbucks or Caribou, the rest at home.

In the morning between classes I've been running a manual scan on the laptop with malwarebytes and ad-aware. Those two haven't picked anything up.

My home machines and server still have McAfee Enterprise running on them. No reports of 'trouble' there either. The home machines/servers are up and running 24/7, so if something crept in, presumably it would try to infect the whole network. I run no-network virtual machines (VirtualBox) where I test fresh downloads and utilities, so one would hope that those isolated sandbox environments are able to catch dodgy happenings.

Occasionally, my web surfing gets to be pretty 'liberal' :oops: and if I were to ever pick up malware I would expect it to come from there.

Still, it's only been a week. I'll report back from time to time with positive/negative occurrences.

One immediate positive; my laptop boots faster and is *much* more responsive.

One thing I'm thinking of doing is to set up a fully mirrored port on my switch and feed that into a junker box setup to run sonicwall and a few other pieces of protective software. Not that this would do anything to prevent an infection. But it would constantly be scanning the datastream for crap and so might serve a purpose, even if that purpose is fuzzy-wuzzy peace of mind stuff. I have one old junker mATX machine with a 32bit Athlon 3000 cpu that either goes back to some kind of work or gets tossed at one of the local catholic schools.

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Mon Mar 23, 2009 8:33 pm

roirraW "edor" wrote:I know, I was just joshing you. :)
I know. ;)
newsposter wrote:One immediate positive; my laptop boots faster and is more responsive.
Ain't it great? Welcome to the world of anti-AV! :D

That's probably the best reason for going "naked": Faster performance and longer battery life. Anti-BadWare really slaughters disk I/O.

One of the things that you learn as a software developer is where your bottlenecks are:
* Latency for accessing data from the on-die cache is measured in tens of CPU cycles
* Latency for accessing data in main memory is measured in hundreds of CPU cycles
* Latency for accessing data on a hard disk is measured in, depending on the relative speeds of the hard drive and the CPU, anywhere from tens of thousands to millions of CPU cycles

This is why reducing disk access and reducing page faults are so important. For example, in many cases, running a PE-packed file is faster than running a regular file: you incur an extra cost of unpacking the file when you run it, but it means that you incur less disk access when loading the executable, and often, that actually results in faster performance because of that huge discrepancy between disk access and memory access (Off-topic: OTOH, if you run multiple copies of the same process, PE-packing will hurt because it means that the pages can't be shared, thus increasing memory pressure and disk access, which is why I don't like to PE-pack Notepad2).

And just as the biggest performance wins come from easing that disk I/O bottleneck, the worst performance hits come from tightening that. We spend so much money adding memory to reduce paging (and reduce disk I/O), and then we spend even more money to install software that jacks that disk I/O right back up. It's insane.

The truth is that if you know what you are doing, you don't need AV. Period. Buying into the "conventional wisdom" that all Windows boxes need AV is playing right into the slimy paws of Steve Jobs (yes, I'm quite the curmudgeon :P).

5eraph
Site Admin
Posts: 4621
Joined: Tue Jul 05, 2005 9:38 pm
Location: Riverview, MI USA

Post by 5eraph » Tue Mar 24, 2009 2:07 am

code65536, are you sure you meant the Apple guy, and not Peter Norton or John McAfee? Macs are just as vulnerable when a problem exists between keyboard and chair.

I'd still recommend a software firewall on your laptop, newsposter, even XP's built-in solution, if you connect to public networks where you can't trust every member of that network--like public libraries or school networks.

In general, I agree with code's advice. An up-to-date OS is always the best defense.

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Tue Mar 24, 2009 8:15 am

5eraph wrote:code65536, are you sure you meant the Apple guy, and not Peter Norton or John McAfee? Macs are just as vulnerable when a problem exists between keyboard and chair.
What I meant by that is that the whole AV thing plays into Apple's marketing perfectly because it lets Apple make the claim, "see, Windows is so insecure that you must use AV" (of course, Apple is just as vulnerable, and depending on how you look at it, Windows is just as safe, but they get a free pass because black hats don't like to bother with tiny market shares).

And of course, AV is one big reason why Windows seems sluggish and why some programs sometimes don't work as expected. More ammunition for Apple's marketing department.

The AV companies benefit from all this too, but most people already think poorly of the AV companies, so I don't have much beef with them. On the other hand, Apple walks around smugly with a (mostly undeserved) halo, so I like to target them.

ccl0
Posts: 817
Joined: Tue Jan 02, 2007 1:56 am

Post by ccl0 » Tue Mar 24, 2009 1:22 pm

I wonder how much of a performance hit it would really make this day and age? That article was from 2006, so I'd be interested to know if it's the same numbers with modern components like an i7 proc and a Western Digital VelociRaptor HD, etc.

newsposter
Posts: 1131
Joined: Wed Sep 14, 2005 11:31 am

Post by newsposter » Tue Mar 24, 2009 1:28 pm

Another way to look at this is the relative performance of a system with no anti-virus and 'conventional' hardware (C2D @ 3GHz, 4GB RAM, 5400 rpm drive) versus a bleeding-edge system that is burdened by an AV suite and software firewall.

The price delta for the bleeding hardware is about $400 plus the cost of the AV ($0.00 to $150-). There are no affordable i7 laptops (yet). Not trivial.

If dumping AV is safe and lets me push back a hardware upgrade 12-24 months, it's something to consider.

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Tue Mar 24, 2009 1:56 pm

ccl0 wrote:I wonder how much of a performance hit it would really make this day and age? That article was from 2006, so I'd be interested to know if it's the same numbers with modern components like an i7 proc and a Western Digital VelociRaptor HD, etc.
CPU speeds and memory bandwidth advance much more quickly than HDD speeds. So that, relative to the CPU and memory, disk drives will become more of a bottleneck in the future.

SSDs can mitigate this, but they are far too expensive and will likely never match magnetic drives in terms of capacity (or more importantly, capacity per buck). High-rotation HDDs (like the VR) have yet to enter the mainstream despite having been around for a long time. And in all likelihood, they are never going to enter the mainstream and will always remain on the fringe because high rotation speeds are costly: they require more power, generate more heat and noise, and are harder to stabilize.

And of course, there's the "don't waste hardware just because you can" argument that newsposter brought up: my $500 laptop is outclassed in many ways by the laptop of someone I know. The other laptop has better hardware (and cost its owner 3x as much), but my system is still noticeably faster and more responsive. I am usually stingy with hardware: my server is still humming along after nearly 10 years of operation, and despite having horribly obsolete hardware (okay, it's had a few upgrades during that time), it still performs marvelously, largely in part to a strict avoidance of software bloat.

ccl0
Posts: 817
Joined: Tue Jan 02, 2007 1:56 am

Post by ccl0 » Tue Mar 24, 2009 3:46 pm

I'm just wondering about the real impact vs. perceived impact.

Sure, AV uses extra resources, but let's say AV uses 10% of resources... would anyone *really* notice much of a difference?

If it takes 50 seconds to boot, an extra 5 seconds or so would probably not be noticed. I know that's very generalized, but you see what I mean, I'm sure. Also, with quad cores becoming more mainstream and RAM being so cheap, a lot of computer resources these days are probably wasted by being idle. So in that regard, with or without AV software etc., it would still probably be underutilized most of the time (hardly ever using 100% of the computer's resources).

SSD... I think in 5 years or so you'll see them much more commonly. Densities and performance will increase while prices will lower. Remember those 100MB hard drives? I bet back then nobody would imagine 1 terabyte drives in a 3.5in body. They also were quite expensive back then too, if I recall.

WD did a really good job with the new VelociRaptor HDs. I had always thought that it used more power and produced more heat too, but actually it's not quite as I originally thought: http://www.behardware.com/articles/727- ... aptor.html

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Tue Mar 24, 2009 4:33 pm

ccl0 wrote:would anyone *really* notice much of a difference?
Yes.

But even if the impact was small (which it isn't, because AV's biggest hit is on the most "vulnerable" link), there is still the principle of the matter: why throw resources away needlessly? Just because you can waste resources, lower battery life, etc., doesn't mean that you should.

The fact still remains: aside from protecting against user error, AV serves no purpose whatsoever. AV cannot protect you against threats arising from software bugs. It cannot protect you against a real black hat attack. And even in the user error department, it's far from perfect: it can't protect against new, 0day threats, only against those that it can detect. Yes, AV software also provides heuristics to try to catch things that it hasn't seen before, but here's a dirty little secret: all that these heuristic algorithms do is increase the number of false positives (of which we see many on this forum) because real malware authors know how to get past them (e.g., at a recent DefCon, there was a competition where people were provided with an existing known virus that all the AV suites know how to detect, and they were told to modify it so that it can slip past the latest versions of all the major AV suites--this event was over in hours--not surprisingly, the AV vendors were less than thrilled about it because, well, they don't like being exposed as frauds). AV is the airport screening equivalent of computer security: it's feel-good placebo security. Okay, it'll protect Aunt Tillie from accidentally opening a "special greeting card", but that's about it.

So in the final cost-benefit analysis, even if the issue of performance cost was reduced, the benefit is still laughable, at best.

ccl0
Posts: 817
Joined: Tue Jan 02, 2007 1:56 am

Post by ccl0 » Tue Mar 24, 2009 5:16 pm

I think NAV 2009 is set to download new sigs every 15 minutes or something. Some AV programs download once a day or once an hour, etc.

Desktops don't require batteries (not everyone has a laptop).

I don't think it would be needless if it offers some kind of general protection.

There's not many things in this world that are completely invulnerable.

I don't know how many regular people would suffer from a black hat attack.

But having some protection... say, like something to scan incoming emails to your Outlook inbox, etc., is all the average Joe requires. User error... well, I think it goes w/o saying a lot of people out there are not as computer literate and thus are unaware of certain potential pitfalls.

code65536
Posts: 735
Joined: Wed Mar 14, 2007 2:58 pm
Location: .us

Post by code65536 » Tue Mar 24, 2009 5:56 pm

ccl0 wrote: I think NAV 2009 is set to download new sigs every 15 minutes or something. Some AV programs download once a day or once an hour, etc.
That, my dear, is an extremely cute marketing gimmick, because even if you update every second, it doesn't change the fact that it still takes a long time for a virus in the wild to first be reported (this could take a while, since this usually requires a human to notice that there's an uncaught virus), analyzed, and added to the database. They can cut the deployment phase of the response time all they want, but that won't help if most of that response time is in the form of report and analysis, which you can't hurry.

If you look at some of the great outbreaks in the past, by the time the AV people notice them, they've already spread quite a lot (and it's usually this spread that finally gets them to surface on the radar).

ccl0 wrote: Desktops don't require batteries (not everyone has a laptop).
Electricity still isn't free. Extra heat in the summer also means extra work for the AC. I mean, what would Al Gore say?! :lol:

ccl0 wrote: I don't think it would be needless if it offers some kind of general protection.
But it's mediocre protection at best.

ccl0 wrote: There aren't many things in this world that are completely invulnerable.
Yes. So?

ccl0 wrote: I don't know how many regular people would suffer from a black hat attack.
No, they don't. And that's the point! The threats that people encounter every day are generally easily avoidable with a little bit of common sense--you don't need AV to protect yourself from that. And as for the hard stuff that you can't avoid with the application of common sense, well, AV ain't gonna help you there either.

ccl0 wrote: User error... well, I think it goes w/o saying a lot of people out there are not as computer literate and thus are unaware of certain potential pitfalls.
Unfortunately, there are plenty of people out there who lack the common sense defense and for whom I think that AV is essential. But I've been conceding that point since the very beginning.
My addons: CmdOpen - HashCheck - Notepad2 - MS Runtimes - DirectX

Into the breach, meatbags!

ccl0
Posts: 817
Joined: Tue Jan 02, 2007 1:56 am

Post by ccl0 » Tue Mar 24, 2009 6:20 pm

My point was this:

Anyone can make some argument which seems logical about why this or that. People can rationalize things in order to fit their views.

It's all a matter of perspective.

I could say something like: why do people eat? I mean, people grow old and die eventually; they can't prevent that, so why bother? Why put off the inevitable? It's going to happen no matter what. Can't stop it from happening even if you wanted to, so basically eating serves no real purpose.

But you see people eating every day. But I could say it's all pointless and useless and just consumes resources while not really doing anything to change the outcome (death).

RogueSpear
Posts: 1155
Joined: Tue Nov 23, 2004 9:50 pm
Location: Buffalo, NY

Post by RogueSpear » Tue Mar 24, 2009 7:22 pm

I remember reading someplace that all of the electricity required to run anti-malware software on Windows machines equates to roughly what one nuclear power plant generates - so think in terms of gigawatts.

Two things strike me about the topic and the conversation. First would be Windows. This is a direct result of what happens when everybody is running with root access morning, noon, and night. All the band-aids, jimmy-rigging, and UACing in the world that you stick in a fundamentally defective operating system won't help you. You can't shine a shit.

The second issue is that people are just plain stupid. Why do we have spam? Because some chowderhead actually clicks on the link and puts in their credit card information. The social engineering aspect is both amusing to witness and completely wipes out all of my faith in humanity. Want to target women? Just offer them a bunch of free smiley faces and assorted shiny blinking things that they can put in their email signatures. Want to target men? Porn, sports, and gambling are all sure bets. I'm constantly amazed at doctorate level educated people who have 20+ years experience with computer technology, clicking on a window that informs them that they might be infected. Believing that their bank would actually send them an email in order to inform them that something is amiss with their bank account.

No operating system, no protective software, no amount of informative training will ever save people from themselves. At the same time, if there is a quick buck to be made, then there are no laws, no treaties, no threats, and sadly, there is likely no technology that will ever stop an ingenuitive con artist.

I run Symantec AntiVirus Corporate at work. Version 10.1.6, not even 10.2, and not even that criminally negligent abortion they call EndPoint Protection. It's more than three years old now, it still gets daily updates, it probably can't detect crap. So why do I bother? Because it makes everyone feel warm inside, and more importantly because all of my users run as users and not admins, and lastly because all of my workstations are locked up tighter than the skin on a grape. They run Firefox with NoScript. I've prepopulated NoScript with the domains that they need to go to in order to get their jobs done. And if you take anything away from this at all - I provided no training or instruction on how to use NoScript. So 99.99% of web sites don't work properly.
