Ezine 160 – Guy Says: ‘The Antivirus Emperor is Not Wearing Any Clothes’
My first objection to antivirus software is that under pressure its protection falls down. Even up-to-date packages don’t always keep out worms, Trojan horses, back-door diallers and rogue scripts. Like many military generals, antivirus software always seems to be fighting the last battle, rather than defending against the next wave of better equipped programmers with smarter tactics.
‘Good’ virus writers are going to exploit a flaw that antivirus software writers have not yet seen, thus the new virus will be successful for a few hours, or even a few days until antivirus companies reverse engineer what the virus does, and come up with a cure.
Here are 5 more questions that I encourage you to ask: given everything in its favour, does your antivirus software stop spam? Does it prevent people installing keyboard loggers? Running scripts? Exploiting Port 135? Does it deal with spyware installations?
My second major objection to antivirus software is the grief it causes with false positives. The antivirus utility often claims that unusual but innocent activity is a virus, when it’s just a new program making a legitimate change in configuration. What makes me scratch my head is that if you have to troubleshoot a computer, the first thing you have to do is disable the antivirus software. Logically and intellectually, this procedure does not seem ‘right’. A related problem is that when you get an antivirus upgrade, it gets hyperactive and stops at least 2 genuine programs from working.
My third objection is cost effectiveness. I ask the question, ‘Is the dollar cost and the time cost in fiddling with antivirus software updates worth the protection I get?’ Guy answers, ‘No. Based on history, antivirus software will not prevent the next really big virus’.
Each antivirus manufacturer works in a slightly different way, but broadly, each package scans the files on your computer looking for patterns that match its ‘definitions of a virus’. Could it be that it ever makes a false positive, and flags a new but ‘good’ file as a virus? If so, what is the ratio, and what is the annoyance factor of false alarms?
Antivirus software has a second string to its bow, and this is to identify unusual behaviour, such as a virus trying to replicate or deliver its payload. Again, how often does the antivirus software get it wrong and alert when the task was something you wanted to do on your computer?
One lesson is that antivirus checkers are most effective on computers where the files don’t change very often; there, any process writing to files or doing masses of copying has a good chance of indeed being a virus.
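To make the two detection strategies and the false-positive question concrete, here is a toy scanner added as an illustration; it is not code from the article or from any antivirus vendor. The ‘definitions’, the sample files and the process write timelines are all constructed, and the deliberately short second pattern shows how an innocent installer can match a weak definition, while a variant carrying no known pattern slips past until the definitions are updated. The behaviour check flags any process that writes many files in a short window, which catches the worm-like burst but also the legitimate backup job, exactly the trade-off the last paragraph describes.

```python
from dataclasses import dataclass

# Constructed "virus definitions" (name -> byte pattern). These are not real signatures.
SIGNATURES = {
    "Demo.Worm.A": b"REPLICATE_TO_ALL_CONTACTS",
    "Demo.Dropper.B": b"MZ\x90\x00DROP",  # deliberately short, like a weak definition
}


@dataclass
class FileSample:
    name: str
    content: bytes
    is_malicious: bool  # ground truth, used only to score the scanner


def signature_scan(content: bytes) -> list[str]:
    """First string of the bow: every definition whose pattern occurs in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in content]


def behaviour_flag(write_times: list[float], window: float = 5.0, threshold: int = 20) -> bool:
    """Second string: flag a process that writes `threshold` or more files within any
    `window`-second span. Timestamps are seconds since the process started."""
    times = sorted(write_times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:  # slide the window forward
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def score(samples: list[FileSample]) -> dict:
    """Tally hits and misses of the signature scanner and compute the false-positive ratio."""
    tally = {"true_positive": 0, "false_positive": 0, "false_negative": 0, "true_negative": 0}
    for s in samples:
        flagged = bool(signature_scan(s.content))
        if flagged and s.is_malicious:
            tally["true_positive"] += 1
        elif flagged:
            tally["false_positive"] += 1
        elif s.is_malicious:
            tally["false_negative"] += 1
        else:
            tally["true_negative"] += 1
    benign = tally["false_positive"] + tally["true_negative"]
    tally["false_positive_ratio"] = tally["false_positive"] / benign if benign else 0.0
    return tally


# Constructed samples. "new_variant.scr" carries no known pattern, so signatures miss it.
SAMPLES = [
    FileSample("invoice.doc", b"Dear customer, please find the invoice attached.", False),
    FileSample("setup.exe", b"MZ\x90\x00DROPDOWN_MENU_RESOURCES", False),  # innocent match
    FileSample("xmas_card.exe", b"\x00REPLICATE_TO_ALL_CONTACTS\x00", True),
    FileSample("new_variant.scr", b"\x00SEND_COPY_TO_ADDRESS_BOOK\x00", True),
]

# Constructed file-write timelines (seconds) for three processes.
WRITE_TIMELINES = {
    "winword.exe": [0.5, 30.0, 61.2],                # a few saves, nothing odd
    "backup.exe": [i * 0.1 for i in range(50)],      # 50 files in 5 s: legitimate, but flagged
    "xmas_card.exe": [i * 0.05 for i in range(30)],  # worm-like burst of copies
}

if __name__ == "__main__":
    print(score(SAMPLES))
    for proc, times in WRITE_TIMELINES.items():
        print(proc, "suspicious" if behaviour_flag(times) else "ok")
```

On this constructed set the signature scanner flags one of the two benign files (a ratio of 0.5) and misses the unknown variant, while the behaviour rule flags both the worm and the backup job; tightening the threshold trades one kind of error for the other.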
"Companies that sell antivirus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat." My sentiments precisely, however, I did not write those words, they came from the AntiVirusWorld site.
Rogue Anti-spyware programs are themselves one of the biggest causes of viruses. I cannot help wondering if some people are not outsmarting themselves by avoiding Windows Defender, and instead, wasting their money on a commercial alternative. Why do people buy a third-party anti-spyware program when Microsoft’s Defender does an adequate job? Moreover, it’s free, manages itself, provides real-time protection and is relatively unobtrusive. Furthermore Defender has Microsoft’s resources behind it and its only mission is to free Windows operating systems from spyware. While I don’t use antivirus software, I do deploy Windows Defender, even on my Server 2008.
Perhaps my most useful task in this ezine is to explain what it’s like living a strategy of no antivirus software. I would suggest that it gives me heightened sensitivity to virus attacks. People who have antivirus software tend to believe they are immune from danger. Because I have no safety net, I am on alert and constantly check email attachments, websites, and especially downloads, for the likelihood of malware.
I am not completely anti computer security; for instance, I deploy two firewalls, one on the Windows Server 2008 computer and the other on the internet router. Also enabling the Windows Update Service means that I automatically receive security patches from Microsoft. While some people find these operating system updates annoying, to me they are no more irritating than antivirus definition updates, and I believe updates fix the root problem, whereas antivirus software just deals with the symptoms.
For email I use Cloudmark software to filter spam email. I also run the Defender Anti-Spyware program to tackle greyware. But what I don’t do is install any antivirus software: no McAfee, Norton, AVG or Trend Micro for me.
My guess is that most potential viruses come via email, thus I do invest in a spam filter called Cloudmark, but I am sure there are many more products which are just as good. One way to become infected would be to double-click an attachment from an unknown source, such as zip files. Actually, PDFs seem to be the virus writer’s current favourite. Another ruse is a file claiming to be a picture but which is really a virus that infects your address book or may lie dormant in your computer.
Incidentally, one piece of malware that nearly beat me was the fake electronic Christmas ecard. In previous years people on the fringe of my social network sent me links to collect online Christmas cards, thus this year I did not recognise the address and clicked on the fake link. Fortunately, machines (such as mine) with up-to-date security patches are not affected by these fake ecards. What this near miss did was to reinforce the idea that the past does not equal the future; none of us, not even the antivirus companies, will see the next big virus attack coming.
CDs are another source of malware infection. I almost never install stuff from the free DVDs (or CDs) distributed in magazines. These free offerings have cleaned up their acts in recent times, but once a year some joker infiltrates the process and adds a virus to the free gift. My pappy always told me there was no such thing as a free lunch (or a free DVD).
Because I don’t have the comfort of an antivirus program, it makes me wary of email attachments, phishing websites, and especially of messages from programs I don’t recognise wanting to install. I don’t normally visit sites with tempting downloads that are disguised Trojans. On the rare occasion that I get prompted to download something I don’t understand, I decline, or abort if it starts downloading something for no apparent reason.
Macro Viruses. I don’t download or accept any unknown Excel or Word files that could have rogue macros.
Each year on average one neighbour or relative calls me to fix their machine with a virus infection. Thus there clearly is a real virus problem, but equally evident is that antivirus software did not provide protection.
People never admit how their machine got infected, maybe they genuinely don’t know. Therefore, it rarely pays to spend time trying to work out what happened, it’s much better to focus on the symptoms. The secret in troubleshooting an infection is to write down the precise error messages. Then ‘Google’ with crisp technical words, for example, ‘Virus disables taskbar’. Or research: SmitFraudFix.
As a non-believer, I do feel a little guilty when I visit antivirus sites to take advantage of their free health check tools and read their advice on cures for various symptoms. Other useful tools include the Malicious Software Removal Tool.
My point is that for a savvy operator even if the virus does its worst, it does not ‘destroy’ the machine; furthermore, the solution does not rely on an antivirus subscription.
I visit a lot of computer shows. Now because my cavalier attitude to antivirus software induces pangs of guilt, I always check out the antivirus stand. If there is something I am missing, if there really is a magic solution, then I would embrace it.
What I find is that company A says: ‘Our software finds and destroys 98% of viruses (whereas company B only destroys 48%)’. Next month I visit a different show which features company B. Now they boast that their software destroys 99% of all known viruses, whereas company A only destroys 47%. The next month company C features at the show. You have guessed it: their product destroys 96% of all viruses, whereas companies A and B are only effective against 51% and 53% respectively. Clearly it’s a case of lies, damn lies and statistics; these figures cannot be true for every antivirus manufacturer.
Summary – Is Antivirus Software Worth the Hassle?
The antivirus debate all comes down to risk versus reward. What are the gains from running antivirus? What are the problems? I will put aside the cost of running antivirus software, I am not a cheap-skate. What annoys me is that antivirus software interferes with installing other software on my machines. Also I do a lot of troubleshooting, and the first thing you do when troubleshooting software problems is disable the antivirus software. The reason is because the antivirus software won’t let the real program install, update or do what it needs to do to work properly.
Well, I hope this article will at least encourage you to muse, ‘Is the antivirus emperor wearing no clothes, or is it really Guy who is the fool?’
Windows Syslog Analysis
Logs are full of information for troubleshooting network problems. When something really goes wrong there will surely be an error message in the log, if only we can find that record and interpret the event. What will help to analyse such network messages on a Windows computer is the Kiwi Syslog Server.
A clever system such as the Kiwi Syslog server can provide extra vital information such as group events so that you can see how long the problem has existed, and gain valuable clues from the time patterns.
Finally, a great log analyzer, such as Kiwi, will anticipate problems and make you a better administrator.
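The grouping and time-pattern analysis described above can be shown with a small script, added here as an illustration; it is not Kiwi’s code and makes no claim about how Kiwi implements these features. It parses BSD-style syslog lines of the form `<PRI>Mon dd hh:mm:ss host program[pid]: message`, groups repeated messages per host and program (numbers such as PIDs, ports and addresses are masked so that variants group together), and reports for each group how many times it fired, when it first and last appeared, how long the problem has persisted, and the typical gap between occurrences. The log lines are constructed; a regular ‘link down’ every 60 seconds is the kind of time pattern worth spotting.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines in the BSD format a Windows syslog server receives.
SAMPLE_LOG = """\
<34>Feb 14 08:00:01 router1 kernel: eth0: link down
<34>Feb 14 08:01:01 router1 kernel: eth0: link down
<34>Feb 14 08:02:02 router1 kernel: eth0: link down
<38>Feb 14 08:02:10 fileserver sshd[4021]: Failed password for admin from 10.0.0.7 port 51234
<38>Feb 14 08:02:12 fileserver sshd[4022]: Failed password for admin from 10.0.0.7 port 51236
<30>Feb 14 08:03:00 fileserver cron[118]: job backup finished
<34>Feb 14 08:03:02 router1 kernel: eth0: link down
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_line(line: str, year: int = 2008):
    """Split one syslog line into its fields; BSD syslog carries no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,
        "severity": pri % 8,  # 0 = emergency ... 7 = debug
        "time": ts,
        "host": m["host"],
        "prog": m["prog"].strip(),
        "msg": m["msg"],
    }


def normalise(msg: str) -> str:
    """Mask numbers so messages differing only in PIDs, ports or addresses group together."""
    return re.sub(r"\d+", "N", msg)


def group_events(text: str, year: int = 2008) -> dict:
    """Group events by (host, program, masked message) and summarise their timing."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue  # not a syslog line; skip rather than abort the whole analysis
        groups[(ev["host"], ev["prog"], normalise(ev["msg"]))].append(ev["time"])

    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "duration_s": (times[-1] - times[0]).total_seconds(),
            "typical_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,  # median gap
        }
    return summary


def most_frequent(summary: dict) -> list:
    """Return group keys ordered by how often they fired, busiest first."""
    return sorted(summary, key=lambda k: summary[k]["count"], reverse=True)


if __name__ == "__main__":
    summary = group_events(SAMPLE_LOG)
    for key in most_frequent(summary):
        host, prog, msg = key
        s = summary[key]
        print(f"{s['count']:>3}x {host} {prog}: {msg}  "
              f"(first {s['first']:%H:%M:%S}, last {s['last']:%H:%M:%S}, "
              f"over {s['duration_s']:.0f}s, typical gap {s['typical_gap_s']})")
```

Run against real exported logs, the masking step is what turns thousands of near-identical lines into a handful of groups, and the ‘typical gap’ column is where periodic faults (a flapping link, a scheduled job that keeps failing) stand out from one-off noise.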
Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.
It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information on UMRA.
Will and Guy’s Humour
This week Will and Guy have some Valentine’s Day Trivia about kissing