A Revolution is the Solution

On the flip side, security software alone is not as solid a defense as people might think. I did an informal test with a smorgasbord of fresh malware and found an average detection rate of only ~50%. Some apps did better, some did worse, but none proved to be the silver bullet, not even in combinations. For those curious:

http://forums.anandtech.com/mess...2& enterthread=y

As usual, my point is that there are merits to a layered defense that's founded upon least-privilege operation. I agree that people need to wake up to the serious consequences of today's malware and the need to be responsible with their computers for everyone's good.


I just had to comment on this one. Talk about a little knowledge being a dangerous thing.
And they do have a little knowledge. Someone has to invent a word for how dense that idea is. They sit there allowing their computer to spread viruses and botnets and rootkits, and they simply don't understand what they are doing wrong...
In other words: ARGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGH


Some people should *not* have computers and that user is one of them.


It sounds to me like the user has imaging software such as Acronis True Image and just reimages. Lots of folks do that instead of using antivirus. Just because you don't use antivirus doesn't mean you are infected. You can reimage in just a few minutes. Or maybe the user is on VMware and just moves to a clean snapshot.

As far as the comment about being slowed down drastically by the antivirus software, obviously the person is referring to web scanners such as those from Kaspersky, NOD32 and Avira. Those do slow your internet connection by more than 50%. I refuse to use them. They are extremely popular though and most naive users think they have to use them if they use antivirus and want to be protected.

We know nothing of what else this person does security-wise, so there is no reason to get so upset. If they do most Microsoft security patches and perhaps use the Proxomitron, Firefox or Opera instead of IE and practice safe computing, then they probably don't need an antivirus other than an on-demand scanner for scanning files they download or scanning email attachments (but most likely all their email is already stringently scanned, both outgoing and incoming, by their ISP).

I don't understand why you saw red (green I believe you characterized it) because someone doesn't use antivirus software. I have had only one virus (stealth boot) in more than eight years of having computers and that was the first year when I did not know that a new store bought blank floppy could have a virus on it and did not scan it.

Most of the time, I do not use a real-time AV scanner. I do keep an on-demand scanner around that is up to date and I use Jotti and VirusTotal to submit suspicious files to. I have had NO viruses, NO spyware in all these years.

AV software, even the best, does not detect very much as the first comment points out. Responsible computing is more effective (don't visit porn or gambling sites for one thing). The use of software such as the Proxomitron with current configurations and HIPS type software such as DiamondCS ProcessGuard are far more effective than most antivirus software.


"I don't understand why you saw red (green I believe you characterized it) because someone doesn't use antivirus software."

Note that I said

"and I'm going to assume you mean *all* security products when you say "anti-virus""

...all, meaning lots of the tools you listed and more besides. The clue that they likely don't use anything *besides* AV software is also the thing that would rather obviously make anyone involved in security see red:

"Anything at all can happen to my XP and I DON'T CARE."

Seriously, run that back to yourself in your head - *anything* can happen to her PC and she doesn't care?

On the basis of that statement, does that sound like something someone would say if they

a) had everything locked down - because if you DID have everything locked down, why would you be so flippant about something then happening to the machine, even allowing for reimaging? If you were locked down so well, how could (literally) "Anything" happen in the first place? She doesn't sound like she would be even remotely annoyed that her wonderfully layered defences had been steamrollered so badly that "anything" could happen.

or does it sound like they

b) had a totally wide open PC, falling back on a "magic bullet" reimage as if that solves everything?

This is a totally crazy statement for someone to make. And if they "DON'T CARE" (as they put it), and can be "done reinstalling in the hour" (which sort of refutes your idea that they use something to reimage in a few minutes), do you honestly think they bother installing HIPS, or spyware scanners, or registry checkers, or firewalls, anything else at all for that matter?

Nah, of course they don't.

But you know, an awful lot of damage can be done from an infected machine in an hour, which is the time they cite as their usual reinstall routine.

And it only takes seconds to steal banking data and / or login details for various websites and services, or harvest your email contact list, or any other of a number of things.

The rant stands, I'm afraid.


"If they do most Microsoft security patches and perhaps use the Proxomitron, Firefox or Opera instead of IE and practice safe computing then they probably don't need an antivirus other than an on demand scanner for scanning files they download or scanning email attachments (but most likely all their email is already stringently scanned, both outgoing and incoming, by their ISP)."

Hilarious. When did ISPs suddenly get all stringent on their email scanning? ISPs are USELESS in terms of scanning emails at the gateway; that's pretty much why we're currently buried beneath a mountain of spam mails every single day.

One in 28 emails in India is infected.

ONE SINGLE SURGE in the Stormworm was responsible for the August 15 outburst, which involved the distribution of 600,000 Trojans in only 24 hours, and junk levels increased on August 17 by more than 30 per cent.

And that's from one single freaking infection.

Don't get me started on the "myth" of Firefox and Opera security either; there are plenty....plenty.....of infections and hijacks that exploit those browsers.

"Responsible computing is more effective (don't visit porn or gambling sites for one thing)."

LOL.

The old faithful "don't go to porn and gambling sites" routine.

That's funny, considering the majority of gambling sites out there are legit, and the porn industry has spent the longest time driving out spyware hijacks from their industry when they realised it was starting to kill it.

Don't you see the daily reports of TOTALLY INNOCENT SITES being hacked and used for drivebys?

Colleges, government sites, hospitals, kids sites, gaming sites - you name it, they hack it and use it to try and hijack you.

THAT'S where all the hijacking action is.

Reciting the mantra about "no porn and gambling = safe computing" is a dangerous, outdated fallacy.

"I have had only one virus (stealth boot) in more than eight years of having computers and that was the first year when I did not know that a new store bought blank floppy could have a virus on it and did not scan it."

That's great, but there are something like 1.8 MILLION people currently in the Stormworm botnet, and they ended up there merely by clicking a link saying "download this" from a spam email that their "stringent" ISP completely missed (despite all of these mails following a fairly generic and easy-to-spot pattern), then downloading the EXE, then double-clicking it after it sat on their desktop to run it.

You don't sound anything LIKE the individual in that forum post. In fact, you come scarily close to something one of the other forum posters noted:

"I have heard people running without AV quite happily and safely but they're not 'normal' and do stuff like browse the web with all scripting turned off (rendering most sites inoperable), sandbox ie or ff all the time, run in virtual machines, etc, and still have a good hardware security gateway such as Astaro's."

That does NOT sound like a description of the individual claiming they "don't care".


I can just as easily claim "I don't care" because I do have my defenses. They just aren't AV necessarily.

I don't use NoScript for Firefox but everyone I hang with does. I don't find it necessary but they think I and everyone should use it. But they don't use the Proxomitron or ProcessGuard which, if I did somehow get a nasty, would not allow it to start. Heck, I even have IE tied down so it can't start without my express permission. It started up one day all on its own (I seldom use it ...I am a Fx and Opera user) and to my amazement took itself over to WU and was busily trying to download WGA when I stopped it. After that, I decided IE had to be tied down as I don't have WGA (I have a legit OEM install of XP Pro SP2 ...I just don't appreciate Microsoft calling me a thief when I am not, so I don't use WU/MU and get my patches directly from the MS Download site). Anyhow, if I did get a nasty, ProcessGuard would stop it from starting and ask me what to do. That sort of control is very effective.

I also don't run as a limited user, but maybe this person we are talking about does. That too is quite effective in stopping malware infections. I don't understand why the use of AV such as the best (Kaspersky) is so heavily promoted here. Kaspersky 2006 and 2007 cause irreparable damage to chkdsk even when you are just doing a trial of the software. Microsoft has recently slapped Kaspersky for their reckless and unauthorized use of Object Identifiers in their iSwift technology, as this is the cause of the damage to my, and others', computers, and Microsoft has stated publicly that Kaspersky had no business doing this.

So, you feel that users should use an AV (and if you are going to use one you want the best in detection and that is Kaspersky) even though it will permanently damage their computer? Reimaging/cloning doesn't fix the Kaspersky damage. A reformat is the only current solution (or a complicated fix that has been proposed by some users at dslreports but that has drawbacks). I just read a post at GRC Newsgroups on this blog and the person said they have Kaspersky, with the chkdsk damage, and they have been thinking of doing the very thing this person you are calling so irresponsible is doing. This particular poster at GRC NGs is a highly knowledgeable computer user. I don't think we can assume all that has been assumed about this "irresponsible" user or other users who might do the same.

As for ISPs checking email, my ISP, Road Runner, is SO STRICT that I was unable to receive Microsoft TechNet Bulletins for several years because ONE RR user complained to RR Abuse that someone signed them up without their permission for the TechNet Bulletins. Road Runner immediately blocked ALL email from ALL Microsoft domains to all RR users. Road Runner didn't bother to notify those of us who had been receiving the bulletins for years and then suddenly didn't get them. It was a big mess all because of a way over-eager abuse department at RR. It was years before I, working with Microsoft, finally was able to get RR to allow mail again from Microsoft.

I wish that Road Runner would stay the heck away from my email. I also have had a MyRealbox email account since MyRealbox came into existence many years ago. I can't receive ANY mail from MyRealbox in a Road Runner email account. MyRealbox has a lot of spam. I will deal with the spam. I don't want my ISP blocking email to me because they think it is spam (much less blocking all email from MyRealbox users). It is MY decision what is spam and what is not. I can't send an email from myself at my MyRealbox address to my RR email address. It is blocked by RR Abuse. I don't pay my ISP to interfere with my email. I am not sending myself spam! I can deal with spam myself.

My ISP has no business interfering with my receiving email from Microsoft or a true spammer. My ISP checks all outgoing mail as well as incoming with Symantec corporate. That means that if I want to send a sample of a virus to someone for research purposes, I have to password protect the attachment and I have heard rumours that Road Runner is going to start dropping all attachments that are password protected! That would be infuriating! My ISP has no business doing anything other than giving me the connection close to advertised speed. That is it. They should keep their judgemental nose out of the rest of my business.

I'm aware that there are a great number of idiots who open all email and stupidly install stuff linked in spam email. But if they practiced safe hex this would not happen. No preview pane in Outlook Express; never open any email from anyone you don't know (if you absolutely have to check it, do so from the properties tab so that you are not actually opening the email and thus letting the spammers know they have a live address); always, without exception, delete any and all attachments without opening that you are not expressly expecting, and for those, always download to disk and scan with your AV before opening. Simple rules like these will eliminate almost all threats of getting infected.


"I don't think we can assume all that has been assumed about this "irresponsible" user or other users who might do the same."

...yet I keep seeing people *assuming* they actually are using some sort of imaging tool which takes "minutes", even though the full post clearly states that it takes them an "hour of their day" to do, and (elsewhere in the same post):

"all you have to do to 'fix' is reinstall onto C, and an hour later you have a fresh new copy and you are good to go."

I mean, that's some pretty crappy imaging tool they're using if that's the case. And the fact remains: if they really DON'T care about "what happens", and they're NOT running anything on the PC, then that infected PC can do a whole lot of damage to both the PC owner and the victims on the other side in that hour.

There is nothing in that post to suggest anything other than they're running the PC as a "magic bullet". At least one other poster on the forum raised this as a possibility too, so I don't think I'm just imagining this. I've seen this kind of post, and this kind of attitude, expressed in EXACTLY that sort of way, too many times. If that *isn't* the case, they didn't do a particularly good job of conveying that. They did, however, seem to be incredibly excited about making dinner for their kids. So there's that I guess.


"There is nothing in that post to suggest anything other than they're running the PC as a "magic bullet"."

And you know, whether or not the specific poster in question actually DOES run these tools or not is kind of irrelevant to the main thrust of the discussion, which is an extremely interesting one: do people actually rely on backups and wipes and reimages to the extent that they simply don't bother with any sort of security best practices?

In that sense, I see the person that sparked this debate as more of a starting point than the eventual destination. These are still questions that need to be asked, and ultimately *something* needs to spark a debate such as this, or else nothing would at all and we'd all be the poorer for it. Thanks for making me think about something I hadn't considered previously.


Commenting by HaloScan