Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Antivirus software -- who needs it?


In the newsgroups a few weeks ago, someone asked about which anti-virus software is best for experts. This is a really curious question. I've been involved in computer security -- as a practitioner, a consultant, and an instructor/speaker -- for several years. I feel fairly confident in calling myself an expert. I don't run anti-malware on any of my own computers. Why not? It's simple: I know what to click and what to skip, what to visit and what to avoid. I have control over what I choose to open, what I choose to load, and what I choose to run. And yeah, before the question arises, every four months or so I run a scan, and I've never gotten infected with anything.

Now don't think that I run totally naked (the other residents of my house probably would object, and I shudder to imagine how hot the laptop would feel then, haha). Because there's no way to control what someone else might throw at my Ethernet port, I do run the Windows firewall. I also run with UAC enabled because I want IE's protected mode, but I configure the policy to elevate without prompting.

Am I saying that anti-malware is useless? Absolutely not. In many instances, and for many people, it's still necessary. But we can't ignore the fact that malware is getting more sophisticated. Nor can we ignore the fact that, as I have this conversation with other security experts and similarly-minded folk, I often ask this question: "When's the last time your antivirus or antispyware detected anything?" Invariably, the answer is, "Never."

  • And even when AV might offer value, is it worth it to run it if the AV software requires that you run as admin? (Short answer: hell no! I wrote this a bit over a year ago:

  • Agreed.

    Don't run as admin and surf the web. Antivirus won't do anything for you, no matter how up-to-date it is, if you click on every single link and run every application you download.

  • How can I configure UAC to elevate without prompting?

    Please help, Thank you

  • Remo, check out the documentation on technet2:

    Windows Vista User Account Control Step by Step Guide
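    As an added example (not code from the original post, this commenter, or the linked guide), the read-only PowerShell audit below reads the registry values that the UAC elevation policies map to and flags the "elevate without prompting" setting the post describes; the registry path and value meanings are the documented Windows ones.

    ```powershell
    # Added example: audit the UAC elevation settings discussed in the post.
    # Read-only: it reports the current values and flags weak ones, it changes nothing.
    # Requires a Windows host; run from any PowerShell session (no elevation needed to read).
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path

    # Documented meanings of ConsentPromptBehaviorAdmin, i.e. the policy
    # "Behavior of the elevation prompt for administrators in Admin Approval Mode".
    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }

    # Missing values read as 0 here; on a default install all three are present.
    $enableLua = [int]$p.EnableLUA
    $admin     = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    "EnableLUA                  = $enableLua"
    "ConsentPromptBehaviorAdmin = $admin ($($adminBehavior[$admin]))"
    "PromptOnSecureDesktop      = $secure"

    $findings = @()
    if ($enableLua -ne 1) {
        # With UAC off there is no Admin Approval Mode, and IE Protected Mode
        # (the feature the post keeps UAC on for) is unavailable.
        $findings += 'UAC is disabled: no Admin Approval Mode and no IE Protected Mode.'
    }
    if ($admin -eq 0) {
        # This is the setting the post describes. Any program running in the
        # admin's filtered-token session can obtain the full token with no user
        # interaction, so the split token no longer acts as a consent gate.
        $findings += 'Admin elevation is silent (behavior 0): nothing asks the user before elevating.'
    }
    if ($secure -ne 1) {
        # Prompts on the normal desktop share it with other processes; the secure
        # desktop keeps the consent dialog isolated from them.
        $findings += 'Elevation prompts are not shown on the secure desktop.'
    }

    if ($findings) { $findings | ForEach-Object { "FINDING: $_" } }
    else           { 'No weak UAC elevation settings found.' }
    ```

    The same values are set through Group Policy under Security Options, so a finding here reflects whatever policy or local change last wrote them.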

  • The point is well taken that malware's capability has outstripped AV software, but nonetheless I think you should always run AV - even software from reputable sources has been known to ship, inadvertently, with malware.

  • Windows comes with malware included, even if you don't consider Windows to be malware. Install a fresh copy of Windows, then run Ad-Aware without connecting to the internet, and it will detect malware right away.

  • Agreed.

    I find that running as a limited user offers plenty of protection when you know what to avoid, and software restriction policies give a little more peace of mind when sharing your system with others.

  • > "When's the last time your antivirus or
    > antispyware detected anything?" Invariably,
    > the answer is, "Never."

    Hey - you folks tell me from time to time that the fact that my antivirus won't find anything does *not* mean that there isn't anything...

    With this in my mind, I don't understand the above question.

  • A few days ago, I wrote a brief post about my non-use of antivirus software on my own computers. A number

  • There are so many ifs, ands, or buts if you are online nowadays and want to ensure your online safety.

    I agree with steriley on the point that computer security products have created a huge market for themselves. Are they needed? Depends on your education I always say.

    I never used anything, till,,,

    I became a businessperson online. I quickly found as I moved about the net promoting my Biz that I was coming into contact with lots of threats. It became necessary to get a lil help if I wanted to get anything done.

    So I started using an AntiVirus, AntiSpyware and a good Firewall, along with Firefox.

  • Steve - I found your post interesting and while I don't necessarily agree, I do understand your point. I agree that AV is not a "silver bullet" in protecting against malware or worms, etc., but I feel it is definitely a compensating control and should not be removed from workstations.

    It's true that threats are increasing in sophistication - issues like botnets and data compromises are growing at an alarming rate - but I feel that a blend of defenses is necessary. Security awareness is core, but there is always a need to create that layered approach to security. Firewalls, IDS, AV, HIDS, etc. are all building blocks of those defenses. A well-architected solution shouldn't be cumbersome but should complement the system you're using.


    Application Security Reviews, Ethical Hacking, Compliance Gap Analysis, Network Security

  • ' "When's the last time your antivirus or antispyware detected anything?" Invariably, the answer is, "Never." '

    This is what I describe as using anti-virus to keep away the elephants:

  • Hi Steve, just stumbled upon your blog via google search. Interesting post… so I stopped by to comment. I think AV software (or anti-malware software) is an essential component and one of the many “defense in depth” strategies in order to protect computers, no matter how secure the OS “seems” to be. In the end, OS or other security products are still software - which means they are buggy, breakable and penetrable. Always better to have a layered defense, one of the components being an AV software.

    In spite of all protection, the average computer user is still fallible due to their own stupidity or intellectuality, widely because the average user does not take computer security seriously. I recently posted a blog entry about this on my blog. Please visit if you get a chance:


    Eric Kumar

  • Ah, "defense in depth." Eric, please don't take this personally at all -- however, I hate that phrase! It's been so overused that it's lost its meaning. I avoid it now completely...

    Anyway, back to the idea at hand. Anti-malware is just one of many many choices we all have when it comes to securing our systems. But before making any choices, we must first understand the risks each of us faces and also have a feel for our individual "risk tolerances."

    Not every security feature is good. And not every feature needs to be used by everyone. For example, I have long been recommending that folks not use account lockout, because it creates more risks than it alleviates, and you can satisfy the supposed threat by using long passphrases. Just because a security feature exists, does it have to be enabled or used?

    Nowhere have I said that avoiding anti-malware is good for everyone. I said that I don't use it on my own computers because I am addressing the malware threats in other ways. And, as I wrote, it's working for me: I've avoided infections in all my machines for as long as I've been in computing (hint: who remembers the S-100 bus? haha)

    Remember this important fact: for every threat, there are multiple mitigations. What works for one person might not work for someone else. It all comes back to building your own risk profile and understanding which threats you are vulnerable to (and which you can ignore).

  • I've been saying for years that anti-virus software is unnecessary.  Nice to hear it from a security professional. :)
