Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

More on the necessity of antivirus software


A few days ago, I wrote a brief post about my non-use of antivirus software on my own computers. A number of people have asked me privately if I am recommending such a stance to other individuals or to organizations. Let me be perfectly clear: absolutely not. For the vast majority of folks, the four important steps to protect your PC still hold:

  1. Run the Windows Firewall
  2. Keep Windows and your applications up-to-date
  3. Use current antivirus software
  4. Use current antispyware

These are good recommendations for organizations, as well.

But as I've talked about many times in the past, security decisions always involve tradeoffs. They also (should) involve an intimate understanding of what the users will be doing with their computers. Fact is, most individuals who are not full-time security professionals often make mistakes when trying to decide whether something is legitimate -- witness the ongoing success of phishing and 419 scams. And organizations, unless they run highly locked-down environments, often can't know everything their users are doing.

As I said in the previous post, anti-malware is not useless. It is a necessary element in your suite of defensive technologies to help keep the bad guys at bay. In my post I'm simply explaining a personal tradeoff I've made on my own machines at home--that by not running as admin (which I didn't mention before), by using UAC, by relying on the firewall, and by training my family--I have made the decision not to use anti-malware.
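An added example, not from the original post: a read-only PowerShell audit of the four steps listed above plus the two compensating controls mentioned here (a non-admin day-to-day account and UAC). It assumes Windows 8 / Server 2012 or later for Get-NetFirewallProfile, a client SKU for the root/SecurityCenter2 namespace, and that it is run from the everyday, non-elevated session so the admin check reflects what that account actually runs with.

```powershell
# Added example (not the author's code). Run un-elevated as your day-to-day user.
# Returns a list of findings; an empty list means every check passed.
function Test-PcBaseline {
    $findings = @()

    # 1. Windows Firewall: every profile (Domain/Private/Public) should be on.
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
    if ($off) { $findings += "Firewall disabled for profile(s): $($off.Name -join ', ')" }

    # 2. Updates: Automatic Updates should download and install (NotificationLevel 4).
    $au = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    if ($au.NotificationLevel -ne 4) {
        $findings += "Automatic Updates not set to install (NotificationLevel $($au.NotificationLevel))"
    }

    # 3 and 4. Antivirus and antispyware as registered with Security Center.
    # productState is an undocumented bit field; the commonly used decoding is
    # bit 0x1000 set = real-time protection on, bit 0x10 set = signatures out of date.
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class `
                                    -ErrorAction SilentlyContinue
        if (-not $products) { $findings += "No $class registered with Security Center"; continue }
        foreach ($p in $products) {
            $state = [int]$p.productState
            if (-not ($state -band 0x1000)) { $findings += "$($p.displayName): real-time protection off" }
            if ($state -band 0x10)          { $findings += "$($p.displayName): signatures out of date" }
        }
    }

    # Compensating controls from the post: not running as admin, and UAC enabled.
    # Un-elevated, IsInRole reports the filtered token, i.e. what this session really has.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($isAdmin) { $findings += "Current session runs with administrator rights" }

    $uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    if ($uac -ne 1) { $findings += "UAC (EnableLUA) is disabled" }

    return $findings
}

$result = Test-PcBaseline
if ($result.Count -eq 0) { 'All baseline checks passed' } else { $result }
```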

So should you make the same tradeoff? Well, that depends. If you're asking me about your own use of your own personal computers at home, I can't answer that for you; you need to answer it yourself. Remember what I wrote: "I know what to click and what to skip, what to visit and what to avoid. I have control over what I choose to open, what I choose to load, and what I choose to run." Do you have similar self-control? :)

If you're the security administrator for an organization, you should not make this tradeoff. Again, remember what I wrote about my own self-control; I doubt that anyone could make such a statement for everyone in their organization! Antimalware definitely belongs on machines where users can store or transfer files:

  • client computers
  • email servers
  • file servers
  • SharePoint servers

The purpose of my earlier post was to spark a little discussion, to see what other opinions there might be. Some folks are doing the same thing I am, others always run anti-malware on every computer. Neither stance can be declared "right" or "wrong." It's simply a reflection that we all make tradeoffs, every day, when we decide how to manage and use our computers. And as I suspected, different folks make different tradeoffs, based on their own risk tolerance and experience. These are always good conversations to have.

Comments
  • May I point out that the statement that is being made is "where users store or transfer files," lest anyone not key in on that phrase that is being used.

    Because when you start looking into the 'best practices' for antivirus, you'll find that we're probably not setting them up as well as we should be with appropriate exclusions.

    This blog post here has a nice recap:

    What Anti-Virus scanning exclusions should be considered for system and servers? - Shaun Cassells at MyITForum.com:

    http://myitforum.com/cs2/blogs/scassells/archive/2007/05/14/what-anti-virus-scanning-exclusions-should-be-considered-for-system-and-servers.aspx

    And at the end of reading all those KBs you'll wonder what nook or cranny of a server is left that we SHOULD be scanning?

    Add to that the number of times a/v and anti-malware has accidentally cratered a server or two, and I can say I've seen more damage from a/v than I have from viruses.

    It's amazing to me that we don't trust "stealth updates" from Microsoft, but every hour on the hour my antivirus vendor has the potential to inflict change management on my network.

  • Wow! That's a pretty daunting list. Let me explain a bit more what I mean by "where users store or transfer files."

    Specifically, I mean that I view AV unnecessary on: domain controllers, RADIUS/DNS/DHCP servers, print servers, SQL Servers, SMS/MOM/WSUS/System Center servers, web servers -- and anything else not in my specific list of included servers. Users do not (typically!) have the ability to store files in these locations. Installing AV on these servers significantly increases your complexity and adds to your management burden, while providing you with no security benefit.

    If you think about where users can store or transfer files, then it makes perfect sense to limit server AV to my short list: email/Exchange servers and file/SharePoint servers. And one of the many cool things about Forefront Server Security is that it already knows which parts of those servers to scan and not to scan. So there's less configuration and maintenance work on the security administrator's part.

  • The only reason I have AV software installed on my computer is that there are several networks I connect to that require it. But I always have all the unnecessary features turned off, and leave the file monitor deactivated - unless I'm about to connect to a network that requires up to date AV software.

    I would never recommend this to anyone of my friends or family though!

  • I couldn't agree more. Your original post actually sparked me to write a post on my own blog- referencing yours- where I discussed some of the issues with antimalware and why it may be unnecessary for some. But, as you do here, I stressed that this is not the case for the vast majority of home PC users or corporate network users.

  • My experience with antivirus software is that it's generally intrusive and crappy. I feel that having it exposes me to more security issues than doing without.

    Furthermore, the very fact that antivirus software is necessary for less experienced users demonstrates a failure of OS vendors to deliver operating systems that don't easily become insecure. The very need for antivirus software is a shame.

  • Ok, I have a question in regards to the Microsoft Firewall and Norton. I have the Microsoft Firewall on and a Corporate Edition of Norton. But ever since I turned on the Microsoft Firewall I get a message that says "Norton Internet Worm Protection is turned off".

    Is there a need to be concerned?

    Is there a way to fix this?

    I am searching for all kinds of help.

    Thanks,

    Donna

  • Donna, unfortunately I can't help you with the Norton problem--I've never used any of those products. Have you contacted Symantec? That's about the only thing I can think of. Have you tried entering that error message in your favorite search engine? Maybe you'll find something that way.

  • Now it just sounds like elitist garbage.

    I don't run av, but it's not because I think I know what not to click but most other people don't.

    It's because AV software is pointless and useless.

  • Michael, I suppose if you think my position is "elitist," that's your opinion. However, you're making an overstatement.

    Anti-malware is just one of many many choices we all have when it comes to securing our systems. But before making any choices, we must first understand the risks each of us faces and also have a feel for our individual "risk tolerances."

    For example, I have long been recommending that folks not use account lockout, because it creates more risks than it alleviates, and you can satisfy the supposed threat by using long passphrases. Is it also "elitist garbage" not to use account lockout as well? Just because a security feature exists, does it have to be enabled or used?

    Nowhere have I said that avoiding anti-malware is something for everyone. I said that I don't use it on my own computers because I am addressing the malware threats in other ways. This is always an option, of course: for every threat, there are multiple mitigations.

  • STEVE, you are a strong military man, as I can say, because of your strong defence against the attackers of data; I give you a big salute. But in my own view, using an anti-virus programme is very important to protect our data against the attackers, because not all people have the kind of experience you have to go without anti-virus software. In my own view, non-professional computer users are strongly advised to use an anti-virus programme. Thanks so much, Steve boy.

  • Joe-- As I have repeatedly said, my own decision not to use anti-malware on my computers is not a recommendation that I'm making for everyone. Because many people have asked me, I decided to write about my own decision, for my own machines. There's absolutely nothing wrong with continuing to use anti-malware software if you want to. Just like I believe it's wrong to state that anti-malware should never be used by anyone, it's also wrong to state that anti-malware should always be used everywhere by everyone. Security decisions must descend from individual risk analyses, never from reading someone else's list of "best practices."

  • TheGoldFish.net Blog » Blog Archive » No Server-Side AV: http://blog.thegoldfish.net/no-server-side-av

  • Have you ever tried feeding something you wrote into an online language translator, then doing it a second