Antivirus software -- who needs it?

In the newsgroups a few weeks ago, someone asked about which anti-virus software is best for experts. This is a really curious question. I've been involved in computer security -- as a practitioner, a consultant, and an instructor/speaker -- for several years. I feel fairly confident in calling myself an expert. I don't run anti-malware on any of my own computers. Why not? It's simple: I know what to click and what to skip, what to visit and what to avoid. I have control over what I choose to open, what I choose to load, and what I choose to run. And yeah, before the question arises, every four months or so I run a scan, and I've never gotten infected with anything.

Now don't think that I run totally naked (the other residents of my house probably would object, and I shudder to imagine how hot the laptop would feel then, haha). Because there's no way to control what someone else might throw at my Ethernet port, I do run the Windows firewall. I also run with UAC enabled because I want IE's protected mode, but I configure the policy to elevate without prompting.

Am I saying that anti-malware is useless? Absolutely not. In many instances, and for many people, it's still necessary. But we can't ignore the fact that malware is getting more sophisticated. Nor can we ignore the fact that, as I have this conversation with other security experts and similarly-minded folk, I often ask this question: "When's the last time your antivirus or antispyware detected anything?" Invariably, the answer is, "Never."

Published 22 September 07 09:14 by Steve Riley

Comments

# Aaron Margosis said on September 23, 2007 12:29 AM:

And even when AV might offer value, is it worth it to run it if the AV software requires that you run as admin? (Short answer: hell no!) I wrote this a bit over a year ago:

http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx

# Justin Ho said on September 23, 2007 1:51 AM:

Agreed.

Don't run as admin and surf the web. Antivirus won't do anything for you, no matter how up-to-date it is, if you click on every single link and run every application you download.

# Remo said on September 23, 2007 8:18 AM:

How can I configure UAC to elevate without prompting?

Please help, Thank you

# Peder Vendelbo Mikkelsen said on September 23, 2007 9:46 AM:

Remo, check out the documentation on technet2:

Windows Vista User Account Control Step by Step Guide

http://technet2.microsoft.com/WindowsVista/en/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d91033.mspx
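The Step by Step Guide above covers the policy settings; as an added example that is not from the post, the linked documentation, or any commenter, the read-only PowerShell audit below reports the UAC settings the post describes (UAC left on so IE Protected Mode keeps working, with the administrator elevation prompt set to elevate without prompting) and whether the current session already holds an elevated administrator token. It assumes a Windows host; the registry path and the value names `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` are Microsoft's documented UAC policy values, and value 5 for the admin prompt only exists on Windows 7 and later.

```powershell
# Added example (not the post's or the documentation's own script): read-only
# audit of the UAC policy values and of the current session's token.
# Assumed: Windows host; the policy key below is the documented UAC location.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (elevation prompt for admins).
$adminPromptMeaning = @{
    0 = 'Elevate without prompting (the setting the post describes)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7+ default)'
}

function Get-UacPolicyReport {
    # Reading HKLM policy values does not itself require elevation.
    $props         = Get-ItemProperty -Path $uacKey
    $enableLua     = [int]$props.EnableLUA
    $consent       = [int]$props.ConsentPromptBehaviorAdmin
    $secureDesktop = [int]$props.PromptOnSecureDesktop

    [pscustomobject]@{
        UacEnabled            = ($enableLua -eq 1)
        AdminPromptBehavior   = $consent
        AdminPromptMeaning    = $adminPromptMeaning[$consent]
        SecureDesktopPrompts  = ($secureDesktop -eq 1)
        # IE Protected Mode depends on UAC being enabled, which is why the post
        # keeps EnableLUA on and changes only the prompt behaviour.
        ProtectedModePossible = ($enableLua -eq 1)
    }
}

function Test-SessionElevated {
    # True when the current token is a member of the built-in Administrators
    # role, i.e. the session is already running elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Get-UacPolicyReport | Format-List
"Current session elevated: $(Test-SessionElevated)"
```

A report showing `UacEnabled = False` means Protected Mode is off as well, and `AdminPromptBehavior = 0` combined with `Current session elevated: True` is the combination the post's own setup produces for an administrator account, so it is the one worth flagging on a shared machine.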

# Forest said on September 23, 2007 9:30 PM:

The point is well taken that malware's capability has outstripped AV software, but nonetheless I think you should always run AV - even software from reputable sources has been known to ship, inadvertently, with malware.

# The Gort said on September 24, 2007 3:53 PM:

Windows comes with malware included, even if you don't consider Windows to be malware. Install a fresh copy of Windows, then run Ad-Aware without connecting to the internet, and it will detect malware right away.

# Andy Dowling said on September 25, 2007 12:10 AM:

Agreed.

I find that running as a limited user offers plenty of protection when you know what to avoid, and software restriction policies give a little more peace of mind when sharing your system with others.

# cwoller said on September 25, 2007 9:02 AM:

> "When's the last time your antivirus or antispyware detected anything?" Invariably, the answer is, "Never."

Hey - you folks tell me from time to time that the fact that my antivirus won't find anything does *not* mean that there isn't anything...

With this in my mind, I don't understand the above question.

# Steve Riley on Security said on September 25, 2007 1:53 PM:

A few days ago, I wrote a brief post about my non-use of antivirus software on my own computers. A number

# Doug Woodall said on September 26, 2007 1:31 PM:

There are so many if's, and's or butt's if you are online nowadays and want to ensure your online safety.

I agree with steriley on the point that computer security products have created a huge market for themselves. Are they needed? Depends on your education I always say.

I never used anything, till,,,

I became a businessperson online. I quickly found as I moved about the net promoting my Biz that I was coming into contact with lots of threats. It became necessary to get a lil help if I wanted to get anything done.

So I started using an AntiVirus, AntiSpyware and a good Firewall, along with Firefox.

# Application Security Reviews at www.securasys.net said on September 27, 2007 4:31 PM:

Steve - I found your post interesting and while I don't necessarily agree, I do understand your point. I agree that AV is not a "silver bullet" in protecting against malware or worms, etc., but I feel it is definitely a compensating control and should not be removed from workstations.

It's true that threats are increasing in sophistication - issues like botnets and data compromises are growing at an alarming rate - but I feel that a blend of defenses is necessary. Security awareness is core, but there is always a need to create that layered approach to security. Firewalls, IDS, AV, HIDS, etc. are all building blocks of those defenses. A well-architected solution shouldn't be cumbersome but should complement the system you're using.

Jesse

www.securasys.net

Application Security Reviews, Ethical Hacking, Compliance Gap Analysis, Network Security

# AdamV said on October 2, 2007 3:38 PM:

' "When's the last time your antivirus or antispyware detected anything?" Invariably, the answer is, "Never." '

This is what I describe as using anti-virus to keep away the elephants:

http://veroblog.wordpress.com/2007/10/01/using-anti-virus-software-to-keep-the-elephants-away/

# Eric Kumar said on November 2, 2007 12:54 AM:

Hi Steve, just stumbled upon your blog via google search. Interesting post… so I stopped by to comment. I think AV software (or anti-malware software) is an essential component and one of the many “defense in depth” strategies in order to protect computers, no matter how secure the OS “seems” to be. In the end, OS or other security products are still software - which means they are buggy, breakable and penetrable. Always better to have a layered defense, one of the components being an AV software.

In spite of all protection, the average computer user is still fallible due to their own stupidity or intellectuality, widely because the average user does not take computer security seriously. I recently posted a blog entry about this on my blog. Please visit if you get a chance:

http://fightmalware.blogspot.com/2007/10/average-computer-user-and-computer.html

Regards,

Eric Kumar

# Steve Riley said on November 5, 2007 1:58 AM:

Ah, "defense in depth." Eric, please don't take this personally at all -- however, I hate that phrase! It's been so overused that it's lost its meaning. I avoid it now completely...

Anyway, back to the idea at hand. Anti-malware is just one of many many choices we all have when it comes to securing our systems. But before making any choices, we must first understand the risks each of us faces and also have a feel for our individual "risk tolerances."

Not every security feature is good. And not every feature needs to be used by everyone. For example, I have long been recommending that folks not use account lockout, because it creates more risks than it alleviates, and you can satisfy the supposed threat by using long passphrases. Just because a security feature exists, does it have to be enabled or used?

Nowhere have I said that avoiding anti-malware is good for everyone. I said that I don't use it on my own computers because I am addressing the malware threats in other ways. And, as I wrote, it's working for me: I've avoided infections in all my machines for as long as I've been in computing (hint: who remembers the S-100 bus? haha)

Remember this important fact: for every threat, there are multiple mitigations. What works for one person might not work for someone else. It all comes back to building your own risk profile and understanding which threats you are vulnerable to (and which you can ignore).

# Nick Brown said on November 11, 2007 5:27 PM:

I've been saying for years that anti-virus software is unnecessary.  Nice to hear it from a security professional. :)

# Steve Riley on Security said on February 13, 2008 12:45 PM:

By Steve Riley Senior Security Strategist Trustworthy Computing Group, Microsoft Corporation (originally
