Do you really need antivirus software?

Do you really need antivirus software?

Summary: Do you need antivirus software on your PC? If you're not sure of the answer to that question, then the short answer is yes. The longer answer is that security software is only one piece of what should be a simple, straightforward, and systematic approach to your PC's health. Here's my seven-step program.

SHARE:

Do you need antivirus software on your PC?

If you're not sure of the answer to that question, then the short answer is yes. The longer answer is that security software is only one piece of what should be a simple, straightforward, and systematic approach to your PC's health. I'll outline my recommendations in this post. If you're visiting the family over the holidays, you might want to take my list along with you.

But first, let me rant a bit. It's no secret that I dislike the security software industry. In one of my very first posts here, nearly four years ago, I called it a "protection racket" and said, "I can already see the beginnings of an 'arms war' among security software companies, with ads and whisper campaigns based on fear." Back in 2005, I wrote a post arguing, "The security software industry wants you to be afraid."

I have deeply mixed feelings about antivirus software, especially when it's part of a big security suite that tries to protect you from every imaginable form of online threat. The companies that sell you that software have an interest in keeping you afraid, and so they publish countless studies proving how dangerous the online world is.

They also have a vested interest in proving that you haven't wasted your subscription dollars on their product, so they need to occasionally (or continually) pop up messages and alerts and reminders to show you exactly which threats they've blocked. Even when those "threats" are trivial or nonexistent.

Just how dangerous is it out there? Here's what you need to know:

  • No computing environment is immune. Every platform can be exploited by an attacker. This month's Mac OS X v10.6.5 and Security Update 2010-007 included well over 100 fixes to critical security vulnerabilities, many of which could lead to arbitrary code execution. These are exactly the same types of vulnerabilities that Windows malware writers take advantage of. Fortunately for Mac (and Linux) users, their worldwide market share is small enough that malware writers simply haven't bothered with them. If you use OS X on a Mac, I don't think you need to install security software, but that recommendation could change someday if Apple's platform continues to grow in popularity and attracts enough attention from bad guys.
  • Good behavior alone is not enough to protect you from attacks. Visiting porn sites and downloading pirated software puts you at a much higher risk of infection, but even legitimate web sites can be compromised, and seemingly innocent results in a search engine can lead to hostile sites.
  • Antivirus software is one layer among several. Depending on the type of threat, it can be very helpful, even if you consider yourself an expert PC user. But it is not a magic bullet, and it is no replacement for a well-rounded approach to security.
  • No antivirus software is perfect. It is literally impossible for any security product to identify every possible threat, especially when malware writers are constantly updating their products to avoid detection. Most of the leading antivirus programs can identify and block the overwhelming majority of threats you're likely to encounter online. The fact that they can't reach 100% protection is why security software is only one part of a layered security strategy.
  • Many types of malware are installed voluntarily. Among the most common threats are Trojans, which spread via social engineering. The job of a malware writer is to convince you to run his innocent-sounding program, which secretly does something other than its stated purpose. It might claim to be a new video playback plugin (like the one I saw last week) but actually turns out to be a program that hides on your PC and steals passwords or sends spam. Social engineering explains how an entire class of malicious fake antivirus programs made it onto the top 10 malware list for the first half of this year.
  • Malware writers make their living exploiting unpatched systems. One of the top 10 threats found and removed from Windows PCs in the first half of this year was Win32/Conficker. The vulnerability that Conficker exploits was blocked by a Microsoft patch released in October 2008. In fact, that's true of most of the top PC malware variants found in the wild. Four of the entries on the top 10 list for 2010 are based on vulnerabilities that were identified and patched in 2007 or 2008, and none of the others could have been installed without explicit user interaction on a fully updated copy of Windows.
  • It's not just Windows that needs patching. Some of the most effective malware vectors these days are coming through vulnerabilities in products like Adobe Flash and Reader, in the Java runtime, and in Microsoft Office. In most cases, the vulnerabilities were patched quickly by the software maker, but if you didn't apply that update, you remain vulnerable. Ironically, most of these exploited programs are cross-platform; in theory, malware authors can add code to their PDF or Java exploits that target Macs or Linux PCs. So far, they haven't done that. 
  • Attacks via zero-day exploits are rare. Zero-day exploits get a lot of publicity, but they rarely have a widespread impact. The worst variants of these attacks are the ones aimed at specific companies, like the targeted wave of attacks against Adobe, Google, and other high-profile companies in early 2010. And even those only succeeded because they exploited unpatched systems using an outdated browser.

So how do you protect your PC online?

Page 2: My 7-point security regimen -->

<-- Previous page

If you want your Windows PC to be secure, here are the essential steps.

  1. Use a modern operating system. Sorry, folks—Windows XP simply isn't secure enough for ordinary people to use today. It was designed more than 10 years ago, and it lacks many of the core architectural changes that make later Windows versions more resistant to attacks. Address Space Layout Randomization and Data Execution Prevention are core features that block some classes of exploits completely. File and registry virtualization (a key part of the much-maligned and misunderstood User Account Control feature) prevents hostile programs from writing to system folders. Removable drive exploits, which have represented a very common vector for spreading malware recently, do not affect Windows 7.
  2. Keep your OS up to date and backed up. Turn on Windows Update and make sure it's running properly. That single step will protect you from virtually all widespread malware attacks these days. If you're worried about a buggy update hosing your system (highly unlikely, but theoretically possible) make sure you have a full image backup on hand. Every version of Windows 7 allows you to perform a full image backup to an external hard drive; if you schedule that operation for the day before Patch Tuesday every month (or better yet, for every Monday), you'll be able to recover from any kind of problem. Oh, and leave the Windows Firewall turned on unless you've replaced it with a third-party alternative.
  3. Keep applications updated also. Adobe has greatly improved its updaters in the past year. If you're prompted to update to a new version of Flash or Reader, do it. Microsoft Office updates are delivered automatically through Microsoft Update; make sure that those are being installed as well. Remove unwanted programs that could represent a security threat. Many new PCs come with Java installed automatically. If you don't use it, remove it.
  4. Be suspicious of any new software. As I noted on the previous page, malware authors count on tricking you into installing software that claims to do one thing but actually takes over your system, stealing passwords or adding your system to a worldwide botnet. If you're not sure a program is safe, don't install it.
  5. Set up standard (non-administrator) accounts for unsophisticated users. That category includes kids, parents, employees, and all of your non-geek friends and family members. With a standard account a user needs to talk to you (and convince you to enter the administrator's password) before installing any new software. That conversation is an ideal opportunity to teach your family members and employees about the warning signs of potentially dangerous programs. (This is another good reason to upgrade from Windows XP, by the way, where running with a standard account is difficult because of badly written programs that require administrator rights; both Vista and Windows 7 do a better job of allowing those programs to run without compromising the integrity of the system.)
  6. Use a modern browser. If you're still using Windows XP and Internet Explorer 6, stop it. I think IE8 is a good alternative, especially when coupled with Protected Mode (a security feature in Windows Vista and Windows 7). If you prefer to avoid IE altogether, that's fine with me. As I argued earlier this year, "[T]here are several good reasons to prefer alternative browsers such as Firefox or Google Chrome to any version of Internet Explorer. For starters, both Mozilla and Google have generally been faster at releasing updates to security issues than Microsoft."
  7. Install an antivirus program and keep it up to date. There are plenty of effective programs in this category that can run with a minimum of chatter and will block the overwhelming majority of threats. I recommend the free Microsoft Security Essentials, which is available for download or as an optional update on systems where Windows does not detect an antivirus program. If you prefer an alternative program, paid or otherwise, be my guest. Just don't let its subscription lapse.

And one final word: Don't be paranoid. Common sense and the good practices I outlined above will offer excellent protection for any consumer PC and leave you free to work and play in comfort.

Topics: Windows, Hardware, Malware, Operating Systems, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

197 comments
Log in or register to join the discussion
  • RE: Do you really need antivirus software?

    Personally I consider antivirus software to be more of a safety net - IMHO using common sense is the best deterrent to getting any sort of virus. I'm good about keeping things up to date and I tend to leave the pirated stuff and porn alone and to me that is simply common sense as is having antivirus, ad blockers, and flash blockers installed.
    athynz
    • I agree, it is a safety net

      @athynz
      AV isn't a security tool. If your AV catches anything, it means your security has FAILED, just like falling off a high wire means your training has FAILED. In both cases, it is nice to have something that might catch you.
      NonZealot
      • RE: Do you really need antivirus software?

        @NonZealot Not necessarily. If you stumble across malware on a normally good website and AV catches you trying to download something bad, then which security measure has failed?

        No security measure I know of other than AV prevents you from downloading malware.

        "just like falling off a high wire means your training has FAILED."

        Umm, no. Ask anybody who's done the high wire, they're human, stuff happens. There's a safety net underneath them for a reason.
        CobraA1
      • Not a security tool?

        @NonZealot <br><br>I'm not sure what you are defining as security, but from what I know, security occurs prior to and subsequent to a possible breach, if necessary. Security guards don't just say: "Dang. Well, the crook got in already. Nothing to do now." But they try to find the culprit even after entry.<br><br>Then they work to prevent the same and more in the future.
        PlayFair
      • Way to show your ignorance.

        @NonZealot... Many AV program will catch a known threat before it even enters your system, as many monitor active browser sessions. On my home machines, I very rarely get a notification, of course I do have predictable browsing habits, coupled with using Chrome or FF with extensions that block flash based ads, IE fails in this regard.

        I am also smart enough to know that if a video prompts me to update my flash player, to go directly to adobe for the update, if it still tries to get me to update, I know the video is phony and is only there to try to get people to voluntarily hijack their computer.

        For my security at home, I am using Microsoft Security Essentials and Windows Firewall. Seems to do a fair enough job, and not at the expense of system resources.

        Windows of course is set to update itself, which includes IE, MSE, and all of Microsofts Software. Chrome does a nice job of updating everything it needs including the flash player. Adobe does a good job of notifying me on the updates it needs.
        Snooki_smoosh_smoosh
      • RE: Do you really need antivirus software?

        @NonZealot

        You can't be serious. You're trying to tell us that you have the ability - through nothing more than using "best practices" - to eliminate the threat of malicious code and other exploits?

        You're nuts.
        trickytom3
      • RE: Do you really need antivirus software?

        @NonZealot , up the ante, use OPENDNS and siteadvisor, so that you cannot even browse to most dodgy sites. Suprised that this is not even one of the 7 steps, seems very worthwhile to me.
        ukbrown
      • failed

        @Zealot ((( "If your AV catches anything, it means your security has FAILED..." )))

        It also means you aren't running OS X.
        buddhistMonkey
    • RE: Do you really need antivirus software?

      @athynz honestly, I don't even think of it as a safety-net. I am speaking from an enterprise POV. The worst bad-ware is the newest - the stuff that none of the security firms have figured out or even heard of (not just zero-day, but new ways to exploit old weaknesses). And it basically boils down to bad habits. Bringing USB flash drives from home. Believing you'll get a free Xbox by clicking a link. Believing that your enterprise computer is unprotected from viruses. Or trying to update your Flash just because a website says you're out-of-date.

      People do this to themselves, and then get angry at me (us) when they have a virus. Security firms live off this fear, not off effectiveness (by and large).

      My company is moving to managed desktops, just to be sure that patches are implemented, and they will be locking out USB flash drives soon. But honestly, there is no way to protect most people, short of disallowing the internet OR teaching everyone in the world how to use common sense in avoiding viruses. Neither of these options is very practical.

      My daughter, bless her heart, has a talent for finding the newest exploits and installing them. Makes me very thankful for home servers.
      WookieFan
      • The worst is...

        The one(s) that gets through. Presuming these will be the newest is base naivety.
        zkiwi
      • The Newest Are More Likely

        @zkiwi
        What you're saying isn't really at odds with what WookieFan is saying. He is just pointing out that the same ones you'll be protected from by keeping up-to-date are the ones that anti-virus will catch. The newest ones won't get caught by anti-virus. It's not that old ones can't get through. It's just that the odds are better that new ones will.

        Of course, if you're willing to download and install malware yourself, then it won't matter much how old it is.
        CFWhitman
      • RE: Do you really need antivirus software?

        @WookieFan I understand where you are coming from - fortunately I support a very small user base as a side for my own job and really it's more like residential use as we do not have an enterprise system (very small office) so usually by the time something comes down the pike for us most AV software companies have figured how to block it... and fortunately for me the users have common sense which makes my job much easier than most... :-)
        athynz
    • knowledge gap

      Its a shame Ed earns money by spouting about things he is clearly clueless about. Where he does know stuff it seems to make sense but security is not his strong suit.<br><br>While claiming to distrust antivirus companies he then re-iterates some of the popular misconceptions they try hard to perpetuate. Perhaps his experiments with using a Mac platform might open his eyes to some truths.<br><br>While Windows dominates on the desktop it cannot make any headway in Server Markets because it is inherently unsafe and unstable as keeps being proven. While it is fine to have to reboot a desktop once a day or more this is not ok for servers. Linux and other unix-based platforms are used on servers precisely because they are inherently safer and more robust than Windows systems.<br><br>If you were a virus writer do you think you would want the fame and kudos of writing something that just infected a few desktops or would bringing down massive servers and crippling the entire internet be more enticing? Yet we almost never hear about large chunks of the internet being brought down by anything, not viruses, not other malware. We sometimes hear of a couple of machines suffering under large-scale concentrated and highly skilful attacks but these are usually dealt with quite fast. Faster than getting rid of malware on a few desktop machines.<br><br>So, if all Operating Systems are equally vulnerable, then why don't we hear of servers going down, why do we only hear of desktops getting crippled? Think about it.<br>Regards from<br>Tom <img border="0" src="http://www.cnet.com/i/mb/emoticons/happy.gif" alt="happy">
      Tom6
      • RE: Do you really need antivirus software?

        @Tom6: <i>"So, if all Operating Systems are equally vulnerable, then why don't we hear of servers going down, why do we only hear of desktops getting crippled? Think about it."</i>

        Because desktops are mostly maintained by kids and granny's and by non-tech savvy types, while servers are mostly maintained by IT professionals/admins who are at risk of losing there job if they fail securing their servers.

        So logically, a desktop secured by a non-tech savvy type is more vulnerable than a server being maintained by Professional IT admins.
        Martmarty
      • RE: Do you really need antivirus software?

        @Tom6,

        Why do you have to be insulting? Ok, so here it is. Servers are not at as much at risk because:

        1. They are usually behind a very restricted firewall, unless they are a webserver. Even then, every port besides 80 and 443 are locked down. Other ports that might use webservices are only allowed access to a certain range of IP addresses.

        2. Installation of programs are planned, and the applications that are installed are well vetted.

        3. Access to install programs on servers is very limited.

        "While Windows dominates on the desktop it cannot make any headway in Server Markets because it is inherently unsafe and unstable as keeps being proven."

        What are you talking about?

        Link:
        http://www.zdnet.com/blog/microsoft/behind-the-idc-data-windows-still-no-1-in-server-operating-systems/5408

        This shows Windows Servers at about 73.9% of server share in terms of dollars. Now the Linux guys will say, "That's because Linux is free". Noted. But you're saying that Windows hasn't gained any traction in the server market? Give me break.
        bmonsterman
      • RE: Do you really need antivirus software?

        @Tom6<br>Servers generally have more capable administrators than the home computer. Even if that were not strictly the case, for the administrators security is the job and why they get paid. For the home user being an administrator is friction and cost.<br><br>Servers are also passive. They don't decide to download a poisoned cat video because a Facebook friend linked it.<br><br>They are also isolated and have minimized the threat posed by physical access.<br><br>I guess you are bristling that Windows gets some sort of pass for security issues because of its popularity. Or that Linux and OS X are given back-handed compliments. (Yeah, no one's breaking in, but that's because no one uses them.)<br><br>Stop it. Doesn't matter. Operating systems are a lower layer to the real functionality, as manifest by the applications we use. Security is a cost and is offset manifold by the benefits of the entire stack we use. Problem appears? Patch it please, because wiping the machine and using Linux, re-training our workers, re-sourcing our applications, performing ports, etc., while doable, is not how we want to utilize our resources.<br><br>All the modern operating systems are better than their predecessors five years back. They will be better still in the future, though not as rapidly, because "security" is an asymptote.<br><br>And the real weak spots are higher up in the stack, in the software, and vulnerability will still exist via the inescapable vector of a user connecting with a strange computer somewhere out there.
        DannyO_0x98
    • Security

      People that are serious about running secure, robust systems (such as people running large-scale servers) use linux or other unix-based systems. Well over 60% of the top 500 supercomputers run on linux.<br><br>People that want to make a fuss and don't mind suffering a bit when it goes wrong run Windows. Less than 1% of the worlds top 500 supercomputers run WIndows. Why?<br><br>Why is it only Windows desktops that get taken down so often by security issues? Surely malware writers would be more interested in taking down vast chunks of the internet rather than just a few old desktops?<br><br>Yes, with Windows you need to take Ed's advice but with linux most of this sort of stuff is built-in. For example updating the system and then separately going through each app and driver to update them separately is insane. Linux updates everything in one go and also does that more politely. <br><br>With linux you don't have to block people from making use of the machine in order to keep them safe. Users can often install programs themselves without having to call for some SuperUser Administrator to do it for them. Since programs are NOT run as Root/SuperUser/Administrator in linux the system remains safe. It is possible (easily) to totally lock-down a system so certain users can do almost nothing but unlike Windows there are many intermediate steps which can give certain users access to certain devices and systems but not others and this can be easily set-up on a per-user basis. <br><br>There is a story about a doctor performing something fairly crucial by remote where Windows suddenly decided it's updates were more important and then forced a reboot despite being told not to. Linux doesn't automatically assume it is more important than the tasks the user is doing. It lets you know that a reboot is required to bring the updates online and then sits back allowing you to choose when YOU want to reboot. So, if you are stuck in the middle of brain surgery (it wasn't brain surgery in the recent story) you wouldn't have to wait 15mins for the machine to sort itself out.<br>Regards from<br>Tom <img border="0" src="http://www.cnet.com/i/mb/emoticons/happy.gif" alt="happy">
      Tom6
      • As been said tens of thousands of times: Market Share.

        @Tom6: [i]Why is it only Windows desktops that get taken down so often by security issues?[/i]

        You're welcome.

        [i]Since programs are NOT run as Root/SuperUser/Administrator in linux the system remains safe.[/i]

        They are if you're running them as Root/SuperUser/Administrator.

        [i]There is a story about a doctor performing something fairly crucial by remote where Windows suddenly decided it's updates were more important and then forced a reboot despite being told not to.[/i]

        The only existence of this story is right here in your post. I was unable to find a reference otherwise. Perhaps you can provide a reference?

        Like it or not Linux and Windows are very similar in their security design.
        ye
      • Closer Than They Used to Be

        @ye<br>The market share myth has been disproved in a few different cases. For example, Apache grew to a much greater market share than Microsoft IIS. However, even after this happened, IIS still had many more worms running rampant across the Internet. Another example: Sendmail has taken a lot of abuse among Unix/Linux administrators for it's many security exploits. However, the last I looked, Sendmail, the security embarrassment of the Unix community, still had fewer exploits than Exchange, though it's been around longer.<br><br>Recently, in general, Windows has gotten a lot more secure than it used to be. It's much more like Unix and Linux than it was. However, there are still a couple of legacy issues that Windows has to deal with which damage its security model.<br><br>One issue is that it's still much more convenient to run Windows with administrative privileges always available than it is to run it as a regular user and switch to administrator only for certain tasks. Part of the issue here is not just with Microsoft, but with the expectations of third party software vendors when it comes to how their programs will run on Windows.<br><br>A second nagging issue with Windows is that it depends upon the file extension rather than a file property to tell whether a file is executable or not. Microsoft has put safeguards into Internet Explorer and Outlook and Exchange recently to warn users about this issue when they download an executable file (a file with a .exe, .com, or .scr extension). Basically, there is only so much that they can do about this issue because of the weight of all the legacy software out there. This is something so basic about the way the operating system works that it makes it difficult to change.<br><br>Of course Windows' improved security has led to the focus of malware authors switching a lot to phishing attacks, since they depend on breaching the user's safeguards rather than the system's safeguards. Focus has also switched somewhat to third party avenues to breach security like Java, Flash, and even PDF reader exploits.<br><br>Edit: Incidentally, I had meant to mention that phishing exploits really do scale with market share. So to some extent, as more malware becomes dependent on social engineering to be installed, the market share myth gains more credibility.

        Edit: Fixed typo.
        CFWhitman
      • RE: Do you really need antivirus software?

        @CFWhitman,

        Pretty fair critizism of Windows OS. I wish Microsoft could use file properties instead of file extensions to determine whether the file is executable. I'm not sure what the impact would be for backwards compatability.
        bmonsterman