
It's time to toss out your antivirus software

By George Ou | May 26, 2006, 2:01am PDT

Summary: Running antivirus on a personal computer is like having the bomb squad inspect a suspicious package inside the house right next to you. No matter how careful or how good that bomb squad is, one of these days they’ll make a mistake and explode in your house. As a matter of fact, the bad guys are deliberately rigging the bombs in a way that will blow up the house if someone tries to scan it and this is exactly what’s happening with malformed ARJ or ZIP packages.

There’s been plenty of debate lately that, with the release of Windows Vista, we might be able to get away with not using antivirus on our computers.  Well, I’m about to make an even bolder assertion: running antivirus, or even additional third party security software such as firewalls, on your computer makes you even less safe!  Now before you start the flaming, hear me out first.

It’s well understood in the security community that every additional piece of software on a computer system is another potential target for attack.  That’s why it comes as no surprise that yet another antivirus package is open to a massive attack, one that can affect 200 million Symantec antivirus users running Symantec Antivirus 10.x or Symantec Client Security 3.x.  This is actually nothing new, and virtually every antivirus vendor has had its share of remote exploits.  Even an extra security feature such as compressed file scanning opens the user up to additional vulnerabilities, and all the major AV solutions have had their share of malformed compressed file vulnerabilities.  The mere act of decompressing a ZIP or ARJ file to see what’s inside of it could set off a malicious payload.

Every third party firewall product, such as ZoneAlarm and Kerio, has exposed the very users it’s supposed to protect to complete system level compromise.  Ironically, the built-in Windows XP SP2 firewall, which always gets unfairly picked on, has never had any remote exploits.  Sure, it doesn’t provide any outbound packet filtering, which is only relevant if my computer is already owned, in which case any firewall could be disabled anyway, but at least it doesn’t leave me wide open to a remote attacker.  With the Windows Vista built-in firewall, outbound packet filtering is now supported, but the pundits are already jumping on it because it doesn’t turn on outbound blocking for user actions by default and requires command line manipulation to access the outbound controls.  What’s left out is that the XP SP2 and Vista firewalls can be centrally managed via Microsoft’s Active Directory group policy, whereas the third party firewall vendors want you to buy an expensive enterprise management and policy deployment system.  Given Microsoft’s personal firewall and its superior security track record, and the fact that it doesn’t cost anything extra, one has to wonder what the point of third party firewalls is.

I’ve owned personal computers for 15 years running some form of Windows or another, and I have never had any virus problems on my computer; this is consistent with every other expert user I’ve talked to.  I personally can’t stand the performance overhead and extra expense of third party security software, and I simply don’t use it.  On my family computer, which is used by plenty of less security-savvy users, I don’t use any antivirus or anti-spyware software either, and they never have any problems, though I never let anyone else run as an administrator.  While running as a standard user isn’t always practical under Windows XP, it most definitely is practical under Windows Vista.

Windows Vista not only runs users in restricted mode, but goes as far as running all its services in restricted mode, and it has default outbound firewall policies in place to prevent services from making outbound connections that they have no business making in the first place.  Internet Explorer 7 under Windows Vista runs in a severely restricted jail cell, and the same technique is available to all other ISVs such as Mozilla and Opera.  Along with hardware-enforced DEP, which proactively stopped the two most recent zero-day Internet Explorer 6 exploits in their tracks without the assistance of any antivirus software with updated definitions or any software patch, Windows Vista is more secure than an AV/AS-loaded Windows XP computer.

Does this mean there is no place for antivirus scanning in the world?  No.  I’ve been on record as far back as four years ago saying that gateway level scanning was the way to go, and this is exactly what I mean when I say "it’s time to toss out your antivirus".  This means you scan for viruses transparently at the HTTP and FTP gateway and at the SMTP mail gateway BEFORE content enters your internal network and your PC.  As an added bonus, the scanning is only done once and the cleaned file is cached at the gateway, so that you’re not scanning the same file on the client side thousands of times if you have thousands of users.  Since virus scanning is such a dangerous task, because the software is handling raw and potentially malicious payloads coming from the Internet, the task should only be handled in the DMZ and under a service or daemon operating in a jail cell.  Handling raw Internet files at the client level under a system level service is simply more of a liability than a benefit.  We should probably even stop antivirus scanning on the internal mail server and have all mail attachments forwarded to the DMZ gateway scanner to check the file in a jail cell before it’s handed back to the internal mail server.  Note that on TechRepublic, we’ll start doing some articles on how to implement inexpensive gateway antivirus for the home.
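As an added example (not code from the article, nor from any product it names) of the design this paragraph describes, and of the malformed-archive hazard raised earlier, the Python below parses and scans archives in a separate worker process, turns parser crashes, hangs and malformed input into a "block" verdict rather than a compromised gateway, and caches verdicts by SHA-256 so a file delivered to thousands of users is scanned once. The size limits, the signature table (only the identifier text of the public EICAR test string, not a real malware signature) and the sample archives are constructed for this example; a child process stands in for the jailed daemon the article has in mind.

```python
"""Gateway-style archive scanning: parse in an isolated worker, scan once, cache the verdict.

Added example, not code from the article. Assumptions: a toy signature table, a "block"
verdict for anything the parser cannot handle, and process isolation via multiprocessing.
"""
import hashlib
import io
import multiprocessing
import os
import zipfile

# Constructed limits: reject archives whose declared inflated size is out of bounds.
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # declared inflated size of the whole archive
MAX_RATIO = 100                      # inflated/compressed ratio (decompression-bomb guard)

# Toy signature table (constructed): the identifier substring of the public EICAR test
# string. It is a test marker, not a real malware signature.
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR test file"}


def inspect_zip(data: bytes) -> dict:
    """Parse and scan one ZIP. Runs inside the isolated worker; any exception means
    the archive is malformed and the caller treats that as a block."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        total = sum(e.file_size for e in entries)
        compressed = sum(e.compress_size for e in entries) or 1
        if total > MAX_TOTAL_BYTES or total / compressed > MAX_RATIO:
            return {"verdict": "block", "reason": "decompression bomb"}
        for entry in entries:
            parts = entry.filename.replace("\\", "/").split("/")
            if entry.filename.startswith(("/", "\\")) or ".." in parts:
                return {"verdict": "block", "reason": f"path traversal: {entry.filename}"}
            # zipfile stops reading at the declared file_size, so the check above bounds memory.
            content = zf.read(entry)
            for sig, name in SIGNATURES.items():
                if sig in content:
                    return {"verdict": "block", "reason": f"{name} in {entry.filename}"}
    return {"verdict": "allow", "reason": "clean"}


def _worker(data: bytes, conn) -> None:
    """Child process: the only place untrusted bytes are parsed."""
    try:
        conn.send(inspect_zip(data))
    except Exception as exc:  # parser failure stays in the child; report it, do not crash the gateway
        conn.send({"verdict": "block", "reason": f"malformed archive ({type(exc).__name__})"})
    finally:
        conn.close()


def scan_isolated(data: bytes, timeout: float = 10.0) -> dict:
    """Run inspect_zip in a separate process; a crash, hang or silence all become 'block'."""
    ctx = multiprocessing.get_context("fork" if hasattr(os, "fork") else "spawn")
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(data, child_end))
    proc.start()
    child_end.close()  # keep only the child's copy open, so EOF means the child died
    try:
        if parent_end.poll(timeout):
            verdict = parent_end.recv()
        else:
            verdict = {"verdict": "block", "reason": "scanner timed out"}
    except EOFError:  # child exited without a verdict, e.g. it crashed inside the parser
        verdict = {"verdict": "block", "reason": "scanner crashed"}
    finally:
        proc.join(1)
        if proc.is_alive():
            proc.kill()
            proc.join()
        parent_end.close()
    return verdict


class GatewayScanner:
    """Scan each distinct payload once and serve cached verdicts for repeat deliveries."""

    def __init__(self) -> None:
        self.cache: dict[str, dict] = {}
        self.scans_run = 0

    def scan(self, data: bytes) -> dict:
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.cache:
            self.scans_run += 1
            self.cache[digest] = scan_isolated(data)
        return self.cache[digest]


def build_zip(files: dict) -> bytes:
    """Constructed sample input: an in-memory ZIP built from name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    gw = GatewayScanner()
    samples = {  # all constructed for the example
        "clean": build_zip({"report.txt": b"quarterly numbers"}),
        "eicar": build_zip({"note.txt": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}),
        "bomb": build_zip({"zeros.bin": b"\0" * (4 * 1024 * 1024)}),
        "traversal": build_zip({"../../etc/passwd": b"x"}),
        "malformed": b"PK\x03\x04" + b"\xff" * 40,
    }
    for label, blob in samples.items():
        print(label, gw.scan(blob))
    gw.scan(samples["clean"])  # second delivery of the same file is served from the cache
    print("isolated scans run:", gw.scans_run)
```

The point of the split is that `inspect_zip` is the only code that touches untrusted bytes, and it never runs in the gateway's own process: a crash in the archive parser ends a throwaway child and surfaces as a "block" verdict, which is the failure mode the article wants instead of a compromised host. A production deployment would additionally drop privileges and apply resource limits in the child; that part is outside this example.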

Running antivirus on a personal computer is like having the bomb squad inspect a suspicious package inside the house right next to you.  No matter how careful or how good that bomb squad is, one of these days they’ll make a mistake and explode in your house.  As a matter of fact, the bad guys are deliberately rigging the bombs in a way that will blow up the house if someone tries to scan it and this is exactly what’s happening with malformed ARJ or ZIP packages.  It’s time we started thinking of antivirus activities the same way and that it’s too dangerous to be done on your personal computer or even inside the internal network.  Check that bomb before it enters the house and the end result is that we’d all be spending less money, we’d all have faster computers, and we’d all be a lot safer.


Biography

George Ou

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.

374 Comments

linux has never failed me
cheryljosie 3rd Apr
After decades of running computers I can say from experience that Microsoft has been a nightmare of infections, crashes, fragmentation, and operating system corruption, whereas Linux has never given me any such problem. Then there is the cost...

Everyone who has never used Linux 'knows' it is just as bad as Windows. After all, you get what you don't pay for, right?

Yes, by all means, scan all files at the gateway, but do it in a 'nix box for reliability. Also please run 'nix behind the firewall too wherever possible. Why wait another 20 years and 15 CEOs for Microsoft to finally enter the 21st century? Why waste all that money? Why endure all that aggravation?

The more who adopt Linux, the more that will build proprietary software and hardware for it. That is where the shortcoming is. Most proprietary applications for Linux are high-powered computer-aided design tools for the corporate environment. We need an occasional checkbook and tax application for mom and pop too, or at least mom and pop need to learn how to run Windows Emulator under Linux, which after all is not that hard.

The amazing thing is that people actually throw away working hardware when it is too small and slow for the current version of Windows. They could download free Linux and keep using that machine until it finally burns out. I am fairly certain that there is at least one version of Linux that will still run on a 386, and ten years from now there will still be Linux for that Mac that has otherwise become a doorstop. Even my old DirecTV box runs Linux. I am still using it as a terrestrial tuner for my old tube TV.

Sometimes people develop an emotional investment in an attitude that does not make sense. People are way too fond of Microsoft.
George, your glasses are a little fogged
whisperycat 26th May 2006
Of course anti-virus is an overhead. It's a performance, usability and cost overhead that's been integrated into Windows by necessity ever since the days of the Brain virus for Windows 3.1. 15 years and 100,000 new Windows viruses later, that overhead is still a necessity for the majority of Windows users with a PC at home.

You PC "power users" are hilarious. "Millions of other users might have been hit by Code Red, Nimda, MSblast (etc), but not me, *I'VE* never had a virus. I've never suffered data loss due to remote exploit on my PC. Therefore there is no Windows problem".

Ha!


On that basis, all that stuff about malaria being the biggest killer of humans since the dawn of time? Well, I'VE never had malaria, and no-one I know has ever had it either, so it can't be true, can it? And as for all those alleged AIDS deaths, I'VE never had AIDS, and no-one I know has had AIDS, so it must be untrue, mustn't it?

And it's strange, but while I truly have NEVER had a virus (on my Linux machine), I have spent hundreds of hours- free hours- over the last four years, helping out those of my friends and family who do have Windows PCs at home, to disinfect, clean up, re-install their trashed machines. Again and again. These are not stupid people. They are people whose money Microsoft has pocketed in exchange for a second rate system for which Microsoft themselves refuse to be accountable.

For the MS party faithful to say that "I've never had a Windows virus so everyone else must be stupid" is to shoot themselves in the foot. The Windows users who trot that stuff out are the tech-savvy, a teeny, tiny minority of the user-base. Are you REALLY saying that unless all users are as "clever" as you are, they are doomed to suffer the Windows drop-off consequences? That kind of demeans your perceived cleverness rather a lot. You're not expected to know as much as your doctor, or your electrician, or your mechanic, so why are they all expected to know as much as you about PC hardware and software?

Windows is inherently insecure because its design is inherently prone to viruses and worms. Windows is a single user, non-networked OS into which proprietary, commercial applications were welded in order to preclude third party competition. Complicated, of course, by the fact that 100's of Mb of patches are applied to this tottering system every few weeks. Can you imagine any other software product whose deficiencies were so much a part of it that the end user routinely downloaded its own weight in code (as a patch) every few weeks? In a never ending circus? And always AFTER the critical exploits had already impacted some of those users? It would be funny if it wasn't so sad.

Face facts George- when Microsoft elected to compromise the OS by embedding proprietary applications into it, they were in effect cementing a row of ever open doors into their low-level OS functionality. All that can be done now, is to retrospectively nail wood over the cracks.
Yes, it was extremely well said!
NonZealot 26th May 2006
Well, other than the grievous factual errors but we won't let that stop us in our zealotry, will we? wink
What factual errors?
msolgeek 26th May 2006
Please be specific. I find that the amount of code and patches needed to bring a restored Win XP Pro SP2 computer, that has been returned to factory state, to take several hours to download and apply. It would really be quite comical if I hadn't had to spend so much of my time doing just that.

Windows Firewall is a glue-on. It came about in SP2, remember? Their new foray into AV is a glue-on too. Why should I believe that their code is any less prone to vulnerabilities than other vendors such as Zone Labs and Norton? Both of these vendors have been doing it a lot longer than MS, albeit hampered by not having direct access to the OS code base.

I did not even hear any "zealotry" in his post or anything at all about other OSes such as Linux. Further, I use Windows as my primary and only OS for my daily work, so I don't have any Linux agenda either. Your post on the other hand, makes you sound like a pompous @ss.
Okay, I'll be specific
NonZealot 26th May 2006
I use Windows as my primary and only OS for my daily work, so I don't have any Linux agenda either.

And I use Linux at home more than I use Windows so I don't have a Windows agenda.

I'll start with you:
I find that the amount of code and patches needed to bring a restored Win XP Pro SP2 computer, that has been returned to factory state, to take several hours to download and apply.

Yikes, are you on a modem? First, I don't find it takes hours so I can't really say that has bothered me. Regardless, I find that it takes longer to update my 3 Linux boxes than I do my Windows boxes so I don't view the time it takes to update a fresh install as a Windows only issue.

Windows Firewall is a glue-on. It came about in SP2, remember?

This is factually incorrect. The initial release of XP came with a firewall. SP2 simply turned that firewall on by default. And what do you mean by "glue-on"? If you mean "not a part of the OS" then I would say this is a good thing! If you meant something else, could you explain what you meant?

Now, you asked me to be specific about errors in whisperycat's post.
15 years and 100,000 new Windows viruses later, that overhead is still a necessity for the majority of Windows user with a PC at home.

It sounds scary to say 100,000 viruses! Actually, I usually hear the term 140,000 viruses which is 40% scarier! Oh no, there are 140,000 pieces of code out there that can hurt my machine!! Well, I have a firewall so actually, only 80,000 pieces of code can hurt my machine. Oh, I use Firefox so actually, only 50,000 pieces of code can hurt my machine. Oh, I don't run executable attachments that promise to show me naked pictures of famous people so actually, only 10 pieces of code can hurt my machine. I can live with that. The truth is that out of the 140,000 pieces of malware, there are only a handful that aren't a very simple variation of another piece of malware. There are only a handful of unique pieces of malware and out of that handful, they can all be defended against through extremely simple means. To bring up the malaria example again, it sounds scary to think that MILLIONS of people catch malaria every year. Ooooo!!! Then you think about how easy it is to avoid getting malaria and it isn't quite so scary any more.

Windows is inherently insecure because it's design is inherently prone to virus and worms. Windows is a single user, non-networked OS

This is 100% factually untrue. whisperycat is obviously unaware that the NT branch of Windows application (from which 2000/XP/2003/Vista come from) has been multi-user and networked for 15+ years. It would be like me saying "OSX is not a preemptive multitasking OS and has lousy memory management because OS9 was that way". XP is as closely related to the Win9X series of OSs as OSX is to MacOS9: not very.

into which proprietary, commercial applications were welded in order to preclude third party competition.

Again, factually untrue. I can only imagine he is alluding to the commonly held belief that "IE the browser is welded into the OS". Factually untrue. I can uninstall "IE the browser" any time I want. What is more difficult is removing "IE the HTML renderer" but I would have almost as much difficulty removing Web Core from OSX or KHTML from KDE. There is nothing wrong with including HTML rendering libraries in an OS's set of included libraries. It is especially more embarrassing to make such comments considering Windows isn't the only one to do it. I'm not even sure if Microsoft was the first to do it although if they were, I guess people would have to admit that it was pretty innovative. wink

Complicated, of course, by the fact that 100's of Mb of patches are applied to this tottering system every few weeks.

Again, factually untrue. I actually find that the monthly patch from MS is pretty small when compared to a month's worth of patches I need to install on my Linux boxes.

So, is that specific enough?

Your post on the other hand, makes you sound like a pompous @ss.

Yeah, probably. It is how I sound when confronted with willful ignorance on a scale shown by whisperycat. I won't apologize for it in this case. I'm much nicer to people who show the desire to learn instead of just repeating oft rebuked statements that they picked up on slashdot.
IE the Browser
belkorin 30th May 2006
Factually untrue. I can uninstall "IE the browser" any time I want. What is more difficult is removing "IE the HTML renderer" but I would have almost as much difficulty removing Web Core from OSX or KHTML from KDE. There is nothing wrong with including HTML rendering libraries in an OS's set of included libraries.

Not quite right. Once you uninstall "IE the browser" (IE 5/6/7), you will find that IE 4 is welded into your OS. Try it some time. Throw a simple browser detection javascript in a file on a server, and put in that url in a Windows Explorer window. You'll find that it loads up, displays the content, and detects as IE 4. Windows Explorer is just a fancy name for a modified IE 4.
Same with KDE
NonZealot 30th May 2006
KDE makes even less of an effort to distinguish between the default file explorer and the web browser. They both use an HTML renderer to render whatever contents are to be displayed and they both have the ability to download content, via the address bar, from URIs. It doesn't stop me from installing Firefox in both OSs (which I do) and completely bypassing KHTML/IE. Sure, IE (the library) is being used to browse the local computer but I haven't personally heard of any exploits that take advantage of this. You would have to infect the local computer before this would work and if you've infected the local computer, why do you need windows explorer exploits anymore?

But back to the original question: can you remove IE the browser? Yes, you can. The fact that Windows Explorer uses the same HTML renderer does not change that fact any more than the fact that when you remove Safari from OSX, you are still using Web Core in a myriad of other applications. No one blinks twice about saying that that Safari is gone so why the double standard?
KDE
belkorin 31st May 2006
KDE is a window manager, not an operating system. There are other window managers for linux that don't do that.

As for OS X, if you were to remove the web core, would the OS lose significant amounts of functionality like it does when you remove the IE 4 html hooks from windows?
size of the Linux patches
Me_too 4th Nov 2007
I actually find that the monthly patch from MS is pretty small when compared to a month's worth of patches I need to install on my Linux boxes.

I wonder if the size of the Linux patches is because they include patches for all the apps installed on your systems?
Very well said
richvball44 28th May 2006
dont forget the ever popular back track phrase

I didn't say.....
George is telling us
msolgeek 26th May 2006
that the best way to ride your Harley is without a helmet because a good rider will never crash and the helmet is too much overhead. In fact, it might even contribute to an accident because it's too cumbersome and may have blind spots. Well, a lot of people take that advice at Daytona Bike Week and every year, several of them die.

If you're going to ride a motorcycle, George, be sure to leave the helmet at home.
Nope
ccrashh2@... 26th May 2006
You screwed up the analogy. George isn't saying don't wear a helmet. The correct analogy should be:

You have a perfectly good helmet...one which came with your Harley and fully protects your head. So don't go out and put another helmet over top of it. That will just cause more problems and compromise you as a rider.

See the difference?
Go ever further
NonZealot 26th May 2006
Good point but I think George is going further. I think people are paying more attention to admittedly sensationalist headline and not actually reading the article. Once you read the article, it is easy to go through the talkbacks and pick out the clueless like whisperycat.

From his article:
Does this mean there is no place for antivirus scanning in the world? No, I've been on record as far back as four years ago saying that gateway level scanning was the way to go and this exactly what I mean when I say "it's time to toss out your antivirus". This means you scan for viruses transparently at the HTTP and FTP gateway and at the SMTP mail gateway BEFORE it enters your internal network and your PC.

I read this article as more targeting corporate environments, not the home user (which is what most of the talkbacks seem to be focusing on). What I read George to be saying is: scan for viruses, just don't do it on the same computer that has all your valuable information on it. If a gateway computer is compromised, this is less of a problem than if a worker's computer is compromised. A gateway computer shouldn't have any access rights to anything on the internal network and certainly not to sensitive data. Workers do.

So to take your analogy even further:
1. Wear the helmet that came with your Harley.
2. Drive in the middle of a pack of semis and let them get in the accidents!
Really - guard just the perimeter?
msolgeek 26th May 2006
That doesn't save you at all. I worked at a large enterprise (>1500 desktops) that was completely and stringently protected at the gateways. The whole enterprise went down for two days because an employee returned from travel with an infected corp. laptop (no antivirus or firewall here) and everyone got the "slammer" worm that roamed without hindrance through the entire, completely unprotected, enterprise.

Hey, but why should I complain? I got two days off with pay. Thanks MS!
LOL
ccrashh2@... 26th May 2006
That's perfect! I agree that people seem to either not understand what he wrote, or didn't bother reading it.

"Drive in the middle of a pack of semis and let them get in the accidents!" I LOVE IT lol.
Actually for the home and SOHO too
georgeou 26th May 2006
Build a Linux firewall appliance and run Trend Gateway transparent AV on it. No server licensing required, they have a cheap per user model which is around $30 I think. I'm going to put up a how-to on TechRepublic for the home and SOHO users on how to do this. Then defense in depth with an extremely locked down Vista configuration means you don't have to have the bomb squad put you at risk and eat all the good food and drink all your cold drinks. Ah and did I forget to mention they tend to stink up the bathroom right before you want to use it? This is exactly what AV/AS/IDS/FW on the PC is. You end up with a PC that's so crippled that it's hell.
I work for a small company that doesn't have a dedicated IT guy, much less a department.
I use a personal VPN to access the web when I'm logged into the WiFi. Are you advocating removing AV and firewall in such an instance?
I understand that the security software is itself a potential target. It may not be the best solution, but isn't it better than no solution at all?

I look forward to your (or anyone's) constructive advice.

Mike Aldridge
Okay...
msolgeek 26th May 2006
I see your point. But I don't believe that the MS helmet is more like a yarmulke. You are right about wearing another one over it, cause you can't take the yarmulke off. It's glued and riveted into the skull.
rephrase
Canadian falcon 30th May 2006
Let me put this another way.
For many people, buying boxed computers is kinda pointless, why, cause you're getting one BIG feature, and a bunch of junk (AV software) So they go and buy the parts themselves. Now for those of you who have built your own computer, you'll surely know that there are tonnes of parts out there to possibly buy. We'll take the CPU for example. It's the brains of the computer. AMD sells the PIB versions (Processor In a Box) it comes with a fan, now almost 60% of people who build their own computer build it specifically to get exactly what they want, they don't really do anything more than slap parts together, and install an OS. For them, that Fan that comes with the processor is Perfect(windows firewall) So you install it, run your system, sure it's running at 40c but whatever, it works fine and is 50% lower than the max temp. Now, WHY would they want to go out and buy a nice big 3rd party fan(AV software), the third party fan requires changing braces, and installing new mounting brackets, and is noisier, and it drops CPU temps by, MAYBE 5c, AND you have to put up with the extra noise. Now, why not just stick with what the computer comes pre-configured to work with, sure, it doesn't feature a MOSFET cooling chute, or heatpipe technology, but for the basics, it works perfectly fine.

George also mentioned gateway scanning, Most new routers feature firewalls in them, these work pretty well, and best thing is, they require very little to get them set up. Heck, the only real thing they require is the power plug, the LAN plug, and the connection to the computer... not that hard. AND best of all, no overhead, sure you get a little bit of a cost, but when you're also paying to share internet with a couple computers, and to create networks, it's not that much.

And my final statement.
Lets take a look at programs like napster, Kazaa, limewire. I work as a computer technician. The most common thing I am asked to do is remove viruses. 99% of the people who have viruses ALSO have Norton/McAfee/AVG/CA/Zone Alarm... and they still get viruses. WHY??? Simple, they all have programs like limewire, that allow you to bypass your firewall and drop virus infected illegal files right onto your computer. I have never actually looked at the stats, but I'd have to say that file sharing programs account for >50% of all virus transmissions on the web, why, because they are great big gaping holes in your security programs. 15mins of education for internet/computer users would decrease our virus woes by 75+%. Unfortunately, everyone has this horribly WRONG assumption that Windows=bad, AV program = good+safe
No, just hear me out
georgeou 26th May 2006
"Are you REALLY saying that unless all users are as "clever" as you are, they are doomed to suffer the Windows drop-off consequences? "

No, that was for Windows XP. Vista is different because it's locked down out of the box. Furthermore if we're talking a corporate environment, we can lock the users down. If the admin sets it so that no untrusted and unsigned code can run with standard or admin rights, then no one can harm themselves. All such code will run in side of the new reduced privilege mode where all it can do is damage some temporary files.

I'm saying the risk/benefit ratio of desktop AV has been altered to the point that we need to start taking a hard look at the way we do desktop security.

The benefit of AV isn't as good as it used to be because Vista is much more secure running standard users with jailed IE and hardware-enforced DEP. AV was never that good in the first place because it can only look for known patterns. Any targeted attack with a malicious file can easily defeat any AV system on the market, the attacker has the benefit of running his payload through an AV scanner first to see if it will trigger it.

The risk of running AV has increased because the bad guys are booby trapping the payloads to exploit in the security scanner instead of the intended target. It's like having a bomb squad operate inside the house, no thanks. To add insult to injury, that bomb squad drinks your cold beer and soda and then makes a mess in your bathroom. This is exactly what AV does when it sucks up your resources and makes a mess in your registry and startup services. Best thing to do is have that bomb squad operate 100 feet away from the house at the gates. AV scanning is a very dangerous business. The bombs are now sophisticated enough to blow up as soon as you attempt to x-ray them. This could be alleviated if the AV vendors would start separating and isolating their scan code in to a sand box such that if the scanner is exploited then the damage is limited. The way it is now, you come across a malformed ZIP file and boom you're owned!

What I'm talking about isn't practical until Vista is widely in deployment and has PROVEN itself. The purpose of this blog is not to change your mind, but to stimulate thought.
I've heard that one before.
CobraA1 26th May 2006
"Vista is different because it's locked down out of the box."

I've heard that one before.

I'll believe it - when I see it.

"This could be alleviated if the AV vendors would start separating and isolating their scan code in to a sand box such that if the scanner is exploited then the damage is limited. The way it is now, you come across a malformed ZIP file and boom you're owned!"

Me thinks you've got the wrong AV software then. Most modern AV scanners that I know of *do* sandbox their stuff. If some antivirus is "blowing up" because of a zip file, they are not professional, IMHO.

And yes, it's my opinion that Symantec's antivirus is not professional.

They just found ways to make themselves look good to businesses and schools, by adding nice features.

But just like adding a stereo won't make a car run faster, adding features won't improve an antivirus' scanning engine.
"I've heard that one before. I'll believe it - when I see it."

Well I've seen it, and beta 2 while unfinished is looking pretty decent.

"'This could be alleviated if the AV vendors would start separating and isolating their scan code in to a sand box such that if the scanner is exploited then the damage is limited. The way it is now, you come across a malformed ZIP file and boom you're owned!'
Me thinks you've got the wrong AV software then. Most modern AV scanners that I know of *do* sandbox their stuff. If some antivirus is "blowing up" because of a zip file, they are not professional, IMHO."

Modern? Does Trend Micro, Symantec, McAfee sound modern to you? Those are only the three biggest AV vendors and they're all prone to remote exploits and they do NOT sandbox their software. They're deeply integrated in to the system and they need admin privileges. The only way to fix this is more granularity where the scanner portion is separated in to another isolated service.
I'll second that
pkrdk 26th May 2006
And raise with a first hand experience of a Windows machine being infected DURING INSTALL. We had forgotten to pull the ADSL cable, and as soon as the networking part was finished, we got fake "Microsoft" warnings that the AD was corrupted. I know it was nonsense, but installation didn't even finish.

After reinstall - with the cable to the world unplugged - we noted firewall (a real one, not the XP crap) attacks after 3 (three) seconds, and then one every second.

Every Windows user stating never to have had an attack is either a liar or stupid - or has no network connection.
ummm
Canadian falcon 31st May 2006
I have Windows XP (no SP1, 2 or anything). I recently did a re-install on it (semi-annual cleaning) and I had no issues whatsoever. However, when I looked at my router's activity log and security logs, well, yeah, there were a lot of attacks. I patched to SP2 and ran 3 different online scans (Computer Associates virus scan, noted as one of the best, Trend Micro's corporate online scan, and Symantec's online scan) and they all came up with zilch (aside from Symantec and Trend Micro finding tracking cookies *GASP!*).
And yes, I had my network cable plugged in at all times.
router
belkorin 1st Jun 2006
That's because you're behind a router. Most routers act as firewalls, keeping out most IP targeting attacks (unless you're clueless/foolish enough to DMZ your computer or disable NAT).
of course
Canadian falcon 3rd Jun 2006
I'm well aware of that, and I'm also well aware of just how incredibly cheap and useful they are (you can pick up wireless G ones for $50 CAD), yet most people leave the firewall off and depend solely on a piece of software that can be turned off by remote hacks.
To go on what was originally said, why not get virus scanners/firewalls on a gateway computer?
Why don't security companies go a step further? Get scanners hard wired (ROM wise) into routers, and have them access RAM chips that store updatable virus lists. Toss about 64 MB of RAM on the router so that they can do the scanning on the router themselves. No, it won't protect from infected media (CDs, flash drives...) but it will stop virtually all viruses/hacks/spyware... from hitting your computer from the i-net, AND it won't clog your system. Plus a router with a virus scanner would cost a LOT less than a whole computer to act as the scanning gateway.
some good points
Scott W 27th May 2006
you're right about the experienced user bits. there are many non-experts and these are the victims. i always find it interesting to hear that (as experienced users) these people have no problems with windows, even though you need a good deal of knowledge to use it properly. yet at the same time they say that linux is a hard system to use. just my thought for the day. oh, and while i'm not saying anything is more secure, linux comes out of the box WAY more secure than a windows install, and THAT can make the difference.
*hands whisperycat some windex for the eyeballs
shadowgryphon@... 31st May 2006
All you linux fanboys and girls have missed a HUGE flaw in whisperycat's argument.

Say it with me now: Just because it hasn't happened doesn't mean it CAN'T happen.

Granted the linux community is much faster on the uptake about finding and killing malicious code, hence the advantage to being opensource.
But all it takes is ONE virus, worm, trojan or what have you to slip past, and suddenly linux is on the business end of the whoopin' stick.

Nothing is impervious to harm, and to stand there (or sit there as the case may be) and say "NOPE! It'll never happen to me because I run Nth OS" is a good way to set yourself up for a huge fall.

Never say never folks.

And to George, as one other poster said "I'll believe it when I see it"
I think your idea is a great one and I'd love to see it come to pass, but MS has too much bad history with talking big and delivering small.

They should do as 3D Realms is with Duke Nukem Forever and simply say "It'll be done when it's done!" People might gripe about that, but at least MS would be staying honest about things.

One question though..... why haven't AV companies delivered an AV that scans email and anything else on the server side?
scanning
belkorin 1st Jun 2006
"One question though..... why haven't AV companies delivered an AV that scans email and anything else on the server side?"

To some extent, they have, at least for email scanning. Yahoo's web email automatically scans all attachments with McAfee when they arrive in your inbox.

As for scanning and cleaning everything without the end user ever knowing, that's a dangerous thing to do. Every once in a while, programs come up that get detected as viruses, when in reality they are legitimate programs. (Spybot Search and Destroy is an example of this. Older versions of Norton AV detected it incorrectly as containing a virus).
linux has never failed me
cheryljosie 3rd Apr
After decades of running computers I can say from experience that Microsoft has been a nightmare of infections, crashes, fragmentation, and operating system corruption, whereas Linux has never given me any such problem. Then there is the cost...

Everyone who has never used Linux 'knows' it is just as bad as Windows. After all, you get what you don't pay for, right?

Yes, by all means, scan all files at the gateway, but do it in a 'nix box for reliability. Also please run 'nix behind the firewall too wherever possible. Why wait another 20 years and 15 CEOs for Microsoft to finally enter the 21st century? Why waste all that money? Why endure all that aggravation?

The more who adopt Linux, the more that will build proprietary software and hardware for it. That is where the shortcoming is. Most proprietary applications for Linux are high-powered computer-aided design tools for the corporate environment. We need an occasional checkbook and tax application for mom and pop too, or at least mom and pop need to learn how to run Windows Emulator under Linux, which after all is not that hard.

The amazing thing is that people actually throw away working hardware when it is too small and slow for the current version of Windows. They could download free Linux and keep using that machine until it finally burns out. I am fairly certain that there is at least one version of Linux that will still run on a 386, and ten years from now there will still be Linux for that Mac that has otherwise become a doorstop. Even my old DirecTV box runs Linux. I am still using it as a terrestrial tuner for my old tube TV.

Sometimes people develop an emotional investment in an attitude that does not make sense. People are way too fond of Microsoft.
You have foggy class too
iom88@... 30th Jun 2007
My first PC was a Radio Shack Model 1 with 4K of memory, increased to a whopping 32K through the expansion interface. I stored and loaded programs using audio cassettes, so I'd say I'm on an experience level that exceeds most PC users reading the article in question.
The writer of the response to Mr. Ou is exhibiting the same false sense of security about Linux that the users of the once vaunted Firefox had when it was first released. The reality is, if you're a hacker, who are you going to go after: 10 Firefox and Linux users or 10,000 Windows users? You may answer the question as your logic, or lack of it, dictates.
Mr. Ou and company have been very fortunate indeed and should count their blessings. I would suspect that much of their 'success' in not acquiring a virus or similar malware has more to do with where they go on the internet than dumb luck. Over the years I've had numerous attacks. Some blocked by security software and some not, and still others discovered after the initial attack by security software intended for that purpose.
I have an entire arsenal of software for finding and eliminating malware of all descriptions because I've discovered over the years that no one program does it all.
To assert that one can travel the length and breadth of the internet and not be attacked is simply naïve. So, Mr. Ou, I doubt you'll ever be a member of the Enterprise crew because I suspect you are not willing to go where no man has gone before.
I've got a word .doc for you
Robert Crocker 26th May 2006
as a reply.
George's hit count is down again!
linux_for_me 26th May 2006
George doesn't use facts, he just posts garbage like this to generate hits for his blog.

I've been working in the IT area for over 35 years, back when computers were still using transistors. Since MS Windows hit the PC, I have spent A LOT of time cleaning viruses, trojans, and spyware off of users' desktops. Anti-virus programs are a necessary evil today, and will still be needed in the future until these types of malware are permanently erased. Since malware is getting more numerous, much more complex and smarter, I don't see the disappearance of malware happening anytime soon.

If you take George's advice to not use any anti-virus programs, you will get EXACTLY what you deserve.

Way to go George!
Uh, you didn't even read the blog
georgeou 26th May 2006
You completely missed the point because it looks like you didn't even read it. I said toss out the AV, out of the PC to the gateway in the DMZ under a locked down jailed service or daemon.
Yes I did......
linux_for_me 26th May 2006
Most medium to small businesses will not have a gateway, nor DMZ, to do what you suggest. They have enough trouble these days trying to make enough of a profit to stay in business. So I stand by my statement.
Trend gateway scanner has no server cost, you just pay a small per-user fee. I think the per-user licensing is $30. On TechRepublic, we'll be doing a how-to article on how to build one of these with Linux. Now don't tell me you would be against that.
LOL...No,you got me there!
linux_for_me 27th May 2006
I guess I can't argue with you on that!

I'm still leery about your advice though. Most users think of a PC as an appliance, like a TV or microwave. They know nothing about how it works, they don't want to know anything about how it works. They just want to turn it on, use it, and turn it off. They will never learn to do the necessary things to properly configure it, so the home system stays compromised, and business IT departments are swamped with a lot of other things besides computer security, so that gets overlooked too.

It's not right, but it's reality.
Forks
DownRightTired 18th Jun 2007
They should know enough not to put a fork in the microwave.
overhead
belkorin 30th May 2006
What kind of overhead does this HTTP/FTP scrubber have? How much will it slow down a connection?
You're right about the software.
Anton Philidor 26th May 2006
And the malware authors know it. Instead of fighting a steady battle against the patch makers, many have switched to a social engineering approach, from what I've read.

I expect that any system can be overcome by users allied with the malware. Protecting software is one thing; protecting users from themselves is something else.
Worsening the problem
Anton Philidor 26th May 2006
How many users will turn off their AVs because of an instruction from the malware saying "To prevent difficulty with installation, turn off your AV."?
You would be surprised...
IndianaTux 26th May 2006
I work as a support technician in a medium-sized corporation. You would be surprised at the amount of users who do things just because a pop-up tells them to. Even though they've been coached to call the help desk before clicking on such things. "I figured it would be ok, so I just clicked on it. Then my computer shut down." Then there are the ones who do the same and worse on their home computer, then bring it in asking if we can fix it because they "clicked on a link in an email from someone they didn't know just to see where it would take them..."
Oh, and, FYI
IndianaTux 26th May 2006
I ran my computer for 2 years without any sort of anti-virus software and never had a single problem. I now run Symantec Corporate version 10, and since I have installed it, I find 20-30 pieces of malware each week on my machine. Working in a corporate environment, I definitely see the need for AV software. However (and I'm surprised at myself for this, because I have typically not agreed with George's views on things in the past), I do have to concede that George does have a point here. I can also say that I've had more problems with spyware/adware since I installed Windows Defender, Adaware SE, and Spybot than I did before. It's not that I'm seeing them more because the software is there to detect them. It's that my machine slows down more frequently, and I detect more spyware on current scans than I did on the first scans with these apps, many of which claim they are supposed to protect, or "immunize", against new infections.... I'm with you on this one, George.
umm...
belkorin 30th May 2006
I haven't run without an antivirus since on a clean install of XP Pro I got hit with several viruses within 20 minutes of connecting to the internet and had to format and install all over again. Since then, I've used AVG Free and had no problems with it.

As for spyware/adware, Spybot seems to work, but I don't really know, because I haven't ended up with much since I quit using internet explorer.
Better solution
NonZealot 30th May 2006
"I haven't run without an antivirus since on a clean install of XP Pro I got hit with several viruses within 20 minutes of connecting to the internet and had to format and install all over again."

That is one solution. A better solution is to simply enable the firewall and you will never get hit with any virus that attacks your open ports again. Your AV will only protect you against known viruses. The firewall will completely neutralize any malware that uses open ports to get into your computer. As I've said before, AV is an okay solution, but it isn't the best solution.
Time to toss out Office?
Robert Crocker 26th May 2006
So George how about that zero day Word exploit? Does that make it equally silly to have Office software on your computer too?

Of course you threw out your IIS software years ago when Code Red and Nimda made the rounds didn't you?

How about Windows when the DCOM bug hosed everyone?

The very fact that most major companies feel the need to invest billions of dollars on anti-virus software at both the desktop and server level along with who knows how much on firewall hardware and software would tend to lead me to believe that Windows by itself is somewhat inadequate.
Even Linux?
D T Schmitz 26th May 2006
Yes. Even Linux is vulnerable.
It's a fact that can't be refuted.

So, why do AppArmor, AntiVir, F-Prot, chkrootkit and the like exist?

Because we (myself included) occasionally succumb to doing 'stupid things' with our computers, at which point the 'ne'er-do-wells' spring into action.

George, it certainly would be nice if you'd consider sharing directly with your ZDNet readers (vs TechNet) some of the finer details about *how* and *why* you configure your home and office systems.

Thanks
I'm recommending that everyone boot AV from their PCs and run their AV on the gateway device. At TechRepublic, we'll start doing an article on how to build a transparent proxy with Linux and run AV on it to scrub HTTP and FTP along with SMTP before it gets to your PC.

I was quite detailed on how I configure my systems and why in the blog. I don't use AV because it slows the PC down and it's like having the bomb squad scan for bombs inside the house. Then to make it worse, they drink your beer and soda and they eat the food in your refrigerator. Then they stink up the bathroom and make a mess of it there.
exactly
ccrashh2@... 26th May 2006
Which is why I configure a home network almost like the one you describe. I cannot STAND having some bloated piece o' crap like Norton or McAfee clogging up my system. Especially a pain if I am not currently connected to the internet. For instance, if I want to simply play a standalone game, or work on a piece of programming, why the heck do I need to run a process (or, more accurately, a hodge-podge of processes) which aren't required for the work I am doing?

I don't want to see the AV (and the personal FW, and the Spyware blocker, and the this and that....).

It's like having that bomb squad in your house, taking up all the space and eating all your food, when they aren't required.
They don't just eat your food
georgeou 26th May 2006
They don't just eat your food and drink your cold beer and soda, they make a mess of the house and stink up the bathroom while they're at it. Then when they scan that bomb that was rigged to be a booby trap for the bomb squad as soon as they try their standard routine, do you really want them inside your house?
