Monday, October 01, 2007

Feedback and Comments on AV Post

Before proceeding, let me clear up one interesting issue of "blog bias." First, does my blog have a bias? The answer is 'yes,' but it is more useful to think of it not as 'bias' but as 'message.' One of my messages, for example, is that people should log more and that they should analyze their logs. I also carry an inherent bias since I work for a log management vendor.

So, my entry on abandoning "classic" signature-based anti-virus has generated two main types of responses:
  • "What? You've been using AV all this time? Come on, everybody knows it is useless crap"
  • "What? You abandon AV? How about defense in depth?"
Why did I start this from a "blog bias" discussion? Among the comments to my entry, there was one which seems to imply that I abandoned AV "JUST BECAUSE" my friend had to rebuild a system. Come on, I am not stupid!!! Did I ever say that? I said that this event became my "last drop" rather than the "reason" to stop using signature-based AV. Now, pray tell me, is there somebody else who read my entry as "Anton switched from AV only because his friend rebuilt the system"? That is bias in action!

And, BTW, Savant Protection does bundle a small signature-based AV engine (I think it is ClamAV), but it is not really essential for most of the protections and is probably only used to catch the truly stupid, obvious stuff.

5 comments:

kurt wismer said...

"Among the comments to my entry, there was this one which seems to imply that I abandoned AV "JUST BECAUSE" my friend had to rebuild a system?"

read the post again, it says "after", not "just because"... guess what, your post also says "after" - so if my post is giving the wrong idea, so is yours...

while that single incident was probably not the only thing behind the decision, you made it very clear that failures like that were the basis of your decision...

by the way, thanks for providing a link which makes your connection with savant clear... now no one can accuse you of astroturfing...

Anton Chuvakin said...

Indeed, very true. I made a "personal risk decision" based on my past experience and observations, not based on a single incident, but I did it right after that incident.

I don't think AV is a failure or is not necessary for anybody. I just think that I would FEEL safer with HIPS (which includes crappy AV) rather than with major-brand AV. No more, no less...

Unknown said...

I was going to write it up as Anton having a mid-life crisis... :)

kurt wismer said...

"I just think that I would FEEL safer with HIPS (which includes crappy AV) rather than with major-brand AV."

do you realize you're still framing it like an either/or proposition?...

it implies not only that you think whitelisting will help you, but also that you think blacklisting won't help you - which seems to be based on witnessing blacklisting's failures...

you're free to choose whatever you like, but the way you're presenting things still implies that you weren't expecting blacklists to have instances of failure from the very beginning (as you should have), and that those instances of failure make the blacklist not worth your using it (otherwise you'd complement it rather than replace it outright)...

of course now we know that your replacement has blacklist capabilities too (and therefore needs updates), so in reality you didn't replace blacklisting with whitelisting, you replaced one blacklist with another and added whitelisting - which means what you presented and what you actually did are 2 different things and the thought process you presented isn't nearly as relevant (or accurate)...

Anton Chuvakin said...

>mid-life crisis
Shut up :-) If somebody objects to me saying "feel" in this context, think what objective and useful metrics we have to measure the efficiency of our gear ....

>do you realize
Well, at this point I have to say that you are 100% correct. It never should have been framed as either/or. It is deeply and painfully obvious that a harmonious marriage of whitelisting and blacklisting is the future.

And things seem to be going there naturally anyway...

= McAfee AV + Entercept
= Symantec + Platform Logic
= HIPS vendors + ClamAV or whatever cheap AV

Dr Anton Chuvakin