Friday, September 28, 2007

A Bit More on AV

So, seeing more coverage of AV [in-?]efficiency today (e.g. here as well as all the old stuff here and summarized here) leads me to finally come out of the closet (OMG, I've been in the closet all this time... :-)).

After another one of my friends (who works in security and is obviously pretty darn smart about online risks), "protected" by a major-brand AV, had to rebuild his system, I decided "enough is enough." So, as of a few weeks ago, Symantec AV is gone from my systems, for good.

Time to stop and reflect on this a bit. I've been running AV for a good number of years, but not as many as others. Back in the good ole days of Win95/98, I was not running anti-virus, mostly relying on my risk avoidance. Then my work PC came with an anti-virus tool and it kinda stayed on. Over all these years, I had exactly 0 (zero) infections on my own machines (apart from viruses that I brought in myself to experiment, of course :-)). However, saying farewell to the most popular security technology is a touching moment, to be sure.

At this point, I am pretty sure about 97.3% :-) of you are getting more and more curious: what is Anton smoking? How can he venture out into the world without any security software on his systems?

Well, I never said that I didn't replace it with anything. I did! I am happy to tell that I replaced the AV with a HIPS-like tool from Savant Protection, which mostly relies on a fancy version of whitelisting to protect the system (details here). As a disclosure, I need to mention that I am on their Advisory Board, but my decision to protect my own systems with it had little to do with it.

First, I installed it just to play with it, but then I realized that I wanted to run it "in production" due to its many advantages (no updates, no noticeable CPU impact, no silly scans to run, etc.). Admittedly, sometimes you will need to respond to a pop-up (in the mode that I run it in!), but it is not a big deal. Feel free to check it out!

So, this post also works as a response to those of you who were saying "stop bitching about AV, you probably run it yourself: it sucks, but it is a must"...

Vess said...

Adding another level of protection, like a HIPS, is a very good idea - if you are intelligent enough to deal correctly with its prompts. However, removing an existing level of protection, like Symantec's product, is a very bad idea.

NAV might not be the best AV product around - fine, use something else instead. But don't remove a protection level just because it has failed once. Using HIPS is good. Using HIPS plus a scanner (both on-access and on-demand), plus a firewall, plus an anti-spyware product, plus backup, plus... is better.

barry said...

Actually, I can relate to this decision on replacing an AV mechanism with a HIPS-oriented solution. You see that approach out of more and more companies.

But something that raises a question is the fact that most organizations that move on to this type of solution usually implement a network-based AV to eliminate the SIGNATURE viruses and well-known zoo viruses, whereas the HIPS usually finds everything else and jails the applications and the OS to legitimate usage only.

Other solutions that I can relate this solution to are Cisco's CSA or the ISS BlackICE suites, which use a framework for each and every element that needs to be running, and run it in a kind of "jail mode".

If this solution is going down that path, what's the difference? What does "Savant Protection" bring to your desktop that makes you choose them (other than being on their advisory board, of course)?

Anonymous said...

Whitelisting has a lot of inner problems for the users. Problems with software updates, popup windows with user's confirmations... I believe in sandboxing!

Anonymous said...

This article *would've been* somewhat revealing about 4 years ago. Nowadays everybody knows not to rely only on AV but to complement it with additional layers such as firewall, anti-spyware, HIPS, etc. The more layers you can count on, the better protection you have. Sorry to say, but if you still think relying on a pure signature-based AV will do the trick, you're living in a dream world.

Dr Anton Chuvakin