1. 38

  2. 3

    Will need to read more on this, are we really at the point that windows defender is all you need? Seems like bad advice to turn off all A/V.

    1. 16

      I think it boils down to this: you’re safe (and don’t need AV), or you’re not safe and AV can’t save you.

      If you’re running evil.jpg.exe attachments and downloading applications from P2P networks or other sketchy sources (or not checking signatures, hashes, certificates), running unpatched software or shit software in general, etcetera, then you’re in trouble and while AV could save you from some, it simultaneously opens up more avenues for attack. And the malware is constantly changing, so windows where they bypass the AV’s heuristics are likely; or you’ve got overzealous AV with too many false positives and you learn to disable it or otherwise work around it to run all the things that could or could not harm you…

      Otherwise, your system is up to date, you check your sources and only use reputable stuff (+ don’t run a lot of unnecessary junk to begin with), then you’re probably not getting malware. You might still be vulnerable to undisclosed zero days, but I’m not convinced AV can actually protect you from them. So you don’t really need AV.

      Unfortunately a lot of people end up being in some sort of middle ground where they can’t verify all the things they receive. That’s a tough place to be, but having a basic AV (that doesn’t open up more vulnerabilities) could save you from trouble. In the end, your best bet is to keep the important stuff on another machine.

      1. 1

        Thanks for the insight. It’s not something that I’ve thought of for a while; whenever I’ve run a Windows machine it’s just been instinct to stick an A/V on it. Will just stick with the inbuilt stuff next time!

        1. 4

          When I used Windows, we did a combination of HIPS and sandboxing. That was often DefenseWall + SandboxIE. Another one substituted for DefenseWall in many cases. Can’t recall its name. Such measures were better than anti-virus since they prevented the problems the antivirus caused. Also, so little uptake of them that malware authors weren’t targeting bypasses at them. I doubt that changed.

          Oh yeah: don’t forget NoScript and HTTPS Everywhere. NoScript still saves me bandwidth & page load time. Unless I have to twiddle with it to get the right script among 20+. (rolls eyes) (curses site developers)

        2. 1

          Unfortunately a lot of people end up being in some sort of middle ground where they can’t verify all the things they receive. That’s a tough place to be, but having a basic AV (that doesn’t open up more vulnerabilities) could save you from trouble. In the end, your best bet is to keep the important stuff on another machine.

          I think that’s the problem area. Email is such a common attack vector these days and malware attacks are getting more and more sophisticated, with even more technically savvy users being caught. I find that ClamAV mail scanning catches a lot (I host my own email), but it’s still not perfect.

          FWIW, I’ve seen a few organisations move away from third party antivirus solutions towards Microsoft’s offerings over the past year or two. I’m not sure if that’s driven by cost or security though (perhaps both?). I could’ve sworn I saw it on Macs as well as Windows machines but I can’t seem to find any reference to a Microsoft antivirus product for OS X now. Hmm.

        3. 10

          I know you already got some replies that walked in the “no AV” direction, but I want to take it back up a step here – this article suggests sticking to Windows Defender, not turning off all AV.

          Plenty of security folks say Defender is solid, but maybe there’s this perception that since it’s free and bundled, and not playing out the kind of security theater and cross-product advertising that AV vendors tend to, that it’s a lesser option? I mean, Microsoft acquired good antivirus software and its team, and is improving and maintaining it and not turning it into a nightmare like the others.

          I think we, People of the Nerd Forums, may need to keep talking up Defender to get rid of whatever stigma there is. The important takeaway from the article is to turn off crap AV, not all.

          1. [Comment removed by author]

            1. 1

              Signatures in AV nowadays are not only based on hashes of the file. They can also check which APIs your malware uses at runtime. So, when your malware gets sampled, and if your randomization function only consists of changing the encryption seed in your packer layer, there is a high probability that your sample will still be matched by the same, unchanged, signature.

              Also how many AV engines have you tried? Would you want to show the link to your test on VirusTotal?
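A toy illustration of the point made in the comment above (added here; it is not the commenter’s code and not any real engine’s logic): a packer that only changes its XOR seed produces a different file hash every time, so a hash-based signature misses the re-seeded sample, while a signature on the API names visible once the payload is unpacked in memory still matches. The payload bytes, the XOR “packer” and the INJECTION_APIS rule are all constructed stand-ins for this example; a real engine would get the same view by emulating the unpacking stub or hooking API resolution at runtime.

```python
import hashlib
import re

# Constructed stand-in for a malicious payload: the unpacked code is just a
# byte string that names the Windows APIs it would resolve at runtime.
PAYLOAD = (b"\x90\x90 LoadLibraryA GetProcAddress VirtualAlloc "
           b"WriteProcessMemory CreateRemoteThread \x90\x90")

# Hypothetical "API signature": the rule fires when all of these names are
# present in the unpacked code (a classic process-injection triple).
INJECTION_APIS = {b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread"}


def keystream(seed: int, length: int) -> bytes:
    """Toy keystream derived from a one-byte seed (NOT real crypto)."""
    return bytes((seed + i * 7) & 0xFF for i in range(length))


def pack(payload: bytes, seed: int) -> bytes:
    """Toy packer layer: XOR the payload with a seed-derived keystream.
    The seed is stored in the first byte so the stub can unpack it."""
    assert 0 <= seed < 256
    body = bytes(a ^ b for a, b in zip(payload, keystream(seed, len(payload))))
    return bytes([seed]) + body


def unpack(blob: bytes) -> bytes:
    """What the unpacking stub does in memory at runtime, and therefore what
    an AV emulator or behaviour monitor gets to observe."""
    seed, body = blob[0], blob[1:]
    return bytes(a ^ b for a, b in zip(body, keystream(seed, len(body))))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(blob: bytes, known_hashes: set) -> bool:
    """Classic on-disk signature: exact hash of the file as shipped."""
    return sha256(blob) in known_hashes


def api_match(blob: bytes, required_apis: set) -> bool:
    """Signature on the APIs the code uses once unpacked; survives re-seeding."""
    names = set(re.findall(rb"[A-Za-z]+", unpack(blob)))
    return required_apis <= names


def demo() -> dict:
    # The sample packed with seed 0x41 gets "sampled" and its hash goes into
    # the signature database.
    sampled = pack(PAYLOAD, 0x41)
    known = {sha256(sampled)}
    # The author "randomizes" the next build by changing only the packer seed.
    reseeded = pack(PAYLOAD, 0xC3)
    return {
        "hash_catches_sampled": hash_match(sampled, known),
        "hash_catches_reseeded": hash_match(reseeded, known),
        "api_catches_sampled": api_match(sampled, INJECTION_APIS),
        "api_catches_reseeded": api_match(reseeded, INJECTION_APIS),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

Running it shows the hash signature catching only the sampled build while the API signature catches both; the same reasoning is why VirusTotal results on a freshly re-packed sample say little about detection once the thing actually executes.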

          2. 6

            I work in a somewhat AV-related position and get to see AVs’ verdicts on many digests each day (mostly AdWare / PUA). From my experience, Windows Defender is nothing close to good commercial AVs. It simply doesn’t cover as much ground and is often shipping signatures for broad campaigns quite late if at all. Personally, I rather like the ESET NOD32 or Malwarebytes engines and they are mostly the ones I rely on to have a clue whether a file is bad or not.

            My issue with this article is that it doesn’t specify who it targets. I think most people here are more tech savvy than the general populace and have good habits, like not downloading and running random executables. Most people here probably don’t even run Windows outside of VMs… Defender is probably a nice default that doesn’t get in the way.

            However, I don’t think I would recommend Defender alone for a family computer used by the kids to download free games and by the parents for financial transactions. The same applies to a corporate network, where good AVs can at least pick up on the basic phishing and broad-targeting malware.

            1. 3

              So the problem here is that most, by which I mean nearly all, of the AV software out there introduces more vulnerabilities than it patches. They wreak havoc in well-written codebases, opening holes in the browser and email applications faster than those applications can close them.

              If you want to make a case for AV you are going to have to show how much value they add that outweighs the swathe of destruction they create while doing so. It’s no longer acceptable for someone to inject themselves into every process on a machine doing who knows what, increasing the attack surface for all of those apps as well as violating the principles that make something like TLS a secure transport.

              The evidence is clear that the majority of the Vendors have been very bad actors. There is little evidence that they provide any real value.

          3. 1

            I guess the main reason he doesn’t recommend turning off Defender is that, for normal people, it’s not even possible :P

            1. 1

              Disable your software that requires antivirus*

              1. 1

                Microsoft, fix your operating system quick! People do not know how to deal with security on Windows anymore.