ssj100 Security Forums

Why use a real-time Antivirus?


Post by ssj100 15/2/2011, 05:09

The first thing that came to my mind when I wrote the topic title of this thread was that I should create a series of documentaries on "Why use a...?" Haha. Of course, I recently created a thread called "Why use a third party software firewall?".

Going along the same lines, I would like to hear what others think about this. I know many on this forum and across other forums still use and/or rely (eg. they get better peace of mind) on real-time Antivirus software. To simplify things, my definition of "real-time Antivirus software" is as follows:
Anything that has a black-listing and/or behaviour-blocking component. This includes well known "Antivirus software" like Microsoft Security Essentials, Norton Antivirus, ESET NOD32 Antivirus, avast! Antivirus, Avira AntiVir, Kaspersky Antivirus, F-Secure Antivirus, and also includes other types of software such as Prevx and Mamutu.

For me personally, I remember using Norton Antivirus 2002 (might have been 2001) as my very first real-time Antivirus program. From memory, it came pre-installed on my system. At that stage, I didn't have nearly as much knowledge about Windows computer security as I do now. I then moved to ESET NOD32 Antivirus, and finally to Avira AntiVir.

I think it was around early 2010 when I realised that a real-time Antivirus wasn't required for my security setup/approach. It became even more important to not use a real-time Antivirus when I discovered a conflict between Avira and Sandboxie. At that stage, I had been contemplating only using Avira on-demand. However, even with the Avira guard not installed, and therefore using Avira on-demand only, the conflict still existed. The conflict was conceptually a very serious one, as it essentially resulted in Sandboxie being bypassed (and it wasn't just Avira which caused the conflict - probably all other Antivirus software were also culprits). This made me think very carefully with regards to the actual benefits I was getting from my Antivirus and the known (and unknown) harms that could be potentially inflicted.

Basically I proposed to myself that a real-time Antivirus wasn't necessary because of the following:
1. I ran as a Limited User with SRP enabled. This essentially meant that 100% (or 99.99%?) of real-world malware wouldn't be able to run even if it got on to my system.
2. The use of Sandboxie. This essentially contained all my threat-gates - USB/CD/DVD drives, web browsers, chat messenger programs, games which connect out (eg. Starcraft connecting to Bnet to play online), torrent programs (I no longer use these) etc.
Furthermore, I figured out a convenient method of opening files sandboxed via a sandboxed "explorer.exe". However, becoming more and more security conscious (or paranoid haha), I became concerned with malware which could be executed without having to open the file (eg. just by hovering the mouse cursor over the file). For this issue, I soon worked out a solution; again with the use of Sandboxie - it involved dedicating a folder for all newly introduced files and always opening this folder sandboxed to browse and open files. Deleting files in this folder would be achieved via batch commands. In this way, I would never have to even browse the newly introduced file on my REAL system.

If you fully understand the above, then you'll probably realise that the real-time Antivirus program arguably plays no part in the setup/approach. However, on-demand scanners would still be of great use. For example, all newly introduced files in the dedicated folder (as described above) could be analysed by various on-demand scanners. With regards to downloaded files eg. in the form of an installer, relying on Digital Signatures and/or Hash codes would be better than relying on scanners, although there would be no harm in asking the opinion of scanners. Anyway, the point is that this can be achieved with on-demand scanning, and many of these scanners can be installed and executed sandboxed (thus removing conflict potential as with the Avira and Sandboxie example above).

So that's why I personally don't run a real-time Antivirus (nor do I have any on-demand scanners installed on the REAL system).
ssj100
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com
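
Added here as an editor's example, not code from ssj100's post or from any project: a PowerShell check that does the two things the post puts ahead of scanners, verifying an installer's Authenticode signature and comparing its SHA-256 with the value the vendor publishes, before the file is allowed out of the dedicated new-files folder. It assumes Windows PowerShell 4 or later (for Get-FileHash); the folder path, the hash and the publisher name are placeholders.

```powershell
# Editor's example, not from the thread. Placeholder values are marked as such.
function Test-QuarantinedInstaller {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [string] $ExpectedSha256,         # SHA-256 copied from the vendor's download page
        [string] $ExpectedSignerPattern   # regex matched against the signer subject, e.g. 'CN=Example Vendor'
    )

    $result = [ordered]@{
        File        = $Path
        SignatureOK = $false
        Signer      = $null
        HashOK      = $false
        Sha256      = $null
        Reasons     = @()
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Reasons += 'file not found'
        return [pscustomobject]$result
    }

    # 1. Authenticode. Only 'Valid' passes: the chain builds to a trusted root and the
    #    file is unchanged since signing. NotSigned, HashMismatch and UnknownError all
    #    fail here; an unsigned installer needs a decision, not a silent pass.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') {
        $result.Signer = $sig.SignerCertificate.Subject
        if ($ExpectedSignerPattern -and ($result.Signer -notmatch $ExpectedSignerPattern)) {
            # A valid signature from the wrong publisher is still the wrong file.
            $result.Reasons += "signed by '$($result.Signer)', not the expected publisher"
        } else {
            $result.SignatureOK = $true
        }
    } else {
        $result.Reasons += "signature status is $($sig.Status)"
    }

    # 2. Published hash. A mismatch means this is not the file the vendor published,
    #    whatever an on-demand scanner says about it.
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256) {
        if ($result.Sha256 -ieq ($ExpectedSha256 -replace '\s', '')) {
            $result.HashOK = $true
        } else {
            $result.Reasons += 'SHA-256 does not match the published value'
        }
    } else {
        $result.Reasons += 'no published hash supplied; only the signature was checked'
    }

    [pscustomobject]$result
}

# Usage with placeholder values (the real hash comes from the vendor's page):
$check = Test-QuarantinedInstaller -Path 'D:\NewFiles\setup.exe' `
    -ExpectedSha256 '<sha256 from the vendor page>' `
    -ExpectedSignerPattern 'CN=Example Vendor'
$check | Format-List
if (-not ($check.SignatureOK -and $check.HashOK)) {
    Write-Warning ('Keep this file in the sandboxed folder: ' + ($check.Reasons -join '; '))
}
```

The signer check matters as much as the status: a file signed with a valid certificate belonging to someone other than the expected vendor passes Get-AuthenticodeSignature but is still not the file you meant to install. The hash comparison is independent of the signature, so an unsigned download can still be accepted on the strength of a hash obtained over a separate channel.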


Post by Sadeghi85 15/2/2011, 06:31

I never liked to have a real-time AV, I consider it a waste of resources. Personally, I prefer virtualization, I've installed Avira & Avast as on-demand in a VM.

Most of the time I download from trusted sources and verify by digital signatures and hashes; it very rarely happens that I'd like to download from less-known sources, in which case I just scan the file in a VM.

Sadeghi85
Member

Posts : 66
Join date : 2010-07-22


Post by Rico 15/2/2011, 08:13

Using a real-time AV is not a biggie for me. I consider it to be a safety net which, even though it is not really significant, is one that doesn't bother me. The reason is that modern PCs and a light AV seem to be pretty good together; if it felt like Norton 2005, I would have kicked it off in a jiffy without hesitating.

Rico
Advanced Member

Posts : 118
Join date : 2010-06-18


Post by ssj100 15/2/2011, 08:50

Rico wrote: Using a real-time AV is not a biggie for me. I consider it to be a safety net which, even though it is not really significant, is one that doesn't bother me. The reason is that modern PCs and a light AV seem to be pretty good together; if it felt like Norton 2005, I would have kicked it off in a jiffy without hesitating.
Yes, I agree that many real-time Antivirus software nowadays have minimal impact on the system. However, personally, even minimal impact is too much haha. Also, keep in mind the potential for conflict. Now, to be fair and objective, I'm probably harping on far too much about this conflict business. In fact, the Antivirus conflict with Sandboxie was with a Sandboxie Beta version. But regardless, the risk is there and even tzuk admits it.
ssj100
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com


Post by Rico 15/2/2011, 09:07

True, but Tzuk kinda recommends having AV actually. Of course I don't need it since I run virtualized all the time and run anything untrusted in isolation, but it's good for knowing whether a website is a source of crapware or not before recommending it to others who may not be protected.

I would use VT but unfortunately their size limit and upload requirements are just too limiting.

Rico
Advanced Member

Posts : 118
Join date : 2010-06-18


Post by ssj100 15/2/2011, 09:15

Rico wrote: True, but Tzuk kinda recommends having AV actually.
And so do I, in general. I don't know anyone in real life that I would feel comfortable recommending NOT to run a real-time Antivirus! They simply don't have a good security setup/approach, and the Antivirus is better than nothing.

By the way, last time I asked, tzuk only uses Sandboxie in a full blown Administrator account and nothing else! But I guess he's obliged to say that right? Haha.

Rico wrote: but it's good for knowing whether a website is a source of crapware or not before recommending it to others who may not be protected.
Isn't that more of a URL scanner? I suppose more and more "Antivirus" software are integrating those now?
ssj100
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com


Post by Rico 15/2/2011, 09:48

What I meant by that was in the case of the occasional download where it could be harboring some hidden intentions but also displays anti-VM techniques.

URL scanners are nice to have but are an unnecessary burden IMO. AV seems to serve me in the rare situation when a drive-by is triggered, hence giving me a hint about where I stand.

I don't use things like Clearcloud DNS because I don't like restricting my browsing experience. My philosophy is that if I make my machine an inhospitable barren prison cell for malware, I say bring it on ;)

Rico
Advanced Member

Posts : 118
Join date : 2010-06-18


Post by Rico 15/2/2011, 09:54

It must feel great for tzuk that he can use protection that he built and knows how reliable it is instead of relying on some other security companies for protection. Nothing scratches one's back better than their own hand.

Rico
Advanced Member

Posts : 118
Join date : 2010-06-18


Post by ssj100 15/2/2011, 10:03

Rico wrote: What I meant by that was in the case of the occasional download where it could be harboring some hidden intentions but also displays anti-VM techniques.
Yes, and that's why I regularly use on-demand scanning before recovering files to be stored more permanently on my REAL system, or before giving out the file to other people. I've got nothing against on-demand scanning!

Typically for me, for files that I store more permanently away, they usually end up on an external hard-drive (USB). I generally access, browse and open these files sandboxed anyway, so in some ways, on-demand scanning isn't crucial (for me).
ssj100
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com


Post by p2u 15/2/2011, 10:31

ssj100 wrote: If you fully understand the above, then you'll probably realise that the real-time Antivirus program arguably plays no part in the setup/approach.
I think anybody who knows something about REAL computer security and REAL attack vectors realizes this, but a real-time Antivirus will be part of the requirements for the mandatory "Computer Health Certificate" Microsoft, Intel and others are cooking up for us. Whether that real-time Antivirus will be compatible with your Sandboxie (which is a million times more secure) will not be an issue. No "Health Certificate" - no Internet access. If the Security Center is "green" all over, you're good to go. Otherwise you will have to solve your "problem".
P.S.: My "Nostradamic" view on it all: Adequate defense isn't enough; for some up there 1) authentication, 2) identification, and 3) widespread auditing are the next steps in solving the "computer security" problem. Traditionally, security solutions should report to the system owner only (that is: to YOU), not to the ISP or the software vendor. The owner of the machine should determine which software is appropriate to run on the system, what songs to listen to, what films to watch, what sites to visit, etc., but instead we will see more and more of the collectivist "approval" model for our computing environment (the one-sided love affair called "Trusted computing"). Actually, Microsoft has accomplished this already, since on Vista and up, the owner of YOUR system is not you; it's Microsoft's Trusted Installer. If you try to change that, you may end up without access to the system at all. Antiviruses (only Microsoft's Gold Certified Partners, of course) will play a significant role in the scheme since they have access to literally everything on your system. Add in-the-cloud "protection" to the equation and you have the perfect reason for running a real-time antivirus. Whether you like that picture or not, whether it's an effective approach to computer security or not, you will have no choice but to comply.

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14


Post by Ruhe 15/2/2011, 15:05

It's not unusual behavior; many installation routines need admin rights (even for harmless tasks). Before you install the application you run an on-demand scan on the file. What do you do if the installation file (setup) contains a malicious executable that isn't detected by the used anti-virus software...but after the installation?
Ruhe
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany


Post by ssj100 15/2/2011, 15:16

I think I understand what you're saying Ruhe, but I think this assumes that the user does not check Digital Signatures and Hash codes etc, or that they (regularly) install relatively unknown software on their REAL system.

Happily, these assumptions don't hold true for me.

In the end, I suppose you're looking at this risk-benefit scenario:
Risk: Not having a real-time Antivirus may result in missing unintentionally installed malware. Of course, even having a real-time Antivirus may result in missing it anyway.
Benefits: No risk of conflict, and no slow-downs etc.

For me, I suppose I am a bit biased - I have observed Antivirus software directly conflict with Sandboxie first-hand, while I have never encountered malware unintentionally (in the many years I used a real-time Antivirus and in my current habit of occasionally performing an on-demand full system scan).
ssj100
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com


Post by Sadeghi85 15/2/2011, 21:38

Ruhe wrote: What do you do if the installation file (setup) contains a malicious executable that isn't detected by the used anti-virus software...but after the installation?

I use 7-Zip to extract all the files from the setup file recursively, then I upload all the files to VirusTotal and also scan them with on-demand scanners, but it rarely happens that I need to do that.

Sadeghi85
Member

Posts : 66
Join date : 2010-07-22
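
An editor's example of the unpack-then-scan step Sadeghi85 describes, written against the 7-Zip command-line tool; it is not Sadeghi85's own script. It extracts an installer into a scratch folder, descends into anything that came out which could itself be a container, and lists every file carrying a PE ("MZ") header together with its SHA-256, so the hashes can be looked up or the files handed to on-demand scanners. It assumes 7z.exe is on PATH and PowerShell 4 or later (Get-FileHash); the paths are placeholders. When 7-Zip cannot parse the top-level file, which is the custom, self-written installer case Ruhe raises in the next reply, the function reports that instead of returning an empty list that looks clean.

```powershell
# Editor's example, not Sadeghi85's script. Requires 7z.exe on PATH; paths are placeholders.
function Expand-InstallerRecursive {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $OutDir,
        [int] $MaxDepth = 4     # bound on nesting, so a self-nesting archive cannot run forever
    )
    # Extensions worth handing to 7-Zip again after they have been extracted.
    $containerExt = '.exe', '.msi', '.msp', '.cab', '.zip', '.7z', '.rar'
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ File = (Resolve-Path -LiteralPath $Path).Path; Depth = 0 })
    $executables = @()
    $notes       = @()
    $seq         = 0

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        $seq += 1
        $dest = Join-Path $OutDir ('d{0}_{1}_{2}' -f $item.Depth, $seq, [IO.Path]::GetFileName($item.File))
        New-Item -ItemType Directory -Path $dest -Force | Out-Null

        # 7z x: extract with paths; -o<dir>: output folder (no space after -o); -y: no prompts.
        # Exit code 0 = ok, 1 = warnings, 2 or more = 7-Zip could not open the file.
        & 7z x $item.File "-o$dest" -y | Out-Null
        if ($LASTEXITCODE -gt 1) {
            if ($item.Depth -eq 0) {
                $notes += "7-Zip cannot unpack '$($item.File)' (exit $LASTEXITCODE); custom installer, nothing was inspected"
            }
            Remove-Item -LiteralPath $dest -Recurse -Force -ErrorAction SilentlyContinue
            continue
        }

        foreach ($f in Get-ChildItem -LiteralPath $dest -File -Recurse) {
            # Identify executables by the 'MZ' header rather than by extension.
            $fs  = [IO.File]::OpenRead($f.FullName)
            $buf = New-Object byte[] 2
            $n   = $fs.Read($buf, 0, 2)
            $fs.Close()
            $isPe = ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
            if ($isPe) {
                $executables += [pscustomobject]@{
                    Depth  = $item.Depth + 1
                    File   = $f.FullName
                    Sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                }
            }
            # Queue anything that might itself be a container. 7-Zip also opens a plain PE
            # file as its sections, which leaves a few non-MZ files behind as noise but
            # nothing that would be listed as an executable.
            if (($isPe -or ($containerExt -contains $f.Extension.ToLower())) -and ($item.Depth + 1 -lt $MaxDepth)) {
                $queue.Enqueue(@{ File = $f.FullName; Depth = $item.Depth + 1 })
            }
        }
    }
    [pscustomobject]@{ Executables = $executables; Notes = $notes }
}

# Usage (placeholder paths): unpack into a scratch folder, then review what came out.
$report = Expand-InstallerRecursive -Path 'D:\NewFiles\setup.exe' -OutDir 'D:\NewFiles\unpacked'
$report.Executables | Sort-Object Depth, File | Format-Table Depth, Sha256, File -AutoSize
$report.Notes | ForEach-Object { Write-Warning $_ }
```

Run this inside the sandbox or VM the thread already uses for untrusted files, since extraction writes the embedded executables to disk. The depth limit and the explicit note for an unparseable top-level file are the two things to keep even if the rest is simplified: without them a nested archive can keep the loop busy indefinitely, and a custom installer silently produces an empty, reassuring result.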


Post by Ruhe 15/2/2011, 22:46

Sadeghi85 wrote: I use 7-Zip to extract all the files from the setup file recursively
Which doesn't work with custom, meaning self-written, installers.
Ruhe
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany
