
Criteria
"11 of 18 criteria it assess"
Sounds like a loose specification. Could someone point me to a summary of the criteria?
Microsoft Security Essentials, Redmond’s free antivirus tool for home users and businesses with up to ten PCs, can detect just 64 per cent of zero-day threats when running under Windows 7. That low detection rate has cost it the AV-TEST Institute’s seal of approval, a certification it hands out to products that meet 11 of 18 …
No. A zero-day threat is a threat not KNOWN to the producers of defenses. Just because they haven't seen it yet doesn't necessarily mean that they cannot detect and block it. Many security packages contain not only a known-malware scanner but also a range of generic tools that can detect not-yet-known threats. Such tools include heuristic analyzers, behavior blockers, integrity checkers, and so on.
Yes, I am aware that the unwashed masses still think that anti-virus products just look for scan strings (short sequences of bytes from the known malicious programs) but in reality we stopped relying exclusively on that method more than two decades ago. Nowadays the better products use scan strings only to trigger their other, more sophisticated malware detection and identification algorithms.
that AVs can also act as MAC (mandatory access control) tools? Like AppArmor, SELinux, TrustedBSD? Given the fact that most AVs are closed (including this one) and no one knows what algorithms they are using, that they are not transparently configurable like the actual MAC tools, and, finally, the frequent "My AV is slowing down my PC!!!" user complaints, the AVs' MAC implementation is poor indeed. Moreover, AppArmor's MAC implementation is an extension of the POSIX permissions system present on the *nix OSes, which is still rudimentary on Windows.
Of course not. AV packages are just applications. MACs have to be enforced by the OS (preferably - with hardware support), or they are useless. In addition, MACs enforce confidentiality, while malware tends to be an integrity problem. While a typical MAC system is very robust for protecting higher-classified information from being leaked to lower-ranked users, the integrity problems that the lower-ranked users have tend to move (i.e., infect) the higher-ranked ones even faster than on a typical DAC (discretionary access control) system, where the disaster happens only after the virus manages to infect a high-ranked user.
No, I was talking about much simpler things. Behavior blocking ("why does Excel.exe suddenly want to open cmd.exe for writing?!"), integrity checking ("why the heck did the master boot record change?!"), heuristic analysis (dynamic like in "let's run this program in a sandbox and see if it does anything naughty" or static like "does the structure of this executable file suggest that it is obfuscated and tries to do something naughty when executed?").
I am not sure what you meant with your remark about open source. The only open source AV I know of is pure crap and is clearly made by people who don't have the slightest clue how to design a proper AV product. Or if you meant that I don't really know how AV products work, since I haven't seen their source, then I suggest that you google my name. Trust me, I *have* seen them from the inside and *know* how they work.
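The two signature-free checks named in the reply above, a behavior-blocking rule ("why does Excel.exe suddenly want to open cmd.exe?") and an integrity check on the master boot record, as an added example that is not part of the original thread. The process-creation events and the 512-byte "MBR" are constructed sample data, not real telemetry; the parent/child lists are an assumption for illustration, not any product's actual rule set.

```python
"""Added example: generic, signature-free malware checks.

1. Behavior blocking: flag an Office application spawning a command
   interpreter, regardless of what the child binary's hash is.
2. Integrity checking: record a hash (and a copy) of a critical block such
   as the MBR and report the first changed offset when it is altered.
"""
import hashlib

# Constructed sample of process-creation events (parent, child, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "child": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgA..."},
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" budget.xlsx'},
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iex(...)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]

# Assumed rule lists for the example; a real product tunes these per site.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def behaviour_alerts(events):
    """Return one alert string per Office-app -> interpreter spawn.

    No byte pattern of the child is consulted, so a never-before-seen
    dropper that uses this technique is still caught.
    """
    alerts = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["child"])
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            alerts.append(f"{parent} spawned {child}: {ev['cmdline']}")
    return alerts


class IntegrityBaseline:
    """Hash plus reference copy of a critical block (e.g. the 512-byte MBR)."""

    def __init__(self, block):
        self.copy = bytes(block)
        self.digest = hashlib.sha256(self.copy).hexdigest()

    def check(self, block):
        """None if the block is unchanged, else the first differing offset."""
        block = bytes(block)
        if hashlib.sha256(block).hexdigest() == self.digest:
            return None
        for offset, (old, new) in enumerate(zip(self.copy, block)):
            if old != new:
                return offset
        return min(len(self.copy), len(block))  # length differs only


# Constructed 512-byte sector: a few boot-code bytes, zero padding, 0x55AA.
CLEAN_MBR = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(439) + bytes(64) + b"\x55\xaa"
# Same sector with a jump patched in at offset 16, as a bootkit might do.
INFECTED_MBR = CLEAN_MBR[:16] + b"\xe9\x00\x02" + CLEAN_MBR[19:]


if __name__ == "__main__":
    for line in behaviour_alerts(SAMPLE_EVENTS):
        print("BEHAVIOUR:", line)
    base = IntegrityBaseline(CLEAN_MBR)
    print("clean MBR changed at:", base.check(CLEAN_MBR))
    print("infected MBR changed at:", base.check(INFECTED_MBR))
```

Both checks are deliberately blind to what the offending code looks like: the behavior rule keys on who spawned whom, and the integrity check only knows that the block no longer matches its recorded state, which is exactly why such tools can fire on a sample the vendor has never seen.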
Ok, thanks, got it.
Behavior blocking ("why does Excel.exe suddenly want to open cmd.exe for writing?!")
And this is what AppArmor does (and SELinux). For AppArmor, in a profile you can allow and disallow execution of certain, or all but certain, things. Say, you can block Java or everything except Java. You can block whichever plugin (inside of Firefox) was not being used, in so-called "learning mode" ...
My point was that the bare principle of AV is flawed. They are designed, not in the best way, to sew up a huge gap deliberately and/or incompetently left by the OS. There is no point in taking pills if a person (the OS) is voluntarily stripping him/herself of the basic immune mechanisms of the body.
Given that of the last dozen or so Windows machines I've disinfected for friends & family, all but one were running up-to-date copies of MSE, and that several of them were back for the second (or more) round of cleaning, I've no confidence in MSE at all. I started replacing MSE with Avast about a year or so ago and have yet to have one of those machines need cleaning. I'm not saying Avast is invincible, and if it stops doing the job I'll replace it straightaway, but right now it has proven to be much more reliable than MSE.
I've not heard anyone, with the exception of the Linux-loving, MS-hating cabal (with whom you must be familiar), say much bad of note about MSE. Personally I think it's much better than AVG, the previous incumbent on my machines.
I also, have to ask - If you're such a fan of Linux, why do you feel the need to slag MS products off all the time?
I've had MSE miss a virus on a friend's PC before - thankfully a "let this program have firewall access?" prompt came up, alerting him.
We submitted the file to one of these online sites, and only 2 of the virus scanners caught it, so I'm not claiming MSE to be amazingly shit either, but that it can miss things is undeniable
But it's an imperfect world, and one has to deal with those slag-offable products.
There's only two MS products I've ever enthused about. Excel because ...well, it's brilliant!
And MSE ...because it seemed to be the only antivirus software I could use on a 7-yr-old (XP) laptop with hardly any memory and still be able to do anything else on the machine. I was impressed. I hope I can go on using it.
Snarky comment: as the magnet of most of the world's mal/virus/nasty ware, you'd think MS would be the world's experts in dealing with it. Why aren't they?
wasn't this the time the windows virus writers started work on flame/stuxnet/duqu variants?
no coincidence then?
no AV product will keep the bad guys out 100% of the time AND keep data 100% secure on the machine with 0% leakage whilst still connected to the internet
Given that most of the attack vectors seem to be through software nothing to do with M$, it's what I'd expect. Also, as a lot of the "paid for" products seem to hold you to ransom after the initial subscription* runs out and deeply embed themselves in so they are hard to root out, it's enough to drive you elsewhere.
*Year 1 is a special deal, we'll tighten the screws for next year!
I found that paying for Kaspersky was the better approach. And I have a Mac, but I prefer evidence over religion.. Kaspersky has been fairly consistent with their quality (measured over many years suffering Windows), and it doesn't lock up machines like other products do. OTOH, I will never in my life buy anything touched by Symantec again.
Personal opinion, of course, and YMMV..
Avast. I've been using it for years and never had an infection and the only false positives I've had have been software I've written myself. The current version does bug you a bit about upgrading to the paid version but just click no thanks.
Alternatively AVG and Avira are also free and have good detection rates.
Kaspersky makes me laugh when it asks ordinary folks -
"ALERT Kaspersky has detected that EXPLORER.EXE is trying to run! Which totally arbitrary and made up security group would you like Kaspersky to assign it to so that it may run appropriately?"
Ermm...........................
As others have said - it's free, it's not resource-hungry and, importantly, it uninstalls cleanly. I've tried many AV packages over the years and many are worse than actually having malware on your PC.
The first line of defence against malware is common sense - the only "malware" I've ever had on a PC in over 20 years is EICAR. Coupled with common sense, MSE will do just fine.
I've been using MSE since it was launched on three netbooks, two laptops and two tower systems at home and have never had any issues with malware etc.; this is on Vista and W7 systems.
As someone else commented - it is free, easy to install/uninstall and not at all resource hungry, unlike previous horrors that I have used in the past such as AVG, Norton and McAfee....
Just use common sense and use other features available in email and browsers as well.. for example.
You know there are a lot of Mac users who've said the same thing about running their systems without AV.
They at least have the advantage of running on an OS that was built with the possibility of having to enforce security considerations in normal use. And a far better track record of not getting infected.
I'd sooner use MSE than the bloat-ridden, designed-to-piss-off-anyone-with-the-smallest-sense-of-what-they-are-doing, costly pile of shite that is Norton and McAfee.
I used Nod32 for a while and it is very good, Nod is also very light, BUT MSE is free, and I don't do things that are plainly stupid to allow my PC to become infected. Yes, there is always a chance, but there is always a chance with ANY AV software. You simply can't argue with something that's better than nothing, that's FREE in every sense and very light on the system. I'd sooner the whole world used that than people not using anything, or installing McAfee 4 years ago and never bothering to renew it because "well, I have AV, so why do I need to buy it again..."
....just as it's now incorporated as standard in Windows 8, removing the need to bother with the likes of AVG/McAfee/Norton/Kaspersky etc.
Is it a few folks are very worried they could be out of a job in a short while?
If you use MSE and are concerned then install EMET 3.0, which is specifically designed to fight zero-day stuff.
I run it at max settings for all my machines and it works fine.
http://www.microsoft.com/en-us/download/details.aspx?id=29851
"JUST USE COMMON SENSE."
"I NEVER GET VIRUSES."
This stuff cracks me up. So much modern malware is designed to be undetectable, unless someone is monetizing and trying to get a quick buck by loading your machine with scareware. The amount of times I've heard "I use common sense", and then found spyeye or similar lurking around in the background...
As for active defences, Nod32 is a pretty good tool for corporate environments.
For home use, I recommend just disabling javascript and java on your browser. Run MBAM regularly from a USB pendrive. Ensure your firewall is functional, and keep up to date with patches. Avoid installing Java if you can, and don't use Adobe products. Preferably, do all this in a virtual machine inside your host machine.
I have dropped that from my suite of scanners for cleaning up HDDs.
For around a year now it's been virtually useless at detecting anything. I really don't know why folks still recommend it. Even when it was vaguely useful it still wouldn't detect everything on the first pass and needed at least another pass to get rid of the rest. Though mop-ups with the likes of Combofix were still needed.
Oh you did run at least two passes with MBAM?
I smile when I read folks writing "Oh I just ran MBAM and that seemed to sort it!"
Like hell it has.
@hplasm Why wouldn't they?
Virtually every corporate network out there uses antivirus because nearly everyone uses Windows. Everyone out there uses Windows because the de facto standard for every productivity application written in the last 20 years has been Windows, and rewriting all the programs would cost more than the various headaches Windows causes.
Not saying that it's right or even wise, it's just the way the world is.
Sure most of you are way more tech savvy than me, but I mess about a lot with this stuff and fix computers for friends and family. So this is for the noobs who are reading, who have the time and inclination to set up even a fairly old machine with mostly free software. I'm being Windows specific here.
What I'm running at the moment on a fairly old machine, because it takes very little resources, has a multi-layered approach and is free and not too difficult to use, is Comodo Internet Security. If I can use it then you tech-heads won't have any troubles. Along with the anti-virus, you get a HIPS, a firewall and a sandbox. You can use it straight out of the box/install by setting it to 'Proactive security' in the taskbar icon at the bottom; just right click and select 'configuration'.
See here for instructions and advice:
http://www.techsupportalert.com/content/how-install-comodo-firewall.htm
It really is worth taking the hour or two to read everything there and pretty soon you will have your CIS set up and running like a champ. Once this is done to your liking you can save your config file and then select as before at will, and even use it on other (similar) systems.
The anti-virus isn't bad. It can give some false positives, but I have it set for full heuristic, so to be expected. The HIPS, called Defense+ needs a few changes to get the best out of it, but it works fine out of the box/install as I mentioned. The firewall works a charm too. So it is an all in one integrated package on an old machine with hardly any resource hit for this kind of thing. Maybe I would get better av protection with avast or avira, but the hassle of setting them up is not worth it, they are resource hogs as well compared to what I have now. On new machines they are fine, but on older ones you can tell the difference in a big way. So everything is compatible with a nice easy to read GUI.
I would then chuck on Malwarebytes for a once weekly/every few days scan. And include Hitman Pro in there too.
Malwarebytes is free and fully functional for on-demand scanning. I have the pro version, but just use it on demand.
Hitman Pro is free as well in a similar vein, but if you do find any nasties you will have to activate it and this then starts a 30 day grace period, after which you will have to buy if you want it to still clean. You can still scan with it though, so if your system is clean, wait until you get another nasty... saves a few days that's all.
Another program that some laugh at but has its uses and is free is SAS. SuperAntiSpyware. It really comes to life when you are disinfecting a system that is riddled with crap, but on a clean machine it tends just to pick up tracking cookies and the odd trojan downloader. It is very fast though, which is why I mentioned it. It has picked up things that others have missed, also. Possibly its best feature though is the ability to set your home page only from SAS. This prevents browser hi-jacking. It only supports Internet Explorer, but that is the lowest level of your internet configuration as I understand it. One machine, the person only used FF, but he was still getting hi-jacked because the malware was changing his home page all the time. It's a small feature, but very useful. And make sure to turn off 'Use Proxy Server' or whatever it is in the config of Internet Explorer. This closes down another option for being taken over. Obviously if you don't need to use that feature, as I would assume most don't.
Another option is SpyBot Search and Destroy, but just use the 'Immunization' function, because on the whole it is quite slow and with poor detection rates. Update and Immunize once a month. Then forget about it.
And if you really want to go for it, install PrevX. It has excellent rootkit detection and is free for just scanning. It is super fast and has the benefit of being compatible with your other av. You can run PrevX and Comodo no problems. You might want to put in some exclusions in the config files obviously, but I have never had a problem. PrevX really is a great little second opinion real time scanner. But you can use it on demand or from the shell. Talking of rootkits, make sure you have a copy of Kaspersky TDSS killer. It's free too.
There you go. You're now all tooled up. It hasn't cost you anything and you can run it on a 10 year old laptop without too much penalty.
Now all you need to do is get a good hosts file and run it from HostsXpert and chuck in Homer, after you changed your DNS to Norton DNS or OpenDNS, or even Comodo's DNS. Btw, you get the option to use that when you set CIS up.
But try not to install GeekBuddy. It is a major resource hog that slows your machine way down. I'm not sure if it installs by default these days, but no problem - add/remove programs gets rid of it. Double check with Autoruns to make sure. Or use the Comodo version - Killswitch, another very handy utility to have around.
That's about it.
As for MSSE, it's a decent enough scanner, is free and lightweight to a certain degree. It's better than nothing and when I tend to use it is for technophobes that just want an av on their machine that they can totally forget about and pretend it is not there. EMET is good for system hardening too in this regard because once installed it can be pretty much forgotten. Of course you just set it to a basic level otherwise it is going to cause all kinds of problems that are hard to track down. But even set to the most basic level, I find it works just fine and will protect you against the 0 day exploits that were referenced in this article. Av doesn't really do that - it can help, but no Av is going to pick up more than what MSSE did, not by much anyway.
I'm not one of those people that say, Oh I don't need an Av. I could do without it, sure, but it is another level to your protection as long as it does not interfere with other things. But I'm certainly not one of these people that puts all their eggs in the mythical ANTI-VIRUS-SOLUTION basket either. You need HIPS, Firewall of course and Sandboxing.
God, don't set me off on sandboxing or virtual machines... a mere noob myself in this department, I find that I know more about it than 'some' people that 'know' about computers. But those that say "I don't use AV - Don't need it", tend to be people who are running Sandboxie or VirtualBox or both. But even they can get bitten if they get too complacent.
Sorry for the long post, it was for a noob that was interested. I've learned so much from others on this site, that it's nice to put something back sometimes (other than my overly verbose deranged rants ;-)).
Cheers.