
Monday, October 27, 2008

Popular ideas about AV

There was a recent posting on Slashdot asking what reliable, free AV software is out there. It is very interesting to read the comments, since this is a geeky audience. If they get things wrong, what chance does the general population have of getting things right? Also, these are the people most likely to act as informal "technical support" for family, friends, etc., so them having the right ideas is crucial for the larger population's safety online.

Here are some things I observed:

  • Interestingly, there were very few "just use Linux/MacOS" trolls.
  • People have no idea about the detection rates, but have a very good idea about performance (or the lack of it). This is understandable since performance is something they experience day in and day out.
  • Very dangerous: many don't seem to know the difference between on-demand and on-access scanning. Because ClamAV (and its Windows port ClamWin) by itself only offers on-demand scanning (plus integration with a few programs like Firefox), they associate it with higher performance, not understanding the severe degradation of protection they get in exchange.
  • There is the conception that "a weekly (daily) full scan is enough" (this in association with the previous point of using only on-demand scanning). This again is very dangerous, because by the time you get to the scan, the damage has probably already been done (any valuable information has been stolen). More importantly, after the malware has run, you probably don't have anything to scan with! (Much malware tries to disable AV software by stopping services, killing processes, deleting files/registry entries, etc.)
  • There still seems to be a widespread belief that "unless you do something dangerous like downloading illegal software / watching porn, you're safe". This is ignoring the current reality, where legitimate sites (like news sites) get hacked on a regular basis and the malicious code is injected in them.
  • There is very little awareness about the advantages of running as non-administrator.
  • There are some postings from people whose problems seem to be caused by the improper configuration of their software (like machines getting slowed down periodically - which probably means that they have a scheduled scan and they don't know it).
  • There is some misunderstanding about what the capabilities of AV engines are (scanning packed/unpacked executables for example). I don't blame them, the marketing is really confusing on this one (mostly because the marketing people themselves don't understand what they are talking about). And some suites adding a HIPS doesn't help the situation either...
  • Some people seem to be stuck with some antiquated ideas: "no AV is going to stop worms. You need a firewall for that". <sarcasm>Yes, especially these days when most worms spread through network shares / USB sticks / IM / e-mail. I suppose you could use "deny all" as your single rule in the firewall - that would make things much better.</sarcasm>
  • "Only zero-day vulnerabilities are important" - are you sure that all the PCs you maintain have their patches up to date, both for the OS and for every additional application? If not, you have just set yourself up to be exploited (it's not happening only on the "shady" internet sites).
  • Many people misspell Ad-Aware as Adware. Funny :-)
