Topic: Antivirus-less setup (Read 14667 times)

apankrat
Antivirus-less setup
« on: September 28, 2012, 02:30 AM »
Does anyone here run their primary machine without a resident (always on) antivirus? Not out of ignorance, negligence or laziness, but as a conscious choice. Simply being careful with installing and running 3rd party code (and having a dedicated VM for testing and trying random stuff).

Just curious if I'm an odd one out :-)


Alex

TaoPhoenix
Re: Antivirus-less setup
« Reply #1 on: September 28, 2012, 02:50 AM »
Last I knew on Windows the big problem was ambient Drive-By attacks that involved no user interaction at all. There was a meme at one point that a Windows Box "busy patching" with no AV would get hacked in a matter of hours.

eleman
Re: Antivirus-less setup
« Reply #2 on: September 28, 2012, 02:54 AM »
I've done that for maybe 10 years, without the VM, with occasional use of virustotal.

apankrat
Re: Antivirus-less setup
« Reply #3 on: September 28, 2012, 03:03 AM »
@TaoPhoenix - Good point, forgot to mention that all network interfaces are locked down in some form or fashion. Basically, there are few ways to get the machine infected with no interaction - mail, browser and network services. If these are sandboxed, the rest of the machine doesn't really need an always-on AV, does it?

@eleman - Ack, same here wrt virustotal.
Alex

eleman
Re: Antivirus-less setup
« Reply #4 on: September 28, 2012, 03:07 AM »
> Last I knew on Windows the big problem was ambient Drive-By attacks that involved no user interaction at all. There was a meme at one point that a Windows Box "busy patching" with no AV would get hacked in a matter of hours.


Usual Windows boxes at home sit behind blank NAT tables of DSL modems. So the chances are not that high even for vanilla Windows XP boxes to get infected without a user browsing penis enlargement sites.

Though machines at universities or other places with a direct internet connection, or boxes in large LANs, would be subject to this criticism.

Ath
Re: Antivirus-less setup
« Reply #5 on: September 28, 2012, 03:09 AM »
> There was a meme at one point that a Windows Box "busy patching" with no AV would get hacked in a matter of hours
That was for Windows XP without any service pack or update applied. And it would be infected within 18 minutes, on average :o

vlastimil
Re: Antivirus-less setup
« Reply #6 on: September 28, 2012, 05:16 AM »
I am not running any anti-virus on my main PC and have no (apparent) problems. Once every few years, I install something and let it test the machine and then uninstall it - in most cases, it finds nothing or some false positives.

If you decide to go this way, you MUST keep your system updated or be behind a good, preferably non-standard firewall. Modems usually have firewalls configured to kill any incoming packet, which is fine. If you are not behind a modem, you should probably install a custom firewall - one that is not too popular (which means not a valuable target for hackers).

Also, using a less popular browser used to be a good way to avoid infection. But gone are the days when IE dominated; these days IE, FF and Chrome are popular enough to be targeted by hackers. Chrome and FF are at least often updated, so vulnerabilities should not exist for too long. Opera is still probably the safest choice due to its market share...

And of course using common sense when installing/running applications is invaluable.

Stoic Joker
Re: Antivirus-less setup
« Reply #7 on: September 28, 2012, 06:47 AM »
Heuristics be damned, even with AV running on full KiLL the first ~50,000 that encounter a new bug/exploit are effectively, completely unprotected. While I am currently still running MSE, before starting that experiment I ran without anything other than common sense and the 80/20 rule.

Security is something that is practiced...not installed.

tomos
Re: Antivirus-less setup
« Reply #8 on: September 28, 2012, 07:23 AM »
> Does anyone here run their primary machine without a resident (always on) antivirus?

what other security measures do you take (if any)?

I would say in the last 8 or 9 years, my Anti-Virus has found one 'true'-positive - and even that was a bit of a fail cause it (AV) was completely closed down by the drive-by download that 'installed' the file (that I then manually killed/removed).

Point being,
I think I could and would survive quite well without anti-virus; with windows firewall. I also have Winpatrol pro - I'd keep that, it has been helpful keeping me informed what just installed software is trying to get up to.
Tom

apankrat
Re: Antivirus-less setup
« Reply #9 on: September 28, 2012, 08:29 AM »
> what other security measures do you take (if any)?

I rarely install anything. Whatever I install, I check the signatures and run it through online multi-scanners. I have all but TCP/IP switched off on all interfaces and I'd test the box now and then with rootkit and antivirus scanners. The reason I decided to bring this subject up is that I had my mail client crash while opening an email. The email was not malicious, but it made me realize that the mail client really needs to be sandboxed or isolated. Similarly, the browser needs to be isolated too, but it's of a lesser importance, because I can usually control where I surf (while with emails I don't control what I receive).

I wish there were an equivalent of chroot jail on Windows, but there's not. So what I ended up doing is setting up the mail client in a VM. It's not the most convenient option, but it's a very simple one.

Does anyone have any experience with Sandboxie or something similar? Sounds right, but not sure how well it works.
Alex

eleman
Re: Antivirus-less setup
« Reply #10 on: September 28, 2012, 08:33 AM »
> what other security measures do you take (if any)?

> I wish there were an equivalent of chroot jail on Windows, but there's not. So what I ended up doing is setting up the mail client in a VM. It's not the most convenient option, but it's a very simple one.

Uh, why not simply disable the js, activex, and similar garbage in the mail client? Even using plain text instead of rich text formats is a viable option.

apankrat
Re: Antivirus-less setup
« Reply #11 on: September 28, 2012, 09:24 AM »
> Uh, why not simply disable the js, activex, and similar garbage in the mail client? Even using plain text instead of rich text formats is a viable option.

Because a properly crafted email may exploit a vulnerability in the mail client upon arrival, well before it's viewed.
Alex

f0dder
Re: Antivirus-less setup
« Reply #12 on: September 28, 2012, 09:32 AM »
I wouldn't run a Windows machine without MSE and EMET. While I'm not likely to catch an infection because of the way my browser is set up[1], I can't see any good reason not to add a bit of extra protection - yes, there's a (in the normal case minimal, IMHO) performance penalty, but it's worth it.

[1]: FireFox without Java, Flash or AdobePDF plugins, with AdBlockPlus + NoScript + Ghostery + Certificate Patrol addons... also, all DNS requests go through DnsCrypt so I'm not getting MITM'ed there either (not a big chance of that happening at home on a wired connection, but still).

> I wish there were an equivalent of chroot jail on Windows, but there's not
Chroot isn't all what it's cranked up to be - if there's a local privilege exploit (which you'd also need on Windows to go from LUA->Admin), you're dead anyway. Yeah, it's an extra piece of mitigation and that's always useful, but it's definitely not a catchall.

> Does anyone have any experience with Sandboxie or something similar? Sounds right, but not sure how well it works.
Hummm, I'd personally go for a full VM - a bit more bother, but also more thorough isolation from the host. Sandboxie would be fine for testing out non-malicious software without having to clean up your system afterwards, but I wouldn't trust anything but a full-blown VM when security is involved.
- carpe noctem

tomos
Re: Antivirus-less setup
« Reply #13 on: September 28, 2012, 10:02 AM »
^ kind of on-topic:

do you never look at youtube videos f0dder :tellme:
Tom

f0dder
Re: Antivirus-less setup
« Reply #14 on: September 28, 2012, 10:08 AM »
> do you never look at youtube videos f0dder :tellme:
A lot are available in html5 video formats. For those that aren't (and other flash content), I consider whether it's worth firing up my Chrome install, which I use for flash-requiring stuff (it also had AdBlockPlus and Ghostery, and of course Chrome's default click-to-play activation of Flash content). If I need browser Java (which is solely for the atrocious NemID crap), I boot up my locked-down linux VM.
- carpe noctem

40hz
Re: Antivirus-less setup
« Reply #15 on: September 28, 2012, 10:29 AM »
I take reasonable precautions. Under Windows I either run MSE or the free version of Avira, watch where I visit, block scripts, keep everything obsessively updated, and disable known vulnerability risks (java, flash) unless I actually need them for something.

I never had a problem, except once about two years ago when something walked through all the security I had on my system like it wasn't there. I "felt" the machine suddenly get weird and next saw all the drives suddenly start polling. (It's never a good sign when an optical drive suddenly spins up looking for a disk for no good reason.) The HD drive lights started strobing, CPU and RAM usage went to 100%, and taskman showed child processes sprouting all over the place. I hit the killswitch on the network connection and did a hard powerdown before it got too far. But not in time to prevent it from roaching the machine so badly it required a full system restore to get it to reboot afterwards.

Never found out what hit me, although I had a client who got nailed by something very similar the same day.

[image: war_worlds_spielberg_43_x.jpg]

So to reinforce Stoic's earlier point about the first 50,000 who get hit by something new, it doesn't ultimately matter if you're one of them. But with hundreds of millions of PCs in the world, the odds of you being in the first group to get hit are extremely slim. At which point the OS and AV people are on it and you're protected as long as you update regularly.

A good AV scanner's performance hit is negligible and the risks it protects you from are real.

Use one. 8)

« Last Edit: September 28, 2012, 10:36 AM by 40hz »

f0dder
Re: Antivirus-less setup
« Reply #16 on: September 28, 2012, 11:01 AM »
> So to reinforce Stoic's earlier point about the first 50,000 who get hit by something new, it doesn't ultimately matter if you're one of them. But with hundreds of millions of PCs in the world, the odds of you being in the first group to get hit are extremely slim.
...and if you install EMET, you further reduce the risk of being one of those lucky 50.000. Mitigation, baby, mitigation <3
- carpe noctem

40hz
Re: Antivirus-less setup
« Reply #17 on: September 28, 2012, 11:09 AM »
^@f - Downloaded and installed. Thx for the heads-up on that. I remember seeing that awhile back in the partner news - and ignoring it. :-[

Stoic Joker
Re: Antivirus-less setup
« Reply #18 on: September 28, 2012, 11:21 AM »
^+1  :D

> So to reinforce Stoic's earlier point about the first 50,000 who get hit by something new, it doesn't ultimately matter if you're one of them. But with hundreds of millions of PCs in the world, the odds of you being in the first group to get hit are extremely slim.
> ...and if you install EMET, you further reduce the risk of being one of those lucky 50.000. Mitigation, baby, mitigation <3


I gotta toss this EMET thing on top of my to-do list. It does look quite interesting. Any common hiccups to watch/look for in a network sized rollout of this that you know of?

f0dder
Re: Antivirus-less setup
« Reply #19 on: September 28, 2012, 11:42 AM »
> I gotta toss this EMET thing on top of my to-do list. It does look quite interesting. Any common hiccups to watch/look for in a network sized rollout of this that you know of?
Probably plenty - at least if you have any badly programmed (or übernazi-softwareprotectioncrapped) software installed. If you've got stuff that doesn't like DEP, it's probably gonna break bad on EMET :)

Then again, you can enable mitigations on a per-process basis, so it should be possible to roll out on a network-wide basis, as long as you do some thorough testing of the enabled profiles first.

And of course it's "just" mitigation - some of it has already been broken. It does raise the bar substantially for exploit code, though, and not all exploit writers are going to add EMET penetration on top of already complex exploits, since it's still a minority that runs EMET. So, as things are now, it's a decent extra bit of mitigation :-) (but yes, of course the Metasploit (and the far more sinister people you don't hear about) are playing around.)
- carpe noctem

Stoic Joker
Re: Antivirus-less setup
« Reply #20 on: September 28, 2012, 11:54 AM »
> I gotta toss this EMET thing on top of my to-do list. It does look quite interesting. Any common hiccups to watch/look for in a network sized rollout of this that you know of?
> Probably plenty - at least if you have any badly programmed (or übernazi-softwareprotectioncrapped) software installed. If you've got stuff that doesn't like DEP, it's probably gonna break bad on EMET :)

Sweet! ...I'm a huge DEP/NX fan - It runs for all programs enterprise wide - So if I can use it as a behavior baseline deployment should be a breeze.

Draco says it's DEP or die period on our office network ... And I'm Draco. ;) :D

40hz
Re: Antivirus-less setup
« Reply #21 on: September 28, 2012, 12:25 PM »
> Draco says it's DEP or die period on our office network

Agree. It's going on. Period. End of discussion. 8)

apankrat
Re: Antivirus-less setup
« Reply #22 on: September 28, 2012, 01:20 PM »
> I gotta toss this EMET thing on top of my to-do list. It does look quite interesting. Any common hiccups to watch/look for in a network sized rollout of this that you know of?

Any tech papers on how it works? I'm guessing it's doing some sort of ASLR and perhaps something else?


(edit) Ah, never mind. Here's the list of what it does -

[image: emet.png]
Alex
« Last Edit: September 28, 2012, 01:32 PM by apankrat »

apankrat
Re: Antivirus-less setup
« Reply #23 on: September 28, 2012, 01:39 PM »
Apparently, EMET 3.5 is available - http://www.microsoft...etails.aspx?id=30424
Alex

40hz
Re: Antivirus-less setup
« Reply #24 on: September 28, 2012, 01:59 PM »
> Any tech papers on how it works?

Microsoft has a full KB on it here. Blog post over at TechNet here. Good basic intro courtesy of the Dedoimedo blog here.
« Last Edit: September 28, 2012, 02:05 PM by 40hz »