Is Antivirus Software a Waste of Money?

[wraith808]

Not only does common sense not get updated, I've found it is also prone to being disabled very easily. 

-x16wda (July 27, 2014, 07:55 AM)

Common sense isn't so common 

[40hz]

I just got my first call from someone who had gotten dual-bitten by a password logging bot plus (to my amazement) some ransomware.

She was running a (mostly) updated copy of Win7x64 along with MS Security Essentials.

A close check of all her financial and personal logins followed by the creation of some strong new passwords fixed that worry. Fortunately, nothing was tampered with as far as she and we could tell.

The damage done by ransomware encryption was annoying, but less an issue since she had clean and very recent backups of all her critical stuff.

One HD wipe, reformat, and OS/apps/data reinstall and she was back to normal except for some personal inconvenience plus some money spent getting help and buying more powerful commercial antimalware.

Draw from this what conclusions you will.
.

[wraith808]

The conclusion that I think I'm drawing is that I should have long ago switched to the paid version of spybot if I want AV...

[Stoic Joker]

The damage done by ransomware encryption was annoying, but less an issue since she had clean and very recent backups of all her critical stuff.

-40hz (July 27, 2014, 01:06 PM)

I've only ran into that one once during an accountant was checking their personal webmail at work episode. All the stuff on the server was saved using the Previous Versions feature (I really like that one), and all the stuff on the workstation was... hehehe ...Well they won't do that again.

Rule 0: No critical data is ever to be stored on a workstation.

[Tuxman]

Rule 0: No critical data is ever to be stored on a workstation.

-Stoic Joker (July 27, 2014, 10:39 PM)

Precisely. Store it in the Cloud!

[Giampy]

Store it in the Cloud!

-Tuxman (July 28, 2014, 05:40 AM)

Generally speaking, how much do you trust Cloud? I know that even Cloud is (as expected) under attack.

[Tuxman]

I don't trust servers I don't operate myself.

[wraith808]

Store it in the Cloud!

-Tuxman (July 28, 2014, 05:40 AM)

Generally speaking, how much do you trust Cloud? I know that even Cloud is (as expected) under attack.

-Giampy (July 28, 2014, 08:13 AM)

That wasn't a serious statement nor contribution to the thread.

[Tuxman]

I hope "store your critical data on machines you don't own" wasn't serious either...

[Stoic Joker]

Store it in the Cloud!

-Tuxman (July 28, 2014, 05:40 AM)

Generally speaking, how much do you trust Cloud? I know that even Cloud is (as expected) under attack.

-Giampy (July 28, 2014, 08:13 AM)

The Cloud is about as rife with penetration options as Linda Lovelace's entourage ... But I'm guessing he's unaware that I only deal with business/commercial class networks.

[wraith808]

I hope "store your critical data on machines you don't own" wasn't serious either...

-Tuxman (July 28, 2014, 08:28 AM)

He didn't say that.

Rule 0: No critical data is ever to be stored on a workstation.

-Stoic Joker (July 27, 2014, 10:39 PM)

Precisely. Store it in the Cloud!

-Tuxman (July 28, 2014, 05:40 AM)

That's the whole of that exchange.  Which isn't what he was saying, ergo, your response was... either sarcastic or asinine.  Or maybe both.

[Tuxman]

"Not on a workstation" - but ... on servers then?

[tomos]

"Not on a workstation" - but ... on servers then?

-Tuxman (July 28, 2014, 02:57 PM)

did I miss something
or
did you miss this post ... ?

The Cloud is about as rife with penetration options as Linda Lovelace's entourage ... But I'm guessing he's unaware that I only deal with business/commercial class networks.

-Stoic Joker (July 28, 2014, 12:30 PM)

[Tuxman]

Where to store the "critical data" then?

[wraith808]

Where to store the "critical data" then?

-Tuxman (July 28, 2014, 04:04 PM)

Dumb Terminals/Thin Clients connect to your own servers.  That's been a concept for a while...

[40hz]

Dumb Terminals/Thin Clients connect to your own servers.  That's been a concept for a while...

-wraith808 (July 28, 2014, 04:07 PM)

You could also run your own trusted private mesh network with some fellow travellers and keep it all off the public backbone.

It's not enough to just own the servers any more. You also need to own the actual network infrastructure.

[Jibz]

I just got my first call from someone who had gotten dual-bitten by a password logging bot plus (to my amazement) some ransomware.

She was running a (mostly) updated copy of Win7x64 along with MS Security Essentials.

...

Draw from this what conclusions you will.

-40hz (July 27, 2014, 01:06 PM)

The problem is you can't draw any more elaborate conclusions than that MSE did not stop this threat. For all we know, a commercial protection might have been equally useless.

[40hz]

I just got my first call from someone who had gotten dual-bitten by a password logging bot plus (to my amazement) some ransomware.

She was running a (mostly) updated copy of Win7x64 along with MS Security Essentials.

...

Draw from this what conclusions you will.

-40hz (July 27, 2014, 01:06 PM)

The problem is you can't draw any more elaborate conclusions than that MSE did not stop this threat. For all we know, a commercial protection might have been equally useless.

-Jibz (July 29, 2014, 02:22 AM)

Precisely.

To wit: the one and only time I ever got bit was some years back - on a fully protected and updated machine.

I think this is one of those situations where the old adage that "One prayer and a toothbrush is better than a thousand prayers and no toothbrush" applies. It's a more a risk minimization strategy rather than a risk elimination process.

How much additional protection you get going with something other than MSE as your main AV scanner is up for debate. But that's a topic I'm not really qualified (being merely an informed user - and not a bona fide security expert) to get into. About all I have to go on is what I'm seeing on the field. And what I'm seeing is that (lately) more and more stuff seems to be slipping past MSE.



FWIW I'm currently using BitDefender Total Security and Malwarebytes Premium as my two main guard dogs. Weighing in around $100 for that combo, it certainly isn't cheap. But I need to plug laptops into my client's networks. So I can't risk catching an infection - or even worse - spreading one. Most people won't have that concern, or need to be able to demonstrate "a reasonable level of precaution" has been exercised in the event something goes wrong. Your degree of liability can get a little sticky (and expensive) in business situations where finger pointing and blame assignment is the norm however.

If these were just personal machines that would never leave my home, I'd most likely use the freebie versions of the above.

YMMV.

[tomos]

FWIW I removed ransomware from a machine last year - it had the full Avira suite installed. I'm not writing this to knock Avira which I still think is one of the best conservative** anti-virus's out there. I suspect a lot of these things would get past most, if not all anti-viruses. (Maybe 40's combo above would work.)


** by conservative, I mean it errs on the false-positives side

[Stoic Joker]

It's a more a risk minimization strategy rather than a risk elimination process.

-40hz (July 29, 2014, 06:01 AM)

That's definitely an important distinction, as security software is like birth control. Everything is 98% effective...and the last 2% is entirely up to you.

[40hz]

I suspect a lot of these things would get past most, if not all anti-viruses.

-tomos (July 29, 2014, 06:33 AM)

That seems to be the case of late with this new breed of malware.

Especially since it probably came in piggy-backed on a PDF attachment to an e-mail from a trusted sender. Her Acrobat Reader was two generations old. Everything else was fairly up to date except for her JRE which was also a full version back. So those two were the most likely initial attack vectors. At least as far as we could semi-determine (i.e. guess.) She gets a lot of company and client-generated PDF and document attachments with her e-mail.

This is the first time I've actually seen rather than just heard about a case of ransomware. And I hope it's my last. This puppy was a nasty piece of work. We couldn't sanitize her drive. And we used every trick in the book. Inside the machine the drive kept calmly reinfecting itself no matter what was done to it. You could see it spawning new processes in taskman even while the scanners were busily quarantining it. Since this was happening in safe mode, I suspect whatever it ultimately was also had a rooting capability.

Taken out and scrubbed using a non-Windows environment to recover what little data could be recovered rendered it unbootable. Whoever programmed this attack was one savvy and mean SOB, that's for sure.

Thank goodness (in her case) for a well-disciplined backup habit. If she didn't have that, it would have been really bad for her.

[Stoic Joker]

She gets a lot of company and client-generated PDF and document attachments with her e-mail.

-40hz (July 29, 2014, 07:56 AM)

With the popularity of Multi Function Printers these days, many companies are going paperless-er. And it seems like a lot of the people that set these things up always leave the default subject line in the scan to email configuration. Se people being used to accepting 'Xerox/HP/Lexmark/whatever model X created document' for a subject line while dealing with 50-100 of these a day can make it easy as hell to miss a bad one. Especially if the attacker matches up the default naming convention of the manufacturer with their name ... Or picks something inconspicuous and relevant like Invoice, Receipt, or Purchase Order.
This happens mainly because nobody wants to have to stand there in front of the damn thing and type a bunch of anything in on one of those tiny assed touch screens. So default, default, default, and send it is. Every friggin time.

Anytime I have to setup scan to Email on one of these devices - which happens a lot given the business we're in - I change the subject line to something that is relevant to the sending company to avoid having their Emailed scans adding to the problem.

Given the popularity of the technology, and ease of blending in...those things can be a real bitch to spot. And as a card carrying BOFH, it truly pains me to say it ... But it's damn hard to blame the user for missing one of these.

[wraith808]

Given the popularity of the technology, and ease of blending in...those things can be a real bitch to spot. And as a card carrying BOFH, it truly pains me to say it ... But it's damn hard to blame the user for missing one of these.

-Stoic Joker (July 29, 2014, 11:36 AM)

That's the sad thing.  My wife was apologizing about falling for it, and I was saying that they're getting smarter, and it's harder and harder to tell the difference.

[40hz]

Given the popularity of the technology, and ease of blending in...those things can be a real bitch to spot. And as a card carrying BOFH, it truly pains me to say it ... But it's damn hard to blame the user for missing one of these.

-Stoic Joker (July 29, 2014, 11:36 AM)

Agree. This particular client isn't a fool. I've worked with her for about 10 years now. She's actually one of those responsible types who made sure she was tech-saavy above and beyond the requirements of her job. And she was devastated when this thing hit. Especially once she realized just how serious it was. Being a remote-located employee made her especially vulnerable. And being a non-dork, the very first thing she did was assume she herself had done something stupid. (She didn't btw.)

To make it even more interesting, the odds are pretty good that if it actually did come in via an infected attachment (as I suspect it did), the person who sent it to her didn't know it was loaded. Her company passes a lot of attachments back and forth for follow-up work, processing, client contact, etc. Some of it originates in-house. But the rest (60-70%) is generated by their clients. So it could have come from anywhere.

What's disturbing is that their e-mail provider's security didn't twig on it either. Can hardly blame the desktop when it's not showing a blip on the server's scanners, right? Her only warnings were that (a) her machine seemed ever so slightly slower starting up roughly three mornings before everything went south (she manually reboots each morning just to make sure it's "tidy" as she puts it) - and (b) that her scheduled Windows Update check (running daily at midnight and 6:00am) failed to complete two times in a row the day it happened.

This ain't script-kiddie stuff she got hit with. This is definitely the work of pros.

Scary! And just the tip of the iceberg I'm afraid.

[tomos]

Well, the last 'thing' I got here, I dont honestly know what it was - nothing too serious, and I got rid of it fairly quickly and didnt keep a record; (anti-virus missed it; I've installed mbam since).
But what I wanted to say was that it came from an ad. I didnt even have to click anything. And that has happened me before - load a webpage and that's it: wham bam thank you ma'am...

FWIW, after getting rid of the ransomware from a friend's machine (it was the porn/police/blackmail one, not the one that encrypted all data), I removed Java completely from my main machine.

... maybe a more productive approach would be to look at what our anti-virus has stopped ???
In my experience, Avira stopped a couple of things; MSE nothing yet - but I think I've only had one attack since I started using it (probably a couple of years ago now).