AV testing: Is your antivirus app doing its job?

[CWuestefeld]

even legit sites that you'd keep whitelisted might be compromised

-f0dder (July 27, 2015, 02:14 PM)

As the manager of a web development team, this is something that I'm always paying attention to, much to the annoyance of some partners and even customers. You might be surprised how many third parties want us to directly reference js code that lives on somebody else's servers (for example, to show fancy interactive product info from the manufacturer).

My position is that my users have agreed to trust *me*, but they don't even know that they'd be implicitly trusting *you*. I don't have the authority to transfer my users' trust like that, so I simply will not allow your code to run in my site.

We've made a couple of sort-of exceptions. If they'll give us the code to verify ourselves, and host on our own servers, it's much less of an exposure. At least I can still have control over the stuff that I have responsibility for, rather than just abdicating that security consciousness.

[f0dder]

It's more important to avoid (or at least click-to-play) Java + Flash plugins than keeping JS disabled. The diagram it ignores the fact that Chrome has a special and somewhat-safer implementation of Flash, it ignores the smaller amount of malware targeting OSX, it ignores the browser used, and it ignores user behavior.

I do believe OSX has worse security holes than Windows, but given the combination of available malware and user behavior, I don't agree in the short-circuit. And fringe OSes are extremely unlikely to be infected with anything even with javascript turned on.

[f0dder]

even legit sites that you'd keep whitelisted might be compromised

-f0dder (July 27, 2015, 02:14 PM)

As the manager of a web development team, this is something that I'm always paying attention to, much to the annoyance of some partners and even customers. You might be surprised how many third parties want us to directly reference js code that lives on somebody else's servers (for example, to show fancy interactive product info from the manufacturer).

-CWuestefeld (July 27, 2015, 02:51 PM)

I wouldn't be surprised, given I deal with both front- and backend code these days

My position is that my users have agreed to trust *me*, but they don't even know that they'd be implicitly trusting *you*. I don't have the authority to transfer my users' trust like that, so I simply will not allow your code to run in my site.

We've made a couple of sort-of exceptions. If they'll give us the code to verify ourselves, and host on our own servers, it's much less of an exposure. At least I can still have control over the stuff that I have responsibility for, rather than just abdicating that security consciousness.

-CWuestefeld (July 27, 2015, 02:51 PM)

I'm opposed to pulling in just any random external link, but sometimes clients have desires that you just have to be pragmatic about. I don't much mind pulling in stuff from the google CDNs - if they get hacked, things are bad on so many other levels. You do have to consider *where* you pull in stuff, though, as referencing the google CDN serves as a tracking beacon even though you're just grabbing jQuery or Angular.

For most other stuff, I want a local copy, checked into the project's version control system. Better for security, and for project longetivity given how fickle a thing web development is.

[Jibz]

I've been using the MSE + MBAM + EMET combo on all computers for the past couple of years without any issues, but the past couple of days I've had problems on this one machine.

MSE kept hanging, and I cannot figure out what is causing a conflict. So I am trying out alternatives at the moment. This is reminding me how much I hate most AV software, because they all seem to be huge suites that do all kinds of things I would rather have a dedicated separate program do if I need it.