No anti virus product is perfect

[TheWhiteknight]

Off an anti virus blog site so not my words but I agree with the fact that every anti product out their is not perfect the user is definatley a strong part of the equation.Just some pearls of wisdom ! I myself use avast home .....


if you haven't figured this out yet (and apparently most folks haven't) there is no such thing as a perfect anti-virus product... they all fail to stop a virus at one time or another either because the virus is too new, or it spread in ways that the anti-virus couldn't do anything about (network share enumeration, exploits, etc), or a host of other reasons...

for years now i've seen people 'discover' the lack of perfection in their anti-virus and the overwhelming response to this is to jump ship and try a different product... the assumption is that because their anti-virus didn't protect them there must be something wrong with it and they should try and find a better one...

the reality is that no matter what product you use, or even how many you use, your anti-virus product will fail at some point... the fact that it failed to prevent an incident (or 2 or 4 or however many it failed to prevent) does not necessarily mean there's anything wrong with the product - it could be that there's something wrong with the user...

the security of a system is only as strong as it's weakest link and most of the time that link is the computer operator - either s/he takes unnecessary risks, or s/he doesn't keep the anti-virus up to date, or s/he doesn't take any other safe-hex measures, etc . . . there's only so much these products can do to protect someone from themselves...

i'll be blunt - the knee-jerk reaction to blame the anti-virus for failing to prevent a virus incident needs to change... users need to start asking themselves if there was something they could have done to prevent the incident - some security precaution they could have taken, some policy they could have put in place... the anti-virus should not be the sole defence against malware, it should be one of many and it should be the one that acts when all other measures fail to prevent the incident...

and what other measures are those?

   1. the use of a firewall
   2. the closing of network shares and unnecessary ports
   3. keeping up to date with security patches and the migration away from the most often targeted applications (to minimize the impact of patch maintenance failure)
   4. minimizing the amount of outside active content (applications, word documents, excel spreadsheets, etc) that are introduced into the system
   5. turning off unnecessary active content support in your browser
   6. not accepting attachments from strangers
   7. not accepting attachments from legitimate contacts until after verifying that they intended to send it and what it is
   8. the use of strong passwords
   9. the scanning of all incoming material, preferably after a suitable 'cool down' period so that it's novelty doesn't play a part in avoiding detection of any malware that may be present



even after all that, you can still expect a virus/worm/malware incident once in a while... no security is perfect, that's just something we have learn to accept and plan for (i.e. make sure you have a plan for disaster recovery)...

[polonus]

Hello The WhiteKnight,

I agree with you that all AV protection is a protection after the fact. People still look for another solution like an immunizing network solution, but this is still impractical or vulnerable on its own. Educating the end-user is the best policy, because they enable the present situation. For instance there is a safer alternate browser like FF. People have no spyware solutions, they did not install either Adblock or NoScript. Now spyware vendors use drive by installations of their scumware through pop-ups that look a bit like original MS prompts: "Click here to continue" for instance. Crap onto your machine, only YOU are to blame, and because of the n33bs that do this everyday, we have scumware, malware, zombied nets, loose cycles everywhere, and our Internet experience has become one big litany of adverts and crap with a little tiny bit of real information in between. Alas that was my hiccup. I just wanted to say that the situation with software firewalls is likewise.

greets,

polonus

[TheWhiteknight]

Hello polonus

I totally agree ! I use firefox myself and thunderbird .  I was pretty sure it was the same situation with firewall's ! I think if someone really wants to get passed your security they will alway's find a way . Even the most sensible users can get can't out ! I can even speak from experience being cant out  years ago with ms blast worm  .

TheWhiteknight 

[DavidR]

10. In the unlikely event that one does get throgh don't let it inherit administrator privileges by default.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

[polonus]

Hi DavidR,

It goes without saying that going away from default settings, also where trusted zones and user rights (your pointhere) are concerned, actually can contribute enormously to security. Also whenever you do not completely trust a site or the contents have script disabled and pre-link scan with Dr. Web's plug-in scanner or put the url into an online scanner: http://online.drweb.com/
AVX Scipt Wall & Scrip Trap help, and a good system monitoring program like System Safety Monitor. A well patched OS and all latest updates must keep you safe, but alas the only really safe computer is a computer disconnected from the Net.

polonus