Using anti-virus software to keep the elephants away
October 1, 2007
Steve Riley wrote an interesting article recently about why he accepts the trade-off of not running anti-virus (AV) software on his own machines, and a follow-up after many people asked whether this is his general recommendation. His view is very similar to mine: if your overall stance is a cautious one and you are taking other suitable precautions against the risk of a virus infection (or spyware or some other nasty malware), then you may be just fine running with no AV software. This is how I run my own workstations (both private and business), but in all cases I run as a non-privileged user and am always aware of the risks whenever I use admin credentials to install something.
As Aaron Margosis points out, running anti-virus software which requires you to be a local administrator to work properly is fairly pointless. You have the rights required to turn off, disable and uninstall your AV, so any malware that gets past your defences can do this too, rendering the AV potentially useless. The same applies of course to running well-written anti-virus which does not require admin rights, but then running as admin anyway.
Recommendations for your business
I recommend to all my clients that they run some form of anti-virus software, as well as ensuring that they are set up to use non-admin user accounts. Ultimately, I can’t totally control their actions and stop them using an administrative account when they don’t need to, and despite my best advice they may inadvertently click on something, download something or otherwise put themselves at unnecessary risk. Anti-malware software adds a valuable layer in their “defence in depth” model. If I had complete control, or could always be on hand at a moment’s notice to answer their questions every time they get a prompt to install something, then they could perhaps loosen this approach. Frankly, for the small cost of a reasonable anti-virus solution, they get more protection, and greater peace of mind.
Using Software Restriction Policies to control which programs people can run helps in the fight against malware by attacking the problem from the other end. With a whitelist, you dictate which applications may run on your network. To do this you have to list all the ‘good’ programs, which is usually a shorter list, easier to build and less frequently changing than the anti-malware approach of trying to enumerate all the bad things out there, of which there are probably far more, and which is certainly a moving target. However, I still don’t see businesses using whitelisting as a replacement for anti-virus, but rather as a useful complement in a managed environment.
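The whitelist-versus-blacklist distinction above maps directly onto one setting in Software Restriction Policies: the default security level. The script below is an added audit example (not from the original post) that reads the machine-wide SRP configuration from its registry location, reports whether the policy is in default-deny (whitelist) or default-allow (blacklist) mode, flags a scope setting that exempts local administrators, and lists the path rules; the key and value names are the standard SRP ones, and the script assumes it is run on a Windows machine with rights to read HKLM.

```powershell
# Added example: audit the local Software Restriction Policy (SRP) configuration.
# Assumption: SRP is stored under the standard policy key below, with one subkey per
# security level (0 = Disallowed, 0x40000 = Unrestricted) holding GUID-named rules.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $srp)) {
    Write-Output 'No Software Restriction Policy is configured on this machine.'
    return
}

$cfg = Get-ItemProperty -Path $srp
$levelNames = @{ 0 = 'Disallowed'; 0x1000 = 'BasicUser'; 0x40000 = 'Unrestricted' }
$level = [int]$cfg.DefaultLevel

# DefaultLevel decides which list you maintain: Disallowed means you list the good
# programs (whitelist); Unrestricted means you are back to listing the bad ones.
switch ($level) {
    0       { Write-Output 'Default level: Disallowed  -> whitelist mode (only listed programs run)' }
    0x40000 { Write-Output 'Default level: Unrestricted -> blacklist mode (everything runs unless listed)' }
    default { Write-Output ("Default level: {0}" -f $levelNames[$level]) }
}

# PolicyScope 1 exempts local administrators, which undoes the benefit of the policy
# for anyone who logs on with admin rights; 0 applies it to all users.
if ([int]$cfg.PolicyScope -eq 1) {
    Write-Output 'Scope: all users EXCEPT local administrators (weaker; prefer applying to all users)'
} else {
    Write-Output 'Scope: all users'
}

# Path rules live under "<level>\Paths\<GUID>" with the path in the ItemData value.
foreach ($lvl in 0, 0x40000) {
    $pathsKey = "$srp\$lvl\Paths"
    if (Test-Path $pathsKey) {
        Get-ChildItem -Path $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            Write-Output ("  {0,-12} rule: {1}" -f $levelNames[$lvl], $rule.ItemData)
        }
    }
}
```

In whitelist mode the Unrestricted rules are the list of ‘good’ locations the paragraph above describes; if users can write to any of those paths, the rule is worth revisiting.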
What about those elephants?
Well, I met a guy on the bus the other day who was very carefully tearing small squares from his newspaper and throwing them out the window. I asked him why he was doing this, to which he replied “to keep away the wild elephants”.
When I pointed out that there are no wild elephants in the UK, he smiled and said “see – it’s working”.
Next time someone tells you that the AV product they use is better than some other one because they have never been infected, remind them of this story and ask how many times they have seen their anti-virus actually stop an infection and give them some kind of warning or log entry to show for it. In many cases you will find the answer is none. This proves, of course, that product X not only stops all known malware, but is equally effective at keeping away the elephants.