Using anti-virus software to keep the elephants away

Steve Riley wrote an interesting article recently about why he chooses the trade-off to not run anti-virus (AV) on his own machines, and a follow-up to that after many people asked if this is his general recommendation. His view is very similar to mine, in that if your overall stance is a cautious one and you are taking other suitable precautions against the risk of getting a virus infection (or spyware or some other nasty malware) then you may be just fine running with no AV software. This is how I run my own workstations (both private and business), but in all cases I run as a non-privileged user and will always be aware of the risks anytime I use admin credentials to install something.

As Aaron Margosis points out, running anti-virus software which requires you to be a local administrator to work properly is fairly pointless. You have the rights required to turn off, disable and uninstall your AV, so any malware that gets past your defences can do this too, rendering the AV potentially useless. The same applies of course to running well-written anti-virus which does not require admin rights, but then running as admin anyway.

Whitelisting applications versus Anti-virus

There was an interesting article in The Register yesterday called “the decline of antivirus and the rise of whitelisting”. It discussed the relative merits of using a whitelist to allow only known good programs to run, versus using traditional anti-virus (AV) to let everything run except things you know are bad. The comments to this article also raised a number of valid points, some academic and some based on real-world experience.

The obvious flaw in the traditional AV approach is the difficulty in keeping up with new malicious software rapidly enough to avoid infection. Whitelisting gives you a little more control but still takes substantial effort in a large environment, and is harder to delegate out to a third party without leaving so many loopholes as to render it pointless.

