I hate anti-virus software. I really do hate the stuff. This is not a mere dislike but an actual hatred.
The reason for this is quite simple. In IT security terms any security you deploy needs to do it's job with minimal fuss. Too much fuss and the security system outweighs its usefulness and after many tussles with anti-virus software I have come to the conclusion that AV software is a waste of time.
AV software is still far too reactive. It absolutely must have the latest definition files to have any hope of finding anything bad trying to infect the machine and even with all the heuristics switched on they don't seem to have much luck.
As an example, I do all my web browsing in a sandbox thanks to a nice tool called . This tool allows for a sandbox to be created which will contain any downloads, requested or otherwise, in the sandbox. This means that if a virus gets onto the machine it'll be contained and this exact scenario happened to me not too long ago thanks to a mistyped URL. Examining the contents of the sandbox I saw a very suspicious file which I submitted to The site VirusTotal., results from that site are below.
Only four anti-virus programs all with the latest definitions actually spotted a harmful file. The others would have quite happily allowed the application to run and wreck havoc. Not good at all.
It is my belief that the best security is no longer in anti-virus software but in applications which prevent suspicious activity just like the UAC tools Microsoft are now introducing but this technology needs to go further and it should be possible to have as part of the boot process a system which scans active files to ensure that no changes have happened since the last boot and if required revert or delete those files.
Subscribe to Ramblings of a Sysadmin
Get the latest posts delivered right to your inbox