
Thread: Is antivirus software really necessary?

  1. #51
    Junior Member
    Join Date
    Sep 2003
    Location
    Virginia Beach VA
    Posts
    10
    I have a question for those who say an AV program is not needed. How will you protect your users from going to an infected web site? I have seen this with web designers in my company and with associates of mine. Ex: Say the president of the company wants to check out a porn web site on screwing chickens. He or she goes on and gets popups and redirects and never knows that they are now infected with a bloodhound worm. It is not a stretch to go and put a mass mailer on the same site and you will be a new zombie spewing out email and will not know for hours/days till the bandwidth loss is noticed. Just my 2 bits.

  2. #52
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by catch
    ss2chef: http://www.radium.ncsc.mil/tpep/libr...C1-TR-001.html

    "Computer Viruses: Prevention, Detection, and Treatment" with no mention of using after-the-fact solutions like AV software.

    Straight from the horse's mouth. Start with that; if you'd like more resources I'll dig them up for you from the ACM library... but for now I am heading off to lunch.

    cheers,

    catch
    Catch, this is a joke, right?

    Look at the 1st sentence...

    "This publication contains technical observations, opinions, and evidence
    prepared for informal exchange among individuals involved with computer
    security. The information contained herein represents the views of the
    author and is not to be construed as representing an official position of
    the National Computer Security Center. "


    Your document is neither an actual control document nor written by anyone of any significant military rank.

    In fact, it looks to me like nothing more than an OP/ED.

    Horse's mouth, eh?

    Keep 'em coming if you will...

    Thanks for the fun!!

  3. #53
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Look at the location, it was originally intended as the document states, it has since been considered a supplement to the Rainbow Series (which does not otherwise address viruses) and has been used as a foundation for most if not all NCSC and NIST publications regarding virus protection in trusted systems.

    Notice the wink after the horse's mouth comment.
    If you're going to be a smartass find your own information.

    cheers,

    catch

  4. #54
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Originally posted here by ny9777
    I have a question for those who say an AV program is not needed. How will you protect your users from going to an infected web site? I have seen this with web designers in my company and with associates of mine. Ex: Say the president of the company wants to check out a porn web site on screwing chickens. He or she goes on and gets popups and redirects and never knows that they are now infected with a bloodhound worm. It is not a stretch to go and put a mass mailer on the same site and you will be a new zombie spewing out email and will not know for hours/days till the bandwidth loss is noticed. Just my 2 bits.
    Hey Hey,

    That's more or less the mentality that Raccoon entered with.. However it's the wrong mentality to go with... The first problem lies with the president of the company browsing to porn sites... There should be an AUP in place that prevents this, if you're a large enough corporation perhaps software that blocks certain sites (e.g. WebSense)..or perhaps just an IDS in place that picks up key words such as 'porn, sex' etc... in which case you kill his connection then. You have to remember that the point of view that most of us are arguing from is that you'll have the proper policies in place... Even the president of the company should be committed to following the rules.

    Remember you'll never have adequate security without a Top-Down Management commitment. Management has to be supportive of your Security policies, or it's a lost cause to start with, and Viruses are still the least of your concerns. If you're an individual using your computer, you should be on a specific account... not running as admin (like most users do)... Your computer should be fully updated.. etc... and you'll not have these virus problems... As far as the not notice for hours/days.... Your company should never be able to spew out email... and an IRC bot should never be able to connect, you should have proper ACL and firewall policies in place, Prevent access to IRC ports, prevent access to outside port 25 unless the connection comes from your mail server. Again if you have a proper perimeter router and firewall in place, you also won't have to worry about inbound connections to any machines...

    Security is a whole setup... not any one single thing... If you are secured properly... that is when AV becomes unnecessary... Like I said in my last post... if you're lazy or an idiot... you're screwed... but other than that you'll be fine.

    Also... just for reference sake, you mentioned the "bloodhound worm"... Know that bloodhound is a very generic name. It is applied to anything that the Norton Heuristic scanner detects (The Heuristic Scanner is called Bloodhound because it sniffs out the problems.. ) -- http://securityresponse.symantec.com...loodhound.html

    If you want more on how proper security and handling should avoid any AV problems.... Look around the site... this is a security site, and there's lots about it.

    Peace,
    HT
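
The egress rules described in post #54 (outbound port 25 only from the mail server, no outbound IRC), written out as an added example that is not part of the original post. The addresses, the IRC port numbers and the alert threshold are assumptions chosen for illustration, and the flow records are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions for illustration (none of these values come from the thread).
INTERNAL = ip_network("10.0.0.0/8")
MAIL_SERVER = ip_address("10.0.0.25")
IRC_PORTS = set(range(6660, 6670)) | {6697}   # commonly used IRC ports
SMTP_PORT = 25

def egress_verdict(src, dst, dport):
    """Return (action, reason) for one outbound TCP connection attempt."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in INTERNAL or dst in INTERNAL:
        return ("allow", "not-egress")   # only inside-to-outside traffic is policed here
    if dport == SMTP_PORT and src != MAIL_SERVER:
        return ("deny", "smtp-not-from-mail-server")
    if dport in IRC_PORTS:
        return ("deny", "irc")
    return ("allow", "default")

def suspect_hosts(flows, threshold=3):
    """Hosts with at least `threshold` denied attempts: mass-mailer or bot candidates."""
    denied = Counter()
    for src, dst, dport in flows:
        action, _ = egress_verdict(src, dst, dport)
        if action == "deny":
            denied[src] += 1
    return {host: n for host, n in denied.items() if n >= threshold}

# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.0.0.25", "198.51.100.7", 25),    # mail server relaying: allowed
    ("10.0.3.14", "198.51.100.7", 25),    # workstation sending SMTP directly
    ("10.0.3.14", "203.0.113.9", 25),
    ("10.0.3.14", "203.0.113.40", 25),
    ("10.0.3.14", "192.0.2.66", 6667),    # workstation reaching an IRC port
    ("10.0.5.2", "192.0.2.80", 443),      # ordinary web traffic: allowed
    ("10.0.5.2", "10.0.0.25", 25),        # internal client to mail server: not egress
]

if __name__ == "__main__":
    for host, count in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {count} denied egress attempts")
```

Counting the denied attempts per source is what shortens the "hours/days" window mentioned earlier in the thread: the firewall drops the traffic, and the deny log names the workstation that tried to send it.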

  5. #55
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    Originally posted here by catch
    Seriously, have you even read this thread? It isn't about training your users, it is about using technical architecture that again, enforces roles using finely grained permissions and least privilege as well as using multi-account sessions.
    Hey...I'm open to get "converted" if you can convince me.. heh!

    The point I was trying to make is you can't ever trust humans; there will always be the human error...
    In most companies you have lots of different positions, which require lots of different computer privileges. There are tens of thousands of different viruses circulating around the globe, some lame ones, some very sophisticated ones, using all kinds of different holes and vulnerabilities, and sometimes vulnerabilities that are not even known...
    No, it's not only about "training your users", and it's not only about "technical architecture"... it's about everything together. There are many different components, including the "human error" on many different levels...

    Sure, if you have your network locked down to 100%, none of the viruses will be successful, I'm just afraid I won't ever be able to reach that 100%.

    If you can reach 99%, I would think an A/V solution would make it even more secure.

    But again, I'm not trying to argue just to argue against you all who don't believe in A/V solutions, I'm willing to listen and hopefully get convinced if you actually are right!
    (Currently convinced an A/V solution is better than no A/V solution though)

    Maaan.. we need to give some AP to Raccoon for starting this thread.. looking forward to following this thread to the end... if there ever will be an end... heh!

  6. #56
    Banned
    Join Date
    May 2003
    Posts
    1,004
    The real question here isn't which approach is 100% perfect. The question is, is AV software needed. Clearly the answer is "no."

    That said I think we should focus on the balance of security and costs between using an AV and not using one. AV software removes some vulnerabilities while adding others. Clearly a low assurance system in a low security environment can benefit quite a bit by removing a good portion of common viral issues without the hassle of a high assurance system policy and training. On the other hand, using AV software in a higher assurance environment doesn't typically make as much sense and in fact makes less and less sense the higher assurance the system is. The reason is that the higher the assurance, the simpler a system's security mechanism (TCB) must be, and an AV of course just adds complexity.

    Again keep in mind the simple fact that Linux users don't run AV software for local users. Why then should you for NT? Linux as a rule doesn't have any fancy security stuff that NT lacks... just a matter that people actually use Linux's security.

    cheers,

    catch

  7. #57
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    Originally posted here by catch
    The real question here isn't which approach is 100% perfect. The question is, is AV software needed. Clearly the answer is "no."
    That's where I don't agree with you. (yet) If it's not 100% secure, you have to assume there is a small chance a virus could get through...!

    Let's make a little scenario here. You have your "99%" secure MS network. A new virus comes out, utilizing an unknown vulnerability, no patch exists against it yet. Somehow it enters your network, and compromises one machine...

    In that scenario, if you did have or didn't have an A/V solution you would probably get compromised either way. The big difference here though is once the definitions come out for the A/V solution, it will at least hopefully detect that virus at that point, while a company without an A/V solution might not discover the compromised system until way later... with maybe a whole lot more damage done...

  8. #58
    Banned
    Join Date
    May 2003
    Posts
    1,004
    SawPer, you're applying the same logic to both setups. This is flawed, my method doesn't reduce the risk of acquiring a virus. My approach is to compartmentalize the system in a manner that prevents viruses from inflicting damage or propagating.

    Let's make a little scenario here. Why don't you go to an AIX community and tell them that they need to run AV software on their systems and report back your findings. The only reason people run AV software on NT/2k is because you need it on 9x/Me and people seem to think the two systems are similar.

    The big difference here though is once the definitions come out for the A/V solution, it will at least hopefully detect that virus at that point, while a company without an A/V solution might not discover the compromised system until way later... with maybe a whole lot more damage done...
    "at least hopefully" "might" "maybe" all excellent points. Allow this rebuttal. Running AV software introduces new risk to your system. Running AV software introduces new costs to your system. Running AV software lowers the assurance of your system.

    Does the benefit of what it "at least hopefully" "might" "maybe" be able to do outweigh the risk and cost consequences that will happen?

    cheers,

    catch

  9. #59
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    Originally posted here by catch
    SawPer, you're applying the same logic to both setups. This is flawed, my method doesn't reduce the risk of acquiring a virus. My approach is to compartmentalize the system in a manner that prevents viruses from inflicting damage or propagating.
    I understand what you are saying, but I still don't agree. You are trying to tell me that every single box is so locked down that if a virus actually ends up on one of the boxes, it won't be able to do anything.. ?

    With all the tens of thousands of viruses that compromise a system in so many different ways, you are telling me that you have covered all the "holes" to 100%, so not one single virus can get through your "architecture" to cause damage or propagate? That's a pretty bold statement.

    It probably makes a big difference depending on what kind of company/environment you have... but at a College where I work for example, I don't see how you possibly could make it that secure without an A/V solution.

  10. #60
    Banned
    Join Date
    May 2003
    Posts
    1,004
    SawPer... again... would you run an AV on an AIX system?

    Why or why not?

    cheers,

    catch
