Is antivirus software really necessary?

Quote:

---

an AV is never NEEDED as the original question posed

---

In the purest sense of that statement you are completely correct. With enough time and knowledge a single computer or a network could be set up so that a virus would not be able to function on the system making the need for AV moot.

Taking the point above the 'need' or 'requirement' for AV is a result of the way the system was set up and administrated rather than an inherant 'need' of the system itself.

Even on a system set up to the standard you describe where AV is not 'needed' it could well be 'required' for insurance cover and to meet other regulations which may state a requirement for AV to be present on a system.
This is not to mention the comfort factor of having AV ,"just in case", as mentioned before.

Quote:

---

In the purest sense of that statement you are completely correct.

---

In every sense this is correct... the only systems that benefit from AVs are those with poor architecture that allows random processes unmitigated access... if a virus can do that, why can't an attacker? The whole system is just ****ed and viruses are the least of your worries... although you'd prolly put them higher up because you get hit with so damned many of them in this case.

Quote:

---

With enough time and knowledge a single computer or a network could be set up so that a virus would not be able to function on the system making the need for AV moot.

---

Or by using common sense and utilizing both roles and a finely grained security infastructure an entire organization can be by a competent infosec team and very simple procedures.

Quote:

---

Even on a system set up to the standard you describe where AV is not 'needed' it could well be 'required' for insurance cover and to meet other regulations which may state a requirement for AV to be present on a system.

---

I can think of no such requirement... the organization I work for is accountable to various ISO, DOD, and MIL standards not to mention privacy and fiscal accountablity standards... and yet we have no AV system. Why? Because none is required... even ISO17799 which specifically mentions virus protection does not require anti-virus software. It merely states that you must have a clearly established and defined method of dealing with viruses. Using sandboxing, multi-account sessions, and least privilege are all acceptable under best practices.

Quote:

---

This is not to mention the comfort factor of having AV ,"just in case", as mentioned before.

---

If running more software (which by definition under DOD-5200.28-STD is a bad idea since you are placing security related software which not only needlessly increases complexity AND falls outside of the systems assurance audit, but also exists outside of the TCB) makes you feel better, that is fine. Doesn't make it the best or most correct solution.

cheers.

catch

Quote:

---

Originally posted here by catch


I can think of no such requirement... the organization I work for is accountable to various ISO, DOD, and MIL standards not to mention privacy and fiscal accountablity standards... and yet we have no AV system. Why? Because none is required... even ISO17799 which specifically mentions virus protection does not require anti-virus software. It merely states that you must have a clearly established and defined method of dealing with viruses. Using sandboxing, multi-account sessions, and least privilege are all acceptable under best practices.


If running more software (which by definition under DOD-5200.28-STD is a bad idea since you are placing security related software which not only needlessly increases complexity AND falls outside of the systems assurance audit, but also exists outside of the TCB) makes you feel better, that is fine. Doesn't make it the best or most correct solution.

---

I can't speak for all agencies but for all of our IA (Information Assurance) enabled devices, a "gold disk" STIG run against a windows based system not using anti-virus will be flagged with a finding and point to the CERT to obtain approriate anti-virus software using the following references:

NSA Guide: Chap. 2, p. 15
DISA FSO NT Addendum: Section 7.4
DODD 8500.1 Para 4.18
DODI 8500.2 DCCS-2, DCSC-1
CJCSM 6510.01 App. A, Enclosure A, Para. 5.b (8)

A waiver can be applied for but our IAO (Information Assurance Officer) has the final call.

This is under the DLA (Defense Logistics Agency) and DLIS (Defense Logistics Information Service)

Very interesting thread.. heh!! :)

I can see both views, but for any kinda person using a computer in a network or on the internet cummunicating in any way with others, you are not depending soley on your own knowledge and the right way of doing things...

Let say you educate all the employees in your company to not ever open mail from "untrusted" sources. ...now you are safe, so safe you don't need any AV??

I wouldn't think so, they cummunicate (in most companies at least.. heh!) with others that you as an admin have no control over at all.. ! If your customer has been compromised, and this customer now is sending for example an infected email or document to you, this "trusted" source could now potentially infect your whole network.. !

I would say in very rare cases, where you don't depend on anybody else, or you are not hooked up to a network, you could safely be without any AV, but other wise it would easily be asking for trouble...

Anyways, just the fact the guy who initially wrote the question was in fact infected with a few viruses already there tells he needs an AV solution! ;)

I didn't even bother reading this thread till now because I thought it was just going to repeat the same old stuff.... But I decided to read the first page and decided to keep reading when Catch got involved because it is often amusing and enlightening.... ;) After three pages we are definitely at the amusing stage as witnessed by the number of hidden posts - Catch put the cat amongst the pigeons again.... <LOL>

By far the most amusing and insightful comment to date is attributable to HT:-

Quote:

---

To spread a virus, you need an idiot...

---

Nice one HT.... I might use that in a sig in the future....

The next statement that catches my eye, (so to speak), is compliments of Shagdevil:-

Quote:

---

The first time I had to sit down and deal with a real bitch of a virus, is the first time I really started learning about the more intricate details about the operation of a PC.

---

I have to absolutely agree here... It reminded me of my first encounter with Stoned in the early 90's, tracking it back to a corporate networking "guru" and nearly getting fired for bringing it to the attention of corporate, (NOTE: The guru was upgrading all 95 offices nationwide with his infected disks - I was the naughty one for bringing it to his attention - They subsequently found out I was right - did I get a letter of apology to go with my letter or reprimand? Nope! Wankers... :rolleyes: ). But Shag is right in many cases... Some of us cut our teeth removing this crap.

For the OP:

Allow me to abstract this in order to clarify the two, (completely at odds), sides you have seen in this debate.

You need to work out you amortization schedule for a morgage you wish to purchase. You don't know how to do it because you only graduated high school. You know that there is a computer program out there for $30 that will allow you to insert the required parameters and it will "spit" out the required information _or_ you can go back to school for a couple of years and do it yourself.

The same applies with Anti-Virus applications. Like the internet program that will calculate your amortization schedule the Anti-Virus is a tool that will do the job for you at a cost. Your alternative is to wait two years until you can attain the knowledge required to complete the task yourself but since you have a house in mind two years is too long - someone else will buy it, which equates to you being infected with a virus. The answer is simple. If you don't already possess the tools to do the job then you must purchase one. If you already have the tools why spend the money....

Hope that clarifies the argument....

Quote:

---

Let say you educate all the employees in your company to not ever open mail from "untrusted" sources. ...now you are safe, so safe you don't need any AV??

---

Seriously, have you even read this thread? It isn't about training your users, it is about using technical architecture that again, enforces roles using finely grained permissions and least privilege as well as using multi-account sessions.

Users can't run viruses, worms, or trojans if they wanted to in this environment.

Why does this make more sense? Again remember, anything a virus can do, an attacker can do as well. It's not like viruses have special abilities to bypass process protections, so if you are relying on an AV, what is protecting you against an attacker, internal or external doing the same actions?

AV software increases the complexity of the system, as stated above doesn't actually resove the underlying security issues, don't resolve new viruses, and require constant upkeep. What is more, many AV tools actually introduce new tools by running at such a low level on the system while allowing any user to have interactive session. How is this different than say... running Apache as root? ;)

AV software is bad... it is only useful on single user systems like Win9x/Me since none of typical security issues associated with running additional, privileged software are not present since the computer lacks the concept of permissions and privileges to begin with.

ss2chef, none of those guidelines require AV software, they merely provide guidelines for what AV software they approve of if you use it. This reasoning is based on the fact that knowledge of role based systems has dramatically increased over the last few years and wasn't considered as tried and true within an NT environment at the time.

DARPA has come out with a few solicitations regarding the failings of AV software and methods for dealing with network worms. In the coming years it will be more and more apaprent that AV tools are ineffective, but also keep in mind that AV organizations are a billion dollar industry... and if there is one thing that companies need to know how to do to survive capitolism is to create a need.

cheers,

catch

Quote:

---

Is antivirus software really necessary?

---

I think it is. You will help prevent u from getting 1 so u don't have a crashed pc.

I agree w/ almost everyperson in this post. From my personal expierence. Have some type of antivirus software.

Quote:

---

I agree w/ almost everyperson in this post. From my personal expierence. Have some type of antivirus software.

---

Which ones don't you agree with? Because about half of them say you don't need it..... ;)

Quote:

---

Originally posted here by catch

ss2chef, none of those guidelines require AV software, they merely provide guidelines for what AV software they approve of if you use it. This reasoning is based on the fact that knowledge of role based systems has dramatically increased over the last few years and wasn't considered as tried and true within an NT environment at the time.

DARPA has come out with a few solicitations regarding the failings of AV software and methods for dealing with network worms. In the coming years it will be more and more apaprent that AV tools are ineffective, but also keep in mind that AV organizations are a billion dollar industry... and if there is one thing that companies need to know how to do to survive capitolism is to create a need.

cheers,

catch

---

While I understand your distinctions...
I feel it is important to note that they are more than just guidelines.
Any suspect SRR (Security Readiness Report) can and often does boil down to
ATO (Authority To Operate) being denied.

When that happens, ones opinion on the merits of AV software matter very little.

From my personal experience , DoD does not consider AV to be an optional
suggestion.

Can you privide any links to actual directive that I can site to my IAO and PMO?
I'm dying to get the AV removal process started.. ;)

ss2chef: http://www.radium.ncsc.mil/tpep/libr...C1-TR-001.html

"Computer Viruses: Prefvention, Detection, and Treatment" with no mention of using after the fact solutions like AV software.

Straight from the horses mouth. ;) Start with that, if you'd like more resources I'll dig them up for you from the ACM library... but for now I am heading off to lunch.

cheers,

catch

I have question for those who say a av program is not needed. How will you protect you users from going to a infected web site. I have seen this on web designers in my company and with associates of mine.Ex: Say the president of the company wants to check out a porn web site on screwing chickens. He or she goes on and gets popups and redirects and never knows that they are now infected with a bloodhound worm. It is not a stretch to go and put a mass mailer on the same site and you will be a new zombie spewing out email and will not know for hours/days till the bandwidth loss is noticed. Just my 2 bits.

Quote:

---

Originally posted here by catch
ss2chef: http://www.radium.ncsc.mil/tpep/libr...C1-TR-001.html

"Computer Viruses: Prefvention, Detection, and Treatment" with no mention of using after the fact solutions like AV software.

Straight from the horses mouth. ;) Start with that, if you'd like more resources I'll dig them up for you from the ACM library... but for now I am heading off to lunch.

cheers,

catch

---

Catch, This is a joke right.

Look at the 1st sentence...

"This publication contains technical observations, opinions, and evidence
prepared for informal exchange among individuals involved with computer
security. The information contained herein represents the views of the
author and is not to be construed as representing an official position of
the National Computer Security Center. "


Your document is neither an actual control document nor written by anyone of any significant military rank.

In fact, it looks to me like nothing more than an OP/ED.

Horses mouth eh?

Keep em coming if you will...

Thanks for the fun!!

Look at the location, it was originally intended as the document states, it has since been considered a supplement to the Rainbow Series (which does not otherwise address viruses) and has been used as a foundation for most if not all NCSC and NIST publications regarding virus protection in trusted systems.

Notice the wink after the horse's mouth comment.
If you're going to be a smartass find your own information.

cheers,

catch

Quote:

---

Originally posted here by ny9777
I have question for those who say a av program is not needed. How will you protect you users from going to a infected web site. I have seen this on web designers in my company and with associates of mine.Ex: Say the president of the company wants to check out a porn web site on screwing chickens. He or she goes on and gets popups and redirects and never knows that they are now infected with a bloodhound worm. It is not a stretch to go and put a mass mailer on the same site and you will be a new zombie spewing out email and will not know for hours/days till the bandwidth loss is noticed. Just my 2 bits.

---

Hey Hey,

That's more or less the mentality that Raccoon entered with.. However it's the wrong mentality to go with... The first problem, lies with the president of the company browsing to porn sites... There should be an AUP in place that prevents this, if you're a large enough coporatin perhaps software that blocks certain sites (e.g. WebSense)..or perhaps just an IDS in place that picks up key words such as 'porn, sex' etc... in which case you kill his connection then. You have to remember that from the point of view that most of us is arguing, is that you'll have the proper policies in place... Even the president of the company should be committed to following the rules.

Remember you'll never have adequate security without a Top-Down Management commitment. Management has to be supportive of your Security policies, or it's a lost cause to start with, and Viruses are still the least of your concerns. If you're an individual using your computer, you should be on a specific account... not running as admin (like most users do)... You're computer should be fully updated.. etc... and you'll not have these virus problems... As far as the not notice for hours/days.... You're company should never be able to spew out email... and an IRC bot should never be able to connect, you should have proper ACL and firewall policies in place, Prevent access to IRC ports, prevent access to outside port 25 unless the connection comes from your mail server. Again if you have a proper perimiter router and firewall in place, you also won't have to worry about inbound connections to any machines...

Security is a whole setup... not any one single thing... If you are secured properly... that is when AV because unnecessary... Like I said in my last post... if you're lazy or an idiot... you're screwed... but other than that you'll be fine.

Also... just for reference sake, you mentioned the "bloodhound worm"... Know that bloodhound is a very generic name. It is applied to anything that the Norton Heuristic scanner detects (The Heuristic Scanner is called Bloodhound because it sniffs out the problems.. ) -- http://securityresponse.symantec.com...loodhound.html

If you want more on how proper security and handling should avoid any AV problems.... Look around the site... this is a security site, and there's lots about it.

Peace,
HT

Quote:

---

Originally posted here by catch
Seriously, have you even read this thread? It isn't about training your users, it is about using technical architecture that again, enforces roles using finely grained permissions and least privilege as well as using multi-account sessions.

---

Hey...I'm open to get "converted" if you can convince me.. heh! ;)

The point I was trying to make is you can't ever trust humans; there will always be the human error...
In most companies you have lots of different positions, which require lots of different computer privileges. There are tens of thousands of different viruses circulating around the globe, some lame ones, some very sophisticated ones, using all kinds of different holes and vulnerabilities, and sometimes vulnerabilities that are not even known...
No, it's not only about "training your users", and it's not only about "technical architecture"... it's about everything together. There are many different components, including the "human error" on many different levels...

Sure, if you have your network locked down to 100%, none of the viruses will be successful, I'm just afraid I won't ever be able to reach that 100%.

If you can reach 99%, I would think an A/V solution would make it even more secure.

But again, I'm not trying to argue just to argue against you all who don't believe in A/V solutions, I'm willing to listen and hopefully get convinced if you actually are right! :)
(Currently convinced an A/V solution is better than no A/V solution though)

Maaan.. we need to give some AP to Raccoon for starting this thread.. looking forward to follow this thread to the end... if there ever will be an end... heh! ;)

The real question here isn't which approach is 100% perfect. The question is, is AV software needed. Clearly the answer is "no."

That said I think we should focus on the balance of security and costs between using an AV and not using one. AV software removes some vulnerabilties while adding others. Clearly a low assurance system in a low security environment can benefit quite a bit by removing a good portion of common viral issues without the hassle of a high assurance system policy and training. On the otherhand, using AV software in a higher assurance environment doesn't typically make as much sense and in fact makes less and less sense the higher assurance the system is. The reason is that the higher assurance the simpler a system's security mechanism (TCB) must be and an AV of course just adds complexity.

Again keep in mind the simple fact that Linux users don't run AV software for local users. Why then should you for NT? Linux as a rule doesn't have any fancy security stuff that NT lacks... just a matter that people actually use Linux's security. ;)

cheers,

catch

Quote:

---

Originally posted here by catch
The real question here isn't which approach is 100% perfect. The question is, is AV software needed. Clearly the answer is "no."

---

That's where I don't agree with you. (yet) If it's not 100% secure, you have to assume there is a small chance a virus could get through...!

Let's make a little scenario here. You have your "99%" secure MS network. A new virus comes out, utilizing an unknown vulnerability, no patch exist against it yet. Some how it enters your network, and compromises one machine...

In that scenario, if you did have or didn't have an A/V solution you would probably get compromised either way. The big difference here though is once the definitions come out for the A/V solution, it will at least hopefully detect that virus at that point, while a company without an A/V solution might not discover the compromised system until way later... with maybe a whole lot more damage done...

SawPer, you're applying the same logic to both setups. This is flawed, my method doesn't reduce the risk of acquiring a virus. My approach is to compartmentalize the system in a manner that prevents viruses from inflicting damage or propigating.

Let's make a little scenario here. Why don't you go to an AIX community and tell them that they need to run AV software on their systems and report back your findings. The only reason people run AV software on NT/2k is because you need it on 9x/Me and people seem to think the two systems are similar.

Quote:

---

The big difference here though is once the definitions come out for the A/V solution, it will at least hopefully detect that virus at that point, while a company without an A/V solution might not discover the compromised system until way later... with maybe a whole lot more damage done...

---

"at least hopefully" "might" "maybe" all excellent points. Allow this rebuttal. Running AV software introduces new risk to your system. Running AV software introduces new costs to your system. Running AV software lowers the assurance of your system.

Does the benefit of what it "at least hopefully" "might" "maybe" be able to do outweigh the risk and cost consequences that will happen?

cheers,

catch

Quote:

---

Originally posted here by catch
SawPer, you're applying the same logic to both setups. This is flawed, my method doesn't reduce the risk of acquiring a virus. My approach is to compartmentalize the system in a manner that prevents viruses from inflicting damage or propigating.

---

I understand what you are saying, but I still don't agree. You are trying to tell me that every single box is so locked down that if a virus actually ends up on one of the boxes, it won't be able to do anything.. ?

With all the tens of thousands viruses, that compromises a system in so many different ways, you are telling me that you have covered all the "holes" to 100%, so not one single virus can get through your "architecture" to cause damage or propagate? That's a pretty bold statement.

It probably makes a big difference depending on what kind of company/environment you have... but at a College where I work for example, I don't see how you possibly could make it that secure without an A/V solution.

SawPer... again... would you run an AV on an AIX system?

Why or why not?

cheers,

catch

Catch,

Ok, will answer your question, and hopefully you will answer my last question? :)

Don't know what AIX is, but assume it is some sort of UNIX system?
From your reasoning it sounds like you are trying to say UNIX is secure, NT/2000 can be as secure too, if you configure it right.

I think that is almost a little too simple comparison. Windows is a much bigger target than UNIX is. Way more viruses for Windows. However, if Windows didn't exist, and UNIX was the biggest one out there, I would imagine all the virus writers concentrating all their effort on UNIX instead of Windows, and they would most surely come up with a whole bunch of successful viruses for UNIX as well.

So "why not"? I guess because there are hardly any viruses for UNIX. UNIX is just not a big target.

I think AV..all depends on the enviroment.

We had a consultant come in with an infected laptop...it wasnt the AV that stopped the virus...it was my security settings..as the machine tried (and failed) to access network shares.

Because the consultant...wasnt an "Authenticated user" none of the shares were available and I was alerted by failures in my security logs.

Anyway...some enviroments you need to scan every machine, email file...then there are others where email is only scanned....depending on the users.

Some users like to visit inappropriate sites, download anything they can...open every damn piece of email...and there are the more cautious ones.

Patch your machines, remove the "Everyone Group", filter mail at the server, teach your users,...call them in on their internet habits and warn them...etc

No viruses for a couple of years...still have it running though...

It was handy when we got Nimda through an unpatched machine and it found an open share (user created..everyone full control :rolleyes: ) The AV helped isolate and then rid the beast...from a central point.

Just my .02 cdn

MLF

Quote:

---

From your reasoning it sounds like you are trying to say UNIX is secure, NT/2000 can be as secure too, if you configure it right.

---

You're new here, so you have no idea how funny this is. ;)

Quote:

---

So "why not"? I guess because there are hardly any viruses for UNIX. UNIX is just not a big target.

---

But suffice to say, this doesn't make UN*X 100% secure against viruses... so why not run an AV?

Psst. I am answering your question, but I find that if I just tell someone somehing they didn't know, it tends to never stick, better toask a few questions and then draw a parallel. :)

cheers,

catch

Quote:

---

Originally posted here by catch
You're new here, so you have no idea how funny this is. ;)

---

Well.. yeah, kinda new I guess, but no, what's so funny, have to fill me in on that one.. heh!? :)

Quote:

---

But suffice to say, this doesn't make UN*X 100% secure against viruses... so why not run an AV?

---

The only UNIX box I have, I don't mess with much, it's a Big-IP load balancer. It does its thing, and it would never be used as a "workstation".
The difference would be, again, much more viruses directed against Windows, and in my case, nobody uses UNIX as a "workstation". Under these circumstances I don't see a need for A/V for UNIX, but I do for Windows.

And your answer?! :P

Quote:

---

Originally posted here by morganlefay
It was handy when we got Nimda through an unpatched machine and it found an open share (user created..everyone full control :rolleyes: ) The AV helped isolate and then rid the beast...from a central point.

Just my .02 cdn

MLF

---

That's exactly in the line I'm thinking. Unless you have it so tied down, nobody can hardly do anything, not even giving any room for the "human error", you do need an A/V solution to make up for the small percentage a virus can enter your network.

If you have it really secure and all, but no A/V to detect a virus, MLF could have gone forever with a virus without knowing it, and it could have caused some damage and maybe even propagation...

Quote:

---

Well.. yeah, kinda new I guess, but no, what's so funny, have to fill me in on that one.. heh!?

---

I am arguably the biggst advocate of NT security on this site. I freely and frequently state that that NT security is superior to UN*X security. People like to take one of two aruments back:

1. Counting exploits.
2. Claiming exotic configurations and major architectual modifications in UN*X/Linux should be just considered the norm.

Do to this fact, I've stopped arguing the point for a while now... still unny that you'd think I meant UN*X to be more secure. My point was in fact that AV solutions for UN*X (excluding proxying services) essentially don't exist. Odd considering that the NT security is in fact superior to UN*X at the commercial level (**** all this lab stuff).

So why is AV not needed on UN*X? Even the argument that less viruses efect UN*X... well no AV software, wouldn't every virus that does exist effectively be a 0-day since no AV countermeasures exist?

As I stated before, in low assurance environments, AV is a good thing... but once you lock the systems down to providing exactly the rights your users require... which in my experience has NEVER included things like creating new shares by the way. ;)

Normal users in a higher assurance environment should not ever be allowed to make changes to their system without going through proper change control channels. In fact at my work, every single desktop system is set up in the exact same manner, and users are only allowed to modify their profiles.

Many of the client applications can only be launched as reduced privilege processes, permissions are tightly controlled, again with the point of only allowing users access to the applications they need as defined by their role and to the internal data as defined by that same role definition.

This is the real problem, most security teams have no clue what their users need, and how to effectively support business needs... consequently to avoid calls to to tech support they give their users way too much rope. This would be a low assurance environment, and prime for AV controls.

Now Saw, back to your questions:

Quote:

---

You are trying to tell me that every single box is so locked down that if a virus actually ends up on one of the boxes, it won't be able to do anything.. ?

---

Yup, as I said above, every single user system is configured in the same manner. Centralized configuration control, it's a good thing. And then user accounts are restricted via permissions ad user right assignments that only meet the role requirements.

Quote:

---

With all the tens of thousands viruses, that compromises a system in so many different ways, you are telling me that you have covered all the "holes" to 100%, so not one single virus can get through your "architecture" to cause damage or propagate? That's a pretty bold statement.

---

The number of viruses makes no difference, and I never said that it will prevent every single virus ever from causing harm. I said it will outright stop most and dramatically limit the damage possible by others. To the point where the costs saved by an AV are less than the cost of using one plus the new vulnerabilities introduced by the AV itself.
Security isn't about being 100% safe, it is about cost avoidance.

Quote:

---

It probably makes a big difference depending on what kind of company/environment you have... but at a College where I work for example, I don't see how you possibly could make it that secure without an A/V solution.

---

And would you consider your environment to be a low or high assurance one? ;)

cheers,

catch

Quote:

---

And would you consider your environment to be a low or high assurance one?

---

I believe that is a key statement. It all depends on the environment. Certainly in a single user scenario Win9x/ME you would consider AV, if only because the OS does not give you the controls you would otherwise need.

Having said that I know a number of people who do not use any AV. Basically they have no need for one, as their equipment is physically secure, and they are only using it as a glorified word processor/accounting machine. As there is no connectivity, there really isn't a vector by which they could be infected.

Quote:

---

Normal users in a higher assurance environment should not ever be allowed to make changes to their system without going through proper change control channels. In fact at my work, every single desktop system is set up in the exact same manner, and users are only allowed to modify their profiles.

---

Exactly!, although over here they can change the screen resolution as that is a health & safety legal requirement. This can be a pain when they select a combo ouside of the vid card/monitor capabilities.

Quote:

---

To the point where the costs saved by an AV are less than the cost of using one plus the new vulnerabilities introduced by the AV itself

---

Whilst I can see this point, I personally put more emphasis on potential instability and resource wasting, which have been what I have personally experienced.

catch has already mentioned special cases such as proxies and mailservers. The only other one I would tentatively suggest is the "sheep dip". This is a machine used to scan media etc. that are brought into the environment. Typically, lecture rooms, conference rooms, training rooms etc................almost by definition, these are low assurance environments, and physically somewhat insecure.

I must admit that I find AV useful for identifying stuff, so you only have to do the new ones by hand...........but I guess that is just me being lazy :p

Here is a little (true) story that may amuse.

It was January 2000 and I am called to look at a friend's kid's machine. A German box about 4 years old with the Thunderbyte AV package (anyone remember that?). This AV had not been updated since the box was bought. Turned out it was doing a background scan and finding Y2K file dates that it could not understand, it tried to "clean" them, couldn't so deleted them :D

That was the only "true" Y2K problem I encountered. The amusing thing was that this box was not at risk, and did not need an AV................the only problem it ever had was from an AV product :D

Microsoft will release antivirus protection for PC's soon, so it means that antivirus is nessesery.
Simple saide every one need some kind of protection and question is just "HOW MUCH?".


http://www.betanews.com/article/MS_t...ore/1115998818

http://www.microsoft.com/windows/onecare/default.mspx

Quote:

---

Microsoft will release antivirus protection for PC's soon, so it means that antivirus is nessesery.

---

Is that meant, in the same vain as, you have a windows opperating system. Therefore you have to need Microsoft office?

Bollocks.................................I can't be assed, to argue, any further.

Hmmm,

Just looks like more marketing hype to me. Remember back in the old days when you had McAfee, Norton and Thunderbyte, MS and IBM both supplied AV products. This is long before the internet as we know it today, so there wasn't the multi-billion$ industry that there is today.

M$ and IBM dropped off the radar, and now it looks as if Microsoft are getting back into the market.

In a way, I think that they are flying in the face of what catch has been saying..............bringing in third party/more complex solutions.

Hey catch what do you think?..............a dumbing down exercise?

If people will pay for it, why not sell it? Remember, it has very little to do with need. Go to a grocery store sometime and see how many things that they sell which you not only don't need but are outright bad for you.

cheers,

catch

i personally don't use any AV at all. i have been using comps for many years and i know when i have a virus or spyware. also i don't download a lot of executables except from trusted sources. the only things i use to worry about were spyware/malware but ever since firefox came out theres really no need ATM for spybot/ad-aware even. they will find a way around that of course if they already haven't. but of course i share my computer and others who use it cry about certain pictures not being able to be viewed so they use IE which totally defeats the whole FF security i wanted to begin with. ;\

Quote:

---

Originally posted here by catch
If people will pay for it, why not sell it? Remember, it has very little to do with need. Go to a grocery store sometime and see how many things that they sell which you not only don't need but are outright bad for you.

cheers,

catch

---

To make a ridiculous analogy even more so.....

You are right, I don't need to purchase bug spray but with West Nile Virus going on around here, I am VERY glad I have it when I need it...!!

So it is your argument that everything for sale is good to have?

Seriously, how obtuse can you possible be ss2chef?

cheers,

catch

Regarding Mario tinto and his credentials. I did a search for that alias in the military police archives.

Mario Tinto is an Engineering Specialist in the Trusted Computer Systems Department at the
Aerospace Corporation. Prior to this position, he had an outstanding career at the NSA, a leader in the Common Criteria development, a lead evaluator and standards developer and a technical resource that was used to solve hard problems.

His name is plastered all over a slew of PDF's in the acknowledgements.

He's with the NCSC and NSA over a decade with one... etc

Quote:

---

the only things I use to worry about were spyware/malware but ever since firefox came out theres really no need ATM for spybot/ad-aware even. they will find a way around that of course if they already haven't. but of course i share my computer and others who use it cry about certain pictures not being able to be viewed so they use IE which totally defeats the whole FF security i wanted to begin with.

---

Reduced assurances are not what I had in mind, more like high assurance. "How do we get “warm fuzzies” about the security of a system?" ~ Mario Tinto “warm fuzzies” that's great.... a favorite movie.

Add, add, add (that's all I see on the TV/"pop security""Yes men""Dullards") from what I've been taught it typically takes, takes, takes more from security than adding to it (the TV lies).

GOD has spoken on current hour flawed assumptions.
"Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems." ~ http://www.nsa.gov/selinux/papers/inevit-abs.cfm (these are the commercials I'd rather being viewing)

A simpler system is more secure then a complicated one, and every TOS design PDF I've read has barked this basic security principal, so I take it to be logically correct, and since I have no desire to reinvent a "wheel" made in the 70's-80's, I accept that principle as being tried and true, logically and mathematically sound advice.


But I have Megadethblaring in my ears and I've had a few shots and some Killian's.

Quote:

---

Originally posted here by catch
So it is your argument that everything for sale is good to have?

Seriously, how obtuse can you possible be ss2chef?

cheers,

catch

---

hehe um no.... I do however like to use bug spray when I am operating around bugs.
Please re-read, maybe this time with your glasses on...

Bottom line here is I have never had a problem with your thoughts on AV and need.

Your blanket statement about DoD not having AV policy in place is wrong and bordering on
naive. You presented a DoD affiliated persons opinion on the value of AV which does nothing to support your claim.

If you are going to puff out your chest and list YOUR affiliations, okay you did so.
Now, I'm calling your claim BS as I live with the DoD AV policy EVERY DAY!!!!!

Perhaps you need to reread my posts again... the use of AV on DoD systems is based on the level of assurance. High assurance systems have no AV, lower assurance systems do... I've stated this repeatedly... apparently you work in a low assrance environment.

And um... what affiliations did I puff my chest out about?

cheers,

catch

Quote:

---

Originally posted here by catch
I am arguably the biggst advocate of NT security on this site. I freely and frequently state that that NT security is superior to UN*X security.

---

Sorry... yeah, that is kinda funny.. hehe! ;)

Quote:

---

The number of viruses makes no difference, and I never said that it will prevent every single virus ever from causing harm. I said it will outright stop most and dramatically limit the damage possible by others. To the point where the costs saved by an AV are less than the cost of using one plus the new vulnerabilities introduced by the AV itself.
Security isn't about being 100% safe, it is about cost avoidance.

And would you consider your environment to be a low or high assurance one? ;)

---

Okay, I guess we have reached the point were we both understand each other, and how it all depends on the different environments.
It all depends on how you define "High Assurance" I guess...
I may not have as "High Assurance" as you, but we are still required to have it as secure as we can, with all the student information and stuff, HR and Payroll etc...
But like in my wife's case for example, working for the military, they have a very high security policy. Workstations are tightly locked down, but they still have an A/V solution in place.
So in my case, I wouldn't agree to your last statement. There are cases when security IS about being "100%" safe and cost comes secondary.

Also if you can't prevent every single virus, how then do you know for sure you don't have a virus? Maybe you have a virus that might not be very destructive and detectable by general network monitoring tools and stuff, but would easily be detected by an A/V solution?

Just my last thoughts. I'm guessing netiher of us will change, we both have different environments and both work well. However it was nice to dive in to some deeper thoughts and share different views on something so "basic" at first thought.. heh!

Thanks Catch for staying in here through this whole discussion! :)

Quote:

---

There are cases when security IS about being "100%" safe and cost comes secondary.

---

Even at the most secure military installations cost still is king... you never want to spend more money in protection than the likely losses incurred by disclosure, alteration or destruction. Otherwise the protection is more damaging than compromise would be. :)

Quote:

---

Also if you can't prevent every single virus, how then do you know for sure you don't have a virus? Maybe you have a virus that might not be very destructive and detectable by general network monitoring tools and stuff, but would easily be detected by an A/V solution?

---

If the virus is incurring a loss via unauthorized propagation, data destruction, or otherwise... it should be detectable by the security systems in place. These security systems however are overkill for most systems, hence they use AV instead. If the virus is causing no damage at all, why worry about it? This system I am on now has a few hundred viruses on it, all of them inactive... should I lose sleep over this? Should I spend money "fixing" it?

(To close, the Windows NT line (NT4, 2k, XP, 2003) has security capabilities not only equal to many of the following systems, but in many cases actually exceeding them.)

A partial list of systems that rarely, if ever (many have no AV available) run AV software:

Linux
OpenBSD
FreeBSD
Solaris
HP-UX
AIX
QNX
Pitbull
STOP
AS/400

The question was: "Is antivirus software really necessary?"

cheers,

catch

Doesn't it all really just come down to "Need"? If I have a system with no connection out side the box, and no way for media to be inserted, then I do not "need" AV.

If I have some sort of connection to the outside world, where viruses/worms/trojans are a possiblity, it would make sense to have protective measures. This could be in the form of IDSs, firewalls, malware removers, security team and antivirus. Another item to think about is, what is the system used for? what is it connected to? Is the machine reloaded after each use (image)?

So, I think it all comes down to:

A) Is it possible for the machine to be infected?
B) If infected, will it compromise - Production, Information Security or System Performance
c) If a virus can cause a problem, take the proper measures to protect and remove it
D) Whatever the proper measure is, use it.

This seems to make sense to me. It's kind of like the idea of 'least need'. Don't over kill the system with protective software if it isn't needed. But at the sametime, don't neglect the possibility of system/data damage. It's a balance that is deffinantly worth thinking about.

-The Rat.