How to Pick Your Antivirus

Spread the love

I get asked this question a lot.  “What antivirus program should I use?”  It’s also probably the question I dread the most, in large part because if I recommend something and someone gets infected anyway, it’s suddenly my fault.  So before I provide any semblance of an answer, I want to start off by making something very clear.

All antivirus software sucks.

Yeah, all of it.  Even what I run, which is currently ESET NOD32 (which, despite its name, also comes in a 64-bit version), has some really severe limitations based on how it works.  I run it at home because historically, it’s pretty solid, doesn’t break many things, and fits what I need.  But I’ve run up against it in a penetration test and got past it.  The question invariably comes around: Then why run it?

Ultimately, think of a military base.  It has guards, regular patrols, people who look for things out of the ordinary.  They fend off a lot of possible problems.  But they don’t catch everything.  They’re trained to catch what they know about, what they’ve been trained on.  They often won’t catch someone doing something entirely new.

And that’s how AV works.  AV is fundamentally reactive.  It can only work on what it’s seen before.  Something new, something that the company has never seen, has a good chance of going right by it.  It happens all the time.  But the military doesn’t end the patrols simply because the SEALs or Delta Force can get through, and you shouldn’t stop using AV simply because the newest and best might get through.  What AV is good at catching is the low-hanging fruit, the common stuff that we still see on a regular basis.  Someone still opens an old document with the Melissa virus, someone tries to infect a system with a version of Zeus from a year ago.  These are things that AV is good at catching, and there’s an awful lot of of it.  It’s not going to catch the things that are written a few days ago by a group that rakes in $2 million a year and can afford to buy a copy of every AV program out there (often with someone else’s credit card) and run it locally to test.  Some recent numbers suggest that the average time it takes AV companies to find web-based malware is about 20 days.  It’s kind of scary, but the fact is that most of these stick around a lot longer than 20 days, and the older stuff can be caught.  And that is why we keep running AV.

So on to the recommendations.  I don’t recommend McAfee or Symantec.  It’s not that they’re not good enough–they can be, if you know how to configure them.  But they’re largely configured to meet the business needs of their biggest customers, and those two fight it out for the lion’s share of the market, meaning that their default configurations aren’t usually the best available.  It’s not that they have bad technology; it’s that the default configurations aren’t good enough for the real world.  The same goes for the other larger competitors such as Trend-Micro and Sophos.  Enter the smaller competitors.

I’ve used a lot of AV over the years.  I mentioned that I use ESET now, largely because they have a consistent track record of being among the better companies.  BitDefender and Kaspersky are others that are worth looking into because they compete on how well they work, not on how well they integrate (read: what they don’t break).  I don’t advise WebRoot because they have failed so many AV tests that I wouldn’t mention them if they weren’t so horrible.  Microsoft’s solution is also on a downward slope over the last year or so.

But what about a year from now?  Here’s what I do.  I check out AV Comparatives and AV Test, two sites that do a decent and regular job of evaluating most of the AV products out there.  I do this every few months to see who trends over the course of a year or more.  Companies can tweak their engines to catch the malware du jour.  But that tweaking may work for only a few months, and down to the bottom of the list they go.  Similarly, one company may slip for a time and then catch back up to its usual position.

Whatever you buy, consider strongly getting the full security package, which usually includes a firewall and some form of intrusion detection/prevention.  This monitors traffic in and out of your system to help ensure that only trusted programs are sending or listening for traffic.  It can be annoying at first, but it usually only takes a few days for most of the programs you know should be talking to the Internet to get listed.  If you see something weird, block it.  A friend once saw something like ‘ae827ffcbd384.exe’ trying to connect to the Internet because his firewall saw something it didn’t expect.  His AV missed it, but the firewall saw the outbound traffic and flagged it.  That’s how he learned he was infected.  This is a great example of security layers coming into play: one layer missed it and another caught it.

But whatever you choose, be aware that no AV solution replaces smart computer use.  Poor use habits will still get you infected.  (Proper use habits can also get you infected, but there’s a much smaller chance.)

  • Keep your software up to date.  This includes more than Windows and even Adobe patching.  You have to keep everything up to date.  Go get something like Secunia PSI to check what you have installed against their version and vulnerability database.  Patch everything that you can.  Remove the software that you don’t use, especially if you can get away with not using Java.  (I know there are those who need Java–I do, too, for the SANS webcasts.)
  • Watch the sites that you go to.  Generally speaking, the major sites are fine, but even and the Tri-Lateral Commission site have been hacked.  Watch for odd behavior and perform scans using emergency discs once in a while as this helps catch things that may hide from normal AV operations.  (And no, you can’t trust porn sites.  Some of them are run by some very unethical people.)
  • Don’t open unexpected e-mail.  You have no idea how often this happens.  If you do open it in, say, Gmail, it’s probably not immediately infecting anything, but if it’s spam or a phishing attempt, by all means, report it.  But better safe than sorry–delete it to begin with.

These few steps–plus a decent AV program–go a long way toward protecting you.  Ultimately, the best solution is application white-listing, but that’s still really hard for corporations to put into effect, leaving end-users mostly waving their arms in frustration.  I don’t do it yet, so don’t feel bad.  But at some point, we’re going to have to do it.  When something even vaguely reasonable comes about to do it, I’ll be sure to let you know.

Leave a Reply

Your email address will not be published. Required fields are marked *