Does anti-malware do anything?

I’ve often heard it said on Linux forums that it can’t hurt to run Linux anti-virus just in case a Linux virus does get released into “the wild.” I also see that almost all Windows users I know run anti-virus and/or anti-spyware programs.

Am I naive in asking “Why?”

On the Linux front, yes, a Linux virus could get released into “the wild” at some point. Let’s say that happened on July 1 some year. Do you really think that on July 1 the Linux users with anti-virus will be more protected than the Linux users without anti-virus? The virus definitions would be updated on that day and enforced before the virus could do any damage? And if the definitions are updated on July 2 or July 3, couldn’t the Linux users without anti-virus just install the anti-virus within minutes? What extra protection does Linux anti-virus offer you? As for Linux anti-virus supposedly preventing you from forwarding viruses onto Windows users, how about just not forwarding people attachments you yourself did not create?

More importantly, does anti-virus or anti-spyware really do anything in Windows? I don’t use Windows regularly at home any more, but the few times I have booted into it, I haven’t contracted noticeable malware. And I do use Windows regularly at work, and I don’t have any malware either there, even without anti-malware programs running.

Nevertheless, I have a lot of friends and family members who continue to get viruses and spyware on their systems with noticeable slowdown, mysterious processes running, programs that won’t uninstall or shut down. Do these people have anti-*** running with the latest definitions updated? Hell, yes.

So my question to security experts out there (I am not one): does anti-*** software, particularly in Windows, do anything practical to prevent malware? Or does it just suck up more system resources? As far as I can tell, it’s better to not have anti-*** installed and just set up Windows with a limited user account than to have someone run as administrator and have all these useless anti-*** programs running and giving her a false sense of security.

How does the senate vote?

11 comments

  1. In short, yes, Anti-XXXX software does do something. It is called active protection, or real-time protection.

    For example, see AVG Anti-Virus (www.free.grisoft.com). This is a non-resource-intensive, straightforward, free solution. It actively protects against mal/spyware and viruses. For example, say I download a torrented, cracked version of AnyDVD that happens to be infected. As soon as I browse the folder with the downloaded content, AVG pops up and says (paraphrased) “CRAPWARE DETECTED. CLEAN?” When you click YES, it moves the bad files to a quarantine area for inspection (by the user, if necessary) and deletion.

    Active protection.

  2. I think good surfing habits are more important than any Anti-xxx software. I have had the same experiences as you, as most of my friends who got viruses also had Anti-xxx installed on their systems.

    And in my opinion, the ‘active protection’ is only as good as the person who uses the machine. I have had a friend who overrode active protection and installed the virus onto their system.

  3. Anti-*** works well only if updated daily. If not updated daily it is pretty useless against new outbreaks but can still protect the PC from older variants.
    Thus when working in Windows, it is important to install anti-*** software. But no anti-*** solution is required in Linux.

  4. I’d like to start off by stating that I am most definitely not a security expert, I just hope that doesn’t prevent me from taking part in this discussion.

    I think Edmund is correct in describing what kind of protection anti-anything brings, however that doesn’t make it the right tool for the job.

    The reasons as to why are discussed in an interesting article I read a while ago entitled “The Six Dumbest Ideas in Computer Security” by Marcus Ranum. The problem with anti-anything is that those tools enumerate badness, which basically means you define what is bad (read the article itself for a more detailed explanation).

    Instead, wouldn’t it make a lot more sense to define what is good? Start off with a policy of “Default Deny”: no program is to be trusted until the user explicitly states so, and it should always run within a sandboxed environment.

    Let’s take the example brought forward by Edmund. In this case the user downloads a program which should be able to play DVDs. That’s what any reasonable user expects it to do. Should this program be able to access local files? Should it be able to delete local files? Should it be able to communicate over the network? The answer to most of these questions would be no; all it needs to do is access the DVD drive and display the movie.

    I’m not saying that anti-anything couldn’t assist the user in making these decisions; it could be very useful to find out whether a program you download is trustworthy, but anti-anything 1) should never be considered the holy grail in computer security and 2) doesn’t offer much in terms of actual defense.

    This should also provide an answer to your questions, ubuntucat. What I’d personally welcome on GNU/Linux is a user-friendly and efficient method of sandboxing applications and supplying privileges to individual applications.
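Comments 1, 3 and 4 above contrast anti-virus “active protection” (a denylist of known-bad patterns that only works while its definitions are current) with a “Default Deny” allowlist. The Python script below is an added illustration written for this page; it is not code from the post, from AVG, or from Marcus Ranum’s article, and the “program files”, the single signature and the XOR “packing” trick in it are all made up for the demonstration. It runs a toy signature scan and a SHA-256 allowlist check over the same four constructed files, showing why a repacked copy of a known trojan slips past yesterday’s definitions but not the allowlist, and also the cost of default deny: a harmless new tool is refused until the user approves it.

```python
import hashlib

# Toy anti-virus "definitions": literal byte patterns of known-bad payloads.
# Real signatures are far richer, but they still describe *known* badness.
SIGNATURES = {
    "Trojan.Toy.A": b"EXFIL-TO-BADHOST",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def xor_pack(data: bytes, key: int) -> bytes:
    """Crude stand-in for a packer: XOR every byte so the trojan's signature
    no longer appears literally in the file (a real stub would unpack it at
    run time). Constructed for the demonstration, not a real packer."""
    return b"UNPACK-STUB:" + bytes(b ^ key for b in data)


# Constructed stand-ins for program files (made up; not real binaries).
APPROVED_PLAYER = b"MZ\x90\x00 dvd-player: open /dev/sr0, decode, draw frames"
TROJAN_ORIGINAL = b"MZ\x90\x00 dvd-player-crack: EXFIL-TO-BADHOST; drop svchost.exe"
TROJAN_REPACKED = xor_pack(TROJAN_ORIGINAL, 0x5A)  # the "new variant" of the same trojan
NEW_UNAPPROVED_TOOL = b"MZ\x90\x00 cd-ripper: open /dev/sr0, write ~/music"

# Default-deny allowlist: only programs the user has explicitly trusted,
# identified by content hash (the idea behind Windows Software Restriction
# Policies / AppLocker hash rules, or a distribution's signed package repository).
ALLOWLIST = {
    sha256_hex(APPROVED_PLAYER): "dvd-player 1.0 (approved by the user)",
}


def scan_denylist(data: bytes):
    """Enumerate badness: name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def check_allowlist(data: bytes) -> bool:
    """Default deny: a file may run only if its hash is on the allowlist."""
    return sha256_hex(data) in ALLOWLIST


def decide(data: bytes) -> dict:
    """Run both policies over one file and report each verdict."""
    signature = scan_denylist(data)
    return {
        "signature": signature,
        "denylist_verdict": "block" if signature else "allow",
        "allowlist_verdict": "run" if check_allowlist(data) else "deny until approved",
    }


if __name__ == "__main__":
    samples = [
        ("approved DVD player", APPROVED_PLAYER),
        ("known trojan", TROJAN_ORIGINAL),
        ("same trojan, repacked", TROJAN_REPACKED),
        ("harmless but unapproved tool", NEW_UNAPPROVED_TOOL),
    ]
    for label, blob in samples:
        print(f"{label:30s} {decide(blob)}")
```

The repacked copy needs a new definition before the denylist catches it, which is the update lag comment 3 describes; the allowlist refuses both copies without any update, but it also refuses the cd-ripper until the user vouches for it, which is the friction comment 4 accepts when it says the user must explicitly state trust. An allowlist also does nothing about a bug in the approved player itself (a malformed DVD could still exploit it), which is why comment 4 pairs default deny with sandboxing rather than relying on either alone.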

  5. Yep, I couldn’t stand running Windows without anti-XXX. Either that or I would set up a separate partition for program files and make it so I have to enter a password every time I enter it. Just like in Ubuntu.

    I read somewhere that within 40 minutes of a Windows computer running it is likely to be attacked. That’s pretty sad.

  6. “And in my opinion, the ‘active protection’ is only as good as the person who use the machine.” That about sums it up, I think. Thanks for the input. Next time I run into a Windows user who insists on having anti-virus, I’ll suggest AVG.

  7. I think AV software is a must for Windows. I’ll give you a personal example of how an end user doing nothing wrong can get into trouble without it.

    I was at a university with a broadband internet connection; very common. It was accessed through an intranet, on Ethernet. Very common. No login required, just physical location.

    I was coming back for summer school and didn’t have AV set up on my computer. I plugged it in, booted up, and went to run Windows Update, as I couldn’t do it from home (dial-up was too painful). After about five minutes I started to get Windows Messenger pop-ups. So I disabled the Windows Messenger service, which should have been done before but had never bothered me. Then I started to get pop-ups for singles in my area. Then natural male enhancement. I think you can see where this is going. All I have done is plugged in and gone to Windows Update; I haven’t gone and gotten warez, I haven’t gone and looked at pr0n, I haven’t installed anything untrustworthy, and I’m getting odd behavior.

    I figure it’s a virus, download my school’s AV, and it finds me infested. It immediately quarantines about 20 files, removes five viruses, and there are two suspect files it can’t clean. Sadly, one of them is a Windows file.

    A few hours of googling, downloading, installing specific virus removal tools and patching later, my system was fine again. But Windows 2000 default security was insufficient to protect me; worms already present on the network slipped in and infected me without failure on my part (other than not having AV).

    I also use AVG on Windows. And it has a Linux version too, which I think is cool, though frankly pointless.

    As for malware, the best thing to do is simply not to go to untrusted sites. In fact, I’ve been running Spybot Search & Destroy, which locks your registry. Well, I got tricked into allowing malware to enter the registry. It was only as good as I was at detecting it. So while I think these have their use in cleaning a system once someone has been careless, they don’t do as much as they claim to protect you. However, I find it disturbing that any program that wants to can modify my registry by default anyway, so I still keep SS&D installed to lock it down, just as a personal preference.

    In regard to the Linux side, viruses are inherently stupid due to the way the Linux security model is set up. There is no feasible way, at present, to get a file to your computer, have it already have execute and write permission for any user, and then run on its own. But for the sake of argument, let’s say some fiendishly clever person figures out how to do this. Your point is valid: any Linux AV out there would be unprepared to handle this.

    The only exception I can think of would be for something like a mail server. It would be worthwhile to be able to scan for this, so that your network does not end up flooded with spam from infected computers; this is kind of an “ounce of prevention” situation.

  8. Did you get infected while running as administrator? I’ve never had any malware in Windows when running as limited user.

    Though, in all fairness, the “Run as…” feature doesn’t successfully install Windows Updates. You have to be logged in as administrator to install those.

  9. Ugh, but running as a limited user in XP is a nightmare. I know about security, I’m knowledgeable on that, and I should and do know better, but I run as an administrator in XP. The limited user account is just so poorly implemented that it’s not worth it to use it. I back up my system regularly with an image-based backup, and I figure if I get compromised (which is unlikely; I do have A/V, A/S, firewall, NoScript on Firefox, I’m careful, etc. etc.) I can just restore from that. It’s less of a hassle than trying to work with the damn LUA.

  10. Oh, I know running as limited user in XP is a nightmare. I’m just saying it’s a pretty effective guard against most of the malware designed for XP.
