Tuts 4 You

Why NOT to use antivirus?



Why NOT to use antivirus? EDIT -> ...why not to install an AV or not to use a resident AV...

1.) Many AVs consider packed executables to be viruses (tons of false positives).

2.) Most hack tools are blocked or deleted by default. Why? They are not viruses!?

3.) AVs have had some critical false positives; Kaspersky AV had some.

4.) AV kills PC performance.

5.) I'm tired of making endless exclusion lists.

What then?

1) Limited User Account

2) A decent firewall with HIPS (Comodo v3*/Outpost v2008*/Online Armor Firewall/Jetico Personal Firewall v2* or v1*)

*all additional security options enabled

3) A simple antivirus: ClamAV, Comodo AV (don't mix Comodo AV with Comodo v3; it has an integrated one)

4) Monitor apps with Process Explorer and Autoruns

5) Protect the registry with Spybot (also beta signatures) and SpywareBlaster

6) Run spyware/rootkit scans (Spybot, online virus scanners: Kaspersky, F-Secure)

7) In Vista there is UAC (not everyone likes it)

EDIT 8) DEP

------------------

Correct me...

EDIT

1) Run virtual machines (TiGa)

Edited by 0000007a
------------------
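The checklist in the opening post (limited user account, firewall, UAC, DEP, Autoruns) can be audited from a PowerShell session. The script below is an added example and is not code from the thread or from any of the tools it names; it only reads state and changes nothing. It relies on the standard EnableLUA registry value, the Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy WMI property, and Get-NetFirewallProfile (present on Windows 8 and later, with a netsh fallback); the Run-key listing covers only a small subset of the locations Sysinternals Autoruns shows.

```powershell
# Added example: read-only audit of the host-hardening checklist above.
# Nothing here modifies the system; run it under the account you use daily.

function Get-DepPolicyName {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy codes 0..3
    param([int]$Code)
    switch ($Code) {
        0 { 'AlwaysOff (DEP disabled)' }
        1 { 'AlwaysOn (all processes)' }
        2 { 'OptIn (Windows system binaries only)' }
        3 { 'OptOut (all processes except exclusions)' }
        default { "Unknown ($Code)" }
    }
}

function Get-AutorunEntries {
    # Assumption: only the classic Run/RunOnce keys; Autoruns covers far more.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-HostHardeningReport {
    # 1) Limited user account: are we running with administrator rights?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 7) UAC: EnableLUA = 1 means UAC is on (the value is absent on XP and older).
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name EnableLUA -ErrorAction SilentlyContinue
    $uacEnabled = if ($null -ne $uac) { [bool]$uac.EnableLUA } else { $null }

    # 8) DEP: system-wide policy as reported by WMI.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $dep = Get-DepPolicyName -Code $os.DataExecutionPrevention_SupportPolicy

    # 2) Firewall: per-profile state (cmdlet on Windows 8+, netsh otherwise).
    $firewall = if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }
    } else {
        (netsh advfirewall show allprofiles state) -match 'State'
    }

    $warnings = @()
    if ($isAdmin) { $warnings += 'Session has administrator rights; use a limited user account for daily work.' }
    if ($uacEnabled -eq $false) { $warnings += 'UAC is disabled.' }
    if ($os.DataExecutionPrevention_SupportPolicy -in 0, 2) {
        $warnings += "DEP policy is $dep; OptOut or AlwaysOn covers more processes."
    }

    [pscustomobject]@{
        User           = $identity.Name
        RunningAsAdmin = $isAdmin
        UacEnabled     = $uacEnabled
        DepPolicy      = $dep
        Firewall       = ($firewall -join '; ')
        AutorunEntries = @(Get-AutorunEntries)   # 4) what Autoruns would show, partially
        Warnings       = $warnings
    }
}

# Usage:
$report = Get-HostHardeningReport
$report | Format-List
$report.AutorunEntries | Format-Table -AutoSize
```

The Warnings list is the part to act on: an admin session, UAC off, or DEP in OptIn mode each undo one item of the checklist above regardless of which firewall or HIPS is installed.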

Why TO use antivirus?

One day, without antivirus software, you will come upon a strange packed file.

You will even say: "geez, what a strange packed file".

The strange packed file won't want to unpack in a VM so you will try it on your real system.

After a few minutes, you'll realize that it wasn't really packed by a packer.

Congratulations, you've caught a virus.

If you don't have a resident AV, you'll probably find out only after a few reboots or your bi-annual scan.

The moral of the story:

If something COULD contain a virus, don't trust an AV or your guts, run it in a VM instead.

It's the safest way.

TiGa

------------------

@TiGa

VM: I agree for suspicious files and harvesting viruses, but we don't use a VM for every file.

I don't want to run network hacking tools from a VM; it does not always work properly... and performance impact again...

Any file could contain viri.

IMHO resident AV = crap.

I doubt that you can easily bypass a good HIPS.

There are about 6 online multi-AV file scanners to scan suspicious files; why install only 1 AV?

Anyway, I screwed up; it should be ...why not to install AV or not to use resident AV...

Edited by 0000007a
------------------
cond0lence

4.) Lower the heuristics or process priority and use the common extensions setting; you will see it doesn't have that huge an impact.

@0000007a: Learn enough about virii/spyware, understand how they work or

how they can penetrate a system, and you don't need one installed locally.

Surely it takes a bit of time when you want to test files inside a sandbox/VM,

but I think you are more flexible than with a simple restricted account,

because it's just better locked up, and you can also build a VM with an installed AV. :P

VMs are really perfect, because they help to analyse a complete break-out.

------------------
4.) Lower the heuristics or process priority and use the common extensions setting; you will see it doesn't have that huge an impact.

@0000007a: Learn enough about virii/spyware, understand how they work or

how they can penetrate a system, and you don't need one installed locally.

Surely it takes a bit of time when you want to test files inside a sandbox/VM,

but I think you are more flexible than with a simple restricted account,

because it's just better locked up, and you can also build a VM with an installed AV. :P

VMs are really perfect, because they help to analyse a complete break-out.

what if the virus gets out of the VM?

Cheap pc with nothing and not networked FTW! lol

------------------

6. I'm worse than most virii; there isn't a virus that kills my comp better than me..

7. Nothing is more fun than to find that DDoS daemon you've contracted whilst searching for some dubious entertainment and have some fun with its custom packer.. And then bring it to its knees.

:)

------------------

1. If you use Norton, or today a not-old version of KAV, then it's your fault and you are lame.

2. A good AV lets you configure it yourself, to check only on run. Even an injected DLL has to run.

3. Lame AVs like Norton etc. check everything. You enter a dir, list it, and it checks all files, considers ImpREC a virus aka hack tool (lol).

4. You are a reverser, so do you need something that eats RAM like hell and slows down your PC? Not me! That's why I don't have any.

5. If you are a lamer, even the best AV isn't enough.

------------------
what if the virus gets out of the VM?

If I saw a virus break out of the VM, I would be so happy.

It would mean that A) somebody finally managed to make a virus that breaks out of a VM and B) I'd have material to write a f-ing great paper.

Too bad that those things are only an urban legend...

I'd even say the opposite: viruses that are VM-aware often don't activate themselves in a VM.

Cheap pc with nothing and not networked FTW! lol

That's my definition of a VM.

1. Virus scanners bitch at clean packed files and welcome packed viruses.

What crappy AV are you using?

And you are still using it even though you know it's a piece of crap?

The first and main cause of catching a virus will always remain human stupidity.

AV or not.

TiGa

------------------
The first and main cause of catching a virus will always remain human stupidity.

AV or not.

Agreed. I don't use any and I don't need one.

Edited by STN
------------------
what if the virus gets out of the VM?

If I saw a virus break out of the VM, I would be so happy.

It would mean that A) somebody finally managed to make a virus that breaks out of a VM and B) I'd have material to write a f-ing great paper.

Too bad that those things are only an urban legend...

I'd even say the opposite: viruses that are VM-aware often don't activate themselves in a VM.

Cheap pc with nothing and not networked FTW! lol

That's my definition of a VM.

1. Virus scanners bitch at clean packed files and welcome packed viruses.

What crappy AV are you using?

And you are still using it even though you know it's a piece of crap?

The first and main cause of catching a virus will always remain human stupidity.

AV or not.

TiGa

I don't use an AV.

What is a good VM software?

------------------
Second, I think, is VirtualBox (free).

Here you go:

If you are interested in using VirtualBox -- either for private or business use --, you have the choice between two versions:

* The full VirtualBox package is available in binary (executable) form free of charge from the Downloads page. This version is free for personal use and evaluation under the terms of the VirtualBox Personal Use and Evaluation License.

If, instead, you wish to purchase licenses for enterprise use and/or enterprise support for VirtualBox, please do not hesitate to contact innotek.

* The VirtualBox Open Source Edition (OSE) is the one that has been released under the GPL and comes with complete source code. It is functionally equivalent to the full VirtualBox package, except for a few features that primarily target enterprise customers. This gives us a chance to generate revenue to fund further development of VirtualBox.

aNtrObS

------------------

I'm going to try "VMware Player - Player is free but it cannot create VMs, so it is possible to make one online at http://www.easyvmx.com/"

Which is fine for debugging malware, I assume?

Is there anything special I need to do or know before debugging malware on a VM?

I guess auto-detect CD drive doesn't work? It isn't detecting my CD-ROM drive.

Edited by high6
------------------
what if the virus gets out of the VM?

If I saw a virus break out of the VM, I would be so happy.

It would mean that A) somebody finally managed to make a virus that breaks out of a VM and B) I'd have material to write a f-ing great paper.

Too bad that those things are only an urban legend...

I'd even say the opposite: viruses that are VM-aware often don't activate themselves in a VM.

But isn't this already possible???

I remember these articles on the German IT news portal heise.de:

http://www.heise.de/security/news/meldung/108810

http://www.heise.de/security/news/meldung/109027

These are the original (English) security bulletins which the articles refer to:

http://lists.vmware.com/pipermail/security...008/000017.html

http://lists.vmware.com/pipermail/security...008/000018.html

------------------
But isn't this already possible???

From another thread:

Don't ever use their own internal directory sharing or whatever they call it.

VMWare could be insecure there.

From the links you posted:

NOTE: Installing the new hosted release or ESX patches will not remediate the issue. The VMware Tools packages will need to be updated on each Windows-based guest followed by a reboot of the guest system.

They fixed the security hole a few days after it was discovered.

VMware is a commercial product with paying customers.

They have more pressure to fix their bugs than the companies that offer only a free product.

In order to exploit this vulnerability, the VMware system must have at least one folder shared. Two things must happen for a folder to be shared. 1) Shared folders must be enabled, and 2) a folder must be selected from the host system to be shared. No folders are shared by default in any version of our products, which means this vulnerability is not exploitable by default. Workstation 6.x, Player 2.x, and ACE 2.x have shared folders disabled by default.

It always sounded to me like a half-baked idea, so I never used it.

It looked bad to me because this type of sharing remains active even if ALL the network capabilities of the VM are supposed to be disabled.

So the moral of the story:

If you like to use the host-guest directory sharing feature, be sure that you have updated your version of VMware.

A real breakout would be a virus or malware walking out by itself, not using a feature that opens all the doors for it.

TiGa

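The bulletin quoted above makes the shared-folder feature the precondition, so the practical check for a malware-analysis VM is whether its configuration shares any host directory at all. The script below is an added example, not code from the thread or from VMware: it parses the key = "value" lines of a .vmx file and reports shared folders and their write access. The key names it looks for (sharedFolder<N>.present, sharedFolder<N>.hostPath, sharedFolder<N>.writeAccess, isolation.tools.hgfs.disable) are assumed to follow VMware Workstation/Player conventions; the sample .vmx text is constructed for the run.

```powershell
# Added example: audit VMware .vmx files for host-guest shared folders.
# Key names are assumptions about Workstation/Player .vmx conventions.

function Read-VmxConfig {
    # Parse 'key = "value"' lines into a hashtable (@{} keys are case-insensitive).
    param([Parameter(Mandatory)][string[]]$Lines)
    $config = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }                   # comment or blank
        if ($line -match '^\s*([^=\s]+)\s*=\s*"?(.*?)"?\s*$') {
            $config[$Matches[1]] = $Matches[2]
        }
    }
    return $config
}

function Test-VmxSharedFolders {
    param([Parameter(Mandatory)][hashtable]$Config, [string]$Label = '<inline>')

    # Hardening switch that turns the HGFS guest component off entirely (assumed key).
    $hgfsDisabled = ($Config['isolation.tools.hgfs.disable'] -eq 'TRUE')

    # Every sharedFolder<N>.present = "TRUE" block describes one exposed host path.
    $folders = foreach ($key in @($Config.Keys)) {
        if ($key -match '^(sharedFolder\d+)\.present$' -and $Config[$key] -eq 'TRUE') {
            $prefix = $Matches[1]
            [pscustomobject]@{
                HostPath  = $Config["$prefix.hostPath"]
                GuestName = $Config["$prefix.guestName"]
                Writable  = ($Config["$prefix.writeAccess"] -eq 'TRUE')
            }
        }
    }
    $folders = @($folders)

    $risk = if ($hgfsDisabled) { 'None: HGFS disabled in guest tools' }
    elseif ($folders.Count -eq 0) { 'Low: no folders shared (VMware default)' }
    elseif ($folders | Where-Object Writable) { 'High: writable host folder exposed to guest' }
    else { 'Medium: read-only host folder exposed to guest' }

    [pscustomobject]@{
        Vmx           = $Label
        HgfsDisabled  = $hgfsDisabled
        SharedFolders = $folders
        Risk          = $risk
    }
}

# Constructed sample .vmx fragment (not a real VM): networking off, but a
# writable host folder is still shared, which is the case the thread warns about.
$sampleVmx = @'
.encoding = "windows-1252"
config.version = "8"
displayName = "malware-lab"
ethernet0.present = "FALSE"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Samples"
sharedFolder0.guestName = "samples"
'@ -split "`r?`n"

Test-VmxSharedFolders -Config (Read-VmxConfig $sampleVmx) -Label 'sample.vmx' | Format-List

# Audit every .vmx under a VM store (the path is a placeholder; adjust it):
# Get-ChildItem 'D:\VMs' -Recurse -Filter *.vmx |
#     ForEach-Object { Test-VmxSharedFolders -Config (Read-VmxConfig (Get-Content $_.FullName)) -Label $_.FullName } |
#     Format-Table Vmx, HgfsDisabled, Risk
```

For the constructed sample the report comes back with Risk "High": the VM has no network adapter, yet a writable host directory is still reachable from the guest, which is exactly the point made above that this kind of sharing stays active even when all network capabilities of the VM are disabled.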