Failure in Tech Journalism: Getting the Truth about Antivirus Software

(raywoodcockslatest.wordpress.com)

71 points | by miles 1047 days ago

10 comments

  • hellotomyrars 1046 days ago
    The author is really kind of all over the place in this piece which for me really serves to reduce its impact. Clearly they had a strong need to vent, somewhat warranted, but they are casting a very wide net of aspersions.

    There are a lot of issues with the industry around antivirus/security vendors. It is a very gross industry for a lot of different reasons, but trying to tie that into how Google is evil and also tech journalism is corrupt and unfit makes the author come across so much weaker.

    I’m also a little confused as to why the author, already unhappy with the free version of the product, decided to pony up for the paid version in the first place.

    Semi-related: AV software plays a huge role in the security ecosystem and its value is unmistakable in that context, but it is worth considering how we get there. The way AV software is sold and marketed is generally some of the slimiest, especially the non-big-name stuff. We all benefit from the very wide net they cast in a collective sense, but from the end-user perspective, especially as a technically savvy user, the cost seems to outweigh the benefit. Personally I’m of the mind that if anything is questionable I’ll run it through virustotal on-demand and make a judgement from there, but also if I’m wondering that deeply I’m just as inclined not to touch something potentially volatile. This doesn’t work for a layperson, but the stuff built into Windows is honestly more than enough for a casual user. If things have progressed beyond that, they need professional help anyways.

    • atoav 1046 days ago
      There is this class of tech outlets for "advanced" computer users (the kind which comes with CDs and USB drives full of "useful" software) which is pure snake oil marketing material.

      The truth is, that with the right behaviour you probably don't need any AV product. Don't click on weird links, use adblockers, don't open weird documents especially when they come via mail, keep your OS and software up to date, etc.

      For all the other stuff (zero days) AV software won't help you and in fact AV software will often even increase the attack surface of your system (remote code execution via AV-buffer overflow is not a rare thing to happen).

      On my Windows machines I have not used AV software for roughly a decade and I have not had a single issue. Telling people that they can click around carefree if only they have AV software installed is irresponsible IMO. AV software is not a substitute for education.

      • BrandoElFollito 1046 days ago
        I am genuinely curious: how do you know that you do not have an issue?

        You may have been infected by a botnet and your machine may be doing things without you knowing.

        It is possible of course to have some countermeasures (integrity checks, baseline checks) but this is hard work.

        • atoav 1045 days ago
          I do check (e.g. with Wireshark) my traffic regularly. Granted, there could still be some genius malware that I will never notice because it cloaks and hides itself so well that I lack the resources to find it. But so far I have had no evidence of it, and my systems are more stable than those of beginners with AV software.
        • MrYellowP 1046 days ago
          > I am genuinely curious: how do you know that you do not have an issue?

          I haven't used an AV since before Microsoft Defender. I don't even remember. I had no need and considered them a scam, but I'm aware that lots of people are literally helpless against them.

          That out of the way, I did catch a few things occasionally, but not even once a rare. Before there were SSDs it was actually really easy to spot when your system behaved differently, simply because the system started acting differently.

          I'm sure, or hope, you remember times before there were SSDs. Things took time to load. Windows took time to pop up. One could hear one's hard drive doing its work.

          And that's how I spotted a virus I'd caught from * microsoft.com, somehow, I don't know. Suddenly the system's timing was completely off. Things took a quarter second longer to load, irregular hardware accesses, etc.

          So I took a look into the task manager (TM) and noted that there was a program that sounded "off". It didn't feel like it belonged there. I had a rough instinct about what's running in the background in a normal system, so that definitely helped.

          I even got rid of it manually and because I can type pretty fast I'm going to share the rest of this story. ^_^

          It was actually pretty easy. Killing the process in the TM made it restart again automatically, so I went out seeking the file in question. If my memory serves me right it was pretty easy, using the TM itself.

          Sadly there's no great hacking story behind this. Accessing the executable in question wasn't possible while it was running, so I made a command line ready to rename the file once I'd killed it. That was pretty much all it took, and after a few attempts I nailed it.

          Deleted it from the harddisk and that's the end of it.

          So ... you can notice based on the timing of things happening on your computer. When they feel off, then there's a good chance something's unusual. Same goes for your computer temperature and fans spinning.

          When you notice that your fans are spinning up more often, or your internet is suddenly slower, then you should check if there's something wrong with your system.

          There are tons* of data points one can use to assess if the system is acting normally, you just have to notice them. :D

        • tgragnato 1046 days ago
          A good starting point is to set up a network tap and analyze the logs, manually.

          Obviously, it's one of those things that is rarely done by the people who use fancy security products.

          ... because it’s hard

          E.g.: Botnet traffic is often “strange” and easy to recognize

          • BrandoElFollito 1046 days ago
            I am a security professional and use all kinds of fancy security products in a 100+k IP deployment. They do not do any magical stuff but the alternative is to write your own product.

            In a home setting, I do not see how manually analyzing the network logs can help (not to mention that most of the traffic is encrypted). You then have integrity checks on files, IOCs you need to check your files against etc.

            Basically this means you have to rewrite an EDR from scratch.

            Fancy security products are not always just a way to check a box in an audit; using one also means using a product that you would otherwise need to either write, or put together from many pieces.

            Just look at wazuh (open source EDR+): when you go past the intro you hit some hard walls (especially with updating IOCs from external sources).

            Security is really hard, but doing it yourself is really, really hard.

            • tgragnato 1046 days ago
              I’m pretty sure EDRs play a role in the professional protection of 100k+ IP.

              At home, OS and software updates combined with network monitoring should be sufficient for the more common threat models.

              One needs to draw a line somewhere.

              EDRs are complex and often fail to protect business systems when professionally managed. I do not believe it's worth wasting time on that at home.

      • MaxBarraclough 1046 days ago
        > The truth is, that with the right behaviour you probably don't need any AV product.

        I'm sceptical. Conventional cybersecurity wisdom is to take a serious approach to both keeping nasties out of your systems, and limiting the damage that may arise if/when nasties make their way in.

        (I'm using nasties to cover everything from infected files to unauthorised SSH sessions.)

        > For all the other stuff (zero days) AV software won't help you

        That doesn't sound right. Trivially, AV will help you against all malware that the AV is able to protect against. If you always do a perfect job at keeping that stuff out of your systems, then sure, AV adds no value, but I wouldn't assume that the premise holds.

        > AV software will often even increase the attack surface of your system

        True, and this is especially troubling considering AV code tends to run with high privileges, but that doesn't show that AV generally does more harm than good. The balance presumably depends on the quality of the AV you're using.

        > AV software is not a substitute for education.

        No one is suggesting that it is, they're saying it's a useful additional measure for some systems.

      • ivanmontillam 1046 days ago
        > AV software is not a substitute for education.

        Yup, that is sort of true. However, I would not recommend to go unprotected to my friends.

        I reckon there are some terrible AVs, some that should not exist anymore.

        Yet, an AV can be taught to stop a zero day faster than an OS update. If you happen to step on a zero day, AV software will find the file's signature faster than you can restart your computer to install the update, whether you have Windows, Linux or macOS. Windows Defender is just dumb regarding features and performance.

        My selection criterion is to not trust anything outside of Virus Bulletin's VB100 and AV-TEST's certification. These are independent reviewers.

        • atoav 1045 days ago
          For Windows users I'd happily recommend using Windows Defender. Much more important than AV is IMO reading email headers, not activating macros, having a working adblocker.
    • bosswipe 1046 days ago
      I've learned to stay away from any and all security software and recommend against it to friends and family. Even open source projects have a tendency to sell out to shady characters and spammers without warning. The industry is fully corrupt as far as I can tell.
    • mschuster91 1046 days ago
      > Personally I’m of the mind that if anything is questionable I’ll run it through virustotal on-demand and make a judgement from their but also if I’m wondering that deeply enough I’m just as inclined not to touch something potentially volatile.

      The problem is that you're not accounting for ads, which have been used often enough as distribution networks for zero-day exploits, and other forms of drive-by infection. A virus scanner can't help against the zero-days itself, but the payloads are usually the same generic bullshit that will be picked up.

  • ChrisSD 1046 days ago
    Anti-malware software is almost universally terrible. My advice is to use the one that comes with Windows (aka Windows Defender). It's not perfect but it's the least worst option.

    Whatever you do, don't use McAfee. And definitely don't use some other random software you found online no matter what the reviews say. This type of software is always incredibly invasive. There is almost zero reason to give this much power over your system to another third party.

    • formerly_proven 1046 days ago
      https://pbs.twimg.com/media/CiniP-kUkAE36aI?format=jpg&name=...

      AVs and other "security products" massively increase attack surface (sometimes by literally disabling protections that the OS itself has, but usually by just being buggy and insecure in itself and doing things in obviously bad and insecure ways to be faster) and have been leveraged in so many attacks now that it's truly remarkable that there is zero change in how people think about it.

    • 1337shadow 1046 days ago
      In case you already have McAfee, you can use this tutorial by John McAfee himself to remove it: https://www.youtube.com/watch?v=bKgf5PaBzyg
    • varnaud 1046 days ago
      I removed Avira antivirus from my grandma's low-spec laptop and switched to the built-in Windows one. My suspicion was that it was constantly scanning the HDD and running a bunch of processes that overworked the laptop's limited capacity.

      Boot to Firefox was improved by at least 30 seconds, navigating the file explorer felt much smoother and security was probably improved as well.

      For home users, I don't see any reasons to use a third party antivirus nowadays.

    • swiley 1046 days ago
      I don't think I've worked somewhere that doesn't use McAfee. The worst was Honeywell: they had every single McAfee product ever installed and it made the machines unusable (SWEs were allowed to apply for 70-day temporary exceptions, so we could actually work instead of just watching the anti-virus/whatever break things.) McAfee also has a partnership with Verizon where they'll convince whoever is paying the bill to install software on the router that terminates SSL connections for you and forces you through their proxy (this requires installing their root CA cert, so yeah, they've even managed to get into iPhones despite the App Store.)

      RKHunter doesn't look so bad but malware is such a non-issue on Linux if you stay away from wordpress and npm so I don't even bother.

    • pram 1046 days ago
      Yes I used Bitdefender for awhile, which was fine, and then they started installing stuff like VPN clients and weird browser extensions. I literally paid for it too, but not anymore. Total shady bullshit.
  • Macha 1046 days ago
    > As if to emphasize the cultural differences between America and Romania, Bitdefender’s website reportedly prevents people from canceling auto-renew. To quote one user’s reaction,

    !?

    A great many US products and services have similar approaches. Think ISPs, gyms, the NYT, etc.

    I agree the behaviour is scummy, but there's no need to single out Romania for it.

    • willis936 1046 days ago
      There is a difference between a contractual agreement to use a service for a period of time and just pulling money out without such a contract or any other form of consent. That is to say: one is legal in the US and the other is not.
      • Macha 1046 days ago
        I'm sure NYT and Bitdefender both have "the contract auto-renews unless explicitly cancelled" in their terms. The only place NYT allows you to cancel online is California, because of relatively recent regulation. Elsewhere you need to contact their retention department.

        I'm really not seeing the difference between their actions.

  • nitwit005 1046 days ago
    The press isn't going to devote more money to an article than they expect the article will make them back in profit. You'll never see the depth that's being asked for, unless there's some existing scandal that might draw reader attention.
    • smt88 1046 days ago
      This is totally untrue for reputable publications like Wired or Ars Technica. The editors may shut something down that isn't interesting, but the writers aren't making decisions based on profitability.

      If people want good journalism, get it from a good publication with real editorial firewalls and standards. If you're reading blogs, you're going to get blogs.

      • nitwit005 1046 days ago
        There exists no news publication where costs are not a consideration. No one is going to give people an unlimited budget for an article few people will read.
        • smt88 1045 days ago
          That's a very different assertion than the one I was replying to.
    • viraptor 1046 days ago
      They have an option of not writing about something rather than doing the bare minimum for clicks. There's no reason we shouldn't expect better and criticise outlets for advertising crappy solutions without a real review. Calling out such outlets is great. Same with articles about the security VPNs give you.
  • cryptica 1046 days ago
    I haven't used antivirus software in over a decade. I consider them to be viruses themselves. Most of them are written by ex-hackers. My solution is to use Linux and to only download files I trust.
    • adxl 1046 days ago
      And if you must run windows for some specific program then run it on Linux in VirtualBox and only run that program. When finished with the program (tax software and other related for me) shut down VirtualBox. Keep snapshots and backups of your work from VirtualBox and you will most likely have no problems.
    • dspillett 1046 days ago
      > and to only download files I trust

      That works for those of us with a bit of knowledge. Unfortunately it is hard for those who don't have time to, or don't want to, build that experience. How do they know what can and can't be trusted? Many bad downloads should be obvious to even a half-wit (and I'm not above unsympathetically sniggering when someone I know falls for them) but many are more clever, or difficult to avoid once you've fallen in to the trap.

      > use Linux

      That won't protect the inexperienced user from everything, by any measure.

  • dvfjsdhgfv 1046 days ago
    This is not surprising, because the dynamic at play here is that antivirus software is just boring: people prefer to review the newest shiny GPUs, CPUs and other gear, but few want to deal with boring stuff. Therefore antivirus companies typically select the media outlets and pay them regularly for ads and reviews. Therefore it's quite rare for a tech review site to run a big story on how bad antivirus software is, unless they do something extremely bad like Avast last year.
  • juancn 1046 days ago
    Most third-party antiviruses cause more problems than viruses do in my experience.

    They tend to hook into system calls and slow down the computer in hard to diagnose ways. Sometimes they don't implement the hooks correctly and cause subtle bugs on top of the slowdown.

    I only use built in ones (such as Windows defender) which at least have the pushback of some other teams that own the APIs that are intercepted and tend to strike a better balance.

  • Ocha 1046 days ago
    Have you tried Nod32? I have been using them for more than 10 years and never had a problem. It has quarantined a couple of questionable files, but I had no problem restoring them within the app. Whitelisting those files, though, took some effort. :/