Recently, I read a nice post (Spanish only) published by Sergio Hernando on anti-virus software. After reading it, I decided to go on and write my own personal opinions on security and anti-virus software. In this particular case, although unusual, I disagree — most of the time, I can’t agree more with Sergio — with some of the points he made in this post 😉
The last time I used anti-virus software was more than ten years ago, and the last virus that infected one of my computers was called Omicron. In fact, my computer got infected due to an MS-DOS floppy that somebody copied for me that was already infected. In those days, it was pretty common to exchange floppy disks between friends.
I don’t like anti-virus software, at least in its current form, and I think I’m not the only one. I think I don’t need one anymore — and so does Jim Allchin.
Personally, I find anti-virus software to be:
Most of the anti-virus products I have ever used try to attach to the operating system itself — either the kernel, file system driver, disk driver, etc. — which makes the system slower, or crash-prone and unstable, or all at the same time.
They are pretty much reactive beings.
I think reactiveness in isolation does not lead to a secure system. In real life, I tend to have a healthy diet, get some exercise, have enough sleep, etc., so that I can avoid becoming ill or sick. That is, I’m being proactive: instead of waiting to become ill or sick, then going to the doctor, I do take actions, actions aimed at keeping me on the safe side.
There is a small joke that I think reflects the problems I see with anti-virus software:
– I think I’m ill, Doctor
– You suffer from Smith Syndrome
– What’s that?
– We don’t know yet, Mr. Smith
Most anti-virus products are reactive. Most of them include really good and ingenious engines that are able to even debug suspicious code in order to guess whether it is good or bad to run it. The problem is, however, that the user has little or no way to influence that decision — and it would be probably a bad idea to do so, since there are a lot of people out there that aren’t trained enough to decide by themselves.
Right now, anti-virus software is totally useless against new forms of malware, like Blue Pill. To me, the resources (time and money) of running an anti-virus can be wisely used to do other things, which I find far from perfect but more effective.
Some people I know think that having anti-virus software is all they need to keep their computers safe and clean from malware. They think that, as long as they have anti-virus software installed churning all of their available CPU cycles, it is safe to browse malicious sites, click on any banner, download dubious software, or open an e-mail message even when the sender is totally unknown or the subject is written in a language they don’t understand.
Whoever thinks this way is quite frankly wrong. And what’s worse, I don’t like the fact that anti-virus manufacturers (yes, I think they manufacture software, instead of handcrafting or designing it) don’t try to stop this insane advertising. I don’t take a flu shot and expect to be healthy forever. Things don’t work this way: medicines aren’t perfect and doctors, from time to time, make mistakes. You need to be wiser, smarter. You need to be proactive.
Anti-virus software is like a vaccine: it can only fight, and eventually defeat, known threats. It tries to defeat unknown threats by using heuristics and even AI, but it is far from perfect and sometimes can’t detect or defeat new kinds of malware that haven’t been properly analyzed. In fact, there are new breeds of malware that can’t be detected, even less be defeated, by current anti-virus products. It is the same way in real life: does H5N1 sound familiar?
These are the pieces of advice, rules, mantras and habits that have helped me stay secure for a very long time:
Use a (more) secure platform.
I personally like to use little-used, little-known, secure, well-designed platforms. That leaves me with GNU/Linux, FreeBSD, OpenBSD, NetBSD, Solaris and, to some extent, Mac OS X. They are far from perfect — there is no completely software at all, by the way — but they do a really decent job.
I consider the rest of them to be either insecure (i.e., Windows) or so unknown and/or obscure to me that I don’t feel confident enough to install, configure or run them in a secure and safe way (e.g., BeOS, QNX, etc.).
Use a safe(r) browser.
Or the safest browser that you can find. I mean, stay away from Internet Explorer. It is insecure, doesn’t comply with standards and it is proprietary, closed-source software — it’s difficult to audit software whose source code is closed away from you.
Be proactive, not only reactive.
Keep yourself up-to-date, well-informed by subscribing to security mailing lists, like SANS, CERT, vendor-driven mailing lists, Kriptópolis, una-al-día, etc., so that you stay aware of new exploits and vulnerabilities, their consequences and how to fix or overcome them if possible.
Talk to other people, to colleagues, to friends and share experiences and knowledge (right now, sharing knowledge is not yet illegal), read books and learn from your own experience and from others’ experience.
Also, be prudent and use your common sense (it comes by default in you, so it is free).
Keep your system up-to-date.
Updating production systems, particularly if you run a lot of them or they run critical software, is not an easy task. From time to time, security updates break things, change functionality or create problems. They aren’t supposed to behave this way, but software is not perfect. You should know 🙂 That’s when auto-updating software comes to the rescue, doesn’t it?
That doesn’t mean you should run stupid, automated auto-updating software, like Windows Update. For me, I find that letting any sort of automated, clueless system, other than me, decide what to update and when to do it is, at least, crazy. Current auto-updating software doesn’t have a sense of risk since it doesn’t fully understand the system it’s running on. The risk of rendering your daughter’s game-playing PC useless is completely different — and probably lower — than the risk of rendering your working/corporate PC useless because of a broken security patch. However, auto-updating software will probably make sense for a game-playing PC or a PC used to sporadically surf the Web. Knowing if auto-updating software makes sense or not is tricky business. What is worse: having an un-patched system running several Trojan horses at the same time, or a patched, but broken system?
So my personal advice is: before applying a fix, make a backup of the system and, if you can, deploy the fix on a canary or test system before you do that on production or critical (like your laptop with invoices and your whole digital life) systems.
Use a real firewall.
But please, really use a real firewall. One that is powerful enough to filter both incoming and outgoing traffic, like IPTables (GNU/Linux) or PF (FreeBSD and OpenBSD).
For example, I can’t think of any machine of mine sending traffic to any of the following ports: SMTP, NetBIOS, CIFS, BGP, etc. I know that it is easy to defeat that kind of blocking by using HTTP tunneling, but that’s another story.
Ask yourself the following questions three times in a row before installing software.
Can I do fine without this software? Was I thinking of installing this software because it is super-cool?
If my answer to any of these questions is yes, then I don’t install that particular piece of software, or do it on a test machine (like a virtual machine). This is my first level of filtering.
Do I know who wrote the software? Do I know where the software came from? Do I know why the author wrote the software? Is anybody else using that software? Do I have the right to access, read and modify the source code of the program?
This is my second level of filtering. I don’t like running closed-source software for a couple of reasons: I can’t debug it easily in case it doesn’t work as expected, which is a hassle to me and, second, if it is insecure or has a defect, I can’t fix it or, more commonly, find someone else to fix it for me.
If I ever need to install suspicious or untrusted software, I usually start up a virtual machine and install the software on it just for testing. In fact, I very rarely do run Windows but if I ever have to do it, I always use a virtual machine. Once I end my session, I undo all the changes (unless I can’t afford to do it by risking losing data or configuration changes).
Capture network traffic from time to time.
This allows me to check my expectations. I know my computers should never ever send NetBIOS or SMTP traffic. If they ever do, I know something is wrong. Maybe some component is misconfigured, or maybe something else has been installed that is triggering this behavior.
Knowing how your systems should behave and how they behave is really helpful. Not only for security, but for reliable systems. Also, I’m not the only one doing it.
Although Java is not insecure by itself, I usually find it pretty annoying. I usually enable it specifically for some Web sites that require it or lose functionality I like or depend on.
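As an added example (not code from the original post), the expectation check described above can be scripted: read a capture file and list every packet a local machine sent to one of the services named in the firewall section. The port numbers are the well-known ones for those services; the function names, the 192.168.1.0/24 network and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Well-known ports for the services the post says its machines never talk to.
UNEXPECTED = {25: "SMTP", 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS",
              445: "CIFS", 179: "BGP"}

def find_unexpected_egress(pcap: bytes, local_net: str):
    """List (src, dst, dport, service) for packets sent from local_net to an
    UNEXPECTED port. Handles classic pcap, untagged Ethernet, IPv4 TCP/UDP."""
    net = ipaddress.ip_network(local_net)
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # too short or not IPv4
        l4 = 14 + (frame[14] & 0x0F) * 4  # start of the TCP/UDP header
        fragment_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] not in (6, 17) or fragment_offset or len(frame) < l4 + 4:
            continue  # not TCP/UDP, or a fragment without the port fields
        src = ipaddress.ip_address(frame[26:30])
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
        if src in net and dport in UNEXPECTED:
            dst = ipaddress.ip_address(frame[30:34])
            hits.append((str(src), str(dst), dport, UNEXPECTED[dport]))
    return hits

def sample_pcap() -> bytes:
    """Constructed four-packet capture (documentation addresses, zero MACs)."""
    def record(src, dst, proto, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HH16x", 40000, dport)
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + record("192.168.1.10", "203.0.113.25", 6, 443)    # ordinary HTTPS
            + record("192.168.1.10", "203.0.113.25", 6, 25)     # outbound SMTP
            + record("192.168.1.10", "192.168.1.255", 17, 137)  # NetBIOS name query
            + record("203.0.113.25", "192.168.1.10", 6, 25))    # inbound, not ours
```

Calling `find_unexpected_egress(sample_pcap(), "192.168.1.0/24")` reports the outbound SMTP and NetBIOS packets and ignores the HTTPS and inbound ones; a real capture must be in classic pcap format, not pcapng.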
Sorry, Sun. No pun intended.
Don’t ever open e-mails from a sender you don’t know about.
My father told me this when I was a child:
Don’t talk to strangers!
My mother told me this when I was a child:
Never open the door if you don’t recognize the guy on the other side.
My mom’s advice was extremely restrictive. Had I followed it, I think I would have never allowed the gas or cable technician to get into my house in order to check or fix broken things. So, I would rephrase that to:
Never let anyone in your house unless you invited or expected him.
I apply this mantra in real life as well as to my e-mail messages: “I never ever open an e-mail message from someone I don’t expect to talk to me”. Of course I can be deceived by some viruses which cloak themselves or pretend to be a friend of mine — typically those that send themselves to recipients of someone else’s address book.
Additionally, e-mail based spam and viruses are usually one-shot only: if I ever discard, either on purpose or by accident, an important mail message from someone that I don’t know, he or she will probably try to get in contact with me again by either resending the message or by finding a different communication channel.
These are, of course, my personal opinions. They might or might not make sense or apply to you 🙂