> Readers considering antivirus software should also be aware that such software – ironically – presents a risk just by its very nature.
My stepfather went to a grey power meeting (a kind of seniors meetup) and the speaker of the day terrified everyone there with talk of viruses.
When I next saw him he proudly told me he no longer had any fear of viruses - in fact he had installed 7 different anti-virus products just to be safe. When I asked him where he had found them, he told me he simply googled for them (or maybe yahoo-ed back then) and downloaded them straight off the interweb. I simply could not persuade him that that was not a wise strategy.
There is a 62 year old man in Germany who went and got 217 Covid vaccines in the span of 29 months.[1] Covid was probably afraid to catch him.
Funny how with Germany's extensive paperwork bureaucracy where every little detail must be recorded and tracked, the healthcare workers couldn't catch this guy earlier.
> Funny how with Germany's extensive paperwork bureaucracy where every little detail must be recorded and tracked, the healthcare workers couldn't catch this guy earlier.
It's precisely because of this extensive paper-based bureaucracy that such things happen, not despite it.
German bureaucracy is a complete and utter mess. By and large, it's a self-perpetuating end in itself that doesn't serve any purpose other than keeping itself (and the people and organisations involved in it) alive.
What's more, due to the German aversion towards digitization and digital processes (with a misconceived notion of privacy commonly known as "data protection" in Germany often used as an excuse), the data recorded by those bureaucratic processes is basically stored in a gargantuan pile of paper nobody is able to make sense of.
My favourite example of the self-perpetuating nature of German bureaucracy is the story of the Chinese tourist who, asking for directions in some administrative building, got mistaken for a refugee.
It took more than a month, including placement in a refugee centre, before the administrative wheel stopped turning and it was realised that he was, in fact, only a tourist visiting Germany.
Privacy and lack of digitization are big in Germany. There is no central vaccination database or similar. You can have an "Impfpass" (vaccination pass), which is a piece of paper with stamps and signatures for your vaccinations. But no one would bat an eye if you "lost" it.
Germany made a lot of mistakes over COVID. There were several cases of testing center scams where people reported more tests than they actually administered. No proof required. There is not a lot of bureaucracy surrounding vaccinations, at least not from a patient's point of view. So if you forgot or lost your vaccination pass you could probably just get another shot, especially if you're older/at risk.
Not sure why you are being downvoted, the testing center scams are estimated to have cost more than a billion euros [^1]
and from the experiences I had, the people that ran them, and their sheer abundance, this number is probably a very conservative number, and it doesn't yet include all the ones that operated on the brink of scamminess. There wasn't a need to completely and obviously fake the numbers to funnel a lot of public money into your pockets, often without providing any tangible benefit (no qualified personnel, unreliable tests, inadequate execution).
Way into 2021 many streets in the city I live in had one improvised testing center next to the other, mostly run by people without any medical qualification, using tutorials from the internet and a process almost designed for corruption, where setting up a test center was a state-funded get-rich-quick scheme for quite a while.
Very rarely do I defend the last government of Germany, but the strategy was to give centers a good margin and a low bureaucratic hurdle to maximize the number of testing centers and ensure that everyone can get tested everywhere. Given the seriousness and uncertainty of the situation at the time, I think that was a good call.
And there was required documentation, it was just not checked at the time. Once the situation settled down, the state started clawing back fraudulent claims.
> There is not a lot of bureaucracy surrounding vaccinations at least not from a patients point of view. So if you forgot or lost your vaccination pass you could probably just get another shot especially if you’re older/at risk.
That was by design, to facilitate and speed-up the vaccination process, and in the context, there was nothing wrong with that approach to keep the population safe and the country running.
The problem is more that nobody wants to be changing policy as they won’t see a benefit and they will get blamed. Get hit by ransomware (which your AV wouldn’t detect), you get blamed for removing AV and you’re after a new job.
Our password policy still demands periodic changes despite ncsc/microsoft/etc advice saying not to do that, because who wants to take the risk of changing policy.
> You probably need it because your corporate IT department wrote a policy that says you must have it.
I think the causes are deeper. At the end of the thread you will probably find some horribly outdated "best practices" and some big consulting firm that is paid $$$ to security-audit your company. The IT department are just the poor buggers that need to do whatever is needed to get that audit, although they may well know that much of it is theater.
Someone in a SOC2 meeting started making a fuss about us needing virus scanners on our Amazon Linux EC2 instances. I don’t think that got very far but… Just… Stop.
That’s absolutely a thing. It’s usually under the broader category of anti-malware. Why is the web server suddenly mining bitcoin?
Edit: Source: have been through a few SOC 2 audits, enough to understand why they ask for most of the things in there. My personal thoughts on the matter aside, modern audits spend a lot more time on other malware than viruses.
Seriously, that’s a legit plan. If you use GuardDuty, you can have it trigger EBS volume scans to look for malware if it sees strange behavior. I spun up an EC2 instance and ran an nmap port scan on another server and a bitcoin daemon. It caught both of those, triggered scans, and reported its findings.
I’m heading down that road instead of running a traditional on-OS process.
The agents take more resources than the services on some of my machines, which is lunacy if you ask me, but we have to check those audit boxes and the security team isn’t very capable…err…creative.
I was a platform engineer before I was officially a security engineer. I’m very protective of our happy little servers and try to find ways to avoid installing awfulness on them.
2 weeks ago a new junior developer joined our company.
He was really pissed that our company does not give out admin access to developers. He raised this problem in a big company-wide meeting, called our IT team ridiculous and said developers know how to handle computers.
A week later the IT team did a company-wide phishing test. The same new junior failed this test.
Yes, even if rules are ridiculous. These rules help.
I can see how it's annoying to have to submit some kind of IT request every time you, as a developer, need sudo to install something. It may "help" but there is a non-negligible cost to the company to process all those requests. The risk/reward in productivity vs falling for an actual, successful phishing attempt is probably a no-brainer for most companies.
> He was really pissed that our company does not give out admin access to developers
I’d be annoyed too (I often work on Windows and services); fortunately it is possible to grant people local admin access scope to their own machines and treat their OS install as fungible cattle (e.g. Boot-from-VHD derived from a common image with preinstalled software, so if anything goes wrong they can be back-to-normal in under 60 seconds; and give people (non-admin) access to VDI for reliable access to Office/Email/SharePoint, especially if devs use Linux as a daily-driver but the rest of your org runs Windows).
At the very least, people can just install a VM with admin rights in there - and what’s the difference between that and a physical machine?
Actually there is a special admin account, but you have to enter credentials manually after you click "use admin access" or whatever it is called in Windows.
He wanted 100% admin account all the time.
If you complain in a 100-people meeting that it is annoying to install Spotify and you fail the most obvious phishing test, then I would not give him that local admin access.
Was it a serious phishing test trying to trick people into using a fake auth portal? Or just don't click on this link test?
Because those second ones, where an email tricks you into clicking a link, are bad because they do two things. Firstly, they propagate the idea that you can click a link and the world ends, which rarely happens these days. Your corporate IT dept should have some network-level controls on malware attachments and embedded scripts in HTML emails. And secondly, it breeds distrust from anyone with critical thinking in the motivations of the IT department.
Yeah but only because you shouldn't call it dumb in a company wide meeting just after you join. It is dumb, and thankfully I've never worked anywhere that denied admin access to engineers.
OK before you black and white nerds lose your minds, in some settings, like a startup, engineers are admins... but in general:
Engineers should definitely not have "admin" access. They should have least privs for the systems and services they need access to...
Don't be this either. It will end badly when you, in a stressed late night stupor, blow up your "admin" access... be smart - you honestly want least privs for your own protection!
We're talking about admin access to your own machine. Local admin. Not root access to servers.
I can't say I have ever "blown up my admin access", whatever that means. Especially not late at night because I am in bed. And even if I did, so what? I have backups. Just means I lose half a day restoring my laptop.
The problem is that most people cannot tell the difference between a scam and a legitimate app.
For example, my father wanted to watch some YouTube videos offline. He naively Googled "YouTube video download." The result was obvious: most of the links were scams. When you work on dev every day, your first option will be to search for open-source or a well-trusted source and distrust a scammy-looking website that promises you many things.
After that experience, I started to see the value of Apple's App Store.
Sadly, the chain of trust provided by the App Store is ruled by one company.
I wonder why the industry couldn't agree on a single standard or method to do different chain of trust checks. For example, if all email clients adopt a sender identity check (like GPG), then spam and phishing will be extremely easy to eliminate.
Suppose applications have a sort of group approval. In that case, the OS can warn you before trying to install or run a scammy app. (something like Apple's notarization + user vote, but without the control of a single entity).
Is that a bad idea? What will be the flaws?
You just need the built-in Defender if you don't tread uncharted waters. On the other hand, even if you just stick to OS app stores and popular GitHub repos, you can still get infected without an antivirus. There is malware in the Windows Store.
Depends what you mean by "tread uncharted waters". In my experience just browsing the web in Chrome is totally fine even on torrent sites (at least mainstream ones).
Chrome vulnerabilities at this point are far too valuable to use indiscriminately. They'll be sold on the grey market to be used against journalists in the middle east or whatever.
Even downloading films from BitTorrent and playing them in VLC seems to be safe too, even though I would have thought that was an obvious attack vector. Maybe the social aspect of BitTorrent helps a bit there.
I think the most likely ways to get infected these days are by falling for fake download sites, and maybe cracked games, though I don't play those so I'm not sure.
I installed Malwarebytes (somewhat recommended by this article) to do a one time scan on my Mac. It required me to install a service that would run always as a superuser, and would not uninstall completely.
I wrote to them, and got no response.
Why is that needed for an on-demand scanner? Why should I trust Malwarebytes?
By “effectively removed” do you mean literally and completely removed? I work in consulting and “effectively” gets used as a weasel word for “not really but you’ll never know the difference”.
I recall looking into the details and feeling satisfied that the launch agent / daemon / helper was completely removed. But I did not perform a systematic examination of all file system state associated with the install.
My point was to advise readers that there is an Uninstall option; just dragging the app to the trash is not enough.
If OP has comments about specific droppings being left around, maybe in /private/var or wherever, I would like to learn about it.
For those unfamiliar with the recesses of macOS, there's a venerable tool called Etrecheck that is helpful for sussing out Mac config affecting security and performance.
Even past the pedantic point that Windows Defender is antivirus software, the link justifying not using an alternative rates it as 54th out of 74
So the same experts the author relies on to defend the Defender have a much higher opinion of the alternatives
(and Defender is very slow, why do you not care about the "average user" using average hardware enough to suggest he avoids the pains of slow computers)
And the recommendations in the end without real-time protection are just ridiculous, so with all that I'd not rely on the author's opinion re anything security
Microsoft make a no-install malware scanner (The Microsoft Safety Scanner) [0]. It's very slow if you do a full HD scan, and will often report finding an issue with a file while scanning that isn't actually an issue if you let the scan complete.
Depends on mood. With Windows now the stock antivirus engine is enough! On Linux never required. If you are not surfing porn and visiting a few old sites and just keep an eye out, also not required!
Perhaps a better question to ask: why, in 2024, is it still possible that running a random app infects an operating system?
Don't we have CPUs with a whole set of hardware features to limit what <insert executable here> can or can't do? Don't we have OSes with fine-grained permissions, VMs, capabilities, etc, etc? Weren't these things figured out like, in the late '70s?
> Don't we have OSes with fine grained permissions
No, we really don't. We have OSes with the tools to give us fine-grained permissions, but at the end of the day on a desktop OS, any program you run can do any damn thing to any other damn thing owned by the same user. Look to phones for security boundaries that make sense in a post-1970s world, but not any shipping desktop OS.
Because security isn't perfect and attackers need only one mistake. There were some early computers built with security in mind, yet their cost and performance were impractical for most uses.
There is also the problem of everyone having different needs, so permission profiles must vary widely. OS builders cannot assume anything about the limits of their use.
Finally users can be the weak link. They may not understand the risks of what the screen is asking them when prompted.
But seriously, when I had my work laptop and therefore didn't have adblock enabled, I was very surprised at what kind of sites had very... let's say questionable ads. There are a lot of tech sites like Baeldung that have very shady-looking ads.
In the final report on the Irish health services ransomware incident, AV did pick up early signs of the attack but they were not further acted upon - there is value to enterprise AV, provided you back it up with enterprise incident response...
For home use, sure, just use defender and be careful, like the article says and you'll mostly be fine.
I appreciate a website devoted to documenting the privacy nightmare and helping people with settings, but this is just bad advice. I work in the incident response field; yes, you need A/V.
Hopefully things have improved, but back in 2014 Joxean Koret held a quite interesting presentation[1][2] on how a large number of AV engines had serious flaws, including privilege escalations and remote exploits.
I consider uBlock Origin to be my primary "antivirus" software, though having had some infections back in the DOS days and some scares later, it feels wrong running without anything else.
Oh, not all AV is created equal and even with the good ones, sure, they're fallible. But there are still many, many incidents where people get exploited by basic malware that most AV would stop. I would not actively recommend _against_ AV.