Experts Only: Time to Ditch the Antivirus?
It's definitely not the right move for the average computer user, but some security experts claim they have found better security by disabling the AV and relying on other controls and behaviors.
I have not used AV software for years because it is reactive and always behind. I have used a whitelisting product to protect my systems for the past five years. It is proactive and I've had zero infections since I switched over.
To test the effectiveness of whitelisting, I've placed a Windows NT4 server directly on the Internet with a secure policy. The whitelisting software stops all of the malicious payloads that appear on the system from buffer overflows. When I test the payloads against the leading AV solutions, many times they fail to recognize the payload.
Disclaimer: I am the founder and CTO of CoreTrace Corp, a whitelisting vendor.
It's nice to see an article highlighting how security practitioners are protecting their systems without AV. But, what about the "non-security" users? Should they be forced to continue using AV if it's not effective?
I'd propose that it's time for advanced endpoint security protection to get out to the general users as well.
(my take here: http://www.exultium.com/blog/2009/6/24/experts-dropping-av-now-what.html)
One person's claim that AV is not effective should not warrant you to remove your AV. The real facts are AV is effective, and I would challenge the writer to provide us factual evidence to show AV is ineffective. I believe the entire article is written as an opinion with no factual basis. It's a great mind bender, and promotes everyone to evaluate what type of AV they are using, but it would certainly not warrant anyone removing what they have. It seems to me the writer is thinking outside the box and wants everyone to evaluate what they have and how they are using it. The point is that if you are relying solely on AV to protect you from viruses, trojans and malware, you should look into additional controls, because it's definitely not enough.
Existing AV products are basically: detection, disinfection or deletion, and then recovery.
As malware or viruses can come up at any time, the detection may fail. For example, before June 22 of this year, a new malware attacked networks, leading to an emergency update by Microsoft (see http://www.threatexpert.com). This was new to AV detection.
For determination, there is a virus definition which is compared with a signature. But that signature may not be uniquely defined. Both false positives and false negatives can occur.
Hence, standard AV products may only give a false sense of security.
A new strategy should be used to protect machines from malware. The simplest way is deleting all according to an attack model or normal behavior model. However, the co-operative intrusion is still a problem. If a sandbox and AV are installed together, there would be a conflict between the two.
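As an added illustration of the blocklist-versus-allowlist point raised in the whitelisting comment above and in this comment's remarks on signature false positives and negatives (example code, not from any commenter or vendor), the toy Python below runs both kinds of check over constructed byte strings that stand in for files on disk:

```python
import hashlib

# Constructed stand-ins for executables on disk; none of these are real binaries.
KNOWN_GOOD = b"MZ\x90\x00 approved-editor v1.0"
TAMPERED_GOOD = b"MZ\x90\x00 approved-editor v1.0 + injected code"
KNOWN_BAD = b"MZ\x90\x00 dropper payload-A"
MUTATED_BAD = b"MZ\x90\x00 dropper payload-B"   # same malware, one byte changed
BENIGN_DOC = b"Incident notes: sample contained 'dropper payload-A'"
NEW_TOOL = b"MZ\x90\x00 brand-new-utility"       # legitimate, never seen before

# Signature blocklist: byte patterns extracted from previously analysed samples.
SIGNATURES = [b"dropper payload-A"]

# Allowlist: SHA-256 of every executable the administrator approved for this host.
ALLOWLIST = {hashlib.sha256(KNOWN_GOOD).hexdigest()}


def signature_scan(data: bytes) -> bool:
    """Signature-based AV logic: block only if a known pattern is present."""
    return any(sig in data for sig in SIGNATURES)


def allowlist_permits(data: bytes) -> bool:
    """Application whitelisting logic: run only if the exact hash was approved."""
    return hashlib.sha256(data).hexdigest() in ALLOWLIST


def compare(data: bytes) -> dict:
    """Return how each control would treat one file."""
    return {
        "signature_scan_blocks": signature_scan(data),
        "allowlist_blocks": not allowlist_permits(data),
    }


if __name__ == "__main__":
    samples = [("known good", KNOWN_GOOD), ("tampered good", TAMPERED_GOOD),
               ("known bad", KNOWN_BAD), ("mutated bad", MUTATED_BAD),
               ("benign doc quoting signature", BENIGN_DOC), ("new tool", NEW_TOOL)]
    for name, blob in samples:
        print(f"{name:30} {compare(blob)}")
```

The mutated sample and the tampered approved binary show the signature false negative, the document quoting a signature shows the false positive, and the never-seen legitimate tool shows the operational cost of whitelisting: it is blocked until someone approves its hash.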
The use of AV software has its place and in my opinion needs to remain on 95% of machines used daily. I say this because even those of us who consider ourselves "experts" at cyber crime and cyber security at times miss things. It is always nice to have that security tape to go back to and find what you missed so you can secure it.
but... AV software is exactly that: a reactive measure after the fact.
You want your computer secure, don't download stuff. Simple concept yet everyone does it. (I know systems can get hacked and blah blah blah but most intrusions are because someone opened the door)
In a time when everyone has a computer and it plays a role integral to your home/person, users do exactly what they would not do out of common sense. When's the last time you went to a store, looked at a fancy box and then decided I'll just inject the contents intravenously?
Or some guy shows up at your front door that you don't know and you say come on in and feel free to roam around?
We do that with downloads and then we need the AV to come in and bounce the intruder out or counteract the drug we stuck in our veins.
AV software is not dead but it is only a medicine/band-aid that, if used properly, will stop stuff from getting worse but is never going to stop users from making idiotic moves.
Look at some of the things the security expert chooses to live without rather than install and use AV:
-- RealPlayer (forget about listening/viewing many if not most video or audio files -- because the same objections lodged against RealPlayer fit Windows Media Player -- which many security mavens also hate)
-- Adobe Flash (forget about viewing things like weather radar loops or any kinds of webconferences)
-- Adobe Acrobat/Acrobat Reader (forget about reading most documents posted to the Web, especially legal documents)
Can you imagine a modern business office existing without any of these things? I can't.
I manage the AV for a network of 10,000+ desktops. I see over a hundred incidents of detected viruses a day that all come from accessing the World Wide Web. Sure, I could mandate that users disable JavaScript, Flash, and Adobe PDF. But then tomorrow I'd be sending out resumes looking for my next job because no one's web pages were working.
I've used free AV for a long time and it seemed to work great; however, I have recently discovered virtualization as a solution to PC protection. You simply don't let the viruses get to your real system. There is a very easy to use and free solution out there called Returnil - http://www.returnilvirtualsystem.com. I've used this program now for a year or so and have to say that it has saved my butt many times.
Bill,
A timely article. I am part of a research group, the Information Risk Executive Council, and we have just finished up a look at which controls (using that term in the ISO 2700X / NIST 800-53 sense) contribute most to good security outcomes.
Malware protections are one of the weakest, and--more pertinent to the discussion here--have severe diminishing returns beyond a moderate level of "maturity". In other words, you probably want a basic level of AV going, but you need other methods rather than worrying about the latest, "best", and most up-to-date AV in order to be secure.
Here's a bit more info:
http://irec.wordpress.com/2009/06/25/3-reasons-to-ask-whether-anti-virus-controls-are-worthwhile/
OK, this appears to be some type of trend trying to occur. And it is a bad one in my opinion.
Yes, AV is reactive, but until there are other compensating controls, you are nuts not to have something protecting you from what is known. This type of advice is the type that makes it to CEOs/CIOs where they think they can maintain their current security posture AND save money not having AV.
To me, this is like the whole DMZ without borders moment. Thank god that idea was flushed due to reality smacking us in the face.
Finally, be careful what you state about this...IDS/IPS/HIDS all utilize signature based logic. When you cast doubt on one in a class, all others must soon follow. Use your brain and not your wallet here.