Off-topic: disappointed by the antivirus industry

One of my kids managed to get infected with a particularly sneaky Facebook Trojan: a link from a friend (probably also infected) pointed to a web page with a video that required installation of a newer version of the Flash player … which was actually the first part of the Trojan. It quickly downloaded a few more components and made itself cozy deep within Windows XP.

Before you start telling me that kids would click anything … we had “a few” not so very pleasant discussions after previous infections, and they know not to open anything or click on something that looks strange. Unfortunately, the update-happy industry has conditioned them to constant prompts to upgrade one component or another, and the request to upgrade the Flash player obviously looked too legitimate.

Of course the workstations have anti-virus software, which had served me very well in the past. It identified the malware and claimed it had been quarantined. WRONG. Repeated scans with the same software always found the malware and claimed it had been cleaned. WRONG. The on-line scanner from the same vendor identified a different piece of malware and “removed” it. WRONG.

The worst part of the experience was the total lack of the in-depth information I had become used to in the past (for example, the names of the infected files), as well as the claim that this was “low threat” malware (which is why I was not alerted when the infection happened … if the anti-virus software tells you you’ve got a low-threat infection and it has been cleaned, you don’t start panicking).

The only anti-virus package that really helped me came from an unbelievable source: Microsoft. Its monthly anti-malware program correctly identified four different Trojan components and pointed me to Microsoft’s on-line anti-virus solution, which contained all the information I needed, including the list of infected files that it could not remove. A safe-mode reboot, manual cleanup and a few more scans solved the problem.

After this experience, I’m left wondering. In the past, people claimed you should use anti-virus software from an independent source, and now it looks like those sources are worse than Microsoft. Should I really give up and go for a one-vendor solution? Or should I reformat all the workstations in the house and move to Fedora :). What are your experiences?

12 comments:

  1. Yes, go one-vendor:

    Apple!

  2. Anti-virus is a joke these days. I feel your pain. I wouldn't recommend going all MS because they are responsible for many of the loopholes that allow malware in. However, most AV is very ineffective. I think an approach more along the lines of Cisco CSA is going to have to be adopted by AV vendors. As far as AV goes, it seems that a lot of people are recommending NOD32 from ESET.

  3. My advice is to surf the world wild web in a browser which runs in a Linux virtual machine (for paranoiacs: from a read-only LiveCD ISO). This approach is very effective and requires minimum migration effort because all the existing MS-PC infrastructure remains untouched; only a program like VirtualBox is added. On modern computers you usually won't feel serious performance degradation.

  4. The best thing you can do is run as a standard user. Then escalate your privileges only when you need to; this can be done in the same session without logging out. Microsoft has been recommending this for years, yet users continue to run as administrator. That's why Vista has UAC: it is a virtual buffer for an administrator user, and the UAC prompt is a confirmation that you would like to elevate your privileges. As a standard user you would not get any UAC prompts, only password login prompts to escalate your privileges. I have found that Microsoft Forefront with Windows Defender and, most importantly, users running as standard users and not administrators has helped eliminate 99.8% of our malware/virus support calls.

  5. I've found Comodo BOClean to be quite good... although nothing is perfect of course..

    http://www.comodo.com/boclean/boclean.html

  6. Sure, migrate to Ubuntu, Fedora, or whatever you enjoy working with if you don't have to run software built only for Microsoft platforms.

  7. The experience of your kids was the same as that of a highly qualified IT professional I know.
    What has saved my bacon, because I also have click-happy kids, is OpenDNS. Better than any AV product. Would vote it five pineapples.....

  8. @everyone: Thank you for your comments. It's nice to see I am not the only one disappointed by AV vendors and you gave me a few very interesting hints.

    @justin: This is exactly what I would enforce in the enterprise network. However, I decided to retreat from the constant complaints from the kids (maybe it was not a good idea :).

    @Red pineapple: I was using OpenDNS on my Fedora Linux (I had problems with IOS resolving AAAA records), but it was not very reliable (at least from my location), so I was forced to go back to the ISP's DNS. And BTW, I almost fell for a very similar trick myself (only my inherent laziness prevented me from installing "Adobe Flash Player Version 9" :).

  9. OpenDNS: We have two big ISPs in this neck of the Kalahari, Verizon and IS.
    With Verizon it is great but with IS it sucks! :-(

  10. Ubuntu/Fedora, any desktop Linux, would be way better.

    You also get middle-click paste, I have no idea how anyone stands working on routers without it!

  11. I am using Kaspersky and it is working like nothing else. I think you should try it once.

  12. I agree with what PacketU said above. I have had great success with NOD32 from ESET. I also believe that the answer lies with something similar to Cisco's CSA for the home user. I am surprised that no vendor has stepped up to offer a solution like this.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.