Delete your antivirus software... says ex-Firefox developer

It gets good blocking results on AV-Comparatives. It also has a high false positive rate.

https://chart.av-comparatives.org/chart1.php#

Yeah, but any time you see an AV jump up in the real-world protection tests without jumping in the file detection tests, you know they are pulling some SONAR-like methods; then the false positives come flying in. And that's AV-Comparatives' false positives, which only use popular programs to begin with, so you know it's far worse.
 
How many new computers do you see without a paid AV? As far as I know they still come with packaged deals. Also, general malware is not really something AV companies focus on, but in terms of best antivirus it's never going to be Windows Defender... certainly won't be McAfee either, though =P

I see lots of them... In my neck of the woods, lots have never even been set up, and lots have expired. But they're still there, keeping Defender turned off.

Since "general malware" is what most of my customers come in with, why would I recommend an AV that does nothing, or nearly so, to prevent infection?

If the customer has a working, legitimate AV, I leave it in place. If not, I set up Defender. The best AV is the one between the customer's ears.

Rick
 
I see lots of them... In my neck of the woods, lots have never even been set up, and lots have expired. But they're still there, keeping Defender turned off.

Since "general malware" is what most of my customers come in with, why would I recommend an AV that does nothing, or nearly so, to prevent infection?

If the customer has a working, legitimate AV, I leave it in place. If not, I set up Defender. The best AV is the one between the customer's ears.

Rick

Recently? Not a whole lot aside from ransomware, so I suppose for ransomware =P. I dunno how well Malwarebytes 3.0 has that covered, though, so maybe just Defender and Malwarebytes would be more than fine. The subject will have to be revisited if they ever start making decent rootkits, but they seem pretty content with ransomware for now.
 
We are facing a new shift in security where, although viruses are still an active threat, they are not the ones causing the most issues. It's malware and other styles of exploit (social engineering exploits) that really are coming to light.

I've seen customers with fully patched systems running AV that is supposed to detect malware but fails to do anything about it. Had a customer recently with Webroot, and he was full of SearchProtect, Conduit, etc.

I've talked till I was blue in the face with my boss and fellow tech, who raves about Webroot, but I have said that "jack of all trades, master of none" is what we have in AV today. For viruses, perfect. For malware, I've found only the Premium subscription of Malwarebytes has consistently protected a machine. It intercepts downloads and web pages loading.

I always tell my clients that an antivirus is just that: anti-virus. All the rest is icing on the cake with no real value.

I dunno. Sometimes it seems a waste of time and money trying to educate folks. Just keep making money off removals. If they can't get smart, maybe they never will. :/
 
Maybe it's because Mozilla never could fix the SSL errors with some anti-virus programs?
Surely fault lies with the AV vendor? Firefox brings its own certificate store, but other browsers use the Windows certificates. If the AV vendor only installs its man-in-the-middle certificate in Windows, how is Firefox supposed to know it's there?
 
Recently? Not a whole lot aside from ransomware, so I suppose for ransomware =P. I dunno how well Malwarebytes 3.0 has that covered, though, so maybe just Defender and Malwarebytes would be more than fine. The subject will have to be revisited if they ever start making decent rootkits, but they seem pretty content with ransomware for now.

When rootkits were "popular", how many did you remove from systems with perfectly functioning AV? For me, a whole lot of them. If an AV can't even do that with consistency, why would I recommend such a program?

I've got machines in shop now that are riddled with stuff. Yet, if I run a full scan with whatever AV they have installed, it will come up with nothing, other than cookies, which it counts as a success. Please.

I know all the reasons "why." I've made those excuses to my customers. I'm tired of it. I've been doing this as a business since 1995, when viruses were spread by "sneaker net" on 5.25" floppies. Are you seriously telling me that in 22 years, no one could come up with better protection than what we currently have? So, Defender it is, and kudos to Microsoft for at least trying.

Rick
 
When rootkits were "popular", how many did you remove from systems with perfectly functioning AV? For me, a whole lot of them. If an AV can't even do that with consistency, why would I recommend such a program?

I've got machines in shop now that are riddled with stuff. Yet, if I run a full scan with whatever AV they have installed, it will come up with nothing, other than cookies, which it counts as a success. Please.

I know all the reasons "why." I've made those excuses to my customers. I'm tired of it. I've been doing this as a business since 1995, when viruses were spread by "sneaker net" on 5.25" floppies. Are you seriously telling me that in 22 years, no one could come up with better protection than what we currently have? So, Defender it is, and kudos to Microsoft for at least trying.

Rick

Take ZeroAccess, as that's probably the biggest and best example. How many Bitdefender/Kaspersky-protected devices did you remove the infection from? Not too many, I'd imagine, but even on the ones that did get compromised, the actual downloaded additions were almost always stopped. You know what didn't stop any? Windows Defender. In fact, ZeroAccess crushed Windows Defender and Microsoft Security Essentials in such a way that it used it to disable downloads on the machine. What was the method again? They symlinked one of the folders.

Edit: As for Microsoft trying, we saw what Microsoft trying looked like when TDSS was causing systems to bluescreen after a Windows update, and they were on it for a while like white on rice. I haven't seen them try like that in a while.
 
Surely fault lies with the AV vendor? Firefox brings its own certificate store, but other browsers use the Windows certificates. If the AV vendor only installs its man-in-the-middle certificate in Windows, how is Firefox supposed to know it's there?

Kaspersky doesn't install a man-in-the-middle certificate but makes it available as a fix for browsers that don't use Windows certificates. I believe you confirmed my argument rather than rebutting it. FF should do just like all other browsers rather than try to reinvent the wheel and cause problems security companies must repair to please their clients. Surely if an AV works with IE and Chrome it should work with Firefox. Of course we know that isn't always the case, and Firefox has done nothing to solve the problem for more than a year that I know it's existed.
 
Kaspersky doesn't install a man-in-the-middle certificate but makes it available as a fix for browsers that don't use Windows certificates. I believe you confirmed my argument rather than rebutting it. FF should do just like all other browsers rather than try to reinvent the wheel and cause problems security companies must repair to please their clients. Surely if an AV works with IE and Chrome it should work with Firefox. Of course we know that isn't always the case, and Firefox has done nothing to solve the problem for more than a year that I know it's existed.
Methinks you don't understand what man in the middle means. Kaspersky most certainly puts itself in as a go-between between your browser and the website in order to filter it. In order to do that for SSL connections, it has to make the connection for you using the correct SSL certificate for that website, and it makes an SSL connection to you using ITS certificate. That IMO defeats the whole purpose of SSL.
 
Methinks you don't understand what man in the middle means. Kaspersky most certainly puts itself in as a go-between between your browser and the website in order to filter it. In order to do that for SSL connections, it has to make the connection for you using the correct SSL certificate for that website, and it makes an SSL connection to you using ITS certificate. That IMO defeats the whole purpose of SSL.

I know what MiTM means. Kaspersky requires you to add sites to their Safe Money settings to grant Kaspersky permission to bypass that website's SSL and use their own. I've never seen a single user open those settings and/or find websites manually added by any users giving Kaspersky permission to bypass an SSL. So unless Kaspersky has changed something in the last 6 months I think you're mistaken about Kaspersky automatically bypassing or jumping in the SSL paths. I'll do some testing this week to check if anything has changed with the latest version of KIS and SSL certs.
 
Kaspersky requires you to ... grant Kaspersky permission to bypass that website's SSL and use their own.
And how do you think they do that? The only way to inspect what's going through a TLS connection is by becoming an intermediary between client and server – a man in the middle. Now, it's quite possible that Windows has a certificate chain that covers the Kaspersky cert. but Firefox doesn't. This is a Good Thing, imo. You know, convenience vs. security.
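The trust-store split this exchange turns on (a vendor root that sits in the Windows store but not in Firefox's own store, and the vendor's "fix" of importing it into Firefox) can be shown end to end without any product installed. The following is an added Go example and is not code from the thread or from any AV vendor: it generates a hypothetical local inspection root, signs a leaf for example.com under it the way an inspecting proxy does per site, then validates that leaf against an empty pool standing in for a browser-private store and against a pool that holds the root standing in for the OS store after the installer ran. Root name, hostname and store contents are all assumptions for illustration; the real Firefox store contains public CAs, but what matters here is that it lacks the vendor root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// root is a self-signed CA plus its key: the kind of certificate an inspecting
// AV drops into the OS store (hypothetical name, generated at run time).
type root struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newRoot(cn string) (*root, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &root{cert: cert, key: key}, nil
}

// mintLeaf is the per-site step of interception: the proxy signs a fresh cert
// naming host under its own root, so the browser sees the right subject but a
// local issuer.
func (r *root) mintLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, r.cert, &key.PublicKey, r.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs is the chain validation a browser runs at handshake time, against
// whichever trust store that browser consults (the OS store or its own).
func verifyAs(store *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err
}

// unknownAuthority is the "issuer not in my store" failure, what Firefox
// surfaces as SEC_ERROR_UNKNOWN_ISSUER when only the OS store has the root.
func unknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// interceptedBy is the check to run on a live connection's leaf: if the local
// root signed it, a proxy on this machine, not the site, terminated TLS.
func interceptedBy(leaf *x509.Certificate, r *root) bool {
	return leaf.CheckSignatureFrom(r.cert) == nil
}

func main() {
	avRoot, err := newRoot("Example AV Inspection Root") // hypothetical vendor root
	if err != nil {
		panic(err)
	}
	leaf, err := avRoot.mintLeaf("example.com")
	if err != nil {
		panic(err)
	}
	own := x509.NewCertPool() // browser-private store: the AV root is not in it
	osStore := x509.NewCertPool()
	osStore.AddCert(avRoot.cert) // OS store after the AV installer ran
	fmt.Println("own store rejects:", unknownAuthority(verifyAs(own, leaf, "example.com")))
	fmt.Println("OS store accepts:", verifyAs(osStore, leaf, "example.com") == nil)
	fmt.Println("intercepted:", interceptedBy(leaf, avRoot))
}
```

Importing the vendor root into the private store is exactly `own.AddCert(avRoot.cert)`, after which the same leaf validates there too; that is the whole of the "fix" the vendor ships for Firefox. The same check also shows why hostname validation alone is no defence once the root is trusted: any name the proxy puts in DNSNames will pass.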
 
Take ZeroAccess, as that's probably the biggest and best example. How many Bitdefender/Kaspersky-protected devices did you remove the infection from? Not too many, I'd imagine, but even on the ones that did get compromised, the actual downloaded additions were almost always stopped. You know what didn't stop any? Windows Defender. In fact, ZeroAccess crushed Windows Defender and Microsoft Security Essentials in such a way that it used it to disable downloads on the machine. What was the method again? They symlinked one of the folders.

Edit: As for Microsoft trying, we saw what Microsoft trying looked like when TDSS was causing systems to bluescreen after a Windows update, and they were on it for a while like white on rice. I haven't seen them try like that in a while.

I doubt that very many of my customers have heard of Bitdefender/Kaspersky, although that last is now being sold by Best Buy, so I'm seeing it a bit more.

And, to be honest, the fact that they "sort of" did a decent job of stopping a rootkit, but you still need additional software for other protection, pretty much makes my point.

Why hasn't Malwarebytes, or Norton made a decent, comprehensive product that actually works? Instead, we get shitty firewalls that do nothing but break the internet whenever they feel like it, "Web" protection that pops up a warning SOME of the time, and annoys the user ALL of the time, and so on.

Screw them all. I won't recommend a one of them. If someone makes an actual working product that provides reasonable protection against most threats, I'll be happy to demo it. If it works, I'll sing its praises to the treetops. Until then, screw 'em. Can you imagine buying a car and finding out that you needed to buy extra parts from outside manufacturers just to have that car perform its transportation function safely? Somehow, I don't think that would go over well.

Rick
 
I did some testing with KIS 2017 this evening and they did change the behavior of scanning SSL from something you manually had to add to now it's enabled by default. Which does enable MiTM for scanning traffic in SSL connections by default. I understand their reasoning and believe it's valid. If you don't understand their reasoning or believe it's invalid, it's just 3 mouse clicks to disable it and rely on the original SSL connection without https traffic scanning. There are more than a couple reasons why you should consider leaving the MiTM enabled.

1. Nefarious MiTMs on SSL connections have existed for more than a decade. MD5 was compromised back in 2004, yet has been used by millions of websites and recognized by browsers until rather recently as SSL secured.

2. Because a connection is secure doesn't guarantee the content through that connection isn't dangerous. Plenty of malware is distributed through SSL connections circumventing AV software that doesn't scan SSL traffic.

3. With Google's recent algo change promoting websites with SSL, even free porn sites today are all switching to SSL connections. You really believe your A/V shouldn't be scanning traffic from free porn sites? Because it's coming down a SSL pipe, it has to be good???

4. SHA-1 and SHA-2 were developed and are products of the NSA. They have the ability to reproduce all levels of security certificates to intercept and/or inject any SSL network traffic without notice or warning to the source or data recipient. That's cool if you trust the NSA to behave responsibly.

So if your idea of security is to put trust in SSL, there's probably no sense in subscribing to or recommending AV products, because in the very near future practically every website will be running SSL to keep their Google ranking. Personally I don't know how anyone can believe an SSL connection doesn't need the traffic scanned just like an unsecured connection. My frustration with FF was it not using Windows certs and causing extra steps and frustration for many AV sellers (not just Kaspersky sellers) to make the browser work with AV software that believes SSL traffic is just as important to scan as non-SSL traffic. Firefox didn't need to run all of us through these extra hoops.
 
And, to be honest, the fact that they "sort of" did a decent job of stopping a rootkit, but you still need additional software for other protection, pretty much makes my point.

Why hasn't Malwarebytes, or Norton made a decent, comprehensive product that actually works? Instead, we get shitty firewalls that do nothing but break the internet whenever they feel like it, "Web" protection that pops up a warning SOME of the time, and annoys the user ALL of the time, and so on.

It's their job as the developer of the rootkit to prevent detection, and they were very, very good at it. They have the advantage in that they can keep testing and testing until they make one that isn't detected, and then they release it, and then the AV companies have to update their definitions.

I agree on the firewall bit; back in the day there were some benefits, but these days honestly it's just more annoying than it's worth.
 
I did some testing with KIS 2017 this evening and they did change the behavior of scanning SSL from something you manually had to add to now it's enabled by default. Which does enable MiTM for scanning traffic in SSL connections by default. I understand their reasoning and believe it's valid. If you don't understand their reasoning or believe it's invalid, it's just 3 mouse clicks to disable it and rely on the original SSL connection without https traffic scanning. There are more than a couple reasons why you should consider leaving the MiTM enabled.

1. Nefarious MiTMs on SSL connections have existed for more than a decade. MD5 was compromised back in 2004, yet has been used by millions of websites and recognized by browsers until rather recently as SSL secured.

2. Because a connection is secure doesn't guarantee the content through that connection isn't dangerous. Plenty of malware is distributed through SSL connections circumventing AV software that doesn't scan SSL traffic.

3. With Google's recent algo change promoting websites with SSL, even free porn sites today are all switching to SSL connections. You really believe your A/V shouldn't be scanning traffic from free porn sites? Because it's coming down a SSL pipe, it has to be good???

4. SHA-1 and SHA-2 were developed and are products of the NSA. They have the ability to reproduce all levels of security certificates to intercept and/or inject any SSL network traffic without notice or warning to the source or data recipient. That's cool if you trust the NSA to behave responsibly.

So if your idea of security is to put trust in SSL, there's probably no sense in subscribing to or recommending AV products, because in the very near future practically every website will be running SSL to keep their Google ranking. Personally I don't know how anyone can believe an SSL connection doesn't need the traffic scanned just like an unsecured connection. My frustration with FF was it not using Windows certs and causing extra steps and frustration for many AV sellers (not just Kaspersky sellers) to make the browser work with AV software that believes SSL traffic is just as important to scan as non-SSL traffic. Firefox didn't need to run all of us through these extra hoops.

I believe you are putting too much value in traffic scanning. Once the data is on the machine, the AV should kick in and handle it. The more I think about it, I'm not really sure I understand the point of SSL scanning aside from content filtering. (Edit: I mean aside from something like a network security device.)
 
I believe you are putting too much value in traffic scanning. Once the data is on the machine, the AV should kick in and handle it. The more I think about it, I'm not really sure I understand the point of SSL scanning aside from content filtering. (Edit: I mean aside from something like a network security device.)
I agree. The data has to be decrypted in order to be displayed on the screen. At that point, after it exits the SSL tunnel, you can scan the content for bad stuff. There is NO need to hijack the tunnel.
 