Alternatives to anti-virus for keeping oneself safe

Antivirus is more dangerous in that it parses complex attacker-controlled data in a highly privileged context. This is a recipe for privilege escalation exploits. As a result, sophisticated attackers can often abuse antivirus programs to gain SYSTEM privileges. This is not a rare occurrence or one that is only a problem for enemies of a powerful government. AV software is riddled with privilege escalation vulnerabilities. A quick look at the severity of the vulnerabilities in the CVE list for any popular piece of software will give at least a little insight into the scope of the problem.

Consider your threat model

It is necessary to understand your own threat model. One person's situation might dictate that AV is harmful, while another person's situation might dictate that it is beneficial. Being able to understand the risks that apply to you, and the adversaries which you have is vital to being able to make any security-related decisions, especially ones such as this which are not necessarily black and white.

AV may be beneficial in situations where:

  • The computer is used by someone who can be easily fooled into installing malware.

  • The computer will be handling user-submitted data which may be redistributed to others.

  • You download a lot of untrustworthy programs, such as warez.

AV may be harmful in situations where:

  • Your adversary is at least moderately sophisticated or is targeting you in particular.

  • You are the sole user of your computer and do not download unsigned programs.

  • You keep your software up to date and are not expecting people to burn 0days on you.

Your threat model is what determines whether or not you should use AV software. My personal suggestion, assuming you are not going to download random dolphin screensavers and you keep your software up to date, is that you may want to use a simple, default program such as Windows Defender, and only use it when you explicitly need to. Each time you ask it to scan the hard drive, you are putting all your faith into it to not be compromised by any specially-crafted malware it may stumble upon. If instead you use it when targeting specific programs that you download before you execute them, you reduce the risks considerably.

Enforce code signing

It would be preferable if you did not need to download untrusted software and instead use trusted, signed executables from official sources only. This is especially important for files that wish to be run as Administrator, as those have the most potential for doing damage to your installation. Make sure they are signed! Never assume that your own will power is sufficient to prevent you from making mistakes when running a new program. This is what trojan developers rely on!

In order to further reduce the chance of accidentally running an unsigned or untrustworthy executable, you can configure your security policy such that unsigned executables cannot be run. This will ensure that any malware will need to have a valid signature, signed by a trusted CA. While it is obviously possible to get a malicious file signed, it is far more difficult, and will tend to be more of an issue if you are a specific target and not just an opportunistic victim.

If you further restrict the policy such that only executables signed by Microsoft themselves (and not just a CA which Microsoft trusts) can run, you can effectively eliminate any possibility of infection from a trojan. The only way to get a program to execute in that case would be to exploit a 0day in the operating system, or compromise Microsoft's internal signing keys (those are both in the realm of capabilities for advanced state-sponsored actors). This can help prevent the rare (but not non-existent) cases where malicious code slips into the repositories of a trusted developer.

System hardening

On systems before Windows 10, you can use the Enhanced Mitigation Experience Toolkit (EMET) to enhance the system's security without increasing attack surface area significantly, though note that EMET will not be receiving updates for much longer. EMET works by injecting processes with code that hardens them against exploitation, increasing the chances that an exploit attempt will cause the targeted application to crash rather than be successfully exploited. If you are on Windows 10, most of these security features will be natively present. This makes it the most secure Windows release yet, despite the potentially problematic privacy issues it may have.

You can also disable unnecessary services (especially networking services, such as those exploited by EternalBlue), use AppLocker, and read the security guides provided by Microsoft to allow yourself to further improve the security of your system. The topic of system hardening is vast.
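An added example to go with the code-signing and AppLocker advice in this answer (it is not the answer's own code): a PowerShell script that first checks a download's Authenticode signature before you run it, then writes an AppLocker policy implementing the stricter "Microsoft-signed only" variant and installs it in audit mode so you can see what it would block before enforcing it. The cmdlets are the built-in Authenticode and AppLocker ones; the policy file location, rule names and the sample installer path handed to the dry run are assumptions.

```powershell
# Added example, not code from the answer above. Assumes an elevated PowerShell
# session on a Windows edition where AppLocker is enforced (Enterprise, Education
# or Server) and that the Application Identity service (AppIDSvc) is running.
#Requires -RunAsAdministrator

# --- 1. Check a download's Authenticode signature before you run it ----------
# Only Status 'Valid' means the file is unmodified and the signer chains to a
# trusted root; 'NotSigned', 'HashMismatch' and 'NotTrusted' all mean "don't".
function Test-TrustedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedPublisher = ''   # optional substring of the signer's subject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is '$($sig.Status)'"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($ExpectedPublisher -and $subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "$Path : signed by '$subject', not '$ExpectedPublisher'"
        return $false
    }
    return $true
}

# --- 2. AppLocker policy: only Microsoft-signed executables may run -----------
# AppLocker denies any EXE that no rule allows, so a single publisher rule is
# enough to block unsigned and third-party-signed binaries. A second rule keeps
# local administrators unrestricted so a mistake cannot lock you out.
# EnforcementMode starts as AuditOnly: nothing is blocked yet, but every file
# that *would* be blocked is logged (event ID 8003 in the
# Microsoft-Windows-AppLocker/EXE and DLL log). Catalog-signed OS files carry
# no embedded signature, so expect some of them to appear in that log and need
# their own rules before you switch the mode to 'Enabled'.
$policyPath = Join-Path $env:TEMP 'applocker-ms-only.xml'   # assumed location
$adminsSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
$everyone   = 'S-1-1-0'        # Everyone

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow executables signed by Microsoft"
        Description="Publisher rule: any product, any binary, any version"
        UserOrGroupSid="$everyone" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators may run anything"
        Description="Safety valve so the policy cannot lock you out"
        UserOrGroupSid="$adminsSid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: ask AppLocker what the policy would decide for a file, evaluated as
# a standard user, without installing the policy at all.
function Test-WouldRun {
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "missing      $Path" }
    $r = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $Path -User $everyone
    '{0,-12} {1}  ({2})' -f $r.PolicyDecision, $r.FilePath, $r.MatchingRule
}

Test-WouldRun "$env:SystemRoot\System32\notepad.exe"
Test-WouldRun "$env:USERPROFILE\Downloads\some-installer.exe"   # hypothetical download

# Install in audit mode (this replaces the current local AppLocker policy).
Set-AppLockerPolicy -XmlPolicy $policyPath
```

The order matters: run the dry-run and audit phase first, then edit `EnforcementMode` to `Enabled` and re-run `Set-AppLockerPolicy` only after the audit log has stayed quiet for the software you actually use. Publisher rules match the normalized subject of the embedded signing certificate, which is why the Microsoft rule above uses the upper-case `O=MICROSOFT CORPORATION, ...` form rather than the display name of the signer.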

This is more opinion than fact, but the answer is a definite "Maybe!"

Let's narrow our scope to Windows for a moment, since it's the biggest Anti-Virus market around.

Windows Defender (the default Microsoft AV) is pretty good; Windows Defender does protect against most (but not all!) threats. But here's the thing—no AV protects against all threats. You still have to fall back on common sense and some other protections.

  • Last year we saw Kaspersky's File Upload feature being abused by Russian government hackers, and while that's a threat actor few people would be victims of, it's still happening.

  • This year, we saw some AVs actually messing up Windows updates that patched for Meltdown and Spectre.

This kinda nonsense 'probably' won't come from Windows Defender, since they can test their OS with their AV and ensure everything works (hopefully!).

Using Windows Defender isn't an end-all solution though, you should still:

  1. BACKUP, BACKUP, and did I forget to tell you to BACK UP! Ransomware is still pretty common, and having a good backup strategy is the only true way to avoid being a victim. Back up to an offsite location, and one with versioning—I use Dropbox! Do this properly so that the ransomware doesn't encrypt your backups as well.

  2. Ensure your software is up to date, and don't install too much garbage. The more apps on your machine the more likely one of them will muck up. Refresh Windows the instant you get your laptop, remove all the bloatware, and ensure everything you download is on auto-update—also not downloading software from dodgy vendors is a good start.

  3. Use NoScript/Ad Blocker for your browser; crypto-miners that operate in JavaScript don't make as much money as you'd expect, but they're still around.

  4. EMET would be good, and so too Windows Defender.

  5. Did I mention backup!

  6. Use a non-administrator user as your default—create a separate non-Admin user, and use that for daily use.

To be absolutely safe though—disconnect your computer from the internet, and hide in a cave! :)

As someone that works against AVs often, I can say that they all kind of suck. A lot of things depend on the level of security vs comfort that you can live without.

Knowledge is power

The first tool I would recommend is education. Knowing what sites you go to is a big helper. Avoid untrusted sites. This includes streaming sites and torrenting. OS patching is a must; keep up to date on the latest threats, and disable Flash. The problem I had with forcing organizations to use NoScript and such was that users would eventually just click "enable all".

Use a save-state VM

As an alternative, I like having a VM handy to test files in. You can keep a large part of your OS in a VM. I worked on a network where we all worked in VMs, and when they acted up, click restore and done.

Deep Freeze

I used Deep Freeze at our university many years ago and it was excellent. You can just set it and your OS will revert back to its original state every time. I launched the Petya worm and let it encrypt the disk and restarted the machine, and nothing. Excellent tool!

Separate networks

At home I keep separate networks for "guests". They can bring in their stuff and I don't have to worry about it getting to my part of the network.

Have a more secure OS

I really don't like using Windows because I feel it executes everything at the drop of a hat. This obviously isn't perfect by any means, because OS X and Linux are hacked all the time, but I feel that having something that you can control is nice. You can disable macros and still get code execution from some of the exploits out there.

I will add more as they come to mind.

Ultimately, nothing is perfect, but these things can help.