116

I have read a lot of articles that talk about how using an AV is less safe than not having one for more intermediate PC users who are careful with what they click and download.

For example, here are a couple of articles:

I have also read that when an AV automatically scans an executable file you just downloaded, the hacker could potentially abuse a vulnerability in the AV scan and get it to execute without you ever running it. On top of that, you still have to put some trust in the AV which has kernel access to your PC and intercepts network traffic for you and possibly even gathers data about things you don't know.

So I was wondering what would be some better ways I could keep my PC safe without relying on some heavy, automatic AV software? I can think of a few things so far (but would doing these things actually be safer than having an AV?):

  • Using extensions like AdBlock and NoScript/ScriptSafe so malicious code can't secretly execute.
  • Monitoring the network traffic on your PC now and then to check for anything suspicious.
  • Using a tool like AutoRuns every week to check for suspicious start-up entries.
Anders
delacroix
  • EMET may be a good idea. – forest Mar 26 '18 at 01:52
  • @forest Thank you, apparently those features are already enabled by default on Win10. – delacroix Mar 26 '18 at 02:29
  • The majority of them are, yes. I believe some others can be enabled via registry settings. – forest Mar 26 '18 at 02:30
  • Do not use AdBlock if you want to be safe and don't want to be spied on. Use uBlock Origin instead. – RubbelDieKatz Mar 26 '18 at 09:14
  • @RubbelDieKatz Why is AdBlock bad? – Rekovni Mar 26 '18 at 10:50
  • @Rekovni It's not necessarily bad, however uBlock Origin is better. AdBlock Plus used to whitelist specific ads by default and is owned by an advertisement company afaik. I don't know much about the AdBlock extension. I've been using uBlock Origin with Poper Blocker for years now and rarely see advertisements. Also, uBlock Origin is more memory efficient than most other blockers. – RubbelDieKatz Mar 26 '18 at 11:13
  • Your second two points, "Monitoring the network traffic" and "Using a tool like AutoRuns every week", won't help you keep safe, as these will only raise suspicion once you have already been infected. These are also manual processes that take time, so they will tend to be "put off" or forgotten about entirely. – MrWhite Mar 26 '18 at 14:26
  • I've been going the "nothing" approach for the last 5 years without _noticing_ any compromise. Of course, absence of evidence is not evidence of absence. Running Windows 7 with everything but the bare minimum necessary to keep the computer running removed via NTLite. No unnecessary services, no programs that I don't trust 100% or of which I know the author. Browser scripts disabled, no such stuff as Shockwave installed. To all appearances (for what it's worth) this works "just fine", and the computer is approx. 30% faster overall than a computer with AV software. – Damon Mar 26 '18 at 19:45
  • @Damon 30% faster? What sort of benchmarks have you run to determine this value? – flith Mar 28 '18 at 08:22
  • @Rekovni also uBlock is open source :) – Sudip Bhandari Mar 28 '18 at 11:46
  • @Damon 30% faster? You're kidding me, right? That would mean that any AV, or in your argument also all the services running on the PC, would have to average out at a little over 23% resource usage at all times. Let's take a look at this Windows 7 machine I am on right now: CPU usage is hopping between 0% and 1%, close to 6GB (approx 75% of my RAM) is available for use, disk access is negligible. Where do you get your numbers? – Baldrickk Mar 29 '18 at 10:50
  • @Baldrickk: That is a false conclusion. AV does indeed suck up CPU all the time, but not more than maybe 3-4% or so worth of load. It does _however_ consume very, very significant time by scanning images upon loading them, adding extra indirections on more or less every halfway important API function (to _very_ non-trivial functions which do some "extra checks" as well as run heuristics on combinations of syscalls and whatnot) and effectively disabling memory optimizations much like executable packers do. Plus, wiretapping all IP traffic, plus, plus, plus. I can compare identical hardware... – Damon Mar 29 '18 at 18:48
  • ... here on my desk (no AV, no unnecessary services) and over at my father's (who is 75, so doing acrobatics without "safety net" is not his thing) -- standard setup, standard services, and AV -- , and sure enough there is a very noticeable difference in virtually everything you do, which is about "a third" faster on the bare bones machine. It might be 27% or 31% difference, don't nail me down on an exact percentage. But it sure is something in that ballpark. – Damon Mar 29 '18 at 18:50
  • @Damon so you have benchmarks then? it's not down to disk fragmentation or anything like that? Or by "scanning images on loading them" do you mean putting the memory card from your camera into your PC? – Baldrickk Apr 03 '18 at 13:34
  • @Baldrickk I've measured a speedup of 1:30 min compared to 4 min in the full rebuild of a somewhat larger software project when toggling between AV turned on and off. – aventurin Nov 22 '18 at 20:04
  • @aventurin Was it a proper test, flushing caches in between use? Although an AV can certainly slow down IO by hooking so many common functions, 1:30 to 4 minutes seems a bit excessive. Either the AV is astronomically slow, or something else is making your AVless test faster. – forest Jun 26 '19 at 06:59
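The third bullet of the question, checking autostart entries every week, can be made less of a chore (and less likely to be "put off", as MrWhite notes) by scripting the snapshot and the comparison. The following PowerShell script is an added example, not code from the question or any answer: it records the Run/RunOnce registry keys, both Startup folders and every scheduled task's action on the first run, and on later runs reports entries that were added, removed or changed. The baseline file name and location are assumptions for this example; it does not replace Autoruns, which covers many more locations.

```powershell
# Added example: weekly autostart audit, baseline-and-diff style.
# Assumption: the baseline lives in the user's profile (any path works).
$BaselinePath = Join-Path $env:USERPROFILE 'autostart-baseline.json'

# Registry Run/RunOnce keys for the machine and the current user
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Per-user and all-users Startup folders
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Properties the registry provider adds to every Get-ItemProperty result
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartSnapshot {
    $entries = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $entries["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            # Store the hash, so a replaced file with an unchanged name is noticed
            $entries["startup:$($_.FullName)"] =
                (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    # Scheduled tasks: what each task executes, with its arguments
    Get-ScheduledTask | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $entries["task:$($_.TaskPath)$($_.TaskName)"] = $actions
    }
    return $entries
}

function Compare-Autostart {
    param([hashtable]$Baseline, [hashtable]$Current)
    $report = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $report += [pscustomobject]@{ Change = 'ADDED';   Entry = $k; Value = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $report += [pscustomobject]@{ Change = 'CHANGED'; Entry = $k; Value = $Current[$k] }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $report += [pscustomobject]@{ Change = 'REMOVED'; Entry = $k; Value = $Baseline[$k] }
        }
    }
    return $report
}

$current = Get-AutostartSnapshot
if (-not (Test-Path $BaselinePath)) {
    # First run: save the baseline. Review it by hand once; it is your known-good state.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
} else {
    # Later runs: reload the baseline into a hashtable and diff against the live state
    $baseline = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = [string]$_.Value }
    $diff = @(Compare-Autostart -Baseline $baseline -Current $current)
    if ($diff.Count -eq 0) { Write-Host 'No autostart changes since baseline.' }
    else { $diff | Format-Table -AutoSize }
}
```

Run it once right after a clean setup to create the baseline, then on a schedule. Expect noise after software installs and Windows updates (new tasks, updated Run entries); the point is that every reported line is something you can explain, and anything you cannot explain is worth investigating before the next reboot.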

10 Answers

131

Antivirus is more dangerous in that it parses complex attacker-controlled data in a highly privileged context. This is a recipe for privilege escalation exploits. As a result, sophisticated attackers can often abuse antivirus programs to gain SYSTEM privileges. This is not a rare occurrence or one that is only a problem for enemies of a powerful government. AV software is riddled with privilege escalation vulnerabilities. A quick look at the severity of the vulnerabilities in the CVE list for any popular piece of software will give at least a little insight into the scope of the problem.

Consider your threat model

It is necessary to understand your own threat model. One person's situation might dictate that AV is harmful, while another person's situation might dictate that it is beneficial. Being able to understand the risks that apply to you, and the adversaries which you have is vital to being able to make any security-related decisions, especially ones such as this which are not necessarily black and white.

AV may be beneficial in situations where:

  • The computer is used by someone who can be easily fooled into installing malware.

  • The computer will be handling user-submitted data which may be redistributed to others.

  • You download a lot of untrustworthy programs, such as warez.

AV may be harmful in situations where:

  • Your adversary is at least moderately sophisticated or is targeting you in particular.

  • You are the sole user of your computer and do not download unsigned programs.

  • You keep your software up to date and are not expecting people to burn 0days on you.

Your threat model is what determines whether or not you should use AV software. My personal suggestion, assuming you are not going to download random dolphin screensavers and you keep your software up to date, is that you may want to use a simple, default program such as Windows Defender, and only use it when you explicitly need to. Each time you ask it to scan the hard drive, you are putting all your faith into it to not be compromised by any specially-crafted malware it may stumble upon. If instead you use it when targeting specific programs that you download before you execute them, you reduce the risks considerably.

Enforce code signing

It would be preferable if you did not need to download untrusted software and instead use trusted, signed executables from official sources only. This is especially important for files that wish to be run as Administrator, as those have the most potential for doing damage to your installation. Make sure they are signed! Never assume that your own will power is sufficient to prevent you from making mistakes when running a new program. This is what trojan developers rely on!

In order to further reduce the chance of accidentally running an unsigned or untrustworthy executable, you can configure your security policy such that unsigned executables cannot be run. This will ensure that any malware will need to have a valid signature, signed by a trusted CA. While it is obviously possible to get a malicious file signed, it is far more difficult, and will tend to be more of an issue if you are a specific target and not just an opportunistic victim.

If you further restrict the policy such that only executables signed by Microsoft themselves (and not just a CA which Microsoft trusts), you can effectively eliminate any possibility of infection from a trojan. The only way to get a program to execute in that case would be to exploit a 0day in the operating system, or compromise Microsoft's internal signing keys (those are both in the realm of capabilities for advanced state-sponsored actors). This can help prevent the rare (but not non-existent) cases where malicious code slips into the repositories of a trusted developer.

System hardening

On systems before Windows 10, you can use the Enhanced Mitigation Experience Toolkit (EMET) to enhance the system's security without increasing attack surface area significantly, though note that EMET will not be receiving updates for much longer. EMET works by injecting processes with code that hardens them against exploitation, increasing the chances that an exploit attempt will cause the targeted application to crash rather than be successfully exploited. If you are on Windows 10, most of these security features will be natively present. This makes it the most secure Windows release yet, despite the potentially problematic privacy issues it may have.

You can also disable unnecessary services (especially networking services, such as those exploited by EternalBlue), use AppLocker, and read the security guides provided by Microsoft to allow yourself to further improve the security of your system. The topic of system hardening is vast.

Glorfindel
forest
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/75197/discussion-on-answer-by-forest-alternatives-to-anti-virus-for-keeping-oneself-sa). – Rory Alsop Mar 28 '18 at 15:08
  • Another issue with AV software is that to monitor encrypted web communications they basically perform a MITM attack against the browser, and often they do this quite poorly, so that the resulting connection is far weaker than the original one. – Tgr Mar 30 '18 at 15:29
  • As an aside, for power users it's worth considering using virtual machines to isolate different use cases. For example, I have three VMs I use regularly: one for normal work (no AV installed), one for testing untrusted software (uses online AV to scan files before execution) and one with a local AV program that is used to run scans of the other two. – Jules Mar 31 '18 at 15:43
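forest's answer combines two pieces of advice: check that what you download is signed (ideally by Microsoft itself) before you run it, and invoke Windows Defender only on the specific files you are about to execute rather than on the whole disk. The PowerShell script below is an added example, not code from forest's answer: it walks the Downloads folder, classifies each executable by its Authenticode status and signer, and then runs an on-demand Defender scan only on files that are not Microsoft-signed. The folder, the file extensions and the signer check (a match on `O=Microsoft Corporation` in the certificate subject) are assumptions for this example; a stricter "Microsoft only" policy would verify the whole certificate chain, which is what AppLocker publisher rules do for you.

```powershell
# Added example: signature triage of downloaded files, then a targeted Defender scan.
# Assumptions: Downloads folder, the extension list, and the subject-string signer check.
$Folder     = Join-Path $env:USERPROFILE 'Downloads'
$Extensions = '*.exe', '*.msi', '*.dll', '*.ps1', '*.scr'

function Get-SignatureVerdict {
    param([string]$FilePath)
    $sig     = Get-AuthenticodeSignature -FilePath $FilePath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $verdict = switch ($sig.Status) {
        'Valid' {
            # Heuristic: subject-string match, not a full chain check (assumption of this example)
            if ($subject -match 'O=Microsoft Corporation') { 'MicrosoftSigned' } else { 'ThirdPartySigned' }
        }
        'NotSigned'    { 'Unsigned' }
        'HashMismatch' { 'Tampered' }   # signed, but the bytes changed after signing
        default        { 'Untrusted' }  # e.g. NotTrusted: does not chain to a trusted root
    }
    [pscustomobject]@{
        Path    = $FilePath
        File    = Split-Path -Path $FilePath -Leaf
        Verdict = $verdict
        Status  = $sig.Status
        Signer  = $subject
    }
}

# Classify everything with a risky extension under the folder
$report = Get-ChildItem -Path $Folder -Include $Extensions -File -Recurse |
    ForEach-Object { Get-SignatureVerdict -FilePath $_.FullName }

$report | Sort-Object Verdict | Format-Table File, Verdict, Status, Signer -AutoSize

# Targeted Defender scan only where the signature does not already settle the question.
# Start-MpScan is part of the Defender module that ships with Windows 10.
$report | Where-Object Verdict -ne 'MicrosoftSigned' | ForEach-Object {
    Write-Host "Scanning $($_.File) ($($_.Verdict))"
    Start-MpScan -ScanType CustomScan -ScanPath $_.Path
}
```

A `Tampered` verdict (the `HashMismatch` status) is the one to treat as a hard stop: the file carries a signature, but its content no longer matches it, which is exactly the condition a download that was modified in transit or on disk would produce. `Unsigned` and `Untrusted` results are the files forest's AppLocker or code-signing policy would refuse outright; the scan is a second opinion, not a substitute for that refusal.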
19

This is more opinion than fact, but the answer is a definite "Maybe!"

Let's narrow our scope to Windows for a moment, since it's the biggest Anti-Virus market around.

Windows Defender (the default Microsoft AV) is pretty good; Windows Defender does protect against most (but not all!) threats. But here's the thing—no AV protects against all threats. You still have to fall back on common sense and some other protections.

This kinda nonsense 'probably' won't come from Windows Defender, since they can test their OS with their AV and ensure everything works (hopefully!).

Using Windows Defender isn't an end-all solution though, you should still:

  1. BACKUP, BACKUP, and did I forget to tell you to BACK UP! Ransomware is still pretty common, and having a good backup strategy is the only true way to avoid being a victim. Back up to an offsite location, and one with versioning—I use Dropbox! Do this properly so that the ransomware doesn't encrypt your backups as well.

  2. Ensure your software is up to date, and don't install too much garbage. The more apps on your machine the more likely one of them will muck up. Refresh Windows the instant you get your laptop, remove all the bloatware, and ensure everything you download is on auto-update—also not downloading software from dodgy vendors is a good start.

  3. Use NoScript/Ad Blocker for your browser, crypto-miners that operate on Javascript don't make as much money as you'd expect, but they're still around.

  4. EMET would be good, and so too Windows Defender.

  5. Did I mention backup!

  6. Use a non-administrator user as your default—create a separate non-Admin user, and use that for daily use.

To be absolutely safe though—disconnect your computer from the internet, and hide in a cave! :)

Bergi
keithRozario
  • Crypto-miners are relatively benign compared to other issues that can occur with JavaScript, such as how high-precision timers unintentionally allowed taking advantage of Meltdown. – JAB Mar 26 '18 at 17:28
  • @JAB And that is why people should disable JIT! Without JIT, the only way to get a high-precision timer is to use the relevant APIs, which some browsers have now made more granular. With JIT, a high-speed loop in machine code can run to get timing information. Though I believe there are still multiple ways to get high-precision timing using some CSS quirks... – forest Mar 27 '18 at 02:50
  • "since it's the biggest Anti-Virus market around" ! Of course, you need a machine gun in the lounge and a gallon of coke when all your doors and windows are broken and you don't do anything about the core problem. – dan Apr 25 '18 at 06:58
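Point 6 of keithRozario's answer (use a non-administrator account for daily work) is the one item in that list that is a one-time setup rather than a habit, so it is worth scripting once and verifying. The PowerShell below is an added example, not code from the answer: it creates a standard local user with the built-in LocalAccounts cmdlets and then lists every principal that can still elevate, so you can confirm the daily account is not among them. The account name is an assumption; run it once from an elevated PowerShell on Windows 10.

```powershell
# Added example: create a standard (non-admin) daily account and audit Administrators.
# Assumption: the account name; everything else uses the Windows 10 LocalAccounts module.
$DailyUser = 'daily'

function Test-IsElevated {
    # True when this PowerShell session itself holds administrator rights
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-DailyUser {
    param([string]$Name)
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "$Name already exists, skipping creation."
        return
    }
    $pw = Read-Host -AsSecureString "Password for $Name"
    # New-LocalUser only creates the account; membership in 'Users' (and nothing more)
    # is what makes it a standard user.
    New-LocalUser -Name $Name -Password $pw -Description 'Standard daily-use account' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $Name
}

function Get-AdminAudit {
    # Every principal that can elevate on this machine; the daily account must not appear
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

if (-not (Test-IsElevated)) { throw 'Run this once from an elevated PowerShell.' }
New-DailyUser -Name $DailyUser
Get-AdminAudit | Format-Table -AutoSize
if (Get-LocalGroupMember -Group 'Administrators' -Member $DailyUser -ErrorAction SilentlyContinue) {
    Write-Warning "$DailyUser is in Administrators; remove it with Remove-LocalGroupMember."
}
```

After this, log in as the daily account and leave the administrator account for installs only; UAC will prompt for the admin credentials when something genuinely needs them, which is the friction that stops a trojan from silently writing to system locations.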
12

As someone that works against AV's often, I can say that they all kind of suck. A lot of things depend on the level of security vs comfortably that you can live without.

**Knowledge is power.** The first tool I would recommend is education. Knowing what sites you go to is a big help. Avoid untrusted sites. This includes streaming sites and torrenting. OS patching is a must; keep up to date on the latest threats; disable Flash. The problem I had with forcing organizations to use NoScript and such was that users would eventually just click "enable all".

**Use a save-state VM.** As an alternative, I like having a VM handy to test files in. You can keep a large part of your OS in a VM. I worked in a network where we all worked in VMs, and when they acted up, click restore and done.

**Deepfreeze.** I used Deepfreeze at our university many years ago and it was excellent. You can just set it and your OS will revert back to its original state every time. I launched the Petya worm, let it encrypt the disk, restarted the machine, and nothing. Excellent tool!

**Separate networks.** At home I keep separate networks for "guests". They can bring in their stuff and I don't have to worry about it getting to my part of the network.

**Have a more secure OS.** I really don't like using Windows because I feel it executes everything at the drop of a hat. This obviously isn't perfect by any means, because OS X and Linux are hacked all the time, but I feel that having something that you can control is nice. You can disable macros and still get code execution from some of the exploits out there.

I will add more as they come to mind.

Ultimately, nothing is perfect, but these things can help.

LUser
  • It should be noted that for users using Linux for security, it is beneficial to take the time to enable and configure SELinux or similar MAC policies. – timuzhti Mar 30 '18 at 05:05
  • @Alpha3031 having been bi#$_&slaped by SELinux a few times in my life, I think this is a good idea. – LUser Mar 30 '18 at 05:08
  • **Great answer**! I won't write my own :(. For the § "Have a more secure OS" I would have put it in position 2, just after "Knowledge is power", and given it the title "Choose your OS". Too many users consider that they have no freedom at this level; this is just plain wrong and a sheep behaviour. There is a full scale of OSes which permit achieving a **much bigger security improvement** than any anti-virus. – dan Apr 25 '18 at 06:09
  • I would add: **Don't run as admin all day** for the same reason you don't run around your apartment 24 hours a day with a loaded gun, an unlocked hand grenade and the red light blinking. If you don't run as an admin on your OS, you won't be able to install much crapware, and most notably any ransomware will only encrypt your personal files, not your other users' files and not the system ones. Any damage will be limited, often to 0. – dan Apr 25 '18 at 06:17
  • @danielAzuelos "don't run admin all day and bloatware". This is why I like Linux. I choose what goes in it. If there is bloatware, it's because I put it there. Also, I like that I only need to use admin privs for a few things. – LUser Apr 25 '18 at 06:31
  • You can do the same on Windows and MacOS X (Don't run admin all day). – dan Apr 25 '18 at 06:51
6

Antivirus is fine - it's "what we have"

Just don't expect it to protect you from everything - nothing will. Otherwise if you want to protect yourself without AV you are going to have to jump through quite a few hoops to harden your machine.

  1. Application whitelisting
  2. Check OS patches
  3. Disable macros and DDE
  4. Regular patching of all applications on your system
  5. Have a feed for each of your applications tied into CVEs
  6. Sysmon with a trimmed-down configuration
  7. Separate your desktop into trusted and untrusted. Browser sessions and email in a VM, for example, with no access to another that, say, contains bank details. Tear down the untrusted VM after each session
McMatty
  • Although your suggestions are good, you don't really answer the question as to whether or not AV is or can be harmful. "Is fine" is not much of an answer. – forest Mar 26 '18 at 06:14
  • Question was on alternatives to AV - not if it's a good or bad control – McMatty Mar 26 '18 at 08:16
  • @forest that's not the question – schroeder Mar 26 '18 at 08:49
  • The question starts with talking about how AV is less safe, and wanting to find alternatives. I must have been reading too much into the question. – forest Mar 27 '18 at 01:47
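Item 6 of McMatty's list, Sysmon, only earns its place if someone actually reads what it logs. The PowerShell below is an added example, not code from McMatty's answer: it pulls the last day of Sysmon process-creation (event ID 1) and network-connection (event ID 3) events and keeps only those whose image lives in a user-writable location (Downloads, Temp, AppData, Public), which is where a freshly downloaded or dropped program runs from before it has any foothold. It assumes Sysmon is installed with `ProcessCreate` and `NetworkConnect` logging enabled; the list of "user-writable" patterns and the 24-hour window are assumptions for this example.

```powershell
# Added example: triage Sysmon events for binaries executing from user-writable paths.
# Assumptions: Sysmon installed with ProcessCreate/NetworkConnect enabled; path list below.
$LogName = 'Microsoft-Windows-Sysmon/Operational'
$Hours   = 24
$UserWritable = @(
    "$env:USERPROFILE\Downloads\*",
    "$env:TEMP\*",
    "$env:APPDATA\*",
    "$env:LOCALAPPDATA\*",
    'C:\Users\Public\*'
)

function Convert-SysmonEvent {
    param($Event)
    # Sysmon stores its fields as named <Data> elements under <EventData>
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $Event.TimeCreated
        Id     = $Event.Id
        Image  = $data['Image']
        Detail = if ($Event.Id -eq 1) { $data['CommandLine'] }
                 else { "$($data['DestinationIp']):$($data['DestinationPort'])" }
        Parent = $data['ParentImage']
        User   = $data['User']
    }
}

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($pattern in $UserWritable) {
        if ($Path -like $pattern) { return $true }
    }
    return $false
}

# One query for both event IDs, bounded to the window of interest
$filter = @{ LogName = $LogName; Id = 1, 3; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $row = Convert-SysmonEvent -Event $e
    if ($row.Image -and (Test-UserWritablePath -Path $row.Image)) { $row }
}

$findings | Sort-Object Time |
    Format-Table Time, Id, Image, Detail, Parent, User -AutoSize
```

Expect legitimate hits: several mainstream applications update themselves from `LOCALAPPDATA`, so the list is a triage queue, not an alert. The pairing is what matters: an ID 1 launch from Downloads followed within seconds by an ID 3 connection from the same image is the pattern a dropper produces, and it is visible here without any AV hooking in the kernel.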
3

I agree with using Windows' Defender, but I think despite what you've read, a good (read: highly-rated by reputable sources) AV-program is the safe way to go. Along with the advice that's been given (apart from the cave-dwelling), I think adding SpyBot to your arsenal is a good idea. https://www.safer-networking.org/private/compare/ It won't conflict with any AV-program and will add to system security. You can get the free version, which has some limitations, in order to check it out. But, if you feel you want more features, you can buy the Home or Professional version. FYI, the Free version has to be updated manually. The pay versions do it automagically. SpyBot immunizes your system https://www.safer-networking.org/features/immunization/ as well as scans for and fixes malware and rootkits.

As for the Backup, Backup, Backup, etc., I would also recommend setting Restore Points whenever you make a significant change to your system.

I've yet to be hit with malware (of course now I've jinxed myself) after being online since dial-up was the rage. I wasn't careful about backing up data back then, but after a few fried HDDs, I've learned my lesson.

And last, have a secure firewall, which I'm sure is something you've already done, but I felt I should mention it.

I don't have as much experience as forest, but after 20+ years I've managed to steer clear of malware by following what I've suggested.

2

An AV is just one of many layers of security that anyone using Windows should deploy. The user has only to keep in mind that there is no such thing as a 100% effective anti-virus, and it's not a silver bullet.

Regarding compromising anti-virus software, it's extremely rare for it to happen, and most of the time news like that is just FUD; you even quoted the Daily Mail, which is just trash by any standard.

It's way more likely a system is compromised because an AV is not installed than because the AV itself was compromised.

You should only be worried about your AV being compromised if you're up against a sovereign nation, and if that's the case you've already lost.

Informat
  • `it's extremely rare for it to happen` No, it's not. – forest Mar 28 '18 at 02:03
  • I agree it is rare, forest; can you back up your statement that you're correct and he is wrong? I'd say it's one of the rarest forms of gaining privileged code execution of all forms in existence. I don't think you could be more wrong. In my opinion the most common way would be simple malware downloads that naive users download and install themselves. – FreeSoftwareServers Mar 29 '18 at 01:35
  • If your processor can support running AV without it skipping a beat then absolutely I think you should be using AV. I only used to NOT run AV when I had an underpowered PC. – FreeSoftwareServers Mar 29 '18 at 01:37
  • @FreeSoftwareServers One of the rarest forms of privesc? What? AV software is written _terribly_. It is overwhelmingly easier to exploit than, say, exploiting the kernel, which itself is not exceedingly rare. Just look at the CVE lists or the vendor-specific advisories. – forest Mar 29 '18 at 08:37
  • @forest "all AV" seems a broad statement and I asked for something to back up your statement – FreeSoftwareServers Mar 30 '18 at 17:28
  • @FreeSoftwareServers Here's an example for [Avast](https://www.cvedetails.com/vulnerability-list/vendor_id-6567/Avast.html), an already reputable AV vendor. This site isn't even close to thorough, and this is for just one product. How about [AVG](https://www.cvedetails.com/vulnerability-list/vendor_id-5639/AVG.html)? [Sophos](https://www.cvedetails.com/vulnerability-list/vendor_id-2047/Sophos.html)? [ClamAV](https://www.cvedetails.com/vulnerability-list/vendor_id-8871/Clamav.html)? [Avira](https://www.cvedetails.com/vulnerability-list/vendor_id-3336/Avira.html)? How many more do you need? – forest Mar 31 '18 at 02:44
1

All of the following interchangeable possibilities may lower the chance of getting infected by a virus in the first place.

  • Always update and upgrade your OS and apps.
  • Use a Firewall.
  • No internet.
  • No USB.
  • A Unix (-based) OS (macOS or a Linux distribution).
  • A regularly updated, highly developed internet browser (Chrome or Edge).
leymannx
  • How is Opera more secure than Chrome or Firefox? – delacroix Mar 28 '18 at 18:49
  • @delacroix - Browser extensions as attack vector. The less popular the browser, the less someone tries to put their malware on there. – leymannx Mar 28 '18 at 19:01
  • Opera is not more secure than Chrome (though just about anything is more secure than Firefox). In fact, Chrome and Edge are the most secure browsers out there. Chrome uses _extensive_ sandboxing and privilege separation and has a very, very dedicated security team, and Edge makes use of Windows-specific features such as security-oriented virtualization for security. I would recommend that you _only_ use Chrome or Edge (with Chrome being preferred, if only because its core is open source). – forest Mar 29 '18 at 01:30
  • @forest - What makes Firefox less secure than any other browser? – leymannx Mar 29 '18 at 06:01
  • @leymannx Oh I could go on about that for ages. It uses jemalloc (at least on Linux) which reduces the effectiveness of ASLR. It lacks sandboxing (and its current attempt at "sandboxing" is pretty sad, having very coarse-grained policies). It is multithreaded, not multiprocess (though it is trying to support multiprocess, it's still highly buggy). The code itself is low quality, being full of bad casts (whereas, say, Chromium makes all bad casts fatal in order to implement CFI). It does not sandbox the GPU and, if I recall, the developers said they would never sandbox the GPU... – forest Mar 29 '18 at 06:03
  • It does not separate the page content (the DOM tree, JS, etc) from the process displaying the tab. It is full of undefined behavior (whereas Chromium is regularly compiled with UBSAN), some of which can be made easily exploitable. It uses XUL in its interface which is basically privileged JavaScript. The ESR version only fixes critical security bugs, intentionally leaving "moderate" bugs in the code. It has truly ancient extant bugs, many security-related and 7 years old or older (for example its SIGTERM handling on Linux, and the bug involving image tags and HTTP auth). – forest Mar 29 '18 at 06:06
  • A neat analysis of its memory management was [put on Phrack](http://phrack.org/issues/69/14.html). It hasn't yet fixed the `file://` vulnerability from months ago which allows proxy bypass (Tor Project had to rip that code out of the browser to even make it workable). They used to manually vet all extensions with a thorough security audit before permitting them, but have recently done away with that and do automated static analysis (leading to several malicious plugins being accepted). The only thing FF is good at is having a slow rate of development, which makes forking it simpler (e.g. TBB). – forest Mar 29 '18 at 06:10
0

option 1) You may consider migrating as many machines as possible to Linux. If that is not possible, then at least migrate a few critical machines to Linux.

option 2) If on some machines you have to use Windows only, then you may deploy Linux as the host OS and use rdesktop to log in to thin Windows client machines; or you may use a Windows VM for some tasks and the Linux host for the rest.

option 3) On the machines on which neither option 1 nor 2 is possible, deploy Windows with all the approaches explained in the other answers.

zaxebo1
0

Today an anti-virus can be much more complex than in the past, and it can cover quite a large spectrum of things, such as:

  • file antivirus
  • e-mail protection
  • network protection
  • applications launch control
  • firewall policies
  • web policies – restricting and logging user activity
  • password management
  • data encryption
  • process exploration
  • management console for all the above

I personally don't use an anti-virus (but I recommend that all average users use one) because I work with a lot of files and tools that will trigger alerts; but in order to do that, in theory the above should be covered in alternate manners.

[Files]

Knowing your own files is very important in an OS. It was very simple in the past: up to the XP era, many ended up knowing whether a file must exist or not inside the OS folders. Now things are more complex and OSes can have hundreds of thousands of files that are impossible to track manually, so we have to use alternate tools to detect unauthorized changes. There are tools that can do that and trigger alerts if a target file is changed. Securing the OS and other critical files like that works. Any unauthorized change can generate an alert, or even an alert plus the possibility of undoing that action.

[E-mail]

E-mail protection can be more user-related, in the sense that user awareness is more important than any security tool when it comes to e-mails. If users are trained not to click links and open attachments from untrusted sources, that part is covered way better than with filtering tools that will let a lot of dangerous content get through anyway. Of course, denying dangerous extensions by default via the e-mail system helps a lot too. My conclusion here is simple: user training is more important than e-mail filtering.

[Network]

On the network side there are many tools that can do monitoring, intrusion detection and shared-access detection. These tools will not protect against very advanced attacks that use vulnerabilities. This is a problem that a good anti-virus will cover but that is hard to cover otherwise. I would rather let an anti-virus manage this part if possible.

[Applications]

It is relatively easy, even nowadays, to control what runs and what does not on a computer. Starting with basics like UAC and ending up with tools that control and monitor what a program can do if launched, you can cover this aspect pretty well.

[Firewall]

Operating systems have their own firewall, so you may as well use that one. Although anti-virus software may control it more easily via its own policies, it's practically the same thing: if you make a good configuration, it's fine in both cases, whether made in the OS firewall or in the anti-virus firewall.

[Web]

This is an area where anti-virus software can help a lot; a good anti-virus already has blacklist databases and has live scanning capabilities for filtering websites while they load. Covering this without any anti-virus capabilities can be pretty hard and time consuming. I don't think any normal user will keep blacklists configured in their browser. And as browsers have lots of vulnerabilities and exploits, this is one part I'd rather let an anti-virus cover. Otherwise, training helps cover this part, just like in the case of e-mail. No opening of pages outside strictly known and needed ones, no problem. For a large site like g00gle to have problems is highly improbable.

[Password Management]

This is not mandatory, and it can be covered in dozens of ways anyway, so it's not really an important aspect, but some anti-virus solutions can cover it also.

[Encryption]

Encrypting sensitive data can be extremely important in many situations, and some anti-virus solutions offer support for this. But it is not a problem: nowadays OSes can do it, and very good general-use tools like TrueCrypt and VeraCrypt can do it both at container level and at system level.

[Processes]

Good anti-virus solutions will have good process monitoring and immediately spot anomalies and bad process behavior. But there are tools that can cover this aspect too. Even the old Process Explorer may be enough to spot a bad process that you can then terminate.

[C&C]

Now, assuming you have covered most of the above, it may also be important to be able to centralize everything. Can you do that? It is certainly possible. Controlling things separately may prove difficult and time consuming. I use a modified advanced file manager to centralize command and control of every aspect of the above. I can launch anything needed directly from it without using the operating system's own UI or features. The shell works even if the OS UI or the OS's own shell is down. This makes it good and viable in case something goes wrong with part of the OS.

Depending on the specific case/situation, you may want to use some or even all the above.

Overmind
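Overmind's [Files] section describes the technique without naming a tool: record what your critical files look like, then detect unauthorized changes. The PowerShell below is an added example, not code from the answer: on the first run it records a SHA-256 hash for every file under a directory that should not change on its own; on later runs it reports files that were added, removed or modified, using `Compare-Object` so that no custom diff logic is needed. The watched directory and the baseline file name are assumptions; on a real system you would re-baseline right after each Windows update, since patches legitimately replace files there.

```powershell
# Added example: file-integrity baseline and check for a directory of stable files.
# Assumptions: the watched directory and the baseline CSV location.
$WatchDir    = 'C:\Windows\System32\drivers'
$BaselineCsv = Join-Path $env:USERPROFILE 'fim-baseline.csv'

function Get-DirectoryHashes {
    param([string]$Dir)
    # One Path/Hash record per readable file; locked files are skipped, not fatal
    Get-ChildItem -Path $Dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h) { [pscustomobject]@{ Path = $_.FullName; Hash = $h.Hash } }
    }
}

function Compare-Hashes {
    param($Baseline, $Current)
    # Compare-Object marks records only in $Current with '=>' and only in $Baseline with '<='.
    # A modified file therefore shows up twice (old hash '<=', new hash '=>') under one path.
    $diff = Compare-Object -ReferenceObject @($Baseline) -DifferenceObject @($Current) -Property Path, Hash
    foreach ($g in ($diff | Group-Object Path)) {
        $sides = @($g.Group.SideIndicator)
        $state = if (($sides -contains '<=') -and ($sides -contains '=>')) { 'MODIFIED' }
                 elseif ($sides -contains '=>') { 'ADDED' }
                 else { 'REMOVED' }
        [pscustomobject]@{ State = $state; Path = $g.Name }
    }
}

$current = @(Get-DirectoryHashes -Dir $WatchDir)

if (-not (Test-Path $BaselineCsv)) {
    # First run: store the known-good state
    $current | Export-Csv -Path $BaselineCsv -NoTypeInformation
    Write-Host "Baseline: $($current.Count) files recorded in $BaselineCsv"
} else {
    $baseline = @(Import-Csv -Path $BaselineCsv)
    $changes  = @(Compare-Hashes -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) { Write-Host "No changes under $WatchDir since baseline." }
    else { $changes | Sort-Object State, Path | Format-Table -AutoSize }
}
```

The baseline itself must be stored somewhere the process you are guarding against cannot rewrite it (removable media, or at least a location only the administrator account can write), otherwise a change that also updates the baseline goes unnoticed; that is the same reason the answer's "alert plus the possibility of undoing" needs a copy of the original file kept out of reach.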
-2

You are very right about the limitations and possible increased risks of anti-virus software. Not only is it the single biggest software component on a computer that contributes to slow I/O, causing overall sluggishness, but the concept of building an increasingly huge database of all malware is flawed, since it is always at best playing catch-up after malware is released and discovered.

It should also be mentioned that antivirus software primarily scans I/O to prevent any malicious software from being transferred to or from permanent storage. Antivirus software does not scan network connections or other non file I/O sources of software exploits. An exploit can come in over a network connection, exploit some running software, and now have code executing on the system. This code can then disable the antivirus software and then proceed to install itself on the system.

Your web browser is an immensely large and complicated piece of software, and given its extensive use it is probably the biggest attack vector for users who don't download random software, even if plugins are not being used. Unfortunately there are really only four choices of code bases for current standards-compliant browsers: Microsoft's Internet Explorer, Microsoft's Edge, open source Mozilla or Gecko based browsers (Firefox and many others), and open source WebKit / Blink browsers (Konqueror, Safari, Chromium). Opera couldn't keep up with JavaScript and switched to using Blink as their rendering engine.

If JavaScript wasn't a big enough attack surface and security issue already, a new kind of JavaScript called WebAssembly is being added to Firefox now. Consider disabling it in Firefox like this: go to about:config, then set javascript.options.wasm = false.

Others have mentioned using a firewall or not enabling unnecessary system services, so I'll mention other things.

edit: There are different types of attacks. Some attacks are directed against a target, and others are generic attacks meant to target a large number of systems. Some security measures are excellent for protecting against generic attacks but do little to thwart a directed attack. Other methods protect against generic attacks and protect against typical directed attacks, but fail to protect against a direct attack from an attacker who is willing to analyze your specific configuration and spend the time to figure out how to attack it. As a general rule, the smaller the code base and the greater the emphasis on security during application development, the fewer security vulnerabilities a program will have. If a program is open source, and if it is popular, then a larger number of vulnerabilities will be discovered and eventually reported or made public. This reduces the overall number of security vulnerabilities in the program, but in most cases increases the risk of using the program since vulnerabilities are discovered and known by the public so much more frequently. On the other hand, the decreased number of vulnerabilities in the program due to its popularity and patching means that someone who deliberately searches the code to discover new vulnerabilities will have less success. In summary, if a vulnerability exists but isn't known by anyone, it remains harmless until it is discovered. So there are pros and cons to increased popularity and bug discovery in software.

Lying about application versions: This one is rarely talked about. Often, in order to successfully exploit a vulnerability, the exact version of the program and the operating system must be known. Unfortunately your web browser reports its exact version as well as the operating system that it is on every time you connect to a site. Consider changing the UserAgent in your browser and any other application that reveals too much information about itself.

Use your operating system's user level security. Run your browser in a limited user account that is not an administrator account and preferably different than your regular user account. This alone provides more security than any antivirus software. Keep in mind that how well this works depends on your operating system. On Windows, even a restricted program running with other windows on your session can monitor all keyboard input except for specialized full screen system password entry windows. Clients on *nix using the X Window system can monitor keyboard input as well.

Make sure DEP and ASLR are enabled. Windows may not enable DEP (non-executable memory) for non-Windows programs in order to prevent crashes due to compatibility problems. Enable DEP for everything and exempt crashing programs as needed. WehnTrust can be used to add ASLR to Windows NT5 versions (https://archive.codeplex.com/?p=wehntrust; the installer is buried in there).

Use an obscure operating system. Windows, OS X, and Linux have gotten rather popular. There are still alternatives like BSD and Solaris. If you configure your browser or other applications to lie about their operating system, an attacker may attempt to exploit your application and have it result in a crash instead of working. Edit: As I wrote above, it depends on the situation. Around 2004, the number of security vulnerabilities discovered in Linux vastly increased compared to BSD, and prior to this time the number of vulnerabilities discovered was similar. I believe this is due to the growing popularity of Linux compared to BSD. Both BSD and Linux probably contain a large number of vulnerabilities, but BSD appears to be much more secure due to its lack of popularity resulting in far fewer vulnerabilities being publicly discovered. According to the DEF CON 25 - Ilja van Sprundel presentation, analyzing the BSD kernel source revealed a number of vulnerabilities. I still stand by what I said, that running an obscure operating system is more secure. However, if you are the target of a directed attack where someone is willing to spend a lot of their time analyzing your obscure configuration then you are less secure!

Don't overlook embedded systems! Your wifi chip has a CPU and firmware! Your antivirus software can do nothing to prevent embedded systems from being attacked by malware. Wifi chipsets have their own CPUs and firmware and they can be attacked remotely. In the summer of 2017 at Defcon they demonstrated a remote buffer overflow exploit in Broadcom wifi chipsets! The demonstration didn't go beyond changing a function call in the Broadcom firmware and making it send an "owned" packet out, but such an exploit allows complete takeover of the wifi chipset firmware. Broadcom is used in many smart phones and Apple products! Someone can DMA your system memory and send the data back using a channel outside of the normal wifi spectrum. They can also write to your RAM and install a root kit while bypassing everything. They could also write directly to your computer's system management mode memory. Since the SMM memory can be locked off by the chipset (except for when the CPU is in SMM) no memory scan can even detect it. It doesn't matter how many security programs you have or how many VMs your computer has. This is a direct attack to ring 0/-1/-2!!! There is no antivirus or other software out there that can detect such an attack. It is not much harder for someone who is familiar with development for an embedded system to write malware for it than it is on a regular computer operating system.

edit: I see a lot of negative response to my answer, but remember that the original question is about an alternative to anti-virus, and any knowledgeable IT security person knows how ineffective, downright useless, anti-virus can be at times. So some of my suggestions, like using an obscure operating system, are really doing the same thing that anti-virus does, which is making virus writers modify their malware to get around the anti-virus software. I'm offering a somewhat ineffective security solution in place of database-based anti-virus software, which is even less effective!

Alex Cannon
  • 402
  • 2
  • 7
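The DEP/ASLR advice in the answer above, expressed as an added PowerShell audit-and-harden script for Windows 10 (this is not the answer's own text). It assumes the built-in ProcessMitigations module (Get-/Set-ProcessMitigation, Windows 10 1709 and later) and an elevated prompt; legacyapp.exe is a placeholder for a hypothetical program that crashes under DEP.

```powershell
# Added example: check the boot-time DEP policy, widen it to cover every program
# (the answer's "enable DEP for everything"), tighten system-wide ASLR defaults,
# and exempt a single crashing program. Run elevated; 'legacyapp.exe' is a placeholder.

# 1. Boot-time DEP policy as reported by WMI on Win32_OperatingSystem:
#    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs only), 3 = OptOut (everything)
$policy = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
"Current DEP policy: $($names[[int]$policy])"

# 2. OptIn only protects Windows' own binaries. Switch to OptOut so DEP applies to all
#    programs unless explicitly exempted (needs a reboot). 'AlwaysOn' is stricter but
#    allows no exemptions, so a crashing legacy program could not be excluded.
if ($policy -ne 1 -and $policy -ne 3) {
    bcdedit /set nx OptOut
}

# 3. Show the system-wide mitigation defaults new processes inherit (DEP, ASLR, CFG, ...).
Get-ProcessMitigation -System | Format-List

# 4. Make DEP and the ASLR variants the default for every process:
#    BottomUp randomises heap/stack placement, HighEntropy widens 64-bit randomisation,
#    ForceRelocateImages rebases images built without /DYNAMICBASE (this last one is the
#    setting most likely to break old software, so test before leaving it on).
Set-ProcessMitigation -System -Enable DEP,BottomUp,HighEntropy,ForceRelocateImages

# 5. Exempt one program that crashes under DEP, per-process rather than system-wide.
Set-ProcessMitigation -Name legacyapp.exe -Disable DEP

# 6. Confirm the exemption took effect for that image name.
Get-ProcessMitigation -Name legacyapp.exe | Format-List
```

Re-run step 1 after the reboot to confirm the policy reads OptOut; step 5 can be reversed with `-Enable DEP` on the same image name.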
  • 4
    -1 for "Use an obscure operating system". Many obscure systems, like IRIX and HP-UX, are unbelievably insecure. Compare this to Windows which has probably the most statically analyzed (large, complex) kernel in existence, or Linux which is completely open source and regularly audited. The latest DEF CON had a talk that explained just how horrible some of the BSDs are, and Solaris' security is really not great (though Zones are an amazing security feature). – forest Mar 29 '18 at 08:40
  • 1
    Also, hiding the browser version is _completely useless_. Not only is it trivial to detect the real version by using any number of fingerprinting techniques (HTML5 feature detection, for example), but attacks like AnC have shown that you can't even hide the memory layout of the process. – forest Mar 29 '18 at 08:41
  • Well that is a fair point. But there is a difference between the estimated number of vulnerabilities and discovered & reported vulnerabilities. BSD has far fewer discovered & reported vulnerabilities compared to Linux. I'll edit my answer to reflect this. Even if lying about a program version can be defeated, it certainly doesn't harm anything. – Alex Cannon Mar 29 '18 at 15:33
  • Using an obscure operating system being less secure against a directed attack is a fair point which has now been addressed, but why the down votes? – Alex Cannon Mar 29 '18 at 23:37
  • Additionally, despite having fewer _reported_ vulnerabilities, many BSD-derived operating systems (there is no one "BSD" anymore) are written less securely. The fact that fewer bug reports come out for them simply means less eyes are on the code. FreeBSD uses jemalloc globally, NetBSD has a horrific networking stack, DragonflyBSD only recently added NX support to the kernel (!), and even OpenBSD is not great (in terms of code quality at least). In terms of exploitable bugs per 10k lines of code, I would say that Linux and Windows have far fewer than any of the BSDs. – forest Mar 30 '18 at 02:29
  • 2
    You're giving security advice for NT 5? I'd say that if someone's using NT 5, the first thing they should do is pick an OS that didn't End of Life over 10 years ago. – Patrick M Mar 30 '18 at 05:48
  • Regarding your recent edit, using an obscure operating system does not necessarily make the job for malware authors much harder, especially since there are so many platform-independent languages in common use. All it does is make it trivial for malware authors to exploit the operating system. – forest Nov 23 '18 at 03:33