Experts only: time to ditch the antivirus?

It's definitely not the right move for the average computer user, but some security experts claim they have found better security by disabling the AV and relying on other controls and behaviors.

To the average IT security practitioner, the idea of disabling antivirus on new machines might seem blasphemous. After all, weren't we all told in IT Security 101 that everyone needs AV to keep the malware and data thieves at bay?

Perhaps, but for some who moved beyond IT Security 101 eons ago, AV is more than simply obsolete. It's an obstacle to a more perfect defense. And so they've chosen to disable it.

Among those who feel that way is David Litchfield, a leading database security expert who has authored such books as "Oracle Forensics," the "Oracle Hacker's Handbook," the "Database Hacker's Handbook" and "SQL Server Security." [Related: Researcher Finds New Way to Hack Oracle Database]

Like the media players and toolbars he also chooses to disable, such as Real Player, Adobe Acrobat/Flash and toolbars from Google and Yahoo, Litchfield simply doesn't trust the AV programs out there.

"As an experienced security guy, I have no faith in most of the AV packages out there because they're completely reactive, offer little advance protection, massively increase the attack surface and have a long history of vulnerable ActiveX controls," Litchfield says. "I've never used AV software and I've never once been infected with a virus."

For Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, it's not simply a matter of distrusting AV. It's just that security practitioners who have been in the game as long as he has have found better controls that make AV obsolete.

"I don't use AV on most of my systems, and most high-level security types use only limited AV," he said.

Mogull believes AV is quite useful at the e-mail gateway/provider level, and he does have AV on a Windows XP VM (virtual machine) left over from his last job. But there's no AV to be found on his Mac, or on his Vista VM. He points out that he uses "a lot" of other controls that provide him with adequate security, including limited Web browsing, maximum security in the browser, e-mail filtering and other lock-downs on the system.

All that said, Litchfield and Mogull agree this isn't something the security novice should be doing. "Knowing what is and what isn't safe to do on a computer is 90 percent of the battle," Litchfield said.

Ken Pfeil, executive director and head of information security for the Americas Region at financial services company WestLB AG, said he can see both sides of the argument.

"Litchfield is right in a lot of respects. AV and personal firewalls are pretty much useless unless you are the average end user," he said. However, he also noted that "It still doesn't matter when it comes down to policy in the corporate world because you can't effectively enforce two different sets of standards." In other words, in the enterprise setting, it's AV for everyone. And Pfeil thinks that's okay, noting that even experienced race car drivers wear their seatbelt even though the odds are slim that an accident will happen on their way to the store.

Zach Lanier, senior network security analyst at Harvard Business School, noted the debate over AV effectiveness isn't new, but the past few years have been increasingly difficult for traditional approaches to malware protection. Most of the current AV options lag behind in updates, have detection engines that are trivial to bypass, and sometimes are themselves vulnerable, he said. He also considers himself savvy enough to skip antivirus on his own systems in favor of other security options like sandboxing and mandatory access control.

But Lanier echoed the point that in the larger environment, AV remains a necessary weapon in the security arsenal.

"While I support efforts to scrutinize the efficacy of AV and fix it, it's what we've got to work with right now, and I'd be remiss not to utilize antivirus/antimalware as a tool in my arsenal to help protect non-tech-savvy end users," he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags AVantivirus

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bill Brenner

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts