11 November 2007

Throw off your mental chains

The first person to link to my blog was Steve Riley, who gets paid to "do security". It was nice of him to mention my AUTORUN.INF hack, even if he didn't recommend it (for reasons I didn't quite gather).

Anyway, while flicking through the archives of Steve's blog, I found this article which questions the whole need for anti-virus software. Yesss!

Having steered a corporate network through three major software generations over the last 17 years, without spending a penny on anti-virus software in that time, I can confirm that you don't need anti-virus software. Not just on your own PC, gentle technically-aware reader; not on your users' PCs, either.

We currently have 1800 PCs, all running XP SP2, with all users having administrator privileges, allowed to install more or less any software they want, allowed to visit most Web sites (except for a few which we've specifically blacklisted for hosting malware), and we have not had a single report that any user has lost a single byte of data to a virus, in all that time, going right back to DOS 3.3 and Digital Pathworks.

Steve tries to suggest that this approach may not be for everybody, although I suspect he's just trying to sound like he's being less radical than he is - kind of like those non-religious people who can't actually bring themselves to say that they're atheists (this is a simile, please don't write in about it). He has hit the nail on the head: if your anti-virus software doesn't ever detect anything, what use is it? Other bloggers tip-toeing around this subject, but not quite ready to fully admit their apostasy in public, are Adam Vero (who, I suspect, has become a non-believer, but - probably correctly - doesn't think his customers are ready for such a drastic step), and Aaron Margosis, who has a "lite" approach (he suggests you don't need an anti-virus if your users don't have administrator privileges).

To me, installing anti-virus software because you're afraid of viruses, is like hiring a retired, but very dumb, police officer to stand guard in your home 24/7 because you're afraid of burglars. Every time any member of your family tries to move from one room to another, they get asked for ID. No ID, no place at the dinner table. And because your oldest kid's name is "Lexy" (geddit?), she gets extra-special treatment: a strip-search every morning when she gets up, to make sure she didn't get converted into a burglar during the night.

I wouldn't object so much, if viruses were even 1% as terrible things as people make out. I know users who would rather have a sudden, unrecoverable, scrape-the-platters hard drive crash, than the idea that any form of worm, virus, or trojan is on their PC. Strange, since pretty much the worst a virus can do is trash all your data (yes yes, I know it could e-mail your grocery list to some randomly-selected guy in Latvia), which is the same thing, and oh yes, modern viruses don't do that. In fact they don't do very much damage to their "host" PC; if they did, rather less than 25% of the world's PCs would be in botnets, because their owners would have noticed and done something about it.

The only bits of malware to have caused significant disruption to our network were the "MS-Blast" and "Sasser" worms. And guess what? Because they exploited a vulnerability in Microsoft's DLLs, anti-virus software didn't work (except, perhaps, to clean them up, which in any case was a one-line registry entry). People flooded to their anti-virus vendor's site, to be told "get the security patches from Microsoft". You paid the cop every day for a year, but he couldn't protect you from a burglar who wore a very small mask.

Talking of disk crashes: we change between 3% and 5% of our PC hard drives every year. We try to get to at least half of them before they die (by monitoring certain disk-related system events), but we know that of the 1800 PCs on our network, about 35 will experience sudden and irreversible disk death. We don't worry too much, because our users keep all their important data (by definition) on network drives. But if users do want to keep data locally, the backups which they make (!) are also useful protection against the day when the evil mega-virus makes the inter-species crossover (the one from "Hollywood" or "the marketing department of anti-virus companies" to "the real world").

So, put up the built-in Windows firewall (just in case the next exploit worm gets on to your Intranet), run some daily checks of the key parts of the registry (I'll write up how we do this, one day), submit suspicious files to VirusTotal (on average, after a week, one-third of the virus engines used by that site still don't detect any given virus, in my experience), build your PCs with a separate disk partition which you can boot to clean up malware in the main partition, and above all, stop worrying. You will get some viruses, worms, and trojans on your network, and they won't kill you. In fact, chances are you already do have several bits of malware anyway, because you're trusting that dumb cop to protect you, and he can't recognise 1/3 of the burglars.
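The "daily checks of the key parts of the registry" above are never written up on this page, and the reply below (comment 2) only points at the registry locations a tool like HijackThis covers. As an added example, not the author's script, here is one way to run such a check offline: parse yesterday's and today's `reg export` dumps of the autorun keys and report only what was added, removed or changed. The list of keys, the two sample dumps and every program name and path in them are constructed for the illustration.

```python
"""Daily autorun-key check: diff today's `reg export` dump against a stored
baseline and report only the differences.  Added example, not the blog
author's script; the key list and sample dumps are constructed."""
import re

# Autorun locations a HijackThis-style check covers (assumption: illustrative,
# not exhaustive; extend with the keys your own baseline tracks).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
_CANONICAL = {k.lower(): k for k in AUTORUN_KEYS}  # registry keys are case-insensitive

# One value line of a .reg file: "name"=data, or @=data for the default value.
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg escaping: a backslash followed by any character yields that character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the autorun keys present in a
    `reg export` dump.  REG_SZ data is unescaped; other types (hex:, dword:)
    are kept as raw text, which is enough to notice that they changed."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = _CANONICAL.get(line[1:-1].lower())  # None for keys we don't track
            if current is not None:
                entries.setdefault(current, {})
            continue
        if current is None or not line or line.startswith(";"):
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue  # e.g. continuation lines of a long hex value
        name = "@" if m.group("default") else _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])  # REG_SZ: strip quotes and unescape
        entries[current][name] = data
    return entries


def diff_autoruns(baseline, current):
    """Compare two parsed dumps.  Returns (added, removed, changed), each a
    sorted list of tuples, so a daily job can alert only on differences."""
    added, removed, changed = [], [], []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, {}), current.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                added.append((key, name, new[name]))
            elif name not in new:
                removed.append((key, name, old[name]))
            elif old[name] != new[name]:
                changed.append((key, name, old[name], new[name]))
    return added, removed, changed


def report(baseline_text, current_text):
    """Human-readable lines describing what changed since the baseline."""
    added, removed, changed = diff_autoruns(parse_reg_export(baseline_text),
                                            parse_reg_export(current_text))
    lines = [f"ADDED   {k}\\{n} = {d}" for k, n, d in added]
    lines += [f"REMOVED {k}\\{n} = {d}" for k, n, d in removed]
    lines += [f"CHANGED {k}\\{n}: {o} -> {d}" for k, n, o, d in changed]
    return lines


# Constructed sample dumps standing in for yesterday's baseline and today's
# `reg export` output; program names and paths are made up for the example.
BASELINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioTray"="C:\\Program Files\\Audio\\AudioTray.exe"
"ReaderSL"="\"C:\\Program Files\\Reader\\Reader_sl.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example 1.0"
"""

TODAY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioTray"="C:\\WINDOWS\\Temp\\AudioTray.exe"
"ReaderSL"="\"C:\\Program Files\\Reader\\Reader_sl.exe\""
"SysUpdate"="C:\\Documents and Settings\\All Users\\Application Data\\sysupdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for line in report(BASELINE_EXPORT, TODAY_EXPORT):
        print(line)
```

On a real machine the two texts would come from files written by `reg export`, which on XP are UTF-16 with a byte-order mark, so open them with `encoding="utf-16"`. The Uninstall key in the baseline is deliberately ignored: the check stays narrow on purpose, so that a new entry under Run, or an existing entry whose path moved into a temp or per-user data directory, stands out rather than being buried in unrelated churn.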


  1. Hello,
    As a layman and someone with a small purse (the prices for virus scanners are a lot of money for me): my request is, tell me what the key parts of the registry are which I have to check; can you give an example of a suspicious file you once sent; and when you say build your PC with a separate disk partition (still on the same disk?) which you can boot, do you mean dual boot?

  2. I'd start by looking at the registry locations which a product like HijackThis checks. That covers most of the auto-running stuff.

    Suspicious files? With 1800 PCs on the network, we get them daily. Today we got a Trojan which we hadn't seen before. About 6 of the 30+ scanners at VirusTotal detected it; the others (including Norton, Symantec, and Trend) didn't. But in a week or so they will.

    As for the disk partitioning: it's worth having a separate partition into which you can copy a mini-Windows installation and then boot so that your main configuration is "under general anaesthetic". You can also do this by building a bootable CD, but the advantage of doing it directly to the hard disk is that you can often effect a complete repair from a distance. You have to be at home manipulating the OS loader files, though.

  3. Thank you, Nick, for this interesting blog! I do not use anti-virus software either. But I think this is only possible as the browsers have been made very safe and are blocking malware from the web.
    Yours faithfully,

  4. Wolfgang, don't be too optimistic. Our users are currently collecting a couple of drive-by viruses per week. Some of them exploit security holes (we are slow to push out patches, because often they break things badly), and some just trick people into executing the right piece of Javascript.

    The best way we've identified to stay relatively safe from trojans etc., is to restrict yourself to major sites. Unfortunately our users have professional reasons to visit sites all over Russia, Ukraine, etc., and there's a lot of drive-bys there.

    I strongly suggest you get hold of a copy of Rootkit Revealer and see if it turns up anything. (BTW, based on what we've seen in the last couple of weeks, some malware seems to be trying to fight back against RKR too!)

  5. My senior comp never installed AV software; I thought he just didn't care.

    After reading your post, I would say, if it doesn't crash the pc or destroy the data, then there's no point worrying if that av software told me the keygen I use to steal software is a virus.

    Also, I agree on the fact that it's useless to perform av scan on the system daily.

  6. Well written article.