Antivirus in 2017: Why? Which? How?

Andrew Douma
7 min read, Nov 2, 2016

Teach anyone how to find an efficient and free Anti-malware product within 20 minutes by sending them this article. (July ’17 Edition)

This is a skill I promise will serve you for years to come. I aim to teach how to fish for free rather than tell you which fish is fresh at today’s market.

@securitystreak

About the Author

Andrew Douma is a vendor-neutral IT Security Professional. He performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers high-assurance systems in the Cloud.

You can connect with him on GoodReads, LinkedIn, Medium, and Twitter.

More stories by Andrew

Buying a professional penetration testing laptop| Evaluating QubesOS as a Penetration Testing Platform | Finding the right exploit code | Penetration Testers’ Guide to Windows 10 Privacy & Security | Full Disk Encryption with VeraCrypt | Hacker to Security Pro! On the Shoulders of #InfoSec Giants | Securing an Android Phone or Tablet (LineageOS) | Password (IN)SANITY: Intelligent Password Policy & Best Practices | Security Architecture Patterns I & Patterns II

Can you bypass my Antivirus?

Antivirus products rely on detecting a “signature” inside your files — a string of text such as a malware author’s name, or a file hash matching that of a known malicious executable.

Trained penetration testers (and cyber criminals) can bypass most anti-malware solutions with ease. With more effort, those super expensive Next Generation Firewalls (NGFW) we configure for Enterprise clients are no match either.

Changing the signature is often enough to prevent detection. More and more of the malware we come across has a unique signature for every machine it infects. This is why pirating software is so high-risk!
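As an added illustration (not code from the original article), here are the two signature styles just described as a toy scanner: a hash of a known bad file and a byte pattern found inside it, run over constructed byte strings, plus a simulated definitions update. All sample bytes and detection names are made up.

```python
import hashlib
import re

# Constructed sample "files" for this example; the bytes are made up, not real malware.
KNOWN_BAD = b"MZ\x90\x00 dropper v1 by EvilCorp payload-stub"
BENIGN = b"MZ\x90\x00 hello world application"
# A per-machine variant: identical code with one extra byte appended, the kind of
# unique-per-infection build the article mentions.
VARIANT = KNOWN_BAD + b"\x07"

# Two signature styles the article describes:
#   1) the SHA-256 of a known malicious executable
#   2) a byte/text pattern found inside the file (here the author's tag)
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Dropper.v1"}
PATTERN_SIGNATURES = {re.compile(rb"by EvilCorp"): "Dropper.EvilCorp.gen"}


def scan(data: bytes) -> list:
    """Return the names of every signature matching data (empty list = clean)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def add_hash_signature(sample: bytes, name: str) -> None:
    """Simulate a definitions update: learn the hash of a newly analysed sample."""
    HASH_SIGNATURES[hashlib.sha256(sample).hexdigest()] = name


if __name__ == "__main__":
    print(scan(KNOWN_BAD))   # both signatures fire
    print(scan(BENIGN))      # clean
    print(scan(VARIANT))     # the hash misses the one-byte change; the pattern still fires
    add_hash_signature(VARIANT, "Dropper.v1b")
    print(scan(VARIANT))     # after the update the hash signature fires as well
```

The variant shows why a hash-only database is only as good as its last update, and why labs weigh detection of new samples rather than a fixed list.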

Are Antivirus programs useless?

NO! The Internet would improve if everyone had an adequate Antivirus product installed on every device.

The continued expansion of Botnets, delivering Denial of Service (DoS), Banker Trojans and Ransomware payloads, should be proof enough.

The fact remains: Antivirus software protects you against 90% of malware known to humankind — up to the point you last updated it!

For enterprises:

In an Enterprise environment, a secure operating system (OS) baseline & whitelisting offer greater performance and security.

“Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It’s like we are standing around the dead canary saying: Thank god it inhaled all the poisonous gas!” — Darren Bilby

Hire a qualified professional if your Threat Model requires a higher level of assurance. One with the hands-on technical skills to audit the solutions that collectively provide the Defense in depth your Threat Model requires.

TED Talk: Everyday cybercrime — and what you can do about it

For consumers, it is often cheaper and easier to just buy a new laptop than hiring a security professional or applying a secure baseline.

Remember, Antivirus cannot protect you against:

  • Social engineering attacks against users with no security awareness.
  • New threats unless these are based on patterns already known.
  • Exploits and bypasses targeting the Antivirus product itself.

Certainly, the effectiveness of a particular Antivirus product changes over time. Good and bad guys are pushing the boundaries of what we can do with our hardware every day. Companies go out of business or are bought up for their brand value alone. Malware analysts leave for greener pastures.

Antivirus comparison. Which is best for…?

You can find an initial comparison on Wikipedia. While it introduces the types of features you can expect, it does not answer questions like:

  • Which Antivirus is best for Windows 10?
  • Which Antivirus is best for MacOS?
  • What about my iOS or Android phone?
  • Should I install Antivirus on my tablet?
  • Which works best for my Gaming PC?
  • My SmartTV? Chromebook?

This is where professional Antivirus testing labs come in.

OPSWAT Certified Application Vendors

OPSWAT is a for-profit software company that provides solutions to manage and secure IT infrastructure (United States). They test Antivirus software to ensure that detection rates, false alarm response times, and the ability to work with other security applications are up to snuff.

Any program with the OPSWAT Gold certification has passed all their criteria.

You can find a list of OPSWAT certified products here.

AV-Comparatives.org

AV-Comparatives is an independent organization that checks whether security software lives up to its promises (Austria). They do so with scientifically sound testing methods and one of the largest malware sample collections worldwide.

Certification by AV-Comparatives provides a general approval, but their Real-World Protection Test is more comprehensive and replicates common scenarios that most of us experience when using a computer with an Internet connection.

Any program with the AV-Comparatives Advanced+ certification has performed well in all of their tests.

You can find a list of recent test results here.

AV-Test.org

Similarly, AV-Test is an IT security service provider focused on anti-virus research (Germany).

Though a smaller fish in the pond of Antivirus testing labs, I appreciate that they factor in the usability of the security software itself, as I am sure you will as well. They test fewer products and perform tests less frequently than the other labs.

You can find their recommendations for Windows and Android here.

(click on a relevant filter)

Trying on an Antivirus for size

The first Antivirus you try out may not be the one you stick with.

Some are poorly written and have a reputation for consuming a lot of memory or hogging the CPU. On-access or full system scans perform inefficient read/write operations — a common bottleneck for systems without a Solid State Drive (SSD).

Some come bundled with Host Intrusion Prevention (HIPS) functionality that tries to check whether code about to run is malicious, or asks for your approval before a program connects to the Internet. Not all of this may be to your liking.

For example, I opted to uninstall Avira once I realized it does not allow me to exclude files and folders from its scan. A pity, as it did well against a set of recently-leaked exploit kits I keep around.

If you are ever annoyed by your Antivirus software, uninstall it, come back to this article and pick another option.

Antivirus configuration tips

Whichever Antivirus software you decide to try, be mindful of these tips during installation and configuration:

  • Make sure you download it from the official website!
  • Some free Antivirus programs out there will offer to set your homepage to Yahoo! Deselect these “generous” offers.
  • Go into the Antivirus’ Settings/Preferences and use your best judgment! You can’t go wrong.
  • Disable any features that keep you “safe” online. They often do the exact opposite by installing Man-in-The-Middle (MiTM) browser plugins.
  • Enable automatic updating of your Antivirus, preferably every hour.
  • Turn on-access scans on. Configure a weekly scan at a time you are unlikely to be using your computer.
  • Run a full scan of your device.

Free Antivirus recommendations

I evaluated several Antivirus products on Windows, MacOS, Android, iOS and Linux. This July 2017 advice will have become outdated by September 2017 (so check back then!).

Windows

Upgrade to the latest version of Windows 10. Windows Defender is getting more effective! Always install OS updates.

If you are tech-savvy enough to back up important files first, run the most recent version of /r/TronScript, a free and open-source script that automates the process of disinfecting and cleaning up Windows systems.

Then install any high scoring scanner such as Avast / Avira / AVG — though I’ve found those can be a bit pushy about buying their ‘premium’ version.

Enterprise (security) providers Sophos and Cisco offer free versions of their endpoint protection products for home use.

Install the multi-AV-engine based tool HerdProtect for periodic checks. Using multiple engines does increase the false positive rate.

MacOS

Try out Avast and if that does not suit you, install Sophos. Keep Malwarebytes around for periodic checks. Avira gave me a lot of grief about paying for their product.

Do not forget to check out the free security tools by Patrick Wardle (Objective-See) and Kristov Atlas (OSX-Config-Check).

Premium features provided by Little Snitch and Little Flocker are useful, though I recommend the more user-friendly Hands Off! — which combines the functionality of both.

Android Tablets/Phones

Always install Android updates. Because your provider might never push them, consider flashing older devices with CopperheadOS or LineageOS.

Install AhnLab (Google Play) or AVG (Google Play). Sophos also has a free option for home use (Google Play).

iOS Tablets/Phones

Always install iOS updates. Install Sophos (Apple Store) or Avira (Apple Store).

Linux

Whether you are running Linux as a desktop, scanning incoming attachments on a mail server, or scanning user uploads on a web server, I recommend adopting a multi-AV-engine approach, like multi-av or the Linux Malware Detect project.

Pay close attention to the output from Lynis, the open-source auditing tool. Apply OS updates daily and keep a watchful eye on OpenSSL vulnerabilities.

Internet of Things (IoT) / SmartTV

Vendors are moving into the IoT market with Antivirus-equipped wireless routers. I doubt if these are capable of delivering on the stated promises.

Just keep your devices up to date; it’s not that scary:

  • My SmartTV connects to my local network and automatically installs updates. It even comes with a built-in virus scanner.
  • Check the support section of your router manufacturer’s website for new firmware. The make & model is on your router. They’ll have a PDF manual to guide you through the process.

Paid Antivirus recommendation

I am upgrading Malwarebytes from an honorable mention to my recommendation. [July ’17] Their solution runs on macOS/Windows and for free on Android.

Alternatively, I’d place your trust in ESET. In my experience, their products are capable and very resource efficient. A multi-device license is reasonably priced and covers Win/Mac/Droid devices. Their Antivirus for Linux is not included.

However, their software engineering team is not without fault: remote root MacOS bug, trivial to exploit ESET AntiVirus. ESET was one of two vendors to quickly block the EternalBlue attack technique used in WannaCry and not just its payload signature.

Do you have any advice? Corrections or additions?

Please do not hesitate to reply! Feel free to share your experiences, advice, and questions in private or through the comments section.
