EH-Net

http://www.wired.com/wiredenterprise/2012/03/antivirus

Wired released an article a few days ago regarding anti-virus and its usefulness.  In it, a few infosec guys said they don't use it.  Since then, there's been a lot of chatter in my Twitter feed about it and it seems to have shifted from the perspective of an infosec person using it or not, to the perspective of whether or not to use it in an enterprise.  I've seen a lot of arguments...

Using it:
- Pros: It does stop some malware
- Cons: It doesn't stop everything

Not using it:
- Cons: Machine is completely vulnerable, doesn't even have the benefits of the vendor definitions that will block some malware.
- Pros - ...?

Most of the arguments for not using it seem to be playing devils advocate and are looking for data to prove one way or the other.  But one thing I've noticed is that I haven't seen is a "pro" argument for not using it, and the only thing I can think of is that you gain some CPU cycles back.  I remember awhile back when AV really used to bog down a machine depending on the vendor, but it's gotten a lot better since then and can run quite idle in the background.  Am I missing something else?

In the past few years working in IT in a corporate environment, I cant really remember to many incidents where AV was triggered. our IDS sometimes alerted us to file downloads, or other things, but rarely if ever have I seen av in the corporate realm find malware.

just a note, at home, i always use free av/am.

I think if more products such as Bit9's Global Software Registry solution come out, the less you will need a full time AV on a client.  If you can successfully whitelist the environment then you will prevent almost any malware from running.  Until someone can learn to fool MD5 checkers.  Not saying no AV is required but moving your AV detection to the gateway should prevent much of the stuff from entering.  The whitelisting will prevent any unknown software from running on the clients.  The nice thing about GSR is that it makes much of the work categorizing your software environment much easier.  Currently with the AV products, you are required to do a lot of logging and analysis before you can start blocking.  Bit9 has already done the work and vetted thousands of software packages.

Sorry if this sounds like a plug, but this was one of the few things I saw on the RSA expo floor last week that gave me hope.  I don't even think they used "APT" in any of their promotional material.

I thought the article was interesting, but not the "hey I'm doing to ditch my AV now too" kind of interesting. To keep the same argument, but change the setting a bit, "I never wear a condom because I'm really careful who I fsck, and besides condoms aren't 100% anyway". Sounds a bit thin to me...  :-\

I think Av is like anything in security not 100% secure but another layer so its good to have it in place. I think its better to have it in place and maybe need it than not have it your IDS fails or something get past or whatever and you dont have any other protection.

If you don't have AV you (or your help desk) will get eaten alive by nuisance viruses.  They will cover many of the script kiddies out there.  However, in a very targeted attack, you are right, AV is probably only one layer of defense and should not be counted on exclusively.

This. It's a simple cost/benefit analysis. If $50/year in licensing saves hours upon hours of labor (not to mention the costs associated with dealing with something more serious than irritated users), it's a very straight-forward decision.