OT: AV / Security Software as a malware vector

Interesting article...thanks.

I was never a big fan of anti-virus on the servers.
I believe more in limiting access & being careful.

I have however just gotten used to thinking it is needed for client workstations.
Also, I can't remember which application, but I do know portions would not work if the user wasn't the local admin (maybe it was Solidworks?).
So AV has been running on most clients forever.
Even so, I know of at least two cases where users were infected with zero-day exploits anyway.
Hey Guys,
For years I've recommended that my customers not run antivirus software on their servers: it has performance downsides and it provides little to no protection. Most antivirus software is reactive to known viruses only and does very little to prevent zero-day exploits, which are mostly what you'll be faced with.

I've maintained that educating your employees does a lot more for your security than putting a crazy AV / Security piece of software on every machine you own.
Restricting access to only admins to the server and ensuring that employees do not have admin privileges on their machine seems to do a pretty good job.

Recently I saw this article from a member of Project Zero that seems to confirm some of my fears. Antivirus and security tools are made to run with the maximum privilege in your system. They are there to protect / to be bouncers, and as such they run with administrative / root privilege. The issue, though, is that these software systems are written by other flawed developers just like you and me, and they are (as most software is) full of security flaws.

Now if you have a security flaw in Word, you may get an infection, but Word runs with the privilege of the logged-in user, and if you made sure your employees are not running as admin, the damage can (most of the time) be contained or mitigated. However, since AV runs with admin privilege, any attack coming in from that vector will inherently have the same level of access.

Anyway, I know it's off-topic; I just found it interesting, and I am wondering what everyone else thinks?

Jose C Gomez
Software Engineer


T: 904.469.1524 mobile

Quis custodiet ipsos custodes?
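As an added example (not from Jose's message or anyone in this thread), the following PowerShell script audits the two controls he describes on a Windows workstation: that no ordinary employee account sits in the local Administrators group, and which services run with full privilege (LocalSystem), since those are the agents, AV included, whose flaws would hand an attacker SYSTEM-level access. The allow-list entries are assumed names and must be replaced with your own admin accounts or domain groups.

```powershell
# Added audit example, not part of the original thread. Run from an elevated
# PowerShell on Windows 10 / Server 2016 or newer (uses the built-in
# Microsoft.PowerShell.LocalAccounts module for Get-LocalGroupMember).

# Accounts/groups permitted to hold local admin rights. ASSUMED names: replace
# them with your own admin accounts or domain groups.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedAdmins)
    # Every member of the local Administrators group that is not on the allow list.
    # Get-LocalGroupMember reports names as COMPUTER\user or DOMAIN\user.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-SystemPrivilegedServices {
    # Running services that execute as LocalSystem. Each one is code that, if
    # exploitable, gives an attacker SYSTEM access regardless of who is logged in,
    # which is exactly the exposure the Project Zero article is about.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, PathName
}

# --- Report ------------------------------------------------------------------
$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Warning 'Accounts with local admin rights that are NOT on the allow list:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host 'OK: only approved accounts are local administrators.'
}

Write-Host "`nServices running as LocalSystem (review the security/AV agents in this list):"
Get-SystemPrivilegedServices | Format-Table -AutoSize
```

Schedule it as a logon or daily task and forward any non-empty "unexpected" result to your admins; a silent return is the expected state on a correctly locked-down workstation.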

Jose, we pretty much run exactly the way you described.

Only admins have access to servers, no employees are admins, not even local. We also run a very, very advanced firewall that 9/10 times will stop any threat from even entering our network. Security is one of those things that you should always tighten up as much as possible, because if ever a good enough reason arises to loosen it you can; however, if it's too relaxed and something gets through, that's when you are in trouble. So we always take the approach to lock it up immediately, and if access is needed it's on a one-off basis. AV is one of those things we really only use to scan USB and real-time threats. As far as actual viruses and whatnot, I'd be impressed for one to get through if your admins and employees are set up correctly. Also, avoiding that NSFW content on reddit helps too :)