On Mon, 20 Dec 2004, Suresh Ramasubramanian wrote:
er, so having no firewall or antivirus software on your home broadband connection with an XP box hooked onto it would be just as safe as an XP box having $software_fw and frontended by $hw_firewall that at least does NAT and a bit of packet filtering on the side?
No, that's not what I said. The infection rate among all computers is abysmal. It just happens to be higher among computers with AV and/or firewalls. AV/Firewalls don't seem to be making people safer from trojans, spyware, adware, etc. So perhaps we need to look for other ways to improve things. Why does it happen? I don't have the answers. Are AV and firewalls too hard for the average user to install and maintain? Many of them are improperly configured, mis-installed, mis-managed, etc? Does a false sense of protection make things worse? Do people with AV/firewalls engage in riskier behavior because they think they are protected? Do people without AV/firewalls tend to install less software of all types (good, bad and the ugly)? Do people without AV/firewalls take other protective measures, e.g. disable unused services, patch more frequently, don't use the administrator account, don't use Windows (e.g. Mac, Unix, etc)? Do AV/firewalls miss the infection vector used by trojans, spyware, adware? Commercial AV vendors have only recently started adding other forms of malware protection to their products. Most trojans, spyware and adware are installed by the user. Through social engineering the user is encouraged to click on every button. A user-managed firewall's effectiveness is limited by the user managing it. Do people buy AV/firewalls after they were already infected, but never properly cure the original infection? Essentially every brand-name computer with a copy of Microsoft Windows sold in the USA includes at least a 90-day AV product. Are there fewer infections during the first 90 days? Is it Darwin, and only the strong computers of any type survive? Do computers without AV/firewalls die faster when infected, and are either cured or disappear; while computers with AV/firewalls tend to linger when infected without being cured. It seems to be very difficult to convince people with AV/firewalls that their computer could be infected.
They tend to try to deny it much longer.
I'd be interested in seeing the study you're quoting...
I'd encourage researchers and grad students to look into it. Security vendors are quick to sell new pills, but where are the studies that show their products' safety and effectiveness in the real world? If you are proposing all OEMs or broadband vendors include AV and firewall with their products, show me the study that shows it makes a difference.