There have been a couple of threads lately, one on LifeHacker, one on Ask Metafilter, about whether it’s necessary to use anti-virus software. The comments in both are a very clear indication of how far we have to go in educating users on the real danger of malware. It would appear the average user is operating under assumptions that might have been true 8 years ago. Now, it’s just a recipe for disaster.
The erroneous assumptions are that:
1) Viruses are noisy/easily visible and
2) Viruses are caused by actively bad behavior
To quote What the Geek from the LifeHacker thread,
“I have a business client whose website was giving people a trojan for a while because it got hacked – and guess what? If you didn’t have an AV running, you’d never know that it happened. It would just sit on your computer sending your data off to who knows where silently. Just because it doesn’t give you a big skull and crossbones on the screen doesn’t mean it isn’t there.”
This really sums up the situation for me – an innocent user was hacked, and might never have known it, as it was silent. It’s like the difference between the demos we give of an “average scary virus” now versus the ones we gave 10 years ago. Back then, the demos were all skulls and message-boxes and file corruption and deletion. Very spooky, very visual and very loud. Now the scary demos are effectively silent. The malware can come in without any user interaction, and you’d never know it was there without specific tools to show you what changes it’s making behind the scenes. Off goes your credit card number and your private documents, without you being any the wiser.
And this is not something that just happens in the “bad parts” of the internet. Think of the most innocuous content on the internet. Pictures of cute and fluffy animals would certainly qualify, right? At the end of last year, CuteOverload fell victim to a hack that delivered trojans to its unsuspecting readers. And major sites are supposed to be safe, right? How about the Super Bowl website hack from the beginning of last year?
One point that I think needs bringing up specifically is the question of whether to use “on-access” scanning, or if “on-demand” is enough. As Dwroth succinctly put it in the LifeHacker thread:
“All time (active protection) = good for the public, but overkill for the geek.”
Turning off on-access scanning has never been a great idea, but now it could be a catastrophically bad idea. We’ve already discussed how one’s level of geekiness does not figure into one’s susceptibility to viruses which don’t require human interaction. Personally, if there’s a virus trying to get onto my computer, I’d much rather find out immediately, before any changes can be made to my system, than some time tomorrow or later this week.
A few minutes is plenty of time for malware to transmit my most sensitive data, so why give it hours?

April 29th, 2008 at 10:57
But if you disable javascript in your browser then you can’t be hurt by a hacked web site. In my opinion, running with javascript on is just another bad behavior, like opening unknown email attachments.
The classic bad behavior is the person who runs an AV who says “oh, it’s ok, I can open this email because I run an AV!” Good luck with that one.
April 29th, 2008 at 10:59
While you are entirely correct about how much of a necessity AV software is, a lot of people just can’t stomach the cost in dollars and system resources.
April 30th, 2008 at 16:11
K – That might keep you safe from the javascript threats, but there is a world of other kinds of malware that spread without user intervention or javascript.
That’s a good point: All the security in the world will not help if you willingly let the burglar in the front door.
Nathan – Is it more palatable to deal with the cost of having your identity stolen? Are the lost cycles due to being a spam-proxy or having constant pop-up ads preferable to the lost cycles due to security software?