Most anti-virus software is unnecessary, almost useless and can significantly decrease the performance of your machine. I worked at one company that provided its employees with really powerful desktop machines (Xeon CPU with 24 cores, 64GB of RAM, two SSDs in hardware RAID). Per my estimate the cost of such desktops had to be around $6K-$8K. But they installed CA anti-virus software on them. And just like that the desktop turned from a performance beast into a snail. On most operations it was even slower than my middle-of-the-road personal laptop. The anti-virus interfered with everything: disk, network, processes. The machine could be loaded at most at 3-4%, because the anti-virus service was consuming a single core up to 100% and didn't let anything else run. Needless to say, it never found any viruses on my machine.
My employer, a large accountancy firm, does this. They use Symantec Endpoint Protection and our high-end (which aren't really that high-end) laptops are dog slow. My personal 7-year-old i7 Sandy Bridge almost outruns these Skylake/Haswell notebooks.
They also configured Symantec to scan files on every modification _and_ access. If there is one thing that happens a lot during compilation, it is disk I/O with lots of small files.
Not to mention they staple additional anti-malware solutions like CA Carbonblack, Microsoft EMET and Avecto Defendpoint on top of it. Probably every Windows API call is hooked multiple times. It is horrible.
Not only that -- they also increase the attack surface. Since all non-OEM anti-virus products essentially use undocumented APIs and hooks into the kernel, they have been exploited due to flaws in them.
My company has Windows Defender (which does a fine job by itself), McAfee, and CyberArk EP (which, AFAIK, just does exe vetting on demand).
I start my laptop up and it uses 50% of its 32GB of RAM (not cache!) from a cold boot. Granted, there are some IIS services and whatnot dev tools running, but still.
Plus the kernel just hangs every other day for a couple minutes. Yay!
At my last job they also used McAfee in addition to Defender but I found a way to uninstall it. And the local IT guy gave me a pass when his management console said mine was unprotected.
While I agree in principle, most such platforms can avoid serious performance degradation with correct configuration. There's a lot of incentive for these things to come out of the box very aggressive -- after all, who wants to spend millions of dollars on software and then never even notice it? It's in the AV vendor's interest to make itself known and initially to over-alarm. This also gives them some plausible deniability in the case that something does get through: they can just blame the guy who turned off $PerfObliteratingScan83 in the enterprise's profile. :)
Every enterprise deploying such software is expected to pare back the behavior to accommodate their specific risk profile, and in particular, to ensure that any high-performance tooling or internal software is exempted from most types of real-time protection. This is obviously much easier said than done in the real world, but it doesn't have to be an all-or-nothing proposition.
How can a 24 core machine dedicating 1 core to AV block 95% of CPU? How can a process on one core block a process on another core? Was it locking all the files other processes accessed?
And nevertheless we are forced to put an endpoint on all machines for compliance reasons. The security/privacy beancounters at our larger customers demand it.
> The following weeks and months seemed to offer little excitement – the Kaspersky software worked essentially as well or as badly as Windows Defender.
Well, since Microsoft offered free AV and then bundled it with Windows, I've never looked back and felt kind of relieved that I don't have to install 3rd-party AV. Defender just doesn't get in the way.
I trust Microsoft to do the right thing more than other AV vendors that put in value-subtracted features: ads, disturbing, user-hostile notifications, performance-degrading bling-bling (toolbars...) etc.
If I really want to check some file, I'll let VirusTotal.com scan it with every AV product they are aware of.
I used to swear by BitDefender Free as it was incredibly lightweight and offered good protection according to reviews. And then they dropped the "feature" on me and installed their own certificate to scan SSL traffic with absolutely no prior warning. I only realized it when sites with self-signed certs suddenly looked fine because the BitDefender CA certificate was in the middle.
I stopped taking any software’s reputation for granted.
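The interception described in the comment above leaves a footprint that can be checked for: a product that rewrites HTTPS has to mint leaf certificates on the machine, so its root sits in a trusted root store together with its private key, which no public CA ever ships to an endpoint. The following is an added example, not code from the thread or from any vendor; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the host name in the usage lines is an arbitrary choice.

```powershell
# Added example: find locally installed root CAs that can sign on this box (the signature
# of a local TLS interceptor such as an AV "web shield"), then check which root a live
# connection to a site actually chains to. Assumes Windows PowerShell 5.1 / PowerShell 7.

function Get-SuspectInterceptionRoot {
    # A trusted root whose private key is present locally is one this machine can use to
    # forge certificates for any site. Public roots are key-less on endpoints.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem $store | Where-Object { $_.HasPrivateKey } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Get-PresentedCertificate {
    # Open a TLS connection and report the leaf and the root it chains to on this machine.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented: we want to inspect the chain, not trust the
        # validation result, since a local root would make a forged chain look valid.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $null  = $chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            HostName       = $HostName
            LeafSubject    = $leaf.Subject
            LeafIssuer     = $leaf.Issuer
            RootSubject    = $root.Subject
            RootThumbprint = $root.Thumbprint
        }
    } finally {
        $client.Close()
    }
}

function Test-TlsInterception {
    # True when the chain seen for $HostName terminates in a root whose key lives on this box.
    param([Parameter(Mandatory)][string]$HostName)
    $suspects = @(Get-SuspectInterceptionRoot)
    $seen     = Get-PresentedCertificate -HostName $HostName
    $hit      = $suspects | Where-Object { $_.Thumbprint -eq $seen.RootThumbprint }
    [pscustomobject]@{
        HostName    = $HostName
        LeafIssuer  = $seen.LeafIssuer
        Root        = $seen.RootSubject
        Intercepted = [bool]$hit
    }
}

# Usage: list candidate interception roots, then test one site (host name is arbitrary).
Get-SuspectInterceptionRoot | Format-Table -AutoSize
Test-TlsInterception -HostName 'example.com'
```

Two caveats when reading the output. A corporate proxy that intercepts upstream will show an unfamiliar root for the site but no private key on the endpoint, so it is not flagged by the private-key test; the private key is specifically the sign of software intercepting on the machine itself. And self-signed development roots or an internal enterprise PKI root can legitimately carry a local key, so treat the list as something to review rather than as proof by itself.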
The problem I have with the Microsoft bundled AV is that it's really slow and seems single threaded. I had to add most of my project directories as exceptions because building projects took 4-5 times longer when the AV was enabled for those files.
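The fix the comment above describes, and the enterprise advice earlier in the thread to exempt build tooling rather than turn protection off, can be done without making the machine scan-free. The following is an added example, not code from the thread or from Microsoft; it assumes the built-in Defender cmdlets (Windows 10/11, Windows Server 2016 and later), an elevated prompt for the `Add-`/`Set-MpPreference` calls, and treats the project path, the process names and the "too broad" patterns as placeholders constructed for this example.

```powershell
# Added example: narrow Defender real-time scanning away from a build tree instead of
# disabling it, then audit the exclusions that already exist. Assumes the Defender
# PowerShell module; Add-/Set-MpPreference need an elevated prompt. Paths, process
# names and the pattern list below are placeholders chosen for this example.

function Add-BuildTreeExclusion {
    param(
        [Parameter(Mandatory)][string]$ProjectRoot,                    # e.g. C:\src\myproject
        [string[]]$BuildProcess = @('MSBuild.exe', 'cl.exe', 'link.exe')
    )
    # Exclude only the directories the toolchain churns, not the whole source tree:
    # anything that lands in an excluded folder is never scanned on access.
    foreach ($sub in 'obj', 'bin', '.vs') {
        Add-MpPreference -ExclusionPath (Join-Path $ProjectRoot $sub)
    }
    # Process exclusions skip files *opened by* these processes, wherever the files are.
    Add-MpPreference -ExclusionProcess $BuildProcess
    # Cap scheduled (not real-time) scans at this percentage of CPU.
    Set-MpPreference -ScanAvgCPULoadFactor 30
}

function Get-DefenderExclusionReport {
    # List every exclusion and flag the ones that are broader than a build tree.
    $pref = Get-MpPreference
    $tooBroad = @(
        @{ Pattern = '^[A-Za-z]:\\?$';              Why = 'entire drive' },
        @{ Pattern = '\\Users\\[^\\]+\\?$';         Why = 'whole user profile' },
        @{ Pattern = '\\(Downloads|Desktop)(\\|$)'; Why = 'where downloaded files land' },
        @{ Pattern = '\\Temp(\\|$)';                Why = 'temp dir, common staging path' },
        @{ Pattern = '\\ProgramData(\\|$)';         Why = 'writable by most software' }
    )
    foreach ($path in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrEmpty($path)) { continue }
        $flag = $tooBroad | Where-Object { $path -match $_.Pattern } | Select-Object -First 1
        $why  = ''
        if ($flag) { $why = $flag.Why }
        [pscustomobject]@{ Kind = 'Path'; Value = $path; Concern = $why }
    }
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ([string]::IsNullOrEmpty($ext)) { continue }
        $why = ''
        if ($ext -match '^\.?(exe|dll|ps1|js|vbs|scr|bat|cmd)$') { $why = 'executable type excluded' }
        [pscustomobject]@{ Kind = 'Extension'; Value = $ext; Concern = $why }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ([string]::IsNullOrEmpty($proc)) { continue }
        $why = ''
        if ($proc -match '(powershell|pwsh|cmd|wscript|cscript|explorer)\.exe$') { $why = 'shell or interpreter excluded' }
        [pscustomobject]@{ Kind = 'Process'; Value = $proc; Concern = $why }
    }
}

function Get-DefenderStatus {
    # Confirm that narrowing the exclusions did not leave protection off.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        BehaviorMonitor    = $s.BehaviorMonitorEnabled
        TamperProtected    = $s.IsTamperProtected
        SignaturesUpdated  = $s.AntivirusSignatureLastUpdated
    }
}

# Usage (elevated prompt; the project path is a placeholder):
#   Add-BuildTreeExclusion -ProjectRoot 'C:\src\myproject'
#   Get-DefenderExclusionReport | Format-Table -AutoSize
#   Get-DefenderStatus
```

Keep exclusions to build outputs rather than whole source trees or user profiles: an attacker who lands on the box looks at the exclusion list first, because anything dropped there runs unscanned. `Remove-MpPreference -ExclusionPath` and `-ExclusionProcess` undo individual entries, and on managed machines a policy or Tamper Protection can override or silently reject local changes, which is worth checking with `Get-MpPreference` after the fact.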
My biggest gripe is how hard they deliberately make it to disable. And even when I finally can, whatever settings I used may well have changed when MS updates. And when they do update, it gets re-enabled.
One of many instances where MS takes the "I know best" approach. You want to write a good anti-malware program, try not behaving like malware.
The reason they make it hard to remove is (1) otherwise malware could easily disable it and (2) most people should not be trusted with such a decision anyway.
Norton sucks and is pretty much objectively malware, but there's one key difference: because Win Defender is bundled with my OS (and the security updates I have to install), it can change itself, re-enable itself, etc. Malware can still disable it with admin; they just make it hard for a user with admin. The operating system can only do so much to save a user from himself. Maybe some sort of developer mode, a la Android?
I don't believe it's single-threaded - I recently upgraded to an i9-9900K, and as one does when one has a new PC, I've been watching my CPU usage and heat - for the first bit Windows Defender seems to be single-threaded, but after a time it kicks into high gear, pins all my cores, and my machine turns into a space heater.
This is my main gripe with it as well. I got a fast NVMe SSD and yet everything slows down to a crawl since the AV seemingly needs to triple-check files every time they're accessed.
Still surprised there isn't an open source AV and Firewall combo for Windows that competes heavily, and still can offer a pro version for people who want to support the project.
Haha. It's a really naive attitude.
The moment you have to deal with "average users" posting support issues, as they'll be drawn like flies to your "free AV", you'll either want to (a) kill yourself or (b) charge everyone and remove the free download.
That kind of product usually involves millions of dollars to create and support, and you're competing against very large entrenched players, so there's not much point unless you just like starting companies.
> To be on the safe side, you can disable the relevant function in Kaspersky's software: Click the cogwheel icon in the bottom left corner of the main window, then click Additional/Network. Finally, uncheck the "Inject script into web traffic to interact with web pages" option under "Traffic processing".
So it wasn't exactly hidden; it was just a bad solution that could be disabled deep down in some menu (but not hidden, as it was in the appropriate options).
"Hidden" might refer to the fact that people won't know that the setting creates a (now) version-specific, persistent UUID that potentially compromises web safety.
Yes, and even the article doesn't say it was hidden. It was just a feature that wasn't thought through when created and had a very bad side-effect, but it wasn't hidden.
> PSA reminder they got caught scanning computers for specific documents at the behest of the Russians
No, not exactly. In reality the software worked as intended and sampled an unidentified program that it considered malicious. It just so happened to be a piece of NSA malware contained on an NSA employee's computer (who re-enabled KAV on his machine after infecting it with a fake Office activator). The US government needed a quick scapegoat and thus they picked the spooky Russian company instead of their own employee.
I'm impressed that Kaspersky is going to these lengths to remove the means for the US government to baselessly criticize them simply because they originate from a country that the US loathes.
Furthermore, the fact that the Russian government is seemingly okay with this simply adds to everything the Russian government is doing to nullify any of the attempts the US is making to accuse them with unproven lies.
One of these days, I hope that the US government loses its grip on the planet, so that they have to play fair, instead of simply doing whatever they want because they're the de facto singular superpower in terms of military power and intelligence capabilities.
I don't know if there ever was... The old advice of "be sensible and don't open stupid files or visit stupid websites or follow phishing links" should solve most potential problems.
Especially with windows defender, which really has few cons (it'll take up resources sometimes), it seems like a "better to have a condom and not need it" sort of situation.
To avoid getting infected by low end attackers? They still exist.
The idea you can avoid getting infected by not opening suspect files is naive and generally comes from someone who hasn't tried to hack a system (even their own or a sandbox).