Alternatives to anti-virus for keeping oneself safe

Question

I have read a lot of articles that talk about how using an AV is less safe than not having one for more intermediate PC users who are careful with what they click and download.

For example, here are a couple of articles:

• https://antivirus.comodo.com/blog/computer-safety/a-new-attack-that-turns-antivirus-software-into-malware/

• http://www.dailymail.co.uk/sciencetech/article-3574724/Is-antivirus-software-putting-risk-Programs-offer-lower-levels-security-browsers.html

I have also read that when an AV automatically scans an executable file you just downloaded, the hacker could potentially abuse a vulnerability in the AV scan and get it to execute without you ever running it. On top of that, you still have to put some trust in the AV which has kernel access to your PC and intercepts network traffic for you and possibly even gathers data about things you don't know.

So I was wondering what would be some better ways I could keep my PC safe without relying on some heavy, automatic AV software? I can think of a few things so far (but would doing these things actually be safer than having an AV?):

• Using extensions like AdBlock and NoScript/ScriptSafe so malicious code can't secretly execute.
• Monitoring the network traffic on your PC now and then to check for anything suspicious.
• Using a tool like AutoRuns every week to check for suspicious start-up entries.

Answer 1

Antivirus is more dangerous in that it parses complex attacker-controlled data in a highly privileged context. This is a recipe for privilege escalation exploits. As a result, sophisticated attackers can often abuse antivirus programs to gain SYSTEM privileges. This is not a rare occurrence or one that is only a problem for enemies of a powerful government. AV software is riddled with privilege escalation vulnerabilities. A quick look at the severity of the vulnerabilities in the CVE list for any popular piece of software will give at least a little insight into the scope of the problem.

Consider your threat model

It is necessary to understand your own threat model. One person's situation might dictate that AV is harmful, while another person's situation might dictate that it is beneficial. Being able to understand the risks that apply to you, and the adversaries which you have is vital to being able to make any security-related decisions, especially ones such as this which are not necessarily black and white.

AV may be beneficial in situations where:

• The computer is used by someone who can be easily fooled into installing malware.

• The computer will be handling user-submitted data which may be redistributed to others.

• You download a lot of untrustworthy programs, such as warez.

AV may be harmful in situations where:

• Your adversary is at least moderately sophisticated or is targeting you in particular.

• You are the sole user of your computer and do not download unsigned programs.

• You keep your software up to date and are not expecting people to burn 0days on you.

Your threat model is what determines whether or not you should use AV software. My personal suggestion, assuming you are not going to download random dolphin screensavers and you keep your software up to date, is that you may want to use a simple, default program such as Windows Defender, and only use it when you explicitly need to. Each time you ask it to scan the hard drive, you are putting all your faith into it to not be compromised by any specially-crafted malware it may stumble upon. If instead you use it when targeting specific programs that you download before you execute them, you reduce the risks considerably.

Enforce code signing

It would be preferable if you did not need to download untrusted software and instead use trusted, signed executables from official sources only. This is especially important for files that wish to be run as Administrator, as those have the most potential for doing damage to your installation. Make sure they are signed! Never assume that your own will power is sufficient to prevent you from making mistakes when running a new program. This is what trojan developers rely on!

In order to further reduce the chance of accidentally running an unsigned or untrustworthy executable, you can configure your security policy such that unsigned executables cannot be run. This will ensure that any malware will need to have a valid signature, signed by a trusted CA. While it is obviously possible to get a malicious file signed, it is far more difficult, and will tend to be more of an issue if you are a specific target and not just an opportunistic victim.

If you further restrict the policy such that only executables signed by Microsoft themselves (and not just a CA which Microsoft trusts), you can effectively eliminate any possibility of infection from a trojan. The only way to get a program to execute in that case would be to exploit a 0day in the operating system, or compromise Microsoft's internal signing keys (those are both in the realm of capabilities for advanced state-sponsored actors). This can help prevent the rare (but not non-existent) cases where malicious code slips into the repositories of a trusted developer.

System hardening

On systems before Windows 10, you can use the Enhanced Mitigation Experience Toolkit (EMET) to enhance the system's security without increasing attack surface area significantly, though note that EMET will not be receiving updates for much longer. EMET works by injecting processes with code that hardens them against exploitation, increasing the chances that an exploit attempt will cause the targeted application to crash rather than be successfully exploited. If you are on Windows 10, most of these security features will be natively present. This makes it the most secure Windows release yet, despite the potentially problematic privacy issues it may have.

You can also disable unnecessary services (especially networking services, such as those exploited by EternalBlue), use AppLocker, and read the security guides provided by Microsoft to allow yourself to further improve the security of your system. The topic of system hardening is vast.

Answer 2

This is more opinion than fact, but the answer is a definite "Maybe!"

Let's narrow our scope to Windows for a moment, since it's the biggest Anti-Virus market around.

Windows Defender (the default Microsoft AV) is pretty good; Windows Defender does protect against most (but not all!) threats. But here's the thing—no AV protects against all threats. You still have to fall back on common sense and some other protections.

• Last year we saw Kaspersky's File Upload feature being abused by Russian government hackers and while that's a threat actor few people would be victims of, it's still happening.

• This year, we saw some AVs actually messing up Windows updates that patched for Meltdown and Spectre.

This kinda nonsense 'probably' won't come from Windows Defender, since they can test their OS with their AV and ensure everything works (hopefully!).

Using Windows Defender isn't an end-all solution though, you should still:

1. BACKUP, BACKUP, and did I forget to tell you to BACK UP! Ransomware is still pretty common, and having a good backup strategy is the only true way to avoid being a victim. Back up to an offsite location, and one with versioning—I use Dropbox! Do this properly so that the ransomware doesn't encrypt your backups as well.

2. Ensure your software is up to date, and don't install too much garbage. The more apps on your machine the more likely one of them will muck up. Refresh Windows the instant you get your laptop, remove all the bloatware, and ensure everything you download is on auto-update—also not downloading software from dodgy vendors is a good start.

3. Use NoScript/Ad Blocker for your browser, crypto-miners that operate on Javascript don't make as much money as you'd expect, but they're still around.

4. EMET would be good, and so to Windows Defender.

5. Did I mention backup!

6. Use a non-administrator user as your default—create a separate non-Admin user, and use that for daily use.

To be absolutely safe though—disconnect your computer from the internet, and hide in a cave! :)

Answer 3

As someone that works against AV's often, I can say that they all kind of suck. A lot of things depend on the level of security vs comfortably that you can live without.

Knowledge is power The first tool I would recommend , is education. Knowing what sites you go to is a big helper. Avoid untrusted sites. This includes streaming sites and torrenting. OS patching is a must, keep up to date on the latest threats, Disable flash. The problem I had with forcing organizations to use noscript and such, was that users would eventually just click enable all.

Use a save state VM As an alternative, I like having a VM handy to test in for files . You can keep a large part of your OS in a VM. I worked in a network that we all worked in VMs and when they acted up , click restore and done.

Deepfreeze I used deepfreeze on our university many years ago and it was excellent. You can just set it and your OS will revert back to it's original state every time. I launched petya worm and let it encrypt the disk and restarted the machine and nothing . Excellent tool!

Separate networks At home I keep separate networks for "guests" . They can bring in their stuff and I don't have to worry about it getting to my part of the network.

Have a more secure O.S I really don't like using Windows because I feel it executes everything at the drop of a hat. This obviously isn't perfect by any means, because OSX and Linux are hacked all the time, but I feel that having something that you can control is nice. You can disable macros and still get code execution from some of the exploits out there.

I will add more as they come to mind.

Ultimately, nothing is perfect. but these things can help.

Answer 4

Antivirus is fine - its "what we have"

Just don't expect it to protect you from everything - nothing will. Otherwise if you want to protect yourself without AV you are going to have to jump through quite a few hoops to harden your machine.

1. Application whitelisting
2. Check OS patches
3. Disable macros DDE
4. Regular patching of all applications on your system
5. Have a feed for each of your applications tied into CVEs
6. Sysmon with a trimed down configuration
7. Seperate your desktop from trusted and untrusted. Browser sessions and email in a VM for example with no access to another that say contains bank details. Tear down the untrusted VM after each sessions

Answer 5

I agree with using Windows' Defender, but I think despite what you've read, a good (read: highly-rated by reputable sources) AV-program is the safe way to go. Along with the advice that's been given (apart from the cave-dwelling), I think adding SpyBot to your arsenal is a good idea. https://www.safer-networking.org/private/compare/ It won't conflict with any AV-program and will add to system security. You can get the free version, which has some limitations, in order to check it out. But, if you feel you want more features, you can buy the Home or Professional version. FYI, the Free version has to be updated manually. The pay versions do it automagically. SpyBot immunizes your system https://www.safer-networking.org/features/immunization/ as well as scans for and fixes malware and rootkits.

As for the Backup, Backup, Backup, etc., I would also recommend setting Restore Points whenever you make a significant change to your system.

I've yet to be hit with malware (of course now I've jinxed myself) after being online since dial-up was the rage. I wasn't careful about backing up data back then, but after a few fried HDDs, I've learned my lesson.

And last, have a secure firewall, which I'm sure is something you've already done, but I felt I should mention it.

I don't have as much experience as forest, but after 20+ years I've managed to steer clear of malware by following what I've suggested.

Answer 6

An AV is just one of many layers of security that anyone using Windows should deploy. The user has only to keep in mind that there is no such thing as a 100% effective anti-virus, and it's not a silver bullet.
Regarding compromising an anti-virus software, it's extremely rare for it to happen, and most of the time news like that are just FUD, you even quoted Daily Mail, which is just trash by any standard.

It's way more likely a system is compromised because an AV is not installed, than because the AV itself was compromised.
You should only be worried about your AV being compromised if you're against a sovereign nation, and if that's the case you've already lost.

Answer 7

All of the following interchangeable possibilities may lower the chance to get virus infected in the first place.

• Always update and upgrade your OS and apps.
• Use a Firewall.
• No internet.
• No USB.
• An Unix (-based) OS (mac OS or a Linux distribution).
• A regularly updated, highly developed internet browser (Chrome or Edge).

Answer 8

option 1) you may consider migrating as many machines possible to Linux. If that is not possible, then atleast migrate few critical machines to linux.

option 2) If on some machines you may have to Windows only, then you may deploy linux as hostOS and then use rdesktop to login into a thin Windows client machines; or you may use windows VM for some tasks and for the rest of tasks use Linux host.

option 3) on the machines on which neither option 1 or 2 is possible, then deploy Windows machine with all the above approaches as explained in other answers.

Answer 9

Today an anti-virus can be pretty much more complex than in the past and it can cover quite a large spectrum of things like:

• file antivirus
• e-mail protection
• network protection
• applications launch control
• firewall policies
• web policies – restricting and logging user activity
• password management
• data encryption
• process exploration
• management console for all the above

I personally don't use an anti-virus (but I recommend all average user to use one) because I work with a lot of files and tools that will trigger alerts, but in order to do that, in theory the above should be covered in alternate manners.

[Files]

Knowing your own files is very important in an OS. It was very simple in the past - up to the XP era many ended up knowing if a file must exist or not inside the OS folders. Now things are more complex and OSes can have hundreds of thousands of files that are impossible to manually tack. So we will have to use alternate tools to detect unauthorized changes. There are tools that can do that and trigger alters if a target file is changed. Securing OS and other critical files like that works. Any unauthorized change can generate an alter or even an alter + the possibility of undoing that action.

[E-mail]

E-mail protection can be more user-related in the sense that user awareness is more important than any security tool when it comes to e-mails. If users are trained not to click links and open attachments from un-trusted sources, that part is covered way better that with filtering tools that will let a lot of dangerous content get through anyway. Of course denying dangerous extensions by default via e-mail system helps a lot too. My conclusion here is simple: user training is more important than e-mail filtering.

[Network]

On the network side there are many tools that can do monitoring, intrusion detection, shared access detection. These tools will not protect against very advanced attack that use vulnerabilities. This is a problem that a good anti-virus will cover but it's hard to cover otherwise. I would rather let an anti-virus manage this part if possible.

[Applications]

It is relatively easy even now-days to control what runs and what does not on a computer. Starting with basics like UAC and ending up with tools that control and monitor what a program can do if launched, you can cover this aspect pretty well.

[Firewall]

operating systems have their own Firewall so you may as well use that one. Although anti-virus software may control it easier via it's own policies, it's practically the same thing: if you make a good configuration, it's fine in both cases: if made in the OS firewall or if made in the anti-virus firewall.

[Web]

This is an area where anti-virus software can help a lot; a good anti-virus has already black-listed databases, has live scanning possibilities of filtering websites while they load. To cover this without any anti-virus capabilities it can be pretty hard and time consuming. I don't think any normal user will keep blacklists configured on its browser. And as browsers have lots of vulnerabilities and exploits this is one part I'd rather let an anti-virus cover. Training helps cover this part otherwise, just like in the case of e-mail. No opening of pages outside strictly known and needed ones, no problem. For a large site like g00gle to have problems it's highly improbable.

[Password Management] This is not something mandatory and it can be covered in dozens of ways anyway, so it's not really an important aspect, but some anti-virus solutions can cover it also.

[Encryption]

Encrypting sensitive data can be extremely important in many situations and some anti-virus solutions offer support for this. But it is not a problem, now-days OS'es can do it and very good general use tools like TrueCrypt and VeraCrypt can do it both at container level and at system level.

[Processes]

Good anti-virus solutions will have good process monitoring and immediately spot anomalies and bad process behavior. But there are tools that can cover this aspect too. Even the old process explorer may be enough to spot a bad process that you can then terminate.

[C&C]

Now assuming you have covered most of the above, it may also be important to be able to centralize everything. Do you do that ? It is certainly possible. Controlling things separately may prove difficult and time consuming. I use a modified advanced file manager to centralize command and control of every aspect of the above. I can launch anything needed directly from it without using the operating system's own UI or features. The shell works even if the OS UI or OS' own shell is down. This makes it good and viable in case something goes wrong with part of the OS.

Depending on the specific case/situation, you may want to use some or even all the above.

Answer 10

You are very right about the limitations and possible increased risks of anti virus software. Not only is it the single biggest software component on a computer that contributes to slow I/O causing over all sluggishness, but the concept of building an increasingly huge database of all malware is flawed since it is always at best playing catch up after malware is released and discovered.

It should also be mentioned that antivirus software primarily scans I/O to prevent any malicious software from being transferred to or from permanent storage. Antivirus software does not scan network connections or other non file I/O sources of software exploits. An exploit can come in over a network connection, exploit some running software, and now have code executing on the system. This code can then disable the antivirus software and then proceed to install itself on the system.

Your web browser is an immensely large and complicated piece of software, and given its extensive use it is probably the biggest attack vector for users who don't download random software, even if plugins are not being used. Unfortunately there are really only four choices of code bases for a current standards compliant browsers. Microsoft's Internet Explorer, Microsoft's Edge, open source Mozilla or Gecko based browsers (Firefox and many others), and open source WebKit / Blink browsers (Konqueror, Safari, Chromium). Opera couldn't keep up with Javascript and switched to using Blink as their rendering engine.

If Javascript wasn't a big enough attack surface and security issue already, a new kind of Javascript called WebAssembly is being added to FireFox now. Consider disabling it in FireFox like this: go to about:config then set javascript.options.wasm = false.

Others have mentioned using a firewall or not enabling unnecessary system services, so I'll mention other things.

edit: There are different types of attacks. Some attacks are directed against a target, and others are generic attacks meant to target a large number of systems. Some security measures are excellent for protecting against generic attacks but do little to thwart a directed attack. Other methods protect against generic attacks and protect against typical directed attacks, but fail to protect against a direct attack from an attacker who is willing to analyze your specific configuration and spend the time to figure out how to attack it. As a general rule, smaller the code base and the greater the emphasis on security during application development will reduce the number of security vulnerabilities in a program. If a program is open source, and if it is popular, then a larger number of vulnerabilities will be discovered and eventually reported or made public. This reduces the over all number of security vulnerabilities in the program, but in most cases increases the risk of using the program since vulnerabilities are discovered and known by the public so much more frequently. On the other hand, the decreased number of vulnerabilities in the program due to its popularity and patching means that someone who deliberately searches the code to discover new vulnerabilities will have less success. In summary, if a vulnerability exists but isn't known by anyone, it remains harmless until it is discovered. So there are pros and cons to increased popularity and bug discovery in software.

Lying about application versions: This one is rarely talked about. Often, in order to successfully exploit a vulnerability, the exact version of the program and the operating system must be known. Unfortunately your web browser reports its exact version as well as the operating system that it is on every time you connect to a site. Consider changing the UserAgent in your browser and any other application that reveals too much information about itself.

Use your operating system's user level security. Run your browser in a limited user account that is not an administrator account and preferably different than your regular user account. This alone provides more security than any antivirus software. Keep in mind that how well this works depends on your operating system. On Windows, even a restricted program running with other windows on your session can monitor all keyboard input except for specialized full screen system password entry windows. Clients on *nix using the X Window system can monitor keyboard input as well.

Make sure DEP and ASLR are enabled. Windows may not enable DEP (non executable memory) for non Windows programs in order to prevent crashes due to compatibility problems. Enable DEP for everything and exempt crashing programs as needed. WehnTrust can be used to add ASLR to Windows NT5 versions (https://archive.codeplex.com/?p=wehntrust the installer buried in there).

Use an obscure operating system. Windows, OS X, and Linux have gotten rather popular. There are still alternatives like BSD and Solaris. If you configure your browser or other applications to lie about their operating system, an attacker may attempt to exploit your application and have it result in a crash instead of working. Edit: As is wrote above, it depends on the situation. Around 2004, the number of security vulnerabilities discovered in Linux vastly increased compared to BSD, and prior to this time the number of vulnerabilities discovered was similar. I believe this is due to the growing increase in popularity of Linux compared to BSD. Both BSD and Linux probably contain a large number of vulnerabilities, but BSD appears to be much more secure due to its lack of popularity resulting in far fewer vulnerabilities being publicly discovered. According to the DEF CON 25 - Ilja van Sprundel presentation, analyzing the BSD kernel source revealed a number of vulnerabilities. I still stand by what I said, that running an obscure operating system is more secure. However, if you are the target of a directed attack where someone is willing to spend a lot of their time analyzing your obscure configuration then you are less secure!

Don't overlook embedded systems! Your wifi chip has a CPU and firmware! Your antivirus software can do nothing to prevent embedded systems from being attacked by malware. Wifi chipsets have their own CPUs and firmware and they can be attacked remotely. In the summer of 2017 at Defcon they demonstrated a remote buffer overflow exploit in Broadcom wifi chipsets! The demonstration didn't go beyond changing a function call in the Broadcom firmware and making it send an "owned" packet out, but such an exploit allows complete takeover of the wifi chipset firmware. Broadcom is used in many smart phones and Apple products! Someone can DMA your system memory and send the data back using a channel outside of the normal wifi spectrum. They can also write to your RAM and install a root kit while bypassing everything. They could also write directly to your computer's system management mode memory. Since the SMM memory can be locked off by the chipset (except for when the CPU is in SMM) no memory scan can even detect it. It doesn't matter how many security programs you have or how many VMs your computer has. This is a direct attack to ring 0/-1/-2!!! There is no antivirus or other software out there that can detect such an attack. It is not much harder for someone who is familiar with development for an embedded system to write malware for it than it is on a regular computer operating system.

edit: I see a lot of negative response to my answer, but remember that the original question is about an alternative to anti-virus, and any knowledgeable IT security person knows how ineffective down right useless anti-virus can be at times. So some of my suggestions like using an obscure operating system are really doing the same thing that anti-virus does, which is making virus writers modify their malware to to get around the anti-virus software. I'm offering a somewhat ineffective security solutions in place of database based anti-virus software, which even less effective!