An AV can detect trouble even before trying to run a harmful program. Doing a scan (file\folder\disk) or simply opening a folder is enough to detect malware. These scenarios reduce the risk of the user making mistakes even more (down to 0, I’d say).
AV scanning is also important for files in transit.
For example, you download a file and burn it to CD directly and send that CD to a friend.
The downloaded files were never executed, so D+ never really evaluated them. However, the AV scanned them as soon as you downloaded them. This way you keep others safe from malicious files (in case they for some reason don’t run antivirus software).
An AV is important because people do not know when to allow an alert or not, as Defense+ pops up for too much software.
Of course, if we know that the files are safe, we can simply allow them, but then why do we need any security software?
We could simply surf safe, keep system patched and install only safe applications.
I would take a simple example to illustrate the difficulty faced by users: suppose a friend of mine gives me some software on a pen drive. If the USB drive is infected, Defense+ will catch the virus, but if the USB drive is clean, Defense+ will still pop up for the software.
This is why an AV is important to facilitate users and determine whether there is malware or not.
AV blacklisting heuristics can potentially notify the users about applications that should not be manually added to safe files.
Blacklisting detection for kernel drivers still provides valuable info for safety assessments, but whitelisting provides more guarantees, whereas when in doubt D+ could allow users to prevent the driver loading.
In general, AVs enforce the assumption that if it is not detected it may be safe, whereas whitelisting can confirm that a file is not malicious.
Although blacklisting AVs alone with a default allow approach can encourage novices to rely on unsafe practices and install whatever they find on the Internet, apparently persuading them to believe that security would not be their responsibility but an AV’s responsibility alone.
If there was a much larger whitelist then D+ would only alert you for actions that need your attention.
Sorry, I’m not with the whole 5 million signature thing… I think the work would have been better spent on a whitelist…
I agree that whitelisting provides better security than blacklisting alone. Anyway, in case an application is not whitelisted, the D+ behavioral heuristic also contributes to the color coded alert severity levels, whereas CIMA could potentially outline behaviors without having the users run an application.
The approach provided by CIS uses blacklisting, whitelisting and default deny and thus provides a way for the users to be involved in their security, although this is something many users were persuaded to deem unnecessary for many years, lured by blacklisting only approaches, believing that a single click was all the effort they needed to be secure.
Nobody has innate security knowledge, and there is much about security which could be learned using D+ alone (w/o whitelisting and blacklisting), whereas when users are willing to learn they would be able to score their security practices themselves, making use of security software as tools and not as butlers.
The AV is good since it removes the risk of human errors… If the AV pops I am almost confident that almost all the users will click remove/quarantine… If the HIPS pops some will still just click allow without reading… =/
There are people failing to see why D+ pops several times for one application.
I don’t believe those even read the alerts… For these users an AV might be a handy extra layer… =)
I would like to add Microsoft’s findings when researching how users deal with and react to UAC. It turns out that after more than two alerts in a session, with a session being anything between a couple of minutes and many hours, users start to get annoyed. Hence Microsoft changed the UAC for Windows 7, reducing the alerts by approximately 30 %.
2) In the unlikely event of a user allowing a malware that is known to the AV, the AV can detect it.
I have had the unlucky event a couple of years ago where I downloaded a file from ZD Net that turned out to be spyware infected even though ZD Net said it was freeware. Sometimes you simply bump into a mistake by a trusted source.
Yep, UAC could annoy, but UAC prompts were designed to annoy.
UAC prompts usually provide only the information that an application feature needs admin privileges, and continually ask each time you need that specific feature.
I guess even ZD Net used an AV to check that file for spyware. Even the practice of relying on trusted sources can have some drawbacks; although it reduces many risks, it cannot address all of them. A reasonable way to address more risks is to make efficient use of multiple layers of protection and continually improve security policies and awareness.
There is no absolute recipe, and each user ought to search for the one which provides them an acceptable tradeoff between security and ease.
You have the AV for the same reasons you put good locks on the door and still have a burglar alarm. Multiple levels of threat prevention and detection. Even if by some clever chance one of the detection or prevention levels is compromised, chances are very high the others will alert you to the threat before damage is done.
Melih’s comment in the last post confirms, I think, that Comodo intends to introduce a behavior blocker for sure in version 4. Melih states “you need both” (a behavior analyzer and a HIPS). I wholeheartedly agree, as the behavior side of things helps with usability as well as security.
Thus in some cases there are legitimate apps leveraging security critical behaviors (D+ red alerts = High Severity), although these types of behavior/actions could also be abused by malware, whereas in cases where no legitimate app is likely to use a specific security critical behavior, the D+ security consideration explicitly mentions it is a behavior used by malware along with a Red alert (Red alert + explicit mention that “Defense+ Malware heuristic analysis has detected a possible malware behavior” in security considerations).
The CIS behavior analyzer scores security related behaviors with a three grade severity level (yellow, orange and red), which indeed is more fine grained than the malicious/not malicious paradigm that is usually carried by means of blacklisting and whitelisting.
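The layered decision the thread keeps coming back to (a blacklist that blocks known-bad hashes, a whitelist that confirms known-good ones, and a behavior heuristic with yellow/orange/red severity that only matters for files neither list covers) can be modeled in a few dozen lines. The following is an added illustration written for this discussion; it is not Comodo's code and does not reproduce how CIS, Defense+ or CIMA actually score anything. The behavior names, the severity mapping and the sample files are all constructed, and the point of the `compare_policies` helper is to show where default-allow (AV alone) and default-deny (AV plus HIPS) diverge on the same input: both agree on listed files, and only the unknown file ends up as an "ask" rather than a silent allow.

```python
import hashlib
from enum import IntEnum


class Severity(IntEnum):
    """Three-grade alert severity, modeled on the yellow/orange/red scale."""
    NONE = 0
    YELLOW = 1
    ORANGE = 2
    RED = 3


# Constructed mapping of observed behaviors to a severity grade.
# These names are hypothetical and not the real Defense+ categories.
BEHAVIOR_SEVERITY = {
    "write_user_documents": Severity.YELLOW,
    "modify_autorun_key": Severity.ORANGE,
    "inject_into_process": Severity.RED,
    "load_kernel_driver": Severity.RED,
}


def file_hash(data: bytes) -> str:
    """Identify a file by its SHA-256 so lists can be matched by content."""
    return hashlib.sha256(data).hexdigest()


def behavior_severity(behaviors) -> Severity:
    """Worst grade among the observed behaviors; unknown behaviors score NONE."""
    return max((BEHAVIOR_SEVERITY.get(b, Severity.NONE) for b in behaviors),
               default=Severity.NONE)


def decide(data: bytes, behaviors, whitelist, blacklist, default_deny=True):
    """Return (verdict, severity, reason) for one file.

    Blacklist is checked first: a known-bad hash is blocked even if someone
    mistakenly whitelisted it. A whitelist hit is trusted without alerts.
    Anything else is "unknown": default-allow lets it run regardless of the
    behavior grade, default-deny hands the decision (with its grade) to the user.
    """
    h = file_hash(data)
    if h in blacklist:
        return ("block", Severity.RED, "blacklist")
    if h in whitelist:
        return ("allow", Severity.NONE, "whitelist")
    sev = behavior_severity(behaviors)
    if not default_deny:
        return ("allow", sev, "default-allow")
    return ("ask", sev, "unknown")


# Constructed sample files: content, observed behaviors.
SAMPLES = {
    "trusted_tool.exe": (b"trusted tool v1", ["write_user_documents"]),
    "known_bad.exe": (b"known bad payload", ["inject_into_process"]),
    "new_unknown.exe": (b"never seen before", ["modify_autorun_key",
                                                "load_kernel_driver"]),
}
WHITELIST = {file_hash(SAMPLES["trusted_tool.exe"][0])}
BLACKLIST = {file_hash(SAMPLES["known_bad.exe"][0])}


def compare_policies():
    """Run every sample under both policies; returns {name: (av_only, av_plus_hips)}."""
    result = {}
    for name, (data, behaviors) in SAMPLES.items():
        av_only = decide(data, behaviors, WHITELIST, BLACKLIST, default_deny=False)
        av_hips = decide(data, behaviors, WHITELIST, BLACKLIST, default_deny=True)
        result[name] = (av_only, av_hips)
    return result


if __name__ == "__main__":
    for name, (av_only, av_hips) in compare_policies().items():
        print(f"{name:18} AV-only: {av_only[0]:5} ({av_only[2]})   "
              f"AV+HIPS: {av_hips[0]:5} ({av_hips[2]}, {av_hips[1].name})")
```

The unknown file is the interesting row: with blacklisting alone it is allowed with no record of the red-grade behaviors it showed, while the default-deny path surfaces those behaviors as the severity attached to the prompt, which is exactly the usability trade the thread is debating.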