Asked by @ajsnonsense: Should I use Norton or move to Defender?

This is one of those questions that can be answered in an edgy way historically (1), turns out to be simple in practice (2), and at broad scale is very complex (3).

1.) Those out of practice will tell you Defender sucks. But it doesn't anymore. Ignore them.
2.) Those talking practically will say absolutely use Defender. Make sure you're on the latest Windows build with Tamper protection enabled and your "Win10 privacy tool" didn't unknowingly disable half the protection features through ignorant choices, and you have a super-powerful solution for free. And they are right. That's what I do.
3.) Defender for home users is great, but intractably could do more because it is cuffed by the requirement that it work perfectly without much user input across a billion devices, and that attackers will always test against it even if it can adapt quickly via cloud. [I AM TALKING CONSUMER ONLY THIS DOES NOT APPLY TO DEFENDER ATP OR CUSTOMIZED ENTERPRISE STUFF LIKE ASR GROUP POLICY]
Some third-party vendors have their own very novel and more noisy approaches to try to differentiate themselves from this free offering. I won't get in that here.

tl;dr I would not use anything bundled in a computer, I use Defender, but also do not discount unique approaches others can bring to the table – and if you make an informed choice, I support that.

This is the kind of thing you can't say in 280 characters.

The fact is you can reasonably run a modern Windows system without any antivirus at all. Normal user operations just browsing the web have never been safer.
But when you start having users unfamiliar with Windows quirks opening email attachments, getting redirected to sites because they don't have an adblocker, tricked into fake updates.

That's where antivirus saves your ass. It can monitor for failure and respond to it. It acts as a partial backstop to many other layers failing. That SHOULD be its job. If antivirus ever gets a legitimate detection, that is a huge series of failures to make it to your box.

It's easy to be edgy on this topic. Nuance appears pudgy.

Even in my hopefully measured response, people I respect can disagree based on their experience and value weights.

I could easily run my personal Windows boxes with no antivirus at all. I'd be fine. I know how this stuff happens, and my target profile for 0days.

I run antivirus anyway. That's my choice. It's informed by what I've seen. And my own mistakes along the way. I was a teen in the halcyon days of XP where you could artisan layer on innumerable products to protect yourself.

Browser blast doors like Sandboxie, HIPS change alerting like Comodo, anti-exploit shims like EMET, and a plethora of antivirus vendors.

I don't know how to communicate this better without an extended speech presentation.

In my experience - the most important denominator of infection is not a product you buy, it is the behavior you act. Knowing what's not worth the risk. When you're being led on to perform weird actions. Where you're desperate for solutions so you throw caution to the wind and even disable AV like when using pirated software.

That is the real difference and you cannot possibly spend enough money to ask your computer not to do what you tell it to.

I could impromptu give an hour+ presentation on how complex "What antivirus should I use" actually is.

The answer is Defender [for consumers, ATP whole other discussion not negative just way more points] is fine and stop downloading Office2013 activation crack torrents.

But it's also true some vendors have interesting approaches and if you like it, you can pay them. Everybody being on Defender is a single point of failure and attack. Monocultures are a terrible result.
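A read-only check for the state the post tells consumers to verify (current build, tamper protection on, protection features not quietly switched off by a "privacy tool"). This is an added example, not code from the thread; it assumes Windows 10/11 with the built-in Defender PowerShell module, and the seven-day signature-age threshold and the list of checked settings are my choices.

```powershell
# Added example (not from the thread): read-only health check for the consumer
# Defender settings the post says to verify. Uses only the built-in Defender
# cmdlets; run from an elevated prompt for complete output. Changes nothing.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$checks = @(
    @{ Name = 'Antimalware service running';          Ok = $status.AMServiceEnabled }
    @{ Name = 'Antivirus enabled';                    Ok = $status.AntivirusEnabled }
    @{ Name = 'Real-time protection on';              Ok = $status.RealTimeProtectionEnabled }
    @{ Name = 'Behavior monitoring on';               Ok = $status.BehaviorMonitorEnabled }
    @{ Name = 'Download/attachment (IOAV) scan on';   Ok = $status.IoavProtectionEnabled }
    @{ Name = 'Tamper protection on';                 Ok = $status.IsTamperProtected }
    @{ Name = 'Cloud-delivered protection (MAPS) on'; Ok = ($pref.MAPSReporting -ne 0) }
    @{ Name = 'Script scanning on';                   Ok = (-not $pref.DisableScriptScanning) }
    @{ Name = 'PUA protection in block mode';         Ok = ($pref.PUAProtection -eq 1) }
    @{ Name = 'AV signatures under 7 days old';       Ok = ($status.AntivirusSignatureAge -lt 7) }
)

foreach ($c in $checks) {
    $mark = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $mark, $c.Name)
}

# Exclusions are where tweak tools and "just disable AV" advice punch holes;
# an empty list is the expected state on a home PC that never added any.
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    $items = $pref.$kind
    if ($items) { Write-Output ("[WARN] {0}: {1}" -f $kind, ($items -join ', ')) }
}

# Policy value that tweak tools commonly set to turn Defender off. Current
# builds with tamper protection do not honour it for consumers, but its
# presence still shows that something tried.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $policy) {
    $v = Get-ItemProperty -Path $policy
    if ($v.PSObject.Properties['DisableAntiSpyware'] -and $v.DisableAntiSpyware -eq 1) {
        Write-Output ("[WARN] DisableAntiSpyware=1 is set under {0}" -f $policy)
    }
}

# OS build, to compare against the current release on Microsoft's Windows
# release health page rather than trusting a tool's "already up to date".
$os = Get-CimInstance Win32_OperatingSystem
Write-Output ("Windows build: {0}" -f $os.BuildNumber)
```

Any FAIL or WARN line is a setting to turn back on in Windows Security (or to undo in whatever tool changed it), not something to script around.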

@SwiftOnSecurity also comes down to how you are going to react when something happens… and it will happen
I have kids, (and in-laws) and I need something that reports back to me so that I can be alerted when something happens, and know what my response should be.
I will be honest, I haven’t looked at the consumer defender offering in a while, so I don’t know if that specific need has been filled.
Would I be comfortable using defender myself? Sure
Am I comfortable being responsible for computers that I don’t normally touch using defender… that’s a different question
@SwiftOnSecurity there's also a question of cost on ATP licensing in M365 enterprise environments, but I can't say I've checked what the EDR market competitors are charging.
@SwiftOnSecurity "cheap Windows and cheap Office". ggggaaaa don't get me started.....
@SwiftOnSecurity i use Eset internet security because norton did magic internet money things
@SwiftOnSecurity In reality, quite a lot of the security risk users take on either doesn’t or shouldn’t have anything to do with their behavior. Apart from software defects, quite a lot of it is software that’s insecure by design or that takes a “default allow” security posture, which in large part is a holdover from bygone days when we thought everything could be trusted. I only blame end-user behavior when they actively defeat the security meant to protect them from harm.
@deriamis @SwiftOnSecurity tbh, it’s less “everything can be trusted” and more “let’s be as permissive as possible to minimize incompatibilities with whatever user stack could possibly be and whatever the user is doing”
@andrei_chiffa @SwiftOnSecurity IMO, that’s a distinction without a difference. Much if not all of the reason for current permissive design is past permissive design. There’s a paper I read on it somewhere, written quite some time ago. I’ll be damned if I can remember the title or the author, though.

@deriamis @SwiftOnSecurity

It makes no functional difference for people having to deal with it now, but it does for people looking at how to prevent it in the future, given that the assumptions about devs' motivations are rather different.

@andrei_chiffa @SwiftOnSecurity I view software engineering as a continuous human enterprise, so to me, statements about past behavior and future motivations aren’t separate things. To me, the only difference between past and future behavior is experience. So yeah, I think we’re saying similar things from wildly different perspectives.

@SwiftOnSecurity My shameful secret is I work for a 3rd-party AV vendor and I still use Defender on my home PC. I know how things work and it's there only to save me from being dumb. On the other hand I've installed and configured our AV for my parents, but that's because they can benefit from me knowing how to configure it and me knowing how they use a computer so I can put in the time and effort to have it setup for their needs. Not everybody has that luxury.

Also some replies here, oh boy. Consumer product is the keyword people.

@SwiftOnSecurity Exactly. Information Security is a people problem first. Then concern ourselves with business and technology controls.

@SwiftOnSecurity yeah.

Tho there is no reason to use 3rd party AV + Windows when Linux exists unless you want to do some malware analysis in a VM or on airgapped bare metal...

OFC if people run everything as root, they'll also fuck up every distro, but those people should not be allowed to touch or use anything more complex than a light switch or touchtone phone.

@kkarhan @SwiftOnSecurity https://xkcd.com/1200/

The operating system matters little. The threat model and the defensive implementation is everything.
@j @SwiftOnSecurity I don't expect anyone to ever be able to get the machine unlocked...
@SwiftOnSecurity To be fair "weird actions" to you and me can seem "reasonable", thus the lure of these schemes. For example, a few years ago a friend had clicked on a button on a web page ad that said "your clock might be wrong - install this plugin !". The plugin was nasty malware. "why would you click on that ?", I asked. But then I realized, most people don't have this spider-sense that says "no, that's insane - NTP man".
@SwiftOnSecurity This "it's the behavior not the OS" is the argument people give me for why they can still use Windows XP in 2022.
@susanbradley Entirely fair point, yeah you can take it to extremes where you do not understand the successive hardening. And I remember the "I'm staying on 32-bit WinXP" days. Happy to hear more thoughts.
@SwiftOnSecurity I wish our redmond overlords would make it a tad easier by being more exact about what older platforms are vulnerable for but that would take resources away from supported premises platforms like... oh... Exchange 2019 or centered menus in windows 11. Just because you haven't been hit by X doesn't mean you aren't vulnerable to X
@susanbradley @SwiftOnSecurity not for nothing, but we're generally pretty clear about this. vCurrent has best of breed protections.
@SteveSyfuhs @SwiftOnSecurity With my deepest respect, for consumers you need to be better. This is where there is a fail. For e5 absolutely. For Windows 11 Home or where their hardware can't run it, I need more ammo for the masses.

@susanbradley @SwiftOnSecurity and I should clarify: to that end all versions of *supported* OS get patches so vulnerabilities are *mitigated*.

New whatsits that bolt on fundamentally new protections are vNext/vCurrent.

If it meets our criteria for moderate->critical, we'll patch it.

@SteveSyfuhs @SwiftOnSecurity Exchange - which is a patching beast unto itself needs to be much easier patched and not quite so much of an advertisement for online email lately
@SteveSyfuhs @SwiftOnSecurity btw I wasn't talking about supported OS I was indeed talking about out of support OSs where there isn't an obvious info about being vulnerable. On October 14, 2025 we are going to have a LOT of people on an unpatched OS.
@susanbradley @SwiftOnSecurity fair enough. But at the same time we're talking five years to a decade. After a certain point we're talking maintenance (5y), security maintenance (10y), and then notta (>10y). If folks don't start their planning until 10yr+1m then they're in a pretty bad spot.
@SteveSyfuhs @SwiftOnSecurity Home users and sohos I need help in October of 2025. These are folks that will never get the uber cool stuff in an E5 and thus the "you need a tpm chip and buy a new computer" is really hard to convince. Then the next layer up is the SMBs. Don't think enterprise here, it's the folks that employ a lot of people but aren't always thrilled about subscriptions (me for example I HATE PAYING WHAT I HAVE TO PAY FOR ADOBE on an annual basis)
@SwiftOnSecurity i stopped pirating software and computer games long time ago because it was not worth the risk
@SwiftOnSecurity any 3rd party AV on Windows worsens its security btw.
@kkarhan @SwiftOnSecurity AVs are just horrible in terms of security. They are huge unauditable codebases that themselves make active use of exploits. They also insert unaudited kernel-mode code for privileged actions as part of their intended purpose.

@PeterCxy @SwiftOnSecurity EXACTLY!

If one doesn't trust #Microsoft's integrated #Antivirus in #Windows, then one shouldn't trust their #Govware at all...

@PeterCxy @SwiftOnSecurity whereas I can understand people using i.e. #eset on #linux for their #mailserver|s and #fileserver|s...

They are still #BinaryBlobs but at least they ain't so "fucky wucky" by using undocumented shit and act as #malware...

@PeterCxy @kkarhan @SwiftOnSecurity You know an anti-virus program is dodgy when it scares the hell out of Raymond Chen at Microsoft. https://devblogs.microsoft.com/oldnewthing/20211229-00/?p=106061

> I pointed out to the customer liaison that what the customer is trying to do is very suspicious and looks like a virus. The customer liaison explained that it’s quite the opposite: The customer is a major anti-virus software vendor! The customer has important functionality in their product that they have built based on this technique of remote code injection, and they cannot afford to give it up at this point.
>
> Okay, now I’m scared.

@niconiconi @PeterCxy @SwiftOnSecurity @kkarhan This makes my old hack of using setjmp and longjmp to implement threads look portable.
@kkarhan @SwiftOnSecurity that take lacks nuance. 3rd party AV certainly adds attack surface, particularly in terms of local privilege escalation. but it doesn't inherently "reduce security". it's a trade-off which strongly depends on whether the extra features of the AV product (above and beyond what Defender offers) are useful to you. evaluating the risk of additional LPE bugs is essentially impossible in any rigorous quantitative sense.
@gsuberland @SwiftOnSecurity in most cases, I'd argue against it [unless you want to audit and/or exploit said AV software as entry vector] and recommend to just migrate away from Windows instead...

@kkarhan @SwiftOnSecurity you can certainly build an informed opinion based on the history of vulnerabilities in the product, in terms of both severity and handling competence, but that's never a guarantee and there's no hard rule.

I'm of the opinion that Defender + adblock is sufficient for general home use, partly because Defender works well enough but also because your average consumer has no idea how to interpret and assess prior product vulnerabilities.

@kkarhan @SwiftOnSecurity this isn't just random loosely-formed opinion, either. I'm saying this as someone who has professionally performed security reviews (binapp assessments, kernel driver assessments, source code reviews) on AV/EDR products and found/published vulnerabilities in commercial security products.
@gsuberland @SwiftOnSecurity yeah, but in my experience as sysadmin having to deal with #TechIlliterates constantly, migrating people to #Ubuntu LTS is just faster and easier...

@gsuberland @SwiftOnSecurity IMHO 3rd party #AV is just #ValueRemoving rentseeking on #Windows.

An #AV on a #Linux machine [i.e. #Fileserver and/or #Mailserver] however makes sense...

@kkarhan @SwiftOnSecurity I'm strongly opposed to "just use Linux!" as a general response to these issues. There are rare cases where it makes sense, but most of the time it's a failure to prioritise users' needs and almost always for nebulous reasons of "better security" that aren't delivered in practice.
@SwiftOnSecurity
Yup. Anti-virus is meant to protect me at my dumbest moments. Which will always happen.
@SwiftOnSecurity I quit anti-virus on Windows in the late 90's when I tried to get rid of them by canceling the credit card and still got charged on the new one. When I complained they told me they had a special arrangement with the anti-virus company where they could continue to charge canceled card numbers on a new number. I've been out from that BS since.
@SwiftOnSecurity I didn't need anti-virus then because there was an easy way to destroy every virus and I saw anti-virus as a virus on its own. Not true now?
@SwiftOnSecurity Taking local admin privs away from those that don't need them also helps reduce virus outbreaks.
@clankgy1 @SwiftOnSecurity It's a *lot* of work to get an environment to a place where that won't consume a massive fraction of your support resources, though.

@AGTMADCAT @SwiftOnSecurity Agreed. And what is interesting to me at least is that the people that claim to need local admin rights the most are the ones most likely to get phished, surf questionable sites (mostly porn), and engage in other shenanigans.

Can't speak for others, but local admin rights became a huge organizational political battle.

(but one worth fighting)

@clankgy1 @AGTMADCAT @SwiftOnSecurity At a place that shall go unnamed, corp IT locked down developer laptops with Windows without local admin, and all the devs who needed to Get Stuff Done™ did it on personal laptops and desktops running #Linux.

In corp IT’s defence, though, their actions actually increased the security posture of the organisation by getting devs to use Linux!

@ankitpati @clankgy1 @SwiftOnSecurity They may or may not have increased the security posture, but they definitely made it unauditable! One core goal of good IT should be not doing anything that pushes users to reach for weird workarounds. If you're going to stop them from doing something, you should be providing them with a superior alternative whenever possible.

@AGTMADCAT @clankgy1 @SwiftOnSecurity Yes, the “increased security” part was tongue-in-cheek. Auditability beats security, in my opinion. It’s better to know that you’ve been breached than assume you’ve not been.

> …whenever possible…
Yeah, no. You have to make it possible. Or developers will either:

1. Route around it,

or,

2. The good ones will leave, and you’ll be left with those who want to leave but can’t.

I’ve seen both happen. I’ve done both.

@ankitpati @clankgy1 @SwiftOnSecurity Eh, sometimes you have to deal with contractual or legal constraints - "Customer data cannot be accessed from outside the United States" isn't something you can necessarily provide a workaround for. In those sorts of situations, the answer just has to be "no" and you have to enforce it. Thankfully, those sorts of situations are quite uncommon! And if you've built up a good reputation of not saying no when it's not absolutely necessary, your users are more likely to comply when you have to.

@ankitpati @clankgy1 @AGTMADCAT @SwiftOnSecurity OK, I chuckled.

There are plenty of folks who do better with local admin powers, and who should just be allowed to run Linux.
🥂

@SwiftOnSecurity yeah I've done this for a long while with lots of periodic "grab an antivirus, do a full ass invasive scan" after too long in the high seas for whatever. but i wouldn't recommend it. it's a lot better than days of yore when sub7 or winnuke would ruin your day so easily.

still not optimal but much more possible.

@SwiftOnSecurity in ICS/OT we remove the ability to browse the web or do things like opening email.

@SwiftOnSecurity last job (before I went out on disability), part of my job was 'component engineer', meaning I spent some amount of time on Chinese websites looking for commodities like pin headers. Defender + AdBlock and no problems.

The company had Norton but I stopped using it in one of its more bloaty phases.

@SwiftOnSecurity ...and security obstructionism theatre is an easy trap to fall into here, especially when dealing with people in vocations outside infosec...
@SwiftOnSecurity can you list a few recommendations on which features one should make sure their "win10 privacy tool" didn't disable?