This statement surprised me! I am guessing you're well protected behind a high-end (for example, Cisco) firewall or something of the like, and not just a $40 router with a built-in firewall, and the computer never moves to other networks, to have only a single layer of defense outside of the PC itself?
It's a D-Link DIR-655. It was ~$100 when I purchased it. This computer never moves to other networks. My laptop does, but it doesn't have a firewall either. It is usually booted into Linux but I make no distinction.
I agree that lots of security and protection software out there do eat up resources badly like Norton and McAfee.
It's not IMO a matter of eating them up badly, it's that I don't see the point in having them installed to waste CPU cycles and whatnot.
I guess we all have our preferences as to how well or less protected we choose to be and the risks associated with lesser lines of defense.
If you ask me, there are more risks associated with being "secure". The fact is that for the most part anti-malware/spyware programs can only detect known malicious software and its variants. It's either that, or you get flagged with false positives about everything. For a time, McAfee flagged any program that contained the string "Software\Microsoft\Windows\CurrentVersion\Run" as malware. I know because one of my tools was flagged by the product. And yet, I just had to reverse that string in the code and use a function to reverse it, and there was no flag. If circumventing the protection is that simple for virus authors, what is the point?
The big issue I have is that a lot of users tend to "let their guard down" or aren't as suspicious of somewhat strange activity, under the guise that "well, I have an AV program/firewall/whatever, so I am invincible". Or even better, people will have anti-malware and firewall programs installed, and when they try to run a program will actually listen to the "instructions" for that program that say "oh, I guarantee this isn't a virus, just allow everything". Which defeats the purpose; my point is, it doesn't matter what security solution a person is using, the weak spot is the user.
Consider the typical scenario for malware installation: a trojan horse.
First, the person will have to download the program.
In order to be infected, either they download it from an untrusted source, or a trusted source is compromised. The latter is very unlikely. The former is the situation most often encountered. How to combat? Don't download from untrusted sources.
Second, the person will have to execute the program. At this point, an AV will "alert" the user if it suspects it to be malware. But, if you ask me, the user had already made the fatal mistake of downloading it in the first place. Anti-virus and anti-malware is not preventative; it is only employed when things are already going downhill. And what if that trojan horse isn't detected? New malware is created all the time, often infecting hundreds of thousands of machines before even a single AV vendor catches wind of it. Because the AV doesn't flip out, the user will take this as a "certificate of authenticity": the virus scan says it's clean, so it must not have evil intentions, or be infected.
The term "infected" is another interesting barrier. A skilled person can easily see the difference between an infected PC and one that isn't infected; but how do you detect this through software? How do you know what is bad and what is good? It's all through heuristics and blacklists, if the program deals with these specific locations and whatnot. But the thing is that plenty of totally legitimate software follows those same rules. One person's anti-virus, for example, flagged BCSearch, my search program, as malicious. After doing some digging, the only reason it did that was because I used a specific API function in a certain way. I didn't use it wrong. I didn't use it badly. For whatever reason, the AV decided that any program that uses API function X in this specific pattern is evil. But the thing is, not only does legitimate, uninfected software use it that way, but surely there are plenty of malicious applications that don't, so what good is the detection logic there?
The fact is, that trying to detect and properly eliminate viruses is practically in the realm of face recognition and other "fuzzy logic" problems. Face recognition has come along, but it still requires the guiding hand of a person who can recognize faces. The difference is that all people are innately born with the "built-in" ability to recognize faces. Not all people can properly "guide" a malware program when it balls up, and the fact is that such mistakes are inevitable purely as a result of the way they work.
For the most part, the same applies for firewalls. Firewalls don't so much detect bad actions as they simply detect outgoing connections. This makes sense, but if something is making an outgoing connection that isn't supposed to, you've already lost. The program is already on the computer, and if the author knows what they are doing they have full access to the machine to simply disable that software firewall or insert the appropriate configuration information to let it through, meaning no alert and, to the user, no problems. Incoming is no longer an issue as even the cheapest router these days has a good firewall. And outgoing is a non-issue because by the time it gets to the point where a software firewall would detect it, there is a good chance the malicious program has simply added itself and given itself access to the external network anyway, so a software firewall's functionality depends solely on the diligence of the malware author. Not a metric I trust.
Additionally: What would port probing do?
Instead of installing a firewall, you should be making sure that you don't have listening connections. Unless you happen to be running a server of some kind, you shouldn't have any at all; and if you do, you should make sure that incoming connections are properly authenticated. Using a software firewall as a protection against that is just covering the true problem, which is that you have unsecured, unauthenticated ports listening for incoming connections and responding to them.
For example: let's say somebody has an SSH server. The port will be listening. Clients connect, and give authentication details before they are allowed further access.
The only way "port probing" by an experienced hacker would get into the system would be if the SSH server is outdated (and they use a known exploit or vulnerability) or there is another misconfiguration. Both of those are the responsibility of the person running the server, and keeping them updated to prevent exploitation of the system is practically their job.
The typical malware application either tries to connect to another machine on the internet to communicate and get information on what other trojans to download, or it wants to open a listening port so that its "master" can tell it what to do. In either case, if you ask me, the game is "over" since you have the trojan in the first place; and as I noted, the way heuristics work means that you cannot 100% rely on an AV program, but it gives a lot of people the feeling that they are "invincible", so people are more likely to run programs that they would find questionable under the assumption that "if it's bad, my AV will know" and then take the AV not flagging it as malicious as a sign that it is perfectly safe. The fact that AV programs mark files as "clean" or "infected" when neither can be determined with absolute certainty via software may seem like a nitpick, but it doesn't help people's assumptions about the infallibility of AV software.
Anyway, anecdotally, the only time I've had an AV installed is years ago when I first connected to the internet (2005 or thereabouts I think it was, and with Windows 98 no less) and more recently after I was infected with Virut, in order to prevent my old files from reinfecting me. "Ah ha!" you say, "so you got infected because you weren't using an AV!" Well, no; you see, it wasn't until after I was infected that the virus even registered with most AVs. Afterwards I got a new PC that ran Vista and now 7, which pretty much made most malware obsolete, in that I still get prompted for administrator access. No malware that can do anything dangerous can function without admin access, so I only dole that out when I trust the program, or am prepared to do a check with Process Explorer to make sure it's not doing anything that can be construed as malicious. The only problem I've had so far has been as a result of doing the former but not doing the latter. And it was one instance that was quickly rectified when I discovered it.
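As an added example (not code from this thread or from either poster), here is a small POSIX shell audit that implements the check argued for in the post: enumerate listening TCP sockets and separate loopback-only listeners from ones reachable by other hosts. It parses the output format of `ss -Hltn`; the sample lines embedded in it are constructed, and the function names (`classify_listeners`, `count_external`, `audit_live`) are my own.

```shell
#!/bin/sh
# Added example (not from the forum post): audit listening TCP sockets and
# separate loopback-only listeners from ones reachable by other hosts.
# Input format is that of `ss -Hltn` (iproute2, no header line):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Constructed sample of `ss -Hltn` output, for running offline.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 192.168.1.10:445 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*'

# classify_listeners: reads ss lines on stdin and prints one line per
# listener, either "LOCAL <addr:port>" (loopback only) or
# "EXTERNAL <addr:port>" (bound to a wildcard or non-loopback address).
classify_listeners() {
  awk '$1 == "LISTEN" {
    sock = $4
    addr = sock
    sub(/:[^:]*$/, "", addr)            # drop the trailing ":port"
    if (substr(addr, 1, 1) == "[")      # strip IPv6 brackets, e.g. [::1]
      addr = substr(addr, 2, length(addr) - 2)
    if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./)
      print "LOCAL", sock
    else
      print "EXTERNAL", sock
  }'
}

# count_external: number of externally reachable listeners on stdin.
# grep -c exits 1 when the count is zero, so keep the pipeline's status 0.
count_external() {
  classify_listeners | grep -c '^EXTERNAL' || true
}

# audit_live: run the same check against the current host.
audit_live() {
  if ! command -v ss >/dev/null 2>&1; then
    echo "ss not found; cannot enumerate listeners" >&2
    return 1
  fi
  ss -Hltn | classify_listeners
}
```

Run `printf '%s\n' "$SAMPLE_SS" | classify_listeners` to see the classification on the sample, or `audit_live` on a real host. Every `EXTERNAL` line is a service that answers to other machines, so, as the post argues, it is the owner's job to make sure it authenticates clients and stays patched; the `LOCAL` lines (the CUPS and PostgreSQL ports in the sample) are only reachable from the machine itself.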