Internet as Surveillance State - Schneier
Message
From: 17/03/2013 15:07:04
To: 17/03/2013 03:29:20
General information
Forum: Technology
Category: Security
Miscellaneous
Thread ID: 01568611
Message ID: 01568662
Views: 42
>>http://www.cnn.com/2013/03/16/opinion/schneier-internet-surveillance/index.html
>
>Thanks for posting Al, good article. I have always liked Schneier's writings and have all his books.
>
>I was thinking of posting a security related thread about AV and personal firewall software: I have always used anti-virus software up to about a year ago when it was obvious that new malware is being invented far faster than any AV company can keep up with. But more than this, I have never in 25+ years been infected with any virus or worm that I know of (or can remember). Also, I think I have perhaps only seen AV catch +/-10 infected files sent to me or downloaded by me in all that time and none of them would I have run or opened (e.g. spam mail). Is this an unusually low detection and infection rate or the norm amongst computer users who are somewhat aware of the dangers and just use their common sense? I therefore stopped using AV software altogether.

IME that's an extremely low rate of incoming malware. It suggests you have good border security.


>The next thing is that I always used a personal firewall to catch not only incoming traffic but outbound requests as well (I used Eset, Zone Alarm and Comodo). However, I think I have only used a few programs that I wanted to stop from accessing the internet and the rest I all allow. Now with Windows 7 and Windows 8 the OS makes so many different requests to the outside world that one has no clue anymore what they all do or want. So you end up allowing it because denying it usually results in something not working anymore. Even when I load Outlook the first thing it does is request to connect to MS in the US, Redmond. Why? And if you deny this then it cannot continue to send or receive your email! So you end up allowing it (or choose another email client which is another mission).
>
>Furthermore, there are so many security researchers that if there was something truly underhanded going on with a major software package I suspect we would all hear the uproar very soon. So much of the OS sends traffic encrypted so you can’t see what’s going on easily plus if you want Windows Update to work then in that encrypted traffic it could send who knows what data back home. So I am thinking of dropping the use of a personal firewall for outbound traffic and just using the Windows outbound firewall.

I reached pretty much the same conclusion about outbound traffic long ago. If I'm concerned about a particular piece of software I temporarily turn on logging on my hardware firewall.

>In other words, the infection / detection rate is very low plus the complexity and variety of calls the OS and other apps make to the outside world is so high (and unknown as to purpose) that you let it all out. I am curious to hear other opinions on AV and firewall, efficacy and current usage?
>
>Side note - I often read people saying they use AV product XYZ and that it's really good. But how would you know? How much malware is it catching? Or is it not catching anything and hence you assume you are safe? Or is it catching a lot which then begs the question why are you being exposed to so much malware :)

Very few people are in a position to objectively say AV package X is better than Y. There are researchers who regularly test them against baskets of malware that have been collected "in the wild" and often against PoC exploits that are likely to soon be weaponized.

In my recent experience most infections are caused by browsing compromised/infected web sites. Some of the payloads are stealth rootkits such as ZeroAccess and TDSS and are all but impossible for end users to detect, let alone remove. The average user can only really tell if the computer is acting "normally".
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up