To be blunt: I refused to install any kind of antivirus or personal firewall software on most of my computers (but see Update 1/1/2012, below.) This included a Windows XP Home system that was used by my children as a web surfing / email / game system. I suffered zero infections during this time. (The only time I ever suffered a malware infection was before, when I did rely on Norton Antivirus to protect the kids' computer.)
Why do I refuse to use these massively popular widely-used products? Simple. I am convinced that in my case, they may cause more harm than good, and that they foster a false sense of security - leading some users to engage in riskier behavior.
Further, antivirus software is almost always behind the curve - by definition, the antivirus people are playing catch-up with the malware writers. It's a good living for them, but I choose not to contribute to it.
As a software developer, I cannot afford any downtime due to buggy software, and yes - antivirus software has bugs. Not long ago, one major antivirus package ran amok, causing widespread damage by deleting harmless user data and programs.
Think about it: antivirus software has to intercept many system functions, monitor, detect and deter malicious activity - even if the software is flawless, which it isn't, it will slow your computer, and consume memory and other system resources. And let's not forget that you must now pay a recurring fee in order to feel safe - it all adds up to one big steaming pile of bullshit.
I have little patience for it. You may feel differently. And of course, some people are unable to protect themselves, and need whatever protection they can get.
I recommend Microsoft Security Essentials (MSSE) and MalwareBytes' Anti Malware FREE edition. Why? Because they're both freely available, and seem to behave well on most systems. Both offer a low-impact path to reasonable protection when combined with common-sense defensive behavior–therefore, my objections (bloated 'solutions' being worse than the problem) are no longer valid for most situations.
How can you live without antivirus software?
Here are the things I've learned over the years:
- Note: Some of the following items apply only to Windows XP. Windows Vista and Windows 7 offer additional security enhancements that may make the suggested tactic irrelevant.
- Learn how to tell if your computer is running unnecessary software. This means you must learn what belongs on your computer and what should be running. Download and learn to use the holy trinity: Autoruns, Process Explorer, and RootkitRevealer, all available free from Sysinternals (now owned by Microsoft). They're extremely high quality, and they are absolutely essential tools.
- Your computer isn't a toaster. If you want to pretend that it is, I expect that you will have a lot of trouble with it. If you own and use a computer, you really ought to learn some of this stuff. It's not that difficult. If you don't want to be bothered, find someone local who really knows about Windows, and pay him or her to help you. In the long run, it's cheaper and more satisfying than paying Symantec or some other company a subscription fee in exchange for partial 'protection'.
- Install a quality hardware firewall between your internet connection and the rest of your network. Ensure that all incoming ports are blocked. This is one exception to my "no personal firewalls" rule - if I traveled a lot, or used public WiFi hotspots, I'd probably install the simplest, most robust software firewall I could get my hands on - but it would not be something bloated like Norton Internet Security. Try Kerio Personal Firewall (I've not used it in a while, so I don't know if it's still lean and mean.) See this page for recommendations.
- Run as a non-admin user most of the time. This is known as Least User Access, or LUA. Windows users typically log in with full administrative privileges (at least, in versions up to XP and Server 2003) - exposing those users to severe security risks.
I log in as an administrator only when necessary to change system configuration or install trusted software. The added hassle actually reminds me that I need to think before I make a change to my system, or install some random software I just downloaded from the 'web.
- Use good judgment in deciding to install software, visit a web site, or open an email.
- Periodically run a free, online virus scanner - check your system every once in a while to see if you have an infection.
- Download and use Ad-Aware or Spybot S&D (or better yet, use both) from time to time - like just after installing a new bit of software on your machine, or just after your kids have visited the latest MySpace or ringtone site.
Web Browser or Email specific guidelines
- Think before you open that email! Your email software should be able to tell you, before you open the email, if the email is bogus. I look at the following bits:
- Size, attachment, recipient (TO) address, subject, sender (FROM) address
- If the sender or recipient looks strange, I don't open the message in my email client - I take steps to view the message's raw source (the technique varies depending on the email software) and look for telltale signs of malware. (This is worthy of its own discussion.)
- Not sure about a web site? Check before visiting - go to www.stopbadware.org and see if the site is a reported malware site. Or, you can visit SiteAdvisor.com and see what it has to say about the site.
- Configure Internet Explorer to use the highest level of security for normal internet browsing (set the 'Internet Zone' to maximum security) - this will break many web sites that rely on advanced features of Internet Explorer, but this is the price you have to pay - I get around that by manually adding selected, trusted sites (the few critical sites that I really need to visit using Internet Explorer) to the "Trusted Sites Zone".
- Keep Internet Explorer and Outlook or Outlook Express (or whatever email client you use) up-to-date with the latest patches.
- Configure Outlook / Outlook Express to read all emails in plain text by default
- Disable the "preview panel" if you must read email in HTML (rich text) format - the preview panel (combined with un-patched or improperly-configured systems) is one of the most dangerous features of Outlook or Outlook Express, and if you receive a malicious email, it can infect your computer just by appearing in the preview panel.
- If you want to use the preview panel, or view HTML mails, set Outlook Express to display emails as plain text by default. Check the email information (sender, to:, etc.) before viewing it as HTML. Don't view suspicious emails (especially those having attachments) in HTML format... Just delete the damn things.
- Configure Outlook / Outlook Express to use the 'Restricted Sites' zone
- Use the latest Firefox or Mozilla browser as the default browser (thus avoiding Internet Explorer most of the time)
- Use Mozilla Thunderbird or other email reader as your default email reader.
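One way to check the fields listed under "Think before you open that email!" (size, attachment, recipient, subject, sender) from a message's raw source, without rendering it. This is an added example, not the author's own tooling; the extension list, the flag wording and the sample message are assumptions constructed for illustration.

```python
# Added example: triage a message from its raw source without rendering it.
from email import message_from_bytes, policy
from email.utils import getaddresses
from pathlib import PurePosixPath

# Assumption: extensions treated as risky; adjust to your own policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def triage(raw: bytes, my_addresses: set) -> dict:
    """Report size, sender, recipients, subject and attachments, plus flags."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
    rcpts = [addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    parts = list(msg.walk())
    # Any MIME part that carries a filename counts as an attachment here.
    attachments = [p.get_filename() for p in parts if p.get_filename()]
    flags = []
    if not set(rcpts) & {a.lower() for a in my_addresses}:
        flags.append("not addressed to me")
    if any(PurePosixPath(n).suffix.lower() in RISKY_EXTENSIONS
           for n in attachments):
        flags.append("risky attachment type")
    if any(p.get_content_type() == "text/html" for p in parts):
        flags.append("HTML body: read as plain text")
    return {"size": len(raw), "from": sender, "to": rcpts,
            "subject": str(msg.get("Subject", "")),
            "attachments": attachments, "flags": flags}

# Constructed sample message (not real mail).
SAMPLE = (
    b"From: Billing <billing@example.net>\r\n"
    b"To: undisclosed@example.org\r\n"
    b"Subject: Your invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<p>See attached.</p>\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n\r\n'
    b"constructed placeholder bytes\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for field, value in triage(SAMPLE, {"me@example.org"}).items():
        print(f"{field:12} {value}")
```

Save the raw source from your mail client to a file and pass its bytes to `triage()` together with the addresses you actually receive mail at.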
Aaron Margosis of Microsoft agrees that it's critical to run as a non-administrative user. And my experience proves that it is possible to live, and live comfortably, without the aid of antivirus software.
On our web site
- SysTrayScan Utility - what are those icons in your system tray?