Why geeks don't like to run AV

By John Viega
November 19, 2008 | Comments: 1

There are way too many security products and companies, and there are far too few good ones. If I see a good product, I will actually run it. But, as a typical geek, I don't really run too much that's actually protecting me.

Before this week, there were only a few IT security solutions I had used with any sort of frequency in the past five years:

  1. ssh, the ubiquitous remote login utility.

  2. SMTPS and S-IMAP, protocol extensions for SMTP and IMAP to allow my mail client to talk to my email server with authentication and data security.

  3. RSA tokens and HID badges, as work required.

  4. I do use some anti-spam stuff (including SpamAssassin), but none of it has been very helpful. For some accounts I have, I get so much spam that I still have to sort through hundreds a day. For all other addresses, I get basically no spam, and the anti-spam tools just mark a few things that I probably wanted to see, and hide them for me in a junk folder.

  5. I use SiteAdvisor when I'm not sure about the reputation of a web site, when I'm looking to use some software from it. I would have the plug-in installed, but there's no public plug-in available for my browser/platform combo (even though I know first hand that there is one for Safari on OS X). So what I do is go to siteadvisor.com and look up site reports manually. Don't try to switch me to Firefox; I try it every year or so, and still don't like it. I trust SiteAdvisor because I used to own its development: I know how it works, and I know it is well done.

  6. I've been forced to run god-awful VPN software at work (usually the crappy Cisco client).

On Monday, I added a new item to the pile, a free tool for monitoring my home network that impressed me enough that I'm going to use it. At the end of this post I'll plug this new free tool I found, as I think other people will be interested.

Anyway, six things is all I can come up with. Here are some prominent things that I don't run:

  1. Firewalls. I'd consider these important in many enterprise contexts, because people typically leave lots of vulnerable services on machines that are directly accessible to a lot of people. But in my home environment, my cable modem and wireless router both are capable of NAT, meaning my computers are not directly accessible. The only things people on the outside can see are the things they would see anyway, because my machines are initiating the connections. On my personal server, we just don't expose ports we don't want hit. When I used to run my own firewall, I tried a number of things, but primarily used OpenBSD's PF.

  2. Anti-virus. Even though I owned development for McAfee's anti-virus technology, I did not run it at all the entire time I was there, even out of company loyalty. I did run a process NAMED the same as our AV that just fork()ed and slept, so that their VPN client would let me on their network.

  3. Personal firewalls. Too spammy.

  4. Virtualization for compartmentalizing stuff (e.g., GreenBorder and Returnil). Maybe someday, but right now, this stuff causes me too much effort (moving crap between virtual containers) to be worth the benefit.

  5. Any other consumer security product.
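Item 1 above rests on one rule for the personal server: don't expose ports you don't want hit. The following is an added example, not code from the post or from any product it mentions, showing how to audit that rule on a Linux host by parsing the kernel's socket table (`/proc/net/tcp`) and flagging listeners bound to a non-loopback address that are not on an allow-list. The sample table, the allow-list and the function names are constructed for illustration.

```python
import os
import socket
import struct

# Constructed sample of /proc/net/tcp (Linux IPv4 socket table); not taken from
# the post. local_address is hex "IP:PORT" with the IP in host byte order, and a
# state ("st") of 0A means LISTEN. Row 3 is a database listener that was never
# meant to be reachable from outside; row 4 is an outbound established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0100007F:D431 5E8B3C2A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12349 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # state code used by the kernel for listening sockets


def decode_address(hex_addr: str) -> tuple[str, int]:
    """Turn the kernel's 'XXXXXXXX:PPPP' form into ('a.b.c.d', port)."""
    hex_ip, hex_port = hex_addr.split(":")
    # The 32-bit IP is printed in host (little-endian on x86) byte order, so
    # repack it as little-endian before handing it to inet_ntoa.
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listening_sockets(proc_net_tcp: str) -> list[tuple[str, int]]:
    """Return (bind_ip, port) for every LISTEN entry in a /proc/net/tcp dump."""
    result = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[3] == TCP_LISTEN:
            result.append(decode_address(fields[1]))
    return result


def unexpected_exposure(proc_net_tcp: str, allowed_ports: set[int]) -> list[tuple[str, int]]:
    """Listeners reachable from other hosts whose port is not on the allow-list.

    Loopback binds (127.x.x.x) are ignored: nothing outside the box can reach them,
    which is exactly the "don't expose it" outcome the post describes.
    """
    return [
        (ip, port)
        for ip, port in listening_sockets(proc_net_tcp)
        if not ip.startswith("127.") and port not in allowed_ports
    ]


if __name__ == "__main__":
    # Assumed allow-list for a small personal server: ssh and HTTPS only.
    allowed = {22, 443}
    table = SAMPLE_PROC_NET_TCP
    if os.path.exists("/proc/net/tcp"):  # use the live table when run on Linux
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    for ip, port in unexpected_exposure(table, allowed):
        print(f"unexpected listener: {ip}:{port}")
```

Run as-is it audits the constructed table; on a Linux host it reads the live table instead. Only IPv4 is covered here; `/proc/net/tcp6` has the same layout with 128-bit addresses and would need a separate decoder.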

Note that I'm largely ignoring the question of "what I'd run if I owned enterprise IT"; maybe I'll cover that some other time. I only detailed enterprise things that got pushed down on me as an end user.

Let's look in a bit more detail at the "whys" for all of these technology decisions. A lot of the technology I use is authentication technology, which solves a critical need (people knowing who they're dealing with, or what machines they're logged into). And, except for some setup and some password typing, all of these things work seamlessly. Heck, particularly with applications that remember my passwords for me, it's seamless enough that I forgot that I of course use password security on pretty much any app that hits the network, like instant messaging, twitter (I'm viega), Facebook and so on. And, when there's authentication, encryption should be free and totally transparent, whether offered via SSL, or something else.

I don't like stuff that gets in the way of my doing what I want to do. That sounds like I'm going against my best interests. But, with something like a personal firewall that gives me pop-ups every 5 minutes, I would end up LESS secure because after the first 20 times it is wrong, I stop reading, and start clicking "yes" to everything. But I still would feel like I was being secure. Instead, I live with a reasonable sense of paranoia. Most people turn off the personal firewall, and quickly lose the paranoia.

I do want to use host security technologies (particularly anti-virus, which is now just a general term for something that detects malware), because I do realize that, even with me being highly vigilant, there are plenty of ways I can get hosed, including exploits, and malware bundled with legitimate software.

But, I haven't been able to bring myself to run commercial anti-virus products. The conventional wisdom there is right: they don't catch very much, and they tend to slow down machines.

When you look at the average, non-technical user, they probably should be running AV, because it is pretty unobtrusive, it does catch some things (even if it's not many), and they don't have the same sense of what the real risks are as I do. But, many technical people are like me. We're only going to use security technology if it's easy to use and works pretty well, unless forced to do so by our bosses. That leaves many geeks more vulnerable than they expect. But I know plenty of people who didn't install AV even after an infection, because they thought the price was too high... they'd rather do a very occasional cleanup.

The security technology I'm adding to my repertoire enables me to monitor my network in a way I never could before. When debugging network protocols, I'd use Wireshark (formerly Ethereal) to collect and review network traffic, but there's no way I would use Wireshark to do general network monitoring. It's just way too much work to see what's going on across my network.

But, then I saw the announcement for NetWitness Investigator.

This tool gives me the first good reason to run Windows I've had since Mac OS X came out. It gives me an easy way to see what's happening on my network. I mean that literally: I can see the web pages people are browsing, along with images they're loading. I can see the videos they're playing. Staring at hex to figure out what's on the wire is way too much work, but when you can see things at a high level, it's all of a sudden easy and fun.

From a security perspective, this allows me to monitor how my network is being used (I did have to install WinPcap first). Primarily, I'm interested in a non-draconian way to monitor what my kids are doing on the internet, without host-level lockdowns they could always figure out how to disable. Plus, I like open wireless, because it makes it far easier to have guests come over. But I do want to make sure that other people aren't leeching. Well, with NetWitness, I can easily drill down and look at only those network sessions from particular machines or IPs. In fact, there are a ton of ways to slice how you look at network traffic. Their search interface is by far the easiest to use and most useful thing I've seen on a security product. I won't be able to do it justice, but I encourage you to spend a few minutes looking at their video on YouTube.


1 Comment

You're a fool to not run a FW, even if you're behind the NAT of your wireless router and cable modem. Should your machine become partially compromised, or get hijacked by a trojan, your unwillingness to prevent outbound traffic makes you like a drunken college coed who thinks no birth control is necessary because they got a vasectomy. The spread of VD occurs because people like you think you're invulnerable and only responsible for yourself.
