Sunday, July 27, 2008

why anti-av is absurd

in point of fact, both anti-av and pro-av are absurd... i'll explain why in a moment...

given my comments about dancho danchev's anti-av leanings in my previous post, i anticipate there will be a number of people thinking (though not necessarily bothering to say it to my face) that i'm the polar opposite - fanatically pro-av... indeed, this has already happened in the past as there are those who wonder about my sanity, consider me an av extremist, and think i belong on the list of the 6 dumbest people in IT security (an homage to ranum's largely ill-conceived 6 dumbest ideas in IT security)...

let me ask you something, though... does it make sense to be pro-hammer? how about anti-screwdriver? would you sit on the fence about a tape measure?

av, even if we accept the crude interpretation of the term (somewhat more forgivable from average joe public, who has an excuse for not knowing better) as just known-malware scanning, is just a tool - no more and no less... it's a tool that is remarkably good at a narrowly defined set of tasks: detecting known malware for the purposes of prevention, and, for known-malware incidents that aren't prevented, identifying the malware so that the incident can be connected to expert knowledge of the malware in question for the purposes of diagnosis...

being anti-av is like being anti-hammer or anti-screwdriver (and likewise for being pro-av, pro-hammer, pro-screwdriver)... it's a tool (not a religion or a political party), and there are times when it's the appropriate tool to use... those who would completely drop it in favour of some other supposedly superior technology, and those who complain that they relied on av and it let them down, are the very people who never learned the lesson about how when all you have is a hammer, everything looks like a nail... known-malware scanning is a tool, whitelisting is a tool, sandboxing is a tool, behaviour blocking is a tool, heuristic analysis is a tool, etc, and i use and advise on the use of most of them - security practitioners, better than anyone, should understand the importance of having a well equipped security toolbox with a variety of tools for a variety of jobs... only the naive would think that the entire malware problem could be comparable to just hammering nails and thus require just one tool...

and since i do make use of all 3 preventative paradigms, it's hard to imagine how i could simply be pro-av... i'm pro-knowledge - i think people should know their tools, what they can do and what they can't, and know the problem, so that they can choose and use the tools appropriately... it's really a shame when people commit the anti-malware equivalent of trying to hammer screws into wood, and it's not nearly as funny...
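to make the "know what your tools can and can't do" point concrete, here is a small added example (not code from the original post, and not any product's actual engine): it models the crudest form of known-malware scanning, an exact sha-256 match against a signature list, alongside the simplest form of whitelisting, and runs both over four constructed byte strings standing in for executables... the sample bytes, the family name "ToyDropper.A", and the lists themselves are all made up for the demonstration...

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample "files" (plain bytes standing in for executables).
KNOWN_MALWARE = b"MZ\x90\x00 toy-dropper v1: download and run payload"
MALWARE_VARIANT = KNOWN_MALWARE.replace(b"v1", b"v2")  # a single-byte change
APPROVED_TOOL = b"MZ\x90\x00 corporate-backup-agent 3.1"
NEW_TOOL = b"MZ\x90\x00 freshly-compiled-internal-script-runner"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-malware scanner, in its crudest form: exact hash -> family name.
# (Hypothetical signature list; real scanners use far more robust signatures,
# but the "only what is already known" property is the same.)
SIGNATURES = {sha256(KNOWN_MALWARE): "ToyDropper.A"}

# Whitelist: hashes of executables the organisation has explicitly approved.
# (Hypothetical list; contains only the backup agent.)
WHITELIST = {sha256(APPROVED_TOOL)}


@dataclass
class Verdict:
    family: Optional[str]  # family name if the scanner recognises it, else None
    whitelisted: bool      # True if the whitelist would let it run


def known_malware_scan(data: bytes) -> Optional[str]:
    """Prevention and diagnosis in one: a hit both blocks the sample and names
    the family, which is what connects an incident to expert knowledge."""
    return SIGNATURES.get(sha256(data))


def whitelist_allows(data: bytes) -> bool:
    """Prevention only: says whether to run it, never what it is."""
    return sha256(data) in WHITELIST


def assess(data: bytes) -> Verdict:
    """Run both tools over one sample and report what each can say about it."""
    return Verdict(known_malware_scan(data), whitelist_allows(data))


if __name__ == "__main__":
    for label, sample in [("known malware", KNOWN_MALWARE),
                          ("modified variant", MALWARE_VARIANT),
                          ("approved tool", APPROVED_TOOL),
                          ("new legitimate tool", NEW_TOOL)]:
        v = assess(sample)
        print(f"{label:20s} scanner={v.family!r:16s} whitelist_allows={v.whitelisted}")
```

the four results show the division of labour: the scanner names and blocks the sample it already knows, but a one-byte variant sails straight past it; the whitelist blocks that variant without knowing or caring what it is, but it blocks the new legitimate tool just as readily and can never tell you which family you were hit by... neither result is a failure of the tool, it's just the edge of what that tool was ever for...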

2 comments:

John said...

Hey Kurt,

FWIW I don't think you are one of the 6 dumbest people in IT, there are at least a dozen people that are dumber than you =)

kurt wismer said...

awesome... that's good to know...