Anti-virus wars start up again (Its time to party like its the 1999)

Virus Guy

What a joke.

I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if today
they're shelling out for $1 million+ contracts for AV garbage-ware.

Because as we all know, AV products today are really good at telling you
that your system got hacked - a few weeks ago.

----------------------------

http://news.techeye.net/security/anti-virus-wars-start-up-again

Anti-virus wars start up again
Its time to party like its the 1999
27 Jan 2012 09:16

It is starting to look like the anti-virus wars are starting up again.

For those who came in late, the 1990s were a time where AV companies
were engaged in hand-bag warfare which was as ruthless as it was
entertaining. It was a time when there was a lot of competition in the
marketplace and hacks were taken to secret briefings to explain why the
other side were such rubbish. It was a time when you used to get press
releases like "McAfee has asked Dr Solomon's Software to reduce the
virus detection rate of Dr Solomon's product because McAfee is unable to
keep up with the volume of viruses, and can't achieve the same level of
virus detection."

These days it has been comparatively quiet. Network Associates, which
famously slagged off Dr Solomon during a staff barbecue, is now McAfee
again and part of Intel. It seems that only Kaspersky has managed to
retain the bile which was a trademark of those times.

Still, imagine our surprise, when Reuters ran a story this morning where
McAfee rejected a claim that several large corporate customers had
recently switched over to using products from rival Symantec. Needless
to say the comment came from Symantec Chief Financial Officer James Beer
who claimed that his outfit was taking share in the anti-virus software
market away from McAfee, which was bought by Intel.

====================
http://www.reuters.com/article/2012/01/26/us-mcafee-symantec-idUSTRE80P23S20120126

Intel bought McAfee in a $7.7 billion deal meant to spur growth at the
world's top chipmaker and also help it better protect its products from
hackers. Investors are still waiting to see whether that bet will yield
results.

McAfee laid off about 3 percent of its workers, or about 250 employees,
in December.
====================

This was vintage 1990s stuff, and once upon a time we would have said
"yeah right" and probably ignored it. This was mostly because Beer
declined to identify who the customers were.

But now McAfee Senior Vice President for Finance and Accounting Edward
Hayden has struck back saying that the claim was false. He pointed out
that his company had booked a record amount of business in its December
quarter, signed its biggest deal ever and closed more sales over $1
million than it had in any single period.

He said he was "not aware of any major account" that lost to Symantec
during the quarter.

Again, all unprovable stuff and vintage "he said, we say" stuff from
1997. Would the vice president of finance know if he had lost any major
customers anyway?
 
FromTheRafters

Virus said:
What a joke.

I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if today
they're shelling out for $1 million+ contracts for AV garbage-ware.

Because as we all know, AV products today are really good at telling you
that your system got hacked - a few weeks ago.

AV is still useful for preventative (albeit reactive) protection against
most *viruses*. As for hacks and general malware it seems to have taken
more of a removal after-the-fact role as viruses become less prevalent.
IMO this has led to them being more of an enabling influence on those
bad behaviors that users always tend toward.

It's the damned marketing schemes that are a joke.

[...]
 
Bear

Virus said:
What a joke.

I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if today
they're shelling out for $1 million+ contracts for AV garbage-ware.

Because as we all know, AV products today are really good at telling you
that your system got hacked - a few weeks ago.

AV is still useful for preventative (albeit reactive) protection against
most *viruses*. As for hacks and general malware it seems to have taken
more of a removal after-the-fact role as viruses become less prevalent.
IMO this has led to them being more of an enabling influence on those
bad behaviors that users always tend toward.

It's the damned marketing schemes that are a joke.

[...]

Yes, things shifted remarkably a while back. As a result, I shifted my
strategies from reaction to recovery.

I make a factory (with MS Updates) and pristine image and use the
pristine image. As time goes on and enough MS Updates have happened or I
decide to make a permanent change to my system I reload the pristine
image, make the updates and changes, and re-image that, which becomes the
new pristine image, and keep the old one as a backup. I continue this
approach but only keep the two latest images (the factory clean image is
permanent).

The pristine image is the factory image with all MS and other updates
and all of your data and programs. Every now and then, I load the
factory image and load the new MS updates and re-image that.

This ensures, as well as can be, that you always have a clean system.
This means you keep at least three images. If you run into malware
reactively, simply reload your most current pristine image. Such takes
30 minutes or less - usually much less time than it takes to react
properly to malware.

IMO, most discussion about how to deal with malware is made moot with
this approach. This doesn't mean prevention attempts aren't important!
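Bear's rotation scheme above (a permanent factory image, the two most recent pristine images kept, anything older dropped) carried into a small Python example. This is added here and is not code from the thread; the store directory, the file names (factory.img, pristine-N.img) and the .sha256 sidecar format are assumptions. It also records a SHA-256 checksum beside each image and, when a restore is needed, picks the newest image that still verifies, so a damaged image is noticed before it is relied on.

```python
"""Rotate drive images: one permanent factory image plus the two most
recent "pristine" images, each with a SHA-256 sidecar so a damaged image
is noticed before it is restored.

Added example, not code from the thread. The store layout, the file names
and the sidecar format are assumptions."""
import hashlib
import re
import shutil
from pathlib import Path

FACTORY_NAME = "factory.img"                  # permanent, never rotated
PRISTINE_RE = re.compile(r"^pristine-(\d+)\.img$")
KEEP_PRISTINE = 2                             # "only keep the two latest images"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so a large image need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_for(image: Path) -> Path:
    """pristine-3.img -> pristine-3.img.sha256 (not matched by PRISTINE_RE)."""
    return image.with_name(image.name + ".sha256")


def record_checksum(image: Path) -> Path:
    """Write the checksum beside the image at the moment it is made."""
    sidecar = sidecar_for(image)
    sidecar.write_text(f"{sha256_of(image)}  {image.name}\n")
    return sidecar


def verify_image(image: Path) -> bool:
    """True only if the image still matches the checksum recorded for it."""
    sidecar = sidecar_for(image)
    if not image.exists() or not sidecar.exists():
        return False
    return sha256_of(image) == sidecar.read_text().split()[0]


def pristine_images(store: Path) -> list:
    """All pristine images in the store, oldest first by sequence number."""
    numbered = []
    for p in store.iterdir():
        m = PRISTINE_RE.match(p.name)
        if m:
            numbered.append((int(m.group(1)), p))
    return [p for _, p in sorted(numbered)]


def add_pristine(store: Path, captured: Path) -> Path:
    """Move a freshly captured image into the store as the newest pristine
    image, checksum it, then drop all but the newest KEEP_PRISTINE images.
    The factory image is never touched."""
    existing = pristine_images(store)
    seq = int(PRISTINE_RE.match(existing[-1].name).group(1)) + 1 if existing else 1
    new_image = store / f"pristine-{seq}.img"
    shutil.move(str(captured), str(new_image))
    record_checksum(new_image)
    for old in pristine_images(store)[:-KEEP_PRISTINE]:
        sidecar_for(old).unlink(missing_ok=True)
        old.unlink()
    return new_image


def choose_restore_source(store: Path) -> Path:
    """Newest pristine image whose checksum still matches; the factory image
    is the last resort and must verify too."""
    for img in reversed(pristine_images(store)):
        if verify_image(img):
            return img
    factory = store / FACTORY_NAME
    if not verify_image(factory):
        raise RuntimeError("no image in the store verifies; fall back to factory media")
    return factory


def run_demo() -> dict:
    """Exercise the scheme on a constructed store in a temporary directory.
    The image contents are small constructed stand-ins, not real disk images."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "images"
        store.mkdir()
        factory = store / FACTORY_NAME
        factory.write_bytes(b"factory image with MS updates (constructed)")
        record_checksum(factory)
        for n in range(3):                        # three re-imaging rounds
            cap = Path(tmp) / "capture.img"
            cap.write_bytes(f"pristine image round {n} (constructed)".encode())
            add_pristine(store, cap)
        results["remaining"] = [p.name for p in pristine_images(store)]
        results["factory_kept"] = factory.exists() and verify_image(factory)
        results["restore_from"] = choose_restore_source(store).name
        # a damaged newest image no longer matches its sidecar, so it is skipped
        (store / "pristine-3.img").write_bytes(b"damaged (constructed)")
        results["restore_after_damage"] = choose_restore_source(store).name
    return results


if __name__ == "__main__":
    print(run_demo())
```

In the demo the third round rotates pristine-1 out, the factory image stays, and once pristine-3 is damaged the restore falls back to pristine-2 rather than silently restoring a bad image.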
 
FromTheRafters

Bear said:
Virus said:
What a joke.

I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if today
they're shelling out for $1 million+ contracts for AV garbage-ware.

Because as we all know, AV products today are really good at telling you
that your system got hacked - a few weeks ago.

AV is still useful for preventative (albeit reactive) protection against
most *viruses*. As for hacks and general malware it seems to have taken
more of a removal after-the-fact role as viruses become less prevalent.
IMO this has led to them being more of an enabling influence on those
bad behaviors that users always tend toward.

It's the damned marketing schemes that are a joke.

[...]

Yes, things shifted remarkably a while back. As a result, I shifted my
strategies from reaction to recovery.

I make a factory (with MS Updates) and pristine image and use the
pristine image. As time goes on and enough MS Updates have happened or I
decide to make a permanent change to my system I reload the pristine
image, make the updates and changes, and re-image that, which becomes the
new pristine image, and keep the old one as a backup. I continue this
approach but only keep the two latest images (the factory clean image is
permanent).

The pristine image is the factory image with all MS and other updates
and all of your data and programs. Every now and then, I load the
factory image and load the new MS updates and re-image that.

This ensures, as well as can be, that you always have a clean system.
This means you keep at least three images. If you run into malware
reactively, simply reload your most current pristine image. Such takes
30 minutes or less - usually much less time than it takes to react
properly to malware.

IMO, most discussion about how to deal with malware is made moot with
this approach. This doesn't mean prevention attempts aren't important!
IMO, disaster recovery should take a back seat to prevention. The reason
being that some types of malware can hose your recovery scheme. That is,
all but the original pristine image as laid out in your stated scheme
are at risk - even updates of that original pristine image are
susceptible to corruption.

Everyone should have disaster recovery plans for the kind of disasters
that cannot be outright prevented. These just *happen* - they don't lurk
and data diddle for months before being discovered and pose a threat to
even your off-site backups.

Backup/restore/recovery schemes are for disaster recovery and general
security (risk reduction) and not an antimalware or antivirus scheme
which are IMO *supposed to be* preventative in nature.

First, prevent infestation of malware as best you can, then treat what
*will still* get through (there are no 100% effective detectors) as a
disaster and hope that your disaster recovery plan wasn't infiltrated.
 
kurt wismer

Bear said:
Virus Guy wrote:
What a joke.
I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if today
they're shelling out for $1 million+ contracts for AV garbage-ware.
Because as we all know, AV products today are really good at telling you
that your system got hacked - a few weeks ago.
AV is still useful for preventative (albeit reactive) protection against
most *viruses*. As for hacks and general malware it seems to have taken
more of a removal after-the-fact role as viruses become less prevalent.
IMO this has led to them being more of an enabling influence on those
bad behaviors that users always tend toward.
It's the damned marketing schemes that are a joke.
[...]
Yes, things shifted remarkably a while back. As a result, I shifted my
strategies from reaction to recovery.
I make a factory (with MS Updates) and pristine image and use the
pristine image. As time goes on and enough MS Updates have happened or I
decide to make a permanent change to my system I reload the pristine
image, make the updates and changes, and re-image that, which becomes the
new pristine image, and keep the old one as a backup. I continue this
approach but only keep the two latest images (the factory clean image is
permanent).
The pristine image is the factory image with all MS and other updates
and all of your data and programs. Every now and then, I load the
factory image and load the new MS updates and re-image that.
This ensures, as well as can be, that you always have a clean system.
This means you keep at least three images. If you run into malware
reactively, simply reload your most current pristine image. Such takes
30 minutes or less - usually much less time than it takes to react
properly to malware.
IMO, most discussion about how to deal with malware is made moot with
this approach. This doesn't mean prevention attempts aren't important!

IMO, disaster recovery should take a back seat to prevention. The reason
being that some types of malware can hose your recovery scheme. That is,
all but the original pristine image as laid out in your stated scheme
are at risk - even updates of that original pristine image are
susceptible to corruption.

Everyone should have disaster recovery plans for the kind of disasters
that cannot be outright prevented. These just *happen* - they don't lurk
and data diddle for months before being discovered and pose a threat to
even your off-site backups.

Backup/restore/recovery schemes are for disaster recovery and general
security (risk reduction) and not an antimalware or antivirus scheme
which are IMO *supposed to be* preventative in nature.

First, prevent infestation of malware as best you can, then treat what
*will still* get through (there are no 100% effective detectors) as a
disaster and hope that your disaster recovery plan wasn't infiltrated.

the first step is prevention, certainly agree with you there. if you
can prevent going through the following cycle at the first stage,
that's a lot of effort you don't have to expend.

next is detection of preventative failures, because no prevention can
ever be perfect.

next is diagnosis of what you failed to prevent, because you need to
know everything it did in order to know what steps need to be taken in
recovery. you also need to know where it came from if you're going to
involve the authorities as well as what files to send to vendors so
they can improve their products. you also need to know how the
compromise was able to succeed for when you re-evaluate your defenses.

next is reporting to authorities, because if nothing is done about the
person responsible for the compromise they will most likely continue.
home users may not consider this a meaningful step, since their
individual losses aren't likely to be enough to warrant the
authorities' time, but their compromise could be part of something
much bigger. of course for enterprises, reporting to authorities
becomes much more meaningful. additionally, reporting to authorities
can include reporting malware samples to vendors. this has meaningful
benefits to all sectors.

after that is recovery (don't want to do it before reporting to
authorities as you may be compromising opportunities to gain valuable
intelligence about the person or people involved, or lose access to
the malware samples). with the kinds of malware out there these days,
recovery can easily extend beyond the confines of your hard drive, so
while good backups and/or drive images are a must, they are only the
beginning.

finally there's re-evaluation of your defenses, because there may be
improvements you can make so that prevention will work even better the
next time.

this is a feedback loop that has the potential to make prevention
incrementally better with each iteration, as well as taking select
attackers out of the equation in the future. making prevention better
with each iteration is important because you don't want to expose the
same vulnerabilities to attackers over and over again - you'll just
get pwned the same way over and over again.

there once was this concept of the PDR triad (prevention, detection,
recovery), but laziness has turned that into something that is done on
automatic, without thought or rigor, and without any of the implicit
steps that lead to improvements - that's why i expand it out to
explicitly list those steps.
 
Bear

Bear said:
Virus Guy wrote:
What a joke.

I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if today
they're shelling out for $1 million+ contracts for AV garbage-ware.

Because as we all know, AV products today are really good at telling
you
that your system got hacked - a few weeks ago.

AV is still useful for preventative (albeit reactive) protection against
most *viruses*. As for hacks and general malware it seems to have taken
more of a removal after-the-fact role as viruses become less prevalent.
IMO this has led to them being more of an enabling influence on those
bad behaviors that users always tend toward.

It's the damned marketing schemes that are a joke.

[...]

Yes, things shifted remarkably a while back. As a result, I shifted my
strategies from reaction to recovery.

I make a factory (with MS Updates) and pristine image and use the
pristine image. As time goes on and enough MS Updates have happened or I
decide to make a permanent change to my system I reload the pristine
image, make the updates and changes, and re-image that, which becomes the
new pristine image, and keep the old one as a backup. I continue this
approach but only keep the two latest images (the factory clean image is
permanent).

The pristine image is the factory image with all MS and other updates
and all of your data and programs. Every now and then, I load the
factory image and load the new MS updates and re-image that.

This ensures, as well as can be, that you always have a clean system.
This means you keep at least three images. If you run into malware
reactively, simply reload your most current pristine image. Such takes
30 minutes or less - usually much less time than it takes to react
properly to malware.

IMO, most discussion about how to deal with malware is made moot with
this approach. This doesn't mean prevention attempts aren't important!
IMO, disaster recovery should take a back seat to prevention. The reason
being that some types of malware can hose your recovery scheme. That is,
all but the original pristine image as laid out in your stated scheme
are at risk - even updates of that original pristine image are
susceptible to corruption.

I think images should be made first, not after, and most people can do
this much more easily than trying to clean their computer, which is iffy. As
for the pristine images becoming corrupt, that is a possibility, which /is/ the
reason for keeping a factory image with MS updates, though your pristine
images are made from your factory image and no surfing/use time is on
them, which makes it more unlikely - thus the name pristine. Your factory
recovery disks or a factory image stored on your computer is nice - but
MS updates can mount up to the point of days to add them, though that
/is/ the last recourse.
Everyone should have disaster recovery plans for the kind of disasters
that cannot be outright prevented. These just *happen* - they don't lurk
and data diddle for months before being discovered and pose a threat to
even your off-site backups.

Very true.
Backup/restore/recovery schemes are for disaster recovery and general
security (risk reduction) and not an antimalware or antivirus scheme
which are IMO *supposed to be* preventative in nature.

I list a myriad of reasons for maintaining images on my website: hard
drive crashes etc. You can't depend on prevention. There is no silver
bullet. This ideology is wrong IMO but prevalent among mostly techs or
very experienced users. It might be good for them/us, but not average users.
First, prevent infestation of malware as best you can, then treat what
*will still* get through (there are no 100% effective detectors) as a
disaster and hope that your disaster recovery plan wasn't infiltrated.
NO! First make your images. Then prevent as best you can. If you get
infected and unless you are an expert at cleaning malware or want to pay
one, reload your image. Self-sufficient.

Even experts (I know this as fact) miss malware and /think/ they got it all.
 
Bear

the first step is prevention, certainly agree with you there. if you
can prevent going through the following cycle at the first stage,
that's a lot of effort you don't have to expend.

This is wrong. What are you going to do? Wait till you are infected then
make an image? First make your recovery plan before you go out into the
wild. Then work on prevention.
 
Bear

next is diagnosis of what you failed to prevent, because you need to
know everything it did in order to know what steps need to be taken in
recovery. you also need to know where it came from if you're going to
involve the authorities as well as what files to send to vendors so
they can improve their products. you also need to know how the
compromise was able to succeed for when you re-evaluate your defenses.

This takes hours and more in many cases. Most average users will never
be able to do such. Your advice may work for expert users but they are
few and far between. It takes less than 30 minutes to restore a clean image.
 
Bear

after that is recovery (don't want to do it before reporting to
authorities as you may be compromising opportunities to gain valuable
intelligence about the person or people involved, or lose access to
the malware samples). with the kinds of malware out there these days,
recovery can easily extend beyond the confines of your hard drive, so
while good backups and/or drive images are a must, they are only the
beginning.

So you are going to recover from factory images or media? Because you
haven't made your recovery images yet.
 
kurt wismer

maybe, in future, you could read my posts all the way through and let
them sink in a bit before you replied. that way you wouldn't need to
reply multiple times to the same post, and i wouldn't have to try and
piece your thoughts back together into a cohesive whole.
This is wrong. What are you going to do? Wait till you are infected then
make an image? First make your recovery plan before you go out into the
wild. Then work on prevention.

if i tell you to first drive to your parents house and then nail shut
the doors and windows, i would normally think it goes without saying
that you must first acquire a car, a hammer, and some nails.

however, since i was critical of leaving other steps in the
traditional PDR triad as implicit, i suppose it's only fitting that
"prepare" be made explicit too. so the 0th step is to prepare for your
next malware encounter. now my hexad is a septad.

This takes hours and more in many cases. Most average users will never
be able to do such. Your advice may work for expert users but they are
few and far between. It takes less than 30 minutes to restore a clean image.

in the same vein, one could also say it takes less than 30 minutes to
destroy information that could have:
a) warned the victim that his bank account was in jeopardy
b) informed the victim which vulnerable subsystem needed to be patched,
reconfigured, or disabled in order to prevent getting compromised by
similar malware in the future
c) identified which cloud-based email needed to be deleted to avoid
accidentally re-compromising the machine with the exact same malware
in the future

is this really the lesson you want to teach people? from my
perspective, this is precisely the thoughtless, lazy, half-arsed
approach i complained about before. simply restoring an image just
sets you up to get pwned again in exactly the same way. the best proof
of learning from your mistakes is to change direction - if you keep
doing the same thing you keep making the same mistake. pretending
there's an easy answer (just restore a clean image!) breeds laziness
and complacency and gives people a false sense of security.

now i realize that there are limits to what people are capable of, but
i never said they had to do it alone. they can get help if they need
to. they can also cut corners, but the more thorough their knowledge
of how their prevention failed this time, the better equipped they'll
be to improve it and not fail the next time.

So you are going to recover from factory images or media? Because you
haven't made your recovery images yet.

yes, yes, recovery needs preparations. guess what - so does
prevention, so does detection, so does diagnosis, etc. making images
is an implementation detail, just like updating anti-virus software,
preparing a whitelist, generating a behavioural baseline for installed
software, collecting file integrity information, and so on and so
forth. you raised an important point (in your single-minded sort of
way) about the importance of preparedness, but you don't have to keep
banging that drum.
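kurt's list of preparations above includes "collecting file integrity information". The Python below is an added example (not code from the thread) that takes such a baseline as the prepare step, uses it for the detect step, and keeps a diagnosis record of exactly what changed, so that information survives a later re-image instead of being destroyed by it. The directory layout, the record format and the files built in run_demo() are constructed for the example.

```python
"""File-integrity baseline carried through prepare -> detect -> diagnose.

Added example, not code from the thread. Directory layout, record format
and the files built in run_demo() are constructed for illustration."""
import hashlib
import json
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """PREPARE: record hash, size and permission bits of every file under
    root. Taken on a known-good system, before it goes 'into the wild'."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """DETECT: which paths appeared, disappeared or changed since the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in both
            if baseline[k]["sha256"] != current[k]["sha256"]
            or baseline[k]["mode"] != current[k]["mode"]
        ),
    }


def diagnosis_record(baseline: dict, current: dict, findings: dict) -> dict:
    """DIAGNOSE: keep the before/after facts for every changed path. Write this
    out *before* re-imaging: the restored system no longer holds this
    evidence, and it is what a vendor or investigator asks for and what the
    re-evaluate step needs."""
    evidence = {}
    for k in findings["added"]:
        evidence[k] = {"baseline": None, "current": current[k]}
    for k in findings["modified"]:
        evidence[k] = {"baseline": baseline[k], "current": current[k]}
    for k in findings["removed"]:
        evidence[k] = {"baseline": baseline[k], "current": None}
    return {"findings": findings, "evidence": evidence}


def run_demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, detect, record."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"original tool (constructed)")
        (root / "notes.txt").write_text("user data (constructed)\n")
        baseline = build_baseline(root)

        # constructed changes: one file altered, one added, one removed
        (root / "bin" / "tool").write_bytes(b"altered tool (constructed)")
        (root / "bin" / "extra").write_bytes(b"unexpected new file (constructed)")
        (root / "notes.txt").unlink()

        current = build_baseline(root)
        findings = compare(baseline, current)
        record = diagnosis_record(baseline, current, findings)
        # in practice this goes somewhere the re-image cannot wipe it
        (root / "diagnosis.json").write_text(json.dumps(record, indent=2))
        return {"findings": findings, "evidence_paths": sorted(record["evidence"])}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The baseline and the diagnosis record are plain JSON, so they can be stored off the machine (or on the same media as the images) and compared again after a restore to confirm the restored system actually matches the known-good state.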
 
Bear

maybe, in future, you could read my posts all the way through and
let them sink in a bit before you replied. that way you wouldn't need
to reply multiple times to the same post, and i wouldn't have to try
and piece your thoughts back together into a cohesive whole.

It's how I chose to do it this time.
if i tell you to first drive to your parents house and then nail
shut the doors and windows, i would normally think it goes without
saying that you must first acquire a car, a hammer, and some nails.

however, since i was critical of leaving other steps in the
traditional PDR triad as implicit, i suppose it's only fitting that
"prepare" be made explicit too. so the 0th step is to prepare for
your next malware encounter. now my hexad is a septad.

Outstanding...though I was making a point that getting recovery ready
first was the most important thing. You said otherwise.
in the same vein, one could also say it takes less than 30 minutes
to destroy information that could have: a) warned the victim that his
bank account was in jeopardy b) informed the victim which vulnerable
subsystem needed to be patched, reconfigured, or disabled in order to
prevent getting compromised by similar malware in the future c)
identified which cloud-based email needed to be deleted to avoid
accidentally re-compromising the machine with the exact same malware
in the future

is this really the lesson you want to teach people? from my
perspective, this is precisely the thoughtless, lazy, half-arsed
approach i complained about before. simply restoring an image just
sets you up to get pwned again in exactly the same way. the best
proof of learning from your mistakes is to change direction - if you
keep doing the same thing you keep making the same mistake.
pretending there's an easy answer (just restore a clean image!)
breeds laziness and complacency and gives people a false sense of
security.

My post was not a comprehensive assessment of the issues. It is simple
one two three. In my comprehensive security plan on my website, I
explain that if a system becomes infected...image it. Then recover. You
can then take all the time you want and have all the records you need.
You know this right? You are making assumptions that are incorrect to
suit your debate.
now i realize that there are limits to what people are capable of,
but i never said they had to do it alone. they can get help if they
need to. they can also cut corners, but the more thorough their
knowledge of how their prevention failed this time, the better
equipped they'll be to improve it and not fail the next time.

The neighborhood or family computer "expert" is rarely capable of expert
help especially when it comes to malware removal. Malware removal
requires such expertise or you are simply pissing in the wind. I speak
to the average user and relate to him what I think is the best approach
for him to take. If you are an expert user, you don't need any advice
on how to manage your systems.
yes, yes, recovery needs preparations. guess what - so does
prevention, so does detection, so does diagnosis, etc. making images
is an implementation detail, just like updating anti-virus software,
preparing a whitelist, generating a behavioural baseline for
installed software, collecting file integrity information, and so on
and so forth. you raised an important point (in your single-minded
sort of way) about the importance of preparedness, but you don't have
to keep banging that drum.

Of course it does...but you jumped into the discussion bypassing the
most important first step deliberately and supposedly authoritatively
after I had said recover preparation was the most important first
step...and your reply basically said it was not. It is why I pointed the
issue out.

It's ok though...I understand that sometimes it's hard not to get
personal in these groups.
 
FromTheRafters

Bear wrote:
[...]
I think images should be made first, not after and most people can do
this much easier than trying to clean their computer which is iffy.

I guess I wasn't clear. My take on this is that images should be taken
apart and aside from any malware considerations. Even if malware didn't
exist at all, users should still have a backup and restore scheme in play.

Then, we move on to the malware arena. Prevention is first and foremost,
it *will* fail at some point so some kind of recovery plan next,
followed by the restore plan. Some people will restore and update rather
than recover because restoring an image is often easier than trying to
recover straight to the state the computer was in just before the
infestation.

People should not rely on their images to protect them from malware
infestation and the corruption that might ensue. The reason being that
it does not address the problem at all, but addresses disasters like
harddrive crashes or errant satellites crashing into your house or
business quite well.

[...]
 
kurt wismer

On 1/28/2012 1:27 PM, kurt wismer wrote: [snip - since you borked the quote attribution anyways]
if i tell you to first drive to your parents house and then nail
shut the doors and windows, i would normally think it goes without
saying that you must first acquire a car, a hammer, and some nails.
however, since i was critical of leaving other steps in the
traditional PDR triad as implicit, i suppose it's only fitting that
"prepare" be made explicit too. so the 0th step is to prepare for
your next malware encounter. now my hexad is a septad.

Outstanding...though I was making a point that getting recovery ready
first was the most important thing. You said otherwise.

that may have been what you meant, but that's not how it came across.
even in this reply you seem to present a recovery-centric over-all
approach.

the phrase "an ounce of prevention is worth a pound of cure" didn't
become a famous idiom for nothing.

[snip]
My post was not a comprehensive assessment of the issues. It is simple
one two three. In my comprehensive security plan on my website, I
explain that if a system becomes infected...image it. Then recover. You
can then take all the time you want and have all the records you need.
You know this right? You are making assumptions that are incorrect to
suit your debate.

what i know is that if you restore to a pre-infected, vulnerable state
you're likely to get pwned again while you "take all the time you
want" to perform the diagnosis.

what i know is that without additional measures to prevent compromise
you just recovered from you are essentially putting the system into an
'about to be infected' state.

what i know is that you can't take those additional measures until
*AFTER* you perform diagnosis.

what i know is that restoring before involving the authorities tips
your hand to the attackers and gives them an opportunity to cover
their tracks before an investigation can even begin.

what i know is that good strategies can be rendered moot by bad
tactics.

what i know is that when someone says something like dealing with
malware can be easy or simple, they're selling the reader a false bill
of goods.

The neighborhood or family computer "expert" is rarely capable of expert
help especially when it comes to malware removal.

and who said anything about getting help from them?

[snip]
Of course it does...but you jumped into the discussion bypassing the
most important first step deliberately and supposedly authoritatively
after I had said recover preparation was the most important first
step...and your reply basically said it was not. It is why I pointed the
issue out.

go back and re-read what you wrote. you didn't portray it as recovery
preparation, you portrayed it as the entire process of dealing with
malware, and only threw in an off-hand mention to prevention at the
very end (with no mention of detection, no means of improving or
learning from past mistakes, etc).

FromTheRafters was right in the sense that when you encounter malware,
the first thing you want to try to do is prevention. yes you need to
make preparations but that is something that should already be in
place, not something you do when you encounter malware.

furthermore, there's more to preparations than just recovery
preparations - every stage potentially requires preparations, but you
only mention recovery. is it any wonder your statements haven't been
interpreted the way you're trying to spin them now?
 
Dustin

Virus Guy said:
What a joke.

I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if today
they're shelling out for $1 million+ contracts for AV garbage-ware.

Because as we all know, AV products today are really good at telling
you that your system got hacked - a few weeks ago.

viruses are hacking now?
 
kurt wismer

viruses are hacking now?

most malware these days is non-viral. since non-viral malware doesn't
spread on its own, there is an actual person behind the scenes
directing the attack (to varying degrees of precision).

(not that i'd call breaking into systems "hacking", though, but i know
many others do)
 
Dustin

Bear said:
On 1/28/2012 7:51 AM, FromTheRafters wrote:
Virus Guy wrote:
What a joke.

I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if
today they're shelling out for $1 million+ contracts for AV
garbage-ware.

Because as we all know, AV products today are really good at
telling you
that your system got hacked - a few weeks ago.

AV is still useful for preventative (albeit reactive) protection
against most *viruses*. As for hacks and general malware it seems
to have taken more of a removal after-the-fact role as viruses
become less prevalent. IMO this has led to them being more of an
enabling influence on those bad behaviors that users always tend
toward.

It's the damned marketing schemes that are a joke.

[...]

Yes, things shifted remarkably a while back. As a result, I
shifted my strategies from reaction to recovery.

I make a factory (with MS Updates) and pristine image and use the
pristine image. As time goes on and enough MS Updates have happened
or I decide to make a permanent change to my system I reload the
pristine image, make the updates and changes and re-image that, which
becomes the new pristine image, and keep the old one as a backup. I
continue this approach but only keep the two latest images (the
factory clean image is permanent).

The pristine image is the factory image with all MS and other
updates and all of your data and programs. Every now and then, I
load the factory image and load the new MS updates and re-image
that.

This ensures, as well as can be, that you always have a clean
system. This means you keep at least three images. If you run into
malware reactively, simply re-load your most current pristine
image. Such takes 30 minutes or less - usually much less time than
it takes to react properly to malware.

IMO, most discussion about how to deal with malware is made moot
with this approach. This doesn't mean prevention attempts aren't
important!
IMO, disaster recovery should take a back seat to prevention. The
reason being that some types of malware can hose your recovery
scheme. That is, all but the original pristine image as laid out in
your stated scheme are at risk - even updates of that original
pristine image are susceptible to corruption.

I think images should be made first, not after, and most people can do
this much easier than trying to clean their computer, which is iffy.
As for the pristine images becoming corrupt, that is a possibility which
/is/ the reason for keeping a factory image with MS updates, though
your pristine images are made from your factory image and no
surfing/use time is on them, which makes it more unlikely - thus the
name pristine. Your factory recovery disks or a factory image stored
on your computer is nice - but MS updates can mount up to the point
of days to add them, though that /is/ the last recourse.
Everyone should have disaster recovery plans for the kind of
disasters that cannot be outright prevented. These just *happen* -
they don't lurk and data diddle for months before being discovered
and pose a threat to even your off-site backups.

Very true.
Backup/restore/recovery schemes are for disaster recovery and
general security (risk reduction) and not an antimalware or
antivirus scheme which are IMO *supposed to be* preventative in
nature.

I list a myriad of reasons for maintaining images, on my website =
hard drive crashes etc. You can't depend on prevention. There is no
silver bullet. This ideology is wrong IMO but prevalent among mostly
techs or very experienced users. It might be good for them/us, but
not average users.
First, prevent infestation of malware as best you can, then treat
what *will still* get through (there are no 100% effective
detectors) as a disaster and hope that your disaster recovery plan
wasn't infiltrated.
NO! First make your images. Then prevent as best you can. If you get
infected and unless you are an expert at cleaning malware or want to
pay one, reload your image. Self-sufficient.

Without knowing what infected you or how.. that image is going to get
0wned again. You accomplish nothing by doing this aside from giving the
user a very false sense that they are safe again. Very unprofessional and
irresponsible. Various individuals have tried to explain this but you
smugly dismiss them.
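The imaging scheme Bear describes above (a permanent factory image plus a rotating pair of pristine images), written out as an added example that is not from any poster in this thread. It adds the one control the thread keeps circling: each image's SHA-256 is recorded when the image is made and re-checked before the image is treated as restorable, so an image that has been corrupted or altered in the meantime is refused rather than silently reloaded. Every name here (ImageStore, manifest.json, pristine-NNN.img, demo) is constructed for the example; the "images" are byte strings standing in for real disk images.

```python
"""Factory image + rotating pristine images, with integrity checks before restore.
Added example; all file names and the ImageStore class are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

KEEP_PRISTINE = 2  # the poster's rule: keep only the two latest pristine images


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class ImageStore:
    """Layout: <root>/factory.img, <root>/pristine-NNN.img, <root>/manifest.json.
    The manifest holds the recorded hashes; keep a copy of it off the machine,
    otherwise whatever can alter an image can alter the manifest too."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.json"
        if not self.manifest.exists():
            self._save({"factory": None, "pristine": []})

    def _load(self):
        return json.loads(self.manifest.read_text())

    def _save(self, m):
        self.manifest.write_text(json.dumps(m, indent=2))

    def record_factory(self, src):
        """The factory image is permanent: recorded once, never replaced."""
        m = self._load()
        if m["factory"] is not None:
            raise RuntimeError("factory image already recorded; refusing to overwrite")
        dst = self.root / "factory.img"
        shutil.copyfile(src, dst)
        m["factory"] = {"file": dst.name, "sha256": sha256_file(dst)}
        self._save(m)
        return dst.name

    def add_pristine(self, src):
        """Record a new pristine image; drop the oldest beyond KEEP_PRISTINE."""
        m = self._load()
        seq = 1 + max((p["seq"] for p in m["pristine"]), default=0)
        dst = self.root / f"pristine-{seq:03d}.img"
        shutil.copyfile(src, dst)
        m["pristine"].append({"seq": seq, "file": dst.name, "sha256": sha256_file(dst)})
        while len(m["pristine"]) > KEEP_PRISTINE:
            (self.root / m["pristine"].pop(0)["file"]).unlink(missing_ok=True)
        self._save(m)
        return dst.name

    def verify(self, name):
        """(ok, reason); a False result means: do not restore from this image."""
        m = self._load()
        known = ([m["factory"]] if m["factory"] else []) + m["pristine"]
        entry = next((e for e in known if e["file"] == name), None)
        if entry is None:
            return False, "not in manifest"
        path = self.root / name
        if not path.exists():
            return False, "file missing"
        if sha256_file(path) != entry["sha256"]:
            return False, "sha256 mismatch: image changed since it was recorded"
        return True, "ok"

    def restorable(self):
        """Images that still verify, newest pristine first, factory image last."""
        m = self._load()
        names = [p["file"] for p in reversed(m["pristine"])]
        if m["factory"]:
            names.append(m["factory"]["file"])
        return [n for n in names if self.verify(n)[0]]


def demo():
    """Run the scheme on constructed byte strings standing in for disk images."""
    work = Path(tempfile.mkdtemp())
    src = work / "current.img"
    store = ImageStore(work / "store")
    src.write_bytes(b"constructed factory image")
    store.record_factory(src)
    for i in range(3):  # three update rounds: rotation should drop pristine-001
        src.write_bytes(b"constructed pristine image %d" % i)
        store.add_pristine(src)
    before = store.restorable()
    try:
        store.record_factory(src)
        refused = False
    except RuntimeError:
        refused = True
    # simulate the corruption FromTheRafters warns about on the newest image
    (work / "store" / "pristine-003.img").write_bytes(b"constructed tampering")
    ok, reason = store.verify("pristine-003.img")
    return {"before": before, "after": store.restorable(), "factory_refused": refused,
            "tampered_ok": ok, "reason": reason,
            "oldest_deleted": not (work / "store" / "pristine-001.img").exists()}
```

Restoring from a verified image is the recovery step only; it says nothing about what got in or how, which is the gap Dustin points to. The hash check narrows one risk (restoring from an image that was itself altered), not that one.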
 

Bear Bottoms

Without knowing what infected you or how.. that image is going to get
0wned again. You accomplish nothing by doing this aside from giving
the user a very false sense that they are safe again. Very
unprofessional and irresponsible. Various individuals have tried to
explain this but you smugly dismiss them.

With an image of the infected system, all information is there to do with
as you will. Nothing is lost. You are simply wrong.
 

FromTheRafters

Bear said:
With an image of the infected system, all information is there to do with
as you will. Nothing is lost. You are simply wrong.

Are you suggesting that an image of the infected drive is the same
*forensically* as having the actual 'still infected' drive to examine is?
 
