Ask ExeTools: Best Antivirus & AntiMalware 2017

[SKiLLa]

All the major hacks and Advanced Persistent Threats (APT) stats show that AV solutions don't work; sure it might flag a really really well-known malware family in your mailbox or dubious website; but any 0day variant will - by definition - not be detected; even heuristics won't help much for bigger campaigns (malware developers test as well you know )

It's also shockingly easy to take any random well known malware family and make it undetectable; it's even - probably the easiest - part of the OSCE exam.

Then add the fact that for performance reasons it will not even detect really old malware anymore and performance-impact is still noticable; I can't recommend ANY (locally installed) antivirus/malware solution to start with.

Even very expensive enterprise ones still have false positives and true negatives and thus using AV-solutions can actually give a false sense of security; you're not as secure as you think your are.

Have it on the mailserver doesn't really hurt; but for local stuff, just do your updates, use a restricted account and the OS built-in firewall (assuming recent OSes, not talking WinXP here). For playing with untrusted downloads just use a VM with optionally Sandboxie within that VM and rollback to your snapshot afterwards, just to be sure.

For non-tech savy people / "end users", just scare them to death to never ever click any fake updates, download or bill they got sent by e-mail and install the AV that got first place in a big AV test for this Quarter (like: best effort for the given moment).

[chants]

It is a famous "cat and mouse" game as you always have to stay current. Yes you can always wrap something and make it undetectable but the importance of staying current is an issue.

I always go with Windows Defender, a properly configured router, and care when running strange binaries by sandboxing/VM. Yes the random malware that infects legitimate sites like the one that occurred recently in CCleaner right after Avast, an antivirus company acquired it, is hilariously ironic in this case but its not so common that it cannot be dealt with as a one off.

The problem with AV, is its hard to measure future detection rates. And we don't care about the past so much here. The question on detection rate, is if some arbitrary malware comes out, how long it would take before that particular AV detects it or if not what % will it achieve. So we are left with our own empirical evidence and feelings and some configurability on top of a black box engine which we indeed can do nothing but speculate about.

Most of the malware nonsense is just fun and games anyway and questionable beyond at a big enterprise or for a sysadmin maintaining a lot of computers, or for really naïve users who would never be able to do a self repair.

It is only interesting if we are talking about BIOS hacking, and hypervisor chips and what the real racketeers hiding behind agencies are up to. Then well, really, someone probably already "owns yours box" especially if you browse this forum. And since they can physically break in and enter with almost no effort, unless you are going to design an unhackable chipset, you probably won't even be able to guard a new purchase past a week. But if anyone manages to beat the big crooks, it would be interesting. But its non trivial and would require a huge amount of work. And you are not getting much help from big hardware business these days who are largely trying to lock up their corners of the financial markets by complying and bending over backwards to the nearest government power structure. But the AV companies stay out of here too. And the hardware companies have dumped firmwares containing extremely sophisticated monitoring and harassment packages and keep their lips shut.