I know that recently I’ve been spending a lot of time talking about Windows antivirus. Often, I am quite disappointed by the effectiveness of most antivirus tools. Many security researchers, along with my own research on the subject, estimate antivirus to be effective less than half of the time. That said, I still believe that antivirus deserves a place on all systems, and I wanted to take a moment to describe the way I implement antivirus on many of the Windows machines in my life.
Let me start by saying that I have very few Windows machines left in my life. Most of those I still use on a day-to-day basis are virtual machines used for very specific research and testing purposes. I use a pretty basic approach to antivirus on these systems, as they are not usually exposed to general use, uncontrolled traffic or untrusted networks.
However, there are still a few holdout machines that I either use or support for friends and family. On these devices, most of which are Windows, I have begun to use a new approach to antivirus implementation. Thus far, I have been impressed by the solution and its effectiveness at keeping the machines relatively virus-free and operating smoothly. So, how do I do it? Well, for starters, I use two different antivirus products. First, I install ClamAV for Windows and configure it for real-time protection. ClamAV is free software, and so far I have been very impressed with its performance. One of the nicest things about the ClamAV solution is that it has a fairly light system footprint and doesn’t seem to bog down the system even while it performs real-time protection. Next, I install the Comodo firewall and antivirus solution. This solution is pretty nice: it includes not only antivirus but also a pretty effective and useful firewall. This software is also free for noncommercial use. On the Comodo antivirus, I turn off real-time protection and instead schedule a full antivirus scan every night while my family member is sleeping.
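Once the two products are installed, it is worth confirming that the layering actually came out as intended: exactly one engine with real-time protection on, and the other present but running only on its schedule. The following PowerShell is an added example, not code from the original post or from either vendor; it reads the Windows Security Center registration of each antivirus product and assumes the commonly documented encoding of its productState field (middle byte 0x10 or 0x11 = real-time on, low byte 0x10 = signatures out of date). The root/SecurityCenter2 namespace exists on client editions of Windows, not on Windows Server.

```powershell
# Added example: verify the "one real-time scanner plus one scheduled scanner"
# layout by decoding what each product reports to Windows Security Center.
# Assumption: productState uses the widely documented layout 0xWWXXYY, where
# XX = 0x10/0x11 means real-time protection is on (0x00/0x01 off) and
# YY = 0x10 means definitions are out of date (0x00 current).

function Get-AvLayering {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $state   = [int]$p.productState
        $rtByte  = ($state -shr 8) -band 0xFF   # middle byte: real-time status
        $sigByte = $state -band 0xFF            # low byte: signature freshness
        [pscustomobject]@{
            Name      = $p.displayName
            RealTime  = (($rtByte -band 0x10) -ne 0)
            SigsStale = (($sigByte -band 0x10) -ne 0)
            Timestamp = $p.timestamp
        }
    }
}

$layers = @(Get-AvLayering)
$layers | Format-Table -AutoSize

$realtime = @($layers | Where-Object { $_.RealTime })
if ($realtime.Count -eq 1 -and $layers.Count -ge 2) {
    "OK: one real-time engine ($($realtime[0].Name)) plus $($layers.Count - 1) on-demand product(s)."
} elseif ($realtime.Count -gt 1) {
    # Two real-time engines on the same host commonly fight over file access.
    "WARNING: $($realtime.Count) products report real-time protection on; only one should."
} else {
    "WARNING: no installed product reports real-time protection."
}

$stale = @($layers | Where-Object { $_.SigsStale })
if ($stale.Count -gt 0) {
    "WARNING: definitions out of date for: $(($stale | ForEach-Object { $_.Name }) -join ', ')"
}
```

Run this in an elevated PowerShell session after setup and again after any product update, since an update can silently re-enable a vendor's real-time component.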
By combining two different antivirus products, one in real time and the other for periodic ongoing scanning, I seem to have been able to reduce my service-call infection rates by about 50%. From an attacker’s standpoint, a piece of malware would need to evade both products in order to maintain a presence on the system for longer than 24 hours. While such an attack is surely plausible, it simply is not the threat pattern that my family’s home personal-use machines face. By combining two different products and leveraging each of them in a slightly different way, I have been able to increase the effective defense for my users.
As always, your mileage and paranoia may vary. Certainly, I am not endorsing either of these products. You should choose whatever antivirus products you feel most comfortable with. I simply used these two free products to illustrate the approach. Thanks for reading, and be careful out there.