When Having More = Less?

[MidnightCowboy]

Statistics of course are great fun and often need to viewed in this manner
Anything other than 1+1=2 is so open to manipulation and any internet research will throw up opposite data for the same products if you search for long enough

This led me to think back to what I used to see when servicing customers and attempting to guide them through their concerns about PC security. Confusion in this area is highly understandable as security vendors are just like politicians. It's quite possible for an ardent supporter of party “A” to attend a party “B” meeting and emerge fully converted!

Further thinking about this issue led me to make another conclusion and I was wondering if anyone else can identify with this?

I already discounted from my recollections that group of people who just switch on and surf irrespective. For them there is no solution, only hope and even this is minimal. From the others I came to the conclusion that collectively, more issues were caused by the security programs themselves than would have been by the exposure risk to malware without them. Furthermore, I surmised that adding more programs increased this risk without improving protection. I reasoned this might involve several factors. First, even with a reasonable knowledge of Windows, managing multiple security programs is time consuming and stressful. This naturally develops a tendency to skip though numerous alerts carelessly instead of concentrating on a smaller number effectively. Allied to this is a self generated belief of invulnerability (safety in numbers) and a natural human receptiveness to hype.

The logic of it went something like this:

System + Windows firewall + AV = stress risk “2” and threat risk/protection level “5” (out of ten) with possible vulnerabilities to zero day malware and “leaky” installations.

System + third party firewall with HIPS + AV + antispyware + antikeylogger + behaviour blocker or anti-executable = stress risk “9” and threat risk “1” (nothing is perfect or impregnable).

IMO the results of such a high level of stress (except for ardent security software enthusiasts) is likely to humanly engineer this protection level down to nearer “7” or lower.

Considering the addition of no maintenance items like DNS filters, NoScript and WOT will eradicate many threats before an AV even comes into play also led me to believe those people who said they switched to MSE and have never been infected are likely telling the truth. By example I still have three sets of folks near here who I persuaded onto the FortClient suite and despite its poor results in “tests”, none of them has got infected either.

What do others think?

[blues]

I think what you say makes a good deal of sense.

My wife and I switched to MSE from Avast & Avira respectively.

We have never been infected. On her system MSE detected one trojan (which it removed automatically) and Sandboxie showed one piece of malware that was unable to leave the sandbox.
She is not a sophisticated user and relies on me for her setup.

In addition to the items in my signature, I use WOT & NoScript with my browser along with BetterPrivacy and AdBlock Plus. (I started using ClearCloud a few months back.)

I have never had any malware detected (and hope it stays that way).

For me the layered approach is definitely working though I do try to pay attention to the actions I take.

[bo.elam]

For me by using Sandboxie, CCloud, XP FW and NoScript my threat and
stress level are about one. The only stress that I get happens when I
want to try a new program on my real system, never when surfing or
opening files that I have downloaded from the internet.

Bo

[Terarus]

with the addition of sandboxie, my stress level is 1 and i think with tweaks + good computer habits, the protection is around 8 or 9

i want to make sure what u mean by system, because if you include software policy restrictions and lua into "system", i think the protection is at least an 8. SPR doesnt seem to have any real opponents other than zero day vulnerabilities and perhaps a very dumb admin

[Taurus]

Quote:

Originally Posted by MidnightCowboy

Considering the addition of no maintenance items like DNS filters, NoScript and WOT will eradicate many threats before an AV even comes into play also led me to believe those people who said they switched to MSE and have never been infected are likely telling the truth. By example I still have three sets of folks near here who I persuaded onto the FortClient suite and despite its poor results in “tests”, none of them has got infected either.

What do others think?

MC, are you saying that DNS filtering, NoScript, and WOT are more effective at blocking threats than MSE or FortClient?

My intuition tells me that the second a client feels that their browsing experience is somehow limited by the use of these "no maintenance items", those no maintenance items will be removed by the client. The clients stress level is lowered until they get nailed by and infection. LOL..Then your stress level is immediately elevated because they will bring that infected machine back to you.

Security measures native to the client's OS work the best because the client doesn't have to do anything and they will rarely become infected. That's the beauty of Linux and Win 7...it's all built in. The challenge to you is teaching the client to use native protection effectively.

Win 7 has IE9, a two way firewall, and system imaging built in. Can IE9 go into a "virtual" mode with Win 7? If so, that pretty much covers the bases if a standard user account is utilized.

[Bob]

Quote:

Originally Posted by MidnightCowboy

Statistics of course are great fun and often need to viewed in this manner
Anything other than 1+1=2 is so open to manipulation and any internet research will throw up opposite data for the same products if you search for long enough

And just about any drug company will try to find loopholes to "lie with statistics" - both in their advertising and the research they sponsor (whether openly or covertly). And it's not just presentation of statistics... Methodological transparency is a big issue which is being ethically addressed in medical research - though presumably not quite so much in the field of computer health and safety.

IMO, one of the things that Gizmo's can be proud of is the steps that Remah, Rizar and others are taking to minimize bias in security software testing so as to identify independently which products really do "perform" best (leaving aside ease of use and other pertinent considerations which will no doubt also affect choice of a Gizmo's Top Pick).

Just my 2c on the role of statistics etc... as distinct from the specific points MC was making.

[Taurus]

Quote:

Originally Posted by Terarus

with the addition of sandboxie, my stress level is 1 and i think with tweaks + good computer habits, the protection is around 8 or 9

Same here. And I'm on an old XP SP3 box with a pentium processor and 1 GB of RAM.

[MidnightCowboy]

Quote:

Originally Posted by Terarus

with the addition of sandboxie, my stress level is 1 and i think with tweaks + good computer habits, the protection is around 8 or 9

i want to make sure what u mean by system, because if you include software policy restrictions and lua into "system", i think the protection is at least an 8. SPR doesnt seem to have any real opponents other than zero day vulnerabilities and perhaps a very dumb admin

I purposely didn't include SRP in this scenario because from experience the typical user in this group would not be interested and will already have switched UAC off

[MidnightCowboy]

Quote:

Originally Posted by Taurus

MC, are you saying that DNS filtering, NoScript, and WOT are more effective at blocking threats than MSE or FortClient?

What I meant to convey is that these tools between them will account for a lot of baddies before you even need to rely on an AV to pick them up, irrespective of whatever built in browser security might also have been activated.

Depending on your chosen client of course not all DNS filters will block access, but merely advise against it. This is where maybe some of the so called tests could be expanded. Instead of just saying stuff like "fed 400 samples and blocked 384" it might be interesting to know what percentage of these would have been blocked or alerted by a DNS filter or browser extension anyway. I'm referring here to modern and/or generic malware. Then we would have much more of an idea about a products performance with what was left. I accept that signature detections are also important if for no other reason than to indicate something must be radically wrong with a product that doesn't flag a known sample that is six months old.

I guess all this is just a roundabout way of trying to convey that because product "A" scores 98% in a test, only a fraction of these detections might be relevant to user "B's" needs and if more reliable information was available, many Windows users might decide they don't need a resident AV at all. This point was made quite eloquently by Dedoimedo in one of his articles a while back.

[Bob]

Quote:

Originally Posted by MidnightCowboy

I guess all this is just a roundabout way of trying to convey that because product "A" scores 98% in a test, only a fraction of these detections might be relevant to user "B's" needs and if more reliable information was available, many Windows users might decide they don't need a resident AV at all. This point was made quite eloquently by Dedoimedo in one of his articles a while back.

I think that's why your articles on how to secure your own computer efficiently and effectively are so relevant. I'm thinking in particular of your Safe Computing in Under an Hour and Gizmo's Security Wizard.

IMO, we average computer users may have got into an unfortunate habit of judging security programs mainly for their individual talents, rather than on how they play together as a team on our own patch of turf.