Be careful of Windows update

In message "First of
One" was claimed to have wrote:

A few things make daily AV software updates overkill:

- Just because a zero-day virus is in the wild doesn't mean it has infected
the file you happen to be downloading today. In fact virus propagation on
the internet takes time.
- When an AV software developer is made aware of a new virus in the wild,
they still need time to analyze it and develop the signature, so even daily
AV updates will lag behind virus threats by a few days.

Right... So why add additional latency to the process?

* First of One:
Checking for AV updates daily is really overkill.

No, it isn't.

:-) I update my Avira
Antivir definitions once a month and I download all kinds of cracks and
no-CD patches without infection.

Just because you were lucky so far doesn't mean your approach is
sensible. In fact, you can be infected without knowing it.

Updating your AV software daily only takes seconds and is done
automatically. There is absolutely no sane reason to not do it.

Benjamin

* First of One:
A few things make daily AV software updates overkill:

- Just because a zero-day virus is in the wild doesn't mean it has infected
the file you happen to be downloading today. In fact virus propagation on
the internet takes time.

This is not true, as the past has shown. Many zero day exploits are
widely used within a few days.

- When an AV software developer is made aware of a new virus in the wild,
they still need time to analyze it and develop the signature, so even daily
AV updates will lag behind virus threats by a few days.

No. Just because you (the public) haven't heard of it before does not
mean the AV software developers haven't, too.

- Signatures is only one means of detecting viruses, the other being
heuristics.

Heuristics is very unreliable and only works when the malware is already
on your system.

Sorry, but your relaxed and very naive approach is a prime example why
bot net operators never run out of zombie PCs.

Benjamin

In message Benjamin Gawert
was claimed to have wrote:

- Signatures is only one means of detecting viruses, the other being
heuristics.

Heuristics is very unreliable and only works when the malware is already
on your system.

*all* desktop AV software only works when malware is already on your
system.

Heuristics are trivially defeated by any virus author with a copy of the
AV software they're trying to defeat and are therefore not particularly
reliable, but that's another debate entirely.

* DevilsPGD:

Heuristics is very unreliable and only works when the malware is already
on your system.

*all* desktop AV software only works when malware is already on your
system.

Well, yes (it was badly worded, sorry). However, heuristics only works
once the malware is *active* while signature-based scanning works when
the malware is still *inactive*

Heuristics are trivially defeated by any virus author with a copy of the
AV software they're trying to defeat and are therefore not particularly
reliable, but that's another debate entirely.

Heuristics is a last chance of detecting something nasty but the chance
that it works is minimal. Once malware is running then the whole system
should be considered compromised and cleaned up appropriately.

Benjamin

"Benjamin Gawert" wrote in message
...
Just because you were lucky so far doesn't mean your approach is sensible.

Then I've been lucky for 12 years and counting. Not a bad track record. :-)

In fact, you can be infected without knowing it.

Your system may be infected, too. The only difference is you can say your
system is clean with 99.9% confidence, while I can say it with 99.8%
confidence.

Updating your AV software daily only takes seconds and is done
automatically. There is absolutely no sane reason to not do it.

Except no single AV app is completely effective anyway. Depending on whether
the developer gets the virus sample before or after it's in the wild, there
may be a lag in getting the signatures prepared. Different dev houses get
different virus submissions, too, which affects their detection ability.
Occasionally I get infected spam email attachments that penetrate Yahoo
Mail's Symantec virus scanner, but they scan positive using Avira with my
weeks-old definitions. What's more important? A good scan engine or
daily-updated definitions?

If you work in a particularly high-risk environment, you would need to scan
files on-demand with at least two AV programs (they obviously cannot run in
the background simultaneously). "Zulu" from alt.2600.cracks advocated this,
using some metaphor about contraceptives...

--
"War is the continuation of politics by other means.
It can therefore be said that politics is war without
bloodshed while war is politics with bloodshed."

* First of One:

Just because you were lucky so far doesn't mean your approach is sensible.

Then I've been lucky for 12 years and counting. Not a bad track record. :-)

Well, if it is 12 years or 20 years is irrelevant as malware got only
really really bad within the last 5 to 7 years. Before that it was very
easy to avoid malware, however this is not the case anymore.

In fact, you can be infected without knowing it.

Your system may be infected, too. The only difference is you can say your
system is clean with 99.9% confidence, while I can say it with 99.8%
confidence.

Updating your antimalware program once a month does in no way give you
even 90% confidence, in reality you are probably more down to 70%, if at
all. Timely updates are critical for antimalware tools, updating once a
month is barely batter than not updating it.

Updating your AV software daily only takes seconds and is done
automatically. There is absolutely no sane reason to not do it.

Except no single AV app is completely effective anyway. Depending on whether
the developer gets the virus sample before or after it's in the wild, there
may be a lag in getting the signatures prepared.

Right. So what? Just because a virus program is not 100% effective or
that there might be a delay between new virii and new signatures there
is no reason to add another, even longer delay.

Following your logic, a cancer patient would only get his medications
once a month when he is supposed to take it daily, simply because there
is a delay in development and diagnostics of cancer, and despite the
treatment he might die anyways.

Different dev houses get
different virus submissions, too, which affects their detection ability.

Not really. Today, antivirus companies and security experts works quite
closely together and exchange virus signatures and malware information
quickly.

Occasionally I get infected spam email attachments that penetrate Yahoo
Mail's Symantec virus scanner, but they scan positive using Avira with my
weeks-old definitions.

Well, "Symantec" says it all.

What's more important? A good scan engine or
daily-updated definitions?

It is not one or another. One is worthless without the other. Simple as
that.

If you work in a particularly high-risk environment, you would need to scan
files on-demand with at least two AV programs (they obviously cannot run in
the background simultaneously). "Zulu" from alt.2600.cracks advocated this,
using some metaphor about contraceptives...

If you use files from what you call "high-risk environments" then the
safest way is to only use them is in locked-down virtual machines.

But that makes regular timely updates of your antimalware tool not less
important.

Benjamin