AV - should companies keep buying it?



  • I asked about this before - and felt we didn't really discuss it much.

    So again I'm asking.

    Also - would it be better money spent on a solution for patch management?
    Sure Chocolatey covers a lot of freeware/shareware, but it doesn't handle most paid software.

    It seems that updating software daily is much more critical to systems being secure instead of trying to rely on AV.

    Thoughts?



  • Should companies buy AV?

    Generally, I would say "no". Not that they shouldn't have AV, but good AV is free and maintained by the system. Additional AV isn't necessarily bad, but the cost of it is often ridiculously high and very difficult to justify. There are good AV programs out there like Webroot and Bitdefender. But Defender is good, too, and included.

    AV is mostly a panacea today. It's a second line of defense, but typically only turning out to be useful at times when blatant disregard for security basics were already the cause of problems. And third party AV in the real world seems to cause more issues than it solves.



  • @Dashrender said in AV - should companies keep buying it?:

    It seems that updating software daily is much more critical to systems being secure instead of trying to rely on AV.

    This has always been the case, education is just leading more people to realize how many people have not patched in the past and people are more prepared to hold those not patching accountable for the risk that they put people at.



  • AV was super important in the era of "no security" with DOS and Windows 98, for example. AV was "the security mechanism" that you added to your system. Since the Windows NT family has security mechanisms, the role of AV has almost always been just a placebo, or nearly so.



  • Now I want to compare the third party setup to a bare bones windows defender setup. Our webroot protected systems get 10/10 (totally stops all ransomware tests) when testing with ransim. I guess I'll spin up a win 10 VM and see what that scores.



  • @RojoLoco said in AV - should companies keep buying it?:

    Now I want to compare the third party setup to a bare bones windows defender setup. Our webroot protected systems get 10/10 (totally stops all ransomware tests) when testing with ransim. I guess I'll spin up a win 10 VM and see what that scores.

    Since it's simulated - I'm not sure I think it has any real value. True attacks are using both old and zero day exploits - I'm guessing very little will stop zero day exploits, the number one thing is user education and awareness.



  • @Dashrender said in AV - should companies keep buying it?:

    @RojoLoco said in AV - should companies keep buying it?:

    Now I want to compare the third party setup to a bare bones windows defender setup. Our webroot protected systems get 10/10 (totally stops all ransomware tests) when testing with ransim. I guess I'll spin up a win 10 VM and see what that scores.

    Since it's simulated - I'm not sure I think it has any real value. True attacks are using both old and zero day exploits - I'm guessing very little will stop zero day exploits, the number one thing is user education and awareness.

    True, but I have no other way to test short of trying to get infected on purpose. And I know it's not testing the user-clicked-a-dumb-link scenario. I think the real test will be if defender freaks out when I unzip the installer (like webroot did). That shows that it is detecting something at least.



  • @Dashrender said in AV - should companies keep buying it?:

    @RojoLoco said in AV - should companies keep buying it?:

    Now I want to compare the third party setup to a bare bones windows defender setup. Our webroot protected systems get 10/10 (totally stops all ransomware tests) when testing with ransim. I guess I'll spin up a win 10 VM and see what that scores.

    Since it's simulated - I'm not sure I think it has any real value. True attacks are using both old and zero day exploits - I'm guessing very little will stop zero day exploits, the number one thing is user education and awareness.

    I'd say it has some value, but not a ton. Middle ground. It's telling, but not definitive.



  • We use it as a last ditch tool to protect end users from themselves. Necessary no, useful yes.

    Bonus - sophos also manages our bit defender keys

    Bonus x2 - sophos also does phish testing, which is not only useful but also amusing

    Bonus x3 - sophos actually works and doesn't do dumb stuff that wastes my time.



  • @MattSpeller said in AV - should companies keep buying it?:

    We use it as a last ditch tool to protect end users from themselves. Necessary no, useful yes.

    Bonus - sophos also manages our bit defender keys

    Bonus x2 - sophos also does phish testing, which is not only useful but also amusing

    Bonus x3 - sophos actually works and doesn't do dumb stuff that wastes my time.

    #3 is why I like webroot. Easy central control. Can you get any kind of management console for windows defender without giving MS a bunch more money?



  • @scottalanmiller said in AV - should companies keep buying it?:

    And third party AV in the real world seems to cause more issues than it solves.

    This is really what it boils down to. Adding 3rd party security software to a system has to open more holes in the underlying operating system, for itself at the bare minimum. Instead of providing additional security, they increase the attack surface. Just the opposite of what your trying to do.

    That's not to say they are never worth while. A centralized dashboard to manage all the computers can be well worth the cost.



  • @scottalanmiller said in AV - should companies keep buying it?:

    @Dashrender said in AV - should companies keep buying it?:

    @RojoLoco said in AV - should companies keep buying it?:

    Now I want to compare the third party setup to a bare bones windows defender setup. Our webroot protected systems get 10/10 (totally stops all ransomware tests) when testing with ransim. I guess I'll spin up a win 10 VM and see what that scores.

    Since it's simulated - I'm not sure I think it has any real value. True attacks are using both old and zero day exploits - I'm guessing very little will stop zero day exploits, the number one thing is user education and awareness.

    I'd say it has some value, but not a ton. Middle ground. It's telling, but not definitive.

    really? sounds like it's little more than the eicar test. yep.. the AV detected the known pattern - yeah.. lol



  • @RojoLoco said in AV - should companies keep buying it?:

    @MattSpeller said in AV - should companies keep buying it?:

    We use it as a last ditch tool to protect end users from themselves. Necessary no, useful yes.

    Bonus - sophos also manages our bit defender keys

    Bonus x2 - sophos also does phish testing, which is not only useful but also amusing

    Bonus x3 - sophos actually works and doesn't do dumb stuff that wastes my time.

    #3 is why I like webroot. Easy central control. Can you get any kind of management console for windows defender without giving MS a bunch more money?

    no of course not - but you didn't get it from Webroot for free either.

    As for actually getting reporting - You could get logs from the local machine via powershell and a logging server, then run reports, etc, etc, etc...
    but yeah - that is kinda ugly.



  • @travisdh1 said in AV - should companies keep buying it?:

    @scottalanmiller said in AV - should companies keep buying it?:

    And third party AV in the real world seems to cause more issues than it solves.

    This is really what it boils down to. Adding 3rd party security software to a system has to open more holes in the underlying operating system, for itself at the bare minimum. Instead of providing additional security, they increase the attack surface. Just the opposite of what your trying to do.

    That's not to say they are never worth while. A centralized dashboard to manage all the computers can be well worth the cost.

    To what end though? If the centralized console tells you it stopped an infection - now what? do you actually review what the user was doing? I suppose if you want to read daily reports that the AV is updated - you could get that from WSUS for Windows machines, though BYOD makes that kinda hard - though not impossible.



  • @RojoLoco said in AV - should companies keep buying it?:

    #3 is why I like webroot. Easy central control. Can you get any kind of management console for windows defender without giving MS a bunch more money?

    You can make your own, but that's the same as spending money (basically.) The nice thing about Defender is that you rarely need central control. If that's something you need, then Defender is weak today. But rarely have we found a need for that.



  • @Dashrender said in AV - should companies keep buying it?:

    @travisdh1 said in AV - should companies keep buying it?:

    @scottalanmiller said in AV - should companies keep buying it?:

    And third party AV in the real world seems to cause more issues than it solves.

    This is really what it boils down to. Adding 3rd party security software to a system has to open more holes in the underlying operating system, for itself at the bare minimum. Instead of providing additional security, they increase the attack surface. Just the opposite of what your trying to do.

    That's not to say they are never worth while. A centralized dashboard to manage all the computers can be well worth the cost.

    To what end though? If the centralized console tells you it stopped an infection - now what? do you actually review what the user was doing? I suppose if you want to read daily reports that the AV is updated - you could get that from WSUS for Windows machines, though BYOD makes that kinda hard - though not impossible.

    That's my take on it, that's not information that I really want people sifting through under normal circumstances.



  • @Dashrender said in AV - should companies keep buying it?:

    As for actually getting reporting - You could get logs from the local machine via powershell and a logging server, then run reports, etc, etc, etc...
    but yeah - that is kinda ugly.

    Kinda ugly, once. But once you have the tools, it is free "forever." I wonder if ELK or something does that well.



  • @scottalanmiller said in AV - should companies keep buying it?:

    @Dashrender said in AV - should companies keep buying it?:

    As for actually getting reporting - You could get logs from the local machine via powershell and a logging server, then run reports, etc, etc, etc...
    but yeah - that is kinda ugly.

    Kinda ugly, once. But once you have the tools, it is free "forever." I wonder if ELK or something does that well.

    That was my wondering as well.



  • @scottalanmiller said in AV - should companies keep buying it?:

    @Dashrender said in AV - should companies keep buying it?:

    @travisdh1 said in AV - should companies keep buying it?:

    @scottalanmiller said in AV - should companies keep buying it?:

    And third party AV in the real world seems to cause more issues than it solves.

    This is really what it boils down to. Adding 3rd party security software to a system has to open more holes in the underlying operating system, for itself at the bare minimum. Instead of providing additional security, they increase the attack surface. Just the opposite of what your trying to do.

    That's not to say they are never worth while. A centralized dashboard to manage all the computers can be well worth the cost.

    To what end though? If the centralized console tells you it stopped an infection - now what? do you actually review what the user was doing? I suppose if you want to read daily reports that the AV is updated - you could get that from WSUS for Windows machines, though BYOD makes that kinda hard - though not impossible.

    That's my take on it, that's not information that I really want people sifting through under normal circumstances.

    Yeah, and when you really need it, it's already failed.



  • @scottalanmiller said in AV - should companies keep buying it?:

    @RojoLoco said in AV - should companies keep buying it?:

    #3 is why I like webroot. Easy central control. Can you get any kind of management console for windows defender without giving MS a bunch more money?

    You can make your own, but that's the same as spending money (basically.) The nice thing about Defender is that you rarely need central control. If that's something you need, then Defender is weak today. But rarely have we found a need for that.

    The console is mostly to see who did something stupid so I can say "hey, don't do that shit".



  • @travisdh1 said in AV - should companies keep buying it?:

    @scottalanmiller said in AV - should companies keep buying it?:

    And third party AV in the real world seems to cause more issues than it solves.

    This is really what it boils down to. Adding 3rd party security software to a system has to open more holes in the underlying operating system, for itself at the bare minimum. Instead of providing additional security, they increase the attack surface. Just the opposite of what your trying to do.

    That's not to say they are never worth while. A centralized dashboard to manage all the computers can be well worth the cost.

    Once of the biggest worries I've seen with third party tools is customers (so this is more for MSPs than in house people) who want to change it up, switch vendors, go to Defender, miss their renewals, or whatever (or in the case of ESET, a malicious vendor that disabled protection to try to extort money.) Anything goes wrong, and the protection shuts off.

    That was what happened to one of our customers last week (they weren't our customer when it happened.) The had Defender for free, but old tools like Sophos and Kaspersky had disabled Defender and were actively removing it even after it was enabled even after they were removed. S&K ended up leaving us far more exposed than if we had never had them.



  • OK - newish direction -

    You're spending money on AV today - should you ditch it for something like KnowBe4?

    I already asked about ditching it and instead spending on a patch management - and while Scott said patching is finally getting the recognition is deserves, he didn't say if people should shift their spending... and if they should - to what product do people like today?



  • @RojoLoco said in AV - should companies keep buying it?:

    @scottalanmiller said in AV - should companies keep buying it?:

    @RojoLoco said in AV - should companies keep buying it?:

    #3 is why I like webroot. Easy central control. Can you get any kind of management console for windows defender without giving MS a bunch more money?

    You can make your own, but that's the same as spending money (basically.) The nice thing about Defender is that you rarely need central control. If that's something you need, then Defender is weak today. But rarely have we found a need for that.

    The console is mostly to see who did something stupid so I can say "hey, don't do that shit".

    But again, I ask - to what end? it's not likely the company will fire them if they do it again, or do it 10 more times. So why waste your breath? As an IT person I want to help people be safer on the internet, etc - but I've come around to realize that unless I'm the dictator - that's simply not a priority in most companies - and I just need to LET IT GO.



  • @Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.



  • @RojoLoco said in AV - should companies keep buying it?:

    @Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

    What? How can they install something? They dont' have admin rights, right?



  • @Dashrender said in AV - should companies keep buying it?:

    You're spending money on AV today - should you ditch it for something like KnowBe4?

    For internal IT? Almost always, yes.

    For MSPs, not likely. Customers like the "monitoring feel", but dislike being told what to do.



  • @Dashrender said in AV - should companies keep buying it?:

    @RojoLoco said in AV - should companies keep buying it?:

    @Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

    What? How can they install something? They dont' have admin rights, right?

    See bold text. And yes, I know. Beyond my control.



  • @Dashrender said in AV - should companies keep buying it?:

    @RojoLoco said in AV - should companies keep buying it?:

    @Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

    What? How can they install something? They dont' have admin rights, right?

    There are a lot of things that you can "install" (using install in the light sense) that can include ransomware, that doesn't require admin rights, as we saw at a now customer over the last few days. It was an end user account with access to the main document store that ransomed everything.



  • @RojoLoco said in AV - should companies keep buying it?:

    @Dashrender said in AV - should companies keep buying it?:

    @RojoLoco said in AV - should companies keep buying it?:

    @Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

    What? How can they install something? They dont' have admin rights, right?

    See bold text. And yes, I know. Beyond my control.

    If you have end users acting as admins, then a powerful central AV is way more important and doing things potentially beyond standard AV functions that are making more of a difference for you.



  • @RojoLoco said in AV - should companies keep buying it?:

    @Dashrender said in AV - should companies keep buying it?:

    @RojoLoco said in AV - should companies keep buying it?:

    @Dashrender true, but in my small environment, it's more to remind them of company policy (don't install shit until I approve it). It hasn't been a huge issue, but it helps fill in the gaps left by everyone being local admin and the lack of web filtering.

    What? How can they install something? They dont' have admin rights, right?

    See bold text. And yes, I know. Beyond my control.

    Wow!



  • @scottalanmiller said in AV - should companies keep buying it?:

    @Dashrender said in AV - should companies keep buying it?:

    You're spending money on AV today - should you ditch it for something like KnowBe4?

    For internal IT? Almost always, yes.

    For MSPs, not likely. Customers like the "monitoring feel", but dislike being told what to do.

    In my case I have a customer who I consult for. They have Webroot today - they are asking - should we renew?

    I'm thinking - nope, save the money. They are pulling Rojo's POV - not that it happens a lot, but they do get the notices when someone bounces into something bad, and they get a feel good feeling from it.

    I'm thinking I should suggest either:
    a) dump webroot and buy abc patch management software
    b) dump webroot and buy knowbe4 and train train train your users
    c) dump webroot and buy knowbe4 AND patch management software (not likely because of cost).


Log in to reply