
This is actually a real problem where we need public perception changed. If you have proper white-listing in place then AV does nothing but actually decrease the security, as these AV programs probably need to be white-listed and thus expose the machines to the kinds of issues shown here.

Unless the compliance auditors are happy with the software just being installed and don't check whether it actually runs. That would still be a colossal waste of money for the licenses but at least it would not compromise your security.



It's a really sad truth that to this date the only effective way to almost fully stop malware is to take away the ability from people to do what they want with their computers.

All operating systems that have some way to allow people to run malware will get malware. Windows, OSX, GNU, Android all can get infected quite easily. Then there's iOS where you cannot, and instead Apple decides which software you can or cannot run.

The downside is of course that you cannot run any software going against the corporate values of Apple.

If you want the right to shoot yourself in the foot, AV is the necessary evil you must have, unless of course you're sure you'll never visit a website that contains an exploit, old or zeroday, against your browser or its components, and you will never open an office document, PDF or executable that has malware in it. And even then you can get owned.


> If you want the right to shoot yourself in the foot, AV is the necessary evil you must have

No. AVs are actually pretty useless at stopping anything except the most basic attacks (and sometimes, not even that - just look at Cryptolocker).

Use Google Chrome (really! Firefox isn't even playing in the same league security-wise), disable Flash player, only run trusted executables with valid digital signatures.


> Use Google Chrome (really! Firefox isn't even playing in the same league security-wise)

Can you elaborate just a little on this please?


Firefox still doesn't use process separation between page rendering and the browser chrome. The thing that renders the pages on Chrome is a subprocess per tab (at considerable memory cost) which is also running in a sandbox.

In Firefox all tabs run in the same process and thus inherently can't be sandboxed (because it needs to write to the disk cache and save files the user downloads).


Dev Edition has process separation and content process sandboxing.


Now we only have to wait 5 years until they've found all the obvious sandbox escape bugs.


Thanks for that. I knew about the sandbox but wasn't sure if there was something else (newer) that I missed.


The only tests against real malware out there I've seen are done by AV-Test and AV-Comparatives, and the top products are pretty good at blocking them. Calling them useless sounds more like your hopes than facts, like calling seatbelts useless because people die in car accidents.

Uninstalling Flash, Adobe reader, Office and JRE, and using Chrome with adblock also helps you enormously, but is still a far cry for any user having difficulties with finding the download-button from sourceforge.

Getting a signing cert is easy as just buying one from Honest Achmed's Used Cars and Certificates, so the only real use for signed software with malware protection is to manually maintain your own list of trusted signers.


> The only tests against real malware out there I've seen are done by AV-Test and AV-Comparatives, and the top products are pretty good at blocking them.

Of course they do well there – the vendors use those as a primary marketing feature. It's like learning that Oracle does well at a TPC benchmark they'll be printing on glossy brochures.

The question a buyer should be asking is “What percentage of attacks the average Internet user faces are stopped by this product?” and that has been declining steadily since the 90s because virus authors can easily test before releasing a new version and confirm that they've managed to avoid the current signatures. It doesn't matter that your product is great at stopping last year's malware if that's not what exfiltrates or encrypts your data.

> Uninstalling Flash, Adobe reader, Office and JRE, and using Chrome with adblock also helps you enormously, but is still a far cry for any user having difficulties with finding the download-button from sourceforge.

The part that you left out is that using Chrome gets you all of those but ad-blocking. It's true that it's hard for many users to operate securely but millions of them have managed to install Chrome and that's far more effective than any security product on the market.


About those tests, you should know that the testing orgs are using an array of computers with up-to-date AV solutions, and then making them all go to e.g. websites dealing malware right then, as soon as they find new sources of malware attacks.

I honestly cannot imagine a better way to objectively test how well the products fare against attacks against an average Internet user.

Edit: If I was not clear, nobody tests with historical samples anymore. Only live attacks are being used for tests.


The problem is trying to extrapolate future performance based on performance against a historical sample. The process looks something like this:

1. Malware author releases something new

2. Users start getting compromised

3. Antivirus vendors start getting samples and analyzing them

4. New signatures are released

5. Clients download and install the new signatures

That cycle used to work better but in the Internet era it's a given that malware vendors are taking advantage of the substantial time delays between steps 4 and 5, which are often measured in hours or even days, and will change their code as soon as new signatures are released.

When someone reports results and they specify that the percentages are based on a historical library, that tells you little about what it'll do for you now. When they tell you that results are based on samples collected in the month prior to the test, which is what AV Test and AV Comparatives say they do, that's less stale but since it's starting after the vendors have already completed the entire process it still doesn't tell you how long you'll be exposed between steps 1 and 5 or whether some malware authors are consistently staying ahead of the loop.

This is really coming back to security fundamentals: trying to enumerate all of the bad things on the internet is futile. The better strategy is removing the ability to run programs which aren't on a known-good list but that breaks a lot of legacy practice.

> I honestly cannot imagine a better way to objectively test how well the products fare against attacks against an average Internet user.

The most reliable way to do this would be to simulate randomly surfing around the web, being sure to click on all of the ads, while monitoring for changes to existing programs or new programs, access to files the browser had no reason to open, and unexpected network connections.
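The monitoring half of that test, as an added example that is not any commenter's code: snapshot the hashes of installed programs before a simulated session, diff them afterwards, and flag connections to hosts outside an expected set. The directory layout, file contents and connection records are all constructed for the demo.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 for every file under root (the 'existing programs' baseline)."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_snapshots(before, after):
    """Programs that changed content and programs that appeared during the session."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "new": sorted(p for p in after if p not in before),
    }


def unexpected_connections(connections, expected_hosts):
    """Destinations the session had no reason to contact (constructed allow-list of hosts)."""
    return sorted({c["host"] for c in connections if c["host"] not in expected_hosts})


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Programs"))
        with open(os.path.join(root, "Programs", "browser.exe"), "wb") as fh:
            fh.write(b"constructed browser binary")
        before = snapshot(root)
        # Simulated "click on all the ads" session: one existing program is overwritten
        # and one new executable is dropped (constructed, not a real download).
        with open(os.path.join(root, "Programs", "browser.exe"), "wb") as fh:
            fh.write(b"constructed browser binary, now tampered")
        with open(os.path.join(root, "Programs", "helper.exe"), "wb") as fh:
            fh.write(b"constructed new executable")
        changes = diff_snapshots(before, snapshot(root))
    # Constructed connection log captured during the same session.
    connections = [
        {"host": "example.com", "port": 443},
        {"host": "cdn.example.com", "port": 443},
        {"host": "unknown-host.example.invalid", "port": 4444},
    ]
    return changes, unexpected_connections(connections, {"example.com", "cdn.example.com"})
```

Any non-empty result from run_demo() is a finding the test harness would count against the product under test, whether or not a signature ever fired.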


There is a middle ground. Have the OS enforce only running signed executables, but put the user in control of the certificate authority list. Then if you want Apple's style of security, just put their key in the list. If you want more freedom, add your own key and sign away.


Of course, then you'll end up with regsvr32.exe which is signed by Microsoft and still happily downloads and executes script code from remote servers.

Unfortunately, not even this approach will work. No. To be totally safe, you have to whitelist by digest of the exe and command-line arguments. Which basically means that you have to know how the OS works internally.
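To make the two policies in the last two comments concrete, an added Python example (not code from any commenter): a "signer in a user-controlled trust list" rule and a "digest plus command-line pattern" rule evaluated over the same constructed process-creation events. Signer names, image bytes, digests and paths are all made up for the demo.

```python
import hashlib
import re

# Constructed stand-ins for executables; a real deployment hashes the files on disk.
IMAGES = {
    "regsvr32.exe": b"constructed-bytes-standing-in-for-regsvr32",
    "updater.exe": b"constructed-bytes-standing-in-for-an-updater",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Policy 1 ("middle ground"): any image whose signer is in the user's trust list may run.
TRUSTED_SIGNERS = {"Microsoft Windows", "Example Corp (assumed)"}

# Policy 2 (the reply): exact image digest plus a regex the full command line must match.
# regsvr32 may only register a DLL given as a local drive path, never anything fetched by URL.
DIGEST_RULES = {
    sha256_hex(IMAGES["regsvr32.exe"]): [r"regsvr32\.exe (/s )?[A-Za-z]:\\[^ ]+\.dll"],
    sha256_hex(IMAGES["updater.exe"]): [r"updater\.exe --check"],
}


def signer_only(event) -> bool:
    return event["signer"] in TRUSTED_SIGNERS


def digest_and_args(event) -> bool:
    cmdline = " ".join(event["args"])
    return any(re.fullmatch(p, cmdline) for p in DIGEST_RULES.get(event["sha256"], []))


def evaluate(event):
    """Return (allowed_by_signer_policy, allowed_by_digest_and_args_policy)."""
    return signer_only(event), digest_and_args(event)


# Constructed process-creation events: (signer, image digest, argv).
EVENTS = [
    {"signer": "Microsoft Windows", "sha256": sha256_hex(IMAGES["regsvr32.exe"]),
     "args": ["regsvr32.exe", "/s", r"C:\App\app.dll"]},                        # normal local use
    {"signer": "Microsoft Windows", "sha256": sha256_hex(IMAGES["regsvr32.exe"]),
     "args": ["regsvr32.exe", "/s", "/i:https://example.invalid/remote", r"C:\App\app.dll"]},
    {"signer": "Example Corp (assumed)", "sha256": sha256_hex(b"constructed-newer-updater"),
     "args": ["updater.exe", "--check"]},                                        # updated binary, unknown digest
    {"signer": "Unknown", "sha256": sha256_hex(b"constructed-dropper"), "args": ["free_movie.exe"]},
]


def run_demo():
    return [evaluate(e) for e in EVENTS]
```

The second event is the regsvr32 case: the signer policy passes it, the digest-plus-arguments policy refuses it; the third event shows the maintenance cost of the stricter policy, since every legitimate update needs a new digest entry.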


In general, I think that approach would need one other change: either prevent “core” resources (e.g. firmware, kernel, system binaries) from being modified or have a fail-safe way to reset those files back to a trusted base state. Otherwise it'll just hit the same problem where many users will approve any request described as necessary to run the free game/movies/porn/etc. and lose control of their computer.

This is basically what Apple shipped in OS X 10.11 where you can trust third-party developers but System Integrity Protection (https://support.apple.com/en-us/HT204899) tries to limit the damage that even getting root can cause.



