I came across an interesting article today on "Breaking the conventional scheme of infection" at the evil fingers blog site. Actually, it's by my colleague in Argentina, ESET Latin America Security Analyst, Jorge Mieres, but I didn't realize that at first. (The original blog is in Spanish, and if your command of that language is better than mine, you can find it here.)

The article derives from a question asked recently by a journalist about "moderately advanced users who claim not to need antivirus software."

I must admit that there was a time back in the 90s when not all my machines ran antivirus all the time. That wasn't completely out of arrogance: it was at a time when 99.99% of all viral threats were in some sense user-launched, Trojans were a tiny proportion of the total threat spectrum, and I figured I was smart enough to spot a social engineering ploy from 100 yards in a thick fog. (I'm not sure why I'd be operating a PC in a thick fog: let's just call it poetic license and leave it at that.)

In my own defence, while I wasn't in the anti-malware business then, I was working as an IT support professional specialising in security, and fairly well-known in the AV research community. So I was probably almost as safe as I thought I was, though not necessarily as smart.

I guess two things changed for me. One was a gradual but eventually rather dramatic upsurge in "self-launching" threats that can infect or deliver a payload without any action on the part of the victim. The other was a realization that targeted malware and spear phishing were going to become a more than theoretical problem. It dawned on me that it would be perfectly possible for a bad guy to craft a message that would push my own particular buttons and persuade me to open a link or attachment incautiously, if they knew enough about me. (And in these days of social networking, it's all too easy to find out quite a lot about practically anyone.)

Today there's too much in the way of self-launching exploits and targeted malware to take that risk unless you're prepared to spend a lot of time maintaining alternative defences. Even then, I'd consider the extra layer of protection well worth the investment for most people (and almost all Windows users). The days when the everyday user could simply rely on antivirus software to protect himself from all threats are long gone, but it's still worth putting something in place that's capable of stopping very high volumes of malware variants. Defence in depth still works for me!

David Harley
Director of Malware Intelligence