
I don't use it on any OS. There was a dark age of plentiful zero-days when it made sense to use antivirus (I suppose), but these days as a technical user you're pretty safe if you run an adblocker and don't download random binaries.


> There was a dark age of plentiful zero-days

Antivirus is not an effective way to protect against zero-day exploits. Antivirus is effective against known threats, but zero-days are new threats that antivirus programs are not designed to detect.


It's not really so black-and-white. It is not unusual, for example, for signature-based antivirus to detect the payload of a zero-day-based delivery mechanism. When they are packed in one file, this can incidentally protect you from the original exploit. This scenario is actually a lot more common than you might think, as simple economy means that a lot of malware authors will use different delivery mechanisms over time for the same payload. You see this a lot with botnets, for example, where there's a relatively small number of popular botnet agents that are delivered by multiple groups using multiple means.

In general, it's important to remember that malware involves multiple separate steps, typically today something like the initial exploit, a downloader, and persistence, which may retrieve additional payload binaries. Even if your antivirus is completely unaware of the original exploit, it may detect the downloader or persistent binary. This common problem (for malware authors) has led to work on things like fileless persistence, but those methods are more difficult and less reliable, so a lot of malware still needs to drop a persistent binary somewhere and use one of a fairly limited number of methods to get it to start again in the future. This is a huge opportunity for antivirus to detect a problem no matter the original exploit, and one of the things that antivirus is most effective at.

There is also heuristic-based protection, and in practice few host-based security solutions are purely signature-based. Heuristic protection has significant limitations but can be effective, especially for common malware patterns like loading drivers (no longer as common on modern Windows due to restrictions on driver loading). Heuristic-based systems tend to make enemies of their users though since it's difficult to tune them to be at all effective without a noticeable false positive rate. You see this a lot with packer detection: a lot of AV products use heuristic methods to recognize common packers (obfuscators), with the result that some self-extracting executables and commercial obfuscated binaries will also be detected. There's a lot of interest in machine-learning heuristic detection, but the false positive issue limits its use so far.
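The two points above (a persistence-stage binary can be caught by a known-payload signature no matter which exploit dropped it, and a location heuristic catches repacked payloads at the cost of false positives on legitimate self-extracting installers) as an added toy audit in Python, not code from the thread; every autostart entry, path and hash in it is constructed for illustration:

```python
# Added example: toy host-based check over constructed autostart entries.
# Shows why detecting the persistence step works regardless of the initial
# exploit, and where heuristics produce false positives. Nothing here is
# real malware; the "payload" bodies and paths are constructed strings.
import hashlib
from dataclasses import dataclass

# Constructed "known payload" signature: SHA-256 of a fake binary body.
KNOWN_PAYLOAD_BODY = b"CONSTRUCTED-BOTNET-AGENT-v1"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_PAYLOAD_BODY).hexdigest()}

# Heuristic: autostart entries launching a binary from a user-writable
# drop directory are suspicious; System32 / Program Files paths are not.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

@dataclass
class AutostartEntry:
    location: str   # e.g. HKCU Run key, Startup folder, scheduled task
    path: str       # binary the entry launches
    body: bytes     # file contents (constructed here; read from disk in practice)

def classify(entry: AutostartEntry) -> str:
    """Return 'signature', 'heuristic' or 'clean'."""
    digest = hashlib.sha256(entry.body).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        return "signature"   # payload known, however it was delivered
    if any(d in entry.path.lower() for d in SUSPICIOUS_DIRS):
        return "heuristic"   # unknown binary in a typical drop location
    return "clean"

# Constructed sample autostart entries.
SAMPLE_ENTRIES = [
    # Same payload, new unknown exploit, dropped under Program Files: hash still matches.
    AutostartEntry("HKLM Run key", "C:\\Program Files\\Svc\\svchost.exe", KNOWN_PAYLOAD_BODY),
    # Repacked payload (hash changed) in Temp: signature misses, heuristic fires.
    AutostartEntry("HKCU Run key", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe",
                   b"REPACKED-" + KNOWN_PAYLOAD_BODY),
    # Legitimate self-extracting installer in Temp: heuristic false positive.
    AutostartEntry("Startup folder", "C:\\Users\\bob\\AppData\\Local\\Temp\\LegitSetup.exe",
                   b"LEGIT-INSTALLER"),
    # Normal system entry.
    AutostartEntry("HKLM Run key", "C:\\Windows\\System32\\SecurityHealthSystray.exe",
                   b"LEGIT-SYSTEM"),
]

def audit(entries=SAMPLE_ENTRIES) -> dict:
    """Map each launched binary to its verdict."""
    return {e.path: classify(e) for e in entries}

if __name__ == "__main__":
    for path, verdict in audit().items():
        print(f"{verdict:9} {path}")
```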


While it is true that signature-based antivirus can sometimes detect the payload of a zero-day-based delivery mechanism, it is not a reliable or comprehensive method for protecting against malware. Zero-day exploits and advanced malware can evade signature-based detection, and I wouldn’t bank on this method of protection. In addition, heuristic-based protection methods have limitations and a high false positive rate, making them less effective.


Nothing is a reliable or comprehensive method of protection - that's why we employ defense in depth, including host-based security and software hardening.


There are virus "kits" that allow creating new binaries as often as needed. So for whatever lag time (typically days to weeks) the AV folks have, you just generate something newer. Things are plenty sophisticated to allow VMs, encrypted binaries, and obfuscation tricks ... shared by commercial software that you can't just blacklist all bad binaries in any kind of general way.

So there's an infinite supply of bad binaries and AV companies are by definition, behind. Basically selling snake oil that promises to help, but never will.


That's why most AVs rely on behavioral detections rather than strictly file signature or hash-based detections.


> I don't use it on any OS

You don't even leave the built-in Windows Security (or Defender) running on Windows?

I haven't noticed any performance impact or false positives in the years it's been running, and it is supposed to be highly effective. Better safe than sorry I guess.

Although I have never had a virus in 30+ years.


Windows Defender definitely has a performance impact, sometimes to the point of freezing when plugging in a USB stick, for example (on low-spec hardware).

And you can disable it, but only with hackistry.

"Although I have never had a virus in 30+ years."

And this might translate to: you never had a virus you were aware of.

Most professional viruses are quite silent and don't want to be noticed by doing noisy stuff. Their point? Spreading everywhere, until they find a high-value target. But I doubt Windows Defender is a defence against those.


Afaik, modern malware will also do things like keylog for passwords; silent malware is neither reserved for high-value targets nor reserved for AV-evasion-tier malware (which is relatively easy to do).


Yes, "high value" is relative.

But a criminal gang won't risk attention to steal some bucks from a poor Linux hacker, who potentially will raise hell to find out how that theft happened.

Which is the reason Linux is more secure in the first place - there is simply plenty of easier prey elsewhere.


Won’t they? How do you know what an entire collective would do?


I know that from basic reasoning (what if I wanted to make money via hacking) and the fact that almost every day there is news about someone being ransomed on Windows, but very, very rarely (if at all) on Linux (on the desktop). Lower numbers, sure, but also a higher IT affinity. Overall not worth the hassle.


It's been a few years since I ran Windows, but I remember some annoying behavior.

- Every time you open a network drive in Windows Explorer, it will (sometimes?) partially download the contents to scan for viruses. It was noticeable on wifi.

- If you run grep in a large repo (in the multi-GB range), it will scan each file before letting grep access it. Ripgrep is multithreaded, but that didn't matter since Defender seemed to be single-threaded. I could see it pegging just one core as it made sure none of those text files had a virus.

I ran Process Hacker, which had a tray icon you could quickly hover to see what's using CPU. I noticed Defender slowing things down often enough that it had to go.


> You don't even leave the built-in Windows Security (or Defender) running on Windows?

Is there even an option to disable it? I disabled what I could on my VM and it still eats up all my CPU and memory (I should maybe get a faster laptop, but it works fine for everything except this, and I only rarely need it to test something).


+1

I would love to know too how to disable it completely.


Adding c:/ in the whitelist is your best bet. I strongly advise against it unless you’re doing malware research though.


WinAero Tweaker can disable it.


"Lisa, I want to buy your rock."


For my own (PC) machines, I don't run any sort of AV or anti-malware. For everyone else in my family, they run Defender and an anti-malware tool.



