The case AGAINST antivirus
There are two main complaints against antivirus: it’s riddled with bugs and the way it’s designed gets in the way of other software measures. Let’s start with the first. Head over to Google’s Project Zero ( bugs.chromium. org/p/project-zero) and search for antivirus under “all issues” – you’ll find a long list of reported bugs from a host of vendors. You’ll also quickly notice that the vast majority of reports are filed by one Tavis Ormandy, Google’s belligerent and persistent security researcher.
The infamous bug hunter and antivirus critic last summer uncovered flaws in Symantec products that he said were “as bad as it gets”, and has also dug out bugs in Kaspersky, McAfee, Trend Micro and Sophos. In a statement to PC&TA, Symantec said that it “continually improves the protection delivered by our products with regular updates” and that it works not only with its own experts but independent security researchers.
However, Ormandy isn’t alone in discovering cavities in the software that’s meant to be protecting us. Joxean Koret, a researcher at Singaporean security firm COSEINC, spent a year poking holes in antivirus, finding dozens of vulnerabilities largely in software using C/C++. In his presentation, he uses language saucier than this magazine can print to suggest that antivirus companies don’t care about security in their own products, and wonders “why is it harder to exploit browsers than security products?”
Meanwhile, a report from Flexera Software at the end of last year revealed that 11 of the 46 pieces of software on • its rankings of most vulnerabilities were actually security products.
Naturally, it’s not only white hats who are searching for holes in antivirus. The tranche of 8,000 pages of documents about the CIA’s hacking skills published by WikiLeaks revealed the American spies have an unflattering opinion of antivirus. Comodo was described as being a “colossal pain in the posterior” for spies to get
around, but an older version of its antivirus has a “gaping hole of doom”. A now-patched flaw in Kaspersky allowed spies to bypass all protections, and one CIA hacker crowed about a “totally sweet” bug in AVG.
“Antivirus is a technology that should be used with extreme caution,” said Craig Young, security researcher at Tripwire. “In recent years, evidence has been piling up to show that weaknesses in virtually every antivirus product available could actually expose end users • to more serious risks than the viruses they are protecting against.”
Those flaws are all the more dangerous because of the way most antivirus software occupies an elevated position, and because it uses invasive techniques to sniff out attackers. Normally, malware must trick users into clicking a link, opening a document or running an executable, Young notes.
That means “weaknesses in the antivirus program can be exploited without any user interaction,” he explains. “If an adversary knows what kind of antivirus a target is using and can identify a vulnerability in that product, gaining complete control of the remote systems can simply be a matter of sending an email, even if the email is never opened.”
Robert O’Callahan worked at Firefox-developer Mozilla for 16 years and, when he left the company, he took a parting shot at security software developers with an inflammatory post on his blog ( tinyurl.com/ hojduc4), titled “Disable your antivirus software (except Microsoft’s)”. He said that antivirus “products poison the software ecosystem because their invasive and poorly implemented code makes it difficult for browser vendors and other developers to improve their own security”.
O’Callahan’s own example came when he was working on Firefox for Windows to implement address space layout randomisation (ASLR), which protects against a type of attack called “buffer overflow” by randomising where executables are loaded into memory. O’Callahan said “many antivirus vendors broke it by injecting their own ASLR-disabling DLLs into our processes.
“Several times antivirus software blocked Firefox updates, making it impossible for users to receive important security fixes,” he continued. “Major amounts of developer time are soaked up dealing with antivirus-induced breakage, time that could be spent making actual improvements in security.”
Another concern is how most antivirus sits between your browser and the web, creating the possibility for a man-in-themiddle attack. To see encrypted traffic and check it’s not malicious, the software intercepts it – sometimes by default, other times with user permission – creating its own secure Transport Layer Security (TLS) connection to do the work of the web browser by checking certificates. In other words, therefore, antivirus breaks existing browser security systems to use a hacking technique against its own customers.
Antivirus is a technology that should be used with caution