The case FOR antivirus

PC & Tech Authority - FEATURE

Antivirus vendors defend their efforts. We asked several major players for a response, and the strongest came from PandaLabs. “We know that Project Zero researcher Tavis Ormandy likes analogies so we would like to put one forward,” said Luis Corrons, technical director of PandaLabs. “It is a fact that medical vaccines work and have saved millions of lives, virtually eradicating some of the nastiest diseases ever known. However, you will always find some ‘bright spark’ who says it is much better not to inoculate the population, just use knowledge to avoid the infections, and we always have antibiotics if we feel sick.”

Corrons added: “Anti-malware solutions are one of the most efficacious methods of detecting and protecting against hundreds of millions of known security threats. Not using anti-malware exposes you to unnecessary risks.”

For a more independent defence, we turned to Dr Vesselin Bontchev. He previously worked at antivirus firm Frisk in Iceland, but now works at the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, and he’s stepped into the fray on Twitter to counter the case made by Ormandy and his colleagues.

There’s no denying the bugs, of course, and Bontchev admits that all major antivirus firms have reported flaws, although they’ve since been fixed. He also concedes that the decision made by antivirus firms to sit at kernel level makes those flaws all the more dangerous. He even agrees with Ormandy et al that antivirus opens up new attack surfaces. “In this claim, they are correct,” he said. “It’s the conclusions they make from this that are totally wrong, misleading, and even harmful for the users.”

He says we must perform a risk assessment. Antivirus may be flawed, but so too will any other piece of software you run. Which is most likely to make you a target – a rare, hard-to-hack bug in antivirus, or the many basic flaws in every other piece of software? “What [antivirus] does is replace one risk, an attacker invading your machine by using an unknown and unpatched bug in your antivirus, with another: your machine getting infected because you opened a malicious file and you had no antivirus to stop you from doing so,” Bontchev argues.

The chances of an attacker exploiting a bug in antivirus software, Bontchev adds, are slim. “It takes an extremely competent attacker to find one and to exploit it,” he said. “There are very few such attackers around.”

September 2017


On the other hand, standard malware is easy to find and easy to exploit. “Clearly, commodity malware presents a much greater risk than extremely sophisticated attackers using a hypothetical bug in your antivirus software,” Bontchev argues. “I can think of only one or two cases when malware leveraged a bug in some antivirus product to attack computers,” he said. “Compare that with a million-per-day cases of ‘normal’, commodity malware attacking millions of people around the globe. Clearly, using antivirus software for protection against at least the malware it can detect and stop by far outweighs the risk of hypothetical unpatched bugs in said antivirus software.”

F-Secure security advisor Sean Sullivan agrees. “For the last decade, it’s not been high-skilled, high-motivated attackers that we’ve been dealing with,” he said, adding that researchers such as Ormandy appear to be trying to protect victims from targeted, specialised attacks.

He’s also critical of the way researchers often publish such flaws if they’re not fixed within a defined period of time. “I don’t know that that’s the best utilitarian choice in terms of harm and the amount of harm it might cause,” he said. “Because when they disclose something like that, they are potentially giving cyber criminals… a free gift.”

Bontchev agrees that antivirus design too often uses “design that is not the best from a security point of view,” but, once again, “while the complaints are correct, the conclusion is completely wrong”. To Bontchev, there is good reason to meddle with HTTPS, for example, as plenty of malware uses such encrypted channels for communication. “If you don’t break the encryption, you can see which site the user is trying to visit (more exactly, its IP address) but not which particular link (URL, page) on this site,” he argues. “Sometimes malware is stopped because the user is attempting to access a ‘known bad’ URL. If you can’t get the URL, you can’t stop it.”

Time for another risk assessment. “What presents a greater risk: attackers trying to break your encryption when you’re visiting sites, or commodity malware that would infect your machine?” Bontchev asks. “While the former isn’t harmless — it can lead to the attacker capturing your passwords — it is rare; practically unheard of, except when professional spy agencies are involved. The latter, commodity malware, happens every damn day to millions of people.”
