The case FOR antivirus
Antivirus vendors defend their efforts. We asked several major players for a response, and the strongest came from PandaLabs. “We know that Project Zero researcher Tavis Ormandy likes analogies so we would like to put one forward,” said Luis Corrons, technical director of PandaLabs. “It is a fact that medical vaccines work and have saved millions of lives, virtually eradicating some of the nastiest diseases ever known. However, you will always find some ‘bright spark’ who says it is much better not to inoculate the population, just use knowledge to avoid the infections, and we always have antibiotics if we feel sick.”
Corrons added: “Anti-malware solutions are one of the most efficacious methods of detecting and protecting against hundreds of millions of known security threats. Not using anti-malware exposes you to unnecessary risks.”
For a more independent defence, we turned to Dr Vesselin Bontchev. He previously worked at antivirus firm Frisk in Iceland, but now works at the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, and he’s stepped into the fray on Twitter to counter the case made by Ormandy and his colleagues.
There’s no denying the bugs, of course, and Bontchev admits that all major antivirus firms have reported flaws, although they’ve since been fixed. He also concedes that the decision made by antivirus firms to sit at kernel level makes those flaws all the more dangerous. He even agrees with Ormandy et al that antivirus opens up new attack surfaces. “In this claim, they are correct,” he said. “It’s the conclusions they make from this that are totally wrong, misleading, and even harmful for the users.”
He says we must perform a risk assessment. Antivirus may be flawed, but so too will any other piece of software you run. Which is more likely to make you a target – a rare, hard-to-hack bug in antivirus, or the many basic flaws in every other piece of software? “What [antivirus] does is replace one risk, an attacker invading your machine by using an unknown and unpatched bug in your antivirus, with another: your machine getting infected because you opened a malicious file and you had no antivirus to stop you from doing so,” Bontchev argues.
The chances of an attacker exploiting a bug in antivirus software, Bontchev adds, are slim. “It takes an extremely competent attacker to find one and to exploit it,” he said. “There are very few such attackers around.”
September 2017
On the other hand, standard malware is easy to find and easy to exploit. “Clearly, commodity malware presents a much greater risk than extremely sophisticated attackers using a hypothetical bug in your antivirus software,” Bontchev argues. “I can think of only one or two cases when malware leveraged a bug in some antivirus product to attack computers,” he said. “Compare that with a million-per-day cases of ‘normal’, commodity malware attacking millions of people around the globe. Clearly, using antivirus software for protection against at least the malware it can detect and stop by far outweighs the risk of hypothetical unpatched bugs in said antivirus software.”
F-Secure security advisor Sean Sullivan agrees. “For the last decade, it’s not been high-skilled, high-motivated attackers that we’ve been dealing with,” he said, adding that researchers such as Ormandy appear to be trying to protect victims from targeted, specialised attacks.
He’s also critical of the way researchers often publish such flaws if they’re not fixed within a defined period of time. “I don’t know that that’s the best utilitarian choice in terms of harm and the amount of harm it might cause,” he said. “Because when they disclose something like that, they are potentially giving cyber criminals… a free gift.”
Bontchev agrees that antivirus products too often use “design that is not the best from a security point of view,” but, once again, “while the complaints are correct, the conclusion is completely wrong”. To Bontchev, there is good reason to meddle with HTTPS, for example, as plenty of malware uses such encrypted channels for communication. “If you don’t break the encryption, you can see which site the user is trying to visit (more exactly, its IP address) but not which particular link (URL, page) on this site,” he argues. “Sometimes malware is stopped because the user is attempting to access a ‘known bad’ URL. If you can’t get the URL, you can’t stop it.”
Time for another risk assessment. “What presents a greater risk: attackers trying to break your encryption when you’re visiting sites, or commodity malware that would infect your machine?” Bontchev asks. “While the former isn’t harmless — it can lead to the attacker capturing your passwords — it is rare; practically unheard of, except when professional spy agencies are involved. The latter, commodity malware, happens every damn day to millions of people.”
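To make the trade-off Bontchev describes concrete, here is an added example (not from the article, nor from any vendor’s product): it builds a constructed TLS 1.2 ClientHello, reads the hostname that the Server Name Indication extension sends in cleartext, and shows that a blocklist entry naming a specific page on a shared host cannot be enforced without decrypting the session, because the URL path only ever travels inside the encrypted channel. The blocklist and hostnames are constructed sample values.

```python
import struct
from urllib.parse import urlparse

BLOCKLIST = ["https://bad.example/", "https://shared.example/evil/payload.exe"]  # constructed sample

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record with an SNI extension."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)           # client_version, 32-byte random (zeroed here)
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\x00\x2f"             # one cipher suite
            + b"\x01\x00"                     # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the hostname from the ClientHello's server_name extension, or None."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 43                                           # past record/handshake headers, version, random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                               # compression_methods
    if p + 2 > len(record):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                               # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def passive_verdict(record: bytes, blocklist) -> str:
    """What an inspector that does NOT decrypt the session can decide from this ClientHello."""
    host = extract_sni(record)
    if host is None:
        return "undecidable"                         # not even the hostname is visible
    hits = [urlparse(u) for u in blocklist if urlparse(u).hostname == host]
    if not hits:
        return "allow"
    if any(h.path in ("", "/") for h in hits):
        return "block"                               # whole host is listed; SNI alone suffices
    return "undecidable"                             # only specific pages listed; the path is encrypted
```

Run against the constructed blocklist, a ClientHello for bad.example is blockable from the handshake alone, while one for shared.example is undecidable: the benign and the malicious page on that host look identical until the session is decrypted.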