Question of the Fortnight
Does your antivirus do more harm than good?
since antivirus (AV) products began appearing in the 1980s people have questioned whether they are necessary. Sceptics accuse security companies of exaggerating the threats, with some claiming that they even create malware to sell more software.
Former Firefox developer Robert O’callahan doesn’t go that far, but in a recent blog post ( www.snipca.com/23283) he urged Windows 10 users to uninstall their AV (he describes all AV sellers as “terrible”). Controversially, he said that Windows Defender is all you need.
He painted himself as a whistleblower, saying that because he no longer works for Mozilla (which runs Firefox) he’s “free” to lift the lid. There’s “negligible evidence” that AV boosts your defences, he said, adding: “more likely, they hurt security significantly”. For evidence he points to AV flaws discovered by Google’s Project Zero, which was set up in 2014 to detect zero-day vulnerabilities.
O’callahan claims that AV companies don’t “follow standard security practices”, in contrast to the “generally competent” Microsoft, and that their products can “poison” other types of software. He draws on his experience with Firefox, blaming AVS for blocking security updates to the browser. Fixing this required “major amounts of developer time”.
His comments have been slammed by AV testers, although they do accept that security software can cause problems. Security blogger Graham Cluley acknowledged that AV “sometimes suffered from its own flaws and vulnerabilities”, but people would still be “crazy” to use the web without one.
But was O’callahan right to recommend Windows Defender? The latest analysis would suggest not. It was the worst AV in our recent test (see Issue 493, left), failing to block 10 of the 84 threats it was exposed to. Respected AV tester Simon Edwards, who runs SE Labs ( https://selabs. uk), says that while Windows Defender is better than it used to be, rival programs “are consistently stronger”.
Edwards says that he understands O’callahan’s frustration with AV, but calls his advice “misguided”. He says that no AV is perfect, but it’s “just plain wrong” to say that they are all “equally ineffective”.
But it would be a mistake to dismiss O’callahan as a lone dissenter. Other security developers share his view, including Chrome’s Justin Schuh. He said on Twitter that “worthless” antivirus code delayed the introduction of features in the browser.
He pointed the finger at AV companies: “I expect it’s possible to make an [antivirus] that isn’t more harm than good, but none of you are even trying”. There are likely to be many developers who hate the changes AV makes to their software.
Yet rather than a reasoned