The Futility of Antivirus Software
Below are excerpts from several articles that illustrate the hazard that antivirus software represents to a computer. Note that the last article I have reprinted in full because it seems to have disappeared from the internet.
Security Now! with Steve Gibson, Episode 568, July 12th, 2016
"[T]his article in Yahoo! News was supporting the idea that antivirus software is becoming increasingly useless and may make your computer less safe. Now, it was a series of interviews of security people following from the rather catastrophic Symantec kernel flaw that we talked about last week where virtually the entire Symantec product line was found to have a bad vulnerability because it was filtering Internet traffic in the kernel. It was remotely exploitable by something that - just by sending a message. No user had to take any action because the act of this flowing through the connection could allow a system compromise.
"...[T]hat's an instance of what we've [identified as] the broader topic of the general attack surface problem, which is the more stuff you add ... the more opportunities there are for something to break because, as we know, security is hard. So anyway, that was just sort of the gist of this story. There were, among the quotes there from various security experts that the author of the story quoted, someone said, yeah, antivirus software used to be 80 to 90% effective, but now it was really about 10% effective, mostly because the nature - and Leo, I've heard you talking about this a lot on The Tech Guy show. The nature of the problem has changed. We have polymorphic viruses. The viruses are not static. They're staying ahead of the virus signature updates."
(The article he referred to is reprinted here in full at the end of other excerpts.)
This is not the Yahoo article referenced by Security Now above, but another one about the same thing: Ars Technica
"These vulnerabilities are as bad as it gets," Tavis Ormandy, a researcher with Google's Project Zero, wrote in a blog post. "They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it - the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.
"Tuesday's advisory is only the latest to underscore game-over vulnerabilities found in widely available antivirus packages. Although the software is often considered a mandatory part of a good security regimen—on Windows systems, at least—their installation often has the paradoxical consequence of opening a computer to attacks that otherwise wouldn't be possible."
Steve Gibson quotes Matthew Green on the relative insecurity of full-featured operating systems (e.g. Windows) versus the tighter security of mobile operating systems (e.g. iOS on an iPhone).
"In the parlance of security professionals, ... you have a huge attack surface. In English, this means that, from the perspective of an attacker, there are many different avenues through which to compromise your machine."
"So does using iOS mean I'm perfectly safe?" He says: "Of course not. Unfortunately, computer security today is about resisting attacks. We simply don't quite know how to prevent them altogether. Indeed, well-funded attackers like governments are still capable of compromising your iOS device, and your Android, and your PC or Mac. Literally the only question is how much they'll have to spend doing it."
So, finally, "You're telling me I have to give up my desktop machine? Not at all. Or rather, while I'd love to tell you that, I understand this may not be realistic for most users. All I am telling you to do is to be thoughtful. If you're working on something sensitive, consider moving the majority of that work and communications to a secure device until you're ready to share it."
You can still use your normal computer just fine, as long as you're aware of the relative risks. That's all I'm trying to accomplish with this post.
"In conclusion, I expect that many technical people will find this post objectionable, largely because they assume that, with their expertise and care, they can make a desktop operating system work perfectly safely. And maybe they can."
An article originally from Canadian CBC, about July 2016
I have marked in boldface the sections I wish to emphasize.
Antivirus software is 'increasingly useless' and may make your computer less safe
Is your antivirus protecting your computer or making it more hackable?
Internet security experts are warning that anti-malware technology is becoming less and less effective at protecting your data and devices, and there's evidence that security software can sometimes even make your computer more vulnerable to security breaches.
This week, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued a warning about popular antivirus software made by Symantec, some of it under the Norton brand, after security researchers with Google's Project Zero found critical vulnerabilities.
"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," wrote Google researcher Tavis Ormandy in a blog post. Symantec said it had verified and addressed the issues in updates that users are advised to install.
It's not the only instance of security software potentially making your computer less safe.
Concordia University professor Mohammad Mannan and his PhD student Xavier de Carné de Carnavalet recently presented research on antivirus and parental control software packages, including popular brands like AVG, Kaspersky and BitDefender, that bypass some security features built into internet browsers to verify whether sites are safe or not in order to be able to scan encrypted connections for potential threats. In theory, they should make up for it with their own content verification systems.
'Surprised at how bad they were'
But Mannan's research, presented at the Network and Distributed System Security Symposium in California earlier this year, found they didn't do a very good job.
"We were surprised at how bad they were," he said in an interview. "Some of them, they did not even make it secure in any sense."
When contacted about Mannan's research, Kaspersky said it was reviewing the research and AVG said it had made precautionary changes to its software. Alexandru Balan, chief security researcher for BitDefender, defended his company's encrypted content scanning feature as valuable protection against threats, but said that type of "SSL or TLS filtering" feature needs to be designed and constantly updated in a careful fashion, which he believes his company does.
However, Mannan recommends that if you use antivirus software, you should choose one that doesn't have the feature or turn it off.
He doesn't use antivirus protection on his primary machines and hasn't for years, he said.
"I don't see any clear advantage of using them," he wrote in a followup email, noting that they can slow your machine down and introduce new vulnerabilities.
Neither the vulnerabilities reported by Mannan nor the Symantec vulnerabilities are known to have been exploited, but that doesn't mean they never have been.
Meanwhile, many experts agree that antivirus software may not do a great job at protecting your computer against today's threats.
"Antivirus is getting increasingly useless these days," wrote Stu Sjouwerman, CEO of KnowBe4, which trains employees of other companies to be smarter about internet security, in a blog post this week.
When asked to elaborate in an interview, he said, "The bad guys … basically have gone smart and they say, 'We're not going to try and circumvent antivirus. We're just going to attack organizations at the weakest link in IT security, which is the user.'"
Increasingly, attacks focus on social engineering or phishing that lures users onto compromised websites that can steal information or serve ransomware.
Those websites are so short-lived that antivirus software often doesn't update fast enough to recognize them, Sjouwerman added.
Still worth it?
J. Paul Haynes, CEO of Cambridge, Ont.-based cybersecurity firm eSentire, said that while antivirus software used to protect against 80 to 90 per cent of threats, it's now thought to protect against less than 10 per cent because of the cybercriminal tactics cited by Sjouwerman.
"It gets a little worse every day, every week, every month," Haynes said.
But both Sjouwerman and Haynes suggest that even a small level of protection offered by antivirus software may still be worth the price for corporations.
"This is the easiest and cheapest stuff to stop," Haynes said.
However, they both warned against having a false sense of security if you have an antivirus installed.
For the consumer, Haynes said, "ransomware is probably the thing that people have to worry about." Ransomware typically encrypts your files and demands a ransom of several hundred or thousand dollars to restore access.
And because those compromised websites are so short-lived, "it wouldn't matter how good your antivirus is," Haynes said, you'd still be vulnerable.
Tips for protecting yourself
So what can you do to protect yourself in the post-antivirus age?
Mannan, Haynes and Sjouwerman all have similar recommendations:
- Back up everything regularly. You can back up photos and non-sensitive files to the cloud. But you should also keep a backup on an external hard drive that is not physically connected to your computer (otherwise it can be compromised in a ransomware attack). That way, if you get attacked by ransomware or another threat, you can roll back to the previous version of your computer.
- Keep your operating system and software such as browsers up to date and patched. Turn on automatic updates if they're available.
- Think before you click on links or attachments. If you're not sure about them, get in touch with the person who sent them to double-check.