Slashdot Mirror


Antivirus Software Could Make Your Company More Vulnerable (csoonline.com)

itwbennett writes: Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications. And evidence suggests that attacks against antivirus products are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims. Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status 'sold.'

14 of 74 comments

  1. cost and benefit by fermion · Score: 4, Insightful

    I don't know if it is possible to have MS Windows running on the internet without anti-virus software. So the question is not which AV software has vulnerabilities, as all software has this issue, but which provides significantly more protection than risk. Or if there is a better way to protect MS Windows machines than AV software.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    1. Re:cost and benefit by gilgongo · Score: 4, Insightful

      If it's any help (and if you're referring to desktop Windows computers behind standard domestic NAT-ed router/firewalls), then with the exception of WSE since it came out (WinVista?), I've *never* run anti-virus on any Windows installation in our 4-person home in over 20 years.

      About once a year I boot each machine from something like Trinity Rescue Disk and run a sweep using two or three different anti-virus packages. This might come up with perhaps one or two low-risk infections (usually Java), but that's it.

      I assume therefore that if the people using the machines are not in the habit of visiting certain types of website, and aren't inclined to open attachments they're not expecting, then all will be well.

      --
      "And the meaning of words; when they cease to function; when will it start worrying you?"
    2. Re:cost and benefit by Frosty+Piss · Score: 4, Interesting

      I ran XP and later Win7 with nothing more than Microsoft Security Essentials, and never had an infection. Ran CCleaner and Malwarebytes regularly and never found a thing.

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:cost and benefit by DarkOx · Score: 3, Insightful

      Yes, it's possible if you don't do stupid things and don't foul up Windows security. The vast majority of liabilities/vulnerabilities on modern Windows desktops arise directly from PBCAK (Person between chair and keyboard). I personally use a mixture of Slackware and OSX at home, but I do security work and I can tell you if you are following the rules below on Windows 8 and later it's very unlikely anyone is going to pop your box.

      [Stuff that comes out of box if you don't f**k it up]
      0) Have a strong password.
      1) Leave UAC enabled.
      2) Leave the Windows firewall on and with recommended settings, even if you are behind NAT and/or some other hardware firewall.
      3) Install updates promptly.
      4) Don't run things from sources you don't trust.
      4a) If you really must run stuff from untrusted sources have a separate user account to download and execute that stuff with that you do not use to handle any information you don't want public, and for goodness sake don't let it elevate.
      5) Do not install Flash
      6) Do not install the Java browser plugins.

      [Mostly painless things you can do to really harden windows boxen]
      7) Install EMET
      8) Install KB2871997 and disable wdigest

      [annoying but still a good practice]
      9) logoff (not just lock) your desktop when not in use. Optionally suspend or hibernate the system, instead.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:cost and benefit by whoever57 · Score: 2

      PEBCAK (Problem exists between chair and keyboard).

      FTFY.

      --
      The real "Libtards" are the Libertarians!
    5. Re:cost and benefit by Marillion · Score: 2

      Passive AV software is about eliminating malware AFTER it has taken root on a system. Active AV injects itself into critical checkpoints. Microsoft, to their credit, has taken proactive steps to close the exploits that malware has used to enter a system. Steps like including Flash player updates with Windows updates. Is it perfect? Of course not. But it's gone a long way, to the point of making AV software the "low hanging fruit" of attack surfaces.
      I'll also echo what many have said - WSE and SPI firewalls (Stateful Packet Inspection, the prerequisite of NAT, is what actually protects you) have been the only thing I've been using for years.

      --
      This is a boring sig
    6. Re:cost and benefit by DarkOx · Score: 2, Informative

      Seriously, if windows needs a 'security' kludge like UAC to stay secure, then it's not really secure at all.

      That is seriously ignorant. What UAC really is under the hood is very similar to having two accounts, one privileged and one less so. The shell has some smarts in it to spot when things that are likely to need escalation, such as programs named setup.exe, are called, and asks when the user is privileged. It's also a little more convenient for the user because the environment etc. is shared, and depending on the registry settings they maybe don't need to type their password, and because the OS takes special steps to ensure programs cannot send events to UAC windows it is still somewhat tamper-proof.

      You could very correctly compare this to a Linux system where your user account is a member of the wheel group and wheel is allowed to run any command via sudo. The difference is UAC without a password can still be an effective security control while sudo without a password can't (the malware can just try and invoke it). So either sudo has to require password entry (annoying) or it's only protecting the system from accidents, like you thought the working directory was /home/myself/documents but it turns out it's the wrong window and you are in /bin for whatever reason (still valuable).

      Is the old advice of having an account that is not a local administrator and a separate account that is, to use for things that need it, and then running them either via runas or via logout/login to the other account, still better? Probably, but years of practice has shown us users won't, as a general rule, do that. Which is why the UNIX and UNIX-like world has sudo and Windows now has UAC.

      The alternative is everyone runs around running everything privileged all the time. Which years of practice has shown us means malware gets to do whatever it wants.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
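      The following is an added example, not code from the Slashdot thread or any of its posters: a read-only PowerShell audit of the settings DarkOx's checklist names (UAC, the Windows firewall, prompt patching, KB2871997/WDigest, Flash and Java, EMET) together with the UAC prompt-behaviour registry values his UAC-versus-sudo comment above alludes to (whether an administrator is prompted at all, and whether the prompt is drawn on the secure desktop that other programs cannot send input to). The registry paths and value names are the documented Windows locations; the function names, the pass/fail rules, the 45-day patch-age threshold and the build-number cut-offs are assumptions made for this example. EMET reached end of support in 2018, so on current Windows 10 its counterpart is Exploit Protection; the check reports whether the legacy package is installed and passes on builds that ship the replacement.

```powershell
# Added example (not from the thread or its posters): read-only audit of the
# hardening items discussed above. Run from an elevated PowerShell on Windows 8+.
# Registry locations are the documented Windows ones; pass/fail rules and
# thresholds are this example's own assumptions.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function New-Check {
    param([string]$Name, $Value, [bool]$Pass, [string]$Note = '')
    [pscustomobject]@{ Check = $Name; Value = $Value; Pass = $Pass; Note = $Note }
}

function Test-WindowsHardening {
    $sys     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $build   = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

    # 1) UAC enabled: EnableLUA = 0 means every admin logon runs fully elevated.
    $lua = Get-RegValue $sys 'EnableLUA'
    New-Check 'UAC enabled (EnableLUA = 1)' $lua ($lua -eq 1)

    # ConsentPromptBehaviorAdmin decides whether an admin is asked at all:
    #   0 = elevate silently (the "everything runs privileged" case the thread warns about)
    #   1/3 = prompt for credentials, 2/4 = prompt for consent,
    #   5 = prompt for consent for non-Windows binaries (the default when absent)
    $cpba = Get-RegValue $sys 'ConsentPromptBehaviorAdmin'
    New-Check 'UAC does not elevate silently (ConsentPromptBehaviorAdmin != 0)' $cpba ($cpba -ne 0) 'absent = default 5'

    # PromptOnSecureDesktop = 1 draws the prompt on the secure desktop, which is what
    # keeps other programs from sending input to the UAC dialog. Default is 1.
    $sd = Get-RegValue $sys 'PromptOnSecureDesktop'
    New-Check 'UAC prompts on the secure desktop' $sd (($null -eq $sd) -or ($sd -eq 1))

    # 2) Windows Firewall on for every profile, NAT or not.
    foreach ($p in Get-NetFirewallProfile) {
        New-Check "Firewall profile '$($p.Name)' enabled" $p.Enabled ("$($p.Enabled)" -eq 'True')
    }

    # 3) Updates installed promptly: age of the newest hotfix (45 days is an example threshold).
    $newest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age    = if ($newest) { (Get-Date) - $newest.InstalledOn } else { $null }
    New-Check 'Most recent hotfix under 45 days old' $(if ($age) { $age.Days } else { 'n/a' }) (($null -ne $age) -and ($age.Days -le 45))

    # 8) KB2871997 and WDigest. UseLogonCredential = 0 stops WDigest keeping a
    # plaintext copy of logon credentials in memory. An absent value means
    # "disabled" only from Windows 8.1 (build 9600) onward, where the fix is built in.
    $ulc    = Get-RegValue $wdigest 'UseLogonCredential'
    $wdPass = ($ulc -eq 0) -or (($null -eq $ulc) -and ($build -ge 9600))
    New-Check 'WDigest plaintext caching disabled (UseLogonCredential = 0)' $ulc $wdPass 'absent counts as disabled only on 8.1+'
    $kb = Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue
    New-Check 'KB2871997 present (or built into the OS)' ([bool]$kb) (([bool]$kb) -or ($build -ge 9600))

    # 5), 6), 7) Installed packages from the Uninstall keys (64- and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $apps  = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue | Where-Object DisplayName | ForEach-Object DisplayName
    $flash = @($apps | Where-Object { $_ -like 'Adobe Flash Player*' })
    $java  = @($apps | Where-Object { $_ -like 'Java *' })
    $emet  = @($apps | Where-Object { ($_ -like 'EMET*') -or ($_ -like 'Enhanced Mitigation Experience Toolkit*') })
    New-Check 'No Flash Player package installed' ($flash -join ', ') ($flash.Count -eq 0)
    New-Check 'No Java runtime installed (the browser plugin ships with it)' ($java -join ', ') ($java.Count -eq 0)
    # EMET is end-of-life; Windows 10 1709 (build 16299) and later ship Exploit Protection instead.
    New-Check 'EMET installed, or OS ships Exploit Protection' ($emet -join ', ') (($emet.Count -gt 0) -or ($build -ge 16299))

    # 0) password strength and 9) logging off when idle are not visible in the registry
    # in any useful way and are left to the human.
}

Test-WindowsHardening | Format-Table Check, Value, Pass, Note -AutoSize
```

      The script changes nothing; each row reports the value found and whether it meets the rule, so a failing row points at the exact registry value or package to fix. Because `Get-HotFix` reads the Win32_QuickFixEngineering class, it does not list updates delivered as cumulative packages on Windows 10, which is why the KB2871997 row also accepts a build number where the WDigest fix is built in.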
    7. Re:cost and benefit by SwashbucklingCowboy · Score: 2, Funny

      "and never had an infection"

      That you know of.

    8. Re:cost and benefit by sabt-pestnu · Score: 2

      I was, at one time, tasked to incorporate CCleaner as a 'plugin' to an app I was working on.

      AFAIK, CCleaner does absolutely no virus checking. The version I was working on would 'clean up' your registry, temp directory, and a couple other spots, but not check for viruses per se.

      And having looked through what it purports to do in the way of registry element deletion, I would be exceptionally cautious about letting it run free. Some of the bits it wanted to clean up as unused were not unused/useless on the system I was running it on. Not saying it did not find stuff that actually WAS useless, just that I saw it register some false positives.

      YMMV.

  2. Learned helplessness by Anonymous Coward · Score: 4, Interesting

    The main vector for malware is people doing what computers tell them to do. Users have become so accustomed to oversight and "someone else" taking care of their computers that they feel they do need to "update their media player program", "install a codec" and "download this antivirus to remove the trojan horse" when their computer tells them to. That's what the pros do, right? Update and install something and then everything works. And Windows has a "security center" which lambasts the users with red exclamation marks until they download an antivirus, and now that website has found something and offers a free antivirus software. Phew, close one.

    Microsoft, Google, Apple, etc. need to stop their programs from telling people how to keep their computers safe. If you know how, then just do it. If you don't know, then what's the point in warning the users: They certainly won't know what to do. Either way, shut up about it. When the computer tells them it has a virus, then users must know that the message is not from someone who looks over them, but probably from someone who wants them to do something that they shouldn't do. "Install this" should instinctively sound exactly as dangerous as installing software off the internet is.

  3. Re:Not quite AV, but close by ls671 · Score: 4, Insightful

    Every piece of software is a potential security hole. AVs, firewalls, encryption layers like SSL or what not constitute no exceptions.

    --
    Everything I write is lies, read between the lines.
  4. Re:Not quite AV, but close by Bert64 · Score: 3, Insightful

    Exactly, which is why things should be kept simple - the less code you have running, the less you have to keep track of.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  5. Bad title. by Fencepost · Score: 2

    Introducing any new software onto a system has the potential to add increased attack vectors. In the case of antivirus software, exploits may be easier to get to the right place because the software by definition is looking at all the traffic coming in, but you could just as easily look for vulnerabilities in network card driver stacks for widely-used network and wireless cards.

    At least with antivirus they're likely already getting updates regularly; the same can't be said for hardware drivers on a huge percentage of systems.

    --
    fencepost
    just a little off
  6. Re:Not quite AV, but close by Dutch+Gun · Score: 3, Informative

    I'll half agree with you... I think I know what you're getting at, but I think it's worth clarifying a bit. After all, it's not like any arbitrary code on a machine is vulnerable to random attacks from the internet.

    Rather than talking about simplicity - because let's face it, that will never happen - we need to focus on minimizing and hardening the attack surface. For instance, if my personal machine sits behind a router, arbitrary incoming traffic from the internet is blocked. Anything that isn't blocked then has to make it past my personal machine's built-in firewall, which would tend to reject most anything else. Thus, it's likely that 99.999 percent of the code on my machine (any modern OS is *horribly* complex by nature) is completely immune to random internet-based attacks, at least ignoring user actions like launching an infected program or script.

    A good example of minimizing attack surface is Amazon's recent release of a very tiny TLS library called s2n. With only 6000 lines of code, it's *much* easier to vet and declare secure than the feature-rich but dangerously bloated OpenSSL library, which may put servers at risk with features they never used. Even the name (signal to noise) indicates the intent, which is to keep the library tiny and focused. We're discovering that there's a danger to letting code grow infinitely large and complex, and not deprecating it, because even if those old features work, they still may contain security issues. I'd be extremely surprised if s2n had any serious security flaws in its implementation simply due to its small size - there's just not as much that can go wrong there.

    --
    Irony: Agile development has too much inertia to be abandoned now.