Antivirus Software Is 'Increasingly Useless' and May Make Your Computer Less Safe (www.cbc.ca)
Emily Chung, writing for CBC: Is your antivirus protecting your computer or making it more hackable? Internet security experts are warning that anti-malware technology is becoming less and less effective at protecting your data and devices, and there's evidence that security software can sometimes even make your computer more vulnerable to security breaches. This week, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued a warning about popular antivirus software made by Symantec, some of it under the Norton brand, after security researchers with Google's Project Zero found critical vulnerabilities. "These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," wrote Google researcher Tavis Ormandy in a blog post. Symantec said it had verified and addressed the issues in updates that users are advised to install. It's not the only instance of security software potentially making your computer less safe. Concordia University professor Mohammad Mannan and his PhD student Xavier de Carne de Carnavalet recently presented research on antivirus and parental control software packages, including popular brands like AVG, Kaspersky and BitDefender, that bypass some security features built into internet browsers to verify whether sites are safe or not in order to be able to scan encrypted connections for potential threats. In theory, they should make up for it with their own content verification systems. But Mannan's research, presented at the Network and Distributed System Security Symposium in California earlier this year, found they didn't do a very good job. "We were surprised at how bad they were," he said in an interview. "Some of them, they did not even make it secure in any sense."
Not running AV because some researchers are doing next-level shit is like not wearing your seatbelt because a sniper might get you.
To extend your analogy, we are now driving at speeds that render the seatbelt inadequate. While it may still be wise to buckle up, we need a better seatbelt design, a supplementary measure, or a replacement.
Right now, we have IDS/IPS applications and ad/script blocking as reasonably good supplements. But even that isn't enough anymore---just as adding an air bag isn't enough to make a car safe at racetrack speeds.
There are suitable solutions for enterprise where the budget and administrative skills can support it, but there is really nothing for home users.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
For people that don't open attachments, and are more resistant to Trojans, malvertising is probably the top infection vector there is.
I did a test on this a few years back. VM #1, running XP, wasn't patched other than the browser (Firefox), and didn't have any AV on it. VM #2 was patched all the way with Windows and all applications and add-ons (Flash, Acrobat, etc.), had all the AV stuff, but no ad blocking.
I used VM #1 for dedicated web browsing for a long while, and when I shut it down, mounted the virtual drive, scanned it, and used Autoruns to look at the registry, it was clean. VM #2, which was used for browsing a few mainstream social media sites, was nailed in less than ten minutes with pop-up scareware ads, then software using a third-party add-on exploit.
Moral of the story: I can go without AV and have a clean system. AV doesn't do anything against malvertising, and with the advent of sites using Flash + EME to protect their content, AV only adds complexity, expands the attack surface, and does nothing.
The thing is, 99% of the malware you run into is run-of-the-mill stuff.
Which Windows' built-in antivirus protection will stop.
Not running AV because some researchers are doing next-level shit is like not wearing your seatbelt because a sniper might get you.
Nonsense. There's nothing "next level" about this. What Tavis found is that running vulnerable A/V software adds a large and easily-exploitable attack surface to your system. The fact that most current-generation malware isn't exploiting these bugs yet doesn't mean they won't, soon.
Tavis Ormandy has uncovered a shit-ton of serious vulnerabilities in some big name AV / Endpoint Protection products. Great! Those will get fixed and life goes on.
And how many more will be added? A/V software adds attack surface to your system, running at high priority. That's bad. In the past it was a net win because the base OS did nothing to protect against malware, but that's no longer the case. Does Symantec actually provide additional protection over Windows Defender? If so, how do you balance that against the additional risk it adds?
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Yes, I use windows antivirus and have never had any problems.
love is just extroverted narcissism
Privilege separation and sandboxing are well-tested mitigation techniques that allow OpenBSD to assert "Only two remote holes in the default install, in a heck of a long time!" - this security record is far, far superior to the Windows OS and the virus scanners that run atop it.
What Microsoft still fails to grasp, even after Gates' force majeure with the XP-SP2 security redesign, is that all applications should default to a strong sandbox. When a developer pushes code outside the sandbox, it should trigger more aggressive audits prior to listing in the Windows store, and user warnings of increasing severity upon installation.
The pertinent question for developers and administrators, especially with regards to network-facing services, is "how strong can we build the cage, and how little can we let out?" Until OS-designers build from this focus, the security tsunami will continue.