Slashdot Mirror


Antivirus Software Is 'Increasingly Useless' and May Make Your Computer Less Safe (www.cbc.ca)

Emily Chung, writing for CBC: Is your antivirus protecting your computer or making it more hackable? Internet security experts are warning that anti-malware technology is becoming less and less effective at protecting your data and devices, and there's evidence that security software can sometimes even make your computer more vulnerable to security breaches. This week, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued a warning about popular antivirus software made by Symantec, some of it under the Norton brand, after security researchers with Google's Project Zero found critical vulnerabilities. "These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," wrote Google researcher Tavis Ormandy in a blog post. Symantec said it had verified and addressed the issues in updates that users are advised to install. It's not the only instance of security software potentially making your computer less safe. Concordia University professor Mohammad Mannan and his PhD student Xavier de Carne de Carnavalet recently presented research on antivirus and parental control software packages, including popular brands like AVG, Kaspersky and BitDefender, that bypass some security features built into internet browsers to verify whether sites are safe or not in order to be able to scan encrypted connections for potential threats. In theory, they should make up for it with their own content verification systems. But Mannan's research, presented at the Network and Distributed System Security Symposium in California earlier this year, found they didn't do a very good job. "We were surprised at how bad they were," he said in an interview. "Some of them, they did not even make it secure in any sense."

31 of 212 comments

  1. You Misspelled Title by zenlessyank · · Score: 2

    ilcreasingingly

  2. Having Symantec Comment On Antivirus Info by zenlessyank · · Score: 3, Funny

    Is like having a guy with peanut allergies pushing Planters products.

    1. Re:Having Symantec Comment On Antivirus Info by arth1 · · Score: 3, Funny

      Is like having a guy with peanut allergies pushing Planters products.

      I bet that drives you nuts...

  3. Clicking on attachments by martyros · · Score: 3, Insightful

    After a recent debacle where Symantec apparently didn't get the proof-of-concept exploit sent to them by a security researcher because the mail filter automatically opened the document and crashed, a friend of mine joked that antivirus software was actually a tool to "automatically click on attachments for you".

    --

    TCP: Why the Internet is full of SYN.

  4. that hyperbole though by Anonymous Coward · · Score: 3, Informative

    ok look, i do some malware analysis.

    the thing is, 99% of the malware you run into is run-of-the-mill stuff.

    to paraphrase someone who was talking about EMET:

    not running AV because some researchers are doing next-level shit is like not wearing your seatbelt because a sniper might get you.

    Tavis Ormandy has uncovered a shit-ton of serious vulnerabilities in some big name AV / Endpoint Protection products. Great! Those will get fixed and life goes on. There are also some AV suites that taviso has NOT found big problems in.

    keep in mind also that some other big names in "next level" endpoint protection and security services monetarily gain from pushing the idea that "endpoint security is dead".

    1. Re:that hyperbole though by EndlessNameless · · Score: 4, Interesting

      not running AV because some researchers are doing next-level shit is like not wearing your seatbelt because a sniper might get you

      To extend your analogy, we are now driving at speeds that render the seatbelt inadequate. While it may still be wise to buckle up, we need a better seatbelt design, a supplementary measure, or a replacement.

      Right now, we have IDS/IPS applications and ad/script blocking as reasonably good supplements. But even that isn't enough anymore---just as adding an air bag isn't enough to make a car safe at racetrack speeds.

      There are suitable solutions for enterprise where the budget and administrative skills can support it, but there is really nothing for home users.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

    2. Re:that hyperbole though by swillden · · Score: 5, Interesting

      the thing is, 99% of the malware you run into is run-of-the-mill stuff.

      Which Windows' built-in antivirus protection will stop.

      not running AV because some researchers are doing next-level shit is like not wearing your seatbelt because a sniper might get you.

      Nonsense. There's nothing "next level" about this. What Tavis found is that running vulnerable A/V software adds a large and easily-exploitable attack surface to your system. The fact that most current-generation malware isn't exploiting these bugs yet doesn't mean they won't, soon.

      Tavis Ormandy has uncovered a shit-ton of serious vulnerabilities in some big name AV / Endpoint Protection products. Great! Those will get fixed and life goes on.

      And how many more will be added? A/V software adds attack surface to your system, running at high priority. That's bad. In the past it was a net win because the base OS did nothing to protect against malware, but that's no longer the case. Does Symantec actually provide additional protection over Windows Defender? If so, how do you balance that against the additional risk it adds?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  5. Adblock by Anonymous Coward · · Score: 5, Insightful

    I think installing an adblocker in your webbrowser is probably the best antivirus available today.

    1. Re:Adblock by Anonymous Coward · · Score: 5, Interesting

      For people that don't open attachments, and are more resistant to Trojans, malvertising is probably the top infection vector there is.

      I did a test on this a few years back. VM #1, running XP, hadn't been patched, other than the browser (Firefox), and didn't have any AV on it. VM #2 was patched all the way with Windows and all applications and add-ons (Flash, Acrobat, etc.), had all AV stuff, but no ad blocking.

      I used VM #1 for dedicated web browsing for a long while, and when I shut it down, mounted the virtual drive, scanned it as well as used Autoruns to look at the registry, it was clean. VM #2, which was used for browsing a few mainstream social media sites was nailed in less than ten minutes with pop-up scareware ads, then software using a third party add-on exploit.

      Moral of the story: I can go without AV and have a clean system. AV doesn't do anything against malvertising, and with the advent of sites using Flash + EME to protect their content, AV only adds complexity, expands the attack surface, and does nothing.

    2. Re: Adblock by arth1 · · Score: 2

      I'm not going back to Amiga despite its lack of viruses

      This is rather funny, considering that the Amiga was infamous for its plethora of viruses.
      Some of which were rather amusing, like playing a song with the stepper motor of the floppy drive, or using any modem found to dial the home phone number of an Antivirus creator, or randomly inserting words like "sex" in any text files. All in the 1kB boot block.

    3. Re:Adblock by Etcetera · · Score: 2

      For people that don't open attachments, and are more resistant to Trojans, malvertising is probably the top infection vector there is.

      Moral of the story: I can go without AV and have a clean system. AV doesn't do anything against malvertising, and with the advent of sites using Flash + EME to protect their content, AV only adds complexity, expands the attack surface, and does nothing.

      BS. "Malvertising" doesn't exist fundamentally at a technical level any more than "malshareware" exists. The problems are, respectively, vulnerabilities in flash/imagemagick/browser software/etc and intentionally subversive code that doesn't do what it claims to do. "Restricting advertising" as an AV response is catching things in the dragnet, but that's much more just rationalizing the fact that you just don't want to see ads on websites.

      We've all seen parents' and friends' computers that didn't have AV software installed and the sh*tshow they usually are, and it's not because they saw banner ads but because they got infected with viruses. Is AV foolproof or guaranteed to catch everything? Of course not. Does it run as a privileged process and thus require extra scrutiny in the privileged code sections? Of course. So does sudo. But most people are much better off with AV software than without, notwithstanding the fact that people at heightened risk should have even more layers of protection.

    4. Re: Adblock by thoromyr · · Score: 2

      Aspiring programmers created many viruses for the Amiga. If memory serves, LAMER was one of the more prevalent ones. It was so-named for being targeted at pirates (and quite possibly written by a commercial software programmer). The Amiga had *zero* security features. Any application could write to any portion of memory which made poorly written but otherwise non-malicious software a problem for system stability. It was an inherently single-user system. File attributes are not protection. RDB permitted the inclusion of arbitrary code that would be loaded on demand when a drive was scanned (this was intended to allow a drive to provide its own file system drivers, but like many such cool features no one had given security even a passing thought).

      However, *most* of the "viruses" on the Amiga were toys or jokes -- there weren't that many with malicious intent (though see LAMER) -- so users often were not particularly concerned about them.

    5. Re:Adblock by dcooper_db9 · · Score: 2

      Perhaps. But the biggest vulnerability in Windows computers (for home users) comes from users running as an administrator. The Windows install process should really be changed to set up an administrator account as well as a standard user account. Very few users get viruses when they have to elevate privileges.

      I currently have 117 home and small business clients that I've educated about this. I create a new administrator account and change their original user account to standard. Only one of my clients that made the change has had a virus infection in the past three years. Almost all of my clean-up business comes from the people who continue to run as admin. And yes, I sometimes wonder how much money I'm losing by doing this.

      --
      I do not block ads. I do block third party scripts.

  6. Blacklist vs. whitelist by tepples · · Score: 3, Informative

    Antivirus software that detects apps known to be harmful is a form of blacklisting. But as a general rule, blacklisting is considered less secure than whitelisting. An antivirus using whitelisting, such as PC Matic, allows only known good apps to run.

    The obvious problem with this approach is who defines the set of known good programs. In a corporate environment, an IT department has the resources to review the programs on which employees rely. But a home PC owner who isn't quite a PC expert may not feel qualified to do this, instead delegating review to a trusted party. This has led to cases of rent-seeking, where a gatekeeper demands payment from each developer to review each app.

    Bruce Schneier explains further

    1. Re:Blacklist vs. whitelist by hibiki_r · · Score: 2

      And the moment you put a whitelisting antivirus on a programmer's machine, who will often compile their own executables, the corporate plan goes to shit anyway.

      Just like how IT departments often make programmers' life hell by not making exceptions for a directory used for compilation and artifact downloading. Triple your compile times for no good reason!

  7. Stupid Software Design Decisions by nateman1352 · · Score: 2

    Seriously why the hell does Antivirus software need to run its scan engine at Admin group privileges, and why is half of the scan engine running in Ring 0 kernel drivers?

    It's amazing, my work laptop BSODs about once a day just because of some crappy driver included in the Antivirus software installed by IT.

    Since it crashes that frequently just in normal operation it seems likely that there is at least 1 vulnerability in that driver which is exploitable from user mode.

    1. Re:Stupid Software Design Decisions by cbiltcliffe · · Score: 2

      If the scan engine wasn't running as Ring 0 kernel drivers, then it wouldn't be able to detect Ring 0 rootkit drivers, and other such crapware. Since we know there are kernel vulnerabilities which allow infection with Ring 0 malware, not running your scanner at least partially in Ring 0 would make it even less useful than it currently is.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......

    2. Re: Stupid Software Design Decisions by nateman1352 · · Score: 2

      Since the whole point of it is security, it really makes sense to have two copies of your scan engine installed, one in Ring 0 for early boot rootkit detection that scans every driver as it loads and only scans if the binary passes MSFT's driver signing checks first.

      All of your scanning of code modules after the kernel is up should be forwarded to a sandboxed user mode service so that even if the scan engine is compromised the malicious code can't go anywhere. Not a bad idea to fire up a new process for every scan so the exploit will be short lived.

      It's pretty clear that antivirus software isn't written this way. They run everything in high privileges.
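      Added example (not from any poster here, and not any vendor's code): one way to structure the sandboxed, short-lived per-scan worker this comment describes, in Python. The container format, the signature markers and the samples are constructed for illustration, and the memory cap is a best-effort stand-in for a real sandbox.

```python
import multiprocessing as mp
import struct
# Constructed byte patterns standing in for a real signature database.
SIGNATURES = {
    b"CONSTRUCTED-MALWARE-MARKER-1": "Constructed.Dropper.A",
    b"CONSTRUCTED-MALWARE-MARKER-2": "Constructed.Adware.B",
}
# fork (Unix) lets the worker run without an importable module path.
_CTX = mp.get_context("fork" if "fork" in mp.get_all_start_methods() else None)


def scan_engine(data: bytes) -> str:
    """Untrusted parser for a toy container (magic b"CNT", 1-byte record count,
    then [2-byte big-endian length][payload] records) matched against SIGNATURES.
    Deliberately fragile: a truncated container raises struct.error."""
    _magic, count = struct.unpack_from(">3sB", data, 0)
    off = 4
    for _ in range(count):
        (length,) = struct.unpack_from(">H", data, off)
        payload = data[off + 2:off + 2 + length]
        off += 2 + length
        for marker, name in SIGNATURES.items():
            if marker in payload:
                return "infected:" + name
    return "clean"


def _worker(data: bytes, conn) -> None:
    # Throwaway scan process: best-effort memory cap (Unix), then scan and report.
    try:
        import resource
        resource.setrlimit(resource.RLIMIT_AS, (1 << 30, 1 << 30))
    except (ImportError, ValueError, OSError):
        pass
    conn.send(scan_engine(data))
    conn.close()


def isolated_scan(data: bytes, timeout: float = 5.0) -> str:
    """Run one scan in a fresh child process. A parser crash or hang becomes an
    "error:..." verdict here rather than a crash of, or code execution inside,
    the resident service; only a short string ever crosses the pipe."""
    parent_conn, child_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_worker, args=(data, child_conn))
    proc.start()
    child_conn.close()  # so the child's exit shows up as EOF on our end
    verdict = "error:timeout"
    if parent_conn.poll(timeout):
        try:
            verdict = parent_conn.recv()
        except EOFError:  # child died before reporting a verdict
            verdict = "error:crashed"
    proc.join(timeout=1.0)
    if proc.is_alive():
        proc.kill()
        proc.join()
    return verdict


def build_container(*payloads: bytes) -> bytes:
    body = b"".join(struct.pack(">H", len(p)) + p for p in payloads)
    return b"CNT" + bytes([len(payloads)]) + body


# Constructed samples: clean, infected, and a truncated container whose
# declared record length points past the end of the data.
CLEAN = build_container(b"hello world", b"just some bytes")
INFECTED = build_container(b"prefix", b"xx CONSTRUCTED-MALWARE-MARKER-2 xx")
MALFORMED = b"CNT\x05\xff\xff"
```

      Feeding MALFORMED to scan_engine directly would take the calling process down with it; through isolated_scan the parent only sees an "error:crashed" verdict.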

  8. Most Clients Get Infected Looking For Free Movies by zenlessyank · · Score: 5, Informative

    Almost every client whose infected machine I have had to deal with was looking for free movies on the web. They lie and say they have no idea, but when I show them their browsing history then they get all stuttery and defensive. I would say it is about 50/50 with porn and regular movies. I haven't seen many infections through e-mail that actually make it to the machine.

  9. Now, that's unfair by Opportunist · · Score: 5, Funny

    Saying that Antivirus Software is useless and using Symantec as an example is like saying that editors are useless and using /. editors as examples.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  10. Re:Most Clients Get Infected Looking For Free Movi by jawtheshark · · Score: 2

    I would say it is about 50/50 with porn and regular movies.

    Which I don't understand. You can get porn risk free pretty much on all big platforms. Free porn is a solved problem. No need to go to shady websites.

    Hell, it's in the interest of most porn providers to avoid infecting you because they'd rather have you as a paying customer. Go to the big streaming porn websites; invariably there are pay video-on-demand, webcam sites and dating sites behind them. They want you to pay for that. They don't want your credit card number to be lifted by some malware writing shady criminals...

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)

  11. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  12. Your anecdote is worthless by s.petry · · Score: 2

    I have been working in IT security for nearly 3 decades. Work for a mail hosting company or support large mail infrastructure if you want to find people infected by mail. I have, do, and can tell you that most business PCs are infected through email and attachments. For home PCs, you are right that most comes from malicious sites often hosting video. There is another very small set of hosts who get attacked quite differently. These are targeted service attacks generally masked by a massive DDOS. They are specific, crafted, and staffed with experts at exploiting systems.

    You not having clients infected by means other than pr0n is purely due to a very shallow pool of clients.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  13. Re:Windows Problems by avandesande · · Score: 3, Interesting

    Yes, I use windows antivirus and have never had any problems.

    --
    love is just extroverted narcissism

  14. Re:Ad networks are currently juicier targets by tepples · · Score: 2

    In ad industry jargon, the publisher hosts an article, and the ad network hosts the ads embedded in the article. Both the publisher and the ad network operate servers. What's a more readily understood term meaning "site on which an advertisement is placed"?

  15. Comparing closeness to a binary state by tepples · · Score: 3, Informative

    Let me explain this usage:

    In prescriptivist theory, comparative words such as "more" or "increasingly" cannot be used with binary state words such as "unique" or "useless". But in practice, when a comparative word is used with a binary state word, the binary state word takes on the meaning of closeness to that state. So "more unique" means "closer to unique", and "increasingly useless" means "increasingly close to useless".

    1. Re:Comparing closeness to a binary state by cwsumner · · Score: 2

      The problem is that there are not really any "binary words". The universe does not have anything like that, it is fractal.

      So the popular usage, in this case, is actually more accurate. Words like "unique" cannot accurately be used to describe anything real, they are imaginary states.
      Except to mathematicians...

  16. Re:Best adblocker & more vs. threats online by coastwalker · · Score: 2

    You really ought to rewrite this occasionally you know. It reads like a spam advertisement by an African prince with a mental illness. I suppose that at least the way it is written we all know what it is and skip past it without bothering to read it. You are welcome for thanking me for my advice.

    --
    Facts are history now plebs have politics for religion on social media.

  17. chroot /var/empty; suid nobody by emil · · Score: 3, Interesting

    Privilege separation and sandboxing are well-tested mitigation techniques that allow OpenBSD to assert "Only two remote holes in the default install, in a heck of a long time!" - this security record is far, far superior to the Windows OS and the virus scanners that run atop it.

    What Microsoft still fails to grasp, even after Gates' force majeure with the XP-SP2 security redesign, is that all applications should default to a strong sandbox. When a developer pushes code outside the sandbox, it should trigger more aggressive audits prior to listing in the Windows store, and user warnings of increasing severity upon installation.

    The pertinent question for developers and administrators, especially with regards to network-facing services, is "how strong can we build the cage, and how little can we let out?" Until OS-designers build from this focus, the security tsunami will continue.

  18. Re: No shit by Etcetera · · Score: 2

    I remember that shit being so bad that at one point I had to hunt-down a third party program just to remove it since it was clearly designed as a virus itself...

    Yeah, Norton had to write a tool just to remove their own shit.

    The "Norton Removal Tool" is still available from the Norton site, which should tell people all they need to know about Norton.

    Why is that a bad thing? I'd prefer a separate tool to fully remove, rather than the normal Windows Uninstall being programmatically accessible. Hell, if I install my AV, I'd love for a specific YubiKey being needed by some authoritative process to remove it.

    We shouldn't be trying to get the computer to do things for us, because that makes things more vulnerable to malicious cyberspace actors. Pumping that back into meatspace (hey, how about we bring DIP switches back and require them to be flipped to write to BIOS again) forces humans back into the loop. Physical security and intrusion detection is a hell of a lot more of a solved problem than IoT security.

  19. Re:Windows Problems by operagost · · Score: 2

    Ever since I started carrying this rock, I have not been attacked by a single tiger.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.