Slashdot Mirror


Why is Antivirus Software Still a Thing? (vice.com)

Antivirus has been around for more than 20 years. But do you still need it to protect yourself today? From a report: In general, you probably do. But there are caveats. If you are worried about your iPhone, there's actually no real antivirus software for it, and iOS is engineered to make it extremely difficult for hackers to attack users, especially at scale. In the case of Apple's computers, which run MacOS, there are fewer antiviruses, but given that the threat of malware on Mac is increasing ever so slightly, it can't hurt to run an AV on it. If you have an Android phone, on the other hand, an antivirus does not hurt -- especially because there have been several cases of malicious apps available on the Google Play Store. So, on Android, an antivirus will help you, according to Martijn Grooten, the editor of trade magazine Virus Bulletin.

When it comes to computers running Windows, Grooten still thinks you should use an AV. "What antivirus is especially good at is making decisions for you," Grooten told Motherboard, arguing that if you open attachments, click on links, and perhaps you're not too technically savvy, it's good to have an antivirus that can prevent the mistakes you may make in those situations. For Grooten and Simon Edwards, the founder of SE Labs, a company that tests and ranks antivirus software, despite the fact that Windows' own antivirus -- called Defender -- is a good alternative, it's still worth getting a third-party one. "Even if [Defender] wasn't the best and it isn't the best, it is still a lot better than having nothing," Edwards told Motherboard. Yet, "we do see a benefit in having paid for AV product."

12 of 189 comments

  1. No. by Anonymous Coward · · Score: 3, Interesting

    That's an asinine view. Defender is the only av solution needed, and all other products create more problems than the occasional viruses. Third party av apps are security theater.

    1. Re:No. by nine-times · · Score: 4, Insightful

      I agree up to a point. For most personal users doing normal things, it's worth having one very lightweight AV that will catch obvious and egregious malware, and Defender fits the bill for that. I don't recommend a lot of the 3rd party stuff. Some of it's fine, but a lot of it is more trouble than it's worth, especially if you don't understand it.

      However, for businesses, you should get something in addition to Defender, if only to get a centralized console that the IT people can use to monitor and configure the AV. Further, some of the "next gen" antivirus products are good for monitoring behavior and flagging things that may be of concern. Unfortunately, those new technologies tend to require some babysitting, so it's not necessarily great for individual use.

    2. Re:No. by hairyfeet · · Score: 3, Informative

      That depends, I go by this simple formula "If user is not clueless then Defender, if clueless then Comodo AV". The reason why is simple...I have never seen Windows Defender do diddly squat against those FB malware links that clueless users will often get while Comodo AV shuts those suckers down.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. But wait, there's more! by jbmartin6 · · Score: 3, Interesting

    Most of the paid antivirus packages come with more than the original file inspection. HTTP inspectors, system cleaners, identity theft insurance, etc. There are all sorts of value-added things in there which Defender doesn't do.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re: But wait, there's more! by phantomfive · · Score: 4, Insightful

      The summary is wrong, and it should be mentioned, antivirus CAN hurt you. And it can make your system *more* vulnerable.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:But wait, there's more! by MobyDisk · · Score: 4, Informative

      You are correct. But those are the things that break applications. When I did consulting for small businesses in the 1990s and 2000s, the most common "hard" problem I found was antivirus software interfering with the system. I saw them silently block file shares, DHCP requests, email attachments, and CD burner applications, break SSL connections and backup software, even screw up the system time. The system cleaners constantly broke Microsoft Office. I would often uninstall the Symantec SuperDuper Network Security Pro that they paid a monthly subscription for, and install a cheap or even free antivirus package that had a simple daily scan.

      Windows Defender is exactly what we need. Block applications from injecting themselves into the startup and adding shell extensions, and scan files for viruses. If you want web protection, 90% of that can be gained with an ad blocker. Even if it breaks a few sites it can be easily disabled.

  3. Conflict of interest? by Anonymous Coward · · Score: 5, Insightful

    Guys from Virus Bulletin and SE Labs that make lots of money from companies that make commercial third-party anti-virus products recommend you buy commercial third-party anti-virus products? Of course.

  4. Architecture and Design by ytene · · Score: 3, Interesting

    This is a fabulously important question for us to look at.

    The answer is: because we continue to operate operating systems and software which are acutely vulnerable to malware - and because we refuse to learn from the lessons of past mistakes.

    A big part of the problem is that we've now had malware present in our lives for such a long period of time that there are professional developers and system designers working today who have never known a technology community without malware. Given this context, it is not entirely surprising that we have come to collectively accept this situation as a "given".

    The important thing that we need to remember is that it is entirely possible to design and produce a technology stack that is not vulnerable to malware. It's certainly not going to be easy, but it's also not impossible. So now the question becomes: how badly do we want it? The problem is, nobody is asking that question; there is no public discussion or debate.

    So the most widespread software in use today (the Microsoft Windows platform, Android, iOS, etc.) is not being designed in a way where the designers have been given a (design) brief or have been set design objectives with respect to the ability of that software to withstand malware.

    So we have logical partitioning and "containerisation" as third-party add-ons (which have to be paid for). We have come to accept this as "the norm". But just think for a moment about that situation in, say, motor vehicles. Imagine that cars and trucks were sold without brakes. Or without locks on the doors. Imagine that you had to buy your car and then somehow get it to a brake system specialist and pick and choose a reasonable set of brakes for your vehicle. Oh, and if you chose wrong and your car didn't stop and you rolled into someone - well, that's just your fault... Would that be acceptable to motorists today?

    Somehow I don't think so.

    So why should we be willing to accept and pay for incomplete, vulnerable and defective software - and then, having made a purchase (and if you want a copy of, say Windows 10 Pro for a new-build PC, then you are looking at hundreds of dollars), you need to go and spend a bunch more cash making that product secure.

    It's really easy to discuss this and fall into the trap of bashing Microsoft, Apple or Google for shipping vulnerable or incomplete software. But the truth is that we're responsible for this, not them. We're responsible, because enough of us are willing to just roll over and accept this situation. If we collectively pushed back hard enough, maybe used the law, maybe worked to overturn that horrible EULA "this software comes without any warranty, expressed or implied" schtick and had lawmakers push for tighter and more stringent controls, then maybe we'd get better software.

    Sadly, I can't see the market fixing this. If it were possible, it would have happened by now.

    1. Re:Architecture and Design by swillden · · Score: 4, Interesting

      The important thing that we need to remember is that it is entirely possible to design and produce a technology stack that is not vulnerable to malware.

      Is it, is it really? The fact that it has never, ever been done on any system of significant size or complexity argues strongly that you're wrong. Formal verification seems like the only path with real potential, but so far it is impossibly hard to do at scale.

      And then there's the issue that even if you had a system with zero vulnerabilities, that still doesn't make AV unnecessary. One of the hardest problems is how to handle software that does not exploit any vulnerabilities and uses only legitimate, reasonable APIs, but uses them in ways that may harm the user. The Android security team (of which I'm a member) doesn't use the term "malware", because it's too narrow. Instead we use "Potentially-Harmful Apps" (PHA) to include apps that don't qualify as malware in the traditional sense, but yet may do harmful things.

      Now, some of the abusive apps are able to be abusive only because of badly-designed Android APIs. For example, I don't think there's any reason even to have an API that allows apps to retrieve a user's whole contacts database. If an app legitimately needs contact information (say, to make a phone call), they should request a contact from a system API which presents the user with a picker to select the contact whose phone number they wish to provide, and only that number should be provided to the requesting app.

      But there are other cases in which the APIs are completely reasonable and needed, but still allow harmful things to be done when misused in certain ways. I'm not sure it is possible to prevent PHAs of that form by anything done in the operating system. There's lots of academic research on data tagging and tainting and other approaches, but it's really not clear that they can work without creating a painfully-unusable system.

      So I don't think it's possible to produce an operating system that is not vulnerable to malware. I'd love to be proven wrong, though, so by all means figure it out and publish about it! If you figure it out you'll get all sorts of academic rewards, and if you play it right you can easily make yourself stinking rich as well. Please do!

      BTW, regarding the claim in the summary that third-party AV tools on Android make sense, I disagree. Third-party tools simply can't have the visibility into the system needed to be really good without rooting, and rooting your device opens it to a raft of exploits. On a rooted device it's possible to disable SELinux, which instantly demolishes much of the compartmentalization of the system. No longer are 5-10 step exploit chains needed, one is enough in most cases.

      What does make sense is to enable the built-in AV tool, Verify Apps.

      Oh, while I'm posting about Android security, I'd like to take a moment to gloat that -- yet again -- Google's phone is undefeated in Mobile Pwn2Own, despite having (along with iPhone) the largest offered prizes.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Defender is poised to take over on Windows by Uteck · · Score: 3, Interesting

    The latest version of Windows Defender has an option to run it in sandbox mode, so even if it gets infected it can't spread.
    Other AV are becoming the targets of attacks and they do not have the deep links into the OS like Defender has, so their days are numbered.

    --
    no .sig found Please restart your browser.
  6. Re:CYA is the biggest reason by Kjella · · Score: 3, Insightful

    I cannot imagine the need for an antivirus on Linux. Either the code breaks into supervisor mode or it does not.

    Or it does not but can access all the logged in user's data and attached devices and whatnot. Neither Windows, Mac nor Linux is built around a hostile software model; if it's installed it's trusted. So if there's any breach in any software, they can install a cryptolocker and encrypt all your files or whatever. Sure, in theory you could set up a custom chroot jail/SELinux/AppArmor/cgroups setup per application but it's very far from easy. I'd like to be able to install a relatively untrusted closed source game and have it play in a sandbox. Like you can wipe my save games, rickroll me or whatever but you can't access my webcam or delete my family photos. That's the kind of security users want and I think that's where we're going when Apple or Google wants to topple Microsoft on the desktop.

    --
    Live today, because you never know what tomorrow brings
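One way to express the per-application sandbox described in the post above, as an added example that is not code from the post or from any real game: an AppArmor profile that lets a game read its install tree and write only its own save directory, while the webcam, the user's photos and the network are explicitly denied. The binary path, directory names and the set of included abstractions are assumptions; a real game would need whatever extra device and library access it actually uses.

```apparmor
# Constructed example: confine a hypothetical game installed at
# /opt/untrusted-game/game (path is an assumption, not a real package).
#include <tunables/global>

/opt/untrusted-game/game {
  # Shared libraries, locale data, /proc basics, etc.
  #include <abstractions/base>
  # Display and sound access a desktop game needs to run at all.
  #include <abstractions/X>
  #include <abstractions/audio>
  /dev/dri/card* rw,
  /dev/dri/renderD* rw,

  # The install tree is readable; only the main binary is executable
  # and it inherits this same profile (ix).
  /opt/untrusted-game/** r,
  /opt/untrusted-game/game ix,

  # Save games: the single writable location under $HOME.
  # Losing these is the accepted risk; everything else stays off limits.
  owner @{HOME}/.local/share/untrusted-game/ rw,
  owner @{HOME}/.local/share/untrusted-game/** rwk,

  # AppArmor is default-deny, so these rules are redundant for
  # enforcement; they exist so that attempts are logged (audit) and so
  # that no later allow rule can accidentally reopen them.
  audit deny @{HOME}/Pictures/** rwkl,
  audit deny @{HOME}/Documents/** rwkl,
  audit deny /dev/video[0-9]* rw,

  # An offline game has no reason to talk to the network.
  deny network,
}
```

Load it with `apparmor_parser -r` on the profile file and start in complain mode (`aa-complain`) to collect the access the game genuinely needs before switching to enforce mode.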
  7. Re:Or, just don't be stupid. by BringsApples · · Score: 3, Insightful

    Don't download from porn sites

    Pffft. You'll have better luck telling folks to not have actual sex with dirty people. Viri are going to spread via sexual desires - always.

    --
    Politics; n. : A religion whereby man is god.