Why is Antivirus Software Still a Thing?

Antivirus has been around for more than 20 years. But do you still need it to protect yourself today? From a report: In general, you probably do. But there are caveats. If you are worried about your iPhone, there's actually no real antivirus software for it, and iOS is engineered to make it extremely difficult for hackers to attack users, especially at scale. In the case of Apple's computers, which run MacOS, there are fewer antiviruses, but given that the threat of malware on Mac is increasing ever so slightly, it can't hurt to run an AV on it. If you have an Android phone, on the other hand, an antivirus does not hurt -- especially because there have been several cases of malicious apps available on the Google Play Store. So, on Android, an antivirus will help you, according to Martijn Grooten, the editor of trade magazine Virus Bulletin.

When it comes to computers running Windows, Grooten still thinks you should use an AV. "What antivirus is especially good at is making decisions for you," Grooten told Motherboard, arguing that if you open attachments, click on links, and perhaps you're not too technically savvy, it's good to have an antivirus that can prevent the mistakes you may make in those situations. For Grooten and Simon Edwards, the founder of SE Labs, a company that tests and ranks antivirus software, despite the fact that Windows' own antivirus -- called Defender -- is a good alternative, it's still worth getting a third-party one. "Even if [Defender] wasn't the best and it isn't the best, it's is still a lot better than having nothing," Edwards told Motherboard. Yet, "we do see a benefit in having paid for AV product."

Conflict of interest?

Guys from Virus Bulletin and SE Labs that make lots of money from companies that make commercial third-party anti-virus products recommend you buy commercial third-party anti-virus products? Of course.

Re: But wait, there's more!

[phantomfive]

The summary is wrong, and it should be mentioned, antivirus CAN hurt you. And it can make your system *more* vulnerable.

Re:No.

[nine-times]

I agree up to a point. For most personal users doing normal things, it's worth having one very lightweight AV that will catch obvious and egregious malware, and Defender fits the bill for that. I don't recommend a lot of the 3rd party stuff. Some of it's fine, but a lot of it is more trouble than it's worth, especially if you don't understand it.

However, for businesses, you should get something in addition to Defender, if only to get a centralized console that the IT people can use to monitor and configure the AV. Further, some of the "next gen" antivirus products are good for monitoring behavior and flagging things that may be of concern. Unfortunately, those new technologies tend to require some babysitting, so it's not necessarily great for individual use.

Re:But wait, there's more!

[MobyDisk]

You are correct. But those are the things that break applications. When I did consulting for small businesses in 1990's and 2000's, the most common "hard" problem I found was antivirus software interfering with the system. I saw them silently block file shares, DHCP requests, email attachments, and CD burner applications, break SSL connections and backup software, even screw-up the system time. The system cleaners constantly broke Microsoft office. I would often uninstall the Symantec SuperDuper Network Security Pro that they paid a monthly subscription for, and install a cheap or even free antivirus package that had a simple daily scan.

Windows Defender is exactly what we need. Block applications from injecting themselves into the startup and adding shell extensions, and scan files for viruses. If you want web protection, 90% of that can be gained with an ad blocker. Even if it breaks a few sites it can be easily disabled.

Re:Architecture and Design

[swillden]

The important thing that we need to remember is that it is entirely possible to design and produce a technology stack that is not vulnerable to malware.

Is it, is it really? The fact that it has never, ever been done on any system of significant size or complexity argues strongly that you're wrong. Formal verification seems like the only path with real potential, but so far it is impossibly hard to do at scale.

And then there's the issue that even if you had a system with zero vulnerabilities, that still doesn't make AV unnecessary. One of the hardest problems is how to handle software that does not exploit any vulnerabilities and uses only legitimate, reasonable APIs, but uses them in ways that may harm the user. The Android security team (of which I'm a member) doesn't use the term "malware", because it's too narrow. Instead we use "Potentially-Harmful Apps" (PHA) to include apps that don't qualify as malware in the traditional sense, but yet may do harmful things.

Now, some of the abusive apps are able to be abusive only because of badly-designed Android APIs. For example, I don't think there's any reason even to have an API that allows apps to retrieve a user's whole contacts database. If an app legitimately needs contact information (say, to make a phone call), they should request a contact from a system API which presents the user with a picker to select the contact whose phone number they wish to provide, and only that number should be provided to the requesting app.

But there are other cases in which the APIs are completely reasonable and needed, but still allow harmful things to be done when misused in certain ways. I'm not sure it is possible to prevent PHAs of that form by anything done in the operating system. There's lots of academic research on data tagging and tainting and other approaches, but it's really not clear that they can work without creating a painfully-unusable system.

So I don't think it's possible to produce an operating system that is not vulnerable to malware. I'd love to be proven wrong, though, so by all means figure it out and publish about it! If you figure it out you'll get all sorts of academic rewards, and if you play it right you can easily make yourself stinking rich as well. Please do!

BTW, regarding the claim in the summary that third-party AV tools on Android make sense, I disagree. Third-party tools simply can't have the visibility into the system needed to be really good without rooting, and rooting your device opens it to a raft of exploits. On a rooted device it's possible to disable SELinux, which instantly demolishes much of the compartmentalization of the system. No longer are 5-10 step exploit chains needed, one is enough in most cases.

What does make sense is to enable the built-in AV tool, Verify Apps.

Oh, while I'm posting about Android security, I'd like to take a moment to gloat that -- yet again -- Google's phone is undefeated in Moble Pwn2own, despite having (along with iPhone) the largest offered prizes.