It might be time to stop using antivirus

[Krazychic 3,311]

 

Former Firefox developer Robert O'Callahan, now a free agent and safe from the PR tentacles of his corporate overlord, says that antivirus software is terrible, AV vendors are terrible, and that you should uninstall your antivirus software immediately—unless you use Microsoft's Windows Defender, which is apparently okay.

 

Spoiler

A couple of months back, Justin Schuh, Google Chrome's security chief, and indeed one of the world's top infosec bods, said that antivirus software is "my single biggest impediment to shipping a secure browser." Further down the thread he explains that meddling AV software delayed Win32 Flash sandboxing "for over a year" and that further sandboxing efforts are still on hold due to AV. The man-in-the-middle nature of antivirus also causes a stream of TLS (transport layer security) errors, says Schuh, which in turn breaks some elements of HTTPS/HSTS.

 

These are just two recent instances of browser makers being increasingly upset with antivirus software. Back in 2012, Nicholas Nethercote, another Mozillian working on Firefox's MemShrink project said that "McAfee is killing us." In that case, Nethercote was trying to reduce the memory footprint of Firefox, and found that gnarly browser add-ons like McAfee were consuming a huge amount of memory, amongst other things. If you venture off-piste into the browser mailing lists, anti-antivirus sentiment has bubbled away just below the surface for a very long time.

 

The problem, from the perspective of the browser makers, is that antivirus software is incredibly invasive. Antivirus, in an attempt to catch viruses before they can infect your system, forcibly hooks itself into other pieces of software on your computer, such as your browser, word processor, or even the OS kernel. O'Callahan gives one particularly egregious example: "Back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes." ASLR, or address-space layout randomisation, is one of the better protections against buffer overflow exploits.

 

Furthermore, because of the aforementioned knotweed-style rhizomes of antivirus programs, the AV software itself presents a very large attack surface. As in, without AV installed, a hacker might have to find a vulnerability in the browser or operating system—but if there's AV present, the hacker can also look for a vulnerability there. This wouldn't necessarily be a problem if AV makers made secure software, but for the most part they don't (except for Windows Defender, because Microsoft is "generally competent," according to O'Callahan).

 

Back in June last year, Google's Project Zero found 25 high-severity bugs in Symantec/Norton security products. "These vulnerabilities are as bad as it gets," said Tavis Ormandy, a Project Zero researcher. "They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption." Over the past five years, Ormandy has found similar vulnerabilities in security software from Kaspersky, McAfee, Eset, Comodo, Trend Micro, and others.

 

All this isn't to say that you (or your parents) shouldn't use antivirus software, but you should certainly be aware that using antivirus software doesn't necessarily make your computer any more secure. In some cases, AV might make your computer less secure, and cause a deleterious effect on system performance—and, if you believe the browser makers, the continuing popularity of AV software might have a gnarly knock-on effect on other developers, too.

 

The nail in the coffin, according to O'Callahan, is that software vendors rarely speak out about antivirus issues "because they need cooperation from the AV vendors." He then links to a mailing list thread in 2012, where he suggests keeping a list of the AV software that interferes with Firefox. Later in the thread, Mozilla PR swoops in and tells him to knock it off.

 

Antivirus software is so ingrained with Windows users, and synonymous with the concept of "good security," that software makers have their hands tied. "When your product crashes on startup due to AV interference, users blame your product, not AV," O'Callahan says. "Worse still, if they make your product incredibly slow and bloated, users just think that's how your product is ... You can't tell users to turn off AV software because if anything bad were to happen that the AV software might have prevented, you'll catch the blame."

 

As always, irrespective of whether you decide to use AV, regularly updating your OS and software is one of the best ways to keep your computer safe. This also means that you should stop using Windows 7 or 8 and update to Windows 10.

 

When it comes to keeping your personal data safe, the problem is a little more complex: all of the sandboxing and antimalware software in the world won't save you from a well-executed phishing attack, or if a database that contains your details is breached. For that, you should use unique passwords, a physical security key where possible, and generally be very wary of offering up any kind of personally identifiable data.

 

Source

[WaeV 5,049]

Many third-party AV clients cause more problems than they solve.

 

Panda Antivirus Flags Itself As Malware, Bricks PCs

Remote stack buffer overflow in Norton Antivirus, other Symantec products; trivially exploitable

Comodo Antivirus Forwards Emulated API calls to the Real API during scans; runs code with SYSTEM privileges

 

Use Defender and be done with it.

[Solaris 3,581]

Lots of weird stuff going on around this sphere...

 

Kaspersky Lab’s top investigator reportedly arrested in treason probe

[Skeezix the Cat 3,089]

I on occasion will run a malwarebytes, spybot and combofix run if I feel like I should.  I've recently started allowing Defender to be activated and update so I'll probably use it.

[WaeV 5,049]

Malwarebytes is one I've only had good experiences with. I especially like their tool "Hijack This!"; great for getting rid of stubborn malware.

[Pra3tor1an 1,234]

I haven't used AV for quite some time.

[Takka 13,376]

I've never run into a need for one, as I don't do anything sketchy. I've tried Malwarebytes a few times after being without any AV for 2 or more years and never found anything.

[Kavawuvi 7,026]

I like MalwareBytes as well.

 

Antimalware should be unintrusive and left as a background task. There are only a few times where it should ever display anything to the user:

• When it's being used to manually run a scan, the user may want to know the progress of the scan and that everything is all right. If a scan is automated, no result or indication should be displayed outside of changing the icon on the taskbar unless malware has been detected.
• During configuration, the user will need a graphics user interface. I prefer a minimalistic, but functional GUI.
• When it detects a file or website the user is trying to open that has tripped the antimalware service, the user should be made aware why it was triggered and should be given the option to either override the protection (temporarily or permanently) or cancel.
• An icon on the taskbar should be present so the user can interact with the active antimalware program without having to find and run the executable, but the user should be given the option to hide it using Windows's Notification Area settings.

[WaeV 5,049]

As shitty as the state of digital security is these days, we still have come a long way.

 

Every now and then I think back to how Windows XP got its system updates through the goddamn web browser.

 

But then I remember that Windows 9x didn't get updates at all. Except via CD release maybe.

 

Ironically, it was sometimes easy to tell if you were infected with a virus back in the day. Windows still supported 16-bit disk drivers, which were a popular target for malware. But if you got infected your hard drive would sloooooowwwww dowwwwwwn so it was really obvious. These days you'd be hard-pressed to find malware that's trying to hide.

 

Our security is getting better over time, but there are billions more computers these days. I think that makes the problems compound more.