Friday, 27 January 2017

Anti-virus is worthless

I get a kick out of reading reactions by the anti-virus industry, rose-coloured glasses views from academia, or anecdotes from those who work in the IT industry whenever someone writes a constructive criticism of anti-virus solutions.

Let me put it out there before I go any further: Robert O'Callahan is correct when he says that you should disable your anti-virus solution, unless it came with your operating system as it does in Windows 10. And for disclosure here: I did briefly work for an anti-virus vendor.

Whenever someone argues that anti-virus does not provide the value it claims to, you are bound to get the following reactions from the groups I mentioned above:

  • [Insert testing programme here] has given [AV product] the best detection rate in the industry for [year]!
  • I use [AV product] and I have never gotten malware.
  • [Software vendors] should open up their APIs to make anti-virus much easier to work with.
  • The anti-virus industry creates the malware.
  • If you went without anti-virus for [period of time] you'll eventually catch malware!
I could go on and on about these reactions, but I think this well summarizes the absent-mindedness of certain pro-anti-virus people:

It's obvious which light bulb a sane person would choose.

Tavis Ormandy has demonstrated extremely well through Google's Project Zero initiative (and before that with Sophail) that anti-virus applications have ticking time bombs sitting within their suites. Remote file retrieval, installation of shady remote access tools, improper sandboxing, Node.JS debuggers, and permitting possible collisions in SSL certificates are just a sampling of the nearly five dozen vulnerabilities discovered by one single human being.

That is just what is being published in the open. If you are aware of an anti-virus vulnerability, Zerodium will pay for remote code execution attacks. There have been suggestions that they go for at least $20,000 to $50,000 USD.

So let's pretend for now that the problem of anti-virus typically being poorly coded simply doesn't exist: is it still worth using?

The commonly forgotten trait of anti-virus is that it either has to predict the malware's existence through heuristics or it has to have knowledge of the malware's past artifacts via signatures. Both approaches require teams of people to write the protections, while those people remain mindful that for every detection they add, they could be missing a thousand others. The dirty secret that the AV industry really hates to talk about is that this approach simply cannot scale.

The way the majority of the anti-virus industry has chosen to deflect this is to add more value to their products by redefining themselves as "endpoint solutions". In the past decade, we've seen features like application whitelisting, web content filtering, and physical device control added in order to make the product seem more useful than if it were simply doing AV.

Another angle is to come out with outlandish claims that your product can detect everything using some new, obscure method that nobody else in the industry has come up with.

This is sort of the approach that Cylance has taken: they claim that their magic algorithm can stop malware even if they haven't seen it before. Unfortunately, there are lots of anecdotes that their product has an extremely high false positive rate, which sort of makes sense if they can "predict" future malware: detect anything and everything without pause.

However, testing their product and being open about your experience with it is difficult, because they require an NDA to get a proof of concept demonstration going in an enterprise environment. In one instance, a friend of mine was demonstrating it, posted about it on an open forum, and apparently Cylance responded negatively, citing the agreement.

This job posting by them reveals a lot however:

I guess all of these contractual restrictions make sense, seeing that the engine is likely coded in C#, as suggested in this job posting. The whole anti-virus industry relies on obfuscation of its practices, and that is done either by being closed source (which is really all of them) or by stipulating in a contract that nobody can actually poke around.

No vendor has a better approach than any other; they're all the same. You either have it never firing on actual malware or have it firing on everything as if it were Chicken Little.
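To make the two points above concrete (signatures only know what analysts have already seen, and a heuristic threshold only trades misses for false alarms), here is a toy scanner written for this post as an added illustration. It is not code from any vendor's engine. The "files" are constructed byte strings standing in for program contents, the indicator list and weights are made up, and the corpus labels are assigned by hand:

```python
"""Toy scanner contrasting signature matching with heuristic scoring.

Constructed for illustration only: the byte strings below stand in for file
contents and contain no real code; the indicators and weights are invented.
"""
import hashlib
import re

# Constructed corpus, labelled by hand the way an analyst would label it.
KNOWN_MALWARE = b"MZ... connect(c2.invalid) ; persist: HKCU\\Run ; pack: upx"
VARIANT = KNOWN_MALWARE.replace(b"upx", b"upX")  # differs by a single byte
BENIGN_INSTALLER = b"MZ... persist: HKCU\\Run ; downloads updates from vendor.invalid"
BENIGN_REMOTE_ADMIN = b"MZ... connect(support.vendor.invalid) ; persist: HKCU\\Run ; pack: upx"
BENIGN_DOC = b"Quarterly report text, nothing executable here."

CORPUS = [
    (KNOWN_MALWARE, True),
    (VARIANT, True),
    (BENIGN_INSTALLER, False),
    (BENIGN_REMOTE_ADMIN, False),
    (BENIGN_DOC, False),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature approach: an exact fingerprint of each sample analysts have seen.
# Every new variant needs a new entry, which is the scaling problem.
SIGNATURE_DB = {sha256_hex(KNOWN_MALWARE): "Trojan.Constructed.A"}


def signature_scan(data: bytes):
    """Return the signature name on an exact match, otherwise None."""
    return SIGNATURE_DB.get(sha256_hex(data))


def signature_misses() -> int:
    """Malicious samples in the corpus that the signature database misses."""
    return sum(1 for data, mal in CORPUS if mal and signature_scan(data) is None)


# Heuristic approach: weighted behavioural indicators summed into a score.
INDICATORS = [
    (re.compile(rb"HKCU\\Run"), 2, "autorun persistence"),
    (re.compile(rb"connect\("), 2, "outbound connection"),
    (re.compile(rb"pack: "), 1, "packed executable"),
    (re.compile(rb"downloads"), 1, "downloader"),
]


def heuristic_score(data: bytes):
    """Return (score, list of indicator labels that matched)."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(data):
            score += weight
            reasons.append(label)
    return score, reasons


def heuristic_scan(data: bytes, threshold: int) -> bool:
    return heuristic_score(data)[0] >= threshold


def evaluate(threshold: int):
    """Return (misses, false_alarms) for the heuristic at a given threshold."""
    misses = false_alarms = 0
    for data, is_malicious in CORPUS:
        flagged = heuristic_scan(data, threshold)
        if is_malicious and not flagged:
            misses += 1
        if flagged and not is_malicious:
            false_alarms += 1
    return misses, false_alarms


if __name__ == "__main__":
    print("signature on known sample:", signature_scan(KNOWN_MALWARE))
    print("signature on variant:     ", signature_scan(VARIANT))
    for t in (2, 4, 6):
        print(f"heuristic threshold {t}: (misses, false alarms) = {evaluate(t)}")
```

The hash signature catches the sample it was written for and nothing else, so the single-byte variant walks past it until an analyst adds a second entry. The heuristic has no threshold that works: the constructed remote-administration tool scores exactly the same as the malware, so a threshold low enough to catch the malware also flags legitimate software, and one high enough to spare the legitimate software misses everything.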

So let's make some useful suggestions here on how to actually protect your computer:
  1. Use the anti-virus your operating system provides. If it doesn't have one, don't install one. If it doesn't have one already, it's likely either a Mac, you run Linux, or your Compaq from 2005 needs to be replaced with something running Windows 10.
  2. Keep the operating system up to date. If Windows 10 rebooting on you is so inconvenient, you're a lost cause; the most recent update lets you defer it for up to a month, by the way.
  3. Install ad blockers and use something other than Internet Explorer or Edge, such as Chrome, which sandboxes things fairly well.
  4. Don't follow random guides on the Internet to allow you to make changes to your system that somehow make things go "faster". More often than not they're done by people who don't know what they're doing.
  5. Don't use pirated software or pirate any content. Netflix is cheap, Spotify is free if you tolerate ads, and honestly there are tonnes of open source solutions for whatever you need to do.
Don't waste your money or bandwidth on an anti-virus solution that will just create more holes.

Anti-virus is worthless.