The complex discussion around anti-virus software

2017-02-02

Does anti-virus make you more or less secure? It seems like an odd question to ask, but it’s an important one and the conversation around it has been growing more nuanced in the last year. On it’s face, and for someone not steeped in internet and network security discussions it seems like the answer would be simple. I probably wouldn’t be writing about it if it was a simple answer.

There are two major types of threat detection in modern anti-virus, signature matching, and heuristic pattern analysis. The first is a cut-and-dried system of looking for known malware (look at all data coming into a system and compare it against a database). The second is an art form, and difficult to do without getting false positives. You look for program or system behavior that seems suspicious and then stop it before it does any harm. The first is like having a picture of the villain, the second is like having a description of what a villain might be up to.

Modern computer operating systems are designed to help prevent the loss of your data to untrusted applications. We trust that when we visit our banking website that our PDF reader isn’t coming along for the ride and making copies of all our data to send off. So there are protections that prevent processes from messing with other processes, and security measures that keep your HTTPS traffic secure.

How can an anti-virus work if it can’t see your internet traffic, or read your files? Well it can’t. Which is why most anti-virus and security suites install tools that give them administrative level access and put hooks in the system that circumvent the security protection of your operating system. Generally if a program we installed did that it would get called a “root-kit” and be deemed harmful malware. However security suites and anti-virus tools are pretty much required to do this if they want to have any chance at being effective.

And therein lies the problem and the concern. You now have an application running with administrative privileges (aka “ring zero”, or “root”) and that application does its level best to see everything you do. What would happen if the programmers of that application didn’t do a very good job? What if, instead of catching vulnerabilities, installing that anti-virus software actually increased the number of vulnerabilities on your machine. Not only that, but any vulnerabilities in the anti-virus itself will give root access immediately.

Bruce Schneier is credited with the following security axiom: “Complexity is the enemy of security” The more complex a system is, the harder it is to secure. In the last year there has been a lot of discussion from industry professionals whether or not the security trade-off of a more complex system is worth the risk it entails.

From an attacker standpoint, security suites are rich targets. They’ve got low level access, a giant attack surface, and large user bases. There’s also been some evidence that, despite the security focus of their products, anti-virus developers aren’t much better at software programming than anyone else, from a security standpoint.

It’s a sticky topic, and in a corporate environment its a difficult conversation to have. If you’re in charge of security and something bad happens and you have security software installed everywhere you might get to shrug and pass the buck. If you don’t have security software installed and something bad happens you’re going to be answering some hard questions with people who probably aren’t prepared to have a nuanced opinion of security software.

I won’t be surprised if we continue to see recommendations to stop using anti-virus and security software. For the moment, at least, there’s not a clearly correct answer. You need to figure out what your threat model is and what the right solution for you is likely to be.

securityanti-virus

Krebs: House Passes Long-Sought Email Privacy Bill

Preparing for an Internet of Things with UniFi