Antivirus programs and the human factor
A substance with no real medicinal value sold as a remedy for all diseases.
The term comes from the 19th-century American practice of selling cure-all elixirs in traveling medicine shows. Snake oil salesmen would falsely claim that the potions would cure any ailments. Nowadays it refers to fake products.
We have seen the above statement in various blog posts over the years. Many writers have claimed that antivirus software causes more harm than good and that users should stay away from it to avoid risking their computer’s security.
This article aims to give some insider information from the antivirus industry. While there is indeed a grain of truth in what gets thrown around against us antivirus software makers, there’s also some key information that is missing from these well-meaning security articles.
It’s the missing bits that often define the conclusions. I urge you to learn more about the situation and then decide for yourself whether antivirus software is snake oil or an essential part of every computer system.
What is antivirus/anti-malware software supposed to do?
Protect from viruses, trojans, ransomware and all other sorts of malware, of course!
But wait, there is more to this seemingly banal answer. Let’s have a look at malware’s origins first.
How does malware get into my computer?
Online threats don’t just appear out of thin air. Nor are they an inevitability. It’s a misconception that we simply have to accept malware as an unavoidable part of our lives.
In reality, online threats are more like unwanted visitors to your home. Just like thieves, they will try to get into your home by different means, such as open windows or ventilation shafts on the side of the building, but the easiest way is still by knocking at the main door and convincing you to simply let them in or deceiving you to leave the house unprotected so they can sneak in during an unobserved moment.
What I’m trying to say here is:
It’s mostly the human element that makes computers unsafe, not the tech.
Nobody really wants to hear it, but humans do make mistakes. We always have and we always will, regardless of our level of knowledge or skill. It’s one of nature’s constants, and attackers know exactly how to use that fact to their advantage. Attackers expect that you:
Are not careful with your software updates and might miss installing patches for newly detected leaks. This allows attackers to get in and place a trojan or bot by using exploit code.
I would click a download button if is attractive enough and uses enticing (and false) information so they can install unwanted software that nags you with ads and pop-ups all day.
Are curious and might open an email attachment that looks like an invoice or a parcel delivery confirmation, but actually installs an encrypter that holds all your files for ransom.
I would click a link in an email if it looks like all the other emails you receive every day. The link might invite you to enter your most secret banking password, so they can clear your bank account.
Just click Next, Next, Next, without reading the installation dialogs carefully, so they can install adware bundles or system damagers (aka system tuners).
Are lazy and reuse your easy-to-remember passwords or don’t implement a strong anti-brute force policy on your remote desktop service, so they can run through the most likely password variations very quickly and steal your data or take over your machine.
Let’s take another look at what antivirus software is actually supposed to do:
Antivirus software is supposed to prevent you from making mistakes that can risk your computer’s security.
Which other protection measures are there?
Just a decade ago, antivirus was more or less the only way to keep your system safe. Today, we, fortunately, have multiple protection layers to prevent the worst case situation from happening:
In the early computing days on Windows, all software ran with the same (highest) privileges, which meant that basically any malicious script loaded from a website was able to completely access (and destroy) all your data. Today, default user permissions are mostly quite restricted and while still far from being perfectly implemented, those permission concepts changed the malware scene quite a lot. Downloaded programs typically need to be confirmed by you to be allowed to run.
The fact remains: permission systems are typically complex and therefore often contain leaks, too.
Many of us remember the early 2000s when new major flaws in Windows and its Internet Explorer browser were detected on a monthly base. Each of them was followed by a series of worm malware that used the newly detected leaks to fool you with infections. While security leaks are still being found in software and hardware today, the industry has learned to deal with them much more professionally to limit their potential impact. Windows and other software updates are now done automatically in the background so the unprotected time gap is smaller, leaving less opportunity for attacks.
However, computer code is never perfect and not all leaks are reported to the software vendors to help them fix their code. Some are traded on the black market for enormous amounts of money.
Modern browsers are doing a great job of keeping website scripts far away from the data stored on your computer. The technology to separate stuff safely is called sandboxing and is mostly safe, considering there are no built-in leaks to exploit in the sandbox code itself.
Conceptual weaknesses of antivirus software
It’s no surprise that some security experts call antivirus software dangerous because it can be. Here is why:
The “privileges” problem
Antivirus software needs to run on the operating system with the highest privileges so it can monitor and scan the entire system with all its installed programs, and not just the user data. There is simply no feasible way to build a powerful antivirus without getting access to the stuff it is supposed to protect.
But running with the highest privileges also means that any bug in the software can be fatal in terms of security, especially when it allows attackers to misuse the antivirus to get into the system.
So the statement that antivirus can make the system unsafe is technically correct. But here it is important to note that the same thing applies to each and every bit of software that you install on your computer with administrator permissions. This includes every hardware and software driver that you install and every other system near a tool that runs in the background.
As I’m writing this article, my Task Manager shows 221 active processes, of which 111 are running with system-wide permissions. Only one of them is the Emsisoft Anti-Malware protection service process. But the other 110 are at least as dangerous for your security as the protection service.
While that isn’t an excuse for writing bad code, we have to acknowledge that the chances of one of your hardware drivers containing a leak (or even an intentional rootkit or backdoor) is at least as likely as your antivirus software containing one.
The truth is, there are potential leaks in all software – history has clearly taught us that lesson. There are leaks in the operating system, in antivirus, and also in other drivers and tools that are running with high privileges.
When a leak is found, the best we all can do is get it fixed as quickly as possible.
The “SSL/TLS inspection” problem
About half of the internet’s websites are already served via a secure, encrypted communication protocol called TLS (and its better-known predecessor SSL). You can tell an encrypted website by the “https” (note the “s”) at the start of a website address.
While SSL is generally appreciated by everyone, it does pose an interesting problem for some antivirus vendors, as many products rely on deep inspection of website traffic to check for threats. As SSL traffic is encrypted between the browser and the webserver, it’s technically impossible to scan website content unless the antivirus installs a local SSL proxy that simulates the real security certificates of websites. However, this is a very dangerous way of using the technology, as things can go wrong – worst case scenario, it could deceive a user into believing a website is safely encrypted when in fact it’s not.
But deep traffic inspection is not the only way to protect from dangerous websites, so this problem does not apply to all antivirus products.
For example, Emsisoft proves that surf protection can be done without trashing the SSL security concept. DNS based filtering is the way to go, if you’re worried about your SSL security.
The “incompatibilities” problem
Advanced protection technologies like behavior blocking require antivirus software to reside between the operating system layer and the user programs layer. The problem here is that Windows originally was not really designed to allow security software to position themselves in there as nobody back then envisioned antivirus ever becoming more sophisticated than simple fingerprint-style file scanning.
So, developers had to be creative and use undocumented Windows interfaces and so called ‘dirty’ code. It got the job done, but it was far from best and safe coding practice.
This often led (and occasionally still leads) to incompatibilities between programs, resulting in conflicting security concepts (especially with sandbox technology), or even program- and system-crashes.
Fortunately, Microsoft and other software vendors acknowledged those problems and started to provide solid and standardized interfaces to build advanced antivirus technology. The introduction of a new filter driver platform in Windows Vista was a big relief for the entire industry and enabled much more robust and compatible antivirus technology.
Is antivirus now useless or what?
Let me take my marketing hat off for a moment and switch to my logician hat instead. Of course I can’t deny that I make my living off creating antivirus software here. But if making money was my primary objective, I would rather join the dark side and create malware. Honestly, malware just has (unfortunately) a far better business model!
I have dedicated more than half of my life to what I still believe is most important when it comes to using computers: allowing people to use them safely.
If antivirus was obsolete, why are there so many threats being found?
Our malware scanner finds millions of dangerous files and our real-time protection blocks millions of attacks every year. There is no doubt about the effectiveness of antivirus/anti-malware software. As one of our resellers put it:
We have sold hundreds if not thousands of copies of Emsisoft through our retail business. I have to say Emsisoft works so well that I feel like it may be hurting our repair business. – David Gentry, Lantean Systems LLC, USA
Statements like that are confirmation for us that time and money spent on antivirus/anti-malware software isn’t wasted. We don’t just detect malware for the sake of detection and creating a good feeling with customers; we are, in fact, preventing bad things from happening – every day.
Security isn’t an absolute thing – it’s a balance of risks
One thing that I’ve learned in the security industry is that many people tend to see only black and white, but nothing in between. They see an individual security leak in one specific program and immediately come to the conclusion that all such programs must be bad.
Often there is no clear right or wrong though, especially when it comes to extremely complex systems and concepts. It always depends on individual expectations and levels of acceptable risks.
If you are one of the few true computing experts who can safely say that they can avoid all potential threats by using their knowledge and skills, you may not need antivirus software. The trade-offs for potential leaks in the software may be higher than the risk that you may actually get an infection.
But if you didn’t spend the last 20 years learning about operating system architecture and security concepts, you may find that the risk of making a human-typical mistake is much greater than the risk of your antivirus becoming the victim of an attack itself.
The average Emsisoft Anti-Malware user get saved from attacks several times a year – attacks that would have otherwise most likely been fatal for the computer. Our users are also protected against potentially unwanted programs (PUPs), which may not even fall into the ‘threat’ category from a security perspective.
The best balance of risks for you as an individual is ultimately your decision.
Would the world be a better place without antivirus software?
I personally will see my big mission completed when the day comes that we don’t need antivirus software anymore. In an ideal world, we could rely on computer architecture that was safe by design and prevents all potential human error, but unfortunately, that doesn’t exist yet.
As long as the software is written by humans and computers are used by humans, there will probably also be security leaks that we have to fight.
Until then, we will continue our journey and try to provide the best possible answers to ransomware, trojans, viruses, unwanted programs and all other types of malware, so you can enjoy spending time online without worrying about security.