SE Labs

Posts tagged 'insecure security products'

Developer claims anti-virus does not improve security


Anti-virus is bad, dead (again) and worse, its corpse is poisoning the ecosystem of good software.

There is, according to former Mozilla developer Robert O’Callahan, negligible evidence that anti-malware software produced by third-parties provides any additional security. His arguments have spread from his blog to Twitter and then to IT news websites like IT Pro and The Register.

We test anti-malware software and have, as a team, been doing so for years. We think we have plenty of strong evidence that third-party anti-malware software provides improved security over that which comes with Windows by default. Our enterprise, small business and consumer reports are free to download.

There is no doubt that updating your operating system makes it more secure. We’ve run tests to prove that this oft-quoted advice is based on real, reproducible data. But what we’ve also seen is that adding a decent anti-virus package to a good patching schedule raises protection levels even higher.

There is a difference


To say that all anti-virus software is equally (in)effective is just plain wrong, and there are plenty of results from different testing labs that show this. You may not trust all of those labs, and you may have problems with some (or all) of the ways that they test, but I would strongly suggest that we can’t all be wrong.

Our position on the Microsoft anti-malware included with Windows is that it is far better than it used to be, but that some commercial third-party packages are consistently stronger.

Why do people bash ‘anti-virus’ all the time?

Different individuals and companies have axes to grind when it comes to anti-virus or, to use a more modern and appropriate term, ‘anti-malware’ software.

  • New anti-malware vendors sometimes disparage more established vendors as offering less sophisticated products, as a marketing tactic.
  • Windows developers at Microsoft don’t like the perception (which is sometimes the truth) that anti-malware products slow down Windows. When a user has a bad Windows experience, for whatever reason, Microsoft feels the impact.
  • Other developers hate that anti-malware products embed themselves into Windows in sometimes strange and unusual ways, causing potential havoc with their own efforts and possibly introducing new and powerful security vulnerabilities. Anti-malware vendors argue that they need to do this to prevent particularly nasty threats from digging in at the lowest security levels within the operating system.
  • Users who have never (knowingly) suffered a malware attack often question the very necessity for anti-malware.
  • Some testers/researchers make it their life’s mission to discover technical problems with anti-malware, sometimes apparently taking the position that “anti-malware is bad for you,” rather than, “you need it, it’s a bit broken but here’s how to fix it.”

So is anti-virus the ultimate solution?


I have never seen a perfect anti-malware product, in terms of the protection that it offers, the performance impact that it has and the additional attack surface that it exposes. But nor have I encountered a perfect operating system, browser or user.

We can throw away our anti-malware software when our operating systems are fully secure; when we, as users, stop clicking on links to malware; and when criminals and other ‘agencies’ stop attacking our computers en masse.

The Great Anti-Virus Conspiracy

One problem with the internet is that anyone can set themselves up as an expert. There’s money to be made from convenient messages. Examples abound in nutrition and health, as well as many other areas.

Despite widespread public ridicule, such sites thrive and make their owners rich because they play into what people already believe. The tendency being exploited is called confirmation bias, and it can even exert enough power over us to compromise the online safety of entire nations. 

Take this post from the Above Top Secret forum from 2008. The author began with the hunch that the biggest beneficiaries of malware are the anti-virus (AV) companies themselves. However, Google only returned stories explaining why this view was incorrect. This raised the author’s suspicions. Did anyone else have any information?

The ensuing nine pages of comments were a tour de force of ideas, theories and claims, but a recurring theme was distrust. Many commenters simply don’t trust what they don’t understand, and they don’t understand computers or AV. 

It took a few seconds to find similar examples from other forums, some dating back to 2005 and even 2002. There are many more and they usually cover the same ideas, but a common theme is still distrust. Compounding this, some commenters vaguely remember something about John McAfee once claiming to have written viruses to create demand for his first AV product, which of course proves everything.

That was a decade or more ago, but with phishing and ransomware now firmly in the public eye, the benefit of online protection will be obvious, right? Not necessarily.

In August 2016, the Daily Mail reported that some AV products can fail to adequately secure your computer. The research being reported actually identified the potential for man-in-the-middle certificate attacks. It’s something our own Simon Edwards wrote about in a more general context on his own blog over 18 months earlier.

As usual, the comment section of the Daily Mail’s report was far more revealing than the article itself.

Perhaps what’s most disturbing is that despite living in a world now publicly trying to cope with a grand cybercrime epidemic, such uninformed views are so mainstream. There’s even a certain pride to some of them.

The McAfee virus-writing story is also still doing the rounds. Mr McAfee hasn’t helped matters by claiming to have planted keyloggers in laptops he then gave away to government officials in Belize. But did he really write malware to create demand for his own AV software?

In March 2014, McAfee went on the Alex Jones show to talk conspiracies (what else?). A caller asked if he was indeed responsible for writing early malware. Despite Jones talking over portions of his answer, this was the nub of his reply:

There were at the time thousands of computer viruses, he said. We could barely keep up with the viruses that were out there, so we certainly had no time to build new ones. It would just be a senseless thing to do. So I can categorically say, and you can talk to any of the McAfee employees that were there at the time, that thought never crossed anyone’s mind.

Indeed, in his book Computer Viruses and Malware, John Aycock of the University of Calgary in Canada also points out that if AV companies really are writing malware and yet simultaneously failing to detect some of it, then what’s the point in all that effort being expended for zero gain? 

So, how do you protect the distrustful, the misinformed, and even the downright cynical online? One solution is to do it automatically, but this demands that governments, their intelligence agencies, and the ISPs become involved in actively blocking malicious content. Public reaction to any such suggestion is predictably very bad.

When GCHQ recently proposed their DNS filtering technology to block malicious domains, there was instant outrage. The Guardian, which broke the Edward Snowden story, has little love for the Cheltenham Doughnut, and was predictably upset. As usual, it’s the public’s comments that are really interesting. 

So, we’re at an impasse. Despite their poor reputations, governments and the intelligence agencies they run are the only entities with the authority and capabilities to attempt to protect entire nations online. However, the tools they use are by their very nature shadowy, double-edged and closed to scrutiny. The public at large worries that policing cyberspace means the erosion of freedom and privacy. Nothing will convince us that this isn’t the start of a dictatorship or a new world order. Too much evidence of past lies and misdeeds confirms this deep-seated bias.

If the public won’t listen to the government, who will it listen to? Who is it listening to?

Something about the caller who asked John McAfee if he wrote early viruses keeps coming back to me. He seemed to remember being told something by some old OSS guy. This idea of an unnamed source vaguely remembered is a common feature of discussions where facts are scarce and conjecture runs free. It’s a feature of the threads I referenced above.

That being the case, maybe it’s down to us, as infosec professionals, to be those sources in future. Maybe it’s down to us to engage friends and family, to explain how cybercrime works, how it relies on them not protecting themselves, and what to do about it.

But then again, I would say that wouldn’t I. 😉

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.