IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Is antivirus bad for security?

Browser developers suggest antivirus isn't helping with security

free security software

Is it time to ditch antivirus? With near-constant serious attacks and the threat of hackers targeting your business or personal accounts, it may seem an obvious answer: of course not.

But an ongoing debate about the value of antivirus suggests that the answer may not be so simple to some.

Robert O'Callahan is a former Mozilla developer and in a blog post spotted by The Register he lays out the case against antivirus software, saying: "antivirus software vendors are terrible; don't buy antivirus software, and [un-ininstall] it if you already have it (except, on Windows, for Microsoft's)."

He does stress that for this to hold true your operating system needs to be up-to-date. "If you're on Windows 7 or, God forbid, Windows XP, third-party [antivirus] software might make you slightly less doomed."

Here's his argument against antivirus: O'Callahan says there's little evidence that it offers a real improvement in security, and it at times actually features bugs leaving users at risk he pointed to the vulnerabilities spotted by Google's Project Zero as evidence. "These bugs indicate that not only do these products open many attack vectors, but in general their developers do not follow standard security practices," he said, noting that Microsoft's developers are "generally competent".

On top of that, he argues that antivirus products "poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security." In particular, he mention ASLR which is address space layout randomisation, a feature that helps protect against a specific type of attack called buffer overflowsaying antivirus software often broke it in Firefox for Windows.

His view was backed by Tweets from Justin Schuh, a security developer working on Google Chrome saying "worthless" antivirus code delayed a series of useful protective features and introduced vulnerabilities for users. "I expect it's possible to make an [antivirus] that isn't more harm than good, but none of you are even trying," he concluded.

Better solution?

Simon Edwards, founder of SE Labs, disagrees, arguingthat his antivirus testing lab shows that some antivirus is more effective than others and Microsoft's isn't the best. "You may not trust all of them, and you may have problems with some or all of the ways that they test, but I would suggest that they can't all be wrong," he said. "Our position on the Microsoft anti-malware included with Windows is that it is far better than it used to be, but that commercial third-party packages are consistently stronger."

That said, he said that there may well be good reasons to dislike antivirus, or "anti-malware" software, which he argues is a more appropriate term. While for some, disparaging established antivirus firms is a marketing tool, others will dislike the way such products "embed themselves into Windows in sometimes strange and unusual ways, causing potential havoc with their own efforts and potentially introducing new security vulnerabilities," he said.

But rather than argue wholly against antivirus, he'd prefer a different tactic. "Some testers make it their life's mission to discover technical problems with anti-malware, sometimes apparently taking the position that 'anti-malware is bad for you,' rather than, 'you need it, it's a bit broken but here's how to fix it'," he said.

What should you do?

Independent security analyst Graham Cluley said the "vast majority" of people should stick with antivirus.

"That doesn't mean that anti-virus software is perfect, or that it hasn't sometimes contained its own flaws and vulnerabilities," he said. "But the typical user is much much more likely to be protected by antivirus software than find themselves targeted by a sophisticated attack which exploits a flaw in the security software."

Edwards agreed, and said O'Callahan was right to focus on OS updates."There is no doubt that updating your operating system makes it more secure. We've run tests to prove that this oft-quoted advice is based on real, reproducible data," he said. "But what we've also seen is that adding a decent antivirus package to a good patching schedule raises protection levels even higher."

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Microsoft Defender review: Effective, effortless protection for zero cost
antivirus

Microsoft Defender review: Effective, effortless protection for zero cost

3 Dec 2021
RATDispenser evades nine in ten anti-virus engines
Security

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021
US government warns of increased risk of ransomware over holiday season
ransomware

US government warns of increased risk of ransomware over holiday season

24 Nov 2021
Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022