Does antivirus software do more harm than good?


Antivirus slows down your computer, interferes with apps and nags you with renewal pop-ups. But what if they were the least of its crimes? What if it was actually making your PC less secure?

A long-running debate between developers and antivirus vendors has escalated into a knives-out brawl. The developers argue that the antivirus industry's lazy techniques widen the attack surface and that its sloppy code is filled with flaws, giving hackers more routes into the OS. Security firms, on the other hand, argue that those without antivirus remain at greatest risk.

Who is correct? Both parties have a case, but the increasingly rancorous battle between some of the biggest names in the tech industry is currently generating more heat than light. Would you genuinely be better off uninstalling your security software? Read on and draw your own conclusions.

The case against antivirus

There are two main complaints against antivirus: it's riddled with bugs and the way it's designed gets in the way of other software measures.

Let's start with the first. Head over to Google's Project Zero and search for antivirus under "all issues" and you'll find a long list of reported bugs from a host of vendors. You'll also quickly notice that the vast majority of reports are filed by one Tavis Ormandy, Google's belligerent and persistent security researcher.

The infamous bug hunter and antivirus critic last summer uncovered flaws in Symantec products that he said were "as bad as it gets", and has also dug out bugs in Kaspersky, McAfee, Trend Micro and Sophos. In a statement to PC Pro, Symantec said that it "continually improves the protection delivered by our products with regular updates" and that it works not only with its own experts but independent security researchers.

However, Ormandy isn't alone in discovering cavities in the software that's meant to be protecting us. Joxean Koret, a researcher at Singaporean security firm COSEINC, spent a year poking holes in antivirus, finding dozens of vulnerabilities largely in software using C/C++.

In his presentation, he uses language saucier than this magazine can print to suggest that antivirus companies don't care about security in their own products, and wonders "why is it harder to exploit browsers than security products?"

Meanwhile, a report from Flexera Software at the end of last year revealed that 11 of the 46 pieces of software on its rankings of most vulnerabilities were actually security products.

Naturally, it's not only white hats who are searching for holes in antivirus. The tranche of 8,000 pages of documents about the CIA's hacking skills published by WikiLeaks revealed the American spies have an unflattering opinion of antivirus. Comodo was described as being a "colossal pain in the posterior" for spies to get around, but an older version of its antivirus has a "gaping hole of doom". A now-patched flaw in Kaspersky allowed spies to bypass all protections, and one CIA hacker crowed about a "totally sweet" bug in AVG.

"Antivirus is a technology that should be used with extreme caution," said Craig Young, security researcher at Tripwire. "In recent years, evidence has been piling up to show that weaknesses in virtually every antivirus product available could actually expose end users to more serious risks than the viruses they are protecting against."

Those flaws are all the more dangerous because of the way most antivirus software occupies an elevated position, and because it uses invasive techniques to sniff out attackers. Normally, malware must trick users into clicking a link, opening a document or running an executable, Young notes.

That means "weaknesses in the antivirus program can be exploited without any user interaction," he explains. "If an adversary knows what kind of antivirus a target is using and can identify a vulnerability in that product, gaining complete control of the remote systems can simply be a matter of sending an email, even if the email is never opened."

Robert O'Callahan worked at Firefox-developer Mozilla for 16 years and, when he left the company, he took a parting shot at security software developers with an inflammatory post on his blog, titled "Disable your antivirus software (except Microsoft's)".

He said that antivirus "products poison the software ecosystem because their invasive and poorly implemented code makes it difficult for browser vendors and other developers to improve their own security".

O'Callahan's own example came when he was working on Firefox for Windows to implement address space layout randomisation (ASLR), which defends against a type of attack called a "buffer overflow" by randomising where executables are loaded into memory, so an attacker cannot predict where their target code sits. O'Callahan said "many antivirus vendors broke it by injecting their own ASLR-disabling DLLs into our processes.

"Several times antivirus software blocked Firefox updates, making it impossible for users to receive important security fixes," he continued. "Major amounts of developer time are soaked up dealing with antivirus-induced breakage, time that could be spent making actual improvements in security."

Another concern is how most antivirus sits between your browser and the web, creating the possibility for a man-in-the-middle attack. To see encrypted traffic and check it isn't malicious, the software intercepts it (sometimes by default, other times with user permission), creating its own Transport Layer Security (TLS) connection to the site and taking over the browser's job of checking certificates. In other words, antivirus breaks existing browser security systems to use a hacking technique against its own customers.
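One way to tell whether something is sitting between your browser and the web, as an added defender-side check that is not part of the article: when an antivirus product scans HTTPS, it re-signs each site's certificate with its own locally installed root, so the leaf certificate the client receives names that local root as issuer instead of the site's public CA. The script below parses the structure Python's `ssl` module returns from `getpeercert()` and compares the issuer against a baseline captured on a known-clean machine; the host, issuer names and certificate records are constructed for the demonstration.

```python
# Added example (not from the article): detect local TLS interception by
# comparing the served certificate's issuer with a known-clean baseline.
import socket
import ssl


def rdn_to_dict(rdn_seq):
    """Flatten the issuer/subject structure returned by getpeercert()
    (a tuple of RDNs, each a tuple of (attribute, value) pairs) into a dict."""
    return {attr: value for rdn in rdn_seq for attr, value in rdn}


def classify(cert, expected_issuer_org):
    """Return ('direct', issuer) if the leaf was issued by the expected public
    CA, ('intercepted', issuer) otherwise, where issuer is what was observed."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    observed = issuer.get("organizationName") or issuer.get("commonName", "?")
    verdict = "direct" if observed == expected_issuer_org else "intercepted"
    return verdict, observed


def check_live(host, expected_issuer_org, port=443, timeout=5.0):
    """Connect using the system trust store (the store a browser uses, and the
    one an AV product adds its root to) and classify the leaf that is served."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return classify(tls.getpeercert(), expected_issuer_org)


# Constructed getpeercert()-style records for the offline demonstration.
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
PROXY_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    # Hypothetical root that a scanning product would install locally.
    "issuer": ((("commonName", "Local Antivirus HTTPS Scanning Root"),),),
}

if __name__ == "__main__":
    for name, cert in (("clean baseline", DIRECT_CERT), ("scanning proxy", PROXY_CERT)):
        verdict, issuer = classify(cert, "Example Public CA")
        print(f"{name}: {verdict} (issuer: {issuer})")
```

Run `check_live("your.site", "<issuer org from a clean machine>")` to test a real connection; a mismatch means the certificate chain ends at a locally trusted root rather than the site's CA, which is exactly the interception the article describes.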

The case for antivirus

Antivirus vendors defend their efforts. We asked several major players for a response, and the strongest came from PandaLabs. "We know that Project Zero researcher Tavis Ormandy likes analogies so we would like to put one forward," said Luis Corrons, technical director of PandaLabs. "It is a fact that medical vaccines work and have saved millions of lives, virtually eradicating some of the nastiest diseases ever known. However, you will always find some 'bright spark' who says it is much better not to inoculate the population, just use knowledge to avoid the infections, and we always have antibiotics if we feel sick."

Corrons added: "Anti-malware solutions are one of the most efficacious methods of detecting and protecting against hundreds of millions of known security threats. Not using anti-malware exposes you to unnecessary risks."

For a more independent defence, we turned to Dr Vesselin Bontchev. He previously worked at antivirus firm Frisk in Iceland, but now works at the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, and he's stepped into the fray on Twitter to counter the case made by Ormandy and his colleagues.

There's no denying the bugs, of course, and Bontchev admits that all major antivirus firms have reported flaws, although they've since been fixed. He also concedes that the decision made by antivirus firms to sit at kernel level makes those flaws all the more dangerous. He even agrees with Ormandy et al that antivirus opens up new attack surfaces. "In this claim, they are correct," he said. "It's the conclusions they make from this that are totally wrong, misleading, and even harmful for the users."

He says we must perform a risk assessment. Antivirus may be flawed, but so too will any other piece of software you run. Which is most likely to make you a target: a rare, hard-to-hack bug in antivirus, or the many basic flaws in every other piece of software? "What [antivirus] does is replace one risk, an attacker invading your machine by using an unknown and unpatched bug in your antivirus, with another: your machine getting infected because you opened a malicious file and you had no antivirus to stop you from doing so," Bontchev argues.

The chances of an attacker exploiting a bug in antivirus software, Bontchev adds, are slim. "It takes an extremely competent attacker to find one and to exploit it," he said. "There are very few such attackers around."

On the other hand, standard malware is easy to find and easy to exploit. "Clearly, commodity malware presents a much greater risk than extremely sophisticated attackers using a hypothetical bug in your antivirus software," Bontchev argues.

"I can think of only one or two cases when malware leveraged a bug in some antivirus product to attack computers," he said. "Compare that with a million-per-day cases of 'normal', commodity malware attacking millions of people around the globe. Clearly, using antivirus software for protection against at least the malware it can detect and stop by far outweighs the risk of hypothetical unpatched bugs in said antivirus software."

F-Secure security advisor Sean Sullivan agrees. "For the last decade, it's not been high-skilled, high-motivated attackers that we've been dealing with," he said, adding that researchers such as Ormandy appear to be trying to protect victims from targeted, specialised attacks.

He's also critical of the way researchers often publish such flaws if they're not fixed within a defined period of time. "I don't know that that's the best utilitarian choice in terms of harm and the amount of harm it might cause," he said. "Because when they disclose something like that, they are potentially giving cyber criminals... a free gift."