The Importance Of Detection

I received a comment on one of my articles recently about antiviruses being useless and I’d like to talk a bit about that. I personally do not run any antivirus software – not on Linux Ubuntu 12.04 and not on my Windows 8 Release Preview despite the fact that Windows 8 comes with Microsoft Security Essentials by default.

Antiviruses are often considered a staple for security. The average user has an antivirus installed and that’s pretty much the central piece of security for them. It’s simply the most widely used method for security. But a lot of people, especially those with some knowledge about computer security, will tell you that antiviruses are not enough or even, as n=n+1 stated, entirely useless.

Why I Don’t Use Antivirus

I’m one of many users who don’t use antivirus software, and not just because I’m on Linux. The fact is that current antiviruses are stupid: the entire basis for their model is “If I don’t know it’s bad, I assume it’s good.” That isn’t inherently wrong, but you should never really assume anything is good. It should be “If I don’t know it’s bad, I assume it’s bad and take precautions when running it.” Basically, if the AV doesn’t flag the software, the software has full access to my /user/ or /home/ folders and can potentially escalate.

Antiviruses are also a bit heavy. New on-access AVs are better about this, but compared to other solutions that simply hook specific APIs and otherwise use virtually no resources, it’s a lot. Disk and file access goes up, and I just like to keep things shaved down.

Every antivirus relies on updates. If your AV isn’t up to date you’re vulnerable; it’s like trying to stay patched, except attackers are creating malware 1000x an hour. And heuristics aren’t an answer with the current model: you set the sensitivity either so low that it’s useless or so high that you’re bothering the user every 5 seconds with false positives.

Speaking of false positives, they all have them, and as soon as a user gets one single false positive the entire antivirus becomes virtually useless for protecting against social engineering. Social engineering is all about trust, and if a user downloaded the file they already trust the file. The antivirus’s job is to be trusted more, and every false positive seriously degrades that trust.
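To make the two complaints above concrete, here is a toy model I’ve added for this post (it is not code from the original article or from any AV product): a default-allow signature policy beside the default-deny policy argued for earlier, and a threshold sweep over a constructed set of heuristic scores showing how a low threshold buys detection with false positives and a high one buys quiet with misses. Sample names and scores are made up.

```python
# Added example: default-allow vs default-deny decisions, and the heuristic
# threshold trade-off, over a constructed sample set (not real malware data).

# (name, heuristic score 0..1, has known signature?, actually malicious?)
SAMPLES = [
    ("installer.exe",     0.10, False, False),
    ("photo_viewer.exe",  0.35, False, False),
    ("macro_tool.exe",    0.60, False, False),  # benign but suspicious-looking
    ("old_worm.exe",      0.80, True,  True),   # already has a signature
    ("fresh_dropper.exe", 0.55, False, True),   # new malware, no signature yet
    ("stealthy_rat.exe",  0.30, False, True),   # malicious but scores low
]

def signature_policy(sample):
    """Default-allow: anything not matching a known signature runs with full access."""
    _name, _score, known_bad, _is_mal = sample
    return "block" if known_bad else "allow_full"

def default_deny_policy(sample, trusted=frozenset()):
    """Default-deny: only explicitly trusted software gets full access;
    everything unknown is still allowed to run, but with precautions."""
    name, _score, known_bad, _is_mal = sample
    if known_bad:
        return "block"
    return "allow_full" if name in trusted else "allow_restricted"

def heuristic_outcomes(samples, threshold):
    """Flag a sample when score >= threshold.
    Returns (malware that slipped through, benign files wrongly flagged)."""
    missed = [s[0] for s in samples if s[3] and s[1] < threshold]
    false_pos = [s[0] for s in samples if not s[3] and s[1] >= threshold]
    return missed, false_pos

def threshold_sweep(samples, thresholds=(0.2, 0.5, 0.7)):
    """Map each threshold to its (missed, false_positives) lists."""
    return {t: heuristic_outcomes(samples, t) for t in thresholds}

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s[0]:20} signature={signature_policy(s):14} "
              f"default-deny={default_deny_policy(s, {'installer.exe'})}")
    for t, (missed, fp) in threshold_sweep(SAMPLES).items():
        print(f"threshold {t}: missed={missed} false_positives={fp}")
```

Note that the unsigned dropper gets full access under the signature policy but only restricted access under default-deny, and that no threshold in the sweep is free of both misses and false positives.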

Why I Like The Idea

The idea of an antivirus is noble, and I believe it is inherent to a proper security policy (which doesn’t exist currently). Antiviruses attempt to make decisions that users are incapable of making. As I said above, if a user has downloaded a file, that means they trust it. An antivirus tries to get the user to stop trusting it. It’s a good thing, just a horrible, horrible implementation that hasn’t gotten better despite years of issues.

Heuristics are necessary for true security. Decision making is inherent to all security because everything comes down to a user’s decisions: visit the website or not, download the file or not, run the file or not, admin rights or not, etc. Users are not (and never ever will be, no matter how much education) capable of making these decisions. Heuristics act on a level that we cannot: they can perform code analysis and behavioral analysis and correlate trends in malware with what they see. Our brains are amazing at learning beautiful things, but they are built for survival and reproduction; leave file analysis to the experts.

So while I absolutely think that heuristics are not just important, but necessary, I wouldn’t touch an AV with a ten-foot pole right now. They’re useless against a targeted attack, not all that useful even against automated attacks, and generally a pain in the ass.

That said, I also wouldn’t ever tell an average user to turn their AV off. Not on Windows at least.