This week was popcorn-time on Twitter. The good old debate started again. On one side, browser developers, penetration testers and AV bug hunters, on the other side, members of the AV industry. It is hard to get the essence what the debate is about, but it is mostly around this statement:
“AV increases attack surface. AV introduces more risks with this increased attack surface than it reduces.”
I agree with the first sentence. I don’t agree with the second sentence. If you are interested why, here it is.
My definition of AV is that it should protect the users from malware. Malware is introduced into a machine via multiple channels, like:
- web download, where the user downloads and starts the malware
- spam attachment downloaded from mail client
- portable drives (e.g. flash drive)
As AV is integral part of the system, vulnerabilities in the AV can be exploited to download and start malware. Which is equally true to any software installed onto the system, let it be Office, browser plugin, or whatever. Surely exploiting the AV is the best case scenario for attackers, because in this case they usually execute code in kernel mode, and they don’t have to deal with bypassing the AV. Bypassing AV is not hard (it depends on the product we are talking about), but let’s face it, not all attackers are advanced attackers. Actually, 99% of the attackers are not advanced attackers. Even if they use multi-scanners to create FUD, it can easily be blocked by many features (reputation, heuristics, behavior, etc) not covered by these multi-scanners. I am not saying these protections will block all malware, but some (or even most), yes.
Sticking to this metaphore, I will certainly not buy a lightbulb which sets the room on fire. But guess what, if this happens one in a million, I would buy it, rather than breaking my neck in the dark every day.
There is no data on how many companies or home users are owned by AV exploits. What we do know that there are full time researchers who fuzz AV, find bugs and sell it to people. These people use these codes to exploit other people. As we don’t have data on this, I have a feeling this attack vector is only used in targeted attacks, and I can even say in sophisticated attacks. Hey, they are using a 0-day here. If these attacks were used on home users, we would have data on these attacks. Which means exploiting AV to execute code on victim machine happens, but it is rare. Compared to the other 400k daily new malicious sample seen by the AV industry (and some others not seen by them), there is maybe 1 AV attack per day (my guess is that it is even less).
Now, I am sure there is alien technology out there which can tamper with the computer by some clever form of direct radio waves, and change the memory state in the computer (remote Rowhammer attack). There is no AV on the earth which could prevent this kind of attack, right? Right. Should AV detect and protect against these kind of attacks? I doubt it. As long as it is not widespread, it is economically not reasonable to protect against these. The same applies to AV exploits. As long as it is not widespread, and people are not hacked left and right with this, it is just a nice-to-have feature to protect against those. IMHO a very important, but still, nice-to-have feature. For example notifying people that a process is accessing their webcam or mic is much more important feature, yet only implemented in a few AV. Will the AV exploiting become widespread sooner than the alien technology remote Rowhammer? Probably yes.
Now, let’s discuss the browser (Chrome) angle. We are all grateful for the Chrome developers for their work. They have pushed the browser security to a next level. Now home users are not infected via browser exploits when they use Chrome, and the download white-list + black-list checks also helps filtering out malware. But, users can get infected by other means. Office macro files, Office exploits, infected flash drive, spam downloaded from Thunderbird/Outlook, and so on. In a corporate environment, you can do a lot of things to prevent these things from happening (with money and expertise), but in a home environment, it does not scale … Also don’t forget not all users will, or can use Chrome. And these people will need AV as a last line of defense against regular web exploits or malware download. Unfortunately, not all companies have unlimited money and talent to solve the malware issue. And AV helps in these cases to decrease the risk to an acceptable level.
I do believe that when attackers can’t use their old attacks economically, they will move to new attack vectors. And attacking AV could be a Nr. 1. choice in the future, when exploiting Flash is not worth anymore. Which means, as a preventive measure, AV vendors should get their sh*t together today, implement sandboxing in their scanners, review their 20+ years old C code parsing untrusted input, move a lot of code from kernel to user-space, change their compiler from Visual Studio `97 to 2015 and turn on most (if not all) compiler security flags, etc. AV companies spend millions on signatures, yet close to nothing to improve the security of their own product. Which is bad. But this does not mean that today, people should remove AV. This just does not make sense. If they remove AV, the situation will be much worse.
Unfortunately AV products have a lot of things from the past. Performance and false positives were more important in the past than it is today, in my opinion. Now that people have SSD and 8 Gbyte RAM in their computer, AV developers should check where they have sacrificed security for performance in the past. Also now that a ransomware or a true APT can cause significantly greater damages than it did in the past, maybe it is time to raise the detection level, and sacrifice on more false positives.
I also love how people recommend Windows Defender, just because that is the only AV out there which was developed with security in focus. But as long as it scores ~80%-90% on multiple AV tests, I would not recommend it …
Think of AV as a gatekeeper at the castle. It is very nice that you can’t bribe him as easily as the other gatekeepers, but if the gatekeeper fells asleep in 20% of his duty, it is kind of worthless.
I do believe that there are people, companies out there whose security level is so high that installing AV on their computer decreases the overall security. These companies can complain that due to compliance reasons they still have to keep AV. And I feel their pain. But this is like 1% of the overall computers. And you are probably not this 1%, and neither is your parents computers. Was any malware discovered by AV in the past 2 years on any of your desktops/servers? If the answer is yes, you probably still need AV.
Justin Schuh wrote a great article, which I agree with 99%.
The part I don’t agree with is the title, and after carefully reading the whole article, the title is not supported by it’s content. At the current (bad) state of world, most people still need AV. But I would rather buy AV which has tons of proactive protections (e.g. EMET like exploit protection, generic ransomware protection, integrated adblocker, etc.) and less signatures. And his article does not answer all the other infection methods discussed before. You can do everything what is written there, a motivated stupid user will still infect his own computer (and the corporate network).
What I do recommend to people who think AV should be removed from computers today is that please quit your job, be the CISO at a medium sized company in a not-so-rich country, and after one year evaluate your opinion. Surely you can do a 5 year program which at the end will increase the security level to the point where you can remove AV from the endpoints, but in the meantime, you should be crazy to remove it … Expectations how things should work, and reality how things work are way too far today.
Let me finish my rant with a metaphor. AV systems are like dinosaurs. They will die out sooner or later, but as long as we live in the Jurassic Period, they are here with us. Some AV is like a Brontosaurus, others are like Velociraptors. But we need dinosaurs before birds can fly over the sky. Dinosaurs are integral part of evolution.
Update 2019 February 18: Review institute published a meta study on AV: https://www.reviewinstitute.org/antivirus-software-meta-study/
Last but not least I have collected the best moments from these conversations. Enjoy.