On the Usefulness of Anti Virus Software

Anti virus software is probably one of the first things to be installed on a fresh system before any other software hits the harddisk. There seems to be consensus that a virus scanner is a must-have nowadays, the only thing that is not clear, is which one is supposedly the best when it comes to malware, ransomware, spyware, scareware, root-kit, spam, phishing, botnet, trojan or <place random word here> detection. No-one has ever been blamed for using AV, the opposite might be the case though. But in fact, there is an ongoing discussion about the usefulness of such software and it is as old as virus scanners themselves. The reason for questioning their usefulness is as simple as it is convincing: Finding eight out of ten threats* is not necessarily better than finding two threats, since both cases would leave the user with a compromised system that should not be operated anymore. On the other hand, one might ask, what are the chances for a user to really come across all these viruses so that the better perofming AV fails just like the lower performing AV? Answering this question would require empirical data, ideally obtained from infected and/or successfully protected systems across all AV vendors and operating systems.

Either way, this discussion reaches a new level when AV scanners are convicted of posing threats themselves by introducing additional vulnerabilities. This gives the topic a new spin, since the worst case is not absence of benefits anymore, but presence of harm. This discussion, as well, is not new but drew a lot of attention lately because of prominent incidents. Only a few days ago Tavis Ormandy and Natalie Silvanovich discovered a critical vulnerability in the Microsoft Malware Protection Engine[4]. This vulnerability allows for remote code execution and comes along with software that is actually supposed to increase security and protect users. Another case is that of a vulnerability introduced by Checker ATM. Checker ATM, usually intended to enforce restrictions (execution of applications, periphery, connectivity etc.), exposed a remote code execution vulnerability to attackers posing as control servers. According to the different outlets reporting on this issue[1,2], there are some ‘ifs’ in exploiting this vulnerability. Nevertheless it serves as a good example for security software that missed its purpose. A good overview of general problems of AV software dates back to 2007 and was published by Alvarez and Zoller[3].

Be it viruses that effectively circumvented AV software or AV software that posed threats itself, the past year was rich in incidents, that made us question the security of our IT systems. Ransomware and botnets accounted for a large proportion of such incidents. The most recent threat, WannaCry, dates back only four days and compromised an estimated 200.000 devices worldwide.

The question on how to effectively AND efficiently protect IT systems remains unanswered. Virus scanners will never be able to detect all threats, they frequently raise falls alarms and sometimes even introduce additional vulnerabilities. Besides, the signature-based approach that virus and malware detection mostly relies on, naturally comes with a delay that leaves systems vulnerable until those signatures are updated. With increased propagation speed, this time span of vulnerability must be close to zero. The AV industry came to this insight as well, which is why many AV suites already implement features to allow for proactive detection of malicious program code based on heuristics. It appears they are just not very effective yet.

(*) Even the best scoring anti virus suites do not detect all threats[5,6].