Ramblings of an old Doc


OK…most of the possible exploits found and described by Joxean Koret (a researcher at COSEINC, a Singapore-based security firm) are pretty exotic and would need real experts to turn into working attacks, but some really aren’t, and worse…even when told of the bugs only a couple of companies bothered to ask how to fix them and only one (ESET) did so nicely. Apparently they expected him to supply the fixes free.

“At the SyScan 360 security conference in Beijing earlier this month, Joxean Koret claimed to have found flaws in antivirus engines found at the hearts of many major antivirus software products, including those made by Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda and eScan. Koret also documented several ways that antivirus software could be allegedly compromised or manipulated to make what should be a wall into a door.” – TomsGuide

The details are very technical, but they’re available online in pdf form.

Importantly, Malwarebytes was not tested…and so many of us use that program. That was disappointing.

Essentially, Koret made some very important points (which remind me of the_Monk’s assertions):

“antivirus programs often install with high administrator privileges, which lets them perform necessary actions such as scanning the entire and modifying or removing malicious programs. However, if an antivirus program were compromised, it would have extensive power to abuse the computer on which it was installed.” – ibid

If that’s indeed true (and it is), then the AV program actually increases the attack surface: that many more connections and components that can be hacked or otherwise exploited. His results show the AVs have serious flaws, even zero-day flaws…just like any other program.

Also, most AVs update via plain HTTP connections rather than digitally signed, encrypted HTTPS connections, making them vulnerable to man-in-the-middle attacks in which one thinks he’s downloading an update but actually downloads entirely different content.
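To make the update problem concrete, here is an added example (not from the post or any AV vendor) of the check an update client should do: the vendor signs the version and the payload together with a key the client has pinned, so content swapped in transit (simulated here) or an old update replayed is rejected. The key pair, payload bytes and version numbers are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedUpdate is what a vendor would serve. The signature covers version and
// payload together, so a man-in-the-middle cannot swap either without the key.
type SignedUpdate struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signedBytes binds version and payload into the single message that is signed.
func signedBytes(version uint32, payload []byte) []byte {
	msg := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	copy(msg[4:], payload)
	return msg
}
// SignUpdate is the vendor-side step (constructed for this example).
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) SignedUpdate {
	return SignedUpdate{version, payload, ed25519.Sign(priv, signedBytes(version, payload))}
}
// VerifyUpdate is the client-side check: signature by the pinned vendor key,
// then a rollback check so an old but genuinely signed update cannot be replayed.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, u SignedUpdate) error {
	if !ed25519.Verify(pinned, signedBytes(u.Version, u.Payload), u.Sig) {
		return errors.New("signature invalid: update rejected")
	}
	if u.Version <= installed {
		return errors.New("rollback: signed, but not newer than installed version")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair; the client pins pub
	good := SignUpdate(priv, 2, []byte("definitions v2 (constructed)"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, good))
	// Simulated man-in-the-middle on a plain-HTTP download: payload swapped in transit.
	tampered := good
	tampered.Payload = []byte("attacker-supplied content (constructed)")
	fmt.Println("tampered update:", VerifyUpdate(pub, 1, tampered))
}
```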

Koret stated he found various vulnerabilities in 17 major AVs. Some (such as Avast and ESET) patched their software by the time of his presentation in China…but the others allegedly had not.

So, should you be worried? Andreas Marx, CEO of AV-Test says that the vulnerabilities exist but are (currently) largely theoretical.

"Insecure code might put the user at risk, as demonstrated in the presentation. However, at the moment, such attacks are more research-oriented (proof of concept) or might be used for targeted attacks," Marx told Tom's Guide. "I'm not aware of a recent widespread virus or other malware which exploited a vulnerability in AV software." – TomsGuide

He said that because there are many AVs, none of which has a commanding market share. So why pick a small target when huge ones like Java, Adobe Reader and Adobe Flash are on millions of computers in the world?

While that does make sense, something in me really is unhappy with the idea of an AV made vulnerable by poor/inadequate testing and sloppy updating protocols (among other problems). Their code should be impeccable and updating should be as secure as possible. After all, the only way they can do their job is by running with elevated privileges.

Even worse? Why wouldn’t they pay him a reward for his work and get their butts busy on fixing the defects? To me, that kind of greed or pride goes before the fall.

So, are AVs worth it? Yes, with a good deal less enthusiasm. VPNs are looking a lot better. Common sense and good browsing habits are as well.

Maybe the_Monk will help us all with a “how to” on the subject of privileges, although a vulnerable AV would pretty much neutralize that by virtue of the fact that AVs typically assume the highest ‘privileges’.

ESET…beginning to look at you again after a long hiatus in our relationship…if only because you were polite.

Sorry if this causes sleepless nights…I didn’t sleep well last night myself.

Sources:

http://www.tomsguide.com/us/antivirus-software-insecure,news-19227.html – primary.

http://www.infopackets.com/news/9309/most-antivirus-not-secure-exploitable-report

http://www.syscan360.org/slides/2014_EN_BreakingAVSoftware_JoxeanKoret.pdf – presentation in pdf form. Should be read.

http://www.pcworld.com/article/2459760/antivirus-products-riddled-with-security-flaws-researcher-says.html


Comments
on Aug 02, 2014

I was expecting a post about anti-viral drugs based on the title...


on Aug 03, 2014


I am in agreement with Andreas Marx of AV-test and his point that while those vulnerabilities exist they would seem most dangerous from a 'targeted' approach.


Having said that, I have long espoused a privilege-based security policy resembling whitelist theory as opposed to a third-party software control-based security policy more consistent with the traditional blacklist approaches. Anyone who has been reading my posts on these forums knows this.

Doc, I have given that 'how to' some considerable thought for a while now, but always end up dismissing the project because to me 'least privilege' and everything that comes along with it cannot be (in my opinion) properly explained for every possible os/system/user configuration in a 'how to' .PDF or two.  It requires a moderate (at least) and sometimes advanced understanding of one's OS (this varies from OS to OS), a deeper understanding of systems 'trust relationships' is usually helpful as well as a clear grasp of things like file/user permissions, rights and authentication types.  This type of knowledge is usually found at the enterprise organizational level and not many other places, which is of course one reason why so much of the 'malware-infested-systems-landscape' is claimed by personal use systems.  I truly wish that could change and I do try to point people in the right direction (with regard to doing their own research into thinking 'least privilege') and making some changes to how they compute etc., but as far as actually writing a 'how to' I may never be able to provide something of actual worthwhile substance that can't already be found by performing a web search.


I think the two most important tips which could be reiterated to the average computer user (and which everyone should already be aware of) are:

1.  Create a separate ADMIN account to be used for 'admin duties' and change one's regular user account to a 'limited' account.

2.  Never browse the internet (or do anything else requiring internet connection unless critically necessary) while logged in to the ADMIN account.


Those two things alone will go much further in keeping you and your system safer on a day-to-day basis than any third-party software solution ever can (in my opinion).  I personally also do not have any third-party AV installed.  Instead I keep an updated 'emergency kit' handy on USB which can be used for regular on-demand scanning and/or in case system instability is observed.  In the case of the latter the emergency kit can be used in conjunction with a pre-install environment in order to ensure better 'cleaning' should there actually be a threat present.  

on Aug 03, 2014

I think there's a catch 22 here, Monk...the AVs are vulnerable through really stupid stuff and have 'elevated' privileges...so I'm not sure they're really worth having...maybe Malwarebytes...

You might appreciate having the free Portable Tools article, though.

Although I understand your response (and thank you), I think I'll have to continue to taunt you...if only on general principle.

on Aug 03, 2014

DrJBHL

I think there's a catch 22 here, Monk...the AVs are vulnerable through really stupid stuff and have 'elevated' privileges...so I'm not sure they're really worth having...maybe Malwarebytes...

Agreed.  That is why, as I posted above, I don't even have a third-party AV installed in the first place.  I'd rather keep system resources for stuff I really want to run, secure my system as posted above and keep AV and other related tools relegated to the (emergency toolkit) 'second opinion' shelf!


DrJBHL

You might appreciate having the free Portable Tools article, though.

Yeah I saw that post.  As always a nice find Doc! 

on Aug 09, 2014

I only sleep on Sunday lol.