Is Anti-Virus Dead? | S1E3

Marc Briggs  0:05  
Welcome to DE:CODED, Series One, Episode Three - your weekly podcast providing in depth insight into cyber security. Show notes, including any links mentioned in the show, are available at DecodedCyber.com.

Simon Edwards  0:24  
I am talking on this podcast alone. Because to be frank, this subject is a total hobby horse of mine, and probably no one else here cares as much about it as I do, so I thought it was kinder to the team for me just to handle this episode on my own. Hopefully you'll find it useful.

Simon Edwards  0:44  
I really just want to give my perspective on the issue of antivirus being dead. Because that simple headline actually obscures some quite complex and important issues. I think it's really interesting.

Simon Edwards  1:00  
Antivirus Is Dead. Three easy words that make an almost guaranteed route to headlines in the technical press. But what do they actually mean? That antivirus software is useless?

Simon Edwards  1:13  
Let's dig down into this thorny issue and separate the facts from the marketing messages. For some reason, antivirus technology seems to divide experts into barely rational groups of those who think it's completely useless and those who think it (or rather, their preferred brand) is a panacea.

Simon Edwards  1:34  
First of all, what is antivirus? Well, it's another name for anti-malware, which is another name for Endpoint Protection. An endpoint is a computer that a person will use directly, like a laptop or virtual desktop. And essentially we're saying that antivirus is a historical term for endpoint protection for most people.

Simon Edwards  1:58  
It is true that similar technologies can be loaded onto servers and other systems that aren't endpoints. But when most people talk about antivirus being dead, they're usually talking about something that's on the endpoint.

Simon Edwards  2:13  
So why are people saying that it's dead? If it's a historical term, does that mean that antivirus is obsolete? There are a few reasons why people keep trying to bury antivirus, ranging from cynical marketing to frustrated software developers, via conspiracy theories!

Simon Edwards  2:32  
Here are the top four reasons I've seen for saying antivirus is dead.

Simon Edwards  2:37  
Number one, they're a security company selling something that competes in the endpoint protection space. And they want to distinguish what they've made from the crowd, and to claim that their approach is fresher and more effective.

Simon Edwards  2:52  
The second reason could be that the person understands that antivirus is not 100% effective, but believes that makes it a complete waste of time. Some very technical researchers hold this opinion, as well as some less well informed, opinionated individuals who just believe that for whatever reason.

Simon Edwards  3:13  
And sometimes people get confused about what antivirus is. They're thinking of the original ways in which antivirus works using signatures. And we'll talk more about signatures shortly.

Simon Edwards  3:25  
Number four, and the final one, software developers. They can really struggle to get their products to work when antivirus gets in the way. There was an ex-Mozilla developer who famously said the antivirus was more or less a waste of time. And Solar Winds, a network management company you may have heard of, used to recommend disabling antivirus when installing its software. And given their software sometimes contained malware itself, that's pretty ironic and very bad advice.

Simon Edwards  3:59  
Extremely briefly, it's important to understand a very short history of antivirus for some of this stuff to make sense. The original antivirus products (I'm going to refer to them as AV from now) worked by recognizing known viruses and other bad files using patterns and signatures. They're like fingerprints. If you know a file is bad, you take its fingerprint. When another similar files turns up, you compare its fingerprint to your database. And if there's a match, you could be very confident that this second file is bad.

Simon Edwards  4:32  
When you hear people going on about AV signatures, that's what they're talking about. They might also talk about hashes. For this discussion, these are all the same thing.

Simon Edwards  4:42  
Now in the last few years, we've seen new companies selling their anti-malware products aggressively, claiming that the old ways are completely useless and you need their new technology. And what you tend to find is that their marketing message is, "antivirus is the old school signature-based technology of the 80s and the early 90s" and what they've produced is something involving AI and machine learning, which makes it better. And because it doesn't use signatures, it's faster and always up to date.

Simon Edwards  5:12  
And mostly these representations are very misleading. Modern antivirus uses machine learning, and has done for well over a decade. Signatures provide just one part of the puzzle. And if you know the fingerprints of some serious criminals, why wouldn't you use them? Your other detection techniques can be used too. You don't have to make a choice. Signatures are really useful and can actually save time and increase accuracy.

Simon Edwards  5:39  
Also, some of those early so-called next-gen products did use signatures, and also needed updates because machine learning is always being improved. So I think it's fair to say that marketing claims that "AV is dead" are just a bit disingenuous.

Simon Edwards  5:55  
Some years ago, a journalist asked me about some "AV is dead" headlines. And my response was this:

Simon Edwards  6:02  
"The claim that AV is dead is guaranteed to make headlines in the technical press. This is why the claim is made so often, sometimes by companies that actually have anti-malware solutions within their own products."

Simon Edwards  6:17  
But let's assume that AV works to a point but isn't perfect. Some people feel that running it is actually more dangerous than not. Tavis Ormandy and Joxean Koret are just two researchers who have researched bugs in AV software that open up routes for attack. The issue here is that all software contains vulnerabilities. It's almost inevitable. And the hope is that developers who work in security are more aware of secure coding than the rest of the world. But that's not necessarily true.

Simon Edwards  6:51  
You can write a product that can scan a million viruses really fast. But that doesn't mean you've ensured your own software is hack proof. And here's an anecdote for you:

Simon Edwards  7:00  
Years ago we were demonstrating how we tested targeted attacks. We had a vendor from a major US security firm watching as we attacked a system that was protected by a top-tier anti-malware product. The attack worked and we got our remote access, which looks just like in the movies. A black terminal window with text.

Simon Edwards  7:21  
And in those days, we had to hide inside another process. We generally chose Windows Explorer, because it's always running. So we listed out the processes to find the right number (because processes all have numbers, and that's how you migrate into them - is to type a command with that number.) So we needed the number. And I happened to notice that the antivirus agent was listed on the screen nearby. So, rather mischievously, we migrated into that instead of Explorer. In Hollywood terms, we were hiding inside the security program itself.

Simon Edwards  7:56  
Now I expected something dramatic to happen. I thought maybe an alert or probably a blue-screen-style crash. But no, we entered the security program and nothing was spotted. If you thought your system was infected, the last thing you'd do is turn off your antivirus, which is where we were hiding. So that's at least proves that security products aren't always the most bulletproof applications.

Simon Edwards  8:20  
But it doesn't mean that they're useless either. And if you are a normal user and not an elite security researcher, you have tons of apps on your computer. And having an AV product isn't opening up anywhere like the security gaps that running dozens of other apps does. Do you really think that games developers spend much time checking for vulnerabilities.

Simon Edwards  8:43  
Next year, antivirus will be 40 years old. And what that means is software labeled "antivirus" has been around for nearly 40 years. But the DOS program flushot, which only used 10k of memory, is nothing like the latest endpoint security products that take many megabytes of RAM and gigabytes of disk space. The hard disks available back in the 80s were smaller than the software agents running in today's PCs' RAM.

Simon Edwards  9:12  
You'd hope that, with all of those resources being used, the functionality might be greater too. The only similarity between those old programs and the new is about $19. You can still get good antivirus for that sort of money today, or even for free.

Simon Edwards  9:30  
Anyway, I mentioned fingerprints or hashes earlier. Many of the first antivirus products relied on hashes. As more threats emerged, the antivirus vendors started collecting vast libraries of files. They calculated each file's hash and created databases. And these were then supplied to their antivirus clients. Initially on bulletin boards and, believe it or not, monthly batches of floppy disks sent in the post. But later, anti malware products could download up updates from the internet.

Simon Edwards  10:02  
It wasn't that long ago, that Norton Antivirus had weekly updates. And now all products are updating constantly and send queries to the cloud too. But even though they often still use hashes, they have other ways of working too. They can often detect hacker techniques such as heap spraying. They can detect when a program starts encrypting large numbers of files. And they can spot programs making unexpected connections out to the internet.

Simon Edwards  10:30  
There are so many ingenious ways that these programs can try to detect threats, that to simply write them all off a signature-based antivirus is really unfair. The vast majority are not.

Simon Edwards  10:43  
I wrote a blog post about this back in 2014. A couple of reports had come out from some now very respected security companies - one from FireEye, clearly focused on signature-based AV, although that's not made clear initially. So people assumed it's all antivirus. And also we can look at a really, really bad report from Imperva, which made some very basic errors and got a lot of criticism as well.

Simon Edwards  11:14  
In real world tests that we run, and that others have run as well, products are rarely 100% effective, but neither are they completely useless. So back in the day, Microsoft Security Essentials, which is now Windows Defender, it often appeared to be quite weak. And in our tests it always appeared at the bottom of the ratings. But it still stops more than 50% of threats. So it's not useless. It's quite good, actually.

Simon Edwards  11:43  
But the best products stop more than 90% of the threats. And some of those threats are really horrible ransomware, that kind of thing. Password stealers. So that doesn't sound like a product that can stop these things, in 90% of the cases, is dead or obsolete.

Simon Edwards  12:01  
So I think that kind of covers what we think about signatures. They are a useful approach to stopping threats, but you wouldn't want to rely on them 100% without anything else as well.

Simon Edwards  12:16  
And finally, AV can be tricky to work with. If you write software, you expect your program to work with Windows in a certain way. There are documented ways in which your creation is supposed to work with Windows. But sometimes malware writers choose to do weird things to avoid detection. And to counter this, AV companies then also do weird things. So you come along, and you've written some cool software for Windows, but it doesn't work for a bunch of your clients because they're running AV solutions that are having their own private Cold War with the malware writers on your system or on their system. And this annoys the developers. And it annoys the clients. And it annoys Microsoft because people generally blame Microsoft for everything related to Windows breaking. So when a grumpy developer says the antivirus is useless, bear in mind there might be a bit biased and focused on their own problems.

Simon Edwards  13:15  
So then let's look at what businesses need versus what consumers need. When making general statements about the effectiveness of antivirus, commentators usually focus on the needs and resources of really large businesses. I'm sure that one of those massive cyber security companies would do a great job with their response teams, should a massive client of theirs get hacked.

Simon Edwards  13:40  
But I doubt, they'll be sending those guys into your house or mine to help with a ransomware infection. They'll be focused on the big clients, not people spending 40 or 50 pounds or dollars a year on an antivirus subscription. Similarly, see how companies that focus on whitelisting handle antivirus and the media. It's always dead. But what about consumers? Can they handle whitelisting products?

Simon Edwards  14:04  
Whitelisting products, if you don't know, it's kind of the opposite of how antivirus works in a way. Rather than trying to recognize threats and stop them, what they do is they're told to allow known good things to run and block everything else. So, in a really simple world where life was easy, you might have - the Windows operating system is obviously allowed to run, and maybe Microsoft Word, maybe GarageBand if you're using a Mac, that kind of thing. And if your system is only allowed to run the things that you know are good, and blocks everything else, then the theory is that you should then be safe.

Simon Edwards  14:42  
But there are very few such products available for consumers. And the ones that have existed are hard and annoying to use. They might scale well for businesses, where a small team can handle the whitelisting for many 1000s of employees, setting up rules, that kind of thing. But as an individual, you're not going to want to handle these things for your extended family, even if it's a large one, it'd be a full time job. And every time something gets updated, you run into issues.

Simon Edwards  15:12  
And just think, have you ever tried even the most basic parental control software? It's very labor intensive to use in the real world, where real people, including small, demanding children, provide feedback that you just can't ignore. You know, your clients are your kids. And if they get upset with you, you can't just say, "Sorry, it's against policy" and move on.

Simon Edwards  15:35  
Also, they'll require instant reactions from you, too. You can't just put it off until the following week.

Simon Edwards  15:40  
So anyway, anti-malware based products are clearly one of the few options that are available for consumers. And as long as those products are not entirely signature-based, they should do a reasonable job of protecting people. They'll be better than nothing, at least, which doesn't sound like dead or obsolete.

Simon Edwards  15:58  
And then finally, the third point I wanted to make was about post-event protection. So currently, businesses seem to be facing far greater threats than consumers because they're being attacked relentlessly. And so malware is likely to infect a system on a business network. At some point it may then spread one way or another through that network, and into other systems or even other networks. And that's why products from companies like FireEye and Palo Alto and Cisco don't just try to prevent the initial infection. They have to be able to detect when an infection has occurred, and should alert technical staff that something needs to be investigated. At least a few will use signature-based antivirus as part of that process.

Simon Edwards  16:44  
In fact, I know that some do and have been doing for years, and why not? We have seen a file appear on Fred's PC. And we can take a signature of that and search other files on the network for other copies. I mean, that just makes sense. And it doesn't sound like dead or obsolete. But apart from just being useless, obsolete and dead, there are other issues that some people have with antivirus software.

Simon Edwards  17:14  
Not that long ago, maybe three, four years ago, a developer claimed that antivirus doesn't improve security. But he wasn't actually talking about whether or not antivirus can detect threats. According to (it was a former Mozilla developer) Robert Callahan, there is "negligible evidence" that anti-malware software produced by third parties provides any additional security.

Simon Edwards  17:39  
His arguments spread from his blog to Twitter, and then to IT news websites like IT Pro and The Register. Now, I've been testing anti-malware software with my team for many, many years. And we think we've got plenty of strong evidence that third-party anti-malware software provides improved security over that which comes with Windows by default.

Simon Edwards  18:02  
I mean, Windows' own antivirus has got a lot better in the last couple of years, but it isn't always the best. And, you know, if you look at our Enterprise and Small Business and Consumer reports, you can see which ones consistently come at the top of the charts. There is no doubt that updating your operating system makes it more secure. And in fact we ran tests that prove this often-quoted piece of advice is actually true. It's based on real reproducible data.

Simon Edwards  18:35  
But what we've also seen is that adding a decent antivirus package or endpoint security program, or whatever you want to call it, if you add that to a good patching schedule, you raise your protection levels even higher. And to say that all antivirus software is equally effective or ineffective is just plain wrong. And there are plenty of results from different testing labs that show this.

Simon Edwards  19:00  
You may not trust all those labs. And you may have problems with some or all of the ways that they test. But I strongly suggest that we can't all be wrong. Our position on the Microsoft anti-malware included with Windows is that it's far better than it used to be. But that some commercial third-party packages are consistently stronger. Or at least that was true, up until about the middle of 2018.

Simon Edwards  19:27  
So it does make us wonder, you know, why do people bash antivirus all the time. I mean, I don't make antivirus. I've don't have any particular skin in the game. I'm just sort of surprised that there's so much emotion from the negative side to this.

Simon Edwards  19:42  
And you know different individuals and companies, they have axes to grind when it comes to antivirus or anti-malware, whatever you want to call it. Sometimes, the new anti-malware vendors disparage the more established ones. They're saying that they're old technology and you need this new next generation product. But of course, that's marketing. And when we test these new products with, or without permission sometimes, very rarely do they massively outrank, anything that's been around for five or 10 or 15 years.

Simon Edwards  20:15  
The Windows developers, Microsoft, they don't like the perception, which is sometimes the truth, that anti-malware products slow down Windows. Because when a user has a bad Windows experience, for whatever reason, Microsoft feels the impact. So they don't like slow antivirus. It makes Windows look bad.

Simon Edwards  20:34  
Other developers hate that anti-malware products embed themselves into Windows in sometimes strange and unusual ways because that can potentially cause havoc with their own efforts, and make new powerful and security vulnerabilities. Anti-malware vendors argue that they need to be able to dig down and do strange things to prevent particularly nasty threats from digging in at the lowest security levels within the operating system. So they have to use strange techniques to try and get one ahead of the bad guys. But that can make things harder for everybody else.

Simon Edwards  21:09  
And then there are users who have never knowingly suffered a malware attack. And they often question whether they need antivirus or anti-malware at all. And there are some testers and researchers who make it their life's mission to discover technical problems with anti-malware, sometimes seemingly taking the position that actually anti-malware is bad for you, rather than you need it, it's a bit broken, and here's how to fix it.

Simon Edwards  21:35  
And I would definitely say that Tavis Ormandy, a researcher, seems to take a very kind of almost personal dislike to antivirus and says it's it's worse than having nothing at all. I've never seen a perfect anti-malware product in terms of the protection it offers, the performance impact that it makes and the additional attack surface that it exposes, because when you install any piece of software you are potentially adding another area for an attacker to go for. But then I haven't encountered a perfect operating system, or web browser or user either.

Simon Edwards  22:10  
So you know, we can throw away our anti-malware software when our operating systems are fully secure. And we, as users, stop clicking on links to malware, and criminals and other agencies stop attacking our computers en mass.

Simon Edwards  22:25  
Potentially all software has vulnerabilities. And that can include (or does include) security software like antivirus. So let's have a look at how security can actually make things worse.

Simon Edwards  22:39  
This is a true story. A local shop near to where I used to live, a very small shop, maybe have up to 15 customers at any one time inside. It used to have a security guard who stood by the door. And he monitored who entered the shop and who left and with what.

Simon Edwards  22:58  
So hopefully he could hinder armed robbers from entering the store and prevent shoplifters laden with stolen goods from leaving it. And this seems like a no-brainer. Even if he's not a very perceptive guard, and captures only a fraction of the threats to the business, surely he's better than nothing?

Simon Edwards  23:18  
Well, in this case, he wasn't better than nothing because he was stealing from the shop. He himself presented a threat to the business. Not only that, but he had greater access to the shop's goods than an ordinary customer. So even if the security guard was not intentionally malicious, he could be completely incompetent.

Simon Edwards  23:39  
Criminals who know this could target the store, assured that they'd be able to commit crimes without sanction. His very presence poses a threat, because the bad guys know that they can distract him easily while they shoplift.

Simon Edwards  23:51  
For example, let's apply this idea to security software. Maybe we have an antivirus program that monitors SSL connections, and detects a percentage of incoming threats that were downloaded from a secure HTTPS website. This seems sensible. I mean, at least it will catch some of the threats, if not all.

Simon Edwards  24:13  
But what if the way that software works is a bit broken? What if it exposes an extra jugular for an attacker to aim for? This is the incompetent security guard. Criminals who know about the business's vulnerability (the broken security measures, software or human) can target it. Now in the cases of Superfish, and Privdog, it seems that the way these products work provides an opportunity for bad guys to pretty much undermine the assurances provided by websites using SSL.

Simon Edwards  24:44  
Superfish was adware pre-installed on Lenovo computers back in 2015. It could intercept SSL connections for bad reasons. Whereas Privdog was an ad-blocker application from around the same time. But in that case, it was trying to block ads. But the way it did it was to get into the SSL connection. And that actually made things worse for users from a security point of view.

Simon Edwards  25:14  
So I think this covers most of what I wanted to say. And while it's true that every time you install a new application you are bringing in a new vulnerability, ultimately we're here to use our computers to get work done or to have fun. And if we lock things down to the point where antivirus is unnecessary, we're probably looking at a fairly non-functional computer.

Simon Edwards  25:37  
All of the security experts that I've asked over the years run some form of AV. No one believes that antivirus is a panacea. It's just daft to run without it.

Simon Edwards  25:51  
Please Subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. If you want to join the DE:CODED community, and access private content, including our monthly executive briefings, apply at DecodedCyber.com/circle.

Simon Edwards  26:12  
And that's it. Thank you for listening, and we hope to see you again soon.