In my last post which you can read here I used a tool called veil to bypass the antivirus on a test machine and create a backdoor from which I could remotely issue commands to that machine. Unfortunately, many people will add this incident into their lists of why antivirus doesn’t provide any value anymore, some will even argue that antivirus never added any value in the first place and that we should probably boycott the use of antivirus or at the very least distance ourselves from it. I am not one of those people.
The misconceptions: Where they come from
To uneducated users, Antivirus is marketed and sold as a silver bullet solution to any computer security issues, as sad as I am to say this is not true. Antivirus is only one piece of a security solution. Unfortunately nobody ever told the antivirus marketing departments because they keep publishing ads like the one below, which don’t help to erase this misconception that end users have developed about Antivirus:
One of the problems the Industry has which is evident in the video above is that due to the highly technical nature of how virus and antivirus solutions work, there is an over reliance on metaphors to convey “how it works” while most complex fields also have this problem they are not marketed anything like Antivirus is. What these metaphors do is create a perception that Antivirus is omnipotent at eliminating security threats, after some experience and research users find out that this is not the case and a select few start to condemn antivirus as vapourware.
How it is sold: Antivirus
Bruce Schneier has spoken about trust v fear based selling within the Information Security, He proposes that the information security business should aim to sell products and services based on trust rather than fear, while some companies do sell goods and services based on trust there is still an overwhelmingly high proportion of organisations which sell their products on fear.
I don’t want to pin the blame on organisations for using fear based selling. Recent current events make it impossible to sell products on a trust basis but these same recent current events make it very easy to sell to users based on fear. It’s likely that these same events will have a major measurable impact for years to come.
In any case I believe we should look at promoting and educating the public about the more integrated and interesting Information security picture. When I say this I am talking about the range of security tools and how they work some examples are (please note however, some of these are enterprise tools and there’s a good chance you won’t need them on your personal devices):
- Mail filters
- Parental controls
- Identity management systems
- Privileged identity management systems
- Container based
- Rootkit protection
- Secure coding
- Memory protection
- Hardware protection
- Application architecture
- Regular updates and bug fixes
- Good old fashion suspicion and common sense
Why we shouldn't boycott antivirus and why it still matters: Antivirus
Why shouldn't we boycott antivirus? Two simple reasons. Reason one, it actually helps us. While new malware is being created at an astounding rate antivirus firms are also working on signatures and behavioural based techniques to identify all of the new malware out there so that they can help incorporate that into their products, while the odds are stacked against them they are continually working on improving their products, for you their customer.
While this does sound a little reactive rather than proactive most antivirus products will detect hundreds of thousands of threats while there is an unknown yet considerably larger number of malware out there why would you not let antivirus take care of these for you.
A lot of the colleagues I have worked with prefer to use virtual machines to run suspicious programs and files, opposed to antivirus, while this is a good practice it’s also good to do this with antivirus because there is a range of sophisticated malware out there which can detect whether it’s being run on a virtual machine or a physical machine and respond accordingly. This malware is called blue pill malware aptly named after the sequence in the matrix where Morpheus offers Neo the blue pill (accepting the illusion) or the red pill (facing the hard truth).
Blue pill malware is just one example but ultimately what I would like readers to take away from this post is that antivirus is just one tool for fighting against cyber criminals, just like firewalls are another and just like sandboxing and containers are another, we should use all of these tools (or as many as possible) in unison to fend off cyber threats, as I mentioned earlier Antivirus is useful but it is being marketed as the tool for everything not just one tool in an extremely large set of tools. This marketing decision does take away from antivirus as its inflated potency is unable to live up to reality and this makes people understandably upset.
Reason two, we shouldn’t boycott antivirus or the industry because of how much the AV industry contributes to InfoSec in general. What I mean by the previous statement is look at how much the antivirus industry gives back to InfoSec, below is a breakdown of some of the many contributions the AV industry has either directly or directly made to InfoSec:
- First off small improvements are being reintegrated into the antivirus analysis process by researchers ever day (i.e. every enhancement these companies make to their internal processes and procedures helps you).
- The Industry hires a lot of talented and smart people to look at attempting to solve some of the bigger and more threatening issues in the industry. The ways much of this is done is through the research papers that published by researches working on them for Antivirus companies.
- In addition to research papers antivirus companies and threat researchers are as part of their work developing products and solutions to other security problems, many of these are passed to you, the customer where appropriate.
- Antivirus firms are often the only ones looking into assisting dissidents which have been infected by advanced or undetected malware which may have been created and sent to them by nation states. In today’s world this is not something that tech companies are going out of their way to do, in many cases they may be working against their own governments.
- Antivirus companies have lent resources and people to help break down cybercrime rings, Symantec has been extensively referenced in a number of academic papers and articles where a combination of law enforcement personnel and academics have infiltrated and taken down botnets. You can read one here from just two days ago
I rewrote this post a number of times because I felt important information was missing, while I still feel that to some degree here, I feel this version of the post best articulates why antivirus is still useful and can provide you with a measurable level of protection for your devices. I would like to stress that when I say this Antivirus is not a silver bullet for security issues but I think in the future as we get closer to a silver bullet the Antivirus products you use and the work done by AV companies will be a big part of that silver bullet.
As always please let me know if found this article useful or if you didn’t, leave a comment below to let me know another area you would be interested in reading posts about.