Is antivirus software about to become history?
Many users still consider antivirus software to be a necessity for Windows users. Malware and viruses are very common and pro-actively protecting yourselves from these nasty bunches of bits seems to make perfect sense. In 2016, malware is just as common and every bit as nasty as it once was, so why are some folks turning their back on traditional antivirus solutions? There are a number of reasons, but let’s start with a story that’s been widely discussed between IT professionals this month.
If you follow our Twitter or Facebook feeds you may have heard about the embarrassing security holes that were discovered in the popular Trend Micro antivirus suite by security researcher Tavis Ormandy. Up until recently, when the bug was fixed, any user running Trend Micro’s Windows antivirus suite could have their passwords stolen, their PC infected with malware or even wiped entirely clean, just by visiting a website that contained a specific, specially programmed payload.
Pause for a moment to take that in. By installing Trend Micro’s antivirus suite, users actually made their computers significantly more vulnerable to certain malware and hacking attacks. Indeed, software designed to protect a users computer did, in many ways, actually make it more prone to attack. Since continuing his research in this field, Ormandy has found serious vulnerabilities in Comodo, Avast and several other popular antivirus engines according to his Twitter feed.
This Issue is nothing new and perhaps not surprising, back in our August 2014 newsletter we reported on a security researcher who had found vulnerabilities in dozens of antivirus products. The paper he published was quite complex, but in the following paragraphs we’ll try and sum up his findings in the most non-geek-speak way we can.
By installing software on your computer, you increase the “attack surface”, that is, the number of places there could potentially be a bug (a software programming mistake) that can be exploited by malicious users or software. If you install software that runs at the highest privilege level, that is, software that’s allowed to interact with your system and operating system files, then that “attack surface” covers the most vital parts of your Windows operating system. Almost all antivirus runs with the highest level of administrator privilege (even if you only run your Windows account as a standard user). When you install an antivirus suite, you’re trusting that the vendor hasn’t made any serious programming mistakes that actually make your PC less secure. Given how complex and monolithic antivirus packages have become, that’s quite a leap of faith.
Should we really all be abandoning antivirus software? Well let’s consider the flip-side to the argument for a moment. The attacks on the Trend Micro antivirus (or any other antivirus) would have to be specially designed to target that antivirus. Realistically, you would probably be more likely to encounter malware that had been designed to target some specific Windows components or perhaps your web browser (be that Internet Explorer, Microsoft Edge, Google Chrome or Mozilla Firefox). After all, not everyone uses the same antivirus software, but the vast majority of people using desktop or laptop computers still run Windows. Even given this fact, traditional antivirus, which depends on a signature file (basically a large database of malware that is used to check against) is struggling to protect users. In this modern, highly connected world, virus and malware writers often change a tiny portion of their code to evade detection, effectively creating a game of cat and mouse with the antivirus vendor. Because of this, most modern antivirus software includes something called “heuristic” scanning, which means they can check files and programs for suspicious components that may turn out to be malware. Unfortunately, this has caused a great number of “false positives”, where perfectly harmless and often useful software is flagged as malicious accidentally.
So are we damned if we do and damned if we don’t install antivirus software? Well, hopefully not. The fight against malware will continue for decades to come, while it might seem like the bad guys are always winning, in actual fact, amongst the PCs we look after here, both in the office and for friends and family, the number of incidents of malware infection amongst our users is dramatically down since the Windows XP era. Modern versions of Windows are much better protected than in the past and more modern web browsers include more advanced software techniques to protect their users.
Before you even consider installing antivirus, here are some pointers that you can use on any system to improve your security:-
Always keep your software up to date. Keeping Windows up to date is the most important thing, of course, any bugs or vulnerabilities that have been discovered are swiftly patched by Microsoft. Occasionally you will encounter individuals who warn you against installing Windows updates because they can break your computer. While this can happen, it’s thankfully rare and a lot rarer than malware that takes advantage of systems that haven’t been patched. Windows updating is automatic for the most part, but you can learn how to manually check for updates here.
It’s a good idea to keep other software on your PC up to date too. After Windows itself, the most commonly targeted program is your web browser. Again, web browsers usually update automatically, but you can always manually check for updates too. For Internet Explorer and Microsoft Edge, updates are performed through Windows update. For Google Chrome, you can manually check for updates by clicking the menu button (the three horizontal lines in the top right hand corner) and then choosing “help->About Google Chrome”. In Firefox, you click the same button and then click the ‘?’ icon and then choose “About Firefox”. Be sure to regularly check for updates in any office/productivity software (such as OpenOffice/LibreOffice or Adobe Reader) regularly too.
Run as a standard user – Do NOT disable UAC – Ever since Windows Vista came out, there’s been a certain number of self-declared Windows ‘experts’ who claim UAC is a “useless feature” or “only for protecting novice users” or similar such claims. We’re not going to mince words here, these self declared experts are wrong, very wrong. UAC might not be the be all and end all of Windows security, but disabling it is very foolish. Without UAC enabled, every program you run on your PC has full access to everything else on your system. Think on that for a moment, if you ran a business, would you give the janitor the keys to your office safe?, hopefully not.
To make the most of UAC, configure yourself a separate, day-to-day account and keep an administrator account for the odd occasions you need to change some system settings on your PC. You can learn how to set up separate user accounts here. You can read more about how effective this tip is in our final story this month.
Be sensible – Don’t follow links in spam e-mails, Facebook/Twitter posts, or even e-mails sent from your friends that look suspicious. Some exploits only require you to visit a web page, though most will require some user intervention. Don’t trust a web site that, out of the blue, claims you need to “Click to download and update your media player” or other similar deceiving messages, as this is often how criminals trick you into installing software.
So what antivirus do we use here at TWT HQ, or don’t we use any at all? Well, I can reveal that we now use Microsoft Security essentials on all our machines. While this free, standard Windows antivirus has received a critical mauling in the past, that was typically from reviewers who simply compared it with other products based on how many viruses it managed to catch from a sample. As we’ve seen above, this isn’t the only benchmark for an antivirus package. Given that Microsoft have made huge strides to improve security and that nobody knows Windows internals better than Microsoft itself, we can feel more confident that any vulnerabilities in Security Essentials will be found and patched quickly, while the software still provides a layer of protection from the more commonly encountered malware on the internet.
What is the future of virus prevention?
If the traditional antivirus is dying off, what programs or techniques will replace it? There’s several techniques and technologies already in use today.
Sandboxing – Remember when you were a child, you probably played in a sandbox (more commonly called a sand pit here in the UK). In your own little domain, you were free to build and destroy without affecting anyone else and, as long as you never got sand in your eyes, without any risk either.
In computing, the term sandboxing derives from these halcyon childhood days. An app that is “Sandboxed” is isolated from every other app in the OS. If an error occurs in your sandboxed app, there’s no way for it to affect anything else on the computer because of the sandboxing process. That’s the theory anyway, in practice of course nothing is perfect. The Windows 8/10 App store and the “Trusted Windows Store app” are sandboxed (to a degree anyway), meaning that you can install and use Trusted Windows Store apps relatively safely.
The disadvantage to this approach is that sandboxed apps are limited in what they can do. For instance, in our Windows 10 Superguide we talk about a program called “Metro Commander”, that’s designed as a touch screen friendly replacement for File Explorer. Because Metro Commander is a trusted Windows Store app, it’s not permitted to launch other programs, so if you’re browsing your computer using Metro Commander and you wanted to launch a program you had browsed to, well, tough luck unfortunately.
White-listing – Rather than assume every application is trustworthy, other than those on your antivirus black list, why not go the other way around and only allow programs that have specifically been cleared to run? This approach is slowly gaining some traction in business environments, but may be slower to catch on for home users who typically enjoy the flexibility of trying out lots of new apps.
Anti exploit – Anti-exploit techniques aim to limit or prevent an attacker from taking advantage of a bug or software error in an existing app. Windows has a number of these technologies built in already and others are being developed all the time. Microsoft’s own “Enhanced Mitigation Experience Toolkit“, for instance, is one way to add another layer of security to applications on your PC and a technology that is likely to be made more consumer friendly and even built into Windows in the future.
While we’re not quite ready to give up on antivirus software just yet, the way the IT industry evaluates antivirus software clearly needs to change. It’s no good to simply mark packages against how many malware samples they detect any more. Antivirus vendors need to step up their game with regards to testing and security auditing. As a user, we apologise if this article has left you feeling bamboozled with jargon, but we hope we’ve laid out the facts clearly enough so that you can make up your own mind on which security software you install on your PC. |