Thursday, 29 March 2012

Why even experts need antivirus

[This article is written in response to Wired's recent article, Is Antivirus Software a Waste of Money? As is usually the case when a headline is posed as a question, the answer is "no".]

"I don't run anti-virus, actually," he said, "and I've never had a virus."

"Really?" I asked. "How do you know?"

"I think I'd know," he scoffed.

I had that conversation with the UK head of marketing for an anti-virus company that, while not one of the top brands, is certainly quite well known in Europe. We probably spoke around 2008.

Scroll back to the eighties and possibly even early nineties and he'd probably be at least half right. Viruses might hide for a while but they usually gave away their presence at some stage, possibly by deleting or encrypting files, sending a cheeky message or producing a graphic effect that was hard to ignore.

In the later parts of the nineties things started to change. Malware began to commercialise, and it made sense for these malicious programs to be more subtle. Dialers were one of the first such threats. They resided silently on victims' systems and made phone calls to premium numbers.

Once malware started to hide, the game changed. Without appropriate tools even an expert would not know that a system was infected. Even then, sensible behaviour, such as avoiding pirated software, license key generators and pornography websites was sufficient to avoid most problems.

Halfway through the noughties (around 2005-6) a new approach rendered the classic advice of "be careful" fairly useless.

Criminals started compromising legitimate websites, loading malware from otherwise innocent sites onto visitors' computers. In many cases users would have no idea that this was happening. Even a paranoid expert would have a tough time using the internet in a useful way without exposing their computer to such threats.

Rootkits are also now prevalent. It is hard to detect these threats even with specialised software, let alone some sort of tuned-in, Jedi-like human virus-detector sense.

In Wired's article Is Antivirus Software a Waste of Money? a startup CEO called Dan Guido was quoted as saying, "If it weren’t for [compliance] nobody in the security industry would run [anti-virus]."

I contacted Dan to see if he was happy with the angle of the article. He was, by and large, and claimed that,

"The issue with AV is that their virus detection capabilities only become effective after tens of thousands of people have been compromised with the same virus and days or weeks after that virus was first observed."

Having seen how some anti-malware tackles new attacks, sometimes involving zero day exploits, I don't agree with his blanket statement. He went on to make other very general assumptions about how anti-virus software works. One notable point of view was,

"At the time of infection, every major attack group has procedures that allow it to avoid all the known checks that AV runs through."

In other words, criminals check their malicious software before releasing it, checking to see if anti-virus will catch it. This is certainly true.

Underground versions of VirusTotal-style services exist but I find it hard to believe even the most advanced attacker is capable of running a full end-to-end test to ensure success without alerting the anti-virus vendors.

For example, they must either allow or block cloud service queries. Block these queries and the test is not complete. Allow them and information is fed back about the new threat to the vendor.

I polled a few security professionals, in an admittedly unscientific study, and found that they all used anti-virus. No one believes that anti-virus is a panacea. It's just daft to run without it.

Despite this, Lance Spitzner sent me a Twitter message, guessing that maybe experts don't use anti-virus "because most security professionals use a Mac :)" Having been to very many security conferences, I have to admit that he has a point.