
It's time to toss out your antivirus software

Written by George Ou, Contributor

There's been plenty of debate lately that maybe, with the release of Windows Vista, we might be able to get away with not using antivirus on our computers. Well, I'm about to make an even bolder assertion: running antivirus, or even additional third party security software such as firewalls, on your computer makes you even less safe! Now before you start the flaming, hear me out first.

It's well understood in the security community that every additional piece of software on a computer system is another potential target for attack. That's why it comes as no surprise that another antivirus package is open to a massive attack that can affect 200 million Symantec antivirus users running Symantec Antivirus 10.x or Symantec Client Security 3.x. This is actually nothing new, and virtually every antivirus vendor has had their share of remote exploits. Even an extra security feature such as compressed file scanning opens the user up to additional vulnerabilities, and all the major AV solutions have had their share of malformed compressed file vulnerabilities. Just the mere act of decompressing a ZIP or ARJ file to see what's inside of it could set off a malicious payload.

Every third party firewall product, such as ZoneAlarm and Kerio, has exposed the very users it's supposed to protect to complete system level compromise. Ironically, the built-in Windows XP SP2 firewall, which always gets unfairly picked on, has never had any remote exploits. Sure, it doesn't provide any outbound packet filtering, but that is only relevant if my computer is already owned, in which case any firewall could be disabled anyway; at least it doesn't leave me wide open to a remote attacker. With the Windows Vista built-in firewall, outbound packet filtering is now supported, but the pundits are already jumping on it because it doesn't turn on outbound blocking for user actions by default and requires command line manipulation to access the outbound controls. What's left out is that the XP SP2 and Vista firewall can be centrally managed via Microsoft's Active Directory group policy, whereas the third party firewall vendors want you to buy an expensive enterprise management and policy deployment system. But with Microsoft's personal firewall and its superior security track record, and the fact that it doesn't cost anything extra, one has to wonder what the point of third party firewalls is.

I've owned personal computers for 15 years running some form of Windows or another, and I have never had any virus problems on my computer; this is consistent with every other expert user I've talked to. I personally can't stand the performance overhead and extra expense of third party security software, and I simply don't use them. On my family computer, which is used by plenty of less security-savvy users, I don't use any antivirus or anti-spyware software, and it never has any problems, though I never let anyone else run as an administrator. While running as a standard user isn't always practical under Windows XP, it most definitely is practical under Windows Vista.

Windows Vista not only runs users in restricted mode, but goes as far as running all its services in restricted mode, and has default outbound firewall policies in place to prevent services from making outbound connections that they have no business making in the first place. Internet Explorer 7 under Windows Vista runs in a severely restricted jail cell, and the same technique is available to all other ISVs such as Mozilla and Opera. Along with hardware-enforced DEP, which has proactively stopped the two most recent zero-day Internet Explorer 6 exploits in their tracks without the assistance of any antivirus software with updated definitions, or any software patch, Windows Vista is actually more secure than ever compared to an AV/AS loaded Windows XP computer.

Does this mean there is no place for antivirus scanning in the world? No. I've been on record as far back as four years ago saying that gateway level scanning was the way to go, and this is exactly what I mean when I say "it's time to toss out your antivirus". This means you scan for viruses transparently at the HTTP and FTP gateway and at the SMTP mail gateway BEFORE a file enters your internal network and your PC. As an added bonus, the scanning is only done once, and the cleaned file is cached at the gateway so that you're not scanning the file on the client side thousands of times if you have thousands of users. Since scanning for viruses is such a dangerous task, because the software is handling raw and potentially malicious payloads coming from the Internet, the task should only be handled in the DMZ and under a service or daemon operating in a jail cell. Handling raw Internet files at the client level under a system level service is simply more of a liability than a benefit. We should probably even stop antivirus scanning on the internal mail server and have all mail attachments forwarded to the DMZ gateway scanner to check the file in a jail cell before it's handed back to the internal mail server. Note that on TechRepublic, we'll start doing some articles on how to implement inexpensive gateway antivirus for the home.
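To make the "jail cell" idea concrete, here is an added example in Python (not code from the article, Symantec, or any AV vendor): the archive inspection that the malformed ZIP/ARJ passage warns about runs in a throwaway child process with resource caps, and it refuses entries whose declared sizes look like a decompression bomb before inflating anything. It assumes a Unix host (the `resource` module), and the limit values are assumed policy, not figures from the article.

```python
import io, resource, zipfile
from multiprocessing import Process, Queue
from queue import Empty

MAX_UNCOMPRESSED = 8 << 20  # assumed policy: refuse archives declaring more than 8 MiB inflated
MAX_RATIO = 100             # assumed policy: refuse entries compressed tighter than 100:1

def inspect_archive(data: bytes) -> dict:
    """List entries, checking declared sizes from the central directory before inflating."""
    entries, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise ValueError(f"{info.filename}: compression ratio exceeds {MAX_RATIO}:1")
            if (total := total + info.file_size) > MAX_UNCOMPRESSED:
                raise ValueError("declared uncompressed size exceeds policy")
            entries.append(info.filename)
    return {"entries": entries, "uncompressed": total}

def _jailed_worker(data: bytes, q: Queue) -> None:
    # Confine the scanner: cap address space and CPU time, and forbid writing files at all.
    for res, cap in ((resource.RLIMIT_AS, 512 << 20), (resource.RLIMIT_CPU, 5), (resource.RLIMIT_FSIZE, 0)):
        _, hard = resource.getrlimit(res)
        resource.setrlimit(res, (cap if hard == resource.RLIM_INFINITY else min(cap, hard), hard))
    try:
        q.put(("ok", inspect_archive(data)))
    except Exception as exc:  # a malformed archive fails closed; it never reaches the caller as a crash
        q.put(("error", str(exc)))

def scan_in_jail(data: bytes, timeout: float = 10.0) -> tuple:
    # The parent only ever sees a verdict; the raw payload is parsed in the disposable child.
    q = Queue()
    child = Process(target=_jailed_worker, args=(data, q))
    child.start()
    try:
        verdict = q.get(timeout=timeout)
    except Empty:
        verdict = ("error", "scanner hung or was killed by its resource limits")
    if child.is_alive():
        child.kill()
    child.join()
    return verdict

def build_sample(bomb: bool) -> bytes:
    """Constructed test input: a benign archive, optionally plus a 4 MiB run of zeros (about 1000:1)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello from the gateway\n")
        if bomb:
            zf.writestr("payload.bin", b"\0" * (4 << 20))
    return buf.getvalue()
```

Calling `scan_in_jail(build_sample(bomb=True))` returns an error verdict naming `payload.bin` without ever inflating it, and a child that blows past its memory or CPU cap dies alone instead of taking the gateway down with it.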

Running antivirus on a personal computer is like having the bomb squad inspect a suspicious package inside the house right next to you. No matter how careful or how good that bomb squad is, one of these days they'll make a mistake and explode in your house. As a matter of fact, the bad guys are deliberately rigging the bombs in a way that will blow up the house if someone tries to scan it, and this is exactly what's happening with malformed ARJ or ZIP packages. It's time we started thinking of antivirus activities the same way, and that it's too dangerous to be done on your personal computer or even inside the internal network. Check that bomb before it enters the house, and the end result is that we'd all be spending less money, we'd all have faster computers, and we'd all be a lot safer.
