The sorry state of security software

Summary: Over the years, I’ve made no secret of my distrust of the Windows security software industry. With the security tools in Windows XP Service Pack 2 and Windows Vista, an alert Windows user is protected from the overwhelming majority of security threats and has to actively participate in any plot to infect his or her PC. That’s bad news for the ringleaders of the security software racket, who want to keep you afraid so you’ll buy more stuff from them. The latest examples include security software that makes your system unusable, and one that detects Apple's QuickTime as a "high-risk parasite."

Over the years, I’ve made no secret of my distrust of the Windows security software industry. With the security tools in Windows XP Service Pack 2 and Windows Vista, an alert Windows user is protected from the overwhelming majority of security threats and has to actually participate in any plot to infect his or her PC. That’s bad news for the ringleaders of the security software racket, who want to keep you afraid so you’ll buy more stuff from them.

In 2005, I wrote this:

On a healthy computer with multiple layers of security, most threats should be blocked or neutralized before the user ever sees them. Getting lots of warnings is a sign that one of those layers isn’t working as well as it should. But that’s exactly the opposite of what motivates developers of security software today.

Three recent experiences convince me it’s even more true today.

Problem #1: Too much security software. Three weeks ago, when I was in Arizona, I stopped by a friend’s house in response to a desperate plea to check her computer’s performance: “It’s so freaking slow, it takes more than a lifetime to do anything, even open an e-mail. I’m beyond frustrated with this thing.”

It took me about 20 seconds to confirm that she had a problem. Opening a browser of any kind took minutes. It took another 20 minutes to find and fix the problem. Her resident computer expert, no doubt trying to be helpful, had loaded this computer with no fewer than six security programs – three antispyware programs, two system cleaners, and an all-in-one security suite. The culprit in this case was Webroot Software’s Window Washer. I removed it and four other redundant programs, leaving behind only Norton Internet Security. After a reboot, the machine was back to its snappy self.

The moral: Adding more security software does not make your system more secure, but it sure can make it less stable.

Problem #2: Overaggressive security software. Microsoft developer Aaron Stebner reported this one. If you’re running Tenebril SpyCatcher, it can interfere with your ability to install the .NET Framework components used by dozens of different applications. As Aaron notes:

[I]n the cases I've seen so far, closing or disabling Tenebril SpyCatcher is not enough to resolve this issue. The customers I have talked to have had to fully uninstall Tenebril SpyCatcher in order to get the .NET Framework to install successfully.

Even worse was this report from a few months ago that a routine scan by Spybot Search And Destroy could wipe out crucial system files on a Tablet PC.

Problem #3: False positives. Is Apple’s QuickTime some sort of high-risk parasite? The good folks at Trend Micro think so. Yesterday, I installed Trend Micro’s PC-Cillin Internet Security 2007 here. It’s an excellent antivirus program and firewall, but as I’ve documented in the past, its antispyware capabilities leave something to be desired.

Sure enough, after I gave in to its nagging to perform a full scan, it reported back to me that my system was infested with “118 dangers.” Good heavens!

[Screenshot: Trend Micro scan results]

A closer look revealed that maybe things weren’t so bad after all. At least four of those “dangers” were multiple sightings of Apple’s QuickTime tray icon, Qttask.exe. Following the link for more info took me to a page that simply described the qualities of a generic “remote access program” (i.e., a Trojan horse) with no indication of why this one had been flagged.

[Screenshot: Trend Micro flags QuickTime as parasite]

The scan also turned up a handful of password-cracking utilities I keep on hand for testing, and for some reason it flagged the Keyfinder utility, which you can use to retrieve your Windows and Office product keys from the registry. The developer of the Keyfinder utility is none too happy about this:

Another thing I'd like to address is all of the emails I've been receiving saying the Keyfinder is infected with a virus. No... it's not. Your virus scanner, essentially, is being overprotective. It's trying to do more than scan for viruses. With today's wonderful world of spyware, it seems that a lot of scanners out there are identifying software that "can be used by a malicious user for malevolent purposes." (That is a direct quote from the Trendmicro write-up for the Keyfinder.)

In this case, too, the More Info links didn’t provide any useful information to help me make a better, more informed trust decision.

The remainder of the threats were simply cookies. Security software companies love to pick on cookies from advertising companies, because it allows them to appear to be aggressively fighting dangerous things that they can clean up for you. The more they find, the more valuable they appear to be.

I wrote about this two years ago in a discussion of a post by Joe Wilcox, who was feeling relieved because Norton Antivirus had apparently saved him from a nasty Trojan horse program.

And it illustrates everything that is wrong with the commercial security software business. Joe feels good because the software told him it had protected him, even though the likelihood that this was an actual attack is microscopic. The lesson that Joe is unwittingly sending to the vendors in question is, “Give me more false positives, because the more times you tell me you’ve protected me from something, the more I’ll feel like I’ve gotten my money’s worth from your software.” If he had a better security program, it would have realized that this outgoing connection was just fine and would not have given him any warning at all.

If your burglar alarm goes off 12 times a day, does it make you feel more secure? The best security system is one that does its job silently and effectively.

Talkback

30 comments
  • Seems like the nightmare continues...

    I really wonder why people tolerate this crap. Really, is this the land of masochists? Sure seems that way from these reports and what I have seen over the years.

    Oh well, on a positive note, looks like Vista is getting a pretty good bill of health so far. That's nice to hear finally. But how long and what of the other issues we hear about... does that make it all right? ]:)
    Linux User 147560
    • Vista

      Vista won't change much of anything, because the same people that will say "yes" to anything on XP will be using it.
      toadlife
  • And it's not getting better...

    When you have a support issue, all you can do is cross your fingers and hope your vendor/supplier gets back to you. Symantec takes a looooooong time, and McAfee doesn't. (I got a reply that they would get back to me in 2 business days. It is 5 and counting...)
    sordito
  • You nailed it Ed

    You nailed the issue here:

    "The best security system is one that does its job silently and effectively."

    You're right, but how many people (I'm talking about average users here) who haven't heard a peep from their AV or firewall app are going to bother updating the software once the year's subscription is out? What I've seen over the past seven or eight years is a huge increase in the amount of useless feedback that security software bombards the user with. The big name brands literally scream at users daily "Look at me, I'm working hard to protect you - don't let your subscription elapse because you'll be in big trouble".

    Personally I now run Sophos AntiVirus which is a commercial product (but they give away freebies to journalists :-) and that just sits quietly on the system and only talks to me when it has something important to say. Soon, I'm offloading all AV work onto an appliance I have lined up.
    Adrian Kingsley-Hughes
  • Anatomy of a Windows hack

    A really good article covering the discovery and analysis of a Windows exploit.

    http://www.secureworks.com/research/threats/gozi/

    One that went undetected by anti-virus systems for a long time. Even able to spoof SSL/SSH connections. Sophisticated programming, organized and coordinated support. This was an up to date machine running XP Pro SP2.

    Is anyone surprised Macs are turning up in my small business customer offices? And those of us in the know are avoiding Windows in particular and MSFT products in general?

    Vista will be the most secure OS MSFT has ever fielded...for about three months. Then something like this will surface. Something sophisticated and stealthy. And I'm sure MSFT will patch it, after it infects 100K or so users. A drop in the bucket for Windows. What are your odds of being one of the lucky winners? Not very high but when you play that lottery by using Windows on the internet every day, sooner or later your number is up.
    Chad_z
  • Bullseye

    This article, along with your earlier 2005 article, matches my past and happily forgotten experience perfectly. This is why I won't put any security software on my computer unless Microsoft itself makes it.
    kesgardner
    • In that case....

      ... you're at an even bigger risk. Tests have shown that Microsoft's security software performs significantly more poorly than the other ones available. IIRC in a test of 17 products it came bottom.
      bportlock
  • Yes & No....

    Ed,

    Some thoughts....

    Problem #1: Why was Webroot's Window Washer the problem? Why wasn't it the awful Norton product or the other 4? I like Webroot's products because they are less intrusive, while I detest Symantec and McAfee because they both want to install dozens of processes that kill system speed and are not needed. Also, Webroot tends to get better ratings from most tests results I've seen here on ZDNet & other PC magazines, including my own experience with the products. I agree with your moral, just not the programs.

    Problem #2: While Spybot did have an adverse effect, it's not like it couldn't have been set to not automatically fix problems. I've never let any product "automatically" fix a problem. That's just asking for more problems. Anyone installing a program should understand it before they actually try to use it.

    Problem #3: I agree with the false positives, but you have to agree that the QuickTime tray icon is a pain. I consider it "Pain in the rump ware" myself because the install doesn't give you the option of not having it install itself. You have to do it manually afterwards. A lot of programs are like this and create a lot of problems for us IT folks that are supporting many systems. Some of the biggest offenders are Adobe Flash, Real Player and Apple QuickTime.

    Thanks....Ray
    k12IT
    • Answers

      Ray, here are answers:

      1. Windows Washer was the one using all the CPU resources. It probably would have been fine by itself, but it wasn't by itself, and it didn't play well with others.

      2. If the criteria for installing a program included understanding what it does and how it works, the world would be a better place and the amount of software installed would drop by a ton! I would reckon that 90+% of the people who install antispyware software have no idea how it works. The burden is on the software maker to prevent their software from doing harm.

      3. QuickTime is PITAWare, I agree. The problem is that it was identified as a "high-risk parasite" that functions as a Trojan horse. That's ludicrous.
      Ed Bott
  • Too Many AntiSpyware Apps?

    Great article but my question is did the person have three AntiSpyware Apps installed or running in real-time? The reason I ask is it makes a big difference since apps like Ad-aware SE (free edition) Spyware Search & Destroy, CWShredder and Spyware Blaster do not run in real time. I usually install the first three to run scans and the latter provides non resource intensive malicious site blocking through the built-in zone security settings in IE. Finally I install Windows Defender which is a real-time Anti-Spyware app and the only one running that could possibly affect performance. I think it is important you make this distinction since the way you stated it can be misinterpreted if people have multiple non-realtime AntiSpyware apps installed and this leads them to believe it may be a problem.
    Master Tech
  • you did What?

    Leaving Norton on this person's machine did them no favors. Norton used to be good but there are free programs out there that work better than the expensive ones. I work with companies and their IT people and have heard horror stories about NAV. Microsoft security products are worse than useless. I just had to remove 3 viruses and 6 illicit registry entries from a laptop that had Norton Corporate edition with all the updates and Windows Defender that claimed that the computer was acting normally but the CPU was using 100% trying to call out. Adaware SE found the registry entries and Avast found the viruses.
    yagijd
    • What should Ed have done then?

      [i]"Leaving Norton on this person's machine did them no favors"[/i]

      Used Microsoft's One Care perhaps, the unpatched version of which deletes your mail folders? All this stuff is bad.

      I'm of the opinion that anti-virus stuff just perpetuates viruses.

      <RantMode>
      IMNSHO,

      1) mail programs should never execute scripts
      2) mail should never load remote images automatically
      3) antivirus stuff should be banned.

      After a few hefty repair bills, even the terminally stupid will start to learn to not click on anything. By having the system "protect" them they can carry on indulging in their stupid behaviour at little cost except to the rest of us who have to deal with the results of their bot-infected PCs
      </RantMode>
      bportlock
    • My client's judgment

      I don't substitute my judgment for my clients'. I confirmed that Norton was working well for them. They paid for a full year's subscription. I told them I don't personally recommend Norton products and offered to help them find another solution. They were happy to stick with Norton.

      In a case like that, I respect my client's decision, especially when I have confirmed, with hands-on testing, that the system in question is operating properly.
      Ed Bott
      • I would like to know the process you followed for this...

        I have confirmed, with hands-on testing, that the system in question is operating properly.
        mrlinux
        • What part wasn't clear?

          I observed one process taking up nearly 100% of CPU usage. After killing that process, I removed the program that spawned it. Problem went away.
          Ed Bott
      • Ed, what do YOU recommend here?

        Ed, I know I have asked you this question before about XP, but what about Vista? Or do you even run antivirus software at all, on the theory that you are in that 1% group that feels confident enough not to run it?
        kesgardner
        • No recommendation

          I don't recommend Norton; I just removed it from a test system here because its behavior was just too annoying. I actually like Windows Live OneCare and think its flaws have been overrated by a couple of sensationalist stories recently. For the most part, I run Trend Micro 14 and Trend Micro 2007 on systems here when I feel like installing AV software; it takes a little tweaking to make its behaviour not so obnoxious. But in my test environment there's very little threat and very little reason to use AV software day in and day out. My personal choice.
          Ed Bott
          • No recommendation

            Thanks. I have been using Windows Live Care without a hitch despite seeing some of those sensationalist stories myself. [Note: I do wish I could turn off the "performance tuning" feature, but I digress.] And yes, "obnoxious" is the perfect word to describe many of these third party solutions (especially Norton). :) I like Windows Live Care because Microsoft, more than anyone else, wants it to work seamlessly and well with the Vista or XP OS. The two key words here are "seamlessly" and "well."
            kesgardner
          • You're right, that's no recommendation :-)

            I know you said you weren't giving a recommendation but I'm a bit shocked by your personal choices. I had been using Trend Micro 2005 and was keen to move to something else once my contract ran out since they temporarily broke my PC (and thousands of others) with a bad file push a bit over a year ago (an AV company that actually distributes a virus, not good). So, I did some research a few weeks ago when a ZDNet article put me on to this excellent site:

            http://www.av-comparatives.org/

            Note that Trend Micro doesn't even make the cut. Also, MS OneCare fared so poorly that they won't be evaluated next time around. Not good. The one constant I found on this site and others, Kaspersky. I bought their Internet Security 6.0 (from CompUSA w/ rebate) and have been very happy. Like you said, it's a personal choice, but the research doesn't support yours.
            msmitchel
          • What exactly got tested?

            Like Ed, I am (increasingly highly) skeptical of security software generally, including these "tests" of various AV software. Typically, they test by seeing how well various programs handle and catch various "security threats," both real and imagined. They never seem to test for what I regard as the most important feature: how well the AV integrates into or works with the OS for overall performance, security, and stability. These tests further assume that the user is a total security dumbass and that the malware will somehow bypass the normal security features of Vista and XP SP2.

            I use a different test. I have used Microsoft OneCare with XP and Vista without any hitch whatsoever. It operates seamlessly and without any transparent adverse effect on overall performance and stability. It helps that I use the default security settings for both operating systems, don't open attachments from strangers, don't automatically install ActiveX controls, use a firewall, and so on.

            Other AV programs, to varying degrees, do not perform as well and are decidedly not seamless. Some are downright obnoxious about warning you about so-called "security threats" from items as harmless as cookies. By contrast, Microsoft is the one vendor who has a genuine motive for making sure that the security software actually works seamlessly and well with the operating system.
            kesgardner