It's time to toss out your antivirus software
Summary: Running antivirus on a personal computer is like having the bomb squad inspect a suspicious package inside the house right next to you. No matter how careful or how good that bomb squad is, one of these days they'll make a mistake and explode in your house. As a matter of fact, the bad guys are deliberately rigging the bombs in a way that will blow up the house if someone tries to scan it and this is exactly what's happening with malformed ARJ or ZIP packages.
There's been plenty of debate lately that maybe, with the release of Windows Vista, we might be able to get away with not using antivirus on our computers. Well, I'm about to make an even bolder assertion: running antivirus, or even additional third-party security software such as firewalls, on your computer makes you even less safe! Now, before you start the flaming, hear me out first.
It's well understood in the security community that every additional piece of software on a computer system is another potential target for attack. That's why it comes as no surprise that another antivirus package is open to a massive attack, one that can affect 200 million Symantec antivirus users running Symantec Antivirus 10.x or Symantec Client Security 3.x. This is actually nothing new, and virtually every antivirus vendor has had its share of remote exploits. Even an extra security feature such as compressed-file scanning opens the user up to additional vulnerabilities, and all the major AV solutions have had their share of malformed compressed-file vulnerabilities. The mere act of decompressing a ZIP or ARJ file to see what's inside it could set off a malicious payload.
Every third-party firewall product, such as ZoneAlarm and Kerio, has exposed the very users it's supposed to protect to complete system-level compromise. Ironically, the built-in Windows XP SP2 firewall, which always gets unfairly picked on, has never had any remote exploits. Sure, it doesn't provide any outbound packet filtering, but that is only relevant if my computer is already owned, in which case any firewall could be disabled anyway; at least it doesn't leave me wide open to a remote attacker. With the Windows Vista built-in firewall, outbound packet filtering is now supported, but the pundits are already jumping on it because it doesn't turn on outbound blocking for user actions by default and requires command-line manipulation to access the outbound controls. What's left out is that the XP SP2 and Vista firewalls can be centrally managed via Microsoft's Active Directory group policy, whereas the third-party firewall vendors want you to buy an expensive enterprise management and policy deployment system. Given Microsoft's personal firewall, its superior security track record, and the fact that it doesn't cost anything extra, one has to wonder what the point of third-party firewalls is.
I've owned personal computers for 15 years running some form of Windows or another, and I have never had any virus problems on my computer; this is consistent with every other expert user I've talked to. I personally can't stand the performance overhead and extra expense of third-party security software, and I simply don't use it. On my family computer, which is used by plenty of less security-savvy users, I don't run any antivirus or anti-spyware software, and it never has any problems, though I never let anyone else run as an administrator. While running as a standard user isn't always practical under Windows XP, it most definitely is practical under Windows Vista.
Windows Vista not only runs users in restricted mode, but goes as far as running all its services in restricted mode, and it has default outbound firewall policies in place to prevent services from making outbound connections that they have no business making in the first place. Internet Explorer 7 under Windows Vista runs inside a severely restricted jail cell, and the same technique is available to all other ISVs such as Mozilla and Opera. Along with hardware-enforced DEP, which proactively stopped the two most recent zero-day Internet Explorer 6 exploits in their tracks without the assistance of any antivirus software with updated definitions or any software patch, Windows Vista is actually more secure than ever compared to an AV/AS-loaded Windows XP computer.
Does this mean there is no place for antivirus scanning in the world? No. I've been on record as far back as four years ago saying that gateway-level scanning was the way to go, and this is exactly what I mean when I say "it's time to toss out your antivirus". This means you scan for viruses transparently at the HTTP and FTP gateway and at the SMTP mail gateway BEFORE anything enters your internal network and your PC. As an added bonus, the scanning is only done once and the cleaned file is cached at the gateway, so you're not scanning the same file on the client side thousands of times if you have thousands of users. Since scanning for viruses is such a dangerous task, because the software is handling raw and potentially malicious payloads coming from the Internet, the task should only be handled in the DMZ, under a service or daemon operating in a jail cell. Handling raw Internet files at the client level under a system-level service is simply more of a liability than a benefit. We should probably even stop antivirus scanning on the internal mail server and have all mail attachments forwarded to the DMZ gateway scanner, which checks the file in a jail cell before handing it back to the internal mail server. Note that on TechRepublic, we'll start doing some articles on how to implement inexpensive gateway antivirus for the home.
Running antivirus on a personal computer is like having the bomb squad inspect a suspicious package inside the house right next to you. No matter how careful or how good that bomb squad is, one of these days they'll make a mistake and explode in your house. As a matter of fact, the bad guys are deliberately rigging the bombs in a way that will blow up the house if someone tries to scan it and this is exactly what's happening with malformed ARJ or ZIP packages. It's time we started thinking of antivirus activities the same way and that it's too dangerous to be done on your personal computer or even inside the internal network. Check that bomb before it enters the house and the end result is that we'd all be spending less money, we'd all have faster computers, and we'd all be a lot safer.
Talkback
George, your glasses are a little fogged
You PC "power users" are hilarious. "Millions of other users might have been hit by Code Red, Nimda, MSblast (etc), but not me, *I'VE* never had a virus. I've never suffered data loss due to remote exploit on my PC. Therefore there is no Windows problem".
Ha!
On that basis, all that stuff about malaria being the biggest killer of humans since the dawn of time? Well, I'VE never had malaria, and no-one I know has ever had it either, so it can't be true, can it? And as for all those alleged AIDS deaths, I'VE never had AIDS, and no-one I know has had AIDS, so it must be untrue, mustn't it?
And it's strange, but while I truly have NEVER had a virus (on my Linux machine), I have spent hundreds of hours, free hours, over the last four years helping out those of my friends and family who do have Windows PCs at home, to disinfect, clean up, re-install their trashed machines. Again and again. These are not stupid people. They are people whose money Microsoft has pocketed in exchange for a second rate system for which Microsoft themselves refuse to be accountable.
For the MS party faithful to say that "I've never had a Windows virus so everyone else must be stupid" is to shoot themselves in the foot. The Windows users who trot that stuff out are the tech-savvy, a teeny, tiny minority of the user-base. Are you REALLY saying that unless all users are as "clever" as you are, they are doomed to suffer the Windows drop-off consequences? That kind of demeans your perceived cleverness rather a lot. You're not expected to know as much as your doctor, or your electrician, or your mechanic, so why are they all expected to know as much as you about PC hardware and software?
Windows is inherently insecure because its design is inherently prone to viruses and worms. Windows is a single user, non-networked OS into which proprietary, commercial applications were welded in order to preclude third party competition. Complicated, of course, by the fact that 100's of Mb of patches are applied to this tottering system every few weeks. Can you imagine any other software product whose deficiencies were so much a part of it that the end user routinely downloaded its own weight in code (as a patch) every few weeks? In a never ending circus? And always AFTER the critical exploits had already impacted some of those users? It would be funny if it wasn't so sad.
Face facts George- when Microsoft elected to compromise the OS by embedding proprietary applications into it, they were in effect cementing a row of ever open doors into their low-level OS functionality. All that can be done now, is to retrospectively nail wood over the cracks.
EXTREMELY well said! George? Snappy come back? (NT)
Yes, it was extremely well said!
What factual errors?
Windows Firewall is a glue-on. It came about in SP2, remember? Their new foray into AV is a glue-on too. Why should I believe that their code is any less prone to vulnerabilities than other vendors such as Zone Labs and Norton? Both of these vendors have been doing it a lot longer than MS, albeit hampered by not having direct access to the OS code base.
I did not even hear any "zealotry" in his post or anything at all about other OSes such as Linux. Further, I use Windows as my primary and only OS for my daily work, so I don't have any Linux agenda either. Your post on the other hand, makes you sound like a pompous @ss.
Okay, I'll be specific
And I use Linux at home more than I use Windows so I don't have a Windows agenda.
I'll start with you:
[i]I find that the amount of code and patches needed to bring a restored Win XP Pro SP2 computer, that has been returned to factory state, to take several hours to download and apply.[/i]
Yikes, are you on a modem? First, I don't find it takes hours so I can't really say that has bothered me. Regardless, I find that it takes longer to update my 3 Linux boxes than I do my Windows boxes so I don't view the time it takes to update a fresh install as a Windows only issue.
[i]Windows Firewall is a glue-on. It came about in SP2, remember?[/i]
This is factually incorrect. The initial release of XP came with a firewall. SP2 simply turned that firewall on by default. And what do you mean by "glue-on"? If you mean "not a part of the OS" then I would say this is a good thing! If you meant something else, could you explain what you meant?
Now, you asked me to be specific about errors in whisperycat's post.
[i]15 years and 100,000 new Windows viruses later, that overhead is still a necessity for the majority of Windows user with a PC at home.[/i]
It sounds scary to say [b]100,000 viruses[/b]! Actually, I usually hear the term 140,000 viruses which is [b]40%[/b] scarier! Oh no, there are 140,000 pieces of code out there that can hurt my machine!! Well, I have a firewall so actually, only 80,000 pieces of code can hurt my machine. Oh, I use Firefox so actually, only 50,000 pieces of code can hurt my machine. Oh, I don't run executable attachments that promise to show me naked pictures of famous people so actually, only 10 pieces of code can hurt my machine. I can live with that. The truth is that out of the 140,000 pieces of malware, there are only a handful that aren't a very simple variation of another piece of malware. There are only a handful of unique pieces of malware and out of that handful, they can all be defended against through extremely simple means. To bring up the malaria example again, it sounds scary to think that [b]MILLIONS[/b] of people catch malaria every year. Ooooo!!! Then you think about how easy it is to avoid getting malaria and it isn't quite so scary any more.
[i]Windows is inherently insecure because it's design is inherently prone to virus and worms. Windows is a single user, non-networked OS[/i]
This is 100% factually untrue. whisperycat is obviously unaware that the NT branch of Windows (from which 2000/XP/2003/Vista come) has been multi-user and networked for 15+ years. It would be like me saying "OSX is not a preemptive multitasking OS and has lousy memory management because OS9 was that way". XP is as closely related to the Win9X series of OSs as OSX is to MacOS9: not very.
[i]into which proprietary, commercial applications were welded in order to preclude third party competition.[/i]
Again, factually untrue. I can only imagine he is alluding to the commonly held belief that "IE the browser is welded into the OS". Factually untrue. I can uninstall "IE the browser" any time I want. What is more difficult is removing "IE the HTML renderer" but I would have almost as much difficulty removing Web Core from OSX or KHTML from KDE. There is nothing wrong with including HTML rendering libraries in an OS's set of included libraries. It is especially more embarrassing to make such comments considering Windows isn't the only one to do it. I'm not even sure if Microsoft was the first to do it although if they were, I guess people would have to admit that it was pretty innovative. ;)
[i]Complicated, of course, by the fact that 100's of Mb of patches are applied to this tottering system every few weeks.[/i]
Again, factually untrue. I actually find that the monthly patch from MS is pretty small when compared to a month's worth of patches I need to install on my Linux boxes.
So, is that specific enough?
[i]Your post on the other hand, makes you sound like a pompous @ss.[/i]
Yeah, probably. It is how I sound when confronted with willful ignorance on a scale shown by whisperycat. I won't apologize for it in this case. I'm much nicer to people who show the desire to learn instead of just repeating oft rebuked statements that they picked up on slashdot.
IE the Browser
Not quite right. Once you uninstall "IE the browser" (IE 5/6/7), you will find that IE 4 is welded into your OS. Try it some time. Throw a simple browser detection javascript in a file on a server, and put in that url in a Windows Explorer window. You'll find that it loads up, displays the content, and detects as IE 4. Windows Explorer is just a fancy name for a modified IE 4.
Same with KDE
But back to the original question: can you remove IE the browser? Yes, you can. The fact that Windows Explorer uses the same HTML renderer does not change that fact any more than the fact that when you remove Safari from OSX, you are still using Web Core in a myriad of other applications. No one blinks twice about saying that that Safari is gone so why the double standard?
KDE
As for OS X, if you were to remove the web core, would the OS lose significant amounts of functionality like it does when you remove the IE 4 html hooks from windows?
size of the Linux patches
I wonder if the size of the Linux patches is because they include patches for all the apps installed on your systems?
Very well said
I didn't say.....
George is telling us
If you're going to ride a motorcycle, George, be sure to leave the helmet at home.
Nope
You have a perfectly good helmet...one which came with your Harley and fully protects your head. So don't go out and put another helmet over top of it. That will just cause more problems and compromise you as a rider.
See the difference?
Go even further
From his article:
[i]Does this mean there is no place for antivirus scanning in the world? No, I've been on record as far back as four years ago saying that gateway level scanning was the way to go and [b]this exactly what I mean when I say "it's time to toss out your antivirus"[/b]. This means you scan for viruses transparently at the HTTP and FTP gateway and at the SMTP mail gateway BEFORE it enters your internal network and your PC.[/i]
I read this article as more targeting corporate environments, not the home user (which is what most of the talkbacks seem to be focusing on). What I read George to be saying is: scan for viruses, just don't do it on the same computer that has all your valuable information on it. If a gateway computer is compromised, this is less of a problem than if a worker's computer is compromised. A gateway computer shouldn't have any access rights to anything on the internal network and certainly not to sensitive data. Workers do.
So to take your analogy even further:
1. Wear the helmet that came with your Harley.
2. Drive in the middle of a pack of semis and let [b]them[/b] get in the accidents!
Really - guard just the perimeter?
Hey, but why should I complain? I got two days off with pay. Thanks MS!
LOL
"Drive in the middle of a pack of semis and let them get in the accidents!" I LOVE IT lol.
Actually for the home and SOHO too
What about road warriors among us, George?
I use a personal VPN to access the web when I'm logged into the WiFi. Are you advocating removing AV and firewall in such an instance?
I understand that the security software is itself a potential target. It may not be the best solution, but isn't it better than no solution at all?
I look forward to your (or anyone's) constructive advice.
Mike Aldridge
Okay...
rephrase
For many people, buying boxed computers is kinda pointless, why, cause you're getting one BIG feature, and a bunch of junk (AV software). So they go and buy the parts themselves. Now for those of you who have built your own computer, you'll surely know that there are tonnes of parts out there to possibly buy. We'll take the CPU for example. It's the brains of the computer. AMD sells the PIB versions (Processor In a Box); it comes with a fan. Now almost 60% of people who build their own computer build it specifically to get exactly what they want; they don't really do anything more than slap parts together, and install an OS. For them, that fan that comes with the processor is perfect (Windows firewall). So you install it, run your system, sure it's running at 40c but whatever, it works fine and is 50% lower than the max temp. Now, WHY would they want to go out and buy a nice big 3rd party fan (AV software)? The third party fan requires changing braces, and installing new mounting brackets, and is noisier, and it drops CPU temps by, MAYBE 5c, AND you have to put up with the extra noise. Now, why not just stick with what the computer comes pre-configured to work with? Sure, it doesn't feature a MOSFET cooling chute, or heatpipe technology, but for the basics, it works perfectly fine.
George also mentioned gateway scanning, Most new routers feature firewalls in them, these work pretty well, and best thing is, they require very little to get them set up. Heck, the only real thing they require is the power plug, the LAN plug, and the connection to the computer... not that hard. AND best of all, no overhead, sure you get a little bit of a cost, but when you're also paying to share internet with a couple computers, and to create networks, it's not that much.
And my final statement.
Let's take a look at programs like Napster, Kazaa, Limewire. I work as a computer technician. The most common thing I am asked to do is remove viruses. 99% of the people who have viruses ALSO have Norton/McAfee/AVG/CA/Zone Alarm... and they still get viruses. WHY??? Simple, they all have programs like Limewire, that allow you to bypass your firewall and drop virus infected illegal files right onto your computer. I have never actually looked at the stats, but I'd have to say that file sharing programs account for >50% of all virus transmissions on the web, why, because they are great big gaping holes in your security programs. 15mins of education for internet/computer users would decrease our virus woes by 75+%. Unfortunately, everyone has this horribly WRONG assumption that Windows=bad, AV program = good+safe
No, just hear me out
No, that was for Windows XP. Vista is different because it's locked down out of the box. Furthermore if we're talking a corporate environment, we can lock the users down. If the admin sets it so that no untrusted and unsigned code can run with standard or admin rights, then no one can harm themselves. All such code will run inside of the new reduced privilege mode where all it can do is damage some temporary files.
I'm saying the risk/benefit ratio of desktop AV has been altered to the point that we need to start taking a hard look at the way we do desktop security.
The benefit of AV isn't as good as it used to be because Vista is much more secure running standard users with jailed IE and hardware-enforced DEP. AV was never that good in the first place because it can only look for known patterns. Any targeted attack with a malicious file can easily defeat any AV system on the market; the attacker has the benefit of running his payload through an AV scanner first to see if it will trigger it.
The risk of running AV has increased because the bad guys are booby trapping the payloads to exploit the security scanner instead of the intended target. It's like having a bomb squad operate inside the house, no thanks. To add insult to injury, that bomb squad drinks your cold beer and soda and then makes a mess in your bathroom. This is exactly what AV does when it sucks up your resources and makes a mess in your registry and startup services. The best thing to do is have that bomb squad operate 100 feet away from the house at the gates. AV scanning is a very dangerous business. The bombs are now sophisticated enough to blow up as soon as you attempt to x-ray them. This could be alleviated if the AV vendors would start separating and isolating their scan code into a sandbox such that if the scanner is exploited then the damage is limited. The way it is now, you come across a malformed ZIP file and boom, you're owned!
What I'm talking about isn't practical until Vista is widely in deployment and has PROVEN itself. The purpose of this blog is not to change your mind, but to stimulate thought.
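As an added example, not code from the article, from George's reply, or from any antivirus product the page mentions, the following Python sketch shows the idea behind both the gateway-scanning paragraph in the article and the "isolate the scan code in a sandbox" point in the reply above: archive inspection runs in a separate worker process with memory and CPU caps, so a malformed or deliberately rigged ZIP file that crashes the inspector takes down only the worker, and the gateway quarantines the file rather than being "owned". The function names (`inspect_zip`, `inspect_isolated`), the limit values, the sample archives and the crashing stand-in inspector are all constructed for this illustration; the checks read only the ZIP central directory and extract nothing.

```python
import io
import multiprocessing
import os
import resource
import zipfile

# Constructed limits for the isolated inspection worker (illustrative, not from the page).
MAX_ENTRIES = 1000
MAX_RATIO = 100                      # declared uncompressed bytes per compressed byte
MAX_TOTAL = 50 * 1024 * 1024         # 50 MiB declared uncompressed total
WORKER_MEMORY = 1024 * 1024 * 1024   # address-space cap for the worker process
WORKER_CPU_SECONDS = 5               # CPU-time cap for the worker process

# Prefer fork so the worker needs no re-import; fall back to the platform default.
try:
    _CTX = multiprocessing.get_context("fork")
except ValueError:
    _CTX = multiprocessing.get_context()


def inspect_zip(data: bytes) -> str:
    """Check ZIP metadata only (nothing is extracted) and return a verdict string."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) > MAX_ENTRIES:
                return "reject: too many entries"
            total = 0
            for info in infos:
                name = info.filename
                if name.startswith("/") or ".." in name.split("/"):
                    return f"reject: unsafe path {name!r}"       # would escape the target dir
                if info.compress_size == 0 and info.file_size > 0:
                    return f"reject: zero compressed size for {name!r}"
                if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                    return f"reject: suspicious ratio in {name!r}"  # archive-bomb signature
                total += info.file_size
                if total > MAX_TOTAL:
                    return "reject: declared size too large"
            return "ok"
    except zipfile.BadZipFile as exc:
        return f"reject: malformed archive ({exc})"


def _cap(limit: int, value: int) -> None:
    """Lower a soft rlimit without exceeding the current hard limit."""
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, hard))


def _worker(data: bytes, conn, inspector) -> None:
    # Caps apply to the child only: a parser bug or decompression bomb exhausts
    # this process, not the gateway that spawned it.
    _cap(resource.RLIMIT_AS, WORKER_MEMORY)
    _cap(resource.RLIMIT_CPU, WORKER_CPU_SECONDS)
    conn.send(inspector(data))
    conn.close()


def inspect_isolated(data: bytes, inspector=inspect_zip, timeout: float = 10.0) -> str:
    """Run inspector(data) in a capped child; any failure becomes a quarantine verdict."""
    parent_conn, child_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_worker, args=(data, child_conn, inspector))
    proc.start()
    child_conn.close()            # keep only the child's copy of the write end
    verdict = "quarantine: scanner produced no verdict"
    if parent_conn.poll(timeout):
        try:
            verdict = parent_conn.recv()
        except EOFError:          # child died before sending anything
            pass
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return "quarantine: scanner timed out"
    if proc.exitcode != 0:
        return f"quarantine: scanner crashed (exit code {proc.exitcode})"
    return verdict


def _crashing_inspector(data: bytes) -> str:
    """Constructed stand-in for a scanner that dies on a rigged input."""
    os._exit(3)


def make_zip(entries) -> bytes:
    """Build an in-memory ZIP from (name, payload) pairs (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives.
BENIGN = make_zip([("readme.txt", b"hello gateway"), ("docs/notes.txt", b"x" * 100)])
HIGH_RATIO = make_zip([("zeros.bin", b"\0" * (4 * 1024 * 1024))])  # ~1000:1 when deflated
TRAVERSAL = make_zip([("../escaped.txt", b"payload")])

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("high-ratio", HIGH_RATIO),
                        ("traversal", TRAVERSAL), ("garbage", b"not a zip")]:
        print(f"{label:11} -> {inspect_isolated(blob)}")
    print(f"{'crash':11} -> {inspect_isolated(BENIGN, inspector=_crashing_inspector)}")
```

The split matters more than the checks themselves: `inspect_zip` is deliberately conservative (metadata only, hard caps on entry count, declared size and compression ratio), but even a conservative parser has bugs, which is why `inspect_isolated` treats any worker crash, timeout or missing verdict as "quarantine" rather than "clean". A real gateway would drop privileges, chroot or container the worker and hand only the verdict back, which is the "daemon in a jail cell" arrangement the article argues for.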