Comment by nayuki
1 year ago
Antivirus products are worse than viruses. Change my mind.
(AV hogs CPU, RAM, disk, and network resources. AV comes with their own exploitable vulnerabilities, often running in kernel mode. AV has their own zero-days and zero-click exploits.)
Counterpoint: I have a very non-technical friend that visited recently, and I was horrified to see that her macbook was full of malware. She casually talked about how someone stole money through her credit card. An AV scan actually found something on the laptop.
The AV industry is, unfortunately, terrible. Also unfortunately, some people really need them. I have no idea how one even gets a virus these days, but it does happen. People really do get infected all the time, and basic security advice that people get is not up to the task.
> her macbook was full of malware
I’m guessing her OS was very out of date? Because I’m having a hard time imagining how this happens in 2024 with XProtect, Gatekeeper, and Notarization all turned on by default. Non-technical people are unlikely to turn these off.
Scripts (OSX ships with Python, Perl, Bash, Zsh, and I think JS) bypass all of those.
Also I would not be suprised if editing scripts in runtime based apps (like electron) still bypass all of those.
Last I looked at code signing in MacOS it was weaker than Windows in places. With code signing checks enabled in Windows (they are used as a smart screen signal but not required by default) you actually need to sign shell scripts to run them.
1 reply →
You don’t need to be very computer savvy to google “how to bypass gatekeeper”. My kids figured that out pretty quickly.
Phones are a bigger problem. Nothing stops people from installing applications with insane permissions.
The basic security advice is install adblockers everywhere. You see someone using a browser without it? Talk to them.
Phones tho have a default security model which isolates apps from each other, unlike desktop OSes where each app can read anything on the system
8 replies →
About the only protection most third party AV provides is that it so badly cripples computer performance that PCs become incapable of running sophisticated malware
@nayuki Did this comment change your mind?
I think it's a relatively consensus viewpoint in the security industry that AV products are worse than no AV product. I don't think that makes them worse than viruses, though.
The AV our company uses regularly pops up obnoxious warnings about things that are benign. This trains people to click through warnings without reading them (on any product).
Is the consensus that third-party AV is worse than no AV, or that any AV (including Windows Defender) is worse than no AV?
In the corperate security "industry", anti-virus use is always recommended and required. The more invasive, buggy and annoying for users the better the AV probably is /s
Third party. I don't think anyone is actively opposed to Defender.
13 replies →
My comment will not aim to change your mind, but I felt the need to make my case:
I used to work for an AV vendor. I'm quite familiar with its internals. I used to look at some C++ and disassembled malware samples. I'm technically skilled for that kind of reverse engineering.
The engine is so lightweight and optimized that other vendors license it.
It's so lightweight that those underspec'd bank ATM machines you use on the streets with the unfortunate Windows XP or earlier will use that AV with nearly zero performance impact.
> AV hogs CPU, RAM, disk, and network resources.
I hear you, but this is not the case with the AV vendor I used to work for. Years after leaving the company, I still pay for my license (at a legacy discount of course).
Actually, one of the reasons I pay for my license is precisely computer performance. Windows Defender has some BS file indexer[0] that clogs the SSD with 100% continued usage. I just dread it. This bug still remains since the days of Windows 7.
Once you get a proper AV product in your computer, Windows Defender steps down. Bug fixed by myself. Done deal.
The other reason is peace of mind: Windows Defender is not a real security product. I know the protection capabilities of the AV product I licensed. I'm not a complete idiot using my computer, and yet, even I prefer to have it installed and paid for.
It triggers me people saying Windows Defender is enough. It's quite irresponsible. People haven't seen half the crap I've seen. Windows Defender is a little weak kitten compared to the beasts' proper AV products are.
I'm not saying buy the one I use. All I ask is that people buy a lightweight one that has been properly tested by an unbiased third party like AVTest or Virus Bulletin (look for their VB100 100% Detection award).
> AV comes with their own exploitable vulnerabilities, often running in kernel mode. AV has their own zero-days and zero-click exploits.)
As Windows Defender does. Remember, if you don't have any AV product, you have Windows Defender.
I feel that you made a moot point, as every software under the sun comes with vulnerabilities (whether zero-day or known).
--
[0]: https://nerdschalk.com/how-to-fix-100-disk-usage-issue-on-wi... (read the 15th reason).
For all you say about Defender, AV Test rates it highly, and 100% on protection.
How is anyone supposed to pick a product when the recommended sites say its fine, and you're saying its an irresponsible choice
The issue for me is privacy, practically all AV are root level spyware, you don't know what are they sending or how, EULA are nightmarish. They can send logs, files to outside server because so, the code is not available or even opt out of diagnostics. They monitor browser data and send it to outside servers.
I mean I can't say all of them do it, but most of them and those I have checked out. Examples: https://www.tomsguide.com/news/avast-avg-data-collection
For paid one lets look for EULA (that one mentioned above with VB100 100% Detection ) eset
https://help.eset.com/eav/18/en-US/eula.html >b) Forwarding of infiltrations and information to the Provider. The Software contains functions which collect samples of computer viruses and other malicious computer programs and suspicious, problematic, potentially unwanted or potentially unsafe objects such as files, URLs, IP packets and ethernet frames ("Infiltrations") and then send them to the Provider, including but not limited to information about the installation process, the Computer and/or the platform on which the Software is installed and, information about the operations and functionality of the Software ("Information"). The Information and Infiltrations may contain data (including randomly or accidentally obtained personal data) about the End User or other users of the Computer on which the Software is installed, and files affected by Infiltrations with associated metadata ... >For the purpose of this Agreement, it is necessary to collect, process and store data enabling the Provider to identify You in compliance with Privacy Policy
How is it lightweight to scan entire disk every week?
I joked to a friend yesterday that, having removed Defender, my computer is now malware free.
Ive discovered outdated viruses on old backup media that were quickly picked up by AV; new threats aside, old well known threats can still be dangerous if you're not expecting them
macOS has a built in, invisible, Apple-maintained antivirus system called XProtect which works great and most people don’t even know exists.
Bad antivirus software is indeed terrible, but the good stuff is performant and invisible.
> Apple-maintained antivirus system called XProtect which works great
Earlier this year it began detecting Apple-distributed iOS simulator bundles as malware and deleted those [0]. This was a major headache for several days as different headless CI systems developed the problem; we could not figure out how to get a 'good' version of XProtect installed in-place and ended up removing and rebuilding machines.
[0]: https://eclecticlight.co/2024/05/03/did-xprotect-remediator-...
> and most people don’t even know exists.
This part is for sure correct.
I don't see any way you can possibly justify that claim. So you're saying the deliberately hostile software, which will cause damage if you install it, is somehow better than the software which can accidentally damage your computer? Even if AV is dangerous 99.999999% of the time (which I think is a bold claim), it would still be better than something which is malicious 100% of the time.
Also I note that half of your argument basically boils down to "it has vulnerabilities". But as bad as that is, it's still not as bad as being exploited. This argument is like saying "being immunocompromised is worse than actually having a deadly illness". It makes no sense.
> Even if AV is dangerous 99.999999% of the time (which I think is a bold claim), it would still be better than something which is malicious 100% of the time.
You are missing the fact that you are supposed to run the AV software 100% of the time, while you are unlikely to ever download a malicious software, let alone execute it with all kinds of countermeasures, such as code signing, in place these days.
> Also I note that half of your argument basically boils down to "it has vulnerabilities". But as bad as that is, it's still not as bad as being exploited.
The point is that it increases your risk of being exploited. With an AV installed there's a lot more code running with extremely high privileges that malware can possibly exploit. While this may be a risk you are willing to take, AV softwares do undoubtedly increase your attack surface and have a history of being exploited.
https://www.theverge.com/2024/2/22/24080135/avast-security-p...
They reduce overal risk to the business while having bearable impact (ransomware also hogs CPU, RAM, disk and net).