Security professionals DO use anti-virus

It was back in the 1990s when someone told me that operating systems like Windows NT were getting so safe that AV would soon be out of business. And I hear on a regular basis that AV is so ineffective it's not worth having. Because I get some of my income from the anti-virus industry, no doubt you'd expect me to disagree. I do, but that's not why.

Kevin Townsend asked my opinion of a Wired article quoting several security people at RSA saying that they don't use anti-virus (also summarized here). You can read some of my response in a good, balanced article in Infosecurity Magazine, which shares my concern that non-experts will be misled into assuming that because some security people say that, it's fine for everybody to take it off their machines. But I'm going to expand on those points because I think this is important.

As it happens, there was a time back in the 90s when I didn’t use AV on my own machines except for test purposes. But I do now, and I probably know more about malware than most of the guys outside the AV sector who are now saying that AV is unnecessary. I went back to using it originally because I envisioned a rise in 0-day-type compromises where the security of an OS or an application was beyond my control (and I wasn’t wrong), and more recently because sometimes I have to look at URLs or files that may be risky. AV software doesn’t guarantee my safety from malicious code, or anyone else’s, but I’m not going to refuse an extra layer of security: AV still detects a substantial amount of malware (and other unwanted code) proactively. And I'd be using AV software even if all I had was the machine I do my writing on and didn't do any hands-on research.

AV is not The Answer, or any sort of 100% solution, but nor are whitelisting, detailed DIY log analysis, or the other panaceas du jour. I agree that the man in the street shouldn’t think that because he has AV or a personal firewall, he’s Safe: it’s perfectly true that AV can’t detect everything. But it’s not true that AV relies on static signatures and detects only known malware, or any of the other stuff that's parroted year after year by people who should know better. In the real world, a decent AV scanner (or, better, an internet security suite) and some common sense are still a lot better than nothing. In fact, for most people they're better than a guru-friendly but consumer-hostile security program that isn't installed and maintained properly…

And no, checking a malicious file against VirusTotal doesn't give you a fully accurate picture of what is and isn't detected, contrary to a suggestion in the Wired article: that isn't what the site is for. In fact, VT's Julio Canto and I put together a presentation on that topic last year for a forensics conference: I'll see if I can make that available for those who are interested.

But you should be aware that most individuals and many companies don’t know the technology well enough, or simply don’t have the time or capacity, to use the sort of complex tools that security experts do. I doubt that the average Windows user is going to play with open source security software (good though some of it is) or go poring through incomprehensible logs.

And you should also bear in mind that some of the security experts who are denigrating AV en masse right now have their own commercial agendas to push, in favour of other technologies that are not the 100 Per Cent Solution either.

Believe me, if there was a viable, 100% effective solution, I'd be very happy to tell you to use it and then go and do something else with my life.

Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Author David Harley, ESET

  • Nick

    Well said. It's often forgotten that just because a solution isn't 100% effective that does not make it useless. I know that a trained locksmith could pick my front door (I could probably do it myself with a bit more practice), but that doesn't mean I don't lock the house when I leave. Likewise I know there are plenty of ways around AV, but I also know that it prevents a lot of threats from getting through, leaving me to worry about the ones that do.
    It's certainly true that there can be a sense of false security from AV (and other technology, like firewalls) but as long as the real risks and vulnerabilities are appreciated it's still a valuable tool in the toolbox, IMHO.
    PS I'd certainly be interested in the VirusTotal paper from the Forensics conf!

    • David Harley

      Nicely put, Nick. Thanks for reminding me about the VT paper: I’ll take a look today.

  • Kevin Costain

    While I'm not clear here what you seem to have a problem with, it seems that you don't want the average user to be swayed because some professionals say they don't use AV software. That's a fair enough statement to make. In my experience, I think 100% of users want to think they have it. I don't see that changing too quickly.
    To say that technical professionals should always use AV software, everywhere, is a little disingenuous since a person well-versed in what's going on with his/her computer can certainly get by without requiring such software. That's just common sense – it's not even a technical conversation.
    As to the question of whether AV software is required on an average user's computer: I tend to think it's better than nothing, yes, but in many users' case, all today's AV software does is amount to a serious false sense of security for the user – one that I find AV companies perpetuate.
    What is the most effective form of protection possible? Not AV software, not VirusTotal, not just locking the door – no, the most effective way to protect yourself is by being smart about what you do with technology. Question everything. Learn to understand the technology better every day. Nothing is safer or more effective than user diligence, and that should be the conversation, but sadly THAT furthers no one's commercial agenda, right?

    • David Harley

      Kevin, I’m afraid you’ve allowed your distaste for the antivirus industry to colour your perception of what I’m saying. Where did I say that technical professionals should always use AV software, everywhere? That’s nonsense, and I certainly couldn’t do some of the work I do myself if I had AV calling the shots on every machine I use. However, I can’t agree that user awareness and technical sophistication is the 100 per cent solution. That calls to mind the Ken Thompson observation (I may be misquoting here, as I’m recalling from memory) that you can’t completely trust an operating system you didn’t write yourself. Since most of us didn’t write Windows – let alone the numerous other applications we may run – we can’t rely on our own knowledge of everything that could be used against us to provide 100% protection. And most people can’t put in a fraction of the time necessary to fully comprehend and counter the range of threats to which they’re susceptible at any one time, so they use security-related software (AV or not, commercial or not) to take some of the strain. I’ve said time and time again that people can do a great deal to protect themselves by raising their own awareness, and that no-one should think that antivirus is 100% protection (far less the -only- way to protect themselves), and I resent your suggesting otherwise.

  • Kevin Costain

    First, David, I should be clear. I don't have a distaste for the AV industry. That said, some AV vendors go about the process of protecting machines (and making money) differently than others. Some of those methods don't exactly inspire love and admiration. Let's not even get into how bloated some of these programs have become. Eeish.
    Second, I should be clear that I said "The MOST effective form of protection", not the 100% solution. Not a foolproof solution. Not anything like a cure-all. No one knows everything bad that's coming for them. But I would hazard to say that most AV users think they're "protected" and thus become easy pickings for zero day attacks. I see it over and over. Furthermore, there is no cure-all, we both know that. In my experience with hundreds and hundreds of users: a skeptical and educated user is MUCH MORE effective than an AV program. Combining both together is likely the best protection possible today (I think we agree on that point, anyway).
    In some ways, I think the landscape is really evolving into something that we've not dreamed up yet. The threats to data and digital information are at unprecedented levels and with the so-called "Post PC" era becoming more of a reality, I think the venerable desktop AV application will be relegated to a free background service in every OS and it will perform to the baseline of what we consider acceptable today from AV programs. As far as how mobile devices will be protected, that's going to be interesting.

  • michaelgiacomazza

    Since November 2011, I have spent about $4,300 on new computer products, devices that were intended to partially replace the hardware and software lost after a system-wide attack that began with the destruction of my daughters' laptops, expensive computers well known for their stance against all things wild, like viruses etc. Plus every computer except for my smartphone had a form of Norton security, which was provided by Comcast, our ISP at the time. From April 2010 until November 2010, independent security groups, the chain shops like the big large national stores and individual sole stores all examined mostly the desktop and laptops, while the well-known brand that has a long-time solid rep was kept informed, as well as the cell carrier, but this American Icon who over my life has collected mid-five figures for home personal machines, not including the fact that I had a school law review switch to use its products, which resulted in a few law school profs purchasing the product, so I am confident when I estimate that I am personally responsible for sales of over $120k in computers, and another 25-40 smartphones since introduced. I was part of the tech group of a large national firm when we made a recommendation that with a stroke of the pen bought over 300 new desktops with a suite of professional software for different levels of users, but over 120 legal professionals at the time. I am sorry that the Texas manufacturer was selected in 1998-99, but only purchased two brands, a Texas and a California designed, the latter never disappointed until my 3rd smartphone. The entire story is so crazy, if suggested in a movie as fact, most would not believe it or the others would think how stupid my character was. But I was being told that the machines were fine, security up-to-date, but that is what makes this ?*#$@ so powerful, it can run, hide, it works with the two major OSes, and appears to have its roots with a smartphone.
    It uses Bluetooth and ALL that a cell phone uses Bluetooth to connect to, like the vehicle where it comes with its own cell phone and navigation system that either connected with 3 – 4 overhead satellites, so positions can be tracked using one device while connected to another. On a few days, the ???? made itself well known that live remote access was and is practiced when messages, intended to scare me, which it did, but the email sent to my daughters gave me power to chase a ghost. I have a large volume of data but it's about to be destroyed. I went to National Security, FBI, local police who each offered different answers, from be careful, it is the wild west but once it involves a threat to our homeland, we are interested, with the national agency who is better known for tracking the rich & famous entertainers, like John Lennon and Richard M Nixon, saying it is impossible that my story is true, but about 90 days later the top political leaders of the agency along with top business leaders had a press conference that certain threats into printers and use or misuse of Bluetooth are very real; true, it is limited by distance but that merely affords it better protection because, as I read, the device can be hidden at a bank ATM so when anyone swipes the bank card, the encrypted data is transmitted 20-50 feet to the criminal who sits with a cell phone and netbook, but may now use a powerful smartphone. All agree the hacking will only grow worse, which is why if you have read closely the U.S. Military to private business have offered jobs with big bucks into the legit world, in return for help in protecting all networks because of lack of knowledge? I do know that after we lost everything after the 1st attack, we had a new ISP installed that was hacked into by the end of the week. I had tried to capture the skilled, but at one point one group was representing activity as if it was me. Unsure if the other group understood, but they can make anything appear real or fake.
    They just need a keyboard and a connection, I found some like  , others the other brand while the newer version of used too.

  • Christian R.

    Thanks for this great post. I'm also interested in the VirusTotal paper. Was this made public yet? Thanks!

    • David Harley

      Unfortunately, I don’t have time right now to check through it for public consumption (it was presented at a specialist conference). I will though, as soon as I’ve met an upcoming deadline (two other papers for another conference!)

  • Marcus Watkins

    In the security industry, like many others, "secure" is a made-up word that doesn't exist in our proprietary, money-hungry system of solving problems. It kind of makes me curious why so many people, system administrators at that, think that because they pay to renew the trial license of McAfee that came on their system they are totally safe. Until the way security is handled is changed to a truly open source and standardized community, installing an AV might stop a secretary from opening an attachment from an unknown sender, but you're not gonna get a whole lot out of the software.

  • Gavin Smith

    The anti-virus industry creates the need for anti-viruses. I’m convinced of that.
