Thursday, 26 January 2017

Disable Your Antivirus Software (Except Microsoft's)

I was just reading some Tweets and an associated Hackernews thread and it reminded me that, now that I've left Mozilla for a while, it's safe for me to say: antivirus software vendors are terrible; don't buy antivirus software, and uninstall it if you already have it (except for Microsoft's).

At best, there is negligible evidence that major non-MS AV products give a net improvement in security. More likely, they hurt security significantly; for example, see bugs in AV products listed in Google's Project Zero. These bugs indicate that not only do these products open many attack vectors, but in general their developers do not follow standard security practices. (Microsoft, on the other hand, is generally competent.)

Furthermore, as Justin Schuh pointed out in that Twitter thread, AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security. For example, back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes. Several times AV software blocked Firefox updates, making it impossible for users to receive important security fixes. Major amounts of developer time are soaked up dealing with AV-induced breakage, time that could be spent making actual improvements in security (recent-ish example).
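The ASLR-disabled DLL problem described above is something a defender can audit directly. The following is an added example, not code from the original post: it parses a module's PE header, reports whether the image opted into ASLR via DYNAMIC_BASE, and flags the caveat that the opt-in is hollow when the relocation data needed to rebase the image has been stripped. `build_sample_pe` constructs a minimal header purely so the check can be exercised offline.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc data
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible

def parse_pe_flags(pe: bytes) -> tuple:
    """Return (COFF Characteristics, DllCharacteristics) of a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                    # IMAGE_FILE_HEADER, 20 bytes
    opt_size, coff_chars = struct.unpack_from("<HH", pe, coff + 16)
    opt = coff + 20                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    return coff_chars, dll_chars

def aslr_report(pe: bytes) -> dict:
    """Judge whether the loader can actually randomize this image's base address."""
    coff_chars, dll_chars = parse_pe_flags(pe)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Opting in means nothing if the relocation data needed to rebase is gone.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }

def build_sample_pe(dll_chars: int, relocs_stripped: bool = False,
                    pe32plus: bool = False) -> bytes:
    """Constructed minimal header (not a loadable DLL) for exercising the parser."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff_chars = 0x2002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `aslr_report` over the files backing each module loaded into a browser process (for example, the list from Process Explorer or `tasklist /m`) to see which injected DLLs never opted into ASLR.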

What's really insidious is that it's hard for software vendors to speak out about these problems because they need cooperation from the AV vendors (except for Google, lately, maybe). Users have been fooled into associating AV vendors with security and you don't want AV vendors bad-mouthing your product. AV software is broadly installed and when it breaks your product, you need the cooperation of AV vendors to fix it. (You can't tell users to turn off AV software because if anything bad were to happen that the AV software might have prevented, you'll catch the blame.) When your product crashes on startup due to AV interference, users blame your product, not AV. Worse still, if they make your product incredibly slow and bloated, users just think that's how your product is.

If a rogue developer is tempted to speak out, the PR hammer comes down (even though the developer was probably right to do so!). But now I'm free! Bwahahaha!

9 comments:

  1. The title says it all. I did exactly that a few months ago coincidentally.

  2. I really agree. It is particularly troubling for application software vendors that it's essentially impossible to test against common AV software.

    The AV vendors update and patch their products frequently, modifying the way they hook the OS. They don't ever allow anyone access to pre-release versions. This is the kind of thing that, even with the best of intentions, causes problems.

    As a long-time software developer, I have seen many problems caused by AV behaviour, particularly network hooks which modify traffic (TLS interception anyone?).

  3. I switch off Microsoft's Windows Defender as well. It makes my laptop unusable when it's running, which I've found to be a general problem with AV software.

  4. I guess what we need is "the people's AV". If Mozilla gets Firefox back on track, could they start something?

  5. I have not used AV software for years (apart from on the mail filter) - must have been around 8.06. Ubuntu of course.

  6. I totally agree with this. I bought a new TP-Link USB wireless adapter and whenever I connected to my wifi, Windows 10 crashed with a bad pool header error, and only after uninstalling my Malwarebytes software did that crash get fixed.

  7. Was "now that I've left Mozilla for a while" supposed to be linked to somewhere, rather than underlined?

    Replies
    1. No. I just wanted to make sure Mozilla doesn't get blowback.
