Sunday, May 14, 2006

Is Anti-virus Software Really Necessary?

There is a blog post from May 9th titled Linux Security - The Illusion of Invulnerability over at Kaspersky Lab's blog. This quote sums up the theme of the post:

At the Kaspersky stand we talked to a lot of visitors. Pretty soon, it dawned on us exactly what the biggest threat to Linux systems is: the almost overwhelming belief in the invulnerability of Linux.

I think they have it wrong: it's not a belief in invulnerability, and it's not specific to Linux. It's the belief that "yeah, it could happen to me, but it probably won't," and you could just as easily imagine users of OS X, Windows, or any other OS saying it. More to the point, the quote presupposes that there is a need for anti-virus software at all. Does questioning that sound crazy? Perhaps not. Here are a few questions to think about:

  • For some reason, the metric used to judge anti-virus products is how quickly they release signature updates to counter new threats. This seems backwards to me. Has any anti-virus vendor ever done research on how many infections their software actually prevented, and what the impact of those infections would have been?
  • More to the point, is anti-virus software really a valuable part of an IT security policy, or are there better ways of preventing viruses/malware?
  • Why is it that, with the vast majority of desktops running Windows and almost all of those running some form of anti-virus software, there are still major virus outbreaks?
  • Does it help to divide malware threats into known and unknown categories? Clearly, antivirus software protects against the former, but not the latter.
  • Does reliance on a single security product give a false sense of security? For example, a common misconception is that a firewall is all one needs for protection against external network threats. The truth is much more complicated than that, as most security practitioners know.

This question of whether or not you really need anti-virus software is answered quite well by Rob at Vmyths:

If an expert proclaims you need antivirus software to protect you from a virus, you can counter with the following argument:

If we'd turned off automatic macro execution in Word before Melissa came along, then our PCs wouldn't have gotten infected. If we'd turned off Windows Visual Basic Scripting before ILoveYou came along, then our PCs wouldn't have gotten infected. This means our PCs could have protected us even when antivirus software failed to do its job. Perhaps we don't need to update our antivirus software so often -- maybe we really just need to update our antivirus experts.



kurt wismer said...

to answer the questions you asked
1) gathering the information to determine how many infections an anti-virus product prevented would turn the anti-virus product into spyware so i very much doubt such metrics are available...
2) an IT security policy would undoubtedly find preventative measures valuable - those measures can be divided into 2 groups: blacklists (known virus scanners), and whitelists (that only let known good applications run)... depending on the nature of the systems being defended, either or both could be valuable... blacklists obviously suffer from not knowing all bad software, but whitelists suffer from not knowing all good software (and that can be a big pain in the arse when you're trying to apply an update)...
3) there are still virus outbreaks because all preventative measures fail sometimes... there is no such thing as perfect security...
4) it is misleading to state that anti-virus software only protects against known malware - for one thing, heuristic scanning is well known for being able to find previously unknown derivatives of known viruses... further, not all anti-virus software is of the known virus scanning variety...
5) finally, yes using only one product does tend to leave people less secure, so the vendors have taken to providing security product suites that have multiple products bundled together...

as for rob's quote (from vmyths), you should look closely at his chosen examples - both types of viruses are dependent on optional system components... the fact of the matter is, that's not true for viruses in general, he chose exceptions to the rule for his examples - why, i don't know...

Doug said...

Thanks for the insights.

For 1), I was referring not to automated collection of signature matches, but a real study done in cooperation with a target business that indicated whether or not the host system was actually vulnerable to what had been blocked. I'm not sure this could be automated, anyway. It just seems odd that no major AV vendor has commissioned such a study, given the potential for good press, or that no major company has done something like this themselves, given that AV software has a non-trivial cost in the large enterprise. Maybe we just haven't heard of such studies...

Similarly for heuristic-based detection (yes, I should have mentioned it). How do we know how well it works? For starters, it's probably more prone to false-positives or false-negatives, depending on the threshold it's using to detect differences from known malware.

On 3), perhaps it's just the publicity, but it seems that AV software fails more than "sometimes". Again, how do we know?

I think your mention of whitelists is right on target - secure, but inconvenient, so not used very often.

You've probably seen Marcus Ranum's rant about dumb ideas in computer security. His #2 point talks about this very topic.
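To make the trade-offs in the exchange above concrete (Kurt's blacklist-versus-whitelist point and Doug's point about heuristic thresholds and false positives/negatives), here is an added toy comparison. It is example code written for this page, not code from the post, either commenter, or any AV product. The "macros" are constructed byte strings of equal length, the similarity measure is a deliberately simple position-wise byte match, and the file names and thresholds are assumptions chosen to illustrate the behaviour; a real engine would use n-grams, opcode sequences or emulation instead.

```python
"""
Toy comparison of three malware controls: a blacklist (exact signature
match), a heuristic scanner with a tunable threshold, and a whitelist
(only known-good programs may run). Every "file" here is a constructed
byte string standing in for a Word macro, not real malware.
"""
import hashlib

# Constructed stand-ins for macros. All are 24 bytes so the position-wise
# similarity below can be checked by hand (assumed sample data, not real).
GOOD_FORMAT  = b"AUTOOPEN FORMAT SAVEDOCS"   # legit macro, in the allowlist
GOOD_MAIL    = b"AUTOOPEN MAIL50 DOCSHARE"   # legit mail-merge macro, in the allowlist
GOOD_MAIL_V2 = b"AUTOOPEN MAIL90 DOCSHARE"   # vendor update, not yet in the allowlist
BAD          = b"AUTOOPEN MAIL50 SELFCOPY"   # "known virus", in the blocklist
BAD_VARIANT  = b"AUTOOPEN MAIL60 SELFSEND"   # modified copy with no signature yet

# (file name, content, is_malicious) -- names are hypothetical
SAMPLES = [
    ("format.bas",       GOOD_FORMAT,  False),
    ("mailmerge.bas",    GOOD_MAIL,    False),
    ("mailmerge-v2.bas", GOOD_MAIL_V2, False),
    ("melissa.bas",      BAD,          True),
    ("melissa-b.bas",    BAD_VARIANT,  True),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


BLOCKLIST = {sha256(BAD)}                            # known bad
ALLOWLIST = {sha256(GOOD_FORMAT), sha256(GOOD_MAIL)}  # known good


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of positions holding the same byte, 0.0 .. 1.0."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return sum(x == y for x, y in zip(a, b)) / longest


def blocklist_blocks(content: bytes) -> bool:
    """Signature scanner: blocks only what is already known bad."""
    return sha256(content) in BLOCKLIST


def allowlist_blocks(content: bytes) -> bool:
    """Whitelist: blocks everything that is not already known good."""
    return sha256(content) not in ALLOWLIST


def heuristic_blocks(content: bytes, threshold: float) -> bool:
    """Blocks anything at least `threshold` similar to a known-bad sample."""
    return any(similarity(content, bad) >= threshold for bad in (BAD,))


def score(blocks) -> dict:
    """Good files blocked (false positives) and bad files allowed (false negatives)."""
    fp = [name for name, content, mal in SAMPLES if not mal and blocks(content)]
    fn = [name for name, content, mal in SAMPLES if mal and not blocks(content)]
    return {"false_positives": fp, "false_negatives": fn}


if __name__ == "__main__":
    print("blocklist   :", score(blocklist_blocks))   # misses the unknown variant
    print("allowlist   :", score(allowlist_blocks))   # blocks the legit update
    for t in (0.6, 0.75, 0.85):
        # low threshold: flags legit mail macros; high threshold: misses the variant
        print(f"heuristic@{t}:", score(lambda c: heuristic_blocks(c, t)))
```

The blocklist never blocks a good file but lets the modified virus through; the allowlist blocks the variant but also blocks the legitimate update until someone adds its hash, which is exactly the maintenance pain described above. The heuristic has a threshold that happens to get every sample right in this toy corpus (0.75), but neither neighbouring threshold does, and in practice the operator does not know in advance where the tomorrow's variants and tomorrow's legitimate updates will land.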

Joyce said...

We are living in an internet time where you cannot do without anti-virus software and such. Too bad, but I think it will only get worse with time.

My place for free Anti Virus Software is:

They always have the latest and best anti-virus available and have good reviews of all available anti-virus programs.

Viruses should be stopped and people distributing these viruses should be put in jail. They jeopardize our operating system.