No, disabling your anti-virus software does not make security sense

Don’t throw the baby out with the bath water.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

No, disabling your anti-virus software does not make security sense

Ex-Mozilla developer Robert O’Callahan has got a bee in his bonnet about the merits of anti-virus software:

Antivirus software vendors are terrible; don’t buy antivirus software, and uninstall it if you already have it (except, on Windows, for Microsoft’s).

He continues:

At best, there is negligible evidence that major non-MS AV products give a net improvement in security. More likely, they hurt security significantly; for example, see bugs in AV products listed in Google’s Project Zero. These bugs indicate that not only do these products open many attack vectors, but in general their developers do not follow standard security practices. (Microsoft, on the other hand, is generally competent.)

I couldn’t disagree more with Robert O’Callahan.

I think the vast majority of people would be crazy to connect to the net without having an anti-virus in place.

That doesn’t mean that anti-virus software is perfect, or that it hasn’t sometimes suffered from its own flaws and vulnerabilities.

But the typical user is much MUCH more likely to be protected by anti-virus software intercepting a piece of malware than find themselves targeted by a sophisticated attack which exploits a flaw in the security software.

Sign up to our free newsletter.
Security news, advice, and tips.

Don’t believe me? Just find a relative or friend’s Windows PC that doesn’t run any anti-virus software. Chances are that it is riddled with multiple instances of malware, adware and unwanted browser search bars.

Just because anti-virus software cannot find every new piece of malware doesn’t mean it doesn’t provide a security benefit for most people.

Techies who are capable of disassembling every program that comes their way to determine if it’s safe to run or not might not need anti-virus software as much as my Aunty Hilda, but boy it helps save a heck of a lot of time and effort.

And just how do you think you’ll feel when your company’s data breach is making the headlines of the newspapers, and they’re asking your CEO live on TV why your firm made the decision to ditch its anti-virus software.

So, yes. Keep running anti-virus software. Check the independent reviews by expert testing agencies like Virus Bulletin, AV-Test.org, and AV-Comparatives to determine which products do the best job.

Anti-virus software isn’t the complete solution, and it isn’t flawless. But it is part of the layered defence which can help protect your home and office PCs.

And there’s a reason why most companies are still protecting themselves with anti-virus software 30 years after the malware threat first emerged. No-one has come up with anything better.

If you really want to reduce your attack surface, you should be ditching the likes of Adobe Flash long long before you take the drastic step of throwing out your anti-virus software.

Further reading: The guys at independent anti-virus testing firm SE Labs have also commented on O’Callahan’s controversial blog post.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

20 comments on “No, disabling your anti-virus software does not make security sense”

  1. theGentleman

    Thank you Graham for sharing your thoughts. When I read that post from Mr. O'Callahan, I was very surprised. He prefer usability a lot more than the security aspect of technology. "Just so I won't have to code my software to work well with security vendors, you should not have any security" sounds very selfish, childish and blatantly stupid coming out from an IT professional's perspective.
    Now we know why he is an "Ex" Mozilla employee. Thank you Mozilla for getting rid of this $kumb@g named Bob O'Callahan!

    1. Browser contributor · in reply to theGentleman

      O'Callahan left to pursue a personal project. In fact he was one of Mozilla's best engineers and was as highly regarded among Chrome (and I believe IE/Edge) developers as his fellow Mozilla employees. You might like to dismiss what he has to say out of hand but he was on the front lines and had a better view than most into the damage that AV software does to browser maker's ability to protect their users. (I've had much less visibility into this and have been pretty disgusted.) Personally I'd give what he has to say a lot of weight rather than ignorantly slurring him as a "$kumb@g". Maybe go and more closely read exactly what he said. For the reasons O'Callahan gave, I'll have to remain anonymous here, sorry.

    2. Sub · in reply to theGentleman

      Uh, Robert was saying he wanted to make browsers more secure but AV makes them less secure, not less usable. FWIW Chrome security engineers have said the same things as Robert. For example, @justinschuh tweeted "AV is my single biggest impediment to shipping a secure browser" followed by a list of issues: https://twitter.com/justinschuh/status/802491391121260544

  2. Bob

    "are still protect themselves" should be "protecting".

    1. Graham CluleyGraham Cluley · in reply to Bob

      Thanks. Now fixed.

      And I also added Virus Bulletin to the list of respected testing agencies. (I know there are others, but three examples are enough!)

  3. Steve

    I understood that Microsoft AV as fine, just dump the other AV software.

    1. Graham CluleyGraham Cluley · in reply to Steve

      That would be a recipe for disaster.

      If everyone used the same anti-virus you would be asking for the same trouble as if everyone used the same operating system… Oh.

  4. Mark

    I think you are missing the point, O'Callahan isn't saying that everyone should be running without an AV, he's saying that you don't need 3rd party AV products and to just use Windows Defender.
    On a home PC Windows Defender is perfectly adequate and in a lot of cases better than 3rd party products.
    At work I still deploy a 3rd party product mainly because of the better centralized management and reporting, however with Windows 10 ATP shaping up nicely I may well be changing my current solution.

    1. Graham CluleyGraham Cluley · in reply to Mark

      The whole world should use the same anti-virus product?

      I'm sure there are plenty of online criminals who would be rubbing their hands in glee at the thought of that… :(

      1. Bruce · in reply to Graham Cluley

        Please explain why that would be bad.

        1. Graham CluleyGraham Cluley · in reply to Bruce

          Sorry, I should have expanded my comment to explain.

          In nature biodiversity helps protect ecosystems against the spread of infections. It's a similar story when it comes to computer malware.

          Life is a lot easier for a malicious attacker if they know their malware only has to defeat one anti-virus product rather than any of the, say, three dozen alternatives.

          People using different anti-virus products is a good thing. It increases the chances of an attack being spotted. It also means that a determined attacker has to work far far harder to avoid detection.

          A similar argument can be made for operating systems. It's a good thing that all the world's computers aren't running Windows.

          1. Bob · in reply to Graham Cluley

            Mark,

            Microsoft Defender ranks amongst the lowest security products. Its protection is nowhere near as good as paid-for solutions. The two, universally accepted, best are: Kaspersky and Bitdefender.

            Defender doesn't:

            scan SSL connections
            provide email protection
            protect against zero-day threats*
            provide webcam protection
            block intrusive ads/banners
            provide many configuration options
            have its own database of 'safe' software**

            *Commercial antivirus checks in real-time any developing threats.

            *Windows relies upon Smartscreen. Normal antivirus solutions maintain their own database of hash sums to compare it.

            Also the Windows Firewall is extremely basic when compared to a commercial solution.

            I recommended everybody use an antivirus / internet security solution; even computer experts. The protection you get is far superior to the basic Microsoft protection.

            Remember that the Home Secretary granted a secret warrant (released in the Snowden disclosures) allowing GCHQ to reverse engineer Kaspersky because the security software was so effective at preventing target systems from being hacked!

            https://business-reporter.co.uk/2015/06/22/gchq-granted-secret-warrants-to-hack-forums-and-security-software/

          2. Chris · in reply to Bob

            Windows Defender and Firewall, Windows OS and Office bang up to date, programs/apps always up to date – Ninite is your friend here, keep UAC enabled and don't log on with Local Admin rights, use Chrome or similar with the fewest plugins possible, use discretion and common sense when browsing internet. Without using paid for third party solutions, a system set up as above is pretty well secured.

  5. _gh_

    I thought it was an interesting take.

    We place a lot of trust in AV products they hook deep into our OSes and programs and we are mandated to have them and trust them not to brick our machines, oh and they don't play nicely with each other because, guess what, AV programs look and act like malware to AV programs.

    I've spent a lot of time of late wondering how we improve this as the security infrastructure we need to run an site grows and grows. The empirical evidence that I have is developers today are still making the same basic mistakes and QAs today take time to learn how to truly mess up software in testing.

    It comes back to the fact that faced with a general purpose computing device, we can write anything and the tools let us, when in reality no tool should permit the creation of a raw page with a comment box and a post command.

    So we rely on unit tests, integration tests, SCA , application scanners, vulnerability scanners, IDS, IPS, anti-malware, firewalls, TLS certs, SIEMs, containers, sandboxes, pen testers… In fact lots & lots of security stuff wrapped around frequently quite simple programs. And most of the time any part of that could disappear, silently.

    It's not simple but making: OSes, development environments inherently more secure rather than adding more and more layers of defensive security would seem like a place we should be heading (as I wrestle with the browser extension for my password vault that has stopped working again). I'm not proposing that once utopian goal of Java to solve all our problems but programs are hugely unsafe and the web more so where I can set a tool to simulating my webpage and then attack having stripped all the client side defences.

    Even with projects like OWASP and security tools we don't have a way of baking having devs code securely.

  6. Jones

    It's nothing more than a false sense of security. A 12 year old with a $20 crypter can defeat most of the well known anti-virus products in a few seconds.

    AV or no AV, a machine will end up with a nasty infection until the user is educated or switches to a safer platform, such as iOS or Chrome OS. Most people do not need to use Windows.

    Let's not mention the free AV which installs adware and toolbars.

    Many people in the security industry have a vested interest in promoting AV because it brings in a lot of money. Always remain sceptical. :-)

  7. Ross

    Is this the IT equivalent of an anti-vaxxer?

  8. Wayne Ruppersburg

    Thanks Graham for bringing us some sanity to this subject. Robert O'Callahan may have a point to make but it"is too easily misinterpreted by the casual reader. Better safe than sorry I say… but I wish I understood this issue better.

  9. IanH

    There should also be a very public line between those AV applications that collect data from users during usage and those that don't. This anonymisation sop belongs in the garbage. Zero Knowledge should be a new key figure of merit to distinguish those who sell AV to users from those who sell users to marketing companies.

  10. _gh_

    Interestingly a new study shows that many MITM AV products are just like Superfish and don't provide upto date protection when passing off the traffic which is why I don't recommend security proxies to parents.

    http://www.zdnet.com/article/google-and-mozillas-message-to-av-and-security-firms-stop-trashing-https/

    The full paper is at:

    https://zakird.com/papers/https_interception.pdf

    The commercial intercept devices are less interesting because although many fail they are all configurable I can removed ciphersuites and protocols. I would prefer that these devices however came configured with high security rather than rely on it being done (because it doesn't).

  11. Courtright

    I'm shocked by the lack of evidence and facts in this post. There's lots of rhetoric and opinion, which is great I guess if you're looking to spread FUD, but it's terrible if it's the truth we're seeking. Let me share some in hopes that a more informed decision can be made.

    On 2017.02.10, I downloaded the top 20 malware seen by malwarebytes, and tried to install each one on an unpatched system. AV Vendor#1 detected and blocked 17 of them. I uninstalled av and repeated. Now, Windows Defender detected and blocked 18 of them. I did better with no traditional AV on the system. Next, I disabled WinDefender and repeated with no defensive software. All 20 malware executed unrestricted. And all 20 failed to cause impact. Why? How? Because the user running the malware had only default access (i.e. non-admin). Using non-admin accounts costs less money, cost less processing power, don't require daily signature updates, and don't require deployment or maintenance. With very little effort, I produced an experiment capable of producing facts and evidence that I'd the OP should have considered before posting.

    But that was a small sample size. What does more data look like? I've not run AV on any Windows system since 2000. By using only accounts with default access (i.e. non-admin) no damage has been done during any encounters with malware. And on countless occasions during these 17 years, I've also purposefully tried to infect myself. If I received malware via email, I executed it. If I received email with risky links, I followed/opened them. From time to time, I also downloaded and executed the virus-du jour. While crazy-sounding to some, these were simple real-world experiments I conducted to validate whether malware can infect a system under an account that is not an administrator.

    Simple truth : Nearly all malware needs elevated access in order to successfully execute.

    Simple truth : In the real-world, running NO anti-virus under a non-admin account is safer than when running av software under an admin account.

    Simple true : The single, strongest control against malware is when users have default access, and do not have elevated access/privileges. Similar to AV, this strategy can stop damage from old/known malware. Unlike AV, non-admin accounts can also stop damage from 0-day malware, cost less money, cost less budget, don't require deployments, don't require daily sig updates, and it also prevents just about every kind of system damage a user might inflict on their system accidentally.

    Simple truth : This strategy is not fool-proof. In my experience, it's over 99.9% effective. There are exceptions – there's no such thing as a panacea. But this strategy has far fewer exceptions than the list of exceptions associated with traditional AV.

    And in case it's relevant …. I'm a professional ethical hacker for a "Fortune 1" company (please feel free to look me up). While my views stated here are completely my own, and are not associated or representative of my current/past/future employer/company…… you're free to infer whether or not I've seen my fair share of attacks and defenses related to malware.

Leave a Reply to _gh_ Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.