The massive lie about anti-virus technology

Stephen CobbStephen Cobb has been working in the field of computer security research, and raising awareness of security and privacy issues for over 20 years.

In this article, he explains how he feels there is a lie being told about anti-virus software, and that it's time the public knew the truth.

If you have an article that you'd like to share on grahamcluley.com, please do get in touch.

File scanHere is one of the privacy and security predictions I am making for 2014.

This is in addition to the ones I contributed to ESET's We Live Security blog, where I had the honor of presenting predictions from my fellow researchers at ESET. Note that the following are my personal opinions, which may differ from those of my employer (although my employer has some pretty cool opinions).

The media will repeat a massive lie about anti-virus technology.

I predict that in 2014 every major newspaper and magazine will perpetuate, to the detriment of data security and human understanding, the grossly erroneous notion that "for an anti-virus firm to spot malware, it first needs to have seen the malware, recognized that it's malicious code, and written a corresponding virus signature for its products."

I predict that, although this assertion is simply not true, and has not been true for many years, that fact will not deter people from repeating it, over and over. This is a bit like Car and Driver or Consumer Reports saying that cars cannot be started without first engaging the crank handle.

True, there was a time, long ago, when crank handles were routinely used to start cars, just as some anti-virus programs were, in the distant past, based solely on signatures derived from known bad code.

I've got a free t-shirt and more for the first mainstream journalist who breaks rank from the ill-informed herd and points out that any anti-virus app worthy of the name today uses a lot more than signature matching to protect systems from malicious code.

By the way, a huge hat tip to the guys in Norway who posted that YouTube video of a hand-crank start: they are braver men than me; I've seen how much pain a crank handle can cause.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

7 Responses

  1. C. Parker

    December 18, 2013 at 2:54 pm #

    This is why InfoSec personnel are so important. When this function is left up to a system to follow, there will be issues. The SysAdmin puts in the rules for the application. The application reviews the packets and if one of the packets looks suspicious, based on the static at the time rules and also dictionary of known malware, then it let's the SysAdmin know.

    If the malware is relatively new or has not been found yet, the AV won't be able to pick it up with the scan. With a security person in place, they are able to review the different logs, usage, and find the issue up front, versus waiting until the data is sent out of the company's server and control. Once you automate a function this significant, the potential for significant issues, especially if you have something deviants want (aka personally identifiable information), increases significantly., in my humble opinion.

    • Stephen Cobb in reply to C. Parker.

      December 18, 2013 at 5:36 pm #

      Yes, it pays to monitor the network, but what a lot of people don't realize is that a good AV program can recognize some malicious code that has never been seen before, and can block attacks before a threat-specific signature update has been issued. Besides which, most AV apps today also come with a range of end point protection features that go far beyond scanning for known bad code.

      Of course, you are right in saying that the security value of a vigilant SysAdmin should never be under-estimated!

  2. Nick

    December 19, 2013 at 8:35 am #

    Anti-virus programs are good as a background program to take out most of the common malicious threats. But one should never only rely on an anti-virus.

    Those who have been on security related forums, would know already that there are a ton of programs and services that can make detected malware fully undetectable by all anti-viruses both scantime and runtime. It can remain undetected for months if the malware is private and not sent to antivirus companies. So its important to remain vigilante about the links you click and files you download.

    • Hugo in reply to Nick.

      December 29, 2013 at 3:33 pm #

      Well said. This blog post is a little self-serving.

      • Stephen Cobb in reply to Hugo.

        January 1, 2014 at 6:12 pm #

        Hugo – Skepticism is a valuable tool in the security practitioner's toolbox, but I can assure you I am not a shill for the AV industry. My goal is to educate people about all aspects of information system security, which means fighting FUD and trying to get accurate reporting, rather than the endless repetition of tired old misconstructions.

        In 2014, the media will spill more "ink" on security stories than ever before (the Snowden/Target effect). I want to help them get it right when they talk about the many moving parts that make up a security strategy. I would be the first to say you cannot and should not rely on antivirus alone (and my colleagues at ESET would, and do, say the same thing). My job, what they pay me for, is to help people understand threats and responses. Reporters repeating tired old errors of fact is not helping.

        (That said, I wrote this post on my own time, originally on my own blog, and Graham asked if he could reprint it–writing about privacy and security is also my hobby, sad as that may sound to some.)

  3. Siggy

    December 21, 2013 at 12:30 am #

    I was half expecting this item to be about AV companies publishing their own malicious code! You can't keep a good myth down…

    With regards to being vigilant, I found a clever keylogger on an office notebook a few years ago. The owner was blissfully unaware of it and relied on Nod32 to reassure her that everything was just fine. I showed her the logs which revealed the most disgusting and intimate details of her sordid and very secret affair with the MD. She got very angry and upset that I'd found the logger but didn't seem to give a stuff about having revealed all her banking passwords and the contents of thousands of confidential and sensitive emails she'd sent to her clients. Needless to say, after this revelation, I could never look her or the MD in the eye. Ignorance is bliss?

    • venom in reply to Siggy.

      May 31, 2014 at 12:32 am #

      funny. but how did you find the keylogger?

Leave a Reply