<h1>Antivirus Software is a Hack</h1>
<p>
<img src="https://nextcloud.53hor.net/index.php/s/jJoFoA7Ppjb7rey/preview" />
</p>
<p class="description">
I read a really terrific article today about computer security and the
really dumb ideas and trends that have taken hold in this field. It's
<a href="https://www.ranum.com/security/computer_security/editorials/dumb/">M. Ranum's <em>The Six Dumbest Ideas in Computer Security</em></a>, and I highly recommend reading the whole thing. It has
great anecdotes and plain language for what I consider to be some of the
obvious problems with the way programmers and sysadmins think about
security (myself included). One part of it (idea #2), however, finally
put into words something I've felt for a really long time. It lets me
explain why I think all antivirus software is a total hack and virtually
useless.
</p>
<blockquote>
hack<br />
1. n. Originally, a quick job that produces what is needed, but not
well.
<br />
<cite>-- The Jargon File (version 4.4.7, 29 Dec 2003) [jargon]</cite>
</blockquote>
<p>
This is the Jargon File's definition of a hack, and to me it describes
antivirus software exactly. Antivirus software, as I understand it,
emerged in the mid-to-late 1980s and became widespread in the 1990s. By
the 2000s it was considered an essential piece of software, and people
were paying yearly subscriptions for antivirus suites from Norton, Avast,
and McAfee.
</p>
<p>
The most basic job of an antivirus program is to determine whether
malware is present on a host. The typical method is to keep a collection
of virus definitions (signatures) and compare each potentially infected
file against each definition to decide whether the file is malware or
has been infected by some. An over-simplified way to implement this is
to store a collection of hashes, each taken from a known potentially
unwanted program or infectious executable. You then hash entire files,
or portions of them, and compare the checksums to see whether a file
contains or is equivalent to the definition, and is therefore infected
and shouldn't be executed. The catch is that a hash, or any byte
pattern, only matches the exact bytes it was taken from: change those
bytes and the match fails, whatever the program still does. Some
security suites go beyond this with heuristic matching, but if you run
an antivirus that has to "update definitions" on a routine basis, it
probably works something like this*. With any luck it does so without
being a total drag on system performance. Ideally it also doesn't behave
like a piece of malware itself by making itself nearly impossible to
remove (looking at you, McAfee).
</p>
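<p>
To make that limitation concrete, here is a toy definitions-based
scanner in Python. It is an added example, not code from this post or
from any antivirus product: the sample bytes, the definition names and
the <code>scan</code>, <code>mutate</code> and <code>add_definition</code>
functions are all made up for the illustration. It shows the known
sample being caught, a trivially mutated copy slipping past until a
definition is added for it, and a harmless file of your own being
flagged because it happens to contain the signed bytes.
</p>

```python
import hashlib
from copy import deepcopy

# Constructed stand-in for a known infectious executable. These are made-up
# bytes for the example, not a real sample; the "payload" is inert text.
KNOWN_MALWARE = (
    b"MZ\x90\x00" + b"\x00" * 60          # fake executable header
    + b"evil-dropper-v1:"                  # the bytes a vendor would sign on
    + b"fetch payload, persist, spread"    # inert description, not code
)

# A benign file you wrote that happens to contain the signed bytes, say a
# regression-test fixture. Constructed for the example.
BENIGN_FIXTURE = (
    b"#!/bin/sh\n"
    b"# regression test: the log parser must cope with the string "
    b"evil-dropper-v1: in its input\n"
    b"echo ok\n"
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The definitions database the text describes: whole-file hashes plus byte
# patterns lifted from portions of known samples.
DEFINITIONS = {
    "hashes": {sha256(KNOWN_MALWARE): "EvilDropper.v1"},
    "patterns": {b"evil-dropper-v1:": "EvilDropper.gen"},
}


def scan(data: bytes, definitions: dict = DEFINITIONS):
    """Return the name of the first matching definition, or None.

    None means "not in the list", not "clean": that is the enumerate-badness gap.
    """
    name = definitions["hashes"].get(sha256(data))
    if name:
        return name
    for pattern, pattern_name in definitions["patterns"].items():
        if pattern in data:
            return pattern_name
    return None


def mutate(sample: bytes) -> bytes:
    """What a malware author does between definition updates: change the bytes
    the vendor signed on while keeping the behaviour. A version bump is enough."""
    return sample.replace(b"evil-dropper-v1:", b"evil-dropper-v2:")


def add_definition(definitions: dict, sample: bytes, name: str) -> dict:
    """The vendor's response once the variant has been seen in the wild.
    Returns an updated copy so the old database is left unchanged."""
    updated = deepcopy(definitions)
    updated["hashes"][sha256(sample)] = name
    return updated


VARIANT = mutate(KNOWN_MALWARE)

if __name__ == "__main__":
    print("known sample   :", scan(KNOWN_MALWARE))     # EvilDropper.v1
    print("mutated variant:", scan(VARIANT))           # None: free until signed
    print("own fixture    :", scan(BENIGN_FIXTURE))    # EvilDropper.gen: false positive
    updated = add_definition(DEFINITIONS, VARIANT, "EvilDropper.v2")
    print("after update   :", scan(VARIANT, updated))  # EvilDropper.v2
```

<p>
Run it directly to see the four verdicts. The scanner's answer depends
only on the bytes, not on what the program does, which is why the
variant walks straight past it and your own fixture does not.
</p>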
<p>
To me, a virus definition database is "enumerating badness" (Ranum's
Dumb Idea #2). The premise is that it is not only logical but even
possible to compile a list of <em>all</em> potentially unwanted
programs, viruses, ransomware, and worms. Trust should be built around
the programs you want to run (read: <em>allow to run</em>), not the
other way around. Picture an operating system where no binary can be
executed unless it is specifically flagged as allowed. Now picture also
being able to restrict that execution to the file's owner, or to
particular groups of users. Wouldn't it be easier to store the list of
thirty-odd programs that you and the other users of the system trust
than the thousands (millions?) of programs that are infectious,
forbidden, or unwanted? What about when those trusted applications are
compromised? Would it not also be easier to keep a list of checksums for
those binaries and compare them before execution, to make sure they
haven't been infected or replaced?
</p>
<p>
The answer is yes, it would be easier. And yes, it is easier, provided
your system works that way. Antivirus software is a hack because it's a
hacky solution to a problem that has a better, simpler solution. It also
has the potential to make a ton of money, but I won't go into that. It's
easier to enumerate goodness: to open up specifically to a select few
trustworthy applications. Good lists are usually shorter than bad lists.
This builds on Ranum's Dumb Idea #1, Default Permit. You wouldn't
configure a firewall to block just some known-bad ports and traffic; you
configure it to block everything and then whitelist what you know you
can trust. You wouldn't configure a browser ad-blocker to permit all ads
and then pick out the ones you don't want to see. You block all of them,
and if there are sites or ads you're okay with seeing, you whitelist
them. You shouldn't default-permit every program to take control of your
computer and then meticulously list the ones that don't get that
permission.
</p>
<p>
Oh, and of course, as always, there's free software that lets you do
this. You don't have to pay for an antivirus suite, or even use a free
one that slows down your computer or barrages you with ads. On the BSDs
and virtually all Linux distributions there are built-in tools to
control access to and execution of binaries (file ownership and
permission bits, for a start). There are additional tools you can
install that check whether binaries (in locations like
<code>/bin</code> or <code>/usr/local/bin</code>) have been modified
since you last used them, by comparing them against a stored baseline of
checksums. On Windows the story is a little different. Most home Windows
10 users are allowed by default to install and run any software they
want. Windows Server (and the Pro and Enterprise editions of Windows 10)
do have Software Restriction Policies, which let you create a "default
deny" policy and whitelist only the software that's allowed to run. If
you're using a Home edition you probably have to look for software that
lets you do this. I haven't tried any of them so I'm not going to
endorse or even name them here.
</p>
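<p>
Here is the default-deny approach from the section above, together with
the modification check that the file-integrity tools just mentioned
perform, written out in Python as an added example. It is not code from
this post and not one of the OS tools: the allowlist format, the
<code>check_execution</code> and <code>audit</code> functions, the user
names and the scripts created in a temporary directory standing in for
<code>/usr/local/bin</code> are all constructed for the illustration.
Every binary is refused unless it is listed, assigned to the requesting
user, and still has the checksum it had when it was trusted.
</p>

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Trusted:
    """One allowlist entry: the checksum a binary had when you decided to
    trust it, and the users permitted to run it (hypothetical names below)."""
    sha256: str
    users: FrozenSet[str]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(entries: Iterable[Tuple[str, Iterable[str]]]) -> Dict[str, Trusted]:
    """Hash each trusted binary as it is installed right now. This is the
    whole 'definitions database' of the default-deny approach: a few dozen
    entries you chose, not a feed of everything anyone has ever seen."""
    return {path: Trusted(sha256_file(path), frozenset(users)) for path, users in entries}


def check_execution(allowlist: Dict[str, Trusted], path: str, user: str) -> Tuple[bool, str]:
    """Default deny: refuse anything not listed, not assigned to this user,
    or no longer matching the checksum recorded when it was trusted."""
    entry = allowlist.get(path)
    if entry is None:
        return False, "not on the allowlist"
    if user not in entry.users:
        return False, f"{user} is not permitted to run it"
    if not os.path.isfile(path):
        return False, "binary is missing"
    if sha256_file(path) != entry.sha256:
        return False, "binary changed since it was trusted"
    return True, "allowed"


def audit(allowlist: Dict[str, Trusted]) -> Dict[str, str]:
    """The integrity sweep a file-checking tool performs: report every
    trusted binary that is gone or no longer matches its recorded checksum."""
    findings = {}
    for path, entry in allowlist.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif sha256_file(path) != entry.sha256:
            findings[path] = "modified"
    return findings


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: a temporary directory stands in for /usr/local/bin,
    holding two scripts you trust and one that nobody chose to trust."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as bindir:
        hello = os.path.join(bindir, "hello")
        backup = os.path.join(bindir, "backup")
        dropper = os.path.join(bindir, "dropper")
        with open(hello, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        with open(backup, "wb") as f:
            f.write(b"#!/bin/sh\ntar czf /srv/backup.tgz /home\n")
        with open(dropper, "wb") as f:
            f.write(b"#!/bin/sh\n# turned up on disk; never added to the list\n")

        allowlist = build_allowlist([(hello, ["alice", "bob"]), (backup, ["root"])])

        results["alice runs hello"] = check_execution(allowlist, hello, "alice")
        results["alice runs backup"] = check_execution(allowlist, backup, "alice")
        results["alice runs dropper"] = check_execution(allowlist, dropper, "alice")

        # A trusted binary is altered in place (bad update, trojanised package, ...).
        with open(hello, "ab") as f:
            f.write(b"# appended by something that should not have had write access\n")
        results["alice runs tampered hello"] = check_execution(allowlist, hello, "alice")
        results["audit"] = {os.path.basename(p): v for p, v in audit(allowlist).items()}
    return results


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(f"{label:26} -> {outcome}")
```

<p>
Note what the list never has to contain: the dropper. It is refused not
because anyone recognised it, but because nobody ever added it, and the
same one-line check catches the trusted script the moment its bytes
change.
</p>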
<p>
Preventing malware from running on your system is a real problem, and
solving it is the right thing to do. But please, try to solve it the
right way. I stopped using an antivirus after I moved out and got to
control my own computer. I don't think it ever did me any good besides
flagging false positives (a lot of the time on programs or applications
that I wrote, which weren't malicious in any way!) and grinding my
spinning disk to a halt. Evaluate what software you use. Is most of it
online? Are there one or two applications that you know you need? How
often do you install and use unknown or untrusted software? Odds are you
can come up with a short list of programs that you want or need to use.
If it comes to fewer than 100,000 entries (and it will), you're probably
better off with a default-deny policy than an antivirus suite.
</p>
<p>
* What I didn't mention above is that as soon as a new piece of malware
is built, if it differs enough from its predecessors, it goes undetected
by every antivirus suite on the planet that doesn't yet have it in its
definitions. So until that malware is used, detected, and added to the
list, it has free rein.
</p>