summaryrefslogblamecommitdiff
path: root/posts/2020-12-29-antivirus-software-is-a-hack.php
blob: 93040a05d5f56c1bd0a2a016514acfb4553dc888 (plain) (tree)
1
2

                                     

































































































































                                                                                                                                                                                                                        
<h1>Antivirus Software is a Hack</h1>


<p>
	<img src="https://nextcloud.53hor.net/index.php/s/jJoFoA7Ppjb7rey/preview" />
</p>

<p class="description">
	I read a really terrific article today about computer security and
	really dumb ideas or trends that have developed in this field. It's
	<a href="https://www.ranum.com/security/computer_security/editorials/dumb/">M. Ranum's <em>The Six Dumbest Ideas in Computer Security</em></a>, and I highly recommend reading through the whole thing. It's got
	great anecdotes and really simple language for what I consider to be
	some of the obvious issues with the way programmers and sysadmins think
	about security (myself included). One portion of it (idea #2), however,
	finally put something into words that I've felt for a really long time.
	It enables me to explain why I think all antivirus software is a total
	hack and is virtually useless.
</p>

<blockquote>
	hack<br />
	1. n. Originally, a quick job that produces what is needed, but not
	well.
	<br />
	<cite>-- The Jargon File (version 4.4.7, 29 Dec 2003) [jargon]</cite>
</blockquote>

<p>
	This is the Jargon File's definition of a hack. And to me, this is what
	antivirus software is. Antivirus software, as I understand it, emerged
	in the mid to late 1980s and became prolific in the 1990s. In the 2000s
	it was considered an essential piece of software and people were paying
	for yearly subscriptions for antivirus suites from Norton, Avast, and
	McAfee.
</p>

<p>
	The most basic functionality of an antivirus program is to determine
	whether malware exists on a host operating system. The typical method of
	doing this is to use a collection of virus definitions and compare each
	and every potentially-infected file with each and every definition to
	determine whether the file is malware or has been infected by some. An
	over-simplified way of implementing this is to store a collection of
	hashes, each taken from a known potentially unwanted program or
	infectious executable. You can then hash entire files or portions of
	files and compare the checksums to see whether a file contains or is
	equivalent to the definition, and is therefore infected and shouldn't be
	executed. Some security suites go beyond this with heuristic matching,
	but if you run an antivirus that has to "update definitions" on a
	routine basis, it probably works something like this*. With any luck, it
	does it without being a total detriment to system performance. Ideally
	it also doesn't act like a piece of malware itself by making itself near
	impossible to remove (looking at you, McAfee).
</p>

<p>
	To me, a virus definition database is "enumerating badness" (Ranum's
	Dumb Idea #2). The premise is that it is not only logical but even
	possible to compile a list of <em>all</em> potentially unwanted
	programs, viruses, ransomware, and worms. An environment of trust should
	be built around the programs that you want to run (read:
	<em>allow to run</em>), not the other way around. Picture an operating
	system where no binary file can be executed unless it is specifically
	flagged as being allowed to. Oh and picture also being able to restrict
	this execution to just the file's owner, or other groups of users.
	Wouldn't it be easier to store the list of 30 odd programs that you and
	other system users trust to be run than the thousands (millions?) of
	programs that are infectious, forbidden, or unwanted? What about when
	those trusted applications become compromised? Would it not also be
	easier to maintain a list of checksums for those binaries and compare
	those checksums before they're executed to make sure they haven't been
	infected or replaced?
</p>

<p>
	The answer is yes, it would be easier. And yes, it is easier. Of course,
	your system has to work that way. Antivirus software is a hack because
	it's a hack-y solution to a problem that has a better, simpler solution.
	It also has the potential for making a ton of money but I won't go into
	that. It's easier to enumerate goodness, to specifically open up to a
	select few trustworthy applications. Good lists are usually shorter than
	bad lists. This builds on top of Ranum's Dumb Idea #1: Default Permit.
	You wouldn't configure a firewall to just block some known bad ports and
	traffic. You configure it to block all of it, and then whitelist the
	ones you know you can trust. You wouldn't configure a browser ad-blocker
	to permit all ads, and select the ones you don't want to see. You block
	all of them! Then, if there are sites or ads you're okay with seeing,
	you whitelist them. You shouldn't default permit all programs to be
	given control over your computer, and then meticulously list the ones
	that don't have that permission.
</p>

<p>
	Oh and of course, as always, there's free software that lets you do
	this. You don't have to pay for an antivirus suite, or even use an
	unpaid one that slows down your computer or barrages you with ads. On
	the BSDs and virtually all Linux distributions, there are built-in tools
	to control access and execution of binaries. There are additional tools
	that you can install that check whether binaries (in locations like
	<code>/bin</code> or <code>/usr/local/bin</code> have been modified
	since you last used them. On Windows, the story is a little different.
	Most home Windows 10 users are automatically allowed to install and run
	any software they want to by default. Windows Server does have Software
	Restriction Policies that allow you to create a "default deny" policy
	and whitelist only the software that's allowed to run. If you're using a
	home edition you probably have to look for software that lets you do
	this. I haven't tried any of them so I'm not going to endorse or even
	name them here.
</p>

<p>
	Preventing malware from running on your system is a problem. Solving
	this problem is the right thing to do. But please, try to solve it the
	right way. I stopped using an antivirus after I moved out and got to
	control my own computer. I don't think it ever did me any good besides
	flag false positives (a lot of the time with programs or applications
	that I wrote, which weren't malicious in any way!) and grind my spinning
	disk to a halt. Evaluate what software you use. Is most of it online?
	Are there one or two applications that you know you need to use? How
	often do you install and use unknown or untrusted software? Odds are you
	can come up with a list of very few programs that you want or need to
	use. If it's less than 100,000, you're probably better off with a
	default deny policy than an antivirus suite.
</p>

<p>
	* What I didn't mention here is that as soon as a new piece of malware
	is constructed, if it's different enough from its predecessors, it's
	impervious to all antivirus suites on the planet that don't have it in
	their definitions. So until that malware is used, detected, and added to
	the list, it has free reign.
</p>