Antivirus Software is a Hack

I read a really terrific article today about computer security and really dumb ideas or trends that have developed in this field. It's M. Ranum's The Six Dumbest Ideas in Computer Security, and I highly recommend reading through the whole thing. It's got great anecdotes and really simple language for what I consider to be some of the obvious issues with the way programmers and sysadmins think about security (myself included). One portion of it (idea #2), however, finally put something into words that I've felt for a really long time. It enables me to explain why I think all antivirus software is a total hack and is virtually useless.

hack
1. n. Originally, a quick job that produces what is needed, but not well.
-- The Jargon File (version 4.4.7, 29 Dec 2003) [jargon]

This is the Jargon File's definition of a hack. And to me, this is what antivirus software is. Antivirus software, as I understand it, emerged in the mid to late 1980s and became prolific in the 1990s. In the 2000s it was considered an essential piece of software and people were paying for yearly subscriptions for antivirus suites from Norton, Avast, and McAfee.

The most basic functionality of an antivirus program is to determine whether malware exists on a host operating system. The typical method of doing this is to use a collection of virus definitions and compare each and every potentially-infected file with each and every definition to determine whether the file is malware or has been infected by one. An over-simplified way of implementing this is to store a collection of hashes, each taken from a known potentially unwanted program or infectious executable. You can then hash entire files or portions of files and compare the checksums to see whether a file contains or is equivalent to the definition, and is therefore infected and shouldn't be executed. Some security suites go beyond this with heuristic matching, but if you run an antivirus that has to "update definitions" on a routine basis, it probably works something like this*. With any luck, it does it without being a total detriment to system performance. Ideally it also doesn't act like a piece of malware itself by making itself near impossible to remove (looking at you, McAfee).

To me, a virus definition database is "enumerating badness" (Ranum's Dumb Idea #2). The premise is that it is not only logical but even possible to compile a list of all potentially unwanted programs, viruses, ransomware, and worms. An environment of trust should be built around the programs that you want to run (read: allow to run), not the other way around. Picture an operating system where no binary file can be executed unless it is specifically flagged as being allowed to. Oh, and picture also being able to restrict this execution to just the file's owner, or to other groups of users. Wouldn't it be easier to store the list of 30-odd programs that you and other system users trust to be run than the thousands (millions?) of programs that are infectious, forbidden, or unwanted? What about when those trusted applications become compromised? Would it not also be easier to maintain a list of checksums for those binaries and compare those checksums before they're executed to make sure they haven't been infected or replaced?

The answer is yes, it would be easier. And yes, it is easier. Of course, your system has to work that way. Antivirus software is a hack because it's a hack-y solution to a problem that has a better, simpler solution. It also has the potential for making a ton of money but I won't go into that. It's easier to enumerate goodness, to specifically open up to a select few trustworthy applications. Good lists are usually shorter than bad lists. This builds on top of Ranum's Dumb Idea #1: Default Permit. You wouldn't configure a firewall to just block some known bad ports and traffic. You configure it to block all of it, and then whitelist the ones you know you can trust. You wouldn't configure a browser ad-blocker to permit all ads, and select the ones you don't want to see. You block all of them! Then, if there are sites or ads you're okay with seeing, you whitelist them. You shouldn't default permit all programs to be given control over your computer, and then meticulously list the ones that don't have that permission.
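As an added illustration (not code from the original post, nor from Ranum's article), here is a small Python sketch that puts the two approaches side by side: the definition-database scan described above, which hashes whole files and windows of files against a list of known-bad checksums, and the default-deny allowlist, which only runs a binary if its path and checksum are both on a short trusted list. The "binaries", paths and definition names are constructed for the example; the interesting case is a never-before-seen sample, which the blocklist lets through (the footnote at the end of the post) and the allowlist does not, and a trusted binary whose contents have changed, which only the allowlist catches.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample "binaries": byte strings standing in for files on disk.
TRUSTED_EDITOR = b"\x7fELF constructed trusted editor v1.0"
KNOWN_WORM = b"MZ constructed worm that is already in the definitions"
NEW_WORM = b"MZ constructed worm that nobody has seen yet"
TAMPERED_EDITOR = TRUSTED_EDITOR + b"\x00injected code"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Enumerating badness: (length, hash) of every known-bad sample.
# This list has to grow forever and is updated on a schedule.
VIRUS_DEFINITIONS: Dict[Tuple[int, str], str] = {
    (len(KNOWN_WORM), sha256(KNOWN_WORM)): "Worm.Constructed.A",
}

# Enumerating goodness: the handful of programs this host may run,
# keyed by (hypothetical) path, valued by the checksum we trust.
ALLOWLIST: Dict[str, str] = {
    "/usr/local/bin/editor": sha256(TRUSTED_EDITOR),
}


def blocklist_scan(data: bytes) -> Tuple[bool, str]:
    """Antivirus-style check: permitted unless some window of the file
    matches a definition. Real scanners use smarter matching; hashing
    every window is the over-simplified version the post describes."""
    for (length, digest), name in VIRUS_DEFINITIONS.items():
        for offset in range(len(data) - length + 1):
            if sha256(data[offset:offset + length]) == digest:
                return False, f"matched definition {name} at offset {offset}"
    return True, "no definition matched; unknown code is permitted"


def allowlist_check(path: str, data: bytes) -> Tuple[bool, str]:
    """Default-deny check: blocked unless the path is trusted AND the
    contents still hash to the value recorded when it was trusted."""
    expected = ALLOWLIST.get(path)
    if expected is None:
        return False, "not on the allowlist"
    if expected != sha256(data):
        return False, "on the allowlist but contents changed (replaced or infected)"
    return True, "trusted binary, unchanged"


def verdicts(path: str, data: bytes) -> Dict[str, str]:
    """Run both checks on one file and return the decision of each."""
    return {
        "blocklist": "allowed" if blocklist_scan(data)[0] else "blocked",
        "allowlist": "allowed" if allowlist_check(path, data)[0] else "blocked",
    }


if __name__ == "__main__":
    cases = [
        ("trusted editor, unchanged", "/usr/local/bin/editor", TRUSTED_EDITOR),
        ("known worm, downloaded", "/tmp/download", KNOWN_WORM),
        ("known worm embedded in a file", "/tmp/download", b"GIF89a" + KNOWN_WORM + b"\x00"),
        ("brand-new worm (no definition yet)", "/tmp/download", NEW_WORM),
        ("trusted editor, tampered with", "/usr/local/bin/editor", TAMPERED_EDITOR),
    ]
    for label, path, data in cases:
        print(f"{label:36} {verdicts(path, data)}")
```

The blocklist needs one entry per piece of malware in existence and still says "allowed" for the new worm; the allowlist needs one entry per program you actually use and says "blocked" for everything else, including a trusted program that has been modified.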

Oh, and of course, as always, there's free software that lets you do this. You don't have to pay for an antivirus suite, or even use an unpaid one that slows down your computer or barrages you with ads. On the BSDs and virtually all Linux distributions, there are built-in tools to control access to and execution of binaries. There are additional tools that you can install that check whether binaries (in locations like /bin or /usr/local/bin) have been modified since you last used them. On Windows, the story is a little different. Most home Windows 10 users are automatically allowed to install and run any software they want to by default. Windows Server does have Software Restriction Policies that allow you to create a "default deny" policy and whitelist only the software that's allowed to run. If you're using a home edition you probably have to look for software that lets you do this. I haven't tried any of them so I'm not going to endorse or even name them here.

Preventing malware from running on your system is a problem. Solving this problem is the right thing to do. But please, try to solve it the right way. I stopped using an antivirus after I moved out and got to control my own computer. I don't think it ever did me any good besides flag false positives (a lot of the time with programs or applications that I wrote, which weren't malicious in any way!) and grind my spinning disk to a halt. Evaluate what software you use. Is most of it online? Are there one or two applications that you know you need to use? How often do you install and use unknown or untrusted software? Odds are you can come up with a list of very few programs that you want or need to use. If it's less than 100,000, you're probably better off with a default deny policy than an antivirus suite.

* What I didn't mention here is that as soon as a new piece of malware is constructed, if it's different enough from its predecessors, it's impervious to all antivirus suites on the planet that don't have it in their definitions. So until that malware is used, detected, and added to the list, it has free rein.