Antivirus Programs' Downsides
By Michael Ross
This article was published by ComputorEdge, issue #2844, 2010-10-29, as the cover article, in both their PDF edition (on pages 6-9) and their website.
In the movie Terminator 3: Rise of the Machines, the humans realize too late that Skynet, the powerful defense network that at one point they thought was protecting them against a cyber attacker, actually turned out to be the enemy. You may feel the same way if you have ever been called upon to fix someone's PC that is running terribly slow — only to discover that the security software that is supposed to be protecting it and helping the user, is causing the operating system to run at such a slow pace that the security software is unable to remove any malware.
This is not a theoretical scenario dreamed up by Hollywood scriptwriters, because I personally have worked on a couple machines that were so bogged down by antivirus software and other security utilities, that the computer was effectively unusable, and none of the offending programs could be uninstalled. In these cases, the best solution turned out to be the "nuclear option", i.e., wipe the hard drive and reinstall the operating system. But this has the obvious downside of losing any user data that has not been backed up (which sadly is the case with far too many users' data) — assuming that it is an older PC that does not allow you to boot off of a "live CD" and copy the data to a USB flash drive, or that the user has done such a horrendous job of organizing his data on the hard drive that it cannot be located manually, without running the original applications.
Antivirus product vendors make all sorts of claims as to the effectiveness and safety of their products — claims that oftentimes turn out to be false and misleading. In this article, we will examine some of the issues which get almost no coverage in the press — especially the press that accepts advertising from software vendors. The term "antivirus software" will be used in the more general sense, referring to any computer program designed to battle viruses, Trojan horses, and worms — but not those programs dedicated to fighting spyware. Our focus will be on software that runs under Microsoft Windows; but many of the principles apply equally well to PCs running Linux and Mac OS X.
Proponents of Windows may argue that it is unfair to focus on their favorite operating system, and that Linux and OS X have seen their share of security problems. But critics of Microsoft Windows can point to a history of lousy security, as well as several major weaknesses in the operating system's design. For instance, Windows allows any program to alter key components of the operating system: the Registry, the autorun files (which start automatically when Windows itself starts), and the executable programs at the core of the system. After all, what kind of system would invite unvetted applications to modify a critical part of the system — in this case, the Registry — during an unavoidable step, namely, installing the applications?!
To say that the history of antivirus software is checkered, may be a bit generous. When this type of software was emerging on the computer scene — in the late 1980s — the viruses were relatively primitive compared to those of today, making it much easier for security software to detect and report the viruses, regardless of whether a virus was embedded in an executable program or hidden in the master boot record (MBR) of a hard drive or diskette. Yet the virus authors quickly learned better techniques for cloaking their clever code so as to better evade detection by all the leading antivirus checkers. At the same time, those wishing to spread viruses also made progress via "social engineering", which in this realm means crafting spam and later Web pages to increase the odds that unsuspecting Internet users will download virus-infected programs to their computers.
As the years went by, security software manufacturers devoted greater resources to improving their products and the databases of virus signatures upon which they relied. But virus authors were always one step ahead, and apparently gaining ground all the time, as they developed "polymorphic viruses", which are designed to be shape-shifting so that their own digital signatures no longer match their virtual "mug shots" in the vendors' databases.
Those vendors certainly had more resources to throw at the problem. So how well did they do? Several years ago, a manager at the Australian Computer Emergency Response Team (AusCERT) stated that an astounding 80 percent of malware is not even detected by antivirus programs, let alone eradicated. In other words, popular desktop antivirus applications "don't work". One needs to seriously question the value of any antivirus product that catches less than 20 percent of the malicious code — certainly deserving of a failing grade.
Did the security software companies accept those embarrassing results as a challenge to redouble their efforts and improve their offerings? Apparently not, given that one year later an industry observer, Virus Bulletin, was sharply criticizing some of the major players — Microsoft, McAfee, Norton, and G DATA Software --for not "having their products right by now." John Hawes, a technical consultant at Virus Bulletin, even noted that "I had my head in my hands when I saw how poorly tailored some of the products were." If some of the leading products can do that to a security expert, one can only imagine the frustration felt by the average computer user when her chosen antivirus program seems to cause as much grief as a virus.
While the vendors should be praised for spending the money to bolster their antivirus programs, they should not win praise for the misleading ads that some commentators could only characterize as scaremongering — ads that featured all sorts of scary statistics as to the number of virus variants loose in the wild, and the damage they could do to one's computer. Such marketing efforts invariably failed to admit that the typical user's risk of infection was far less than the ads might suggest, and that the majority of the viruses would never be seen on any but the most backwater websites, none of which the average user would stumble upon or even hear about.
Doctors take a vow that they will "do no harm" — part of the Hippocratic Oath. If only the same were true for security software manufacturers. While a computer user may spend $75 or less for a security suite that may turn out to do no good whatsoever, that direct financial loss could be the least of the damage, considering that anyone with enough wherewithal to own a computer would certainly value her time — time that is wasted when she must wait for a resource-sucking program to connect to the vendor's server, check for the latest virus signatures, prompt to download and install them, perform said operations, and then begin scanning. Some of the more bossy of these applications don't bother to even give the user a chance to decide whether or not to do a full system scan, but launches into one anyway, effectively locking up the machine for hours. A cynic could joke that, consuming 100 percent of the CPU is the only way that some of these programs can be effective, by preventing the user from downloading virus-infected files, or doing anything else on the computer!
Even worse, some of the products conflict with other applications, making one's system unstable, and even cause file corruption or outright deletion. For instance, in March 2006, McAfee released an update to their Anti-Virus product that caused widespread damage for countless users by generating false positives for non-infected files in all sorts of applications, including Microsoft Office. One site alone lost tens of thousands of files on approximately 2000 machines. The fiasco was enough to prompt people to comment that they needed antivirus protection from their antivirus protection!
Twelve months later, users of the security service Live OneCare (from Microsoft, always a reliable source of security snafus) learned the hard way that when OneCare detected a virus in one of the e-mail messages in Outlook or Outlook Express, instead of simply deleting or quarantining the individual message, OneCare would delete the entire e-mail folder containing the virus. How's that for a nuclear option? By the way, OneCare came in last place when tested against 16 other antivirus products.
But of all the antivirus options on the market, perhaps the most disparaged and despised is Norton AntiVirus, now owned by Symantec. In the eyes of a legion of angry users, Norton has usually been the worst offender in terms of consuming system memory and processing power. It nags the poor user with alarming pop-up messages exhorting him to purchase the product after the trial period has passed. It can cause system crashes when not properly uninstalled or when hit by a virus on a non-XP system. It tends to be the priciest of the options, and yet the virus definitions are behind those of the competition. Even when it finds a virus, its quarantine process can be of little value. Internet gaming enthusiasts are annoyed when it blocks needed ports. Lastly, it is oftentimes forced upon people who have purchased PCs from Compaq and other hardware companies that bundle it onto their new PCs — in other words, replicating without people's knowledge — like a virus.
Thinking Outside the Computer Box
Given the raft of problems that can be caused by even some of the most heralded security programs out there, it can make the average computer owner wonder, "With friends like that, who needs enemies?" Fortunately, it is possible to use a computer every day, visiting innumerable websites, and downloading and installing software, without running any antivirus programs, and yet never encountering a computer virus or any other instance of malware — and I speak from experience.
Fully understanding a problem usually takes one at least halfway to the solution. So first consider the sources of the viruses, worms, and other malware. A couple decades ago, the primary vector of infection was the ubiquitous diskette, which was produced in the untold millions, and frequently used to transfer data files and executable programs from one computer to another. (This was the era before the Internet and e-mail.) Nowadays, your Internet connection is the only way that tainted software could land on your hard drive, assuming that you do not load a CD that was created by an individual and contains executable programs. Consequently, if you use a safe Web browser (i.e., anything other than Internet Explorer), avoid questionable websites, load only factory-made CDs, and never download any executable files except from the most trusted of shareware sites and vendors, then you probably will never need to scan your system for viruses. (Also, be sure to make diligent use of a firewall for blocking inbound attacks and outbound spyware communications.)
So when deciding whether an individual antivirus program, or a full security suite, is a wise addition to your overall strategy for protecting your computer, bear in mind that the cure is sometimes worse than the disease.
Copyright © 2010 Michael J. Ross. All rights reserved.