The internet is a scary place. You know that, whether intuitively, or because you’ve experienced some of the dangers first hand. Perhaps a devilish piece of ransomware got you and shut off your access to your data unless you paid something. Or perhaps you’ve experienced your Facebook or your Twitter account getting hacked, your password changed, and you had a nerve racking time undoing the damage, all while hoping that the guy who took control of your account wasn’t doing damage to your reputation online. Or in some ways worst of all, perhaps you’ve experienced identity theft, and had someone basically being you for some time, doing all sorts of things you’d rather not think of.
And because a lot of times, our computers get attacked through malicious software, or malware — which can take the form of the traditional virus, or ransomware, or spyware, or any of the forms they take — our first step to defend ourselves is to go get a good piece of antivirus software, load it up, and watch as it protects us while we tread along the putrid waters that we call the internet.
As we see that green shield or some other kind of assuring icon resting calmly in our system trays, or menu bars, or web browsers, we feel like we’re protected, that an incredibly smart software, built by incredibly smart guys, is protecting us. We may even shell out good money for it.
Or are we?
And while that may sometimes be true, what we may not realize is that our antivirus software, the very thing that is supposed to protect us from the dangers lurking on the internet, may in fact be directly contributing to making us easier to attack.
Antivirus software has a huge attack surface
To understand that, let’s explore a little on how an attack takes place. One way in which an attacker can get you, is to make use of vulnerable software that is sitting on your computer. When a piece of software is vulnerable, it means that someone, the attacker, can trick that software into doing things that it actually isn’t supposed to. Imagine your music player software. It’s supposed to play your music for your enjoyment. But if someone can somehow convince your music player to, instead, find a file on your computer and send it to them, then that isn’t good. That isn’t what your music player is supposed to do.
Now, the more things a piece of software can do, the more ways an attacker can trick or confuse that software to do things it isn’t supposed to.
Your music player is pretty simple. It (perhaps) only tries to read and play your music mp3 files. Which means that all it “understands” is mp3 music files.
Your calculator app is even simpler. It only understands the digits and mathematical expressions *you* put in. It probably doesn’t even need to understand what a file is!
Your music player and your calculator app are so simple, that there are only a few things an attacker can try, before they kind of run out of options. In a sense, their simplicity makes it harder for an attacker to find a sneaky way to abuse them. The amount of ways that an attacker has to try to trick or confuse your software, is what we call the “attack surface” of your software.
Now think about your antivirus application and what is has to do, to try to keep you safe. To put it simply, it needs to watch and see everything you do, in order to do its job. It needs to take a look at what apps you are opening. It needs to monitor what those apps are doing, perhaps even behind your back. It needs to check if the files on your computer look okay. It needs to see what websites you’re visiting, and when you visit those, what those websites are telling your computer, again probably behind your back, to do. Most of all this stuff that is going on behind your back is completely legitimate, and is the exact reason why our computers and web apps and mobile apps do what we expect them to do — because they’re doing lots of heavy lifting and intelligent stuff without bothering you with it. However, this means is that your antivirus software is doing a lot.
And what this means is that antivirus software has a huge attack surface. Which means that an attacker has loads of options to try, to trick it into doing something that it isn’t supposed to do.
How would an attacker do that?
Primarily, an attacker will try to give your antivirus strange inputs that it may not be expecting. Perhaps it may try to get the antivirus to scan a webpage full of “nonsense” that it cannot properly handle. Except that it’s not nonsense, it’s specifically crafted to confuse your antivirus.
Perhaps the attacker may send you an email, that your antivirus will try to look at, that contains random stuff. Again, except that it’s not random at all.
And therefore, you can see why the larger the attack surface, the more input options your attacker has to try. Without the antivirus, the attacker may have to find a vulnerability in your operating system, or your web browser, or something that you regularly use, which are usually much more specialized, and much more well defended.
In 2016, Google’s Project Zero found 25 high-severity bugs in Symantec/Norton security products. “These vulnerabilities are as bad as it gets,” said Tavis Ormandy, a Project Zero researcher. “They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
Antivirus software has bugs
Now the problem doesn’t happen if the attacker simply gives the antivirus strange inputs that it doesn’t understand. The problem happens when the antivirus itself has a bug, that manifests when it is trying to handle that strange input.
Antivirus software is extremely complex. Because it needs to do a lot. And it needs to do it fast, so that your system doesn’t slow down and frustrate you. And it needs to make complex decisions, again to protect you.
But this is a double edged sword. Antivirus software is written by humans, and all humans will definitely make mistakes. When mistakes happen, they lead to bugs. Especially in something as complex as an antivirus.
The fact is, not all bugs are dangerous. Some bugs are just annoying, or frustrating, like bugs that simply crash the application, or report an error, or prevent you from triggering a specific feature.
However, there are some bugs that can be craftily misused, to trick the software into doing things that it’s not supposed to do. And this is called a **vulnerability**.
A vulnerability is not simply a failure, or a crash, because in those cases, the software in a sense does nothing (but fail). In the case of a vulnerability, an attacker can exploit the software to steal your data, or execute commands that you don’t know about, or simply take control of your computer.
Antivirus software is very privileged
Again, for your antivirus software to do its job, it needs to be able to penetrate and look really deep into your operating system, and monitor all sorts of occurrences, called “events”, that happen as you use your computer. To do this, it needs great privileges, or permissions, from your operating system. You’ll quickly realize that this means that your antivirus software is running at a very privileged level, with the ability to do much more work, and much more damage, than your usual application. Like your calculator app.
This makes things worse. Once the attacker is able to exploit a vulnerability in your antivirus, they potentially gain the privileges of the antivirus, which are very high indeed. This gives them nearly unfettered access to your system (depending on the nature of the vulnerability).
So what should we be doing instead?
None of this is meant to suggest that you should (or shouldn’t) use antivirus, but really is to shine a light into the face that running an antivirus does not necessarily make you safer.
Antivirus does do a good job in detecting 80% or 90% of the very common threats out there. It can also do a reasonable job of identifying known malicious websites, or phishing emails, and warn you about them. To a large extent, it will block known viruses.
However, just know and do consider that running an antivirus does also, in other ways, make you less safe. It gives an attacker more options to try to attack you. And in a sense, it the stuff that antivirus fails to detect that are more concerning. An attacker that wants to launch an attack, can simply buy and/or download every single antivirus out there, and ensure that the attack he is launching is not discovered by any of them.
Update, update, update
If you do run an antivirus, make sure it’s always updated. Antivirus vendors take pains to reduce or eliminate the bugs in their software, and you should most certainly take advantage of that.
Practice digital hygiene
This is perhaps the most important.
By simply being careful, and aware of the dangers of the internet, you can protect yourself very well. The usual advice applies here — don’t run software you don’t trust, don’t open attachments you don’t trust, don’t click on links you don’t trust.
When you’re on the web, check for security certificates, and make sure that the site you’re going to is indeed the official site. If you’re heading to Facebook, make sure it’s facebook.com, and not something other similar looking URL.
If anything you do doesn’t feel right — a new software takes longer than reasonable to start, your computer suddenly slows down, you find yourself logged in (or out) of accounts that you distinctly not being the case, be suspicious.
Don’t dismiss that intuition.