Antivirus should be a last-ditch line of defense, not something you rely on to save you. To stay safe online, you should act as if you had no antimalware software on your computer at all.
Antivirus isn’t the cure-all it’s often considered. There’s a reason companies like Netflix are dumping traditional antivirus and even the makers of Norton have declared antivirus “dead.” Don’t have a false sense of security because antimalware software is running on your computer.
The Two Main Ways Malware Gets On a PC
There are two main ways malware could get onto your system. One is through exploits — often browser and plug-in exploits targeting vulnerable software like Flash and Java. The other is through downloading something bad and running it. Antivirus can’t protect you against the newest attacks.
Blacklisting Is Fighting a Losing Battle
Antivirus software relies on blacklisting and heuristics — and really, heuristics are just another type of blacklisting. Antimalware companies find malware in the wild, analyze it, and add “definitions” that antimalware software constantly downloads. Whenever you run an application, the antimalware software checks to see if it matches a definition and blocks it if it does.
Antimalware software also incorporates heuristics-based detection. Heuristics check to see if a piece of software behaves similarly to known malware. It can block new pieces of malware before definitions are available for them, but heuristics aren’t anywhere near perfect.
The problem with the blacklisting approach is that it assumes everything is safe by default, and then attempts to pick out the known-bad things. It would be more secure to flip this upside down — assuming everything is dangerous and shouldn’t run unless it’s been more proven to be safe. Unfortunately, Microsoft only offers the most powerful whitelisting features on Enterprise editions of Windows.
Criminals Are Designing Malware to Avoid Detection
Sophisticated attackers can engineer malware to bypass antimalware programs.
You may have heard of VirusTotal, a website — now owned by Google — that allows you to upload a file. It scans that file with many different antivirus engines and reports what they say about it.
It wouldn’t be too hard to set up your own version of VirusTotal that doesn’t share files you upload with these antimalware companies. In fact, attackers have their own VirusTotal-like tools, allowing them to scan a file with many different antivirus engines to see if it’s detected. If antivirus software detects it, they can make modifications to avoid detection by antimalware software.
Studies have shown this is indeed what is happening. For example, a study from Damballa found that antivirus software fails to detect 70 percent of new malware within the first hour. Criminals are specifically tuning new malware to avoid detection by the antivirus software running on their targets’ computers.
Once the Malware is Running, You’re In Trouble
Once a piece of malware gets an anchor on your system, it’s over. You’ve been compromised. The malware could add exceptions to your antivirus software or just disable it from running and detecting the malware in the future. Given all the unpatched Windows systems out there with vulnerabilities that could be exploited to gain additional privileges once the software is running on your computer, this wouldn’t even require agreeing to a UAC prompt a lot of the time — although agreeing to that UAC prompt would certainly seal your fate, too.
Just clicking through an antimalware software warning and saying you want to run the malware in spite of the warning a single time would also be disastrous. Once the malware is running, it’s impossible to know you’ve rooted out every last bit of it without performing a full reinstall of Windows.
What Can Protect You?
The solution isn’t just software, although it’s always tempting to look for a technical solution when the real solution is a social one.
We should all behave as if we have no antimalware software. That doesn’t mean you shouldn’t be running something — at least the Windows Defender software built into the latest version of Windows, for example. But it’s just a last-ditch line of defense, not your only one.
This means avoiding pirating software — downloading and running programs from shady websites is dangerous. It means keeping a look out and only downloading credible software, avoiding things that look a bit sketchy. It also means understanding which file types are potentially dangerous — a .png file is just an image so it should be fine, but a .scr file is a screensaver program that could run potentially malicious code. We’ve covered the good security practices you should be following.
The Future of Security Software
The future of security software isn’t just blacklisting. Instead, it will often be something more like whitelisting — shifting from “everything is allowed except known-bad stuff” to “everything is denied except known-good stuff.”
That’s what Netflix is shifting to — software that monitors the software running on its servers for irregularities rather than scanning it against known malware.
More sophisticated tools should also harden the software we use, blocking techniques attackers use rather than fighting the losing battle of constantly adding new definitions.
Malwarebytes Anti-Exploit is a great example of this, which is why we recommend it so heartily here. This free tool blocks common exploit techniques used against web browsers and their plug-ins. It’s the kind of thing that should be built into Windows and modern web browsers. Microsoft even has their own similar technology in EMET, although it’s largely targeted at the enterprise.
No, you probably don’t want to dump your antivirus software like Netflix did. Antimalware software still works fairly well against random older malware you might encounter online. But, against newer and smarter attacks, antimalware software often falls flat on its face. Don’t put all your trust in it to protect you.