There's no such thing as flawless protection
Jon loses his patience with AV vendor intimations that suggest they’re offering perfect security
The news that an antivirus package has managed to go rogue, and decide that key Windows system files were malware, caused quite a flurry of tut-tutting. But it isn't the first time this has happened. Every year or so, it seems that one of the major AV packages gets an updated set of definitions, only to cause huge disruption. It grabs core Windows system files and moves them into quarantine, or deletes them, or performs some other, quite unhelpful action. If you're unlucky, you won't notice this until the machine is rebooted, and the subsequent reboot attempt fails with the end result a thoroughly scrambled OS. If you're really unlucky, then the machine just dies before you've had an opportunity to save your work.
As in the previous instances, something went wrong inside the AV package, and the files got nuked, or scrambled, or moved away. Fixing this isn't simply a case of "press F5 when you boot and it will sort itself out". No, you need to get the files back from the quarantine area, and then put them into the right places, and then try to reboot. In most cases, it will probably be easier to recover from your image-based backup solution. You do have one of those, don't you? If not, try one of the various repair methods for Windows, and hope it works.
Now I understand that software has bugs; I've discovered a number over the past 30 years. I was probably responsible for some in my younger, coding years. But the very action of a piece of downloaded code attacking your Window system and causing chaos, without your authorisation, sounds remarkably like... do you know, it could almost be a virus? The very process you're trying to protect yourself from is the process that kills your machine. It's hard to take this sector seriously when such errors occur and are pushed out to the payingpublic.
Ah, but the cure is better than the illness, the AV vendors will claim. After all, aren't a few mess-ups such as this better when compared to the trillions of pieces of malware that come trundling down your internet connection every time you browse theJohn Lewis website, or order sometoilet rolls from Tesco?
They might be right. But here's the problem: I don't trust any AV package to secure my system. None of them because they demonstrably don't work. If they did, then I could say "Go buy package X", and you would. And then you'd never have a malware or virus problem ever again. You could sit content in the knowledge that your computer is going to be fine.
But this isn't the issue. And here is where I become really annoyed at the AV industry. You can take a whole bunch of malware it isn't difficult tofind; there are plenty of kosher websites out there from which you can download terabytes of malware every month. And then you can get your package to scan this seething cesspit and see what it finds. And it's entirely possible that everything is found, and cleaned, on the first sweepthrough.
This, you might conclude, means that the AV package is doing its job just fine, and that you'll be safe. Except for one nagging issue the difference between the macro and themicro. Does the efficacy of your package today give you any guarantee about how it will work tomorrow, when that new threat tomorrow is entirely unknown today?
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The AV vendors will whine thatthey have all sorts of reverse-engineering capabilities, and sandboxes and other fabulous things. All of which matter not one jot, simply because there may well be some malware tomorrow that gets through. It doesn't matter how good the software was last week; what matters is that it will fail tomorrow. It doesn't need 40,000 pieces of malware to be correctly identified today it just needs one, just the one, to get through tomorrow and you're hosed.
By any sensible measure of capability, this is a failure. The macro response is irrelevant when it's one piece of malware that gets through and trashes your computer. When it's the AV package itself that does this, one's faith in the whole scenario is further shaken.
Now the AV package vendor willclaim that it can't protect you against everything, and thus my annoyance ismisplaced. But go take awander around the websites of the major vendors. "We believe that everyone has the right to be free of cybersecurity fears" quoth Eugene Kaspersky. Webroot the vendor in question with regards to this latest screw-up has a question and answer wizard, which on completion recommends a product, claiming "Theperfect security for you is...SecureAnywhere AntiVirus." Not "recommended", but"perfect".
McAfee says, "By protecting consumers across all their devices, McAfee secures their digital lifestyle athome and away." Avast: "Our job is to keep you safe. Get Avast for home, business or on the go, and protect everything you do." Avira goes for, "It's the first-ever full security package that not only blocks malware,but anonymizes your browsing, and wipes your online traces clean for free."
You can decide for yourself how close these claims are to false advertising. But please note that noneof the vendors offers significant financial compensation for failure of their product to protect you. Which isn't quite the sort of liability you'd expect from a company making such bold claims.
Microsoft isn't blameless in this, either. The mere fact that a piece of malware, or Webroot in this case, cantake a hatchet to your running OS, shows that it isn't a secure operating system. Microsoft is happy to claim that "Windows Defenderis your antivirus security solution that delivers comprehensive and real-time protection against software threats across email, cloud and web. Because it not only detects and removes viruses, spyware and malware; Windows Defender is the last thing amalware threat ever sees." Which, iftrue, means that I have no need at allto purchase or install a third-party antivirus package. Why would I need to when, "Windows Defender is the last thing a malware threat ever sees"?
What's the answer? If we're going to use operating systems that are, frankly, so laughably easy to terminally corrupt, and which seem incapable of protecting themselves, then the only safe way to run them is within a virtual machine. That way you can snapshot it, roll it back when something goes wrong, andeven have a base starting point from which asession can be restarted. Why are we continuing to support a market worth some $25 billion per year when suppliers' claims are out of alignment with the end-user reality, and when a vendor is capable of operating in away that's indistinguishable from the very issue it claims to protect youfrom?