Is your antivirus protecting your computer or making it more hackable?
Internet security experts are warning that anti-malware technology is becoming less and less effective at protecting your data and devices, and there's evidence that security software can sometimes even make your computer more vulnerable to security breaches.
This week, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued a warning about popular antivirus software made by Symantec, some of it under the Norton brand, after security researchers with Google's Project Zero found critical vulnerabilities.
"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," wrote Google researcher Tavis Ormandy in a blog post. Symantec said it had verified and addressed the issues in updates that users are advised to install.
It's not the only instance of security software potentially making your computer less safe.
Concordia University professor Mohammad Mannan and his PhD student Xavier de Carné de Carnavalet recently presented research on antivirus and parental control software packages, including popular brands like AVG, Kaspersky and BitDefender, that bypass some security features built into internet browsers to verify whether sites are safe or not in order to be able to scan encrypted connections for potential threats. In theory, they should make up for it with their own content verification systems.
'Surprised at how bad they were'
But Mannan's research, presented at the Network and Distributed System Security Symposium in California earlier this year, found they didn't do a very good job.
"We were surprised at how bad they were," he said in an interview. "Some of them, they did not even make it secure in any sense."
When contacted about Mannan's research, Kaspersky said it was reviewing the research and AVG said it had made precautionary changes to its software. Alexandru Balan, chief security researcher for BitDefender, defended his company's encrypted content scanning feature as valuable protection against threats, but said that type of "SSL or TLS filtering" feature needs to be designed and constantly updated in a careful fashion, which he believes his company does.
However, Mannan recommends that if you use antivirus software, you should choose one that doesn't have the feature or turn it off.
He doesn't use antivirus protection on his primary machines and hasn't for years, he said.
"I don't see any clear advantage of using them," he wrote in a followup email, noting that they can slow your machine down and introduce new vulnerabilities.
Neither the vulnerabilities reported by Mannan nor the Symantec vulnerabilities are known to have been exploited, but that doesn't mean they never have been.
Meanwhile, many experts agree that antivirus software may not do a great job at protecting your computer against today's threats.
"Antivirus is getting increasingly useless these days," wrote Stu Sjouwerman, CEO of KnowBe4, which trains employees of other companies to be smarter about internet security, in a blog post this week.
When asked to elaborate in an interview, he said, "The bad guys … basically have gone smart and they say, 'We're not going to try and circumvent antivirus. We're just going to attack organizations at the weakest link in IT security, which is the user.'"
Increasingly, attacks focus on social engineering or phishing that lures users onto compromised websites that can steal information or serve ransomware.
Those websites are so short-lived that antivirus software often doesn't update fast enough to recognize them, Sjouwerman added.
Still worth it?
J. Paul Haynes, CEO of Cambridge, Ont.-based cybersecurity firm eSentire, said that while antivirus software used to protect against 80 to 90 per cent of threats, but it's now thought to protect against less than 10 per cent because of the cybercriminal tactics cited by Sjouwerman.
"It gets a little worse every day, every week, every month," Haynes said.
But both Sjouwerman and Haynes suggest that even a small level of protection offered by antivirus software may still be worth the price for corporations.
"This is the easiest and cheapest stuff to stop," Haynes said.
However, they both warned against having a false sense of security if you have an antivirus installed.
For the consumer, Haynes said, "ransomware is probably the thing that people have to worry about." Ransomware typically encrypts your files and demands a ransom of several hundred or thousand dollars to restore access.
And because those compromised websites are so short-lived, "it wouldn't matter how good your antivirus is," Haynes said, you'd still be vulnerable.
Tips for protecting yourself
So what can you do to protect yourself in the post-antivirus age?
Mannan, Haynes and Sjouwerman all have similar recommendations:
- Back up everything regularly. You can back up photos and non-sensitive files to the cloud. But you should also keep a backup on an external hard drive that is not physically connected to your computer (otherwise it can be compromised in a ransomware attack). That way, if you get attacked by ransomware or another threat, you can roll back to the previous version of your computer.
- Keep your operating system and software such as browsers up to date and patched. Turn on automatic updates if they're available.
- Think before you click on links or attachments. If you're not sure about them, get in touch with the person who sent them to double-check.