Saturday, March 23, 2013

The Abysmal State of Security Software

Security software, specifically anti-virus and anti-malware software, has been a staple in the Windows world since Windows 95. Users are told they need this software to keep them safe, or else they're in for a world of hurt. In this post, I'll take a minute to tell the real story and reveal why your security software may make you considerably LESS safe!

Security software rarely detects new or targeted threats

Sadly, the virus and malware authors are always one step ahead of the security industry. These rogue programmers use the same security software you do, and actively work to make sure their creations defeat it before release. Since differentiating new malware from legitimate applications is nearly impossible, new malware usually slides right through the detection net. After all, if security software worked great, a lot fewer cases of malware infestation would exist!

But wait, you say, what about those 99% detection rate claims? Well, they are testing against samples already known to the security industry. I would certainly hope they have a good detection rate when it comes to those! For unknown, new, or targeted malware, which is regenerated daily and is the only kind you are likely to encounter, the detection rate is much lower.

Security software is prone to false positives

In the effort to try to detect new, unknown, or targeted malware, some security products are well known to alert on just about everything, including lots of legitimate applications, especially those from smaller developers. As a small developer myself, I find this highly frustrating. I sign my applications, make sure they don't do anything that looks shady, and generally do all I can to avoid false positives, but still they occur so routinely they are to be expected.

It isn't just small developers that are affected, though; false positives occur on all sorts of software. One false positive a few years ago, on svchost.exe, a critical part of Windows, had a catastrophic effect on countless PCs worldwide.

Worst of all, the new web site rating services that security products now offer can take a single false positive and turn it into a badly rated domain. Getting these false positives or web site ratings fixed can be very difficult and time consuming. Some security companies are responsive, others much less so! I had one invalid site rating from a major security provider, caused by a false positive, last for weeks and then recur 4 times before they finally fixed it. I nearly lost my mind.

Better to have false positives than missed detections, you say? Well, unfortunately, it doesn't work that way. The malware authors work to avoid detection, so loosening the detection criteria mostly hits legitimate software rather than their malware. Further, users get so used to seeing false positives that they may very well quit taking detections seriously!
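The trade-off in the two sections above (high detection rates on already-known samples versus daily rebuilds, and looser matching buying more false positives) can be measured directly. The following Python is an added example written for this post, not code from the post or from any security vendor: it scores an exact-hash scanner and a byte-similarity heuristic against constructed byte strings standing in for known samples, daily rebuilds, and legitimate programs. The runtime stub, the sample contents, the 4-gram Jaccard measure, and the 0.4 threshold are all assumptions chosen for illustration.

```python
"""Added example: measuring an exact-signature scanner and a similarity
heuristic against known samples, regenerated variants, and legitimate files.
Every "file" here is a constructed byte string, not a real program."""
import hashlib

# Constructed stand-in for a runtime/packer stub that many unrelated programs share.
STUB = (b"common runtime stub: initialize heap, load imports, apply relocations, "
        b"resolve thread locals, call entry point")

# Constructed "known" samples: what a vendor's test corpus would contain.
KNOWN = [
    STUB + b" | dropper: write file, set autorun, beacon home",
    STUB + b" | stealer: read browser store, upload",
    STUB + b" | locker: enumerate files, encrypt, demand",
]

# Constructed legitimate programs; the first shares the stub, the second does not.
LEGIT = [
    STUB + b" | editor: open file, change text, save file",
    b"calculator: parse the expression, evaluate, display the result",
]


def regenerate(sample: bytes, build: int) -> bytes:
    """Stand-in for a daily rebuild: same behaviour, a few bytes changed."""
    return sample + b" build=" + str(build).encode()


def shingles(data: bytes, n: int = 4) -> set:
    """All overlapping byte n-grams of the input."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes) -> float:
    """Similarity of two byte strings as Jaccard index of their 4-gram sets."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


class ExactScanner:
    """Signature database of SHA-256 hashes: one entry per known sample."""

    def __init__(self, known):
        self.db = {hashlib.sha256(k).hexdigest() for k in known}

    def flags(self, data: bytes) -> bool:
        return hashlib.sha256(data).hexdigest() in self.db


class SimilarityScanner:
    """Heuristic: flag anything whose 4-gram overlap with a known sample reaches
    a threshold. Catches rebuilds, but also unrelated programs sharing code."""

    def __init__(self, known, threshold: float = 0.4):
        self.known, self.threshold = list(known), threshold

    def flags(self, data: bytes) -> bool:
        return max(jaccard(data, k) for k in self.known) >= self.threshold


def rate(scanner, files) -> float:
    """Fraction of the given files the scanner flags."""
    files = list(files)
    return sum(scanner.flags(f) for f in files) / len(files)


def benchmark(scanner) -> dict:
    """Detection rate on the known corpus, on fresh rebuilds, and the false
    positive rate on legitimate programs."""
    fresh = [regenerate(k, 1) for k in KNOWN]
    return {
        "known": rate(scanner, KNOWN),
        "fresh": rate(scanner, fresh),
        "false_positive": rate(scanner, LEGIT),
    }


if __name__ == "__main__":
    for name, scanner in (("exact", ExactScanner(KNOWN)),
                          ("similarity", SimilarityScanner(KNOWN))):
        print(name, benchmark(scanner))
```

Run it and the exact scanner reports 100% on the known set, 0% on the rebuilds, and no false positives; the similarity scanner catches every rebuild but flags the legitimate editor because it shares the common runtime stub with the known samples. The first result is where a "99% detection rate" against known samples comes from; the second is the mechanism behind false positives on small developers' software once vendors loosen matching to catch new variants.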

Security software companies often distribute malware themselves (installer bundles)

Since I consider installer bundles malware, it is painful to see security companies using installer bundles. We've all seen these bundles. You download application X, and are presented with deceptively packaged offers for applications Y and Z. The user's intent was only to install application X, so it is a clear violation of the user's wishes.

It is extremely easy to accidentally get one of these bundled components installed. Since all parties involved make money per install, they have gotten more and more deceptive. Download sites like CNET now even attach their own bundles to downloads.

The most common bundles are toolbars and other web browser add-ons. They clutter up your PC and web browser, bringing performance down. Some are difficult to disable, and almost all behave in deceptive ways. This massive browser add-on problem got so bad, with some users ending up with an unreal number of browser add-ons, that Microsoft had to start disabling all of them by default in Internet Explorer, forcing users to selectively choose which are enabled.

Sadly, the entire software industry seems to have adopted these bundles. While it would be nice for security software to detect these as malware, instead security software companies are themselves using installer bundles! They distribute free scanners, web site rating tools, and other 'teaser' components with common applications. One example is McAfee bundling its teaser products with Java!

I wish I could say there was ANY security company out there detecting installer bundles as malware, but there aren't. Instead, I can't think of one that does NOT use installer bundles.

Security software companies have a hard time deciding what is malware

Similar to not detecting deceitful installer bundles as malware, security companies have a hard time deciding what is malware and what is merely a deceitful application. They've even been sued over it. These days, rogue software companies simply push their products right up to the limit of being considered malware, and get away with virtual murder. Their borderline applications not only aren't detected, but the distributing web sites are often certified by security companies as safe, a service you can pay for at most security software companies.

Given that rogue software of all types is deliberately left undetected, the utility of anti-malware products goes down even further.

Security software offers a false sense of security

Given all this, we see that security software isn't very useful. However, it really becomes harmful when users believe they are protected from threats. This may lead them to act more recklessly, under the false notion that their security software is protecting them. It seems preferable to remove this illusion of security, and instead have users realize that their safety is in their own hands. User education and common sense are much more effective than any security software!


If slowing your PC down considerably wasn't bad enough, we now see that the actual utility of security software is quite questionable, as are the practices of many of these companies when it comes to rogue installer bundles. They are unlikely to detect any real threats, likely to let rogue borderline applications skate by, and give users a false sense of security. I'd say, toss away the illusion, and start realizing that nothing can protect you except your own judiciousness!

-- End --

Addendum #1
Although you won't see it until something is detected, did you know that Microsoft Security Essentials is now part of Windows Defender, and built into Windows 8? Yes, that's right, you need NOT install any third-party security software! Windows Defender is arguably the best option people have right now, as it has a low false positive rate, is efficient, and not obtrusive. In fact, most people have no idea it is there! Further, Microsoft doesn't use installer bundles, as far as I know.

Addendum #2
I believe that in the long term, we'll move to entirely store-distributed, approved applications, which will allow tracking and rating by vendor history. The problem is, the definition of malware does not include 'borderline' applications that are just plain deceitful, thus we'll always have crapware! Until corporations start acting with more moral fiber, things will continue to be much the same.
