# Is Anti-virus Software Really Necessary?

There is a blog post from May 9th titled [Linux Security - The
Illusion of Invulnerability][1] over at viruslist.com (Kaspersky
Lab's blog). This quote sums up the theme of the post:

> At the Kaspersky stand we talked to a lot of visitors. Pretty
> soon, it dawned on us exactly what the biggest threat to Linux
> systems is: the almost overwhelming belief in the invulnerability
> of Linux

I think they have it wrong - it's not belief in invulnerability, and
it's not Linux. It's a belief that "Yeah, it could happen to me, but
it probably won't", and you could envision users of OS X, Windows,
or any OS saying this. But the quote presupposes that there is a
need for anti-virus software at all. Sound crazy? Perhaps not. Here
are a few questions to think about:

* For some reason, the metric used to judge anti-virus products is
  [how quickly they release signature updates][2] to counter new
  threats. This seems backwards to me. Has any anti-virus vendor
  ever done research on how many infections their software has
  prevented, and what the impact could have been?

* More to the point, is anti-virus software really a valuable part
  of an IT security policy, or are there better ways of preventing
  viruses/malware?

* Why does it seem that despite the entire world running Windows
  desktops, and almost all of those running some form of anti-virus
  software, there are still major virus outbreaks?

* Does it help to divide malware threats into known and unknown
  categories? Clearly, antivirus software protects against the
  former, but not the latter.

* Does reliance on a single security product give a false sense of
  security? For example, a common misconception is that a firewall
  is all one needs for protection against external network
  threats. [The truth is much more complicated than that][3], as
  most security practitioners know. This question of whether or not
  you really need anti-virus software is answered quite well at
  [vmyths.com][4]:

> If an expert proclaims you need antivirus software to protect you
> from a virus, you can counter with the following argument: If we'd
> turned off automatic macro execution in Word before Melissa came
> along, then our PCs wouldn't have gotten infected. If we'd turned
> off Windows Visual Basic Scripting before ILoveYou came along,
> then our PCs wouldn't have gotten infected. This means our PCs
> could have protected us even when antivirus software failed to do
> its job. Perhaps we don't need to update our antivirus software so
> often -- maybe we really just need to update our antivirus
> experts.

## Comments

**[kurt wismer](#19 "2006-05-15 14:03:00"):** to answer the
questions you asked

1) gathering the information to determine how
many infections an anti-virus product prevented would turn the
anti-virus product into spyware so i very much doubt such metrics
are available...

2) an IT security policy would undoubtedly find
preventative measures valuable - those measures can be divided into
2 groups: blacklists (known virus scanners), and whitelists (that
only let known good applications run)... depending on the nature of
the systems being defended, either or both could be
valuable... blacklists obviously suffer from not knowing all bad
software, but whitelists suffer from not knowing all good software
(and that can be a big pain in the arse when you're trying to apply
an update)...

3) there are still virus outbreaks because all
preventative measures fail **sometimes**... there is no such thing
as perfect security...

4) it is misleading to state that anti-virus
software only protects against known malware - for one thing,
heuristic scanning is well known for being able to find previously
unknown derivatives of known viruses... further, not all anti-virus
software is of the known virus scanning variety...

5) finally, yes,
using only one product does tend to leave people less secure, so the
vendors have taken to providing security product suites that have
multiple products bundled together...

as for rob's quote (from
vmyths), you should look closely at his chosen examples - both types
of viruses are dependent on optional system components... the fact
of the matter is, that's not true for viruses in general, he chose
exceptions to the rule for his examples - why, i don't know...

**[Thinknix](#20 "2006-05-15 16:07:00"):** Thanks for the insights. For
1), I was referring not to automated collection of signature
matches, but a real study done in cooperation with a target business
that indicated whether or not the host system was actually
vulnerable to what had been blocked. I'm not sure this could be
automated, anyway. It just seems odd that no major AV vendor has
commissioned such a study, given the potential for good press, or
that no major company has done something like this themselves, given
that AV software has a non-trivial cost in the large
enterprise. Maybe we just haven't heard of such studies... Similarly
for heuristic-based detection (yes, I should have mentioned it). How
do we know how well it works? For starters, it's probably more prone
to false-positives or false-negatives, depending on the threshold
it's using to detect differences from known malware.

On 3), perhaps
it's just the publicity, but it seems that AV software fails more
than "sometimes". Again, how do we know?

I think your mention of
whitelists is right on target - secure, but inconvenient, so not
used very often.

You've probably seen [Marcus Ranum's rant about dumb
ideas in computer security.][5] His #2 point talks about this very
topic.

[1]: https://web.archive.org/web/20061016115242/http://www.viruslist.com/en/weblog?calendar=2006-05
[2]: https://web.archive.org/web/20061028003030/http://www.informationweek.com/software/opensource/166400446
[3]: http://en.wikipedia.org/wiki/Defense_in_depth
[4]: https://web.archive.org/web/20060714015534/http://www.vmyths.com/resource.cfm_id=31&page=1.htm
[5]: http://www.ranum.com/security/computer_security/editorials/dumb/