
When I was a student, one of my professors used to say that an antivirus actually increases your attack surface by injecting itself into system processes and, let's say, opening more doors for malware to control and manipulate the PC. By that he meant that you're better off without one.

  • Is that even remotely true?

  • What system processes do antivirus programs usually inject? I'm only aware of drivers implemented as .sys files on Windows and I've had experience with it giving a BSOD for example.

  • Are you really better off without one if you're really careful?

Sir Muffington
  • If you're running more code on your system, your attack surface increases. Did he actually say that you're better off without one, or just that there are drawbacks in addition to whatever potential benefits they may have? – user Nov 03 '21 at 18:58
  • @user you could conclude that – Sir Muffington Nov 06 '21 at 16:17

2 Answers


In short: It's somewhat a "philosophical" question.

  1. All software you add to your system increases the attack surface per se. The question is: is it worth increasing the attack surface in order to defend against other attacks? And this depends heavily on the product, the users, and how you measure attacks at all. Particularly on company networks it is easier to secure all systems with an antivirus system than to rely on your users, so you can defend against common malware. Sometimes installing an antivirus system (in companies) is driven by some kind of weird regulation and shifts around the responsibility for a secure system (but this has nothing to do with increasing security).

  2. As far as I know, AV relies more on API hooks and the start/stop/behaviour of processes than on process injection (if I understand your question correctly). But AV often runs as SYSTEM to do all the stuff it needs, so if an attacker can exploit the AV he can do whatever he wants.

  3. If you are really careful (which means do not click on every link you see, update your software as fast as you can, etc.), you do not need an antivirus, because it increases the attack surface more than it protects you.

I (>10 years of IT security and using a Linux desktop) do not use an AV, because I think it's not worth it for me. The more unaware about malware you are, the more you can rely on AV (e.g. for my parents, because I do not trust them clicking only good links :)). So if you are familiar with basic IT security I think it is better to avoid AV, but as I wrote at the beginning, it's more philosophical, and depends heavily on you.

In the past malware mostly was found by file patterns (signatures) so if you had a good AV with a lot of these patterns you were protected against a lot of malware. Today malware changes its signature so fast that most AVs do not rely heavily on signatures; they mostly check the behaviour, but in my mind, they don't do it very well. Additionally they can scan network traffic or surfed URLs, but this is also stuff you can take care of by yourself if you are careful.

Here are some thoughts on real-time AV.

D-E-N
  • "clicking only good links" isn't a viable strategy when even sites that have (had?) a good reputation like Forbes end up [sending malware to readers](https://www.engadget.com/2016-01-08-you-say-advertising-i-say-block-that-malware.html). – user Nov 03 '21 at 21:35
  • Let me add that AVs nowadays also rely on sandboxing (and this is something many people in IT still don't know how useful it is). That's the big feature that many times tips the balance in favor of one vendor or another when acquiring a solution. With behavioral analysis you MUST run the malware and you are already exposed to it. With sandboxing the user may not run the binary before the evaluation is finished. Apart from that: you should consider the fact that some AVs have anti-ransomware features that are EXTREMELY valuable in certain scenarios. (Please check where the snapshots are stored...) – 4d4143 Nov 04 '21 at 13:14

The classical answer: It depends on your risk tolerance and the kind of threats you expect to face.

To say "You're better off without one" is a very absolute statement by itself. Perhaps in the scenario of a personal endpoint there is no reason to run another AV other than Windows Defender assuming you keep your OS updated with the latest patches, you don't run any outdated software (Drive-by exploits are a thing...) and you are extremely careful when it comes to downloading things.

But would you say the same if you are in a large organization with more than 5000 endpoints deployed with varying OSes and delays in patching? (Always pay attention to Patch Tuesday!) Having an endpoint solution deployed adds another layer of defense and thus could save you a lot of headaches.

These are the scenarios that could happen if you have it installed, from best to worst:

  • Prevent the execution of malware.
  • Detect running malware AND remediate the situation (Kill the running processes, clean up all files generated by malware and quarantine the binary/files with malware)
  • Detect running malware AND be unable to remediate the situation.
  • Not detecting anything.

An endpoint solution can find malware via the following means:

  • Checking signatures (Doing static analysis of the binary or checking the MD5 hash against a known database. You can see this for yourself in VirusTotal)
  • Checking its behavior at run-time (This is where the hooking DLLs and APIs happens. Perhaps somebody with more knowledge can expand upon this point)
  • Sending the file to a sandbox (this can be an on-premise appliance or the vendor's cloud), running it there and receiving an evaluation of what happened.

If you expect to face zero-day threats, the only way to get the best scenario (That is: Prevent malware execution) is with a sandbox by definition as the other 2 methods will not prevent it from executing given the fact that no one has knowledge about it.

But endpoint solutions not only do this! They can also actually reduce the attack surface (I am directly contradicting your professor here) via different means:

  • Applying URL filtering so you can limit which websites users can visit.
  • Having an application blacklist. Want to run NMAP or Tor browser? Sorry my friend...you can't.
  • Limiting the kind of files you can download via a web browser

Finally, if you need more information about their performance or some sort of tool to compare solutions: The MITRE foundation runs tests to see how different solutions react (Regarding detection) to certain scenarios. You can find out more about them and see the results of the 2021 test HERE.

If some day you are in charge of protecting endpoints: Remember to always run proof of concepts and test the solutions under different scenarios to see if they actually do what they promise.

4d4143
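Both answers describe the same two detection layers: exact-hash signatures ("checking the MD5 hash against a known database") and content/behaviour checks, and both note that malware "changes its signature" faster than hash databases can follow. The following is an added example, not code from either answer or from any AV product, that models those layers in miniature. It uses the standard EICAR anti-virus test string as the constructed "known malware" sample; `SignatureDB`, `scan`, `mutate_one_byte` and `xor_pack` are hypothetical names chosen for this illustration. It shows that appending one byte defeats the hash lookup but not a byte-pattern signature, that a trivial XOR "packer" defeats both static layers, and that the packed sample is only recognisable again once it has been unpacked, which is what a behavioural or sandbox layer gets to see at run time.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: the EICAR test string, a harmless file that AV vendors
# agree to flag. It stands in for "known malware" here. Keep it in memory only:
# writing it to disk on a machine with real-time AV will trigger a quarantine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_PATTERN = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"  # a content "signature"


@dataclass
class SignatureDB:
    """Hypothetical two-layer signature database (example only)."""
    hashes: set = field(default_factory=set)      # MD5 hex digests of known-bad files
    patterns: list = field(default_factory=list)  # (name, byte pattern) pairs

    def add_sample(self, name: str, data: bytes, pattern: bytes) -> None:
        self.hashes.add(hashlib.md5(data).hexdigest())
        self.patterns.append((name, pattern))


def scan(data: bytes, db: SignatureDB) -> dict:
    """Static scan: which signature layers fire on this blob of bytes."""
    return {
        "hash": hashlib.md5(data).hexdigest() in db.hashes,
        "pattern": [name for name, pat in db.patterns if pat in data],
    }


def mutate_one_byte(data: bytes) -> bytes:
    """Cheapest evasion: append a byte. The hash changes, the content does not."""
    return data + b"\x00"


def xor_pack(data: bytes, key: int) -> bytes:
    """Toy 'packer': XOR every byte so no plaintext pattern survives on disk.
    Applying it twice with the same key unpacks, which is what the sample
    itself would do in memory before running."""
    return bytes(b ^ key for b in data)


def runtime_scan(packed: bytes, key: int, db: SignatureDB) -> dict:
    """Models a behavioural/sandbox layer: it sees the bytes after unpacking,
    not the packed file that the static scan looked at."""
    return scan(xor_pack(packed, key), db)


def build_db() -> SignatureDB:
    db = SignatureDB()
    db.add_sample("eicar", EICAR, EICAR_PATTERN)
    return db


if __name__ == "__main__":
    db = build_db()
    packed = xor_pack(EICAR, 0x5A)
    print("original        ", scan(EICAR, db))
    print("one byte appended", scan(mutate_one_byte(EICAR), db))
    print("xor packed       ", scan(packed, db))
    print("after unpacking  ", runtime_scan(packed, 0x5A, db))
```

The point for the thread above: a hash database only ever answers "have I seen exactly this file before?", a byte-pattern signature survives cosmetic changes but not re-encoding, and anything packed or polymorphic is only recognisable once it has unpacked itself, which is why the answers put behaviour monitoring and sandboxing ahead of signatures for novel samples.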