There are a lot of free antivirus software and free versions of commercial anti-malwares. Can we really trust these free antivirus programs?
The same question about commercial antivirus software. Maybe they install backdoors on our computers?
Maybe commercial or free anti-malware installs backdoors
Very true. Maybe they do.
However – there are a lot of technically experienced individuals who are in a position to check, either through monitoring unexpected connections outbound, or through reviewing the code, so we can have reasonable assurance that they don't.
But think about the alternative – we know that malware does install backdoors etc., so from a risk based perspective, which would you prefer? A control that you personally haven't vetted, but that many others approve, or a lack of control which leaves you open to malware.
Pretty simple. Trust isn't required – it's just up to you to balance the risk factors for your circumstances.
If you need any guidance, large companies use perimeter and desktop anti-virus and anti-malware, as well as anti-malware on laptops and other endpoints. It isn't cheap for them, so it is very much a risk based decision to spend that money.
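One way to do the outbound-connection check this answer mentions, as an added example that is not part of the original thread: the process name, the vendor's published ranges and the netstat-style lines are all constructed assumptions.

```python
"""Flag connections from an anti-malware process whose remote address is not
one of the vendor's published update/telemetry ranges. Added example, not from
the original thread; the process name, ranges and log lines are constructed."""
import re
from ipaddress import ip_address, ip_network

# Assumed: the vendor publishes these ranges as its update and telemetry endpoints.
VENDOR_RANGES = [ip_network("203.0.113.0/24"), ip_network("2001:db8:10::/48")]
# RFC 1918 and loopback: local DNS, proxies and the like are not a "phone home".
INTERNAL_RANGES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]
# Assumed name of the anti-malware service process under review.
AV_PROCESS = "avservice"

# Constructed lines in the shape of `netstat -tnp` / `ss -tnp` output.
SAMPLE_LINES = """\
tcp 0 0 10.0.0.5:49152 203.0.113.7:443 ESTABLISHED 1234/avservice
tcp 0 0 10.0.0.5:49153 198.51.100.9:443 ESTABLISHED 1234/avservice
tcp 0 0 10.0.0.5:49154 192.0.2.44:8080 SYN_SENT 1234/avservice
tcp 0 0 10.0.0.5:49155 10.0.0.1:53 ESTABLISHED 1234/avservice
tcp 0 0 [2001:db8:1::5]:49156 [2001:db8:10::9]:443 ESTABLISHED 1234/avservice
tcp 0 0 10.0.0.5:49157 198.51.100.20:443 ESTABLISHED 2222/firefox
"""

LINE_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
                     r"\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)")


def split_endpoint(endpoint):
    """Return (ip, port) from 'host:port' or '[v6host]:port'."""
    host, _, port = endpoint.rpartition(":")
    return ip_address(host.strip("[]")), int(port)


def unexpected_connections(text, process=AV_PROCESS, expected=VENDOR_RANGES):
    """Return (remote_ip, port, state) for `process` connections that go
    neither to internal infrastructure nor to an expected vendor range."""
    flagged = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["prog"] != process:
            continue
        ip, port = split_endpoint(m["remote"])
        if any(ip in net for net in INTERNAL_RANGES + expected):
            continue
        flagged.append((str(ip), port, m["state"]))
    return flagged


if __name__ == "__main__":
    for ip, port, state in unexpected_connections(SAMPLE_LINES):
        print(f"review: {AV_PROCESS} -> {ip}:{port} ({state})")
```

A hit is a prompt to check the vendor's documentation or capture that traffic, not evidence of a backdoor on its own.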
There is no more reason to expect that these software could put in a back door than any other software. Your Internet browser could put in a back door, your word processor could, your computer hardware itself could. Fundamentally, you have to source your software and hardware from vendors you trust and you trust them based on either their reputation or the review of numerous other users who haven't found a problem yet.
You cannot trust anybody; but you have to... for instance, when you buy some food, you trust whoever produced it for not having put poison in it. It would be certainly feasible; yet it happens rarely enough that you accept that risk, especially since the alternatives have their own costs and risks (hunting wild animals, foraging for berries, growing potatoes in your own field, or simply starving to death).
Similarly, whenever you install some piece of software, any piece of software, you implicitly trust it for not playing bad tricks on you. Antivirus and antimalware are not special here; and, for that matter, the price (free or not free) does not matter much either. The software will have a backdoor if it is in the best interest of the author to plant backdoors in your computer, and the author has elastic enough moral values to indulge in such practices. The best interest is the operative expression here. @RoryAlsop, in his excellent answer, points out that installing or not installing an antivirus is a matter of risk (and the reduction thereof). Risk analysis applies to attackers too: you have to think what an antivirus writer would gain, and what he would risk to lose, by planting a backdoor in his product. Let's face it: hijacking your computer is unlikely to be a very attractive goal that would justify any substantial amount of effort for any attacker, let alone risking exposure to law enforcement agencies.
There still is a point here. Antivirus software is in a special class in the following sense: it auto-updates very regularly. This also applies to Web browsers. Applications which auto-update from a single source make that source a highly valuable target for people who want to hijack many machines (not just yours, but millions of machines). The risk here is not the antivirus author himself inserting a backdoor; rather, it is about some bad guy hacking into the distribution server of the antivirus and replacing the update file with a nasty piece of code.
There again, that the antivirus is free or not has no significant impact. What matters is whether the antivirus author knows how to protect his distribution server or not.
I have seen one instance where the virus actually installed itself in the AV's virus-signature folder. Since the AV did not scan its own virus signatures (this would only raise false positives), the actual virus remained undetected by the AV and was only found when the hard disk itself was attached as an external drive in another computer and scanned by a different AV.
I'm pretty sure I have seen other instances where security holes in AVs have been exploited in the past, but I can't find any sources anymore. However, there are complaints by AVG users because the software changed the browser's homepage and default search engine to "AVG Secure Search", which is a behavior you only expect from malware.
The real risk is not the true antivirus software, it is the 101 websites that try to trick you into installing fake antivirus software. Just because a website is called “GetAvj”, this does not mean it is going to install AVG on your machine. This is now one of the most common ways that viruses are spread.
I know people that have got fake phone calls claiming to be from Microsoft or their ISP telling them they have a virus and to do x, y and z. Then software that steals the bank logon details is installed if they fall for it.
Only one in many thousand people has to fall for these tricks to give a good return on investment for the people that are doing them.
Backdoors
All “background” antivirus software installs backdoors on your machine, as it has to update itself; the question is do you trust the vendors not to do something bad with the backdoor and to prevent anyone else using it.
There is “batch mode” antivirus software that you download to a machine and run once before the program deletes itself – these are mostly used when a virus has spread a lot as they can be run as part of a maintenance cycle on all PCs.
At one point (I don’t know if they still do so) Microsoft used to run such a tool every time Windows was updated on your PC; this tool only checked for a few viruses that were on a great number of PCs.
Now for the two free AVs I have used.
AVG Free is given away so that people will buy the full version. As AVG makes lots of money from selling the full version there is no way they would take the risk of doing something with the free version that would stop people trusting them. However, every time you upgrade the free version there are 101 tick boxes you have to get right so it does not try to make you pay for the full version.
Microsoft Security Essentials is produced by Microsoft, as they get “bad PR” every time a Windows machine gets a virus, and home users were not installing antivirus software. There is no pay-for version, therefore they don’t try to get you to upgrade. As you already trust Microsoft with the monthly updates, no more trust is needed to use Microsoft Security Essentials.
Microsoft Security Essentials may only catch say 99% rather than say 99.1% of some test set of viruses, but it does a very reasonable job if you are careful how you use the internet.
See Is it worth it to get paid anti-virus software? for why you may wish to pay for antivirus software.
For commercial software: They could probably make some money somehow by installing a backdoor. On the other hand, if found out, it would destroy their business. And it would be found out. So they don't do it, because the risk just isn't worth the very limited benefits that they could have.
For things on the internet: If you visit a website that finds 73 viruses on your computer, which are all Windows viruses even though you are using a smartphone or a Mac or a Linux box, you know that all they want is your money. One thing their software will not do is find and remove any real viruses on your computer. Whether they just take your money and laugh at you, or whether they use their software to put malware on your computer, that's hard to say. Personally, if I could make people pay say $30 for useless software, and possibly convince them to pay another $20 for an upgrade, I wouldn't be bothered adding malware to it.
For some non-absolute value of trust, you can trust the intentions of an anti-malware product that has been reviewed -- including testing -- by someone with a reputation you trust (for some value of trust). Other answers have gone into this in more detail.
You can never trust their competence -- even if their product was perfect when released (and no code ever is), and their definitions were complete when released, new vulnerabilities and exploits appear all the time.
This latter point is partly why a defence-in-depth strategy is beneficial (use a more secure browser, restrict what scripts can run on the web, disable autoplay, good passwords, don't run root/admin if you don't understand why you have to, run a firewall...). Some of these tips could also help in the hypothetical case of the AV updates server (or a cache of it) being compromised. Some of them are about reducing entry points, some about damage limitation.
You can't trust any software if you can't check the source code. And even when you can, you are still at risk - there might be some old, nasty bug, waiting for years for some hearts to bleed.