There are a lot of free antivirus programs and free versions of commercial anti-malware products. Can we really trust these free antivirus programs?

The same question applies to commercial antivirus software. Maybe they install backdoors on our computers?

Peter Mortensen
  • What would lead you to believe we couldn't trust them... – Matthew Peters Aug 13 '14 at 15:21
  • Any software could be considered to be a backdoor if it contains certain vulnerabilities. You need to consider the reputation of the vendor and the attack surface of your assets. – schroeder Aug 13 '14 at 15:54
  • You can stick the word "Maybe" in front of just about any sentence and create paranoia. The key is to do your own research and draw your own conclusions based on logic and risk factors. – DKNUCKLES Aug 13 '14 at 15:54
  • I would point out many of these companies sell other products and therefore have a name to protect. Avast has commercial versions. Comodo states that their best interest is people feeling secure on the web (they make money off companies). My point is if they damage their reputation on the free products it may hurt their bottom line with their paid products. – Travis Pessetto Aug 13 '14 at 16:13
  • @TravisPessetto Comodo HAVE previously damaged their reputation by giving out dodgy certificates through one means or another: https://www.schneier.com/blog/archives/2011/03/comodo_group_is.html - of course they blamed an APT. Regardless, I wouldn't go near their AV products. *edit - mistakenly stated they were root certificates* – user2867314 Aug 13 '14 at 19:16
  • @user2867314 While you do make a good point, I don't see it as something Comodo intended to do (unlike a backdoor) but rather neglected to secure. Also note, other articles state it appears to be an Iranian government attack. I don't use Comodo AV either and stay away from it, but have heard tests say it is good at preventing the installation of malware but is horrible at removing it if it is already installed or manages to install itself. – Travis Pessetto Aug 13 '14 at 20:26
  • If this is a concern for you, an avenue is to find open source antivirus software. Since the source code is open, you can inspect the code and assure yourself it doesn't hide any backdoors. As of now, the most popular open source antivirus software is ClamAV. – Lie Ryan Aug 13 '14 at 22:42
  • An interesting book I read about trust in our society is "Liars and Outliers" by Bruce Schneier. You'd probably like it. Not directly relevant to the question, but to the questions: Who can I trust? Why do I need to trust people? What happens if we can't trust each other? – Josef Aug 14 '14 at 15:23
  • NSA + gag order = backdoor – jliv902 Aug 14 '14 at 15:39
  • I think the OS already has a backdoor, if not the hardware, to begin with. I think Windows and Apple already have backdoors created in them due to govt. And the open source community of Linux is compromised to some degree as well. – Muhammad Umer Aug 14 '14 at 20:16
  • @MatthewPeters *"What would lead you not to trust them?"* I would say: that these programs do not come in the form of peer-reviewed, buildable source code. – Kaz Aug 14 '14 at 23:16
  • Antivirus PC 2009. I say no. – Kaz Wolfe Aug 15 '14 at 04:07
  • Not maliciously, but still: "By design, antivirus products introduce a vast attack surface to a hostile environment. … Many of the vulnerabilities described in this paper could have been severely limited by correct security design, employing modern isolation and exploit mitigation techniques. However, Sophos either disables or opts-out of most major mitigation technologies, even disabling them for other software on the host system. This makes the exploitation process straightforward, …" Tavis Ormandy, Information Security Engineer at Google. [PDF link](https://lock.cmpxchg8b.com/sophailv2.pdf) – Daniel Beck Aug 15 '14 at 15:01
  • Many antivirus products have design flaws that make them vulnerable... http://www.syscan360.org/slides/2014_EN_BreakingAVSoftware_JoxeanKoret.pdf – KristoferA Aug 16 '14 at 02:52
  • @Kaz neither does all of the software you run to install Linux. Have you seen the "Reflections on Trusting Trust" paper? – user253751 Aug 16 '14 at 03:44
  • It's shocking and telling how random the answers were to this question. The **fact** is though that no anti-virus program ever came close to detecting 100% of malware, and in fact most rarely do better than 40% these days. If you are satisfied with detecting 40% or less of the malware on your network, sure, use anti-virus programs. – Jeff-Inventor ChromeOS Aug 16 '14 at 12:36
  • Somewhat related: [Which Windows virus scanners have scrutinized source?](http://softwarerecs.stackexchange.com/questions/926/which-windows-virus-scanners-have-scrutinized-source) – Kelly Thomas Aug 18 '14 at 03:02

8 Answers

Maybe commercial or free anti-malware installs backdoors

Very true. Maybe they do.

However – there are a lot of technically experienced individuals who are in a position to check, either through monitoring unexpected connections outbound, or through reviewing the code, so we can have reasonable assurance that they don't.

But think about the alternative – we know that malware does install backdoors etc., so from a risk based perspective, which would you prefer? A control that you personally haven't vetted, but that many others approve, or a lack of control which leaves you open to malware.

Pretty simple. Trust isn't required – it's just up to you to balance the risk factors for your circumstances.

If you need any guidance, large companies use perimeter and desktop anti-virus and anti-malware, as well as anti-malware on laptops and other endpoints. It isn't cheap for them, so it is very much a risk based decision to spend that money.

Rory Alsop
  • I always thought the big companies just wanted someone to point the finger at and say "we gave you $$" whenever something goes wrong – user2813274 Aug 13 '14 at 15:57
  • heh - there is always an element of that, but big corps still bear the brunt of the reputational damage and fines. Especially the financial sector... – Rory Alsop Aug 13 '14 at 16:00
  • @user2813274 CYA can be one of many reasons. Expertise, accountability, vettability, regulations, etc... many reasons outside of finger pointing to consider when purchasing security software (not just AV). Trust also helps keep *providers* in check. Look at all the blowback from NSA related issues. What company is going to voluntarily install a backdoor when they can lose face and customers? – WernerCD Aug 13 '14 at 18:37
  • What prevents an AV company from ensuring that only specific targets at specific times run a specific code path on their proprietary software? Surely valuable executives aren't the type of geeky person who reviews their incoming/outgoing connections, so there's no reason to believe that a backdoor would be more easily found in an AV than in any other software. – Steve Dodier-Lazaro Aug 14 '14 at 01:09
  • Valuable executives are an interesting case - high risk individuals, but who typically want greater freedom/looser controls on their devices. So the risk management activities change significantly. This is a very large topic, with overlaps into physical security and personal protection. – Rory Alsop Aug 14 '14 at 07:56
  • @WernerCD Key word is "voluntarily". Even if the backdoor was placed involuntarily, the software can still be harmful. – jliv902 Aug 15 '14 at 13:44
  • But there are many legally and technically knowledgeable people in the NSA; the people who created and defended the very backdoors that they exploit. For this reason, I don't think the presence of highly knowledgeable technical people is any sort of deterrent. – SimonT Aug 16 '14 at 01:19
  • Simon, if you read my answer you will see that this is almost irrelevant. They may be inserting back doors, or they may not – Rory Alsop Aug 16 '14 at 09:09
  • @RoryAlsop I don't think the answer to this question should be the same for high-risk individuals, corporations, and your average end user actually. Esp. for the latter category a risk-based analysis makes no sense because they don't have the knowledge or capabilities to acquire knowledge to perform such an analysis. This question is vague enough that there is no way to provide a proper answer, in my opinion... – Steve Dodier-Lazaro Aug 16 '14 at 15:22
  • For valuable individuals I'd assume they can get some help in assessing their risks, and then the question is more geared towards what forms of organisations can cater for the needs of their high-risk individuals, and how such organisations would decide on which defences to deploy. The end-user executives themselves would need to either blindly trust an AV product *or* relatively rationally trust their organisation to make decisions on their behalf. – Steve Dodier-Lazaro Aug 16 '14 at 15:24
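The first check the answer above mentions, watching for outbound connections the product has no business making, is cheap to automate. What follows is an added example, not code from the answer and not any vendor's tooling: it parses constructed connection records of the shape that `ss -tnp` or `netstat -b` output reduces to, compares the AV process's destinations against the address ranges and ports the vendor documents, and returns whatever falls outside them. The process name `avservice.exe`, the vendor range `198.51.100.0/24` and every address are assumptions made for illustration (RFC 5737 documentation ranges); substitute the ranges your vendor actually publishes.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Conn is one outbound connection: owning process, remote address, remote port.
type Conn struct {
	Process string
	Remote  net.IP
	Port    int
}

// Expected is where a watched process is allowed to talk: vendor ranges and ports.
type Expected struct {
	Nets  []*net.IPNet
	Ports map[int]bool
}

// parseConn parses one constructed record "proc=<name> dst=<ip>:<port>"; bool is false if malformed.
func parseConn(line string) (Conn, bool) {
	var c Conn
	for _, field := range strings.Fields(line) {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			return Conn{}, false
		}
		switch kv[0] {
		case "proc":
			c.Process = kv[1]
		case "dst":
			host, port, err := net.SplitHostPort(kv[1])
			if err != nil {
				return Conn{}, false
			}
			c.Remote = net.ParseIP(host)
			if c.Port, err = strconv.Atoi(port); err != nil || c.Remote == nil {
				return Conn{}, false
			}
		}
	}
	return c, c.Process != "" && c.Remote != nil
}

// unexpected returns every connection from a watched process whose destination or
// port is outside what the vendor documents. Unwatched processes are ignored.
func unexpected(conns []Conn, watch map[string]Expected) []Conn {
	var out []Conn
	for _, c := range conns {
		exp, watched := watch[c.Process]
		if !watched {
			continue
		}
		inRange := false
		for _, n := range exp.Nets {
			if n.Contains(c.Remote) {
				inRange = true
				break
			}
		}
		if !inRange || !exp.Ports[c.Port] {
			out = append(out, c)
		}
	}
	return out
}

// sampleAudit runs the check over constructed records (names and addresses made up).
func sampleAudit() []Conn {
	records := []string{
		"proc=avservice.exe dst=198.51.100.10:443",  // vendor range, expected
		"proc=avservice.exe dst=203.0.113.77:443",   // outside vendor range
		"proc=avservice.exe dst=198.51.100.12:4444", // vendor range, odd port
		"proc=browser.exe dst=203.0.113.77:443",     // not a watched process
		"garbage line",                              // malformed, dropped
	}
	_, vendorNet, _ := net.ParseCIDR("198.51.100.0/24")
	watch := map[string]Expected{
		"avservice.exe": {Nets: []*net.IPNet{vendorNet}, Ports: map[int]bool{443: true}},
	}
	var conns []Conn
	for _, r := range records {
		if c, ok := parseConn(r); ok {
			conns = append(conns, c)
		}
	}
	return unexpected(conns, watch)
}

func main() {
	for _, c := range sampleAudit() {
		fmt.Printf("unexpected: %s -> %s:%d\n", c.Process, c.Remote, c.Port)
	}
}
```

On the constructed input, `sampleAudit` reports the second and third records and nothing else. Expect noise in practice: vendors move update hosts behind CDNs, so a bare IP allowlist drifts, and a flagged connection is a lead rather than a verdict. The signal worth chasing is a persistent connection to a host the vendor does not publish, or a port its services do not use; the same comparison is worth running against DNS or TLS SNI logs where you have them, since those survive CDN churn better than addresses do.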

There is no more reason to expect that this software could put in a back door than any other software. Your Internet browser could put in a back door, your word processor could, your computer hardware itself could. Fundamentally, you have to source your software and hardware from vendors you trust, and you trust them based on either their reputation or the review of numerous other users who haven't found a problem yet.

AJ Henderson
  • Actually, antivirus is usually installed with higher privileges and lower-level system access than a typical word processor. Also, some atypical behaviour is expected from an antivirus (e.g. working in the background, scanning your HDD and sending your files over the internet for inspection) which would seem suspicious in other software. Well, the second argument is becoming obsolete with cloud services : ) – Agent_L Aug 14 '14 at 13:32
  • @Agent_L - they could have a more effective backdoor, but they aren't any more or less likely to have one. – AJ Henderson Aug 14 '14 at 13:35
  • @Agent_L Actually anything can be installed with lower-system access. Trojans, like a word processor. – Robert Baker Aug 15 '14 at 02:30
  • @AJHenderson More effective backdoor with the same level of suspicion OR equally effective backdoor with a lower level of suspicion. – Agent_L Aug 18 '14 at 08:55
  • @Agent_L - right, sorry if I wasn't clear, I wasn't disagreeing with you that a virus in a high privilege process isn't a bigger threat, but the question doesn't ask how much of a threat it is, it asks if we can trust AV software. There is no reason to suspect AV software any more than anything else, including the OS itself. I was just pointing out why I didn't mention your point in my answer. – AJ Henderson Aug 18 '14 at 13:20

You cannot trust anybody; but you have to... for instance, when you buy some food, you trust whoever produced it for not having put poison in it. It would be certainly feasible; yet it happens rarely enough that you accept that risk, especially since the alternatives have their own costs and risks (hunting wild animals, foraging for berries, growing potatoes in your own field, or simply starving to death).

Similarly, whenever you install some piece of software, any piece of software, you implicitly trust it not to play bad tricks on you. Antivirus and antimalware are not special here; and, for that matter, the price (free or not free) does not matter much either. The software will have a backdoor if it is in the best interest of the author to plant backdoors in your computer, and the author has elastic enough moral values to indulge in such practices. The best interest is the operative expression here. @RoryAlsop, in his excellent answer, points out that installing or not installing an antivirus is a matter of risk (and the reduction thereof). Risk analysis applies to attackers too: you have to think what an antivirus writer would gain, and what he would risk losing, by planting a backdoor in his product. Let's face it: hijacking your computer is unlikely to be a very attractive goal that would justify any substantial amount of effort for any attacker, let alone risking exposure to law enforcement agencies.

There still is a point here. Antivirus software is in a special class in the following sense: it auto-updates very regularly. This also applies to Web browsers. Applications which auto-update from a single source make that source a highly valuable target for people who want to hijack many machines (not just yours, but millions of machines). The risk here is not the antivirus author himself inserting a backdoor; rather, it is about some bad guy hacking into the distribution server of the antivirus and replacing the update file with a nasty piece of code.

There again, that the antivirus is free or not has no significant impact. What matters is whether the antivirus author knows how to protect his distribution server or not.

Tom Leek
  • Ideally, subverting the AV distribution server is not sufficient to infect existing users, because the AV's update mechanism will reject updates not signed using a particular key, and the key is not stored on the distribution server. But like you say, if the AV author doesn't know how to do that and doesn't implement it, then there's an avenue for trouble. – Steve Jessop Aug 15 '14 at 10:44

I have seen one instance where the virus actually installed itself in the AV's virus-signature folder. Since the AV did not scan its own virus signatures (this would only raise false positives), the actual virus remained undetected by the AV and was only found when the hard disk itself was attached as an external drive to another computer and scanned by a different AV.

I'm pretty sure I have seen other instances where security holes in AVs have been exploited in the past, but I can't find any sources anymore. However, there are complaints by AVG users because the software changed the browser's homepage and default search engine to "AVG Secure Search", which is a behaviour you only expect from malware.

iHaveacomputer
  • I moved away from AVG for this sort of reason, Microsoft Security Essentials just does not get in my way as much as AVG did. – Ian Ringrose Aug 14 '14 at 08:18
  • @IanRingrose You prefer [less effective security](http://www.pcpro.co.uk/news/security/384394/microsoft-security-essentials-is-designed-to-be-bottom-of-the-antivirus-rankings) over a configurable change to your browser? AVG hasn't done anything to my browsers because I never select the add-on. MS, however, has often interfered in my chosen configurations; getting Bing out of a couple of browsers has been a real chore. – user2338816 Aug 15 '14 at 05:20
  • @user2338816, it was more that every time AVG needed upgrading, AVG slowed down the PC too much. I have seen AVG not slow down other PCs, so it may depend on something else as well. – Ian Ringrose Aug 15 '14 at 07:50
  • @user2338816, if you read the link you posted, you will see that the test results mostly come down to how much effort the different AV companies put into gaming them. – Ian Ringrose Aug 15 '14 at 07:54
  • @IanRingrose That's hard to find anywhere in that link. I sure don't see it now, nor did I see it any time I read the story earlier, though there is a statement about MS engineers trying to anticipate what test methods will be used. And it's not what the article's about. It's about the interview with MS's senior program manager of the Microsoft Malware Protection Center, explaining why MSE was slipping in results and why it would continue to do so. – user2338816 Aug 15 '14 at 08:49
  • Why would the definitions be detected as viruses? They aren't the actual virus themselves nor are they even stored as separate files. I would imagine most AV software stores the definitions in a big data file and those definitions would be hashes of malicious files or collections of attributes that help identify those malicious files. It doesn't make any sense that a virus scanner would detect its own definition database as a virus just because it defines the rules for detecting the viruses. – Mike D. Aug 16 '14 at 05:32

The real risk is not the true antivirus software, it is the 101 websites that try to trick you into installing fake antivirus software. Just because a website is called “GetAvj”, this does not mean it is going to install AVG on your machine. This is now one of the most common ways that viruses are spread.

I know people who have got fake phone calls claiming to be from Microsoft or their ISP telling them they have a virus and to do x, y and z. Then software that steals their bank logon details is installed if they fall for it.

Only one in many thousand people has to fall for these tricks to give a good return on investment for the people that are doing them.

Backdoors

All “background” antivirus software installs a backdoor on your machine, as it has to update itself; the question is whether you trust the vendor not to do something bad with the backdoor and to prevent anyone else from using it.

There is “batch mode” antivirus software that you download to a machine and run once before the program deletes itself. These are mostly used when a virus has spread a lot, as they can be run as part of a maintenance cycle on all PCs.

At one point (I don’t know if they still do so) Microsoft used to run such a tool every time Windows was updated on your PC. This tool only checked for a few viruses that were on a great number of PCs.

Now for the two free AV I have used.

AVG Free is given away so that people will buy the full version. As AVG makes lots of money from selling the full version, there is no way they would take the risk of doing something with the free version that would stop people trusting them. However, every time you upgrade the free version there are 101 tick boxes you have to get right so it does not try to make you pay for the full version.

Microsoft Security Essentials is produced by Microsoft, as they get “bad PR” every time a Windows machine gets a virus, and home users were not installing antivirus software. There is no pay-for version, therefore they don’t try to get you to upgrade. As you already trust Microsoft with the monthly upgrades, no more trust is needed to use Microsoft Security Essentials.

Microsoft Security Essentials may only catch, say, 99% rather than, say, 99.1% of some test set of viruses, but it does a very reasonable job if you are careful how you use the internet.

See “Is it worth it to get paid anti-virus software?” for why you may wish to pay for antivirus software.

Ian Ringrose
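Two of the answers above land on the same design point from opposite sides: Tom Leek's answer (with Steve Jessop's comment on it) says a compromised distribution server should not be enough, because the client only accepts updates signed with a key the server never holds, and Ian Ringrose's "Backdoors" section says the auto-update channel is the built-in remote-code path you are trusting. The following is an added example of that update check, not code from either answer and not any AV vendor's updater; the manifest layout, the choice of Ed25519, the version field and the payloads are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the distribution server hands out next to the update
// payload. Only the vendor's offline signing key can produce Signature.
type Manifest struct {
	Version   uint64   // strictly increasing; blocks replay of an older signed build
	Digest    [32]byte // SHA-256 of the payload
	Signature []byte   // Ed25519 over signedBytes(Version, Digest)
}

// signedBytes is the exact byte string the signature covers.
func signedBytes(version uint64, digest [32]byte) []byte {
	buf := make([]byte, 8, 8+len(digest))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, digest[:]...)
}

// signUpdate runs on the vendor's offline signing host. The private key
// never reaches the distribution server, so owning that server is not enough.
func signUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(payload)}
	m.Signature = ed25519.Sign(priv, signedBytes(m.Version, m.Digest))
	return m
}

var (
	ErrRollback     = errors.New("update: version is not newer than the installed one")
	ErrBadSignature = errors.New("update: signature does not verify under the pinned vendor key")
	ErrDigest       = errors.New("update: payload does not match the signed digest")
)

// verifyUpdate is the client side. pub is pinned in the product binary and
// installed is the version currently running.
func verifyUpdate(pub ed25519.PublicKey, installed uint64, m Manifest, payload []byte) error {
	if m.Version <= installed {
		return ErrRollback
	}
	if !ed25519.Verify(pub, signedBytes(m.Version, m.Digest), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.Digest {
		return ErrDigest
	}
	return nil
}

// scenarios exercises the check against a constructed update and the three
// things a compromised distribution server could try; it returns the
// verification result for each case.
func scenarios() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	const installed = 41
	payload := []byte("definitions v42 (constructed payload)")
	good := signUpdate(vendorPriv, 42, payload)

	res := map[string]error{}
	res["genuine"] = verifyUpdate(vendorPub, installed, good, payload)

	// Server swaps the payload but cannot re-sign a new digest.
	res["tampered payload"] = verifyUpdate(vendorPub, installed, good, []byte("definitions v42 + implant"))

	// Server replaces the manifest with one signed by a key it does hold.
	implant := []byte("implant")
	res["forged manifest"] = verifyUpdate(vendorPub, installed, signUpdate(attackerPriv, 42, implant), implant)

	// Server serves an older build with a genuine signature but a known hole.
	oldPayload := []byte("definitions v40")
	res["rollback"] = verifyUpdate(vendorPub, installed, signUpdate(vendorPriv, 40, oldPayload), oldPayload)
	return res
}

func main() {
	for name, err := range scenarios() {
		fmt.Printf("%-17s %v\n", name, err)
	}
}
```

The version check is what turns "signed" into "current": without it, a server the attacker controls can replay a genuinely signed older build that has a known hole, and the signature will verify. What this design does not cover is a stolen signing key, which is why the key belongs offline or in an HSM rather than on any host the update server can reach; nor does it stop a compromised server from simply withholding updates, which the client can only detect by alarming when no update arrives for longer than the vendor's published cadence.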

For commercial software: They could probably make some money somehow by installing a backdoor. On the other hand, if found out, it would destroy their business. And it would be found out. So they don't do it, because the risk just isn't worth the very limited benefits that they could have.

For things on the internet: If you visit a website that finds 73 viruses on your computer, which are all windows viruses even though you are using a smartphone or a Mac or a Linux box, you know that all they want is your money. One thing their software will not do is find and remove any real viruses on your computer. Whether they just take your money and laugh at you, or whether they use their software to put malware on your computer, that's hard to say. Personally, if I could make people pay say $30 for useless software, and possibly convince them to pay another $20 for an upgrade, I wouldn't be bothered adding malware to it.

gnasher729
  • The greed/stupidity of RSA has demolished your first point. :( – Dan Is Fiddling By Firelight Aug 13 '14 at 19:41
  • Didn't it effectively destroy RSA's business? It may be hard to extract from EMC's annual report, but I'd be pretty surprised if it didn't hurt quite a bit. – Bruno Rohée Aug 14 '14 at 11:06
  • @DanNeely, are you telling me that the USA has not already made Microsoft and Apple install backdoors for them? The risk of that is as great as the risk of the USA getting AV vendors to install backdoors. – Ian Ringrose Aug 15 '14 at 08:53

For some non-absolute value of trust, you can trust the intentions of an anti-malware product that has been reviewed -- including testing -- by someone with a reputation you trust (for some value of trust). Other answers have gone into this in more detail.

You can never trust their competence -- even if their product was perfect when released (and no code ever is), and their definitions were complete when released, new vulnerabilities and exploits appear all the time.

This latter point is partly why a defence-in-depth strategy is beneficial (use a more secure browser, restrict what scripts can run on the web, disable autoplay, good passwords, don't run root/admin if you don't understand why you have to, run a firewall...). Some of these tips could also help in the hypothetical case of the AV updates server (or a cache of it) being compromised. Some of them are about reducing entry points, some about damage limitation.

Chris H

You can't trust any software if you can't check the source code. And even when you can, you are still at risk - there might be some old, nasty bug, waiting for years for some hearts to bleed.

rsm
  • To be more precise: You cannot trust any software if you *didn't* check the source code. Just being able to in theory says nothing beyond giving you the tool to start the work of getting there. – Christopher Creutzig Aug 14 '14 at 07:14
  • You cannot trust any software if you a) didn't check the source, b) didn't compile it yourself, c) didn't check the compiler's source and d) didn't compile it yourself. As we speak of a)... – atamanroman Aug 15 '14 at 13:28
  • [the Thompson paper](http://cm.bell-labs.com/who/ken/trust.html) is a good read on that, of course. – muhmuhten Aug 17 '14 at 00:50