Antivirus Products Have No Place in the Future

27 December 2018

Antivirus products have been with us for almost 20 years, and they have always been an essential program for both home and enterprise users. But now we live in 2019, and things are changing. Things are becoming secure by default. We usually don’t use an antivirus program on any device except Windows PCs, and Windows 10’s built-in security features are so good that people are considering not using an antivirus at all. So, what is going to happen in the future? In this post, I want to summarize my point of view about antivirus products and their future.

TL;DR: We need them now but we won’t (shouldn’t) need them in future.

Problems of Antivirus Products

Blacklist Approach: Antiviruses have been with us for almost 20 years. In those years, tons of different malware appeared in the wild, and antivirus companies added signatures of that malware to their databases. So after 20 years, they have tons of different malware signatures. They can’t throw any of them away, since a good antivirus product should detect a virus from last week as well as one from 10 years ago. So when an antivirus encounters a new file, it calculates the file’s signature and compares it with the huge signature database. If there is no match, the antivirus flags it as safe.

Let’s imagine that you are throwing a birthday party at your house. Instead of creating an invite list of 20 people, you create an uninvited list of 79,999,980 people. When a person comes to your house, you check your uninvited list to see whether that person is on it. If there is no match after 79,999,980 checks, you allow that person to enter your house. This approach consumes time and resources. The same is true for antiviruses: the virus signature database will grow every year and consume more and more resources. This is unsustainable.

They create an additional attack surface: Antiviruses are just programs written by developers, so they can have their own vulnerabilities. And it actually happens a lot. You can take a look at the following articles for vulnerabilities in different antivirus programs:

https://landave.io/2018/06/f-secure-anti-virus-remote-code-execution-via-solid-rar-unpacking/

https://www.zdnet.com/article/eset-software-allows-mac-remote-code-execution-attacks/

https://packetstormsecurity.com/files/143190/Kaspersky-Anti-Virus-File-Server-8.0.3.297-XSS-CSRF-Code-Execution.html

Privacy Issues: Most antivirus programs send your local files to their servers to analyze them better. If you are doing some confidential shit, this is a big problem for you. Just remember how Kaspersky stole an NSA exploit from an NSA employee’s computer: https://www.theregister.co.uk/2018/09/26/nsa_worker_jailed/ . Besides that, most antiviruses perform a man-in-the-middle on your HTTPS traffic to detect malicious websites. So they own your internet browsing history, they own your local files, they own you.

They are expensive: If you run a company with hundreds or thousands of endpoints, you have to pay a small fortune for antivirus.

They are not so great at detecting malware: There are some bad antiviruses. For example, when you compile the Hidden Tear code and upload it to VirusTotal, you will see that over 20 antivirus products still can’t detect it. So if your product can’t detect one of the most famous pieces of ransomware code, what is your purpose, and how can you be helpful to anyone?

But there are also some good antiviruses which can even catch APT malware. But not always. Sometimes APT malware does its job before the antivirus program realizes what’s going on. It has to be your lucky day.

Why Do We Need an Antivirus Program on Our PC?

Because PCs can download and run arbitrary programs from the internet. For example, an HR employee can download and run an EXE file. That EXE file can read confidential file contents and send them to a server, encrypt files and ask for ransom, record your webcam, etc. That’s why there must be a security mechanism which can differentiate a good program from a bad one.

Why Don’t We Need an Antivirus Program on an iPhone?

iOS doesn’t let you download and run arbitrary programs from the internet. You can only download and install a program from the App Store, where applications are audited very well. Also, these applications have very limited permissions (sandbox). For example, an application can’t access another application’s data, so your photo editor application can’t read your WhatsApp messages.

What We Need

We need a special type of PC with the iOS security model. A PC should only download and run programs from an application market which is regularly audited. If this is an employee PC, maybe it won’t be able to download from the application market either. Only a limited set of applications will be present on the PC, like a web browser, text editors, office programs, etc. So instead of following the application blacklist approach (antivirus), we will use the application whitelist approach. Therefore, we won’t need antivirus programs.
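To make the contrast between the blacklist approach from the "Problems of Antivirus Products" section and the whitelist approach described here concrete, below is an added Python example; it is not code from the original post. It assumes, as a simplification, that a file's "signature" is just its SHA-256 hash (real antivirus signatures are richer patterns), and the file contents, the file names and the two policy databases are constructed placeholders. The point it shows: a blacklist allows anything it has never seen, including a one-byte variant of a known sample, while an allowlist blocks everything that has not been explicitly audited.

```python
from __future__ import annotations

import hashlib

# Constructed stand-ins for executables (the bytes are placeholders, not real programs).
SAMPLE_FILES: dict[str, bytes] = {
    "notepad.exe": b"MZ constructed sample: audited text editor",
    "winword.exe": b"MZ constructed sample: audited office program",
    "ransom.exe": b"MZ constructed sample: known ransomware",
    # Same sample rebuilt with a one-byte change, like a recompiled source tree.
    "ransom_v2.exe": b"MZ constructed sample: known ransomware!",
    # A program nobody has seen before, e.g. an attachment an HR employee runs.
    "hr_download.exe": b"MZ constructed sample: never-seen download",
}


def signature(data: bytes) -> str:
    """Stand-in for an AV signature: the SHA-256 hash of the file (assumption)."""
    return hashlib.sha256(data).hexdigest()


# Blacklist (antivirus model): known-bad signatures; everything else passes.
# In practice this set only ever grows, which is the resource problem the post describes.
BLACKLIST: set[str] = {signature(SAMPLE_FILES["ransom.exe"])}

# Allowlist (application-market model): audited programs; everything else is blocked.
ALLOWLIST: set[str] = {
    signature(SAMPLE_FILES["notepad.exe"]),
    signature(SAMPLE_FILES["winword.exe"]),
}


def blacklist_allows(data: bytes) -> bool:
    """Blacklist verdict: run the file unless its signature is known bad."""
    return signature(data) not in BLACKLIST


def allowlist_allows(data: bytes) -> bool:
    """Allowlist verdict: run the file only if its signature is known good."""
    return signature(data) in ALLOWLIST


def evaluate(files: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (blacklist verdict, allowlist verdict)} for every file."""
    return {name: (blacklist_allows(d), allowlist_allows(d)) for name, d in files.items()}


def unknown_files_allowed_by_blacklist(files: dict[str, bytes]) -> list[str]:
    """Files the blacklist lets run even though no audited party has ever approved them."""
    return [name for name, d in files.items() if blacklist_allows(d) and not allowlist_allows(d)]


if __name__ == "__main__":
    print(f"{'file':16} {'blacklist':>10} {'allowlist':>10}")
    for name, (bl, al) in evaluate(SAMPLE_FILES).items():
        print(f"{name:16} {'allow' if bl else 'block':>10} {'allow' if al else 'block':>10}")
    print("Unknown programs the blacklist would run:", unknown_files_allowed_by_blacklist(SAMPLE_FILES))
```

Running it shows the two models disagreeing exactly where it matters: `ransom_v2.exe` and `hr_download.exe` are allowed by the blacklist because their hashes match nothing in the database, and blocked by the allowlist because nobody audited them. The allowlist also stays small (one entry per approved program) instead of growing with every new piece of malware.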

Will Antivirus Companies Go Bankrupt?

Small ones probably will. But the big companies will find a way to sell different products and services.