Former Mozilla Engineer: Disable Your Antivirus Software, Except Microsoft's

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Antivirus software vendors are terrible; don't buy antivirus software, and uninstall it if you already have it (except for Microsoft's).

This is how Robert "Roc" O'Callahan, a former Mozilla bigwig engineer, started a blog post today, in which he details a long list of issues that antivirus software has caused for browser vendors.

O'Callahan's post criticizes antivirus vendors for a series of problems that he experienced first hand while working at Mozilla, but also through his interaction with other employees at other browser vendors. Here are some of his gripes:

  • AV vendors don't follow standard security practices, which leads to many security bugs affecting the AV itself. To prove his point, O'Callahan points his readers to the Google Project Zero project, and especially to the activity of Google security researcher Tavis Ormandy, who in the past two years has discovered gaping security holes in the software of many anti-virus vendors, which in many cases led to a complete takeover of the affected system.
  • AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security. O'Callahan remembers that when Firefox implemented ASLR on Windows, AV vendors broke the feature by injecting rogue DLLs into the browser's process. Furthermore, several AV products blocked Firefox security updates for no apparent reason.
  • It's hard for software vendors to speak out about these problems because they need cooperation from the AV vendors. O'Callahan cites his own experience when he called out an AV vendor about injecting code in Firefox APIs, only to be silenced by Mozilla's PR team, who feared that antivirus vendors might flag Firefox as insecure, as payback, or blame the browser for the user's malware infections.
The only ones for whom O'Callahan seems to have any respect are Microsoft engineers, whom he calls "generally competent", and he is somewhat accepting of their AV product.



...more in the link above
 
5

509322

Google security researcher Tavis Ormandy, who in the past two years has discovered gaping security holes in the software of many anti-virus vendors, which in many cases led to a complete takeover of the affected system.

The malicious code has to target the vulnerability present in the AV. If the exploit succeeds the malicious code gains escalation of privilege - SYSTEM - then runs amok.

You have to ask yourself: "How likely is it that I will download and execute malware that targets my installed AV?"

I get what Roc and Tavis are saying, but telling people not to use 3rd-party AVs is just plain bad advice on so many levels.

I'll put it to you straight - just about every single piece of software has a vulnerability. Secure coding is not a standard industry practice and is never likely to be so for a multitude of reasons. So, if we follow the logic of "Uninstall it, if it has vulnerabilities," we should simply not use any software - which means never turning your PC on in the first place - because everything from the browser to the OS and everything in between has vulnerabilities.

For any user that follows this advice - and isn't an advanced user and relies completely upon Windows Defender to protect their system - when it is infected they should call that engineer and tell him to come to their house and remediate their system.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
I wouldn't trust Microsoft Defender, a useless tool, maybe with AppGuard and Sandboxie; everyday users struggle now with ransomware. Maybe Microsoft paid him to say that, wouldn't surprise me.

Very true, but I was listening to a former NSA worker, who was a cryptology expert, and he stated (as he has 12 computers at home searching for vulnerabilities in software and sells them to the US government for $80,000) that basically software companies are lazy and need to write proper code, and then there would be no hacks. Maybe to him and the NSA that's possible - not sure.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
849
He has a point. But telling people to uninstall AV is not a wise statement. Recommending Microsoft as the only AV is a poor choice.

Kaspersky/Bitdefender/Norton/Eset/Avast/F-Secure are all legitimate products that I would recommend as AV software for consumers.
 

motox781

Level 10
Verified
Well-known
Apr 1, 2015
483
He has a point. But telling people to uninstall AV is not a wise statement. Recommending Microsoft as the only AV is a poor choice.

Kaspersky/Bitdefender/Norton/Eset/Avast/F-Secure are all legitimate products that I would recommend as AV software for consumers.

I agree. Sounds like he is complaining more about the 'restrictions' on AVs with the product he worked on (Firefox) than the product's effectiveness.
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
While I understand where Robert O'Callahan is coming from and his point of view, overall Windows Defender hasn't performed as well as others in testing, reviews, and real-world results.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Even if I get his point, how good is WD at defending my system?
No doubt about the good kernel-side implementation of Windows Defender... of course, but when you are infected, you have other problems.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Currently using Symantec Endpoint with advanced hardened policies, AppGuard, Sandboxie and Adguard, and I wouldn't give it all up for the crappy Windows Defender - I trust the above to protect me!
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008

kev216

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 6, 2014
1,044
I can understand the point he tries to make, however I don't completely agree.
First of all, like others say, Windows Defender isn't really the strongest AV on the market. They have improved much and get higher scores than before, but there are still other vendors with better detection rates. With that in mind, only recommending WD would not be good advice, but I understand that his point is not about detections.
When he talks about blocking security updates and breaking stuff in their browser, I can only say that good cooperation between security vendors and browser makers is necessary. AV vendors receive millions of new files each day and it's already difficult enough for them to avoid each FP. And even if they have a good response from MS themselves, it is unavoidable that the same will happen between Firefox and WD at some point.
Also, generalising this statement to every AV vendor is not done.
What I do agree with him on is that security companies that are known to have vulnerabilities in their code and software really need to patch those as soon as possible, which isn't always the case if you look at more recent and even older news articles. However, no software is 100% bulletproof, whether it be a browser, an AV, an office suite or even games. Firefox also regularly comes into the news with security-related vulnerabilities, so should I now recommend everyone to use another browser and never install Firefox again?
While I do agree with the underlying statement about security products with known and still unpatched holes, in my opinion it does not support his judgment well to say that only Windows Defender is a recommended and good-practice product.
 

conceptualclarity

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,076
O'Callahan cites his own experience when he called out an AV vendor about injecting code in Firefox APIs, only to be silenced by Mozilla's PR team, who feared that antivirus vendors might flag Firefox as insecure, as payback, or blame the browser for the user's malware infections.

That has the ring of truth.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
It's true what he says about third-party security layers: they can also increase the attack surface, as seen in previous reports about insecure third-party browsers and their configuration, among other things.

What I don't understand is, why doesn't he mention security that does not infiltrate or interfere with how the browser operates?

Windows Defender is (still) very underrated because it's the AV vendors' business to say Windows Defender is crap, use our products and services instead. The danger arises from all the extras that come with modern antivirus software, when it wants to scan your HTTPS traffic, alter certificates, or inject vulnerable web services with extensions and add-ons.

[You'll hear it next from Piriform about AV vendors force-installing their own version of PC performance and tune-up tools, and doing more damage to systems. On the other hand, you don't need CCleaner on macOS or Android, so they should stick with Windows]. - This was a bad example.

I am not saying don't use a third-party antivirus, but be aware of the - unknown to us - poorly written code that tries to interfere with the modern browser, or bloatware that attempts to replace your browser with their own version.

My point of view, of course.
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,483
Alright, he's got a point. We all know what he states is true, but maybe not all of us share the "Uninstall all antivirus software" quote. Coding bugs and security flaws are real and are present in every single piece of software; the severity here is the amount of bugs present in software that is meant to provide security and real-time protection against files that threaten the harmony of a user's system (see Trend Micro thread here). Now I suppose it's very unwise to suggest ordinary users of the internet uninstall all antivirus software, especially when they don't know other practices such as anti-executables or next-generation software. Moreover, the engineer did not even mention any of these alternatives, which he ends up advising against.

In my personal opinion, I do believe sig-based antivirus and general software should slowly be removed from the market, or at least their vendors should update the technology used in them to be able to participate in this new era of security vs cracking. I guess we all can agree on the fact that it's technically impossible with the given worldly knowledge to code and create 100% perfect software, and this is why programmers code their software and link it back to their team to be ready to deliver any necessary update, besides new program versions. If I could amend what the engineer said, I'd say: "Do not rely on your antivirus as your primary security phase. Be sure to find the adequate combination for you to achieve maximum security and cover all the flaws and vulnerabilities on your system."
 
5

509322

It's all fine and dandy to talk about code security audits, but no one wants to pay for the expense of manually auditing many thousands of lines of code. If users were willing to pay a big built-in premium as part of the cost for those types of audits then sure - vendors would do it. However, vendors struggle to get users to pay just $30 for security softs. Users aren't willing to pay the additional cost, so expensive audits aren't done.
 
