List of apps to compare
Kaspersky, Symantec, McAfee, G-Data, Sophos, Bitdefender, Emsisoft, Dr. Web, Panda, Cylance
What I am most interested in
Exclusive Features & Functionality
Joined
Oct 31, 2018
Messages
86
Operating System
Windows 10
Antivirus
Sophos
#1
Google’s ProjectZero team has found a lot of vulnerabilities in most AVs.
Microsoft made a step in the right direction by adding a sandbox for Defender.

I was wondering, which AV vendors are security conscious with respect to their own products? There’s little point in trying to further optimize Defender’s good detections & protection if the vendor software introduces new vulnerabilities.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,294
#2
Tavis Ormandy from Google Project Zero states that Microsoft's Windows Defender is the least vulnerable based upon his own observations.

He states Kaspersky is the fastest at fixing reported vulnerabilities.

Guess what... new vulnerabilities will always be introduced. If you're asking which ones use the method of "secure coding," then the answer is none of them. People (end-users) aren't willing to pay for it. If you aren't willing to pay for it, then I certainly ain't doing it for free. Secure coding is expensive. Really expensive.
 
#3
They’ve made many inexpensive mistakes though, like not paying attention to compilation flags. This is cheap to turn on, and it is pure negligence that they didn’t.
 

#5
I know what you're getting at, but they just don't do it. No one does audits because it takes a lot of time, which costs money, and software buyers won't pay for it. That is just how it is until people become willing to pay realistic prices.

So vulns will always be there and Google Project Zero will have a never-ending quest.
 
#7
I think Kaspersky and Emsisoft; the frequency of software updates to solve security issues (self-protection, vulnerabilities, etc.) is also important.
Does Emsisoft have a track record of auditing, frequently patching their own vulnerabilities, etc.?
 
#8
Some things AV vendors did are software practices straight out of the 1990s, if not the 1980s. They didn’t check whether they used strcmp vs strncmp, no ASLR, no buffer protection compilation flags.

These cost minimal effort to fix and are done in all software projects that I’m aware of, not even for security reasons, purely for stability (I don’t work in the security sector; these are just common practices everywhere these days). I can’t believe they pushed kernel code without these checks.

Which makes me wonder if they’ve bothered with other low-cost checks, like using tools for memory leak detection or even decent test coverage.

If the quality of the code is that low, it’s not a matter of cost; all that I’ve mentioned is either a flag switch-on, a 2-day task to replace strcmp, or tweaking their CI to add memory leak detection.

Again, all the above is done everywhere for quality & stability reasons; these are not security-related adjustments (though their absence evidently lowers security too).
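As an added example (not from the thread and not any vendor's code), here is the kind of check the post above is getting at: a Python script that reads a Windows binary's PE headers and reports whether it was linked with ASLR (DYNAMIC_BASE, plus HIGH_ENTROPY_VA for 64-bit images), DEP (NX_COMPAT) and Control Flow Guard (GUARD_CF). It also flags the case where DYNAMIC_BASE is set but relocations were stripped, which leaves the image unrandomizable. In demo mode the headers it parses are constructed in memory by the hypothetical `build_pe_header` helper, not real executables. Stack-buffer cookies (/GS) leave no header bit, so this check cannot tell whether they are on.

```python
"""Report which binary-level exploit mitigations a Windows PE file was linked with.

Added example for this thread: it reads only the PE headers, so it needs no
Windows API and runs anywhere. The sample headers used in demo mode are
constructed in memory by build_pe_header() and are not real executables.
"""
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR over the full address space
DYNAMIC_BASE    = 0x0040   # image may be relocated at load time (ASLR)
NX_COMPAT       = 0x0100   # DEP: data pages are non-executable
GUARD_CF        = 0x4000   # Control Flow Guard metadata present
# IMAGE_FILE_HEADER.Characteristics bit
RELOCS_STRIPPED = 0x0001   # no .reloc data: the loader cannot rebase the image


def mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and return the mitigation flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    _machine, _nsect, _ts, _symtab, _nsyms, opt_size, file_chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # COFF header is 20 bytes
    if opt_size < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        # DYNAMIC_BASE alone is not enough: with relocations stripped the loader
        # has nothing to fix up, so the image stays at its preferred base.
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": magic == 0x20B and bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "cfg": bool(dll_chars & GUARD_CF),
        "relocs_stripped": relocs_stripped,
    }


def missing(m: dict) -> list:
    """Names of the mitigations a hardened build would be expected to have."""
    wanted = ["aslr", "dep", "cfg"] + (["high_entropy_va"] if m["pe32plus"] else [])
    return [name for name in wanted if not m[name]]


def build_pe_header(dll_chars: int, file_chars: int = 0x0002, pe32plus: bool = True) -> bytes:
    """Hypothetical helper: a constructed minimal PE header (DOS stub + COFF + optional header)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return mitigations(f.read(4096))   # the headers live in the first few KB


if __name__ == "__main__":
    # Usage: python pe_mitigations.py <file.exe|file.sys> ...
    targets = sys.argv[1:]
    if targets:
        for p in targets:
            gaps = missing(check_file(p))
            print(p, "OK" if not gaps else "MISSING: " + ", ".join(gaps))
    else:
        hardened = build_pe_header(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF)
        legacy = build_pe_header(0, pe32plus=False)
        print("constructed hardened header:", missing(mitigations(hardened)))  # []
        print("constructed legacy header:  ", missing(mitigations(legacy)))    # ['aslr', 'dep', 'cfg']
```

Point it at a product's service binaries and kernel driver; each name in the MISSING list corresponds to a compiler or linker switch rather than a redesign, which is exactly the point being argued above.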
 

#9
It is time. Time is expensive. To you, spending 2 days on a task is no big deal. In the industry, that amount of time is simply unacceptable given deadlines and budgets. Plus, they build over top of the existing code base; nobody is going to spend the time and money to do a complete audit.

Not to mention the legitimate reasons why sometimes these things are not used. One I recall was Melih explaining why they didn't use ASLR, for a legitimate reason. It wasn't needed. But anyway, people gave a scathing indictment of COMODO and it got blasted for no good reason across the web. So, just to get people to shut up, Melih had his people implement ASLR.

To you it is coding 101, but obviously the industry doesn't see it that way. Or at least they didn't in the past. And I'm pretty sure it is essentially the same today... what was created in the past hasn't been thrown out. It has just been built over. They're not going to audit it. That's how it works.

If people want secure coding with all the stops, then they have to be willing to pay for it. They have to be willing to pay for all those cumulative multi-day tasks. However, the vast majority of people don't want to pay anything. I've had discussions about this very thing and it all comes down to time and money (expenses). People don't want to pay. They want to be cheap. Then they get what I am willing to do for the price they are willing to pay.

We can debate about this all day long, but I'm telling you nobody does the kind of audit stuff that you're talking about. If they did, then Google Project Zero would find nothing and Tavis Ormandy would have to do something else.
 

shmu26

Level 71
Content Creator
Verified
Joined
Jul 3, 2015
Messages
6,001
Operating System
Windows 10
#11
If you want an AV with the least vulnerabilities, choose an AV that is not well known. That is the best solution.
The well-known AVs are targets, and there will always be more unpatched vulnerabilities; you can't stop it.
 
#15
That’s security by obscurity; I’d rather pick the best-written software by a team that follows good practices.
 
#16
Today these are standard practices in non-security software; if the security industry doesn’t want to adapt, then perhaps a disruptor may come along and eat their lunch.
 
#17

JM Security

Level 32
Content Creator
Verified
Joined
Apr 12, 2015
Messages
2,106
Operating System
Linux Ubuntu
#19
Thanks for this, it’s good to see they pay attention to it. My only worry with Emsisoft would be that, being a smaller vendor, fewer people would be trying to expose vulnerabilities; I only see one in that link. Do they, for example, have a bug bounty program?
I don't think Emsisoft is a small company. There are millions of users all over the world ;)