Battle Least vulnerable antivirus

N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
2,047
1,368
Google’s ProjectZero team has found a lot of vulnerabilities in most AVs.
Microsoft made a step in the right direction by adding a sandbox for Defender.

I was wondering, which AV vendors are security conscious with respect to their own products ? There’s little point in trying to further optimize Defender’s good detections & protection if the vendor software introduces new vulnerabilities.
 
  • Like
Reactions: Sunshine-boy, amico81, vtqhtr413 and 7 others
Sort by date Sort by votes
notabot said:
Google’s ProjectZero team has found a lot of vulnerabilities in most AVs.
Microsoft made a step in the right direction by adding a sandbox for Defender.

I was wondering, which AV vendors are security conscious with respect to their own products ? There’s little point in trying to further optimize Defender’s good detections & protection if the vendor software introduces new vulnerabilities.
Click to expand...

Tavis Ormandy from Google Project Zero states that Microsoft's Windows Defender is the least vulnerable based upon his own observations.

He states Kaspersky is the fastest at fixing reported vulnerabilities.

Guess what... new vulnerabilities will always be introduced. If you're asking which ones use the method of "secure coding," then the answer is none of them. People (end-users) aren't willing to pay for it. If you aren't willing to pay for it, then I certainly ain't doing it for free. Secure coding is expensive. Really expensive.
 
  • Like
Reactions: dinosaur07, amico81, Sunshine-boy and 11 others
Upvote 0 Downvote
Lockdown said:
Tavis Ormandy from Google Project Zero states that Microsoft's Windows Defender is the least vulnerable based upon his own observations.

He states Kaspersky is the fastest at fixing reported vulnerabilities.

Guess what... new vulnerabilities will always be introduced. If you're asking which ones use the method of "secure coding," then the answer is none of them. People (end-users) aren't willing to pay for it. If you aren't willing to pay for it, then I certainly ain't doing it for free. Secure coding is expensive. Really expensive.
Click to expand...

They’ve done many non expensive mistakes though, like not paying attention to compilation flags, this is cheap to turn on and pure negligence that they didn’t
 
  • Like
Reactions: vtqhtr413, spaceoctopus and Handsome Recluse
Upvote 0 Downvote
notabot said:
They’ve done many non expensive mistakes though, like not paying attention to compilation flags, this is cheap to turn on and pure negligence that they didn’t
Click to expand...

I know what you're getting at, but they just don't do it. No one does audits because it takes a lot of time, which costs money, and software buyers won't pay for it. That is just how it is until people become willing to pay realistic prices.

So vulns will always be there and Google Project Zero will have a never-ending quest.
 
  • Like
Reactions: vtqhtr413, spaceoctopus, Eddie Morra and 4 others
Upvote 0 Downvote
Lockdown said:
I know what you're getting at, but they just don't do it. No one does audits because it takes a lot of time, which costs money, and software buyers won't pay for it. That is just how it is until people become willing to pay realistic prices.

So vulns will always be there and Google Project Zero will have a never-ending quest.
Click to expand...

Some things AV vendors did are software practices straight of the 1990s if not 1980s. They didn’t check if they used strcmp vs strncmp, no aslr, no buffer protection compilation flags.

These cost minimal effort to fix and are done in all software projects that I’m aware of, not even for security reasons, purely for stability ( I don’t work in the security sector, these are just common practices everywhere these days ) - I can’t believe they pushed kernel code without these checks.

Which makes me wonder if they’ve bothered with other low cost checks, like use tools for memory leak detections or even decent test coverage.

If quality of code is that low it’s not a matter of cost, all that I’ve mentioned is either a flag switch-on or a 2 day task to replace strcmp or tweaking their CI to add memory leak detection.

Again all the above is done everywhere for quality & stability reasons - these are not security related adjustments ( though their absence evidently lowers security too )
 
  • Like
Reactions: dinosaur07, vtqhtr413, spaceoctopus and 2 others
Upvote 0 Downvote
notabot said:
Some things AV vendors did are software practices straight of the 1990s if not 1980s. They didn’t check if they used strcmp vs strncmp, no aslr, no buffer protection compilation flags.

These cost minimal effort to fix and are done in all software projects that I’m aware of, not even for security reasons, purely for stability ( I don’t work in the security sector, these are just common practices everywhere these days ) - I can’t believe they pushed kernel code without these checks.

Which makes me wonder if they’ve bothered with other low cost checks, like use tools for memory leak detections or even decent test coverage.

If quality of code is that low it’s not a matter of cost, all that I’ve mentioned is either a flag switch-on or a 2 day task to replace strcmp or tweaking their CI to add memory leak detection.

Again all the above is done everywhere for quality & stability reasons - these are not security related adjustments ( though their absence evidently lowers security too )
Click to expand...

It is time. Time is expensive. To you spending 2 days on a task is no big deal. In the industry, that amount of time is simply unacceptable given deadlines and budgets. Plus, the build over top of the existing code base nobody is going to spend the time and money to do a complete audit.

Not to mention the legit reasons why sometimes these things are not use. One I recall was Melih explaining why they didn't use ASLR for a legit reason. It wasn't needed. But anyway, people gave a scathing indictment of COMODO and it got blasted for no good reason across the web. So, just to get people to shut-up, Melih had his people implement the ASLR.

To you it is coding 101, but obviously the industry doesn't see it that way. Or at least they didn't in the past. And I'm pretty sure it is essentially the same today... what was created in the past hasn't been thrown-out. It has just been built-over. They're not going to audit it. That's how it works.

If people want secure coding with all the stops, then they have to be willing to pay for it. They have to be willing to pay for all those cumulative multi-day tasks. However, the vast majority of people don't want to pay anything. I've had discussions about this very thing and it all comes down to time and money (expenses). People don't want to pay. They want to be cheap. Then they get what I am willing to do for the price they are willing to pay.

We can debate about this all day long, but I'm telling you nobody does the kind of audit stuff that you're talking about. If they did, then Google Project Zero would find nothing and Tavis Ormandy would have to do something else.
 
Last edited by a moderator:
  • Like
Reactions: dinosaur07, vtqhtr413, notabot and 2 others
Upvote 0 Downvote
shmu26 said:
If you want a AV with the least vulnerabilities, choose a AV that is not well known. That is the best solution.
The well known AVs are targets, and there will always be more unpatched vulnerabilities, you can't stop it.
Click to expand...

That’s security by obscurity, I’d rather pick the best written software by a team that follows good practices
 
  • Like
Reactions: vtqhtr413, spaceoctopus and shmu26
Upvote 0 Downvote
Lockdown said:
It is time. Time is expensive. To you spending 2 days on a task is no big deal. In the industry, that amount of time is simply unacceptable given deadlines and budgets. Plus, the build over top of the existing code base nobody is going to spend the time and money to do a complete audit.

Not to mention the legit reasons why sometimes these things are not use. One I recall was Melih explaining why they didn't use ASLR for a legit reason. It wasn't needed. But anyway, people gave a scathing indictment of COMODO and it got blasted for no good reason across the web. So, just to get people to shut-up, Melih had his people implement the ASLR.

To you it is coding 101, but obviously the industry doesn't see it that way. Or at least they didn't in the past. And I'm pretty sure it is essentially the same today... what was created in the past hasn't been thrown-out. It has just been built-over. They're not going to audit it. That's how it works.

If people want secure coding with all the stops, then they have to be willing to pay for it. They have to be willing to pay for all those cumulative multi-day tasks. However, the vast majority of people don't want to pay anything. I've had discussions about this very thing and it all comes down to time and money (expenses). People don't want to pay. They want to be cheap. Then they get what I am willing to do for the price they are willing to pay.

We can debate about this all day long, but I'm telling you nobody does the kind of audit stuff that you're talking about. If they did, then Google Project Zero would find nothing and Tavis Ormandy would have to do something else.
Click to expand...


Today these are standard practices in non security software, if the security industry doesn’t want to adapt, then perhaps a disruptor may come along and eat their lunch
 
  • Like
Reactions: vtqhtr413
Upvote 0 Downvote
  • Like
Reactions: vtqhtr413 and JM Safe
Upvote 0 Downvote
notabot said:
Thanks for this, it’s good to see they pay attention to it. My only worry with emsisoft would be that being a smaller vendor, less people would be trying to expose vulnerabilities, I only see one in that link. Do they ie have a bug bounty program ?
Click to expand...
I don't think Emsisoft is a small company. There are millions of users in all over the world ;)
 
  • Like
Reactions: vtqhtr413, harlan4096 and notabot
Upvote 0 Downvote
You must log in or register to reply here.

You may also like...