Battle Least vulnerable antivirus

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
Google’s ProjectZero team has found a lot of vulnerabilities in most AVs.
Microsoft made a step in the right direction by adding a sandbox for Defender.

I was wondering, which AV vendors are security-conscious with respect to their own products? There's little point in trying to further optimize Defender's good detections & protection if the vendor software introduces new vulnerabilities.

509322

Tavis Ormandy from Google Project Zero states that Microsoft's Windows Defender is the least vulnerable based upon his own observations.

He states Kaspersky is the fastest at fixing reported vulnerabilities.

Guess what... new vulnerabilities will always be introduced. If you're asking which ones use the method of "secure coding," then the answer is none of them. People (end-users) aren't willing to pay for it. If you aren't willing to pay for it, then I certainly ain't doing it for free. Secure coding is expensive. Really expensive.
 

notabot

Oct 31, 2018
They've made many non-expensive mistakes, though, like not paying attention to compilation flags; these are cheap to turn on, and it is pure negligence that they didn't.

509322

I know what you're getting at, but they just don't do it. No one does audits because it takes a lot of time, which costs money, and software buyers won't pay for it. That is just how it is until people become willing to pay realistic prices.

So vulns will always be there and Google Project Zero will have a never-ending quest.
 

notabot

Oct 31, 2018
Some things AV vendors did are software practices straight out of the 1990s, if not the 1980s. They didn't check whether they used strcmp vs. strncmp, no ASLR, no buffer-protection compilation flags.

These cost minimal effort to fix and are done in all software projects that I'm aware of, not even for security reasons, purely for stability (I don't work in the security sector; these are just common practices everywhere these days). I can't believe they pushed kernel code without these checks.

Which makes me wonder if they've bothered with other low-cost checks, like using tools for memory leak detection or even decent test coverage.

If the quality of the code is that low, it's not a matter of cost; all that I've mentioned is either a flag to switch on, a 2-day task to replace strcmp, or tweaking their CI to add memory leak detection.

Again, all the above is done everywhere for quality & stability reasons; these are not security-related adjustments (though their absence evidently lowers security too).

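The strcmp-vs-strncmp and compilation-flag points in the post above, as an added example that is not part of the original thread and is not any AV vendor's code: a file-signature check of the kind a scanner runs on a buffer it has just read from disk, with the unbounded 1990s-style compare kept only as the before-case next to a length-checked version. The signatures and buffers are constructed for illustration. It also covers a case the post does not mention: a binary signature containing a 0x00 byte, where switching strcmp to strncmp is not enough either.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Two ways to test whether a scanner's read buffer starts with a known
 * file signature. The buffer comes from a file read, so it is NOT
 * NUL-terminated and may be shorter than the signature.
 */

/* The pattern the post complains about. strcmp() has no length argument:
 * it walks both strings until it meets a NUL. On a buffer with no NUL it
 * reads past the end (out-of-bounds read), and it cannot express
 * "starts with" at all. Shown only as the before-case; it is never called,
 * because running it on an unterminated buffer is undefined behaviour. */
bool unsafe_has_signature(const char *buf, const char *sig)
{
    return strcmp(buf, sig) == 0;
}

/* Bounded version: check the length before touching memory, then compare
 * exactly sig_len bytes. memcmp() is used rather than strncmp() because a
 * binary signature may legitimately contain a 0x00 byte, and strncmp()
 * would stop comparing at the first one and report a false match. */
bool has_signature(const unsigned char *buf, size_t buf_len,
                   const unsigned char *sig, size_t sig_len)
{
    if (buf == NULL || sig == NULL)
        return false;
    if (buf_len < sig_len)          /* short read: never compare past buf */
        return false;
    return memcmp(buf, sig, sig_len) == 0;
}

/* Count how many of a small signature table a buffer matches. This is the
 * loop shape in which unbounded compares usually creep in. The three
 * signatures are constructed sample data, not a real scanner's table. */
size_t count_signature_matches(const unsigned char *buf, size_t buf_len)
{
    static const unsigned char dos_hdr[] = { 'M', 'Z', 0x90, 0x00 }; /* embedded NUL */
    static const unsigned char elf_hdr[] = { 0x7f, 'E', 'L', 'F' };
    static const unsigned char zip_hdr[] = { 'P', 'K', 0x03, 0x04 };
    size_t n = 0;
    n += has_signature(buf, buf_len, dos_hdr, sizeof dos_hdr);
    n += has_signature(buf, buf_len, elf_hdr, sizeof elf_hdr);
    n += has_signature(buf, buf_len, zip_hdr, sizeof zip_hdr);
    return n;
}

int main(void)
{
    /* Constructed "file contents": not NUL-terminated. */
    const unsigned char pe_like[]    = { 'M', 'Z', 0x90, 0x00, 0x03 };
    const unsigned char near_miss[]  = { 'M', 'Z', 0x90, 0x11 }; /* strncmp would say "match" */
    const unsigned char short_read[] = { 'M', 'Z' };

    printf("pe_like    matches: %zu\n", count_signature_matches(pe_like, sizeof pe_like));
    printf("near_miss  matches: %zu\n", count_signature_matches(near_miss, sizeof near_miss));
    printf("short_read matches: %zu\n", count_signature_matches(short_read, sizeof short_read));
    return 0;
}
```

Build it, saved as say sig.c (an assumed file name), with the flags the post refers to: `cc -O2 -Wall -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now sig.c`. Adding `-fsanitize=address,undefined` in CI turns the out-of-bounds read in the unsafe version into a hard test failure if anyone ever calls it, and on Linux the same ASan build enables LeakSanitizer, which is the cheap memory-leak detection the post has in mind.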
509322

It is time. Time is expensive. To you, spending 2 days on a task is no big deal. In the industry, that amount of time is simply unacceptable given deadlines and budgets. Plus, they build over top of the existing code base; nobody is going to spend the time and money to do a complete audit.

Not to mention the legit reasons why sometimes these things are not used. One I recall was Melih explaining why they didn't use ASLR, for a legit reason: it wasn't needed. But anyway, people gave a scathing indictment of COMODO and it got blasted for no good reason across the web. So, just to get people to shut up, Melih had his people implement the ASLR.

To you it is coding 101, but obviously the industry doesn't see it that way. Or at least they didn't in the past. And I'm pretty sure it is essentially the same today... what was created in the past hasn't been thrown out. It has just been built over. They're not going to audit it. That's how it works.

If people want secure coding with all the stops, then they have to be willing to pay for it. They have to be willing to pay for all those cumulative multi-day tasks. However, the vast majority of people don't want to pay anything. I've had discussions about this very thing and it all comes down to time and money (expenses). People don't want to pay. They want to be cheap. Then they get what I am willing to do for the price they are willing to pay.

We can debate about this all day long, but I'm telling you nobody does the kind of audit stuff that you're talking about. If they did, then Google Project Zero would find nothing and Tavis Ormandy would have to do something else.
 

notabot

Oct 31, 2018
If you want an AV with the least vulnerabilities, choose an AV that is not well known. That is the best solution.
The well-known AVs are targets, and there will always be more unpatched vulnerabilities; you can't stop it.

That's security by obscurity; I'd rather pick the best-written software by a team that follows good practices.
 

notabot

Oct 31, 2018
Today these are standard practices in non-security software; if the security industry doesn't want to adapt, then perhaps a disruptor may come along and eat their lunch.

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
Thanks for this, it's good to see they pay attention to it. My only worry with Emsisoft would be that, being a smaller vendor, fewer people would be trying to expose vulnerabilities; I only see one in that link. Do they, i.e., have a bug bounty program?
I don't think Emsisoft is a small company. There are millions of users all over the world ;)