In the realm of security, there are a number of discussions that never seem to be completely resolved and crop up again from time to time. One of these is the age-old question: “Is antivirus really necessary?”
To the average PC user, the idea that antivirus (or more accurately, anti-malware) isn’t necessary may seem as crazy and dangerous as suggesting we get rid of seatbelts in cars (never mind airbags, anti-lock brakes and other safety features). For years, PC users have been told to “protect your PC” by running antivirus and keeping both it and the system constantly up to date. Microsoft made these steps the foundation of its guidance to customers in the wake of the Slammer and Blaster worms in 2003, and that advice took root, helping to better protect PC users since then.
Now More Than Ever
Anti-malware is such a key part of PC computing that Microsoft has integrated anti-malware support ever more deeply into the operating system over the past few years. The company started with the Windows Security Center in Windows Vista, which warned you if you weren’t running up-to-date anti-malware. Since 2011, Microsoft has offered a free antivirus solution, Microsoft Security Essentials, to Windows users. And Microsoft has indicated that it plans to include integrated anti-malware capability in Windows 8.
At this point, even if you wanted to run Windows on your PC without anti-malware, the hassle of disabling notifications and warnings, plus the availability of a free solution in Microsoft Security Essentials, makes downloading and running it the path of least resistance. You would be hard pressed to find someone running a modern version of Windows with no anti-malware at all.
But the world isn’t what it was, and as more and more people connect to the Internet using something other than a PC running Windows, the age-old question is coming up again: Do I really need anti-malware?
As someone with a long history in security, I can say that the answer to this is not only “Yes”, but also “more than ever”.
Two Arguments Against
There are really just two arguments that people make against running anti-malware:
- First, that malware is really only a problem with Windows and that’s because of Windows’ fundamental security design flaws.
- Second, that malware is a fabricated problem, hyped by security companies who are trying to scare you and convince you to buy their products.
In the interest of full disclosure, I have to say here that I was part of Microsoft’s Security group for about ten years. And now, as a consultant, I do work with other security companies in the industry. But my views are my own and it’s my view that facts on the ground refute both of these arguments.
Flawed Windows argument. The argument that the presence of malware somehow proves a platform is inherently insecure, and so that malware shouldn’t be a problem on a properly secure one, is a logical fallacy. It doesn’t help that this point is sometimes made by platform vendors to talk up the security of their own products (as Jim Allchin once infamously did regarding Windows Vista, claiming he didn’t need antivirus on his kid’s system).
Any security person worth his or her salt will say that, ultimately, code is code. On any system that’s designed to be extensible (i.e. one you can load new programs and applications onto), there’s an inherent risk of what we would call “malware”, because code that is “bad” to us (hence “malware”) is neutral to the system that executes it.
Where secure design does play an important role is in limiting and preventing “bad” code’s access to the system and in limiting the scope of actions code can take as much as possible. At most, one can say that a more secure platform creates a higher barrier to attack that deters attackers and drives them elsewhere. Think of it as the “you don’t have to be faster than the bear, just faster than the other guy” rule.
This hasn’t stopped vendors and advocates for other platforms in the past from pointing at the disparity in malware and attacks between Windows and other platforms as “proof” that malware is a Windows problem due to poor design. But the changing world is proving that stance wrong. With successful Mac-based botnets like Flashback, increasing numbers of malicious Android apps, and even some dual-platform Windows and Mac attacks, it’s clear that the threat environment is responding to a more diverse world with more diverse targeting and attacks. There’s more than one bear now, and it doesn’t matter who runs faster.
Hyped malware treatise. The argument that malware is a hyped problem is a more nuanced one. The argument got its strongest start back in the early days, in 1988, with Rob Rosenberger’s “Computer Virus Myths” treatise. Rosenberger made some valid points (and his “False Authority Syndrome” is still a good read). The pressures of the marketplace can and do encourage security firms to talk up threats, sometimes to the point of hype. But a look at any week’s online security news shows that incidents like the Global Payments breach do happen with frightening regularity.
The growth of the Internet over the past fifteen or so years has moved a lot of the targets of criminal activity and espionage (state and corporate) from the physical world to the online world. That has fundamentally changed the malware game. Before, viruses were nuisances that destroyed data and created havoc on stand-alone and network-connected systems (mainly PCs). Today, malware seeks to gain data that is lucrative (either financially or in terms of intelligence) by attacking the point at which users connect to the global Internet (desktops, mobile phones, tablets). In a way, it’s hard to hype the nature of the threat environment these days: the facts themselves put the threat nearly at maximum.
Rosenberger’s points are important: everyone should think for themselves and make their own decisions about threats. But the realities of today’s online threats, coupled with the way bad actors are responding to a more diverse client base with an equally diverse set of attacks, mean that no one is truly safe anymore (though it’s arguable whether anyone ever really was).
Anti-malware is an inherently reactive countermeasure, yes. And it’s not a silver bullet. But it is a critical layer in a multifaceted approach to meeting the threats that are out there. In a way, heeding the claims of those who say “you don’t need anti-malware on my platform” is falling victim to another type of “False Authority Syndrome”.
Christopher Budd is a 10-year veteran of Microsoft, where he oversaw and managed communications around online security and privacy incidents. He left the company in December 2010. Today he is an independent consultant using his experience to help clients in the areas of crisis communications, online security and privacy incidents and social media.