Skip links

No defence for outdated defenders as consumer AV nears RIP

Opinion Game knows game. Thus it came as little surprise that Norton’s consumer security software not only sprouted a cryptominer that slurps your computer’s life essence and skims a cut, but that it’s hard to turn it off.

A marriage not made in heaven but the other place: consumer-grade antivirus software has always had an uneven reputation, much of which it richly deserves. But how did we come to carry such a high parasitical load in 2022?

Some of this is technical. Early generations of PC malware established standard techniques to propagate and protect themselves. Rootkit methods were common, monitoring and modifying operating system calls to defect target files and infect them, and to deflect scans or probes by returning false information. This means sinking hooks into the operating system at its lowest levels and taking control – which is precisely the same techniques early AV software used to detect and nullify viruses while defending itself from attacks in turn.

The knowledge necessary to build viruses was practically the same as that needed for antivirus software, and the conspiracy theory arose that less-than-scrupulous AV vendors were generating viruses as well to spice up the market. The industry certainly had personalities capable of such advanced entrepreneurial antics – witness John McAfee’s self-confessed mass deployment of malware – but whether or not this actually happened, in the end it didn’t matter. The behaviour of antivirus software could approach that of the malware it claimed to deflect.

Code that took upon itself the task of intercepting file operations, holding huge databases of virus signatures and scanning disk drives, has to be peculiarly well-written and reliable to avoid becoming denial-of-service malware itself. It could slow down the user’s PC, increase the frequency of crashes, or misidentify and isolate legal code as containing viruses. Much AV code was not particularly well written.

Oh, and it turns out installing a large chunk of third-party code with deep hooks into your system increases the threat surface area and provides a tempting new target for malware. Did malware take advantage? Of course it did.

Then there was the question of even when it wasn’t broken, did it work? In the pre-internet days, virus signature updates had to be distributed on floppy disk and couldn’t hope to keep up with the propagation speed of the viruses themselves.

Attempts to identify viruses by behaviour instead of signature code stumbled, as there’s no bright line between how malicious and bona-fide code behaves. And because of the constantly changing threat environment, it was never possible to run definitive tests on which package worked the best: this could change from week to week.

After the internet became popular, it became easier to update virus databases – and to build and deploy new viruses.

All this would be bad enough, were it not for the slimeball business models that evolved around antivirus. It became commonplace to ship PCs with “try before you buy” AV packages that encouraged the new user to activate the software for free, only to receive truly terrifying warnings a month or so later about shelling out for continued protection.

If it was so bad, how did the sector make so much money? Some players were and are conscientious and competent, and thrived in enterprise while maintaining a consumer presence. But mostly, end users do not have any way to make an informed decision here, although they do have a deep and very logical desire to defer such decisions to entities that they want to trust. Result? A delicious cash flow with no particular motivation to invest in improving the product.

This ends up in many sins – both Norton and Mcafee got into hot water recently over sharp business practices. The status of consumer antivirus as a channel for commerce can overwhelm the commercial potential for offering a pure security play, and thus we end up with cryptomining served along with your scanner.

At the same time as AV software got worse, computers got better. The first PC virus, 1986’s Brain, may not have had an internet to propagate through, but its hosts were computers with absolutely no immune system. No hardware memory managers, no operating system with any concept of inter-process protection – barely the concept of process – and no concept of privileges, accounts or any form of access restriction to software or hardware. Systems got patched every year or so. By the time the first generation of AV software came along at the turn of the decade, things had barely changed. AV had a plausible reason to exist.

Now? Even the meanest computer has hardware and software architectures that can be, and often are, configured for very high resilience against classic virus attacks. The observant may have noted that data security has not been solved – but the attacks aren’t the sort of thing that resident consumer AV software can do much about.

Endpoint protection managed in the cloud, whether explicit anti-malware services or OS-led protection as seamless as Chrome OS or through aggressive online patching, is as good as it’s going to get. Keep up to date, and third-party security software you have to manage has no right to your system at all.

For much of its life, the consumer AV industry has seemed almost as much of a problem as the stuff it defends against. Now there is no doubt: once a symbiont, it has become a fully fledged parasitic pathogen. Its niche has long gone. It’s done. Say goodbye. ®