June 22, 2017

Announcing a New Blog Series on Anti-Virus Software

In the past couple of years, we have seen quite a few critical security issues concerning anti-virus software. A significant number of bugs have been found by Google’s Project Zero[1][2][3][4], but there is also a lot of effort from other companies[5] as well as from private researchers[6].

Observing those issues, the following question arises naturally:

Does anti-virus software decrease the security of our systems?

This is a question that has been discussed for many years now, and for many experts the answer seems to be clear. One of the most prominent examples is Robert O’Callahan recommending[7] that all anti-virus software be disabled (except Microsoft’s Defender).

Even though removing anti-virus may actually be the best choice, I do not believe that simply shouting out this kind of advice will solve the problem. Think about it. Anti-virus software is not going to disappear anytime soon. Therefore, we really should be thinking about the following.

What needs to change for anti-virus software to increase the security of our systems, and what metrics do we use to evaluate different products?

To be able to reason about this question, we will need more publicly available information about the internals of anti-virus software. We need to obtain an in-depth understanding of the difficulty of implementing such a software system.

In order to achieve this, I propose to discuss the architecture, bugs, and design flaws of anti-virus software.

This blog series tries to make the first step in this direction, and I encourage others to do the same.

I will document and analyze (as yet unknown) bugs and vulnerabilities that I found in commercial anti-virus products during the last year. Using said bugs, I also intend to shed some light on architectural issues and generally difficult design choices.

