Is antivirus bad for security?

Browser developers suggest antivirus isn't helping with security

free security software

Is it time to ditch antivirus? With near-constant serious attacks and the threat of hackers targeting your business or personal accounts, it may seem an obvious answer: of course not.

But an ongoing debate about the value of antivirus suggests that the answer may not be so simple to some.

Advertisement - Article continues below

Robert O'Callahan is a former Mozilla developer and in a blog post spotted by The Register he lays out the case against antivirus software, saying: "antivirus software vendors are terrible; don't buy antivirus software, and [un-ininstall] it if you already have it (except, on Windows, for Microsoft's)."

He does stress that for this to hold true your operating system needs to be up-to-date. "If you're on Windows 7 or, God forbid, Windows XP, third-party [antivirus] software might make you slightly less doomed."

Here's his argument against antivirus: O'Callahan says there's little evidence that it offers a real improvement in security, and it at times actually features bugs leaving users at risk he pointed to the vulnerabilities spotted by Google's Project Zero as evidence. "These bugs indicate that not only do these products open many attack vectors, but in general their developers do not follow standard security practices," he said, noting that Microsoft's developers are "generally competent".

Advertisement - Article continues below
Advertisement - Article continues below

On top of that, he argues that antivirus products "poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security." In particular, he mention ASLR which is address space layout randomisation, a feature that helps protect against a specific type of attack called buffer overflowsaying antivirus software often broke it in Firefox for Windows.

His view was backed by Tweets from Justin Schuh, a security developer working on Google Chrome saying "worthless" antivirus code delayed a series of useful protective features and introduced vulnerabilities for users. "I expect it's possible to make an [antivirus] that isn't more harm than good, but none of you are even trying," he concluded.

Better solution?

Simon Edwards, founder of SE Labs, disagrees, arguingthat his antivirus testing lab shows that some antivirus is more effective than others and Microsoft's isn't the best. "You may not trust all of them, and you may have problems with some or all of the ways that they test, but I would suggest that they can't all be wrong," he said. "Our position on the Microsoft anti-malware included with Windows is that it is far better than it used to be, but that commercial third-party packages are consistently stronger."

Advertisement - Article continues below

That said, he said that there may well be good reasons to dislike antivirus, or "anti-malware" software, which he argues is a more appropriate term. While for some, disparaging established antivirus firms is a marketing tool, others will dislike the way such products "embed themselves into Windows in sometimes strange and unusual ways, causing potential havoc with their own efforts and potentially introducing new security vulnerabilities," he said.

But rather than argue wholly against antivirus, he'd prefer a different tactic. "Some testers make it their life's mission to discover technical problems with anti-malware, sometimes apparently taking the position that 'anti-malware is bad for you,' rather than, 'you need it, it's a bit broken but here's how to fix it'," he said.

What should you do?

Independent security analyst Graham Cluley said the "vast majority" of people should stick with antivirus.

"That doesn't mean that anti-virus software is perfect, or that it hasn't sometimes contained its own flaws and vulnerabilities," he said. "But the typical user is much much more likely to be protected by antivirus software than find themselves targeted by a sophisticated attack which exploits a flaw in the security software."

Advertisement - Article continues below

Edwards agreed, and said O'Callahan was right to focus on OS updates."There is no doubt that updating your operating system makes it more secure. We've run tests to prove that this oft-quoted advice is based on real, reproducible data," he said. "But what we've also seen is that adding a decent antivirus package to a good patching schedule raises protection levels even higher."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020