Gizmodo Is Wrong: You Do Need Antivirus Software

Our friends over at Gizmodo today posted a story entitled, "You Don't Really Need an Anti-Virus App Anymore."

Sorry, but that headline is just dumb. If you're running Windows, macOS/OS X or Android, you absolutely do need antivirus software.

Credit: Denis Nata/Shutterstock

The Gizmodo piece (which is a bit more nuanced than its headline) correctly says that keeping your system and internet-facing software updated, following best security practices and using common sense will go a long way to protect you. But none of that will save your butt when a brand-new piece of malware comes along and blows right past your system's built-in defenses.

Good antivirus software will at least give you another chance to stop those new threats. There's no good reason not to have it: Many AV programs have little system-performance impact, and many good ones are free.

The Gizmodo writer is right when he says that compared to a decade ago, "Windows has much more robust security options built in, browsers are smarter, and, hopefully, so are the users."

But you know who else is smarter? People who look for security flaws. Windows 10 may be the most secure operating system I've ever used, and Microsoft Edge the most secure browser, but researchers and online criminals alike keep finding new ways to attack them.

Those vulnerabilities aren't always fixed right away, either. Google found a bad one last November, made it public three months later (after Microsoft hadn't patched it), and the problem wasn't resolved until this week.

If you haven't installed the latest Patch Tuesday updates, you're still at risk from that flaw, even with Windows 10 and Edge. If you have installed the patch, there will be another dangerous flaw disclosed soon enough.

Beefing up the browsers

It's also true that web browsers are a lot safer than they once were. Mozilla Firefox and Google Chrome both automatically update themselves on desktop operating systems, and both they and Microsoft's Edge and Internet Explorer 11 will automatically update Adobe Flash Player.

(If your browser still automatically plays Flash videos and ads, that's a big security risk. Here's how to make sure they'll run only upon your approval.)

But so much bad stuff still gets through browsers, especially via exploit kits that bombard browsers with one attack after another, or through malicious banner ads that secretly drop malware into your computer. Antivirus software does a good job at stopping such stuff.

Gizmodo implies that Windows Defender, which comes built into Windows 8.1 and Windows 10, may be the only antivirus solution you need on a PC. That's not true, at least not yet. Defender is slowly getting better, but it still lets much more malware get past it than do most third-party antivirus products, paid or free.

This brings us to another of Gizmodo's arguments: that AV software is a waste of money. The truth is that you can get perfectly good AV software, such as that made by Avast, Avira, Bitdefender or Sophos, absolutely free. It may not have all the bells and whistles of paid antivirus software, but it's just as good at protecting your PC, and miles better than Windows Defender.

Those other operating systems

What about Macs and Android devices? Those present very different cases. Macs rarely get attacked, but that's because few people try to attack them. Macs live in a nice neighborhood while Windows machines live in a war zone. Still, half a dozen new examples of Mac malware were found last year, and experts expect that number to grow in 2017. (We've seen four new ones already this year.)

As for Android security, Gizmodo dodges the question by stating that, "Smartphones are locked down much more tightly than your laptops and desktops, and if you’re keeping your Apple or Google OS up to date, and only installing apps through the official app stores, then you’re most likely going to be fine."

This is totally disingenuous, and is really only true for Apple devices and the few phones that Google itself sells and provisions. Gizmodo is ignoring the elephant in the room -- the fact that most Android users either can't keep their phones up to date, can't install apps only from the official Google Play store, or both.

That's because smartphone makers and wireless carriers have to dissect and approve every new Android update before they push it out to their customers, and because those same entities often stop updating a phone when it's as young as 18 months old. Even fully supported phones may wait months for a new security update from Google.

Meanwhile, hundreds of millions of Android users in China can't buy apps through Google Play, due to the Chinese government and Google butting heads. Tens of millions of Android phones in other countries don't use Google Play at all.

Here's a page showing the current distribution of Android versions among devices visiting the Google Play store. (This excludes those Chinese phones and many others around the world.) As of this writing, two-thirds of phones with Google Play installed are running Android 5.1 Lollipop or earlier, which are no longer officially supported by Google.

Phones running Lollipop or Android 4.4 KitKat can still get some security updates, if their makers or carriers let them. Phones running Android 4.3 Ice Cream Sandwich will get none at all. All those phones are ripe for attack in ways that fully patched Android phones aren't.

It's as if two-thirds of Windows users were running Windows Vista (partly supported) or Windows XP (not supported at all), and then wise guys like Gizmodo argued that those PCs didn't really need antivirus software.

We are all morons

Finally, one last point. The Gizmodo argument is that smart people won't get infected.

You know who does dumb things with their computers or smartphones? Everyone. We all click on shortened links in Twitter or Facebook, even when we don't know where those links go. We all install free software we find online, even when we know that's risky. We all open email attachments from the boss, or from people who say we owe them money (or vice versa).

Put it this way: Have you ever been fooled by someone or something online? Have you ever been rickrolled? Then you need antivirus software.

Antivirus software will not solve all your security problems. It's not a silver bullet. Something bad may still get through. But your chances of that bad thing making it to the heart of your computer or smartphone are greatly reduced if you add antivirus software to your rings of defenses.

4 comments
  • Daekar3
    And the evidence that antivirus by its very nature cannot protect against zero-day threats? And the incontrovertible evidence that the deep hooks put into any OS by AV software presents increased and significant attack surface that directly leads to compromised systems?

    This isn't a black and white issue. If it was, many smart people wouldn't disagree with you about it, including Steve Gibson. You can't just declare a debate over because you've decided you're right.
  • Paul Wagenseil
    Anonymous said:
    And the evidence that antivirus by its very nature cannot protect against zero-day threats? And the incontrovertible evidence that the deep hooks put into any OS by AV software presents increased and significant attack surface that directly leads to compromised systems?

    This isn't a black and white issue. If it was, many smart people wouldn't disagree with you about it, including Steve Gibson. You can't just declare a debate over because you've decided you're right.


    I never said the debate was over, or that it was a black-and-white issue. Going over your points:

    1) Signature-based malware detection indeed cannot protect against zero-day threats, or even against polymorphic malware. But almost all antivirus software is much more than just signature matching these days. The real mark of a good AV suite is how well its various behavioral and code-inspecting tools can stop zero-day malware. Some of our top-rated products stop all of it in lab tests.

    2) AV software does create a huge attack surface, which is why it's very important that AV software makers take care to make sure that their own products don't become the vector for an attack. But you know what's even more dangerous? Web browsers, browser plugins, Java and Microsoft Office software. If you didn't run any of those products, and never connected a PC to the Internet, you could probably live without AV software. But most people definitely need it.
  • Avast-Team
    Anonymous said:
    Anonymous said:
    And the evidence that antivirus by its very nature cannot protect against zero-day threats? And the incontrovertible evidence that the deep hooks put into any OS by AV software presents increased and significant attack surface that directly leads to compromised systems?

    This isn't a black and white issue. If it was, many smart people wouldn't disagree with you about it, including Steve Gibson. You can't just declare a debate over because you've decided you're right.


    I never said the debate was over, or that it was a black-and-white issue. Going over your points:

    1) Signature-based malware detection indeed cannot protect against zero-day threats, or even against polymorphic malware. But almost all antivirus software is much more than just signature matching these days. The real mark of a good AV suite is how well its various behavioral and code-inspecting tools can stop zero-day malware. Some of our top-rated products stop all of it in lab tests.

    2) AV software does create a huge attack surface, which is why it's very important that AV software makers take care to make sure that their own products don't become the vector for an attack. But you know what's even more dangerous? Web browsers, browser plugins, Java and Microsoft Office software. If you didn't run any of those products, and never connected a PC to the Internet, you could probably live without AV software. But most people definitely need it.



    I believe part of the issue is the term "antivirus."

    The truth is, antivirus software -- Avast and AVG included -- needs to have layers in itself to prevent against ransomware, zero-days, and new strains, as Paul mentioned.

    This is why we have next-gen detection and prevention such as CyberCapture (isolate and sandbox unknown files before they do damage) and Behavior Shield (real-time monitoring of processes for malicious behavior) which all themselves employ AI and machine learning to react to ever-changing threats.

    Whew, a mouthful for sure, and apologies if that was too much jargon, but my point is that "antivirus" now means a lot more than traditional signature-based protection, or built-in basic protection :) On a side note, here's the latest real-world test from AV-comparatives, which just came out.