Antivirus Software Isn't Very Secure, Researchers Find

Credit: wk1003mike

(Image credit: wk1003mike )

Even the best antivirus software is often just as insecure as the software it's meant to protect — and running it might make you even more insecure, according to a researcher with Singapore-based security firm Coseinc.

At the SyScan 360 security conference in Beijing earlier this month, Joxean Koret claimed to have found flaws in antivirus engines found at the hearts of many major antivirus software products, including those made by Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda and eScan. (Many of these companies make some of the best Mac antivirus software and best Android antivirus apps.)

Koret also documented several ways that antivirus software could be allegedly compromised or manipulated to make what should be a wall into a door.

MORE: Best Free Antivirus Software

Koret's presentation, the slides from which are available online as a PDF (opens in new tab), began by pointing out that every newly installed program on a computer makes that computer just a little more vulnerable, because it increases the attack surface — it creates that more connections that can be hacked or otherwise exploited. 

The next problem is that antivirus programs often install with high administrator privileges, which lets them perform necessary actions such as  scanning the entire and modifying or removing malicious programs. However, if an antivirus program were compromised, it would have extensive power to abuse the computer on which it was installed. 

Koret said antivirus programs are just as likely to have flaws, even serious zero-day flaws, as any other program, simply because a human being wrote them. For example, most antivirus programs update themselves via insecure HTTP connections, and most of those updates are not cryptographically verified, Koret said.

Koret argues that it would be easy for would-be attackers to stage a man-in-the-middle attack by intercepting an antivirus program's HTTP connection, inserting themselves between the update server and the antivirus software's client machines and thereby gaining access to the antivirus programs on home and business PCs. 

Koret said he had identified bugs in 17 major antivirus programs. Some companies, such as Avast and ESET, had already patched their software by the time of Koret's presentation, but others allegedly had not.

How concerned should regular computer users be about Koret's findings? Not too concerned, said Andreas Marx, CEO of independent antivirus-testing firm AV-TEST in Magdeburg, Germany.

"Insecure code might put the user at risk, as demonstrated in the presentation. However, at the moment, such attacks are more research-oriented (proof of concept) or might be used for targeted attacks," Marx told Tom's Guide. "I'm not aware of a recent widespread virus or other malware which exploited a vulnerability in AV software."

Because there are so many different antivirus programs, none has a commanding share of the market, Marx observed. So why target a single antivirus program when nearly every computer in the world uses other vulnerable products such as Java, Adobe Reader or Adobe Flash Player? 

"With Java, or Adobe Reader, or Flash, you have good targets — if you find a vulnerability, you know that millions of PCs are affected," Marx said. "There are a lot more antivirus products on the market, so you won't easily reach a high infection rate if you exploit a security vulnerability there."

Jill Scharr is a staff writer for Tom's Guide. You can follow her on Twitter @JillScharr and on Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • hotwire_downunder
    What a pile of garbage!, This fellow is taking factual data that everyone in the Security Industry already knows and take a totally single sided, sensationalized view and presents it like it's the gospel!

    His research and test samples are of a very small subset. If I didn't know better I would believe this garbage and put myself at risk. Very irresponsible journalism.

    There are good Malware Products and Bad ones just like any other product we use. That's what the test Labs and Reports are for.
  • f-14
    anti virus only protects from known threats and only if those threats don't run around with an skii/anonymous mask over their programming, so to speak.
  • Ephebus
    Nothing new here, but the number of morons who trust these pieces of crap is astounding.
  • sykozis
    I find this "research" laughable.....
  • beayn
    This just in... humans write shitty insecure code...
  • FloKid
    Why are they always after my cookie jar bits?
  • Haravikk
    anti virus only protects from known threats
    Bollocks, many major antivirus programs now have behavioural threat detection which looks for suspicious program behaviour, not simply signature. Signature-based scanning has been of dubious effectiveness for years, and while it's still a good way to efficiently block known threats, behavioural scanning is what protects you against new ones.

    I agree with hotwire_downunder that this research is very sensationalist, though it does have some useful findings; most important is the continuing reliance by anti-virus software on administrator level privileges. We need better operating system support for anti-virus, and by extension anti-virus programs that don't need lofty privileges in order to function; all they really need is the ability to signal to the OS that a program or file may be infected so that it can restrict it, at which point a user can provide administrator support to fix/remove it, the program shouldn't need that kind of access all the time.