Thursday, November 25, 2010

Do you really need antivirus software?

By Ed Bott

If you’re not sure of the answer to that question, then the short answer is yes. The longer answer is that security software is only one piece of what should be a simple, straightforward, and systematic approach to your PC’s health. I’ll outline my recommendations in this post. If you’re visiting the family over the holidays, you might want to take my list along with you.

But first, let me rant a bit. It’s no secret that I dislike the security software industry. In one of my very first posts here, nearly four years ago, I called it a “protection racket” and said, “I can already see the beginnings of an ‘arms war’ among security software companies, with ads and whisper campaigns based on fear.” Back in 2005, I wrote a post arguing, “The security software industry wants you to be afraid.”

I have deeply mixed feelings about antivirus software, especially when it’s part of a big security suite that tries to protect you from every imaginable form of online threat. The companies that sell you that software have an interest in keeping you afraid, and so they publish countless studies proving how dangerous the online world is.
They also have a vested interest in proving that you haven’t wasted your subscription dollars on their product, so they need to occasionally (or continually) pop up messages and alerts and reminders to show you exactly which threats they’ve blocked. Even when those “threats” are trivial or nonexistent.
Just how dangerous is it out there? Here’s what you need to know:
  • No computing environment is immune. Every platform can be exploited by an attacker. This month’s Mac OS X v10.6.5 and Security Update 2010-007 included well over 100 fixes to critical security vulnerabilities, many of which could lead to arbitrary code execution. These are exactly the same types of vulnerabilities that Windows malware writers take advantage of. Fortunately for Mac (and Linux) users, their worldwide market share is small enough that malware writers simply haven’t bothered with them. If you use OS X on a Mac, I don’t think you need to install security software, but that recommendation could change someday if Apple’s platform continues to grow in popularity and attracts enough attention from bad guys.
  • Good behavior alone is not enough to protect you from attacks. Visiting porn sites and downloading pirated software puts you at a much higher risk of infection, but even legitimate web sites can be compromised, and seemingly innocent results in a search engine can lead to hostile sites.
  • Antivirus software is one layer among several. Depending on the type of threat, it can be very helpful, even if you consider yourself an expert PC user. But it is not a magic bullet, and it is no replacement for a well-rounded approach to security.
  • No antivirus software is perfect. It is literally impossible for any security product to identify every possible threat, especially when malware writers are constantly updating their products to avoid detection. Most of the leading antivirus programs can identify and block the overwhelming majority of threats you’re likely to encounter online. The fact that they can’t reach 100% protection is why security software is only one part of a layered security strategy.
  • Many types of malware are installed voluntarily. Among the most common threats are Trojans, which spread via social engineering. The job of a malware writer is to convince you to run his innocent-sounding program, which secretly does something other than its stated purpose. It might claim to be a new video playback plugin (like the one I saw last week) but actually turns out to be a program that hides on your PC and steals passwords or sends spam. Social engineering explains how an entire class of malicious fake antivirus programs made it onto the top 10 malware list for the first half of this year.
  • Malware writers make their living exploiting unpatched systems. One of the top 10 threats found and removed from Windows PCs in the first half of this year was Win32/Conficker. The vulnerability that Conficker exploits was closed by a Microsoft patch (security bulletin MS08-067) released in October 2008, two years before this list was compiled. In fact, that’s true of most of the top PC malware variants found in the wild. Four of the entries on the top 10 list for 2010 are based on vulnerabilities that were identified and patched in 2007 or 2008, and none of the others could have been installed without explicit user interaction on a fully updated copy of Windows.
  • It’s not just Windows that needs patching. Some of the most effective malware vectors these days come through vulnerabilities in products like Adobe Flash and Reader, in the Java runtime, and in Microsoft Office. In most cases, the vulnerabilities were patched quickly by the software maker, but if you didn’t apply that update, you remain vulnerable. Ironically, most of these exploited programs are cross-platform; in theory, malware authors can add code to their PDF or Java exploits that targets Macs or Linux PCs. So far, they haven’t done that.
  • Attacks via zero-day exploits are rare. Zero-day exploits get a lot of publicity, but they rarely have a widespread impact. The worst variants of these attacks are the ones aimed at specific companies, like the targeted wave of attacks against Adobe, Google, and other high-profile companies in early 2010. And even those only succeeded because they exploited unpatched systems using an outdated browser.
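The two patching bullets above describe the problem but not how to check a machine for it. The script below is an added example, not code from the original post: it reads the installed-programs registry keys to report the versions of the third-party products the post names, and then asks Windows whether the October 2008 update that closes the Conficker hole is present. The post does not name that update; MS08-067 / KB958644 is the identifier supplied here. It assumes Windows PowerShell 2.0 or later, and the display-name prefixes it matches on are assumptions about how those vendors label their installers.

```powershell
# Added example (not from the original post): audit the patch state the
# bullets above describe. Assumes Windows PowerShell 2.0 or later.

# Third-party products the post names as common malware vectors. The
# prefixes are assumptions about the vendors' DisplayName strings.
$watched = 'Adobe Flash Player', 'Adobe Reader', 'Java', 'Microsoft Office'

# Installed programs are registered under these keys. 64-bit Windows keeps a
# second, 32-bit view under Wow6432Node; a missing key is silently skipped.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, InstallDate

foreach ($name in $watched) {
    $hits = $installed | Where-Object { $_.DisplayName -like "$name*" }
    if ($hits) {
        foreach ($hit in $hits) {
            "{0,-45} {1,-15} installed {2}" -f $hit.DisplayName, $hit.DisplayVersion, $hit.InstallDate
        }
    } else {
        "{0,-45} not installed" -f $name
    }
}

# KB958644 is the MS08-067 update (October 2008) for the vulnerability
# Conficker exploits. Get-HotFix lists updates applied through Windows Update
# or a standalone installer, so a missing entry on XP, Vista, Server 2003 or
# Server 2008 means the machine is still exposed. Windows 7 shipped after the
# fix and never lists it, so the check is only meaningful on older releases.
$kb = 'KB958644'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    "$kb present: the vulnerability Conficker targets is patched"
} else {
    "$kb NOT found: run Windows Update (or the OS may have shipped with the fix)"
}
```

Run it from an elevated PowerShell prompt on the PC you are checking. Version numbers alone do not tell you whether a product is current; compare them against the vendor's current release. Each of these products also has its own update mechanism, and the point of the bullets above is that those updates have to actually be applied, not just downloaded.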
