Antivirus is not the only problem, the user is too

Martin Brinkmann
May 7, 2014
Updated • May 7, 2014

There is no question about it: antivirus software is not very effective. Tests may show that some programs detect 99% or more of samples, but that figure does not hold up against what actually reaches users.

The main issue with those tests is that they use known samples, which are usually more than a day old. The real threat is malicious code younger than that, because it often goes undetected until the antivirus vendor catches up and adds a signature for it to the product's database.

But is antivirus really the only problem?

One question that is not asked nearly enough is how malware gets onto the system in the first place. Does it go *poof* and appear on the user's machine by magic?

Not really. There are attacks that deliver malware to a system without any user action, drive-by downloads come to mind, but more often it comes down to how users protect their computers.

Malware statistics regularly list viruses that exploit known vulnerabilities for which patches have long been available. These attacks succeed because user systems are not patched.

(comic via xkcd)

The same is true for exploits against third-party software such as Java, Adobe Flash or Adobe Reader. There are certainly attacks that use new 0-day vulnerabilities, but the majority rely on old ones that pose no threat once the targeted plugin has been updated to its latest version.

According to research, attacks now originate predominantly on the web rather than via email or other channels. Symantec reports that 1 in 8 websites had critical unpatched vulnerabilities that attackers could exploit to spread malware.

While antivirus software certainly is not as effective as it should be, a core reason why malware is so lucrative for criminals is that user systems are not protected properly.

This includes updates more than anything else, but it does not stop there. Many Internet users lack knowledge of threats, especially of what they should and should not do.

Tech-savvy users would never open an email attachment from an unknown source, or at least not without precautions such as running it in a sandbox or virtual machine to limit the impact it can have on the system.

Users who think security is all about installing antivirus, and not necessarily about keeping it updated, do not follow what is common sense to tech-savvy users.

Phishing and malware attacks would be far less effective if all computer users followed these basic security principles:

  • Always keep the PC, and all software running on it, up to date; this covers the operating system, the browser and its plugins alike.
  • Use a limited (standard) user account for day-to-day activity and reserve the administrator account for installing software and changing system settings.
  • Use strong, unique passwords, and two-factor authentication wherever it is offered.
  • Install additional security software, e.g. Microsoft EMET, Malwarebytes Anti-Exploit, Sandboxie or a second-opinion scanner.

It needs to be noted that this would not eliminate all malware, but it would render a lot of it less effective or not effective at all.
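As an added example (not part of the original article), the following PowerShell script audits a Windows workstation against the first two principles above: is the day-to-day account an administrator, is UAC switched on, how long ago was the last Windows hotfix installed, and which of the commonly targeted third-party plugins (Java, Flash, Reader, Silverlight) are present at all. It is read-only and changes nothing. The 30-day patch-age threshold and the plugin name pattern are assumptions chosen for illustration; adjust them to your environment.

```powershell
# Added example: read-only audit of a Windows workstation against the
# "keep it patched" and "use a limited account" principles. Not from the
# original article. Run it in an unelevated PowerShell session.
# ASSUMPTIONS: the 30-day hotfix age limit and the plugin name regex below
# are illustrative; no vendor version numbers are embedded.

function Test-RunningAsAdmin {
    # True if the current token is a member of the local Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacEnabled {
    # EnableLUA = 1 means UAC is on; 0 means every admin logon is fully elevated.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($value -eq 1)
}

function Get-DaysSinceLastHotfix {
    # Age in days of the most recently installed hotfix, or $null if none has a date.
    $dates = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Select-Object -ExpandProperty InstalledOn
    if (-not $dates) { return $null }
    $latest = $dates | Sort-Object -Descending | Select-Object -First 1
    return [int]((Get-Date) - $latest).TotalDays
}

function Get-InstalledPlugins {
    # Enumerate Add/Remove Programs entries (32- and 64-bit hives) for the
    # third-party plugins the article names as the usual exploit targets.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Adobe Flash|Adobe Reader|Acrobat Reader|Silverlight' } |
        Select-Object DisplayName, DisplayVersion
}

# Collect findings; an empty list means the basic principles are being followed.
$findings = @()
$maxPatchAgeDays = 30   # assumption: tolerated age of the newest hotfix

if (Test-RunningAsAdmin) {
    $findings += 'Current account is an administrator: use a standard user account for daily work.'
}
if (-not (Get-UacEnabled)) {
    $findings += 'UAC (EnableLUA) is disabled: elevation prompts are off for this machine.'
}

$age = Get-DaysSinceLastHotfix
if ($null -eq $age) {
    $findings += 'No hotfix install dates found: check Windows Update manually.'
} elseif ($age -gt $maxPatchAgeDays) {
    $findings += "Newest Windows hotfix is $age days old: run Windows Update."
}

foreach ($plugin in Get-InstalledPlugins) {
    $findings += "Plugin present: $($plugin.DisplayName) $($plugin.DisplayVersion) - confirm it is the vendor's current release, or remove it if unused."
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: non-admin account, UAC on, OS patched recently, no legacy plugins installed.'
} else {
    $findings | ForEach-Object { Write-Output ('[!] ' + $_) }
}
```

The plugin check deliberately reports presence rather than comparing against a hard-coded "latest" version: release numbers change faster than any script, and the actionable question for the reader is whether the plugin is still needed at all. The hotfix age check is a coarse proxy for "is Windows Update running"; it does not tell you which updates are missing, which is what Windows Update itself or a tool such as Secunia PSI is for.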

What's your take on this?


  1. Gonzo said on May 10, 2014 at 12:47 am


    I think we got our wires crossed. I wasn’t moaning that AV products themselves install toolbars. They allow OTHER applications to install malicious bundleware without warning. At the same time many warn users that a keygen contains a trojan, when in fact it may not.

    Most free AV software has an agenda other than security. Read those cryptic privacy policies. They're a lot like toolbars, collecting varying amounts of data and selling it. Not surprising they allow malicious bundleware to install. Or the parent company is using that data internally to further their DRM'd software. Not surprising they mark keygens as malicious.

  2. mike said on May 9, 2014 at 1:46 pm

    Martin is right, most incidents involve known vulnerabilities, including the user. No longer are viruses teenage pranks, they are tools for criminals. If you want some sombre reading, try Microsoft's page: 'Anatomy Of A Hack How A Criminal Might Infiltrate Your Network'. It says 'you cannot clean a compromised system by using a virus scanner'. But you may never know if your system is compromised. At best you have no evidence.

    If there is an incident what will you do? Microsoft say flatten the system, but ‘formatting’ isn’t enough, format resistant viruses have been in the wild for over a decade. Your system cannot tell you, nor can your programmes. How many of you would go back to ‘bare metal’ after an incident? Lose all your data, your backups, your cloud storage and all the devices you connect? How many would clear cmos and flash the bios without the hard drive, then zero the drive? How many would check the bios on the graphics card?

    Antivirus is not ‘an option’, it’s part of the basics that most people can understand, as is a firewall, though they can be circumvented. I would add a VPN to that list but cost is an issue for most people. What Martin points to here is false confidence in security measures, not whether you can discard them. Reading this page everyone seems confident in much the same way an anti-virus says your system’s protected. But confidence IS the user problem. In particular believing in ‘security’ is as much a problem as the naive cynicism that it doesn’t exist.

    Most can only hope to stay connected like any sysadmin, keep the system running, rather than eliminate all risk. Users want ease of use. Security may be ‘a journey’ but it is also inconvenience, to you and your adversary.

  3. Swapnil said on May 8, 2014 at 3:24 pm

    I don't use sandboxes or VMs, or a non-admin user account, nor am I careful with emails, nor do I use EMET. All I have is my AV and common sense at work. The only times where a virus got onto my computer was via others' infected USB drives (sometimes you have to plug them in – even when you know they are infected; say a school or college project). But those have been fairly easy to remove – and I am confident they are removed (checked with Process Monitor).

    The operating systems do so much on their part to alert the user about the dangers of files downloaded from the Internet, but if the users are not going to pay heed to the alerts even once – it's their fault and they deserve to get infected, just to learn an important lesson. Sadly, the number of these people is growing fast as they cross all security barriers to download that fake "free game/app".

  4. Pants said on May 8, 2014 at 11:25 am

    I have said for many years that AV would be about the 20th thing I do to my system to make it more secure. As others above have pointed out, preventative measures are a hell of a lot better than reactionary measures. That said, would I go WITHOUT an AV? Hell no (even though the only alerts I have had in the last 10 years have been 3 false positives).

    [NOTE: do not confuse Security with Privacy – they are separate issues]

    "Security is only as strong as your weakest link" used to be bandied about. I beg to differ – I say that "Security is a many-layered thing, and the more the merrier". Put it this way – as I said to someone the other day who asked me what was the best AV to make his system secure – my reply was "If your AV finds a virus on your system, then you've already lost the battle. Your AV is [probably] your LAST line of defense". And then I rattled off a dozen things that were more important.

    Top of my head (in no real order)
    – blocking known malicious web sites – eg Spybot Search & Destroy's immunization and SpywareBlaster (hosts file for system-wide, also adds blocks to web-browser blacklists)
    – [strong] passwording of accounts or turning them off (eg guest)
    – audit/check what services you really need – eg, turn off remote reg, remote desktop
    – sandboxing, virtual machines (eg if you have to visit a site (eg for business) that requires java – as a lot of my clients do)
    – as Martin alludes to, and I have seen some stats somewhere, – most malware/viruses etc come via webpages – so get a decent browser (there is no right or wrong answer here)
    – browser settings – such as click to play, updates
    – browser extensions/add-ons – and this is a whole ‘nother chapter from blocking iframes, ad blocking, third party site requests, script handling and it goes on
    – updating flash/java/silverlight/quicktime etc
    – autoruns disabled via group policies
    – account not having administrator rights
    – software firewall
    – additional blocks such as peerguard if you want
    – router settings – a hell of a lot here can be done too – would need to write a book .. but for starters DD-WRT or Tomato
    – heck you can even easily block entire countries – the ip info is easily available
    – OpenDNSCrypt
    – local proxy (eg Privoxy)
    – enforcing https where possible
    … …
    – COMMON SENSE <– can't stress this one enough
    and last (but certainly NOT forgotten)
    – AV

    Left a lot out … didn't mean to babble .. it's Martin's fault .. he writes too many articles :P

    1. Gonzo said on May 10, 2014 at 12:50 am

      “do not confuse Security with Privacy – they are separate issues”

      Security STARTS with Privacy. They’re NOT separate and there’s nothing confusing about it, it’s obvious.

      1. Pants said on May 11, 2014 at 2:57 am

        “Security STARTS with Privacy. They’re NOT separate and there’s nothing confusing about it, it’s obvious.”

        Bullcr*p :) <– note the smiley There is a lot of overlap – eg blocking ads and ad trackers can also prevent third party malicious scripts. eg If someone hacks into your system and steals all your personal data – that's an invasion of privacy for sure. eg blocking people not on your contact list in IM doesn't just stop the trolls and sexbots, it can also stop file transfers and spammy malicious links. It's complicated, the internet and networks of today are nothing like they were back in say 1999. Social media, data harvesting, big data conglomerates, google, sharing – the "internet of things" and so on only cause to make it more and more complex. And the terms have become "fuzzy", i guess.

        Here's someone else's words (cuz i'm a klutz when it comes to eloquence)
        "While the terms have become interchangeable, there is a difference between privacy and security. Security is the state of being free from danger — no one is maliciously corrupting your system (e.g., Target’s recent credit card system breach that compromised nearly 40 million credit and debit card accounts). Privacy is the state of being free from observation — no one is watching what you are transmitting (e.g., the 2013 NSA spying scandal)."

        Look at it like this: Lets say you use instant messaging to chat with a friend (for argument's sake lets just say that you use pidgin) and that this does not break your security model. That is, the IM client is "secure" – you have set up its settings, including the privacy ones about who can contact you, and what information you share. You have even used an anonymous email account. The client itself is open source and to the best of everyone's knowledge, it doesn't spy on you. So in other words, you have implemented security (vetted software, allowed it thru your firewall, blocked auto receipt of files etc) and privacy (anonymous email, weird nickname/handle, sharing/info settings, who can contact you etc). However, you suspect MSN, windowslive, hotmail, icq, yahoo etc of scanning your messages, even archiving them. So you then start using OTR to enforce end-to-end encryption of your chats – this is to bolster your privacy concerns and has nothing to do with security. OTR did absolutely zero to enhance your system. Now you go further, and decide that you don't even want MSN, Yahoo or whoever even knowing WHEN you chatted and to WHO, and you suspect that they also share your buddy lists with the NSA – so you ditch them and move to a new client/IM provider or method to chat – lets say you decide to use a vetted VPN, log into a keyed channel on irc, and chat in some encrypted method – or you post hidden messages inside jpgs <– again – solutions aimed at PRIVACY issues, not security.

        The way I see it (and this is not a definitive all-in-one answer) is: Security is about protection from external threats (including the ones you introduce into your system – eg virus on a usb stick, attachments/links in email, users on your system, permissions to data). Privacy is about not leaking your data and being observed. A complete overlap here would be permissions of users within a network to maintain privacy of files or access to databases etc. In other words, security measures are used to enforce privacy rules. Privacy and security are two separate items IMO.

        /end of ramble

    2. Martin Brinkmann said on May 8, 2014 at 11:40 am

      I think common sense is number one, or should be :)

      1. Pants said on May 8, 2014 at 2:57 pm

        The problem with that is that common sense isn’t all that common (psst! and I said in no particular order) :)

  5. steven said on May 7, 2014 at 11:52 pm

    I dare to say that signature-based AV solutions are a pure scam, knowing how easy it is to change a signature so a cyber criminal can work with one malicious program forever.

  6. InterestedBystander said on May 7, 2014 at 8:55 pm

    Perhaps there’s a lesson in some traffic engineers’ ideas. Research shows that when drivers believe a road is safe — wide, clearly marked, with unobstructed visibility — there are more accidents. When drivers believe a road is unsafe — narrow, hemmed in by trees, without fog lines — there are fewer accidents. Presumably because drivers are conscious of danger and drive more carefully. Having antivirus and anti-malware programs should not make you feel safe. As Martin writes, such programs are always reactive, and their capability is limited. The user has to be on the alert and practice “defensive driving” whenever they’re connected.

    Martin, what are the most common attack vectors for malware? Off the top of my head:

    1. Executables embedded in disguised downloads or in email attachments
    2. Website exploits targeting unpatched Java, Flash, and other browser-run applications
    3. Javascripts hidden in websites or ads which attempt to exploit browser or OS vulnerabilities

    Now I’ll go look up some answers.. ;)

    Ha– forgot infected USB devices.

    1. Martin Brinkmann said on May 7, 2014 at 9:37 pm

      I read recently that the majority of attacks are web based now, and that email for instance makes up only a small part overall.

      I think keeping the web browser or whatever tool you use to connect to the Internet secure should be the primary priority, and that includes plugins if you still require them.

      This will get better once Mozilla makes most plugins click-to-play and Google removes them completely.

  7. Rick said on May 7, 2014 at 7:04 pm

    While I think that AV is no longer the primary protection it once was, malware is part of the normal day-to-day Internet environment. To ignore the fact that AV can stop a percentage of malware would be the same as me leaving my front door open all night. Sure, there is some chance that no one will wander in, but why chance it?

    Modern security software that is far better at dealing with the zero days and other attacks is a must for most people. Most don’t fully understand the environment they are playing in and need to have security software that will keep the doors shut and windows locked. It should also be good enough to not require any significant interaction from the user to be effective.

    Getting the user to update their OS and other software is really the key pain point. I know that when my kids drive their car, they almost never think about changing the oil every 5K miles or so. Personal computers are much the same as a car. Either it just works or it doesn’t. If the security software could also have an integrated system audit process then that would be just one more bonus to that and ultimately, provide a level of better security for that system.

  8. Gonzo said on May 7, 2014 at 7:00 pm

    I haven’t run AV for more than 5 years. One thing that turned me off to AV was when they began allowing bundleware including toolbars to install without warning. Yet, if you dare run a keygen (malicious or not) it would throw a warning. This was a clear sign that AV was done. It belongs on mail servers as a courtesy and nothing more.

    Microsoft is to blame. It’s 2014 and Windows still defaults to an Admin account. Simply renaming something to .exe, .bat, etc makes it executable. Windows Update only covers MS products, something like Secunia should be included but it’s not. Windows is an easy target and until this changes it always will be!!

    I realize users are not savvy and tbh you can’t expect them to be. It takes years to get a good grasp on systems and networking administration and that’s if you’re inclined/interested and most aren’t.

    1. Pants said on May 8, 2014 at 11:31 am

      A lot of MS defaults IMO are idiotic – how about hiding known extensions .. lets create a “Quarterly Figures.xls.exe” and embed an Excel icon .. yay .. progress :)

      As for not running an AV for 5 years or so, surely a person of your technical savviness should realize that having AV is better than NOT having it (as a last line of defense) and that the toolbars or components for browsers can be removed or disabled – if not, get a different AV

      1. Pants said on May 8, 2014 at 11:57 pm

        “Suggesting a different AV as a solution is bordering on insane (doing the same thing expecting different results).”

        I suggested a different AV if the one you had installed irremovable toolbars in your browsers – because that’s what you moaned about. I said NOTHING about performance

      2. Gonzo said on May 8, 2014 at 9:45 pm

        I recommend AV to all non-tech-savvy users running a Home edition of Windows who insist on using an Admin account. I do so knowing full well that they are NOT secure.

        I use Pro/Ultimate editions of Windows and rely on managing permissions. When properly done, AV is totally unnecessary. VirusTotal/Sandboxie/VM/WireShark are my “last line of defense” before new code is allowed to run on a production machine.

        “64%-90% of all Windows vulnerabilities are blocked simply by not doing your daily work in an ID that has administrator access.” Quote taken from Microsoft.
        When used with SRP/AppLocker this increases to 99.9%. It's never been exploited in the wild. This could change tomorrow, which is why 100% is impossible to achieve.

        Suggesting a different AV as a solution is bordering on insane (doing the same thing expecting different results).

  9. Karl Gephart said on May 7, 2014 at 6:46 pm

    Education (including preventative maintenance) would go a long way, Martin. Unfortunately, most of the people my company deals with (many are local New Mexicans) will flat out tell us they do not want to learn to do anything more on their computers than what they have to do with their jobs. The culture here is in a time-warp. Every time I leave the state, I’m reminded of that. Coming back home almost feels like coming back to the Windows 95 launch era. Many have barely touched a computer in their public schooling. My wife and I were raised with fathers who were both COBOL programmers, and got into BBS’s in the 80’s ourselves, so we don’t understand the apathetic tech mindset. :)

  10. steven said on May 7, 2014 at 1:27 pm

    test 7777 ? have you been hacked Martin?

    1. Martin Brinkmann said on May 7, 2014 at 1:33 pm

      No. I’m testing the subscribe functionality.

      1. Bobby Phoenix said on May 7, 2014 at 4:27 pm

        Ironic that there’s a question about being hacked on an antivirus post. lol

  11. rpwheeler said on May 7, 2014 at 12:58 pm

    The problem is that we are not living in the ideal world. ;)

    As a software testing patriarch wrote, "an error is clearly present if a program does not do what it is supposed to do, but errors are also present if a program does what it is not supposed to do".

    In our imperfect world, updates, limited accounts, complex authentication and security software mean "not what it is supposed to do" – a risk that something breaks down, slowdowns. The most secure device is a hard stone: it is very hard to break and you don't even need a password. But it does nothing of what you want to do, it is not usable for most of your tasks.

    The trend of the last few years is that big companies are trying to push security down the user's throat (like it is with most browsers and add-ons), but the more security is imposed, the less is left of "I do with my PC what I want to do with it". And, of course, the money question: good security tools and updates cost money, and most of the users don't want to spend on security.

    In an ideal world we would have security which does not slow down your machine, which is not supposed to break something you want to do with it, which doesn't complicate your life, and which has cheap or "hidden" costs. But until then the risks won't go away, just as nobody expects human bodies to be secure from the different biological viruses in the wild, and nobody expects vaccination and prevention to be done by an unorganized mass of ordinary users. It's just not going to happen.
