One of the reasons I’m such an untouchable leper in the world of computer professionals is that I believe that "anti-virus" may possibly be hokum. Or worse. Though it is an extreme heresy (similar to saying that vaccines may not always promote optimal health) I have always believed in the possibility of anti-virus programs being a worse problem than viruses for certain classes of users.

First of all they are lulling you into a sense of security which may be false. Once you feel that the problem is handled, you may be less likely to address spontaneous security issues that would be apparent to an engaged defender. There’s even a bit of the old infinite regress in committing to scrupulously attend to the software (updates and licensing and so on) which attends your actual security. Second, the typical form of malware scanning software really only picks the low hanging fruit of well-known unobfuscated common malware. Third, the harder a malware scanner tries to catch bad things, the more hassle it causes the rest of the system the rest of the time; think of airport "security". Fourth, a very large portion of successful exploits target sketchy browsing and use phishing. In other words, no malware, per se, is really needed these days.

These problems still don’t actually imply that a proactive computer operator should avoid anti-virus software and perhaps one should use these things.

My apostasy is more profane than that of course. You should do what you think you should do and you should not listen to advice from me, but I will avoid these "anti-virus" products. To begin with, they smell a little too much like extortion, quite literally a protection racket. And who are these good Samaritans? They are huge companies that stand to profit more as the problem worsens. That kind of conflict of interest never seemed right to me. Most of these products, and indeed any that will be taken seriously (regardless of their actual merits), are proprietary and shrouded in secrecy. How they are controlling things at the very core of your computer’s operation is, by design, a complete mystery. Are they protecting you or abusing you? You’ll never know.

I believe that doing your best to not understand what is going on with your computer is not the best way to protect it.

Usually, by popular consensus, I am wrong and that’s just something I have to live with. But today I am heartened to find this incredible account of some light being shone onto the crawling things which hide deep within these systems.

Do check out CVE-2016-2208.

Here is a highlight.

This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.

On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get.

(Note that the "wtf!!!" was not even added by me but it’s completely appropriate.)

If you’re a normal person, apply patches, etc., and carry on with your "anti-virus" agenda. Have a nice day. But if you fancy yourself a computer security sophisticate, you must at least grant me that such things as described in this report are theoretically possible. And maybe more.