Lifehacks for Hackers: does this scope need AV?

2003: anti-virus software defends against 80% of threat agents
2013: anti-virus software defends against malware spreading
2023: anti-virus software, in some cases, should not be considered at all, because it creates an additional high-privileged attack surface. This applies especially to free AV software.

Let’s define the final idea more clearly. If we compute cumulative risk as the sum, over every attack vector on a one-dimensional attack surface, of that vector's likelihood multiplied by its impact, the following conclusions are true:

  1. Because AV itself adds to the attack surface, it increases the possible number of issues and therefore increases the cumulative security risk.
  2. Because AV decreases the likelihood of selected attacks, it decreases security risk.

Therefore, there are contexts in which AV conceptually costs more than it delivers.

Examples 

– Some cases of FTP and web file uploads. If it’s a single web form, there are cases when you can’t get a shell through the file upload, but you can get RCE by exploiting CVE-2023-20052 or CVE-2023-20032 in the scanner. If it’s publicly available web file storage, the likelihood that this service will ever run the uploaded malware is minimal, so there is nothing to reduce; by enlarging the attack surface you only increase the risk. So AV in such a situation leads to losses when measured in risk terms.

– Some cases of AV on email attachments. Generally speaking, it might be useful to check email attachments, as a lot of malware arrives this way. However, this is also one of the most easily reachable attack vectors. If you can completely prevent some employees from receiving files, you reduce the likelihood without increasing the attack surface. AV can also increase risk when it is implemented as centralized scanning of all email attachments on a remote server, because one scanner bug then exposes every mailbox it processes.
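The cumulative-risk model and the two example scopes above, carried through in code as an added illustration (this is not the author's own model and not any product's logic). Every number in it is constructed for the example, and the names `AttackVector`, `Scope`, `cumulative_risk` and `evaluate_scope` are hypothetical. AV is modelled exactly as the two conclusions state: it removes a share of the likelihood from the vectors it can see, and it adds one attack vector of its own. A second AV surface entry with a larger impact models the centralized-scanner case.

```python
"""Cumulative-risk model: should AV be enabled in a given scope?

Added illustration with constructed numbers.  AV both removes likelihood
from the vectors it can see and adds a high-privileged vector of its own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackVector:
    name: str
    likelihood: float          # chance the vector is exploited per year (0..1)
    impact: float              # loss if it is exploited, arbitrary money units
    av_reduction: float = 0.0  # share of likelihood AV removes; 0 if AV cannot see it


@dataclass(frozen=True)
class Scope:
    name: str
    vectors: tuple[AttackVector, ...]


# The vector AV itself contributes: an engine or parser bug in a high-privileged
# component.  Constructed values.  A centralized scanner gets a larger impact
# because a single bug exposes every mailbox it scans.
AV_HOST_SURFACE = AttackVector("av engine bug on host", likelihood=0.10, impact=100_000.0)
AV_CENTRAL_SURFACE = AttackVector("av engine bug on central scanner", likelihood=0.10, impact=650_000.0)


def cumulative_risk(vectors, av_surface=None):
    """Sum of likelihood x impact over all vectors.

    When av_surface is given, AV is enabled: each vector's likelihood is cut by
    its av_reduction share and AV's own vector is added to the total.
    """
    av_enabled = av_surface is not None
    total = 0.0
    for v in vectors:
        likelihood = v.likelihood * (1.0 - v.av_reduction) if av_enabled else v.likelihood
        total += likelihood * v.impact
    if av_enabled:
        total += av_surface.likelihood * av_surface.impact
    return total


def evaluate_scope(scope, av_surface=AV_HOST_SURFACE):
    """Compare the scope with and without AV; AV is worth enabling only if the total drops."""
    without = cumulative_risk(scope.vectors)
    with_av = cumulative_risk(scope.vectors, av_surface)
    return {"scope": scope.name, "without_av": without, "with_av": with_av,
            "enable_av": with_av < without}


# Constructed scopes mirroring the two examples in the text.
PUBLIC_FILE_STORAGE = Scope(
    "public web file storage",
    (
        # Files are stored and served, never executed: AV could catch them,
        # but the likelihood it would reduce is already tiny.
        AttackVector("uploaded malware executed by the service",
                     likelihood=0.01, impact=50_000.0, av_reduction=0.8),
        # Upload-handler bugs are not malware; AV does nothing about them.
        AttackVector("bug in the upload handler", likelihood=0.05, impact=50_000.0),
    ),
)

EMPLOYEE_MAILBOXES = Scope(
    "employee email attachments",
    (AttackVector("user opens malicious attachment",
                  likelihood=0.5, impact=200_000.0, av_reduction=0.6),),
)


def decision_table(av_surface=AV_HOST_SURFACE):
    """Evaluate both example scopes against one AV surface model."""
    return [evaluate_scope(s, av_surface) for s in (PUBLIC_FILE_STORAGE, EMPLOYEE_MAILBOXES)]


if __name__ == "__main__":
    for row in decision_table():
        print(row)
    # Same mailboxes, but attachments scanned on a shared central server.
    print(evaluate_scope(EMPLOYEE_MAILBOXES, AV_CENTRAL_SURFACE))
```

With these constructed numbers the public file storage scope gets worse with AV (3,000 to 12,600 risk units), the employee mailboxes scope gets better with host-based AV (100,000 to 50,000), and the same mailboxes with a centralized scanner end up worse (105,000), which is the third case the text warns about. The model is only as good as the likelihood and impact estimates fed into it; its value is that it forces those estimates to be written down per scope rather than assumed.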

If AV creates the additional attack surface, can we completely eliminate AV as a concept right now?

More and more issues are disclosed in ClamAV, AVG, Avast, and other AVs, proving that AV increases the attack surface. Fewer issues are disclosed in commercial AV, as usually happens with commercial products, like SAP, which is commercial and has a lot of low-hanging fruit. I, Sam Lyhin, personally reported 0-days in SAP software and it was not hard. But, generally speaking, we are not as aware of the issues in commercial software as we are of those in open-source software.

These days we follow the defense-in-depth approach, which is a holistic approach that uses specific countermeasures implemented in layers to create an aggregated, risk-based security posture (1). As it’s a risk-based approach, the first natural instinct on anything that creates an attack surface is to look for a way to get rid of it completely. But if we remove AV completely, we lose the value of AV.

People report that AV still catches 25% of the incidents. We cannot drop anything that catches 25% of incidents. Moreover:

  • Every day, there are 560,000 new malware pieces detected.
  • There are more than 970 million pieces of malware circulating the internet right now.
  • Antivirus and firewall software market is worth over $37 billion.
  • Half of all malware attacks target the United States.

Thus, society will lose a lot if we immediately drop AV as a concept.

We know that AV is conceptually useful. How do we measure its value?

There are contexts in which the attack surface is not a concern. In particular, in the context of Local Privilege Escalation the attack surface is already nearly unlimited, so it is reasonable to estimate that AV decreases the risk there. Even though there are cases where AV leads to critical security issues (2), there are many more such issues in the context of Local Privilege Escalation, so the surface AV adds hardly changes the picture.

What will happen with the value of AV over time?

The main value of any anti-virus is that it catches viruses. Statistics tell us that we still benefit from AV a lot. But are there strategic conditions under which the situation could be different?
It is reasonable to estimate that the value of AV will decrease substantially over time, because the AV bypassing process is easy and straightforward. Once more attackers know it, AV will find its place in the museum of outdated concepts.

AV Bypassing Process

The concept of creating an AV bypass is pretty simple.
1. You create vulnerable software.
2. You trigger the vulnerability.
A simple example: you create assembly shellcode and run it from C++. Or you create vulnerable PHP code and deploy it on the server. Then:
3. You test the malware. Put simply, you send the malware to VirusTotal.
4. You chaotically make your code stranger and stranger until the AV stops detecting it.

This process is straightforward, so AV can be trivially bypassed today, but it still requires some effort. If you think it’s hard to create vulnerable software, look at the NVD: you’ll see hundreds of high and critical software security issues per week, and those are the accidentally created vulnerabilities.

So creating an AV bypass is a junior-level task. For now, AV still works because junior hackers make mistakes. But what if we have a game changer?

AI-Generated Malware will change the positive impact of AV

AI will take jobs. Not all jobs, but mostly junior-level ones, like creating pictures, or creating AV bypasses.

AI already creates Fully UnDetectable (FUD) malware. Read more: 3 and 4 and 5 and …

When the cost of an AV bypass decreases, more malware suppliers will be able to benefit economically from AV bypasses. Not every supplier can spend 4 hours on a simple task, but how many new suppliers will benefit from AV bypasses when the related cost is just about 30 minutes of their time? The elasticity of the related supply curve should lead to a significant increase in AV bypasses in the wild.

Conclusion

With that said, I assert that the positive effect of AV is going to decrease with time, while the negative effect of using AV continues to grow. Decision-makers should consider the mentioned factors to choose, scope by scope, where AV should be enabled and where it should not.