Virus scanner – panacea or risk factor?

Even controversial issues must be discussed. The current blog post is dedicated to one particularly controversial topic:

Virus scanners are currently ubiquitous (at least on Windows systems) and are seen as a standard security measure. Users are so used to them that hardly anyone dares to doubt their usefulness. Virus scanners themselves however can have potential risks, such as

System failures due to so-called false positives
An example: The virus scanner deletes legitimate system or program data because it classifies it as harmful due to incorrect check signatures, with the result that the operating system or a critical application program no longer functions. Incidents in which industrial PC systems no longer function due to incorrect verification signatures or compatibility tests occur repeatedly in the shopfloor environment.

Virus scanner as weakness
In order for a virus scanner to work effectively, it must be granted certain system privileges, because otherwise the view into program sequences would be denied. This means that the virus scanner can potentially open a gate for any malicious codes or attackers if the virus scanner itself has vulnerabilities..

Virus scanners may interfere with security measures of the systems
For example, you can intercept HTTPS connections and replace the intensively tested validation mechanisms with self-developed ones. This facilitates so-called man-in-the-middle attacks. This means that the hacker places himself – or his malicious tool – between the actual user and the resource he is targeting (a bank website or an e-mail account). The hacker can then read along or even pretend to be the owner of the message and thus request or intercept information. These attacks can be very effective and are often difficult to detect.

When does a virus scanner make sense?
In a typical office environment, which is more frequently exposed to virus attacks from mails and Internet surfing, virus protection can still be regarded as a good measure because the advantage over the disadvantages described above outweighs the disadvantages. While protection against mass-produced malware is still reasonably assured, the use of classic virus scanners to protect against targeted attacks can be regarded as negligible.

Where might one consider to go without a virus scanner?

On highly regulated systems that are equipped with additional measures and sufficiently isolated from the outside world (e.g. isolated PC systems for control systems), the protection provided by a virus scanner is maybe somewhat less than the potential risk posed by the virus scanner. This applies in particular to systems in which only software cleared by a supplier/integrator is introduced in a controlled update process.

Limes recommends: Check for other effective protective measures apart from virus scanners as well

On systems that meet certain requirements, the implementation of the following points should be given higher priority than the installation of a classic virus scanner:

  1. Patching of security vulnerabilities in the platform and applications, as quickly as possible and in coordination with the system supplier
  2. Controlled software update process, with exclusive introduction of software changes by the defined system owner (internal or system supplier)
  3. No use of data transfer mechanisms such as Internet surfing or retrieval of e-mails on the system
  4. For data transfer via external data carriers or transmission via network: virus scan on specially designed data gateway systems before the storage medium may be plugged in, for transmission via network use of jump hosts
  5. Use of application whitelisting (e.g. in current Windows operating systems using Applocker) supported by the system supplier, to block any unknown, unapproved software and generally harden systems
  6. Isolation of less well protected systems by e.g. firewalls or ACLs (microsegmentation)
  7. Restrictive assignment of user rights to personal and service accounts
  8. No interactive access via remote desktop or other remote access means, except to administer the system.

With these systems, which – as described above – are protected against malware by suitable other measures, the probability of a virus infection is reduced to an appropriate level even without a virus scanner. The appropriate protection tool should always be evaluated depending on technology, constraints and risks.