Google security expert says antivirus apps don’t work

It's time to switch to application whitelisting instead of blacklist-based detection

A senior security engineer at Google told a hacker conference that traditional antivirus products, which try to recognize code that is already known to be bad, are ineffective, and that companies should switch to approaches that demonstrably work, such as application whitelisting. 

At Kiwicon X, the New Zealand equivalent of the Black Hat conference held in the United States, Darren Bilby called many existing tools ineffective "magic" that engineers are forced to install for the sake of compliance but at the expense of real security. 

"Please no more magic," he said, according to The Register. "We need to stop investing in those things we have shown do not work." 

"Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying, 'Thank God it inhaled all the poisonous gas,'" he said. 

The antivirus blacklist technology, which vendors call definitions or signatures, is essentially a catalog of known malware (file hashes and characteristic byte patterns) that the scanner compares against the files and code it finds on the computer. 

The inherent problem with that is you don't know what you don't know: a new virus is not recognized by the current definitions until the vendor obtains a sample and ships a definition that detects it, and even a small change to a known sample can produce a file that no longer matches. Some of the better antivirus products also offer heuristic detection, which flags code that looks or behaves suspiciously even without a matching definition, quarantines it and lets you submit a sample for analysis. This is how unknown or undiscovered viruses are sometimes caught. 

Focus on whitelisting

Bilby wants security types to focus on tools such as whitelisting, hardware security keys and context-aware access control efforts like Google's BeyondCorp internal project. Whitelisting inverts the antivirus model: instead of blocking code that is already known to be bad, it allows only applications on an approved list to execute and denies everything else by default. 
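To make the difference between the two models concrete, here is a small added example (not code from the article, Bilby's talk or any Google project). It simulates both a definitions-style blocklist and an application whitelist using SHA-256 hashes of file contents, on a handful of constructed in-memory byte strings standing in for executables. Real antivirus definitions also include byte patterns and heuristics, and real whitelisting products usually match on code-signing publisher or path as well as hash; hashes keep the example small. The sample names and contents are invented.

```python
import hashlib

# Constructed in-memory stand-ins for executables on disk (not real binaries).
# The "repacked" worm is the known worm with one byte appended: a trivial change
# that is enough to defeat an exact-match signature.
SAMPLES = {
    "office.exe": b"MZ\x90\x00 legitimate office suite",
    "known_worm.exe": b"MZ\x90\x00 worm the vendor already has a sample of",
    "repacked_worm.exe": b"MZ\x90\x00 worm the vendor already has a sample of\x00",
    "new_dropper.exe": b"MZ\x90\x00 malware nobody has seen yet",
}


def sha256_hex(data: bytes) -> str:
    """Hash of the file content; a hash is the simplest kind of antivirus signature."""
    return hashlib.sha256(data).hexdigest()


# Blocklist ("definitions"): hashes of malware the vendor has already analysed.
DEFINITIONS = {sha256_hex(SAMPLES["known_worm.exe"])}

# Whitelist: hashes of the applications an administrator has approved.
ALLOWLIST = {sha256_hex(SAMPLES["office.exe"])}


def blocklist_decision(data: bytes, definitions=DEFINITIONS) -> str:
    """Antivirus model: deny only what matches a known-bad signature; default allow."""
    return "deny" if sha256_hex(data) in definitions else "allow"


def allowlist_decision(data: bytes, allowlist=ALLOWLIST) -> str:
    """Whitelisting model: run only what matches an approved hash; default deny."""
    return "allow" if sha256_hex(data) in allowlist else "deny"


def approve(data: bytes, allowlist=ALLOWLIST) -> None:
    """The operational cost of whitelisting: every legitimate new binary (and every
    update to one) has to be added before it will run."""
    allowlist.add(sha256_hex(data))


def evaluate_all(samples=SAMPLES) -> dict:
    """Return {name: (blocklist verdict, whitelist verdict)} for each sample."""
    return {name: (blocklist_decision(d), allowlist_decision(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (bl, al) in evaluate_all().items():
        print(f"{name:20s} blocklist={bl:5s} whitelist={al}")
```

Running it shows the asymmetry the article describes: the blocklist stops only the sample the vendor already has, while the one-byte repacked variant and the never-seen dropper both run; the whitelist denies all three and permits only the approved suite. The `approve` step is where the practical pain of whitelisting lives, which is the point the next paragraphs make about obscure shareware.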

Whitelisting has been around for a while, but it wasn't very practical before ubiquitous internet connections and before cloud apps. Back in the 1990s when the shareware market was healthy, I had all kinds of obscure apps on my PC. Trying to keep a whitelist of all the shareware/freeware on places like Tucows would have been a nightmare. 

These days, though, everything is on the web or in the cloud, and I have hardly anything except major apps such as Microsoft Office installed on my PC, so whitelisting seems more feasible. 

Bilby argued that "safe internet use" advice is a "horrible" idea: telling users not to click on phishing links or download strange executables effectively shifts responsibility onto them and away from those who manufactured hardware and software that is not secure enough to be used online. 

"We are giving people systems that are not safe for the internet, and we are blaming the user," he said.

I must take issue with that. You are absolving the user of any responsibility. Security hardware and software won't catch every phishing attack, and people need some common sense when it comes to an email from an unknown source that has a link in it. You know the basics of automobile maintenance and how to care for your car so as not to be a menace on the road, why should computer use be any different? 

But I agree with Bilby's basic point: The whack-a-mole method for antivirus isn't working any more.
