
Why Developers Hate Antiviruses - jitbit
http://blog.jitbit.com/2012/01/why-developers-hate-antiviruses.html
======
jasonkester
Excellent timing. I just alt+tabbed away from writing an email to McAfee
because one of my users sent me a screenshot of s3stat.com with a bright red
"Dangerous Site Warning" from McAfee's SiteAdvisor.

Evidently, "We tested this site and found it very risky". Even though it's the
public site for a 5-year-established (and popular) SaaS product. Even though
it has no downloadable executables of any description. Even though it has no
non-moderated user-generated content.

But it's got this: <http://www.siteadvisor.com/sites/www.s3stat.com>

... which is a page saying that their automated somethingorother scraped the
internet and decided that my site is crazy dangerous, listing reasons such
as... well, nothing actually. But look at it. It's RED! Must be bad.

So even if you don't actually write software that could possibly contain
viruses, you can still end up on the wrong side of the antivirus companies.

nice.

~~~
dhimes
Holy shit! Seeing your comment, I checked out two of my own sites. One hosts
software that I no longer sell (www.egorg.com), and it checked out ok.
Interestingly, Yahoo (my host -- hey, it was my first! And PayPal integrated
easily! Besides, pg built the tech so...) flagged it last week during one of
their auto-scans. They couldn't explain why -- they just flagged it.

But here is something that is peculiar: my main company site. When I went to
vlesolutions.com (ie, <http://www.siteadvisor.com/sites/www.vlesolutions.com>)
I saw this message:

    We've tested millions of websites, but we haven't tested this one yet. Be the first one to submit feedback on it!

Maybe it is possible to wreck someone's reputation by submitting bogus
feedback to a site they haven't scanned yet. I would be curious how they
answer you, because I see _nothing_ that would cause a red flag in their
"tests" for your site.

------
jconley
The business of antivirus, especially, has a huge incentive to shove it IN
YOUR FACE that the software is detecting things whether they're false
positives or not. This scares people into re-upping their subscription. Most
computer users don't understand there can even be such a thing as false
positive. For all those support calls you get, there are probably 10x that
number that simply take the security software on its word and let it
delete/block your application.

An aptly timed popup from the antivirus vendor will appear shortly thereafter
asking the user to pre-purchase 2 more years of complete computer protection!
Oh, the business of fear mongering. . .

EDIT: This is one of those very hard problems startups should be solving.

~~~
jgmmo
It's flat out wrong of you to say that antivirus companies don't care about
FP's.

There are over 25k new malware samples coming out daily, and everybody is just
trying to cut through them as fast and efficiently as possible. Yes, there are
innocent casualties of this -- false positives -- but these are sincere
mistakes.

False positives are very embarrassing for the security company. It is
something that can even cost people their jobs. Don't you think for a second
that these are not looked at.

I make malware definitions for a living, and you can trust me when I say that
I check the FP reports first thing every morning, several times during the
work day, & I check our forums every night at home to make sure we don't have
any FP's rolling in.

At most security software companies, FP's are taken very seriously, & I know
that personally I would love to be able to educate indie developers about what
triggers detections and ways we can both work together to reduce them. It's
easier said than done, however, and it is also delicate info that you don't
really want to yell off the rooftops - because malware creators could really
use the same info to their advantage.

~~~
pnathan
I wrote a Windows program for my dad about a year ago. It would have worked
great. I was thinking about selling it, actually!

Except, the antivirus flagged it. I called the AV vendor and they (probably
the first-line tech support) said that unless my dad called the vendor, they
could do _nothing_.

The _only_ false positive that might be remotely reasonable is my executable
name is identical to a virus. rte.exe or something similar, as I recall.
Whatever. A binary difference should have demonstrated substantial difference
between my exe and the virus.

So, my dad didn't get his program, and I got left with a renewed awareness
that AV vendors are ruinously unhelpful, and I'd rather work on moving my
family and friends to Linux or OSX.

~~~
jff
So you spent the time to write a program, one good enough to consider selling
it even, but couldn't be bothered to try changing the executable name? Or ask
your dad to call the AV vendor?

Am I mis-reading you?

~~~
pnathan
I did ask my dad to call. Nothing seemed to come of it. I was working in a
hurry and didn't think to simply change the exe name, making the presumption
that such a simple thing _shouldn't_ influence the AV decision.

~~~
jgmmo
The name of the .exe certainly matters.

When going through airport security, do you think it matters at all if your
name is Osama Bin Laden? Such a person is going to experience a much larger
degree of scrutiny from TSA than a person named John Smith.

~~~
drucken
If a mere _name_ alone is enough to create a false positive and changing this
is a living nightmare, why are you in the least bit surprised that customers
and developers are _livid_ at having to deal with or work around the closed
and disparate world of AV?

Neither is it the least bit surprising that support personnel and developers
consider the sheer number and consistency of false positives as "fear-
mongering".

It would only take a further small step to then consider, what is the point of
having AV at all in the first place since the best it can do is fill an
increasingly small hole in prevention for ordinary user behaviour and a static
role for precursor forensics (actual forensics would not need the service).

TL;DR. AV industry has a LOT to answer for, to the point where it maybe should
not exist in its current form.

~~~
jgmmo
I think it can be justified. It's not common, it's known as being one of the
more crude methods of detecting malware -- but hey -- we use what works and
what fixes people's machines. That is why it is in use by some vendors today.

Here's an example:

Some companies block anything named 'svchost.exe' that isn't in system32.
Create a txt doc and name it svchost.exe and drop it on your desktop and some
antivirus software will detect and remove that item.

Why? Because there is no good reason for someone to have svchost.exe anywhere
other than SYSTEM32 and also because svchost.exe is one of the top 10 most
common names for malware. So, at risk of some FP's -- some companies have a
rule that simply removes these if found anywhere else.

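The name-plus-location rule described in the comment above, written out as a small detection routine. This is an added example, not code from the commenter or from any vendor's product. It assumes a default `C:\Windows` install; the comment names only system32, and the SysWOW64 copy (the 32-bit svchost.exe on 64-bit Windows) is added here. The sample paths are constructed.

```python
from pathlib import PureWindowsPath

# Locations where the real Windows service host lives. The comment above names
# only system32; the SysWOW64 copy (32-bit svchost.exe on 64-bit Windows) is
# added here. The drive letter assumes a default C:\Windows install.
ALLOWED_SVCHOST_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
)
WATCHED_NAME = "svchost.exe"


def svchost_verdict(path, allowed_dirs=ALLOWED_SVCHOST_DIRS):
    """Apply the name-plus-location rule to one path.

    Returns (flagged, reason). The rule never looks at file content: a text
    file renamed to svchost.exe on the desktop is flagged exactly like a
    binary would be, which is the false-positive cost the comment describes.
    """
    p = PureWindowsPath(path)
    if p.name.lower() != WATCHED_NAME:
        return False, "name not watched"
    # NTFS paths are case-insensitive, so compare lower-cased strings.
    # Subdirectories of an allowed dir (e.g. System32\drivers) do NOT count.
    parent = str(p.parent).lower()
    if any(parent == str(PureWindowsPath(d)).lower() for d in allowed_dirs):
        return False, "expected location"
    return True, f"{WATCHED_NAME} outside expected locations: {p.parent}"


def scan_paths(paths, allowed_dirs=ALLOWED_SVCHOST_DIRS):
    """Return the list of (path, reason) pairs the rule would quarantine."""
    hits = []
    for path in paths:
        flagged, reason = svchost_verdict(path, allowed_dirs)
        if flagged:
            hits.append((path, reason))
    return hits


# Constructed sample paths, not taken from any real system.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",          # genuine
    r"C:\Windows\system32\SVCHOST.EXE",          # genuine, different case
    r"C:\Windows\SysWOW64\svchost.exe",          # genuine 32-bit copy
    r"C:\Users\alice\Desktop\svchost.exe",       # renamed text file from the comment
    r"C:\Windows\System32\drivers\svchost.exe",  # subdirectory, still flagged
    r"C:\Windows\Temp\svchost.exe",
    r"C:\Users\alice\notepad.exe",               # name not watched
]

if __name__ == "__main__":
    for path, reason in scan_paths(SAMPLE_PATHS):
        print(f"FLAG {path}: {reason}")
```

Running it flags the desktop, drivers and Temp copies and leaves the two system directories alone. The interesting line is the subdirectory case: an exact parent match is deliberate, because "somewhere under System32" would also match any writable subfolder an attacker can reach, which is the hole the rule exists to close.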
------
naner
Oh, man. I use Linux for my day job but keep a Windows 7 install should the
need arise. An old friend sent me a link to try out a video game he and a
buddy made in college. I downloaded the program, Norton deletes it
immediately. It didn't recognize the application signature. (Actually, it
recognized it but it wasn't popular enough -- about 100 people had apparently
downloaded this game that also used Norton.) After dicking around with Norton
for about 30 minutes (nearly drowning in a sea of check boxes and vaguely
titled program options), and reaching the boundaries of my Google-fu I just
gave up and removed Norton.

Problem solved.

I'm glad I'm not a startup or small company trying to ship Windows
executables.

~~~
danudey
My first call when doing tech support at a local ISP was someone who couldn't
get online. It said he was connected, his network device was working fine, he
was on the WiFi and it said he had great signal, but nothing worked.

I walked him through getting to Add/Remove Programs and asked him if he saw
Norton Internet Security. Told him to uninstall it. Everything works.

He asked if that made his computer less secure. I said 'Technically yes, but
only because you can actually use the internet now.'

I worked at that ISP for a week, had the same problem come up three times. My
mother had the same issue, and I've had two other friends who had it.
Thankfully, I knew how to deal with it because it had happened to me when I
bought a Dell laptop years ago.

------
mdaniel
I was expecting the article to discuss how much the HDD on your machine
thrashes (and the fans sound like a jet engine) from scanning every .class and
.jar file on your machine, of which there are usually tens of thousands.

And I wish I had a Euro for every client site we've had to manage where some
javascript scanner thinks it's _so_ smart and drags the performance of a web-
app to a crawl.

~~~
GeoffWozniak
Or the SVN repositories of binaries that are 4G just on the trunk branch. The
HDD basically never stops.

------
bwarp
I've come to the conclusion that AV software gets more atrocious the more you
pay for it or the more it requires advertising every 5 minutes on television.
They push it on you via scaremongering every day at least once.

HOWEVER, I've been using Microsoft's _free_ security essentials package for
Windows 7 for about 2 years. It never pokes you in the eye, never lets a
single thing through and doesn't screw your system resources. It just keeps
out of your way. As I said, it's $0 which is how much it should cost and is
supplied by the vendor which knows their own security problems the best.

With respect to Linux or MacOS X, I never have installed an AV package ever.

~~~
finnw
The only trouble I've ever had with MSE is that if you edit your hosts file to
block the Facebook "like" button, MSE will pop up a warning and delete the
www.facebook.com entry.

~~~
bwarp
That's MSE thinking that something has modified the hosts file and resetting
it.

I'd go for an ad blocker rather than a hosts file hack.

Adblock plus works fine on Firefox and Chrome. There are TPL subscriptions for
IE that block everything (google around for them).

~~~
tadfisher
Privoxy works everywhere a proxy will, and can use Adblock filter lists.

~~~
barrkel
Adblock (or rather, AdBlockPlus) can hide elements within web pages. Killing
images and the like is only the beginning of a decent adblocker.

------
icehawk
_Oh, and all your EXE-files will also be marked as viruses by the way (since
you're most likely using a "self-executing-unpacker-code + data" architecture,
which is considered a risk-factor by most antiviruses, no idea why)._

Because most malware does this exact thing to obfuscate its payload. Here's a
good example of the relative entropy distribution of malware executables
versus non-malware executables on page 26 and 27:
<http://www.virusbtn.com/pdf/conference_slides/2007/CaseySheehanVB2007.pdf>

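The entropy heuristic the comment above refers to, as an added example (not code from the commenter or from the linked slides). It computes Shannon entropy per fixed-size window of a buffer and shows why a "small unpacker stub + compressed data" layout reads as suspicious: the stub scores like ordinary code and strings, the payload scores like random bytes. The samples are constructed in the block, and the 7.0 bits/byte threshold and 50% window share are illustrative assumptions, not values taken from the slides.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte of a buffer: 0.0 for a constant run, 8.0 for a uniform mix."""
    if not data:
        return 0.0
    counts = Counter(data)
    if len(counts) == 1:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_profile(data, window=1024):
    """Entropy of each consecutive window, in file order (last partial window kept)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


# Assumed threshold for illustration: compressed or encrypted bytes sit near
# 8 bits/byte, machine code and strings well below it.
PACKED_THRESHOLD = 7.0


def packed_fraction(data, window=1024, threshold=PACKED_THRESHOLD):
    """Share of windows whose entropy exceeds the threshold (0.0 .. 1.0)."""
    profile = entropy_profile(data, window)
    if not profile:
        return 0.0
    return sum(1 for h in profile if h > threshold) / len(profile)


def looks_packed(data, window=1024, threshold=PACKED_THRESHOLD):
    """Crude verdict: more than half of the file looks compressed/encrypted."""
    return packed_fraction(data, window, threshold) > 0.5


# Constructed samples. PLAIN stands in for code-and-strings sections; PACKED
# uses a seeded PRNG so the result is deterministic while looking like
# compressed or encrypted data; MIXED is the "unpacker stub + payload" layout.
PLAIN = b"This is ordinary program text with strings and x86-like repetition. " * 64
PACKED = random.Random(1234).randbytes(8192)
MIXED = PLAIN[:2048] + PACKED

if __name__ == "__main__":
    for name, blob in (("PLAIN", PLAIN), ("PACKED", PACKED), ("MIXED", MIXED)):
        prof = entropy_profile(blob)
        print(f"{name:6} whole={shannon_entropy(blob):.2f} "
              f"windows={[round(h, 2) for h in prof]} packed={looks_packed(blob)}")
```

The MIXED profile is the point: a legitimate self-extracting installer and a packed trojan produce the same shape (a couple of low-entropy windows followed by a run near 8 bits/byte), so a scanner leaning on this signal alone cannot tell them apart. That is the mechanism behind the false positives the article complains about, and it is why code signing and vendor allow-listing, rather than entropy, are what actually get an installer past this check.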
------
mey
As a former Windows user who never ran A/V because of the stated reasons, in
my old age I've finally broken down and started using one, as rebuilding a box
is no longer high on my priority list. If you are a home user on Windows, I
highly highly recommend
<http://windows.microsoft.com/en-US/windows/products/security-essentials>

It's free, it stays the hell out of the way, doesn't slow the system down, and
works.

Edit: I do not work for Microsoft, and this post was written on a netbook
running Ubuntu.

------
kruhft
I was trying to install netcat on a work windows box to transfer some files
(long story). Every attempt at copying the executable out of the zip file
would throw up an error about the file not existing, no explanation as to why
or who was causing the error. After an hour I removed the antivirus. File
copied just fine after that. I guess netcat is a 'hacker tool' and not allowed
on protected windows system; too bad I had work to do.

------
someone13
There seems to be a lot of hate for antiviruses here on HN. I have this
question, then - what kind of features would YOU want from an antivirus? If a
startup was to launch tomorrow with some sort of antivirus or similar product,
what would it need to have for you to buy/subscribe/etc.?

~~~
redthrowaway
Basically, be MSE: unobtrusive. I haven't written anything for windows since
high school, so I don't know how it stacks up for devs, but it's great from
the user's pov. Free, lightweight, and invisible: everything I want in an
antivirus program.

~~~
X-Istence
From a developers standpoint, MSE is pretty damn awesome. Never had an issue
with it :P

------
bkyan
Is there really a reason to even run anti-virus software all the time as long
as you don't try to open executables and macro-containing documents that
didn't come from a reputable source?

~~~
dangrossman
Yes, because you don't even have to be using the computer to acquire new
malware -- if Windows isn't patched and you don't have a properly configured
firewall in front of the system. Simply browsing the web with fully patched
Windows behind a firewall is a risk as well.

Among other things, I review orders for an advertising service, 20-30 a day.
Some of these orders are purposely placed to advertise sites with malicious
code that installs malware. My fully patched Windows 7 system behind a
firewall, running antivirus and the latest Google Chrome, gets infected with
something or other on a regular basis -- at least once a month -- without me
ever downloading any files.

Last week it was one of those fake antivirus programs that terminates all your
real antivirus programs and pops up a window saying you're infected and need
to upgrade for $29.99 every 20 seconds.

That one was probably a Java plugin vulnerability.

~~~
danudey
I knew a university professor who was installing Windows XP onto a workstation
that was connected to the university network. The machine ended up infected
with Blaster before he'd even finished the installation.

~~~
kgo
Heh, I worked in big oil at the time, and they couldn't kill blaster because
IT people kept on imaging new computers on internally exposed networks. We
probably could have killed the outbreak a week or two earlier if everyone just
stopped imaging for a day.

------
Nelson69
I see this a couple ways. If you pull binaries off the internet, it's hard to
say you can just ignore it and don't need any protection. That is exactly the
kind of thinking that got us to where we are with malware in the first place.
I just can't see a downside to scanning your system once a week after hours or
something like that; most of the time it will find nothing but if it ever
finds anything it's probably worth it.

Then I look at the products out there, there are a lot of them and they all
seem terrible. We've got giant computers compared to 10 years ago and this
software still takes them to their knees at times and you just want the crap
to be invisible. In part I think it has to do with the all encompassing
"security suite" concept where they try to be all things to all people. It
does seem ripe for some disruption.

I mean, like maybe using some virtualization software to have multiple "zones"
or something, trusted, suspect and untrusted and some clever reverting and
snap-shotting to let you run programs in untrusted environments fairly
seamlessly or something. Scan it with some uberscanner and then promote it to
trusted. Or something, the OS vendors will have to help and MS has created an
AV cesspool.

~~~
jff
Qubes (<http://qubes-os.org/Home.html>) sort of aims to use virtualization to
separate out all your software. It's Linux, though.

------
malkia
On Windows one can compile a DLL or EXE in such a way that you can overwrite
the executable while it's still running.

With the Microsoft Linker this is achieved by adding /SWAPRUN:CD,NET - it
means that the image might be running off CD-ROM or Network - and both can
lose media connection, so copy the image into memory beforehand.

This could be useful, only if it wasn't for certain Anti-viruses that treat a
lot of my executables as viruses once any of these two flags are on (CD, NET
or both).

You can actually edit the flags on an existing executable, using EDITBIN (or
LINK /edit - it's the same - the linker is a bit like "busybox" here).

Another reason is that the antivirus we currently have installed at work slows
down copying off the shared network. And because it's off the network, the
antivirus has to check it every time (unlike HDD, where it can keep some cache
of what was checked).

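A small PE header reader that reports whether an image carries the two /SWAPRUN flags the comment above describes, so a developer can confirm which of their own binaries would trip an AV rule keyed on them. This is an added example, not code from the commenter or from Microsoft's tools. It relies on the public PE layout (e_lfanew at offset 0x3C of the DOS header, IMAGE_FILE_HEADER following the `PE\0\0` signature) and on the winnt.h bit values IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP (0x0400, set by /SWAPRUN:CD) and IMAGE_FILE_NET_RUN_FROM_SWAP (0x0800, set by /SWAPRUN:NET). The test images are constructed header-only stubs, not real executables.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h) that the linker's
# /SWAPRUN:CD and /SWAPRUN:NET options set.
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400   # /SWAPRUN:CD
IMAGE_FILE_NET_RUN_FROM_SWAP = 0x0800         # /SWAPRUN:NET

E_LFANEW_OFFSET = 0x3C   # DWORD in the DOS header holding the PE signature offset
FILE_HEADER_SIZE = 20    # IMAGE_FILE_HEADER is 20 bytes
CHARACTERISTICS_OFFSET = 18  # within IMAGE_FILE_HEADER (last WORD)


def file_header_characteristics(data):
    """Return IMAGE_FILE_HEADER.Characteristics of a PE image, or raise ValueError.

    Only the headers are touched, so this works on a partial read of the file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points past end of data")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2)
    (characteristics,) = struct.unpack_from(
        "<H", data, e_lfanew + 4 + CHARACTERISTICS_OFFSET)
    return characteristics


def swaprun_flags(data):
    """Report which SWAPRUN flags an image carries, as {'CD': bool, 'NET': bool}."""
    c = file_header_characteristics(data)
    return {
        "CD": bool(c & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP),
        "NET": bool(c & IMAGE_FILE_NET_RUN_FROM_SWAP),
    }


def build_stub_image(characteristics):
    """Construct a minimal, non-runnable, header-only PE image for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)   # PE header right after DOS header
    file_header = struct.pack("<HHIIIHH",
                              0x8664,          # Machine: x64
                              0, 0, 0, 0, 0,   # sections, timestamp, symbols, opt. header size
                              characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    import sys
    # With a path argument, inspect a real file's headers; otherwise use stubs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], swaprun_flags(f.read(4096)))
    else:
        for flags in (0x0022, 0x0022 | 0x0400, 0x0022 | 0x0C00):
            print(hex(flags), swaprun_flags(build_stub_image(flags)))
```

`0x0022` is the ordinary EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE combination, included so the stubs look like a normal 64-bit image apart from the flags under test. Pointing the script at a build output before shipping tells you whether the bits are set at all, which is the first thing to check when an AV vendor's FP form asks why the file was packed or linked unusually.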
------
phzbOx
For me it's not so much that it's not always accurate but more that it always
makes my computer soooo slow. And also, that I don't believe in antivirus..
Precaution is everything; once you've got the virus, unless it's a trivial or
inoffensive one, better to format.

~~~
InclinedPlane
I don't run anti-virus, the cons are too big and it's not actually a good
protection over just taking common sense precautions. I've only been bitten by
infections on 2 occasions over 20+ years, and anti-virus wouldn't have helped
with either.

------
yason
Aren't modern Windows capable of installing everything as root and keep the
user account from infecting anything that is on the system level?

That effectively solves the virus problem since the worst that can happen is
that something unwanted runs as the user privileges or deletes/infects files
in home directory. The machine itself stays clean and you can avoid full
reinstalls.

If the user gets a virus then all you need is restore his home directory from
a clean backup. And if you want, possibly run some antivirus on anything that
gets backed up, to try to make yourself feel good about backups being clean.

------
gnu8
> _Because if your software has some kind of copy-protection built-in
> (encrypts and stores serial numbers, hides and encrypts parts of the source
> code to protect from reverse engineering etc.) - an antivirus will most
> likely detect some "very dangerous" trojan._

Don't waste your time with this crap. You don't have any secrets on my
computer. I will crack your DRM and reverse engineer as I please.

------
justncase80
Anti-virus is a flawed idea in general. The incentives are all wrong in the
business model for one thing; the other thing is that it literally cannot
possibly protect you from new viruses. It's just a completely flawed idea, and
in practice it is a net loss.

------
johngalt
IT guy here:

Anti-virus tools are a net loss, but we can't remove them without appearing to
be irresponsible.

~~~
bad_user
Sure you can.

Replace it with a simple app that randomly shows fake notifications for
threats, with a clickable button called "remove threat" that doesn't do
anything. Upon clicking, show some stats on how many fake threats were dodged.

(1) you won't be seen as irresponsible anymore

(2) since users will constantly receive threat warnings, they'll be more
careful than usual, improving security

~~~
polymatter
Great idea, but like many similar ideas (eugenics, human experimentation,
doctors prescribing placebos, licence to breed) too 'unethical'.

------
learc83
When I worked at Geek Squad during college, we used to joke that Norton
Internet Security had decided the internet was too dangerous and automatically
disabled it.

You have no idea how many internet connection problems I solved with the
Norton removal tool.

------
powertower
The bigger issue here is that people think there is a "perfect" world out
there, that someone is obviously preventing you from reaching...

There isn't.

It's all about either keeping some type of a balance going or shoveling enough
shit as to not get buried in it.

------
AndrewDucker
I hate them because every time I compile my code dozens of DLLs get copied
from folder to folder and they all get scanned _every time_.

Why it can't keep a list of known good DLLs and then not rescan them, I don't
know...

------
derleth
On a related note, 'personal' (that is, software) firewalls are worse than
useless:

<http://web.archive.org/web/20100204074441/http://samspade.org/d/firewalls.html>

------
Craiggybear
Well, if you will dabble away in Windows, this is bound to happen. Stop
writing for it and it'll go away.

Man: "Doctor! Doctor! It hurts when I do this!"

Doctor: "Well, stop doing that ..."

~~~
politician
Doctor: Furthermore, start doing the same thing (developing software) to the
other one (Linux) because it's .. Er.. fresh.

Man: Wait, but won't the other one start hurting because I'm using it more?

Doctor: Oh right, I guess if everyone switched to using Linux tomorrow, then
the malware authors would begin targeting it more aggressively. I suppose my
anti-Microsoft rant was misplaced.

~~~
Craiggybear
Just wrong on so many levels, I don't know where to start.

------
Nima2712
Hahahahaha. --> EVERY. FUCKING. WEEK.

