
“AV is my single biggest impediment to shipping a secure browser.” - zdw
https://twitter.com/justinschuh/status/802491391121260544
======
cmiles74
I'm leaning towards the browser vendors on this one, AV software has been
sloppy and has been known to enlarge the attack surface area. Here's an
example from earlier this year.

[https://securityintelligence.com/news/bad-medicine-symantec-...](https://securityintelligence.com/news/bad-medicine-symantec-antivirus-comes-with-easy-exploit/)

@VessOnSecurity whines about a lack of hooks for AV to hang on in Google
Chrome, but kind of laughs at the hooks that Microsoft Office offers (we
didn't need them anyway, we read before Office opens the file, etc.) That
cavalier attitude makes me uncomfortable.

~~~
wyldfire
> @VessOnSecurity whines about a lack of hooks

I think that "Antivirus" arrived as a bandaid during the decades when security
was taken seriously by some consumers but not by the OS/app software vendors.
It started out as "inspect the system for signatures of malicious executables"
and evolved to include "clever active mechanisms to avoid infection."

I think that there should be no need for the "active mechanisms to avoid
infection" part and that is ultimately the responsibility of the OS/app
vendors.

Unfortunately, through their inaction, OS/app vendors have allowed an industry
to arrive. This industry will be reluctant to forfeit their position. Clearly
if they think they're entitled to some consideration in the browser design,
they will not go away without a fight.

~~~
integricho
This is an interesting point. Could AV become obsolete in the future, provided
the security of OSes becomes good enough?

~~~
0xfeba
MS seems to think so; they have been pushing their own security product in
Win8+.

[https://movietvtechgeeks.com/microsoft-antivirus-cant-defend...](https://movietvtechgeeks.com/microsoft-antivirus-cant-defend-new-anti-trust-cases/)

~~~
jdmichal
Since XP / Vista, actually. Windows 8 is when they integrated Microsoft
Security Essentials into Windows Defender as a full OS component.

[https://en.wikipedia.org/wiki/Microsoft_Security_Essentials](https://en.wikipedia.org/wiki/Microsoft_Security_Essentials)

------
blauditore
For everyone else who was lost like me (mined from this comment section and
some googling):

- AV: Anti-virus software

- Vess: Security, AV expert, loves AV

- Justin Schuh: Chrome dev (security-related), hates AV

- AV needs deep access to the OS, opening the door for attacks if managed
poorly

- Deep OS access is often hacky (due to lack of APIs?), thus potentially
unsafe

- Vess and Justin Schuh both have bad manners

Is this about right?

Also, how is AV a (direct) impediment to shipping a safe browser? It seems
to me that a browser should be mostly agnostic toward AV.

Edit: It seems like the problem is that AV tries to penetrate browsers in a
similar hacky way as for the OS, resulting in similar issues.

TL;DR: AV tries to help by supervising browsers because they're allegedly not
safe enough, but browsers think they're already safe and want AV to gtfo.

Edit 2: Are there any AVs that don't tamper with browsers at all? I've always
been using Avast and switching off all browser-related features, but maybe
there are better options.

~~~
jfindley
Vess has been in the AV industry a LONG time. A really long time. So long that
I don't think he's really able to see the state of the industry for what it is
anymore.

In the days of windows 95/8, the desktop landscape was very different to how
it is now - OSes and browsers were horribly insecure, and readily compromised
with little effort. Attacks were plentiful, and infections common. AV really
did add useful additional security.

These days that's less the case - an up to date windows 10 or OSX desktop is
reasonably secure by default - it can still be infected, but generally not
without some action taken by the user (of course there are still 0-days, but
they are generally treated seriously and patched at least moderately quickly.
Unauthenticated RCEs are now a rarity, thankfully).

The AV industry hasn't really caught up with the idea that the OS/apps they
are messing with are now in general fairly well written and audited pieces of
code, and haven't really got institutional awareness that they are making
things worse, much of the time.

This is frustrating for the OS/app devs, who rightly get annoyed at having AV
vendors actively removing protections built into the browser, but also I feel
that the AV industry is getting defensive at the bad press generated by things
like project-zero, when at least in their own minds they are trying to do
something useful. Hence the heated words. ALso, infosec tends towards being a
profession of heated language, a lot of the time...

~~~
astrodust
He might know what AV technology is like today on a theoretical basis but he
seems utterly clueless on a granular technical level.

His comment that AV is necessary today seems completely out of touch. There
are two things more important than anything else these days: keeping patched as
you mention, but also _never_, ever giving clueless users administrator
access on the machine.

I'm not sure any AV package will protect a sufficiently stupid user from a
targeted spear-phishing attack, and that's the real threat to worry about.

~~~
dublinben
An adblocker in your browser will mitigate your actual threats better than any
AV running on your system.

------
rcthompson
I think this exchange (pulled from one of the other threads linked in the
comments here) perfectly captures the general argument:
[https://twitter.com/taviso/status/800061052964651008](https://twitter.com/taviso/status/800061052964651008)

Tavis Ormandy: "Kinda like how a lightbulb that sets things on fire is still
high quality, so long as you only measure lumens?"

Vess: "It's certainly of better quality than a lightbulb that doesn't light
the room at all."

I think I know which lightbulb I would prefer.

~~~
drzaiusapelord
Everything electric in your house can start a fire, yet I imagine you don't
live like an Amish person. You make a rational gamble with yourself to allow
this tech and deal with extremely rare edge cases because of the greater
utility this technology gives you.

Vess's point is that yes you can find defects in AV, but that doesn't
invalidate AV the same way finding defects in the linux kernel or openssl
doesn't mean we'll stop using linux or ssl.

Also, if you look at some of Tavis's work you'll find scary things like buffer
overflows but also disclaimer comments on how tough it would be to actually
exploit it due to OS-level protections or other protections. I'm fairly
certain we haven't seen any in-the-wild exploits that actually compromise AV.
If it was practical to do, it would be the de facto exploit considering you get
to take down the gatekeeper and get to run your code at the same time.

I think a lot of people interpret Tavis's work in a hysterical manner and it
leads to thinking about tossing out the baby with the bathwater. I also think
there's a pretty major disconnect between devs and everyday end user habits.
Sure, you can live without AV, probably, but get rid of it wholesale at every
Fortune 500 company or in a major city and then tell me how you think things
will play out. I imagine not well regardless of how 'more secure' Chrome or
Firefox can be made.

~~~
rincebrain
I think you may be going too far the other direction, WRT "[you'll] also
[find] disclaimer comments on how tough it would be to actually exploit" -
there have been several findings that were quite bad even without being
properly weaponized. [1][2]

The remark about wholly getting rid of AV is also at least partially
disingenuous, since I think most (all?) of those advocating it were suggesting
that the built-in protections of Windows Defender/MSE were sufficient for most
use cases.

[1] - [https://bugs.chromium.org/p/project-zero/issues/detail?id=82...](https://bugs.chromium.org/p/project-zero/issues/detail?id=820)

[2] - [https://googleprojectzero.blogspot.com/2016/06/a-year-of-win...](https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html)

------
dblohm7
AV is also the biggest impediment to shipping a stable browser. I'll be
spending some quality time next quarter adding mitigations to Firefox to
prevent AV software injecting code into our process.

~~~
wfh
Contact me if you want to collaborate on this.

------
ams6110
A twist of de Raadt's take on virtualization:

_You are absolutely deluded, if not stupid, if you think that a worldwide
collection of software engineers who can't write operating systems or
applications without security holes, can then turn around and suddenly write
antivirus software without security holes._

------
payne92
The full tweet has the best putdown ever to fit in 140 chars with room left
over:

    "You misunderstand your own ignorance".

------
tcoppi
He's not wrong, most traditional AV is complete hacked-up shit. Some of the
"Next-Generation" AV (I think they are trying to rebrand this as Endpoint IPS
too) like Cylance, CrowdStrike, Webroot are better in that they do a lot less
crap on the endpoints to begin with, so there is less to screw up.

------
abetusk
AV = anti-virus

~~~
btschaegg
I really like the fact that "Apparent Vulnerability" also works here ;-)

------
busterarm
I worked in/with AV for 5 years and I'm 110% in agreement with Justin Schuh
here.

------
tyingq
The rhetoric back and forth seems a bit strong when both sides are arguably
representing their companies.

I can't imagine saying something like _"You misunderstand your own
ignorance"_ to someone at say, an industry conference.

~~~
ptk
It appears there is some history with this Vess character being wrong and
particularly obstinate about his position too. So while we all jumped into
this conversation without that background, I'm not surprised that these
developers are being harsh with him. He seems to have made a long-term habit
of ignoring the crux of their argument (which is a super strong argument IMO)
and continues to put forth his own ignorant views.

~~~
smilekzs
> ... habit of ignoring the crux of their argument ... and continues to put
> forth his own ignorant views

Exactly. It was not even a debate --- it's downright refusal.

------
protomyth
Is the AV vendors' code having the same problems that the old version of the
file command had, which led to a rewrite on OpenBSD[1]? It seems that way with
the "not doing the fuzzing of inputs" comment, or is there a second problem
because it's the browser?

1)
[https://news.ycombinator.com/item?id=9439778](https://news.ycombinator.com/item?id=9439778)

~~~
masklinn
AV vendors are even worse, they don't just play fast and loose with incoming
files they also fuck up other processes in the system, bundle de-secured
versions of other software (e.g. Chrome) or enable security holes (remotely
accessible local debuggers) by default.

Check out issues reported by taviso on Google Zero:
[https://bugs.chromium.org/p/project-zero/issues/list?can=1&q...](https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=reporter%3Ataviso%40google.com)

Examples: [https://bugs.chromium.org/p/project-zero/issues/detail?id=67...](https://bugs.chromium.org/p/project-zero/issues/detail?id=675) or [https://bugs.chromium.org/p/project-zero/issues/detail?id=77...](https://bugs.chromium.org/p/project-zero/issues/detail?id=773) or [https://bugs.chromium.org/p/project-zero/issues/detail?id=70...](https://bugs.chromium.org/p/project-zero/issues/detail?id=704)

~~~
Already__Taken
FYI on the project zero link, change issues from open to all.

~~~
masklinn
Ah yes fixed, I trimmed the URL a bit too much.

------
pritambarhate
A little bit off topic. Which AV do you use on Windows? Do you run AV on Linux
and Mac in the background, just like most people run on Windows?

There is relatively less malware which targets Mac or Linux. So it generally
doesn't affect them as often as it happens on Windows. But if any of you can
recommend a good lightweight AV for Mac and Linux, it will be great.

~~~
moogly
I don't. Haven't for, I don't know, 15 years? Before that I tended to do
passive scans a few times a year, and I never had any viruses so I don't even
bother now.

Here's a secret: You don't need AV on Windows if you're remotely tech savvy,
and it doesn't mean you need to be paranoid about what you download either,
only use some common sense.

The AVs I've come in contact with (friends, family, work) are worse than the
viruses they purport to defend against anyway. Just the other day the IT
department installed some undisableable Webroot extension in Chrome that
injects some godawful green checkmarks throughout Google Search's HTML. That's
a virus to me.

~~~
untoreh
Webroot is quite decent but I definitely don't enable the browser extensions;
at best they just slow down browsing, at worst...eh. It also does another
"funny" thing: basically whenever it meets a process it does not like, it
starts dumping hundreds of MBs of data into its ProgramData folder, and I
wonder, how are you gonna upload all that stuff with my 0.5Mbps tx speed? :)

------
nickpsecurity
He's right about AV code being shit. He's wrong on that being the biggest
impediment to shipping secure browsers. CompSci already created numerous
secure browsers. Chrome architecture was even a performance, not security,
enhancing modification of OP Secure Browser. The problem holding back secure
browsers is none of the browser companies are using the proven techniques
despite a number integrating with existing code. ;)

List of them was in this old comment:

[https://news.ycombinator.com/item?id=9962444](https://news.ycombinator.com/item?id=9962444)

Note: Illinois Browser Operating System (IBOS) and OP2 are definitely worth
looking up.

------
rarepostinlurkr
I see someone else loves IBM Trusteer/Rapport too! "It's cool guys we are
logging your keystrokes and everywhere you go for your safety!"

------
outworlder
“To know your Enemy, you must become your Enemy.” ― Sun Tzu

AV software nowadays is as hostile as the threats they are supposed to be
preventing.

------
LeoPanthera
I would love to know how many Hacker News readers run AV. Pity HN doesn't have
polls.

~~~
jakub_g
You _can_ create a poll:

[https://news.ycombinator.com/newpoll](https://news.ycombinator.com/newpoll)

HN has quite a few not-so-discoverable features:

[https://gist.github.com/jakub-g/803ad2c074ad1fbe2af5](https://gist.github.com/jakub-g/803ad2c074ad1fbe2af5)

------
pdog
Why isn't this a blog post? I gave up reading after the first tweet because
it's in such a horrible format.

~~~
Ar-Curunir
Conversations don't normally occur via blog posts...

------
Kenji
People who think AV is good or even necessary are delusional. Never has there
been software that was worse than the AVs I came in contact with. They pose
more of a stability problem than malicious programs themselves.

------
edblarney
Perhaps we should point fingers at the OS vendors themselves.

Perhaps it's possible to build an OS that runs apps in a more 'sandboxed'
fashion, with clean, secure APIs to the OS?

Like iOS/Android, but without the business restrictions of App Store?

~~~
TheDong
We can call it "qubes" or "systemd with cgroups + other features" or "nixos"
or "GuixSD"

Or OpenBSD with its pledge stuff and jail awesomeness

Or fedora with SELinux and default policies.

Believe me, distros are trying to do this, and honestly they're doing a pretty
okay job. The kernel could help a bit more (and is starting to with
namespacing).

~~~
edblarney
It's great that some open-sources are leading the way.

But Mac/Win are 99% of consumer desktops, so it's up to them to make the
change.

------
blowski
Two well-respected people who seem to take diametrically opposed views.

All I can do is get some popcorn and dream of knowing who's right.

~~~
0xfeba
Well, I see his point. 3rd Party AV vendors have hacky hooks into the kernel
to do what they need to do. And at that point they become kernel-level so they
are a juicy target.

Symantec and other AV vendors have had stupid flaws (someone else linked to it
in the comments) that allowed remote access and privilege escalation from
just knowing the host has a certain AV installed.

All AV seems hacky--except for Microsoft's own, which is what I use and
suggest all my friends use rather than shelling out for those subpar products.

~~~
ionised
Windows Defender was shown to be pretty piss poor in general detections. The
only thing it has going for it is its low resource footprint.

~~~
anonymfus
Looks like survivorship bias: malware detectable by Windows Defender does not
spread so it is not included in comparisons.

