Antivirus software is blighted by major flaws and meaningless certification
There are big problems with antivirus software from major security firms, and the certification they receive is a meaningless and ineffective rubberstamp, according to one security expert.

Tavis Ormandy – who is part of Google's Project Zero team, and has uncovered flaws in the likes of Malwarebytes software, Trend Micro, Sophos and many more – wrote a blog post about his most recent revelations of vulnerabilities in Comodo Antivirus.

He noted there were multiple flaws which were trivial to find – in his words, there's plenty of "low hanging fruit" like this out there which is "endangering billions of users worldwide" – and he observed that in general, antivirus vendors just aren't interested in vetting or improving their products.

Ormandy said: "I don't think the antivirus industry is going to make even a token effort at resolving these issues unless their hand is forced," and he further noted that despite the vulnerabilities he easily located, Comodo received an 'Excellence in Information Security Testing' award from Verizon.

Testing times

According to the certification methodology, which Verizon publishes, 'excellence' apparently consists of, among other things, being able to detect malware and having a function to enable (or disable) malware detection.

Of course, rather than indicating any excellence in the field of combating malicious code, these are obviously very basic requirements for a package to even be defined as antivirus. Ormandy thus calls certification processes "meaningless tests", adding: "Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile".

On Twitter yesterday, Ormandy observed that while mainstream AV products may prevent untargeted malware, they can actually enable targeted attacks because of their poor coding and implementation.

He warns that something must change soon when it comes to these products, and that "all of the major security vendors are using ancient codebases with no awareness of modern security practices".

Via: Network World