Even controversial issues must be discussed. The current blog post is dedicated to one particularly controversial topic:
Virus scanners are currently ubiquitous (at least on Windows systems) and are seen as a standard security measure. Users are so used to them that hardly anyone dares to doubt their usefulness. Virus scanners themselves however can have potential risks, such as
System failures due to so-called false positives
An example: The virus scanner deletes legitimate system or program data because it classifies it as harmful due to incorrect check signatures, with the result that the operating system or a critical application program no longer functions. Incidents in which industrial PC systems no longer function due to incorrect verification signatures or compatibility tests occur repeatedly in the shopfloor environment.
Virus scanner as weakness
In order for a virus scanner to work effectively, it must be granted certain system privileges, because otherwise the view into program sequences would be denied. This means that the virus scanner can potentially open a gate for any malicious codes or attackers if the virus scanner itself has vulnerabilities..
Virus scanners may interfere with security measures of the systems
For example, you can intercept HTTPS connections and replace the intensively tested validation mechanisms with self-developed ones. This facilitates so-called man-in-the-middle attacks. This means that the hacker places himself – or his malicious tool – between the actual user and the resource he is targeting (a bank website or an e-mail account). The hacker can then read along or even pretend to be the owner of the message and thus request or intercept information. These attacks can be very effective and are often difficult to detect.
When does a virus scanner make sense?
In a typical office environment, which is more frequently exposed to virus attacks from mails and Internet surfing, virus protection can still be regarded as a good measure because the advantage over the disadvantages described above outweighs the disadvantages. While protection against mass-produced malware is still reasonably assured, the use of classic virus scanners to protect against targeted attacks can be regarded as negligible.
On highly regulated systems that are equipped with additional measures and sufficiently isolated from the outside world (e.g. isolated PC systems for control systems), the protection provided by a virus scanner is maybe somewhat less than the potential risk posed by the virus scanner. This applies in particular to systems in which only software cleared by a supplier/integrator is introduced in a controlled update process.
On systems that meet certain requirements, the implementation of the following points should be given higher priority than the installation of a classic virus scanner:
With these systems, which – as described above – are protected against malware by suitable other measures, the probability of a virus infection is reduced to an appropriate level even without a virus scanner. The appropriate protection tool should always be evaluated depending on technology, constraints and risks.