Walt.Gregg.Juneau.AK.US (December 29, 2020)

Is Your Windows AntiVirus Software Dangerous?

Disclaimer. I am not a security expert. I know just enough to be dangerous. So take this essay for what it is: my opinions based on limited expertise, limited research, and limited testing.

AntiVirus software has permission to scan through all your private documents as well as your programs. It can automatically quarantine and even delete anything it deems suspicious or dangerous. Often, it can silently transmit anything it deems interesting home for analysis. Sometimes, it hijacks HTTPS to monitor your sessions and prevents you from determining if the remote site is who they say they are. If you blacklist the companies with known issues, there really isn't much left.

Potentially Acceptable Home AntiVirus for Windows

Immunet (free) and EmsiSoft (about $30/year for home use). I haven't yet tested EmsiSoft. Immunet, however, I've installed and it is working here.

Immunet. This is based on ClamAV. ClamAV itself usually scores under 60% detection in tests. But that's 60% more than no protection. And in Immunet it's supplemented by cloud malware detection and the detections of other users who have elected to upload suspect files. It was trivial to install: download the file, set the Firewall to allow outgoing connections, run the file. When it opens, whitelist by window. And thereafter, it just works. Like a Timex, or a Toyota. In my case, its first scan found two potential pieces of malware other programs ignored. They weren't, actually, but they do exhibit strongly unusual behaviors (one alters the screen brightness and color; the other scans for open ports). I have elected to have it ask me what to do when it finds suspect/malware files, instead of automatic quarantine. That lets me double check a detection by uploading to VirusTotal. For the time being, I am not letting it upload suspect files automatically to the cloud.

Dangerous Free Home AntiVirus

In my opinion, you should not use Microsoft Security Essentials; Microsoft Defender; the British Sophos; the Chinese 360 Total Security; the Czech Avast; the Czech AVG; the German Avira; the Russian Kaspersky; or the Romanian BitDefender. My reasons are explained below.

Avoid Microsoft Security Essentials, because it doesn't work any more. On January 14, 2020, signature updates for this optional Windows 7 anti-virus protection ended (Keizer, Gregg. 2019. Microsoft to end updates to Windows 7's free AV software, Security Essentials. Computerworld, Dec 9. [Keizer 2019 @archive.org]).

Avoid Windows Defender. It doesn't work well enough even on Windows 10 (Anderson, Sophie. 2020. Is Windows Defender Good Enough in 2020? SafetyDetectives.com, May 15. [Anderson 2020 @archive.org]). For Windows 8.1, signature updates will end January 10, 2023. For Windows 8, signature updates ended January 12, 2016 (Microsoft. 2020. Windows Defender for Windows 8 and 8.1 - Microsoft Lifecycle. July 28. [Microsoft 2020 @archive.org]). For Windows 7, it wasn't even anti-virus, only anti-spyware (Blakemore, Eve. 2011. Why Does the Action Center say I don't have antivirus software? Microsoft Blog, Nov. 10. [Blakemore 2011]).

Avoid The British Sophos. In the first place, it's only a free trial version. And the trial was a trial. It wouldn't install on my system because of the Firewall. But the procedure they describe for letting it through the Firewall is so convoluted that it takes more than a page of HTML instructions -- and their second page wouldn't even print. It's definitely not worth the trouble. I think it's just possible that they may place themselves in the middle of HTTPS connections, as many of these programs do, to intercept and monitor that traffic. That would explain the complexity. But it would also be disqualifying, as mentioned under BitDefender, below.

Avoid the Chinese 360 Total Security. In June 2020, the maker, Qihoo 360, was added to the U.S. Entity List of export restrictions (85 Fed. Reg. 34495. 2020. Addition of Entities to the Entity List... Jun. 5). The reason is that the U.S. government determined that they pose a significant risk of becoming involved in activities that are contrary to the national security interests of the United States. That makes it inadvisable for a U.S. person to rely on this software. That's unfortunate. While often disparaged in computer magazines, the software includes the highly regarded Avira antivirus engine, is lightning fast, and has useful optimization features.

Avoid the Czech Avast. This company was caught selling easily de-anonymized, highly sensitive end user data -- including search terms and visits to porn sites -- to third parties including Microsoft and Google (Cox, Joseph. 2020. Leaked Documents Expose the Secretive Market for Your Web Browsing Data. Vice.com, Jan. 27. [Cox 2020 @archive.org]). After they were caught, they stopped collecting browsing data from their browser extensions but started doing so from the antivirus software itself. This history makes it inadvisable for any privacy-seeking person to rely on their software ever again.

Fool me once, shame on you. Fool me twice, shame on me.

Avoid the Czech AVG. This is a subsidiary of Avast. Need I say more?

Avoid the German Avira. My initial impression had been that this might be one of the only safe and effective free home antivirus products for Windows. At first, it seemed to work fine here. But later, I tried an on-demand scan. It hung at 37%. By hang, I mean it totally froze the laptop. The mouse pointer wouldn't move. Control alt delete wouldn't even regain control. Only holding the power button down for 4-6 seconds, to force the laptop to shut down, regained control. I thought it might be a Firewall issue. The Avira site suggests that you whitelist all the executable files. But if you go look, there are 101 EXE files. That's impractical to whitelist, and it's unwise to punch that many holes through a firewall. What can they be thinking of? TinyWall suggested that you just whitelist the Avira processes -- there are fewer than a dozen, as I recall. I tried that. It didn't help. It still hung at 37%.

Avoid the Russian Kaspersky. From 2017, this software has been banned from the computers of all U.S. government departments over national security concerns (82 Fed. Reg. 43782. 2017. Issuance of Binding Operational Directive 17-01... Sep. 19). The real trouble here is that Kaspersky anti-virus is so effective that it found highly classified NSA Equation Group spyware. It had been illegally taken home by an NSA contractor. Kaspersky anti-virus, doing its job, sent it home to Russia for analysis (Wright, Rob. 2017. Kaspersky Sheds More Light on Equation Group Malware Detection. TechTarget.com, Nov 16. [Wright 2017 @archive.org]). Uncle Sam was shocked -- shocked -- that this is how anti-virus software works. So they shot the messenger -- Kaspersky -- and so far as is known, let the contractor walk. It's extremely unfortunate. In independent tests for protection, performance, and usability, Kaspersky software beats Avast, AVG, Avira, and BitDefender (AV-Test.org. 2020. The Best AntiVirus Software for Home Users. Oct. [AV-Test 2020 @archive.org]).

Avoid the Romanian BitDefender. This company hijacks HTTPS. It replaced my bank's green corporate name, identity verified by a certificate authority, with a plain padlock verified by Bitdefender. A plain padlock means they might not be who they say they are. This damages the HTTPS chain of trust beyond repair.

But Mom, everybody's doing it. Yep, 45% of antivirus products tested intercepted HTTPS. And all but one weakened connection security, some dramatically. Security researchers from Google, Mozilla, and CloudFlare have urged antivirus vendors to stop this practice (Tung, Liam. 2017. Google and Mozilla's message to AV and security firms: Stop trashing HTTPS. ZDNet.com, Feb. 8. [Tung 2017 @archive.org]).
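What the two paragraphs above describe, as an added example that is not part of the original essay: a stand-alone Go program (standard library only) builds a constructed public CA, a hypothetical AV interception root, the bank's real leaf carrying the Organization the CA verified, and the re-signed substitute an intercepting product hands the browser, then runs the browser's chain check before and after the AV root is installed in the root store. All names and certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a cert for subj signed by parent (self-signed when parent is nil); an empty host means a CA.
func issue(subj pkix.Name, host string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: host == "", KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if host != "" {
		tmpl.DNSNames = []string{host}
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Interception returns the Organization on the bank's real leaf and on the AV's substitute, and whether the
// substitute validates before and after the AV root is installed in the browser's store (all names constructed).
func Interception() (origOrg, substOrg []string, okBefore, okAfter bool) {
	const host = "bank.example"
	publicCA, caKey := issue(pkix.Name{CommonName: "Public CA (constructed)"}, "", nil, nil)
	avRoot, avKey := issue(pkix.Name{CommonName: "AV Interception Root (hypothetical)"}, "", nil, nil)
	orig, _ := issue(pkix.Name{CommonName: host, Organization: []string{"Example Bank"}}, host, publicCA, caKey) // real leaf: CA-verified identity
	subst, _ := issue(pkix.Name{CommonName: host}, host, avRoot, avKey)                                           // proxy re-signs under the AV root; identity gone
	store := x509.NewCertPool() // the browser's root store: public CAs only
	store.AddCert(publicCA)
	_, errBefore := subst.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	store.AddCert(avRoot) // the AV installs its own root, so the substitute now passes the padlock check
	_, errAfter := subst.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return orig.Subject.Organization, subst.Subject.Organization, errBefore == nil, errAfter == nil
}

func main() {
	fmt.Println(Interception())
}
```

The padlock the browser then shows is vouched for by the locally installed AV root, not by any public CA, which is why the bank's verified name disappears and why checking the issuer of the certificate your browser actually received is the quickest way to tell whether a product is intercepting your HTTPS.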

BitDefender Free's HTTPS hijacking causes denial of service for most HTTPS sites. I didn't find this mentioned in the PC press, but it's not uncommon if you check discussion forums (Knuddelz. 2019. Bidefender Free blocks most https connections on my PC. Community.Bitdefender.com, Feb. [Knuddelz 2019 @archive.org]). I found this so severe that it was nearly impossible to browse the web. Practically every non-commercial HTTPS site was unreachable without clicking through the security warning (Bitdefender 2020): "Bitdefender has blocked this page. The certificate used to encrypt your connection to this website could not be verified. Proceed with caution, attackers might try to steal sensitive information from you, such as passwords or credit cards. (I understand the risks, take me there anyway)"

Finally, BitDefender invites scores of foreign hosts to reach right through your router and touch your PC. These are mostly incoming connections from content distribution networks to your operating system. In my case, TinyWall blocked these connections. Perhaps that's related to the denial of service, above. But whatever it is doing, BitDefender turns HTTPS on its head. I think you should avoid it like the plague.

Conclusion

Of the free-for-home-use Windows anti-virus products I found and tested, the only one that actually worked here and is at least modestly effective is Immunet.com. I haven't yet tested it, but it's just possible that the $30/year EmsiSoft.com may also be suitable. The two together might be a formidable defense. The other products, however, may be a cure worse than the disease.