Antivirus Fallacy

Antiviruses are one of the most widely installed classes of software. They are supposed to provide protection from various types of malicious software, but in reality they are neither very useful nor required for this. This article is about the principles of antivirus operation, why you likely don't need one, and the situations in which an antivirus is indeed useful.

There are two primary working principles behind antiviruses: signature detection and heuristics. Signature detection works by comparing a file against a database of known malicious samples. This method is fast and simple to implement, but is only able to detect malware that has already been discovered and added to the database. The other malware detection method is heuristics. It is based on analysis of the suspected program's behaviour, and includes, but is not limited to, running the program in a sandbox environment, looking at the system calls made by the program, and using machine learning techniques to classify software as malicious. This method can detect malware that is absent from the signature database, but requires significant computing resources.

So, why is an antivirus not always needed?

The main reason is that the protection provided by an antivirus comes with certain drawbacks, and can generally be achieved without using an antivirus. The first and most obvious problem is performance: an antivirus is constantly running in the background and using valuable system resources. Another problem is false negatives and false positives: antiviruses often fail to recognize malicious files as malware, and also flag non-malicious programs as malware. One more problem is the fact that the antivirus itself may contain security vulnerabilities, which can be exploited to damage the system or execute malware, exactly what an antivirus is intended to prevent.
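To make the two detection principles and their failure modes concrete, here is a toy scanner that is an added illustration, not code from the article or from any antivirus product. It uses a constructed, harmless byte string as the "known malicious sample", a hypothetical signature name (Trojan.Constructed.A), and a short list of Windows API call names used only as labels for sandbox-observed behaviour. The weights and threshold are assumptions chosen for the example, not values from any real engine.

```python
"""Toy signature-plus-heuristic scanner (added illustration, not the article's code)."""
import hashlib
import re
from typing import Dict, List

# --- Signature detection -------------------------------------------------
# Constructed "known malicious" sample: harmless bytes standing in for a real
# malware file. Its SHA-256 plays the role of the vendor's signature database.
KNOWN_BAD = b"MZ\x90\x00" + b"echo pwned > C:\\evil.txt" + b"\x00" * 16
HASH_DB: Dict[str, str] = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan.Constructed.A"}

# A byte-pattern signature survives small edits elsewhere in the file,
# but is still purely static and still needs the sample to be known first.
PATTERN_DB = [(re.compile(rb"echo pwned"), "Trojan.Constructed.A (pattern)")]


def signature_scan(data: bytes) -> List[str]:
    """Return names of every signature (hash or byte pattern) that matches `data`."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_DB:
        hits.append(HASH_DB[digest])
    for pattern, name in PATTERN_DB:
        if pattern.search(data):
            hits.append(name)
    return hits


# --- Heuristics -----------------------------------------------------------
# Behaviour recorded in a sandbox, represented as the set of system calls made.
# Each suspicious call adds to a score; a score at or above THRESHOLD is flagged.
# Weights and threshold are assumptions for this example.
WEIGHTS: Dict[str, int] = {
    "CreateRemoteThread": 4,  # running code inside another process
    "WriteProcessMemory": 3,  # modifying another process's memory
    "RegSetValue": 2,         # registry persistence
    "InternetOpenUrl": 2,     # network download
    "CryptEncrypt": 3,        # bulk encryption, ransomware-like
    "DeleteFile": 1,
}
THRESHOLD = 6


def heuristic_score(syscalls: List[str]) -> int:
    """Sum the weights of the distinct suspicious calls observed."""
    return sum(WEIGHTS.get(call, 0) for call in set(syscalls))


def heuristic_scan(syscalls: List[str]) -> bool:
    """True when the behaviour score reaches the detection threshold."""
    return heuristic_score(syscalls) >= THRESHOLD


def demo() -> Dict[str, object]:
    """Run the scanner over constructed inputs that show each failure mode."""
    # One padding byte changed: the hash signature misses, the pattern still hits.
    repacked = KNOWN_BAD[:-1] + b"\x01"
    # The matched string itself altered (two spaces): both static signatures miss.
    reworded = KNOWN_BAD.replace(b"echo pwned", b"echo  pwned")
    # Constructed sandbox traces: a debugger legitimately injects into processes,
    # while a quiet encryptor only touches files.
    debugger_trace = ["OpenProcess", "WriteProcessMemory", "CreateRemoteThread"]
    quiet_encryptor_trace = ["CreateFile", "ReadFile", "CryptEncrypt", "WriteFile"]
    return {
        "known_sample": signature_scan(KNOWN_BAD),
        "repacked_sample": signature_scan(repacked),
        "reworded_sample": signature_scan(reworded),          # false negative
        "debugger_flagged": heuristic_scan(debugger_trace),   # false positive
        "encryptor_flagged": heuristic_scan(quiet_encryptor_trace),  # false negative
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The demo shows the trade-off the text describes: the whole-file hash is cheap but breaks on a single changed byte, the byte pattern is a little more tolerant but still blind to anything not yet in the database, and the behaviour score catches an unseen sample only at the price of also flagging legitimate tools that share its behaviour.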

In order to protect the computer from viruses without an antivirus, certain measures have to be taken:

Who does actually need an antivirus?

File sharing services, email providers

Malware is often distributed via email attachments and file sharing and transfer services. Running an antivirus on an email or file sharing server is a great way to suppress propagation of malware.

Large commercial companies

Commercial companies are targeted by malware a lot more than individuals, either by attackers who use malware to extort money from these companies, or by other companies who hire attackers to harm their competitors. It is worthwhile for companies to invest in an antivirus to protect themselves from malware that could lead to massive losses.


Available as a video here


2020/11/13