Wednesday, July 09, 2008

The great antivirus scandal of 2008

This report is pretty scary. It's understandable that everybody overlooks the fact that virus scanners can themselves be vulnerable, especially when they're built with lots of third-party plugins (e.g. UPX/ZIP/ARJ/RAR unpackers) whose whole job is to parse untrusted input.

But the fact is, you can become infected by a virus without ever running the infected program/trojan yourself: the on-access scanner opens and parses the file automatically (typically with SYSTEM or root privileges), and if the file has been crafted to exploit a vulnerability in the scanner's parser or unpacker, you become infected the moment the file is scanned, not when you run it.
That's a lot more dangerous than having no AV software and just being careful which programs you run...
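To make the bug class concrete, here is an added example (my own code, not the post's and not taken from any AV vendor's plugin) of the kind of length-field mistake an unpacker plugin can contain. The "archive entry" format, the `NAME_MAX` size, the sample inputs and all function names are hypothetical: a one-byte name length, the name, then a little-endian four-byte payload size. The unsafe parser trusts the length byte from the file; the hardened one checks every field against both the destination buffer and the bytes actually present before using it.

```c
/* Added example, not from the original post. Toy archive-entry header parser
 * of the sort an AV unpacker plugin contains, written once with the classic
 * length-field bug and once hardened. Format (hypothetical):
 *   [1 byte name_len][name_len bytes name][4 bytes little-endian payload_size]
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

struct entry {
    char     name[NAME_MAX];
    uint32_t payload_size;
};

/* VULNERABLE: trusts the length byte read from the file. With name_len = 0xFF the
 * memcpy writes 255 bytes into a 32-byte field, trampling payload_size and whatever
 * the caller keeps after 'struct entry' on its stack. This is the shape of bug the
 * post describes; it is deliberately never called on the crafted sample below. */
int parse_entry_unsafe(const uint8_t *buf, size_t len, struct entry *out)
{
    (void)len;                                   /* BUG: input length ignored */
    size_t name_len = buf[0];                    /* attacker-controlled */
    memcpy(out->name, buf + 1, name_len);        /* BUG: no bound on name_len */
    out->name[name_len] = '\0';                  /* BUG: off-by-one at name_len == NAME_MAX */
    memcpy(&out->payload_size, buf + 1 + name_len, 4);
    return 0;
}

/* HARDENED: every value read from the file is checked against the destination
 * size and the bytes available before it drives a copy or an allocation. */
int parse_entry_safe(const uint8_t *buf, size_t len, struct entry *out)
{
    if (buf == NULL || out == NULL || len < 1)
        return -1;
    size_t name_len = buf[0];
    if (name_len >= NAME_MAX)                    /* must leave room for the NUL */
        return -1;
    size_t hdr = 1 + name_len + 4;
    if (len < hdr)                               /* truncated header */
        return -1;
    memcpy(out->name, buf + 1, name_len);
    out->name[name_len] = '\0';
    const uint8_t *p = buf + 1 + name_len;
    uint32_t size = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                  | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    if (size > len - hdr)                        /* claims more payload than the file holds */
        return -1;
    out->payload_size = size;
    return 0;
}

/* Constructed sample inputs (not real archive data). */
static const uint8_t benign[] = {
    9, 'h','e','l','l','o','.','t','x','t',      /* name_len = 9, then the name */
    3, 0, 0, 0,                                  /* payload_size = 3 (LE) */
    'a','b','c'                                  /* payload */
};

static const uint8_t crafted[] = {
    0xFF,                                        /* name_len = 255 > NAME_MAX */
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0xFF,0xFF,0xFF,0xFF                          /* would land in payload_size in the unsafe parser */
};

/* Returns 0 when the benign sample parses and its fields match what was encoded. */
int check_benign(void)
{
    struct entry e;
    if (parse_entry_safe(benign, sizeof benign, &e) != 0) return 1;
    if (strcmp(e.name, "hello.txt") != 0) return 2;
    if (e.payload_size != 3) return 3;
    return 0;
}

/* Returns the safe parser's verdict on the crafted sample (-1: rejected). */
int check_crafted(void)
{
    struct entry e;
    return parse_entry_safe(crafted, sizeof crafted, &e);
}

/* Returns the safe parser's verdict when the header claims 64 payload bytes but only 3 follow. */
int check_truncated(void)
{
    uint8_t t[sizeof benign];
    memcpy(t, benign, sizeof benign);
    t[10] = 0x40;                                /* payload_size = 64 */
    struct entry e;
    return parse_entry_safe(t, sizeof t, &e);
}

int main(void)
{
    printf("benign: %d  crafted: %d  truncated: %d\n",
           check_benign(), check_crafted(), check_truncated());
    return 0;
}
```

The point of the third check is that the same discipline applies to the payload size: an unpacker that allocates or reads according to a size field it never compared with the remaining file length is the "allocate then overflow" variant of the same bug.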

Symantec is among the worst here, with about 32 vulnerabilities listed compared to 6 or 7 in F-Prot, AVG and BitDefender.
Personally, I think it serves AV vendors right for coding their products in languages as dangerous as C and C++, which are so prone to buffer overflow mistakes. Nobody can code without mistakes, and the number of mistakes grows with code size, of course. They should have written their scanners/plugins in a better programming language (e.g. Lisp).


  1. AVG doesn't surprise me, but I really expected ClamAV to at least do better than average, not top the chart.

    But yeah, it's pretty silly to be writing this stuff in a language prone to overflows and suchlike.

  2. Yeah I was surprised too. You'd expect that someone would fix some of the problems since it's open source, but then, maybe it'll sit there untouched for a while. That's one of the things with open source - you can't really trust or predict what the current maintainers will do. With commercial products, it's reasonable to assume there'll be a stable team that'll keep working on it without getting bored and abandoning ship.
    Also, maybe the closed-source projects were more inclined to reinvent wheels and not re-use vulnerable decryption/parsing libraries (re-use normally being a good thing, of course...).