Experts Only: Time to Ditch the Antivirus?

By Bill Brenner, CSO | Security, antivirus

To the average IT security practitioner, the idea of disabling antivirus on new machines might seem blasphemous. After all, weren't we all told in IT Security 101 that everyone needs AV to keep the malware and data thieves at bay?

Perhaps, but for some who moved beyond IT Security 101 eons ago, AV is more than simply obsolete. It's an obstacle to a more perfect defense. And so they've chosen to disable it.

Among those who feel that way is David Litchfield, a leading database security expert who has authored such books as "Oracle Forensics," the "Oracle Hacker's Handbook," the "Database Hacker's Handbook" and "SQL Server Security."

Litchfield simply doesn't trust the AV programs out there, and he treats them the same way he treats RealPlayer, Adobe Acrobat and Flash, and the Google and Yahoo toolbars: he disables them.

"As an experienced security guy, I have no faith in most of the AV packages out there because they're completely reactive, offer little advance protection, massively increase the attack surface and have a long history of vulnerable ActiveX controls," Litchfield says. "I've never used AV software and I've never once been infected with a virus."

For Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, it's not simply a matter of distrusting AV. Practitioners who have been in the game as long as he has, he says, have found better controls that make AV obsolete.

"I don't use AV on most of my systems, and most high-level security types use only limited AV," he said.

Mogull believes AV is quite useful at the e-mail gateway/provider level, and he does have AV on a Windows XP VM (virtual machine) left over from his last job. But there's no AV to be found on his Mac, or on his Vista VM. He points out that he uses "a lot" of other controls that provide him with adequate security, including limited Web browsing, maximum security in the browser, e-mail filtering and other lock-downs on the system.

All that said, Litchfield and Mogull agree this isn't something the security novice should be doing. "Knowing what is and what isn't safe to do on a computer is 90 percent of the battle," Litchfield said.

Ken Pfeil, executive director and head of information security for the Americas Region at financial services company WestLB AG, said he can see both sides of the argument.

"Litchfield is right in a lot of respects. AV and personal firewalls are pretty much useless unless you are the average end user," he said. However, he also noted that "It still doesn't matter when it comes down to policy in the corporate world because you can't effectively enforce two different sets of standards." In other words, in the enterprise setting, it's AV for everyone. And Pfeil thinks that's okay, noting that even experienced race car drivers wear their seatbelts even though the odds are slim that an accident will happen on their way to the store.

Zach Lanier, senior network security analyst at Harvard Business School, noted the debate over AV effectiveness isn't new, but the past few years have been increasingly difficult for traditional approaches to malware protection. Most of the current AV options lag behind in updates, have detection engines that are trivial to bypass, and sometimes are themselves vulnerable, he said. He also considers himself savvy enough to skip antivirus on his own systems in favor of other security options like sandboxing and mandatory access control.
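The complaint shared by Litchfield ("completely reactive") and Lanier ("detection engines that are trivial to bypass") is easy to see in code. The following is an added example written for this page, not code from the article or from any of the people or products it mentions. It implements a toy signature scanner in Python, shows that a rule written from a known sample matches that sample, that a one-line XOR re-encoding of the same payload evades the rule, and that the engine only catches the variant once the packer stub itself has become a known pattern, which is the reactive cycle in miniature. The sample payload, the rule names, and the `STUB:` packer format are all constructed for the demonstration and are harmless bytes.

```python
import re

# Constructed, harmless stand-in for a known malicious file. The scanner
# recognises it only because an analyst already saw it and wrote a rule:
# that is what "reactive" means in practice.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"EVIL_DROPPER_V1\x00" + b"connect-to-c2\x00"

# Hypothetical signature database: rule name -> byte pattern lifted from
# the sample after the fact. Not any real vendor's rule format.
SIGNATURES = {
    "Trojan.Toy.Dropper": re.compile(rb"EVIL_DROPPER_V1"),
    "Trojan.Toy.C2": re.compile(rb"connect-to-c2"),
}

STUB_MARKER = b"STUB:"  # hypothetical packer header: marker, then a 1-byte key


def scan(data: bytes) -> list:
    """Plain signature scan: names of every rule whose pattern occurs in data."""
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR. Symmetric, so the same call decodes."""
    return bytes(b ^ key for b in data)


def pack(sample: bytes, key: int) -> bytes:
    """Build a 'variant': stub marker, the key, then the XOR-encoded body.
    A real packer would carry a decoder stub; the marker stands in for it."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body unchanged)")
    return STUB_MARKER + bytes([key]) + xor_encode(sample, key)


def unpack(variant: bytes) -> bytes:
    """Undo pack(). Raises ValueError if the stub marker is absent."""
    if not variant.startswith(STUB_MARKER) or len(variant) < len(STUB_MARKER) + 1:
        raise ValueError("not a packed variant")
    key = variant[len(STUB_MARKER)]
    return xor_encode(variant[len(STUB_MARKER) + 1:], key)


def scan_with_unpacking(data: bytes) -> list:
    """What a less naive engine does: if the file carries a known packer stub,
    decode the body and scan that as well. This catches the variant, but only
    because the stub is now itself a known pattern; change the stub and the
    engine is back to square one until someone writes the next rule."""
    hits = scan(data)
    try:
        hits += [h for h in scan(unpack(data)) if h not in hits]
    except ValueError:
        pass  # not packed with the stub we know about; nothing more to try
    return hits


def demo(key: int = 0x5A) -> dict:
    """Run the three scans on the known sample and its packed variant."""
    variant = pack(KNOWN_SAMPLE, key)
    return {
        "original_hits": scan(KNOWN_SAMPLE),
        "variant_hits_plain": scan(variant),
        "variant_hits_unpacking": scan_with_unpacking(variant),
        "variant_decodes_to_original": unpack(variant) == KNOWN_SAMPLE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the original sample matched by both rules, the packed variant matched by none under the plain scan, and the variant matched again only by the engine that already knows the stub. The point is not that XOR is clever; it is that every step of detection here happens after the attacker's move, which is the gap the other controls in this article (sandboxing, mandatory access control, locked-down browsing) are meant to close.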

But Lanier echoed the point that in the larger environment, AV remains a necessary weapon in the security arsenal.

"While I support efforts to scrutinize the efficacy of AV and fix it, it's what we've got to work with right now, and I'd be remiss not to utilize antivirus/antimalware as a tool in my arsenal to help protect non-tech-savvy end users," he said.
