Ex-Mozilla Engineer: Uninstall Third-Party Antivirus Software Now
Ashley Allen / 4 years ago
A former engineer for Firefox developer Mozilla has advised PC users to avoid installing third-party antivirus software on their systems. Robert O’Callahan felt comfortable making this bold assertion following his departure from Mozilla last year. The reasoning for his extreme position is that antivirus programs, as well as being “slow and bloated”, are hurting security and making it more difficult for developers – especially internet browser vendors – to deliver a truly secure product. The only exception, according to O’Callahan, should be Microsoft’s antivirus software for Windows – either Windows Defender or Microsoft Security Essentials.
“I was just reading some Tweets and an associated Hackernews thread and it reminded me that, now that I’ve left Mozilla for a while, it’s safe for me to say: antivirus software vendors are terrible; don’t buy antivirus software, and uninstall it if you already have it (except, on Windows, for Microsoft’s),” O’Callahan declares on his blog.
“At best, there is negligible evidence that major non-MS AV products give a net improvement in security. More likely, they hurt security significantly; for example, see bugs in AV products listed in Google’s Project Zero,” he explained. “These bugs indicate that not only do these products open many attack vectors, but in general their developers do not follow standard security practices. (Microsoft, on the other hand, is generally competent.)”
O’Callahan cites the following Twitter conversation from last year between Chrome security engineer Justin Schuh and security expert Dr. Vesselin Vladimirov Bontchev to highlight misconceptions about the efficacy of AV software, even within security circles:
You misunderstand your own ignorance. AV is my single biggest impediment to shipping a secure browser.
— Justin Schuh (@justinschuh) November 26, 2016
“Furthermore, as Justin Schuh pointed out in that Twitter thread, AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security,” O’Callahan writes. “For example, back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes. Several times AV software blocked Firefox updates, making it impossible for users to receive important security fixes. Major amounts of developer time are soaked up dealing with AV-induced breakage, time that could be spent making actual improvements in security (recent-ish example).”
“What’s really insidious is that it’s hard for software vendors to speak out about these problems because they need cooperation from the AV vendors (except for Google, lately, maybe),” he concludes. “Users have been fooled into associating AV vendors with security and you don’t want AV vendors bad-mouthing your product. AV software is broadly installed and when it breaks your product, you need the cooperation of AV vendors to fix it. (You can’t tell users to turn off AV software because if anything bad were to happen that the AV software might have prevented, you’ll catch the blame.) When your product crashes on startup due to AV interference, users blame your product, not AV. Worse still, if they make your product incredibly slow and bloated, users just think that’s how your product is.”