Warning! Don’t run Anti-Malware Software on Your Research Machine

I do not run any anti-malware software on my primary workstation. It's a habit I got into way back when I was doing penetration assessments. I showed up at the site, fired up ye olde laptop, and went to run some tool. Hey, where did that tool go? It was there when I left home?!? Turns out the anti-malware software that the company shoved down on my laptop had removed the tools I needed to do my job because they were deemed to be malware. Today I had another reminder of why this is probably a good policy for me.

On a whim I decided to run the latest beta of the OneCare Live Safety Scanner on my primary laptop. I was very surprised when the scanner actually found some malware on my computer. This was the first time any anti-malware had found any malware on any of my computers since some free anti-virus for the Macintosh found a virus on a floppy disk I put in my Mac II Se, in 1991. After a 17-year hiatus, I finally managed to contract some malware!

After the scan was finished I had my explanation:

The infection was in my dev projects directory, in a directory called moztests. That's where I put the files I wrote when I was working on what Mozilla eventually patched as MFSA2007-27. OneCare just cleaned my research off my computer!

Do not misunderstand me. I am not saying that you should not use anti-malware software. I am not even saying that you should do as I say, not as I do, as many security "experts" tend to say. All I am saying is that you need to consider the consequences of all software you install. While it is true that I do not see much malware on any of the computers I manage, that is not a reason to not run anti-malware on them. You need to consider the risks of not doing so. I would never leave our kitchen computer, the closest thing to a kiosk that we have in my house, without anti-malware. Likewise, I find it wise to run it on the kids' computer. My laptop, on the other hand, is used for all kinds of work where the anti-malware would get in the way, so I refrain from it, accepting the risk that I may, inadvertently, one day click on something I shouldn't. To at least minimize that risk I run as a standard user in Windows Vista.

Furthermore, there is one additional thing you should consider. If we took the advice of some authorities and stopped running anti-malware software, would the status quo – the state where we really do not find much active malware – remain? Of course not. Right now the malware purveyors are mutating their software at extremely rapid rates, producing, literally, millions of new malware every year. At an event last week I heard a figure that we are on track to see 5 million unique pieces of malware again this year. Yet, most people I talk to say their anti-malware solution never finds any of it on their computers. More than likely that is due in large part to the fact that the vast majority are mutations of earlier versions, created to stay ahead of the anti-malware software. If we remove anti-malware software from the eco-system we would make it that much easier for the bad guys to control us. They could stop the mutation arms race and focus instead on getting fewer versions deployed to more computers, and we would have no hope of catching any of it. Therefore, the advice to not run anti-malware is unsound at best. It has simply become a cost of using a computer these days; a cost of keeping the eco-system as sound as is possible with a technology-only solution.

However, you may want to think twice about anti-malware on a computer you use for vulnerability research.
