Vess is asserting that AV vendors can write their own versions of the most complicated parts of the browser & OS (including parsing & rendering HTTP/HTML/CSS/JS/PNG, JS runtime, etc), then add more code on top of that to detect bad things, and do all of this while adding no significant bugs and with tolerable performance overhead. The reality is that browsers are insanely complicated, the people working on the major browsers are extraordinarily skilled, and there is a mountain of evidence that AV vendors routinely ship software that by design exposes users to huge security risks on top of all of their bugs.
Meanwhile security by isolation is proven effective at protecting users. Two good examples are the process-per-tab isolation in Chrome and the app sandboxing on iOS. Some holes into the sandboxes are necessary (for example you need to get keyboard input in and rendered images out) but every additional hole you open adds significant risk. The downside to this approach is it reduces the market for AV and other third party utilities.
> Vess is asserting that AV vendors can write their own versions of the most complicated parts of the browser & OS (including parsing & rendering HTTP/HTML/CSS/JS/PNG, JS runtime, etc), then add more code on top of that to detect bad things, and do all of this while adding no significant bugs and with tolerable performance overhead.
Don't forget they usually try to run all of that right in the kernel, because if there's one thing you want more than a hardly tested, unsafe reimplementation of the most complex and dangerous parts of a browser, it's to run it in ring 0.
I'm not a security expert, but always had a feeling that browsers mostly just need to sandbox websites, so websites cannot do any critical operations that would require AV supervision.
"Soft" vulnerabilities like files downloaded and executed are critical outside of the browser, and that's where AV makes sense to me. But I don't want an invasive plugin telling me "this link is safe" with a green, flashing icon.
So I've always been trying to just switch off all browser-related features of my AV, but are there AVs that are less aggressive in this matter by nature?
> are there AVs that are less aggressive in this matter by nature?
Yes, if you are on Windows, just use Windows Defender (AKA Microsoft Security Essentials).
You'll read how it doesn't detect as much as the others and it doesn't have any fancy features, but all that means is that it won't have a ton of false positives (I've only ever had one false positive with it ever), it won't try to upsell you to a premium service, it can be disabled/turned off with one click, and most importantly it won't weaken the security of your whole system.
> browsers mostly just need to sandbox websites, so websites cannot do any critical operations that would require AV supervision.
That's the way it ought to work. But it's so tempting to launch stuff from the browser, from Adobe Reader to Flash to Microsoft's "protocol types" which launch apps.
The proper role of antivirus programs is as a "guard". When you download a file, a program looks at it and decides if it should be allowed in. This at least gets rid of all those attack .zip files that show up in email attachments. It also has a well-defined interface with the application.
> But it's so tempting to launch stuff from the browser, from Adobe Reader to Flash to Microsoft's "protocol types" which launch apps.
The latter (MS protocol types) is not at all MS specific.
Let's list some well known examples:
- Apple's itms "protocol", itms:xxx opens either iTunes or the App Store, also on OS X (this is how "Download from Mac App store" works)
- MS Communicator/Skype for Business (one of them is the successor of the other, I always forget which one) uses this to start conferences after you installed the respective app
- Spotify does something even worse: the client appears to launch an HTTP server, and e.g. when you log in to Facebook in your browser, it supplies the port in use to their OAuth redirector, which in turn hands the auth token to Spotify by calling http://localhost:xxx/yyy.
- all major mail programs use the "mailto" protocol; the OS loads the user-defined MUA with options for pre-fill (body, subject, recipient(s))
It's a Lync client, according to Wikipedia. One of the customers of my company uses it.
The amount of different apps and solutions for teleconferences is just astounding. One might think that there is a common standard or something... but no, I have at least four distinct communication apps on my Mac. m(
The whole isolation thinking is spreading "downwards".
Just look at recent hoopla in the Linux world about using "containers" on the desktop to isolate different processes from each other, and from the users files.