/ Malware

Why free AntiVirus is better than no AV and worse than paid AV

This article will detail the differences between free AntiVirus and paid AntiVirus. AntiVirus is used to protect from all kind of threats (commonly referred to as malware), but the greatest risk to home users are ransomware and banking trojans.

Note: This is a multipart article, Part 2 is available here

Before diving into the details, allow me to summarise my views on AV:

  1. Free AV is better than no AV
  2. Paid AV is usually (but not always) better than Free AV

Issues with free AntiVirus Software

Although free Antivirus has the advantage of zero cost, there are some downsides when it comes to free stuff. The most popular free AV products are Microsoft Defender, Avast Antivirus, Panda Antivirus, Bitdefender Antivirus.

Lack of features

Almost all free Antivirus lacks advanced features implemented in the paid full versions. Some of these features might not be useful for the average user, but others might.

Paid versions can include features such as:

  • A 'safe' internet browser, which can prevent theft of sensitive information. AV can also install browser plugins to check the reputation of a website, and warn if the website has a low or bad reputation. This can also be used to block phishing attacks.

  • Sandboxing: it allows the analysis of unknown threats in an isolated environment. The advantage of sandboxing is that the suspect sample is executed in a safe environment, so even if it evades signature based detection, it can be blocked by detecting malicious behaviour.

  • An outbound firewall which can be used to control which applications can communicate with the Internet. This might protect against malware which uses outbound command and control channel.

  • Advanced exploit protection against in-memory attacks that attempt to avoid detection by not writing to disk storage. Detecting in-memory only attacks is hard, but the loading of the malicious code can be blocked at exploit stage. Flash plugin, Internet Explorer, Office applications and Firefox is commonly exploited by malicious actors.

  • Ransomware protection based on application behaviour. You only have to lose your files once to know how important ransomware protection is.

  • VPN access which helps keep your internet use hidden and secure from the local ISP, untrusted WiFi operators or neighbouring script kiddies.

Lot of marketing and upselling

Free Antivirus usually pushes a lot of advertisement to the user. It can be about buying the full version or cross-selling some other product. For some people, this might be annoying.

You are paying with your data

By offering free Antivirus vendors benefit by collecting telemetry data. The more users the Antivirus companies have, the better visibility they have on the current threat landscape. Whether you trust your Antivirus with your data or not is up to you. Be aware that this data might include your browsing habits, what applications you use, the identities of those you communicate with, etc.

For example, Microsoft collects telemetry data on newly executed files, and even the command line parameters are sent to Microsoft. The diagram below shows how Microsoft used this collected information during the NotPetya analysis. This diagram created by Microsoft shows the command line parameters, how the perfc.dat file (NotPetya) was started on the hosts, and which were the parent processes. Command line parameters might include sensitive information.

Microsoft Defender

Microsoft Defender did not have the best malware detection rates in the past, but it is getting better based on multiple recent tests. Detecting less than 80% of the samples means 1 in 5 infection attempt will be successful, which is a lot when it comes to ransomware or banking trojans.

For more information, refer to these tests:

A word about SmartScreen

SmartScreen is a hash based reputation system used in recent Windows versions. It can warn the users of unsafe downloads, or it can even block the start of an unsafe application. Combining Windows Defender with exploit defences in the Edge browser and the Windows 10 SmartScreen download and start protections, the total protection of the Windows 10 OS is developing into an effective, integrated AV solution. But Defender has one huge issue when it becomes the Nr. 1. used AV by popularity. And this issue is called diversity.

You may know from elementary grade biology lessons that the more diverse a population is, the more immune it is against viruses and diseases. This statement also holds true in the AV world. Competition between AV vendors helps makes the Internet a safer place, though at the moment it seems Microsoft is doing everything it can to be the only AV vendor in the market. Microsoft is blocking access to key defensive features (e.g. exploit protections only implemented in Edge), it blocks access to the browser, and hooks which were used previously are not allowed to be used anymore. But this also has stability improvements, so there is always to side to the story.

Not everyone needs AV, but you probably do

While it is true that there are certain instances where installing AV will make a system less secure, your situation is likely not one of them. For example if whitelisting is used in your environment and the computers are air-gapped with external storage device connectivity disabled, installing AV probably makes no sense. But as more than 99% of the computers are attacked by common malware, you are probably on the safe side with a common AV. It is rare that malware targets the Antivirus itself, so even though the total attack surface increases with AV, but the total risk is reduced greatly by AV.

Based on years of independent tests, currently the following vendors provide solid, constant above average protection (in alphabetical order):

  • Bitdefender (or other AV using Bitdefender engine)
  • Kaspersky
  • Norton (Symantec)

Zoltan (@zh4ck) is a full-time AntiVirus bypasser and public speaker from Hungary. He frequently rants on Twitter about how people should try things harder. He has experience from both blue and red side, and enjoys the cat and mouse game between attackers and defenders.

Peer review: AC

Photo courtesy of Caroline Davis2010

Zoltan Balazs

Zoltan Balazs

Zoltan is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing

Read More