Anti-virus Software is a Scam

You're The Biggest Security Threat To Your Computer

Image: butler_bomb Your orders, madam?

You don't need anti-virus software . Whether you're on Windows , Mac , or Linux . It's a huge scam.

Wait, what? Surely the whole Stuxnet thing you've heard about recently is evidence that computer viruses are becoming more common and dangerous than before. What about that Ghostnet thing that was making big news a while back?

Nope. Just, nope.

Before I tell you why you don't need ant-virus software, let me introduce you to the biggest threat to your computer:


Many of my friends think of their computer as this kind of tempermental bratty child. Sometimes it does what they want, but one wrong command will send the thing into a hissy fit that will possibly destroy all the data they have ever put on the computer. I've seen friends recoil from error messages as if one more keystroke will cause the computer to explode immediately.

Computers and the programs on them can be finicky, and why they fail at doing what we ask is a whole other topic. Here, all you need to know is that even if the results we get out of computers aren't what we hoped for, the intention is for them to be our servants. That's where the security threats begin, and end.

Imagine for a moment you have a servant, one of those very proper old British butlers, in a black suit with coat tails and a crisp white shirt. He will do anything you ask, without hesitation.

Every day he picks up the mail for you. One day, someone mails you a gun, with a note tied to it that says, "shoot yourself." The gun and the note are inside a package wrapped in plain manilla paper, so you don't know what it is until you open it.

Your butler says, "Sir, there's a package in the mail for you." And you say, "Okay, well, open it and use whatever is inside." Your butler unwraps the package, finds the gun, reads the note, and without a second of hesitation, puts it to his temple and blows his brains out.

Now you're sitting there covered in your butler's blood asking, "what the hell did he do that for?" From a human perspective, it's completely obvious that once the butler saw the note and the gun, he should have said, "wait a second...". However, your butler is a robot programmed to be obedient no matter what , so as far as the butler was concerned, he was doing exactly what you commanded. He's that loyal.

That's how computers are. They do exactly as you say. The problem most users have is that computer designers have failed to convey to computer users the set of assumptions that computers use when following commands. (Yes, I believe the blame lies with people who build computer hardware and, even more so, computer software).

One key problem is that software designers assume that you know that the word "open" has different implications depending on what kind of file you are "opening". But there is a world of difference between "opening" an .exe file and "opening" a .txt file. When you "open" a .txt file or a .jpg image, you are just looking at it. When you "open" an .exe file, you are telling your computer to do a bunch of stuff. Stuff you may not fully aware of, like telling your butler to shoot himself before you knew there was a gun in the package.

If you don't already do so, it would be good for you, and for everyone, to start making a distinction between the two main actions you do on your computer. "Open" is too broad a term. Some things, like text files, images, and movies, you "view". You just look at them, and that's all. Other things, like programs and applications, you "run". This means making the computer execute commands and perform tasks, which can be dangerous.

It's when you run things that problems can happen. And the key word there is "you". Any operating system can be compromised by its owner. Windows, Mac, or Linux, or even Amiga, or Atari, or whatever else, it doesn't matter. If someone writes a program to destroy your computer, and you run it, then that computer will be destroyed.

Anti-virus programs don't protect you from you. They can tell you that the email coming in has a virus or program or something on it. It might delete that mail before you see it, but that's all it's doing.

Here's the catch that the people who want you to buy into anti-virus software don't want you to know:

You're safe if you just don't run anything you don't trust.

If you downloaded something directly from , for example, it's sure to be safe. After all, you chose to download it.

It's an important point to notice that when you install that software from Adobe, your anti-virus program is going to pop up and ask you, "Are you sure?" In other words, your anti-virus software doesn't really know that much more about the software you want to run than you do. If you really want to run something, you can, whether you use anti-virus software or not.

Which raises the question... if I am going to over ride the anti-virus program when I choose to anyway, what good is it?

Most people don't worry about getting a virus from a program they sought out on the web and voluntarily downloaded, though. It's viruses that come in through the back door, primarily through email and accidentally stumbling on a malicious web site. Both cases, though, are equally easily handled.

For email, follow this advice: Never run anything sent to you by email. Never. I never do, and never have to. In the decades I've been using computers, never once has a friend sent me a program out of the blue that they just wanted me to run, just because.

They have however, sent me pictures, videos, and sound clips. This comes back to the difference between "run" and "view". It's perfectly safe to view things.

Here is a list of the files you can open on your computer and YOU CAN NEVER GET A VIRUS FROM THEM. EVER.

Image files (.jpg, .png, .gif), text files (.txt, .odt), archive files (.zip, .rar), movie files (.avi, .mpg), sound files (mp3, .flac, .ogg), and I think we can say spread sheets as well (.xls, .ods, .csv).

That's not a complete list by any means, but it's a good starter kit. I bet a lot of users will never have to stray from that list. The point, though, is that all those files are viewed by your computer, not run . Looking at them is like looking at a poster on a wall. There is no action involved for your computer, it just shows them to you.

You can look at pictures of your mom's cat, see the video of your brother's new baby, read the report from work, and never, ever, ever, fear that they will give the Chinese security agency access to your computer. You won't be missing out on the world of multimedia computer fun by exercising caution.

It's like your butler getting a magazine in the mail. He's an especially helpful butler, so he holds it up for you and reads it aloud, but you can't hide a working gun in a photograph, so he can't hurt himself.

There have been sensationalized reports of viruses being sent through images , like one called W2.Perrun, that was supposedly embedded in .jpg files . However, it's all bullshit. Note in the report I linked to that the supposed .jpg virus required a crucial step of installing certain software first.

More generally speaking, when you get a situation where someone claims a viewable file contains a virus, the problem is not the file, but with a bug in the program that views it. It's kind of like someone had accidentally instructed the butler to shoot himself if he ever saw a picture of a purple kitten. The purple kitten is still just a picture, but the error in the butler's thinking made it seem like it was the picture that did it.

This is why you need to keep your software updated. Problems like this come and go, and when they arrive, your anti-virus software might be able to do a scan for pictures of purple kittens, but it's much better to fix the butler.

This is another problem with the concept of anti-virus software. Most security threats are because of problems in the software. Not to dump on software designers, because the programs that users expect these days are huge, complex projects that are bound to have problems. The point is that when a problem is exposed as being the kind of vulnerability that can be exploited by a virus, then the solution should be to change the software.

Take Stuxnet, for example. It hops onto your computer via USB stick. The way it can do that is because when Windows detects a USB stick, it does some things automatically for you, like make an icon on your desktop that lets you know the USB stick is connected. Somewhere in that automated sequence of events, when Windows is trying to be helpful, there is a flaw that the virus exploits.

Image: purple_kitten Red-rum! Red-rum!

This is a picture-of-a-purple-kitten type situation. There's nothing about USB sticks that makes your computer do bad things. It's the problem in the Windows software that can be triggered to start a sequence of events when a USB stick is inserted.

Really, the responsibility is on Microsoft to close the problem, not for anti-virus software to start blocking stuxnet.

Anti-virus software companies might say that the problem is that Microsoft might not be able to respond quickly enough to fix the problem, so it's better to have their anti-virus products to block stuxnet in the meantime. Sure, except that they can only block stuxnet, not any other virus that uses the same security hole. The makers of stuxnet only need to alter it a little in order to stay ahead of the detection curve.

Hell, you can bet that the people who made stuxnet weren't stupid enough to put all their eggs in one basket anyway, so odds are good that there are already multiple versions doing different things already. So again, how much value does the anti-virus software provide?

Here I will, though, back track a little. Stuxnet was targetting very specific computer systems that are used in nuclear and chemical fascilities. If you are running one of those, it might make sense to have many layers of virus protection, including somewhat redundant anti-virus software.

However, the average user at home takes way too much of a performance hit on their computer to protect themselves against the very unlikely event that they will be the target of a highly sophisticated cyber-attack.

For most people, maintaining a sufficient level of security is as easy as this: If you don't recognize file, don't touch it. Delete immediately. The policy is that unless you know for sure that it's a viewable file, then you always immediately delete it. Simple as that.

If you do that, then you simply won't need anti-virus software. Seriously. I'm going on decades now without ever having used anti-virus software, and never have I had a virus get on my computer. Even when I use Windows.

Hang on, though. What about all the geeks who go on about how Linux is more secure than Windows, or that Mac is secure, or that there are no viruses on Linux and all that kind of debate. If any computer system can be compromised by you running the wrong program, then is all that debate just noise?

No, there is some merit to that debate and the claims in it.

First, that Linux is safer than Windows. It is, and here's why. Windows, in an attempt to make things "easier" for you, has essentially built into it's system the ability to sometimes run things without you saying so.

Imagine that beside your butler is a maid, an old maternal type busybody maid (I know some of you wanted to imagine a hot young thing in a skimpy French maid outfit, but stay focused). When the mail comes in, she looks through and tries to make some decisions about what to do with the mail before you see it.

Why would you want this additional help? Because it can be useful sometimes. For example, lets say she knows where you keep your schedule book. When someone sends a mail with the date written on it in the right way, she takes it and writes stuff into your schedule book automatically. Saves you the work of copying and pasting it yourself. It's the kind of thing intended for people who are, or want to believe they are, high powered business people on the go with important schedules that are so active they need some kind of automated help.

The problem is, the busy body maid can be decieved. It's as if she was told to always obey instructions that come in packages with red wrapping paper. One time, she gets a red package, and inside is a gun with a note that says, "automatically shoot yourself". She hands it to the butler and says, "Your master wants to use this". The butler blows his head off without a moment's hesitation.

When you hear the noise, you come running into the room yelling, "Why the hell did you do tell him to do that?!" She says "Oh, I just assumed. If you don't want me to tell him to do those things, then you should hire this security guard I know who checks for that kind of thing." Then she picks up the gun and uses it on herself.

At this point you might be thinking, "I have to pay more money for my servents to not make dumb ass decisions?"

That busy body maid is what you get with Windows. They've built into Outlook, Exlporer, and other programs with automated features that are intented to help you by making decisions for you, but come with security risks. Their intentions were good. They just wanted to provide "features", like the ability to automatically access your schedule. In doing so, though, they opened up the possibility for the computer to do things without your explicit instructions.

It doesn't even have to be with email, which brings us to the second avenue through which most people encounter malicious software that I mentioned before. If you're running Internet Explorer (before version 9, at least), and if you unknowingly go to a web site made by someone evil, they may be able to install nasty software on your system without you even realizing it. It's because they know how to talk to the busybody maid to get her to accept instructions without "bothering" you.

This is probably where most people get zapped, because they didn't realize that simply going to a web site could be dangerous. I sometimes help out with IT support for a small office of six or so people, and for the first half a year I would get called in about once a month because some virus or malware had crept on their system and was causing it to slow down, and sometimes force pop ups that would never go away. They would swear that they didn't open or run anything that could have opened the door to the virus, and I believe them. They probably just visited a web site that exploited Explorer's busy body maid "features". (Eventually I made them all switch to Firefox, and I have not got a single support request since).

Linux and MacOS are more locked down because they don't have a busy body maid built in. Essentially, nothing that comes in through your email can ever automatically run without you agreeing to it. And definitely no web site can either. It's just you and the butler. And, if you're like me, whenever the butler shows me an email that has a package I don't know what it is, I tell him simply, "delete". I don't look at it, I don't open it, I just chuck it.

You will never get anything sent to you by email that you need to run. Ever. I promise. Am I driving this home enough?

To be more specific, the only time you'll ever get sent some kind of program you will want to run, you will know for certain what it is. Are you wondering why your sister sent you a small program called, "happy_birthday.exe"? Stop wondering. She didn't send it. Delete it. Immediately. If, for some bizarrely weird reason, your sister did actually send you a program, then you can talk to her and confirm. Just like you would do even if you had anti-virus software anyway.

What about the other claim, that there are no viruses written for Linux, or for Mac? That's more or less true.

Some people say that viruses don't get written for Linux and Mac simply because they aren't as widespread as Windows, and so the hackers simply aren't as interested in the small players. There's probably some truth in that, but there is also a technical reason you'll see less successful hacks into Linux and Mac.

Technically, you could write viruses for Linux and Mac. I could write a program that turns your Linux or Mac computer into a zombie that does my bidding, or destroys your files. The problem is that I have to get you to run it. Not only that, though, Linux and Mac have a concept of user priveleges. Meaning that sometimes, to do certain things, you have to type in a password, so there's no chance you might just accidentally click something with dangerous consequences.

It's as if your own butler said to you, "I'm sorry sir, I'd like to carry out your request, but I'll need to see your identification first". Yes, he works for you, and it can be frustrating sometimes to be confronted with security protocols on your own computer. That's the price for higher security though. The benefit is that it is damn hard to run things on your Linux or Mac computer that do damage.

When it comes down to it, there are two things you need to keep your computer safe. One is a firewall. What a firewall does requires a whole explanation of it's own. For now, just know that you need one. It's a program that comes standard on most operating systems these days, so all you need to do is make sure it's enabled. Ask your local computer guy that you're always bothering for how to make sure it's on.

The other thing you need to know is the difference between "run" and "view". When you understand that, you've pretty much eliminated the need for anti-virus software.

I use Linux at home, and pretty much never worry about security. But even when I've run Windows computers for work or whatever, one of the first things I do is uninstall the anti-virus software. Oh, and I remove Explorer and put on Firefox.

The reason I remove the anti-virus software is that the performance difference is usually pretty incredible. Anti-virus software is a huge resource hog. A useless resource hog, in my opinion. If it weren't, I'd probably just let it run and consider it a bonus level of security. As it stands now, though, the cost to benefit ratio does not justify itself.

Is Mac as safe as Linux? Mac is now based on a system called "FreeBSD", which is like a cousin of Linux. It's probably quite safe. However, the difference is that there is someone who can still gain access to your computer without your knowledge: Apple. On the iPhone, for example, they have a "remote kill switch", that can turn off applications on your phone without your consent.

Why would they do that? For your benefit, of course. To keep you safe in case they find a malicious application. But when you think about it, the reason Microsoft put the busybody maid into their system was for people's benefit. Even my chosen operating system, Ubuntu, has recently started down the busy-body-maid path, doing things that have intended benefits but come with consequences. The road to hell is paved with good intentions, so it's up to you how you evaluate the kind of help an operating system provides.

Anyway, if you look closely at the reports of the "Ghostnet" hacks, like how they managed to get into the Dhalai Lhama's computers, it's because at some point, someone opened an "enhanced email" (To quote one report, the Ghostnet hack was " ...installed invisibly as users clicked on attachments or links " in the emails).

Enhanced with what? Enhanced with a busybody maid who started running programs written by Chinese security agents without telling you.

Get rid of the busy body maid by choosing software that doesn't user her. Use Firefox or Chrome for web browsing. For email, if you are forced to use Outlook or other software that has busy body maid "features", disable them as much as possible and never, ever, run anything in an email.