Google is a pretty important company. So this week, when it came out and said that certain antivirus awards were misleading and meaningless, it created a stir in the industry.
That announcement didn’t actually come from Google itself: it came from one of the company’s best security researchers, Tavis Ormandy, who published a blog post criticizing antivirus certification programs for providing consumers with false confidence about flawed security products.
Tavis was specifically responding to this year’s RSA Security Conference, which took place at the start of March. At that conference, Verizon’s ICSA Labs awarded antivirus maker Comodo with the 2016 Excellence in Information Security Testing award.
Comodo, however, was far from “excellent” when it comes to information security testing.
Why Comodo is Bad
The issue that sparked this whole response is that Comodo forcibly installs an insecure browser that disables SOP, the Same Origin Policy.
SOP is a critical security feature in modern web browsers. Disabling it is a very bad idea.
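To make concrete what SOP actually decides, here is an added example (not code from the article, from Google, or from Comodo) that models the origin comparison a browser performs before letting a page's script read a cross-origin response. The `sop_enabled` switch and the `bank.example` / `evil.example` URLs are constructed for the demonstration; they illustrate what a browser with the policy disabled would permit.

```python
from urllib.parse import urlsplit

# Ports implied by a scheme when the URL does not spell one out.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return the (scheme, host, port) triple that the Same Origin Policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """True only when scheme, host and effective port all match."""
    return origin(a) == origin(b)


def allows_read(page: str, target: str, sop_enabled: bool = True) -> bool:
    """Model of the SOP read rule: script running at `page` may read a response
    from `target` only if both share an origin. With sop_enabled=False (what a
    browser that disables the policy amounts to) every read is permitted."""
    if not sop_enabled:
        return True
    return same_origin(page, target)


# Constructed sample cases: (page, target, expected verdict under SOP).
SAMPLES = [
    ("https://bank.example/account", "https://bank.example/api/balance", True),
    ("https://bank.example/account", "https://bank.example:443/api/balance", True),
    ("https://bank.example/account", "http://bank.example/api/balance", False),
    ("https://bank.example/account", "https://api.bank.example/balance", False),
    ("https://bank.example/account", "https://evil.example/collect", False),
]


def run_samples() -> list:
    """Evaluate each sample with SOP on and record whether the model agrees."""
    results = []
    for page, target, expected in SAMPLES:
        allowed = allows_read(page, target)
        results.append((page, target, allowed, allowed == expected))
    return results


if __name__ == "__main__":
    for page, target, allowed, _ in run_samples():
        print(f"{page} -> {target}: {'allowed' if allowed else 'BLOCKED'}")
    # With the policy disabled, the cross-origin read that SOP blocks goes through.
    print("SOP off:", allows_read(SAMPLES[-1][0], SAMPLES[-1][1], sop_enabled=False))
```

The point the last line makes is the one Tavis raised: with the policy off, a page from any origin can read responses from any other, including ones the user is logged in to.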
Tavis also found that Comodo's scanning processes did not enable ASLR protection. Worse, the antivirus software as a whole was found to be running with incorrect Access Control Lists, or ACLs.
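Whether a Windows binary opts into ASLR is recorded in its PE header, so a defender can verify the claim about the scanner on disk. The following is an added example (not the article's code and not Comodo's) that reads the `DllCharacteristics` field from a PE optional header and reports the ASLR-related flags; the `build_fake_pe` helper constructs a minimal, non-executable header purely so the check can run offline. Flag values come from the PE/COFF specification; the `relocs_stripped` caveat is checked because an image with `DYNAMIC_BASE` set but no relocation table still cannot be relocated.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR opt-in)
HIGH_ENTROPY_VA = 0x0020   # 64-bit image supports high-entropy ASLR
NX_COMPAT = 0x0100         # image is DEP/NX compatible
# IMAGE_FILE_RELOCS_STRIPPED in the COFF Characteristics field.
RELOCS_STRIPPED = 0x0001

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_headers(image: bytes) -> tuple:
    """Return (coff_characteristics, dll_characteristics) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    (coff_chars,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20
    if size_of_optional < 72:
        raise ValueError("optional header too small to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return coff_chars, dll_chars


def mitigation_report(image: bytes) -> dict:
    """Summarise the load-time mitigations the image opts into."""
    coff_chars, dll_chars = parse_headers(image)
    relocatable = not (coff_chars & RELOCS_STRIPPED)
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE) and relocatable,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx": bool(dll_chars & NX_COMPAT),
        "relocatable": relocatable,
    }


def aslr_enabled(image: bytes) -> bool:
    return mitigation_report(image)["aslr"]


def build_fake_pe(dll_flags: int, magic: int = PE32PLUS_MAGIC,
                  relocs_stripped: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, no sections, not runnable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff_chars = 0x0022 | (RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # check a real binary from disk
            print(sys.argv[1], mitigation_report(fh.read()))
    else:
        print("hardened  :", mitigation_report(build_fake_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT)))
        print("no ASLR   :", mitigation_report(build_fake_pe(NX_COMPAT)))
        print("stripped  :", mitigation_report(build_fake_pe(DYNAMIC_BASE, relocs_stripped=True)))
```

Run it with a path to any `.exe` or `.dll` to see the flags of a real image; a scanner process built without `DYNAMIC_BASE` (or with its relocations stripped) is exactly the condition the article describes.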
As if that wasn't bad enough, Tavis trashed Comodo once again when he found that one of Comodo's tech support tools (bundled by default with certain Comodo software) installs an insecure VNC server with weak authentication.
Comodo Responds by Fixing All Issues
In Comodo’s defense, they quickly fixed all of the issues.
However, based on a quick look at Tavis’s Twitter feed, there are still a number of unresolved issues that he has found.
One critical flaw that still exists lets an attacker exfiltrate keystrokes simply by having the product scan a file.
Here’s how Tavis outlined that flaw:
Working on an unusual exploit for Comodo Antivirus, just *scanning* a file can exfiltrate keystrokes. #wtf pic.twitter.com/NKmPGh2DMW
— Tavis Ormandy (@taviso) March 10, 2016
Ultimately, it’s easy to see why Tavis took issue with the fact that Verizon gave Comodo an award for “Excellence in Information Security”, since giving away keystrokes simply by scanning a file is pretty much the opposite of “information security”.
Some Antivirus Certification Tests Are a Complete Joke
Some antivirus certification tests are legitimate performance tests that accurately gauge the ability of an antivirus program to defend itself against threats.
Most, however, are not.
As Tavis Ormandy points out, antivirus tests like the one performed by Verizon are basically a joke: half the test is related to UI functions, while the other half simply involves a description of basic antivirus functions (it doesn't actually test how well those functions perform).
When over half the test is about how easy the software is to use, it's clear that there's an issue with antivirus certification tests. And that's the issue Tavis was raising when he complained about Comodo's antivirus certification victory.