Ex-Mozilla developer recommends you to disable third-party anti-virus tools

Former Mozilla developer Robert O'Callahan, who was one of the company's most senior engineers, is rattling the cages by making some bold claims on his blog about the anti-virus market. In his post, O'Callahan recommends users to disable third-party anti-virus tools because they are terrible and there's "negligible evidence that major non-MS AV products give a net improvement in security".

He explains that these days, if you run a modern OS like Windows 10, the only anti-virus tool worth having is the one provided for free by Microsoft. It's not a statement you expect from a former Mozilla developer, but O'Callahan point out that in general, Microsoft is quite competent in following standard security practices.

Third-party security vendors receive harsh criticism from O'Callahan, he claims their developers poison the software ecosystem and often make your system less secure. He points to Google's Project Zero, which shows anti-virus tools often have bugs that open up new attack vectors.

O'Callahan blames anti-virus makers for making the life of software developers harder and points out that a lot of time is wasted on fixing AV-induced breakage. For example, he claims AV vendors made Firefox less secure by breaking the Firefox address space layout randomization (ASLR) security feature:

Furthermore, as Justin Schuh pointed out in that Twitter thread, AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security. For example, back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes. Several times AV software blocked Firefox updates, making it impossible for users to receive important security fixes. Major amounts of developer time are soaked up dealing with AV-induced breakage, time that could be spent making actual improvements in security (recent-ish example).

It's a message the anti-virus makers don't like and O'Callahan claims that as a software vendor, it's hard to speak out about how bad the situation is because nobody wants to infuriate the major AV makers because they can make your life miserable:

What's really insidious is that it's hard for software vendors to speak out about these problems because they need cooperation from the AV vendors (except for Google, lately, maybe). Users have been fooled into associating AV vendors with security and you don't want AV vendors bad-mouthing your product. AV software is broadly installed and when it breaks your product, you need the cooperation of AV vendors to fix it. (You can't tell users to turn off AV software because if anything bad were to happen that the AV software might have prevented, you'll catch the blame.) When your product crashes on startup due to AV interference, users blame your product, not AV. Worse still, if they make your product incredibly slow and bloated, users just think that's how your product is.