Image: Microsoft

Former distinguished engineer at Mozilla, Robert O'Callahan, has told users on Windows 8.1 and up to ditch any antivirus (AV) that isn't Microsoft's own Windows Defender.

O'Callahan, a Mozilla veteran who departed the non-profit last year, says there's little evidence non-Microsoft AV improves PC security, while recent bugs discovered by Google's Project Zero team show that many widely-used AV products create a greater surface for attackers to exploit.

Cases in point are over 200 flaws in 11 Trend Micro products discovered by two researchers since mid-2016, as reported by Forbes last week. While Trend was quick to fix the bugs, it did raise the question why the company hadn't found them during an audit.

"Don't buy antivirus software, and uninstall it if you already have it (except, on Windows, for Microsoft's)," O'Callahan writes.

O'Callahan isn't the first to question the value of antivirus. Even Norton maker Symantec has admitted that antivirus was failing to protect users.

However, more researchers are prodding antivirus software, in part because its processes run with high privileges, but also because product features can undermine browser security features.

For example, Project Zero's Tavis Ormandy recently outed Kaspersky for the way it implemented its scanning service for SSL/TLS connections, which resulted in browsers not flagging an error if a user connected to the wrong site.

In recent years Ormandy has found numerous critical bugs in products from just about every major vendor, including McAfee, Symantec, Sophos, and Comodo.

One reason such products can create risks, according to O'Callahan, is that antivirus vendors don't follow standard security practices and sometimes break browser code designed to protect users from exploits, such as when Mozilla introduced Address Space Layout Randomization for Firefox on Windows.

"Many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes," O'Callahan said.

"Several times AV software blocked Firefox updates, making it impossible for users to receive important security fixes. Major amounts of developer time are soaked up dealing with AV-induced breakage, time that could be spent making actual improvements in security."

The ex-Mozilla engineer decided to warn users against AV after Chrome security engineer Justin Schuh blasted AV vendors for introducing numerous security issues to Chrome, breaking its security features, such as HSTS pinning, and "piling dodgy format parsing and other unsafe code into the kernel".

The only circumstance that non-Microsoft AV might help is for PCs still running seven-year-old Windows 7, or unsupported Windows XP. In these cases, third-party AV "might make you slightly less doomed", according to O'Callahan.

Read more on security