Why installing two antivirus programs is a bad idea

Why is installing and running two antivirus programs at the same time on the same computer a bad idea?

Most people think that “two is always better than one”. Well, not in the case of antivirus for industrial applications.

As we all know, most of the latest SCADA, ICS and instrumentation systems are built on programmable systems. Many of these systems are open to many vulnerabilities and are easily exploitable by an intruder. That means an intruder can not only recover and re-engineer the technology, but can even use it for destructive purposes.

ISO standard 27019:2017 covers the basics of implementing security for ICS systems. Even though the standard does not recommend installing an antivirus engine on these ICS systems, since it may cause reliability issues, it recommends that data handling go through a scanning mechanism. This implies the importance of an antivirus scanner for the disks and drives that we are going to use with these ICS systems.

Now the question arises: which antivirus on the market gives the best applicable solution? Each vendor gives its own recommendations. Most of these antivirus vendors do not recommend running all of these antivirus products at the same time on a single PC.

Here are some of the issues which I came across.

1. Report from Kaspersky : (reference 1)(reference 2)

If there are two antivirus programs running on a single computer, they will each try to install interceptors into the same part of the system kernel. This is likely to result in conflicts between the antivirus monitors – probably with one of the following consequences:

a. One of the two antivirus programs will fail to intercept system events.
b. Each antivirus program’s attempts to install parallel interceptors will cause the entire computer system to crash.

2. Report from Symantec - Norton : (reference)

The use of third-party antivirus solutions, concurrent with a Symantec solution that contains antivirus protection, such as Symantec Endpoint Protection (SEP), may cause unexpected behavior and undesired results, and is not supported.

3. Incident report from Dell : System Locks With Multiple Antivirus Programs (reference)

The use of multiple anti-virus programs may cause your system to lockup. Antivirus programs come pre-installed on most Dell Computers, so customers sometimes install other antivirus programs without realizing that there is already a system installed. If you decide to install an alternate antivirus software, it is important that you first uninstall any other antivirus programs that may be running on your computer.

4. Cisco report : Multiple Antivirus Products Base64 Encoded MIME Filter Bypass Security Vulnerability (reference)

Multiple Antivirus products contain a vulnerability that could allow an unauthenticated, remote attacker to bypass scanning procedures, allowing an attacker to deliver malicious binaries to an end user. This could allow the attacker to bypass e-mail attachment scanning.

5. Report from Microsoft : Accidentally loaded 2 antivirus which caused shutdown (reference)

6. Report from Microsoft : accidentally installed a second anti-virus onto my computer and now MS will not let me uninstall either. (reference)
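A check for the situation the Dell note describes, where a second product is installed without noticing the first. This is an added example, not code from the original article or from any of the vendors cited. It reads the Windows Security Center WMI class `AntiVirusProduct`; the `productState` bit meanings are the commonly cited community decoding (an assumption, since Microsoft does not document them), and the function names are hypothetical.

```powershell
# Added example: list antivirus products registered with Windows Security Center
# and warn when more than one reports real-time protection enabled.

function ConvertFrom-ProductState {
    # Assumption: community-documented bit layout of productState.
    #   0x1000 set   -> real-time protection enabled
    #   0x0010 clear -> signatures up to date
    param([Parameter(Mandatory)][uint32]$ProductState)
    [pscustomobject]@{
        RealTimeEnabled   = ($ProductState -band 0x1000) -ne 0
        SignaturesCurrent = ($ProductState -band 0x0010) -eq 0
    }
}

function Get-RegisteredAntivirus {
    # root/SecurityCenter2 exists on Windows client editions, not on Windows Server.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
        ForEach-Object {
            $state = ConvertFrom-ProductState -ProductState $_.productState
            [pscustomobject]@{
                Name              = $_.displayName
                RealTimeEnabled   = $state.RealTimeEnabled
                SignaturesCurrent = $state.SignaturesCurrent
                Path              = $_.pathToSignedProductExe
            }
        }
}

try {
    $products = @(Get-RegisteredAntivirus)
} catch {
    Write-Error "Could not query Security Center: $($_.Exception.Message)"
    return
}

$products | Format-Table -AutoSize

# More than one active real-time scanner is the conflict case described above.
$active = @($products | Where-Object { $_.RealTimeEnabled })
if ($active.Count -gt 1) {
    Write-Warning ("{0} products report real-time protection enabled: {1}" -f `
        $active.Count, ($active.Name -join ', '))
} elseif ($active.Count -eq 0) {
    Write-Warning 'No registered product reports real-time protection enabled.'
}
```

A product that registers here but shows `RealTimeEnabled` as false is usually a leftover or passive install; it is the candidate to uninstall before adding another product.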

Why is one antivirus engine not enough?

Multiple virus engines are needed to reduce the time lag between a virus outbreak and the signature update.

Vault 7 data, dumped on March 6, 2017 by WikiLeaks, is a document detailing bypass techniques for 21 security software products. The list covers almost all major antivirus vendors, including Comodo, Avast, Kaspersky, AVG, ESET, Symantec, and others.

So it is always recommended to use more than one antivirus engine (each installed on a different PC).