[atoav]

A fundamental problem that plagues many security solutions can be understood by analogy:

Imagine a incredibly secure castle. There are thick unclimbable walls, moats, trap rooms, everything compartmentalized, an attacker that gains control of one section didn't achieve much in terms of the whole castle, the men in each section are carefully vetted and are not allowed to have contact or family relationships with men stationed in other sections, so they cannot be easily bribed or forced to open doors. Everything is fine.

But the king is furious, the attackers shouldn't control any part of the castle! As a matter of principle! The architects reassure the king that everything is fine and there is no need to worry. The king is unconvinced, fires them and searches for architects that do his bidding. So the newlyfound architects scramble together and come up with secret hallways and tunnels, connecting all parts of the castle so the defenders can clear the building in each section. The special guards who are in charge of that get high priviledges, so they could even fight attackers who reach the kings bed room. The guard is also tasked to keep in touch with the attackers so they are extra prepared for when they attack and understand their mindset inside out.

The king is pleased, the castle is safe. One night one of those guards turns against the king and the attackers are sneaked into the castle. The enemy is suddenly everywhere and they kill the king. A battle that should have been fought in stages going inwards is now fought from the inside out and the defenders are suddenly trapped in the places that were meant for the very enemies they are fighting. The kingdom has fallen.

The problem with many security solutions – including AV solutions – is that you give the part of your system that comes into contact with the "enemy" the keys to your kingdom, usually with full unchecked priviledges (how else to read everything that is going on in the system). Actual security is the result of strict compartmentalization and a careful and continous vetting of how each section can be abused and leveraged once it has fallen. Just like in mechanical engineering where each new moving part can add a new failure point, in security adding a new priviledged thing adds a lot of new attack surface that wasn't previously there. And if that attack surface gives you the keys to the kingdom it isn't the security solution, it is the target.

[jiggawatts]

The difference here is that A/V scanning and security vulnerability scanning can be done from the “outside” using read only privileges.

Many clouds now support scans of snapshots, removing the need for direct access to the read/write internals of a workload.

This is where your analogy falls flat a bit.

[atoav]

So you give another kingdoms access to your castle, but they are not allowed to touch things? Or they get details like your blueprints and who is stationed where?

Just kidding, I know there are ways to do this in a more complex and secure way, e.g. with self hosting services etc., but that is why I tried to not make it about all AV products.

The fact remains that this kind of layer can (and repeatedly does) introduce weak points that will be attacked. I am not saying there aren't ways to implement this well, with trade offs that are worth it. What I say is that: "Just add AV-product X" is likely a doomed approach.