科技回声 (Tech Echo)
A tech news platform built on Next.js, providing global tech news and discussion.
© 2025 科技回声 (Tech Echo). All rights reserved.

Should antivirus vendors block state malware?

18 points by FSecurePal, about 14 years ago

3 comments

_b8r0, about 14 years ago

For those that don't know, the man quoted, Mikko Hypponen, is a really smart guy, and completely wrong.

Antivirus solves a specific problem: compliance. AV demonstrates that you're taking steps to reduce the likelihood of you infecting another person's computer. In our experience at Mandalorian, antivirus has roughly a 20-40% success rate at stopping malware. That's a wide margin, but still the wrong side of 50%. To put things into perspective, in the past several hundred penetration tests, there has not been one where the AV stopped our attack, subsequent compromise or persistence mechanisms. Let me clarify:

In the past 18 months the total number of simulated attacks by us on customer engagements that have been stopped by antivirus is: 0.

I'm fairly confident that we've never had an AV stop us, but I don't have data going that far back. Now if that's what a commercial penetration testing outfit can do, what can governments do?

There's no real such thing as 'state malware' per se (well there is, but I'll come to that in a minute). When defending against a state-level attack you need to understand your adversary and their capabilities. A government attacking you or another government is not a technology, it's a threat group. They will have a specific goal in mind and it's up to you to identify it and defend accordingly.

Now assume that developing something like Stuxnet is expensive. A government is going to require a lot of resources to create ordnance to use in these attacks. They'll start with things like Metasploit, because if they can get in with that they don't risk blowing their own code. Then you'll start seeing zero-day exploits, botnet toolkits and more before you start seeing specifically developed targeted code.

The reason is simple: it takes months to develop the attack, and the exploits and persistence are a massive part of that. If you can detect it, block it and share the indicators, that work is now burnt.

Antivirus vendors are not targeting that space (or if they are, they won't win, unless they're receiving the indicators of compromise, also known as IoCs).
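The "detect it, block it and share the indicators" loop that the comment above describes is, on the defender's side, a matter of matching a shared IoC feed against your own telemetry. The script below is an added example, not code from the thread or from any vendor mentioned in it: it takes a small constructed feed of indicators (file hashes, domains, IPs from the documentation ranges) and a few constructed proxy, EDR and firewall log lines, and reports which indicators fire. The feed layout, log format and field names are assumptions made for the example; subdomain matching is included because a feed entry for a parent domain should also catch hosts beneath it.

```python
"""Match a shared indicator-of-compromise (IoC) feed against log lines.

Added example for the thread above; the feed, the log lines and their
field names are constructed for illustration, not real indicators.
"""
import re
from dataclasses import dataclass

# Constructed IoC feed. The hash is a placeholder pattern and the IP is
# from the RFC 5737 documentation range, so nothing here is a real IoC.
IOC_FEED = {
    "sha256": {"0123456789abcdef" * 4},
    "domain": {"update-check.example", "cdn.example.net"},
    "ip": {"203.0.113.45"},
}

# Constructed log lines: one proxy request to a flagged domain, one EDR
# process-create event carrying the flagged hash, one firewall flow to
# the flagged IP, and two benign lines that must not match.
LOGS = [
    "2011-03-07T10:01:02 proxy src=10.0.0.7 host=mail.corp.example "
    "method=GET status=200",
    "2011-03-07T10:01:09 proxy src=10.0.0.7 host=a.update-check.example "
    "method=GET status=200",
    "2011-03-07T10:02:15 edr host=ws-17 event=process_create "
    "sha256=" + "0123456789abcdef" * 4 + " path=C:\\Users\\u\\Temp\\svc.exe",
    "2011-03-07T10:02:16 fw src=10.0.0.7 dst=203.0.113.45 dport=443 "
    "action=allow",
    "2011-03-07T10:03:00 fw src=10.0.0.7 dst=198.51.100.9 dport=443 "
    "action=allow",
]

HEX64 = re.compile(r"\b[0-9a-f]{64}\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Host names: dotted labels ending in an alphabetic TLD, so an IPv4
# address never matches this pattern.
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # "sha256", "domain" or "ip"
    value: str     # the feed indicator that matched


def domain_matches(host, ioc_domains):
    """Return the feed domain that `host` equals or is a subdomain of,
    or None. Walks from the full host up to its parent labels."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def scan(lines, feed=IOC_FEED):
    """Return every IoC hit found in `lines`, in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()  # feed values are stored lowercase
        for digest in HEX64.findall(low):
            if digest in feed["sha256"]:
                hits.append(Hit(n, "sha256", digest))
        for ip in IPV4.findall(low):
            if ip in feed["ip"]:
                hits.append(Hit(n, "ip", ip))
        for host in HOST.findall(low):
            matched = domain_matches(host, feed["domain"])
            if matched is not None:
                hits.append(Hit(n, "domain", matched))
    return hits


def block_list(hits):
    """Distinct (kind, value) pairs observed, i.e. what to push to the
    proxy, firewall or EDR block lists once a feed entry has fired."""
    return sorted({(h.kind, h.value) for h in hits})


if __name__ == "__main__":
    for h in scan(LOGS):
        print(f"line {h.line_no}: {h.kind} {h.value}")
    print("block:", block_list(scan(LOGS)))
```

Running it reports the flagged domain on line 2, the flagged hash on line 3 and the flagged IP on line 4; the benign host and IP produce nothing. The point of `block_list` is the one the comment makes: once an indicator has fired and been shared, the same value can be blocked everywhere, which is what makes the attacker's tooling "burnt".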
tobylane, about 14 years ago

Yes. The hole that the state malware uses couldn't be kept secret, therefore it's not safe to not patch everything. Plus, the state has no right to free access to our computers without warrants. There are many sides to this argument.
Zak, about 14 years ago

The answer to this seems obvious to me: much like a lawyer, the interests of a security vendor must align with those of its customers, even when some of those customers might be doing bad things.