But anyone who has developed commercial software for even a short time will have bumped into quite a different side of Antivirus software. A side that silently blocks apps from running, pops up erroneous and borderline libellous statements, randomly terminates both network connections and processes and randomly deletes files from a software installation.
When software is handling restrictions at the operating system level the restrictions are clear and (mostly) predictable. You can try to open a file for writing and your request may be denied; maybe there isn't space on the disk or maybe your app doesn't have permissions. You can try to open a socket to a remote machine and perhaps it will fail to connect. You can anticipate these issues because they are built-in restrictions: they are part of the API you are using and you can handle them gracefully. Your app might not be able to continue doing what it intended to, but it can report this to the user and/or change its behaviour appropriately. The end user can get a meaningful message which will help them to understand what the underlying issue may be (maybe they have a firewall and your message will give them the hint they need to open it up), and in the worst case the developer can get a useful message and explain to the user how to rectify the issue.
Anticipating these restrictions and handling them well is part of good software development, but what do you do when things happen to your app that are entirely inexplicable?
Bringing stability to your computer, by adding unexpected and unanticipatable failure to any app
The problem is, virus and trojan creators know that antivirus tools work this way. Viruses and trojans are no longer simple bolt-ons that attach themselves to software, instead they will employ a wide variety of tricks to hide themselves and make themselves undetectable by Antivirus software. Seeing the world as executable files that have been modified in an easily detectable way by viruses no longer works.
To counter this, antivirus software now often relies heavily on heuristics - algorithms and rule sets which look at other aspects of the software, such as what it does, what files it accesses, where it came from, where it runs from and anything else you can think of, to determine whether it is maybe malicious.
The problem is that using rules to analyse software behaviour in this way, with zero high-level understanding of what that software is for and what it should be doing, is doomed to failure. Heuristics are therefore either too lenient, failing to catch anything except the most bluntly malicious software, or much too strict, creating false positives that cause problems for perfectly valid, trustworthy software. This leads to popup messages like "Warning! Malicious Software Detected!" when actually it is a failure of a rule set within the Antivirus software.
The steps antivirus software takes to counter this malicious software are similarly fraught with problems. Antivirus software can't always know when an app is being installed, what constitutes the various parts of an app installation, or whether it is possibly malicious before it has been installed or even before it has run.
This often leads to the Antivirus software detecting just parts of apps, falsely tagging them as malicious, and then deleting, terminating, blocking or otherwise interfering, in an unpredictable way, with those parts of an app which it has falsely determined to be malicious. This is again because the rule set and heuristics lack any higher-level understanding of what constitutes the app or its expected function or behaviour.
In extreme cases they can even attack the very operating system they are running on. In 2007, for example, a Symantec Antivirus update caused it to interpret critical operating system files as viruses and delete them. Similarly, in 2010 McAfee VirusScan detected svchost.exe, a normal part of Windows, as a virus on Windows XP, causing the machine to lose all network access and enter into a continuous reboot cycle.
Even more incredibly in 2012 Sophos Antivirus identified itself as malicious software and deleted its own critical binaries. (Antivirus heuristics have probably never been more accurate).
These random interferences can cause real headaches for developers trying to understand why a customer is having an issue. If the app launched then why did it suddenly fail? If the install looks fine in other ways then why are those specific files missing? Has the customer deleted them? Disk corruption? Did something go weirdly wrong in the installer?
Coming to the correct conclusion that some other software has effectively attacked and broken your own software is never a logical path unless you are already well versed in the whims of Antivirus apps.
Antivirus software could do much more to make its actions cleaner and their implications clearer. It could at least try to quarantine (delete) an entire app instead of one library file or executable. It could pop up a message explaining exactly what it has done and how this might cause app X, which may also be called Y (since that is its directory in Program Files or /opt), to operate in an unexpected way, produce corrupt files or fail to run altogether.
But when an affected app fails to run, the customer reaches out to the provider of that app, not the Antivirus software. Since the headaches are directed at the affected app vendor and not at the Antivirus software provider, there is no real incentive to improve the software or even make it clearer what it's breaking. In fact there is a disincentive; right now the mess made is someone else's problem, and the clearer the Antivirus software is that it is the cause of the problem, the more likely the headache will come back to them.
Protecting your network, by closing the gate after the horse has bolted
Again, since we are in a Turing-complete world there aren't simple rules to separate the good apps from the bad. Antivirus software will again often fall back on heuristics that either do nothing or that identify reasonable behaviour as malicious and trigger various unexpected and unanticipatable reactions like terminating processes or network connections.
Again the mess is left for the developer and end user to work out. Maybe the app is crashing? Is this a failing router or switch? Maybe a problem with the network card or its driver? Or maybe it's a problem with the app somewhere in its use of the network?
Hours and days of support can pass by trying to resolve problems and failures that, for those unaware of the potential actions of Antivirus software, can appear inexplicable and totally illogical.
What's worse is that in many cases these actions are taken in the name of 'securing' your network and your computer, but in reality they do anything but. If a malicious app creates a network connection to try to upload your credit card details to some criminal network then it would seem like an obvious idea to try to terminate that network connection.
The problem is that your credit card details are very small, and by the time you have analysed the data passing through, determined that it isn't what you expect and then terminated the connection, the details could have passed through a thousand times over. The average credit card number consists of just a 16-digit number and maybe an expiry date, maybe even an address. At the most it might be 100 bytes of information, but even an ancient dialup modem could transfer 7,000 bytes every second. A fairly slow ADSL connection today might transfer 100,000 bytes per second, equivalent to 1000 credit card numbers every second, or a credit card number in 0.001 seconds.
If you are terminating the network connection even after just 5 or 10 seconds then this has no impact on security. Further, if you then allow the app to keep creating these connections that you terminate after 5 or 10 seconds (yes, we have seen this a number of times) then you actually don't restrict it at all; it can just pick up where it left off and keep uploading.
This type of behaviour is what security experts would refer to as 'security theatre'.
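As an added example (not from the original post), the reconnect cycle described above worked through against a constructed connection-audit log: it totals what a process still sent across connections the Antivirus killed and counts how often the process simply reopened the connection afterwards, which is the signal that a per-connection kill contained nothing and the process or destination itself needs blocking. The log format, pids and destinations are all constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed connection-audit lines (not from the original post), one per outbound
// connection as a host firewall or AV might log it, assumed to be in start order.
const sampleLog = `t=0.0 pid=4242 dst=203.0.113.9:443 bytes=500000 end=terminated_by_av
t=1.0 pid=7 dst=198.51.100.4:443 bytes=20000 end=closed
t=5.2 pid=4242 dst=203.0.113.9:443 bytes=480000 end=terminated_by_av
t=10.6 pid=4242 dst=203.0.113.9:443 bytes=510000 end=terminated_by_av
this line is not an audit record and is skipped
t=16.1 pid=4242 dst=203.0.113.9:443 bytes=200000 end=closed`
const cardRecordBytes = 100 // the post's upper bound for number + expiry + address
// flow is what actually happened to one pid -> destination pair over the whole log.
type flow struct{ bytes, terminations, reconnects int }

// analyse parses the audit lines (skipping malformed ones) and aggregates per pid and
// destination: bytes that left, AV kills, and connections reopened after a kill.
func analyse(text string) map[string]flow {
	flows := map[string]flow{}
	for _, line := range strings.Split(text, "\n") {
		var t float64
		var pid, n int
		var dst, end string
		_, err := fmt.Sscanf(line, "t=%g pid=%d dst=%s bytes=%d end=%s", &t, &pid, &dst, &n, &end)
		if err != nil {
			continue
		}
		k := fmt.Sprintf("%d->%s", pid, dst)
		f := flows[k]
		if f.terminations > 0 {
			f.reconnects++ // opened after an earlier kill: the kill contained nothing
		}
		f.bytes += n
		if end == "terminated_by_av" {
			f.terminations++
		}
		flows[k] = f
	}
	return flows
}

func main() {
	for k, f := range analyse(sampleLog) {
		fmt.Printf("%s: killed %d times, reopened %d times, %d bytes (~%d card records) still sent\n",
			k, f.terminations, f.reconnects, f.bytes, f.bytes/cardRecordBytes)
	}
}
```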
Increasing your security, by failing to prevent basic MITM attacks
Koret identified many top Antivirus software providers that download unauthenticated updates over a plain HTTP connection, providing an attacker an easy route to perform a man-in-the-middle attack and replace the update with any malicious software they like.
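An added example (not Koret's code nor any vendor's) of the unauthenticated plain-HTTP download pattern beside a hardened update fetch built on Go's standard library: the transport is abstracted behind a function so it runs offline, and the vendor key pair, URLs and update bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net/url"
)

// Fetcher stands in for the HTTP transport so this runs offline (assumed interface;
// a real client would wrap net/http, which validates TLS certificates by default).
type Fetcher func(rawURL string) ([]byte, error)
// fetchUpdateInsecure is the pattern described above: plain HTTP and no
// authentication, so whatever an on-path attacker substitutes is accepted.
func fetchUpdateInsecure(fetch Fetcher, rawURL string) ([]byte, error) {
	return fetch(rawURL)
}
// fetchUpdateVerified refuses non-https URLs and requires a valid Ed25519 signature
// from a vendor key pinned in the product, so a swapped update is rejected even if
// the transport itself were subverted.
func fetchUpdateVerified(fetch Fetcher, rawURL, sigURL string, vendorKey ed25519.PublicKey) ([]byte, error) {
	for _, u := range []string{rawURL, sigURL} {
		if p, err := url.Parse(u); err != nil || p.Scheme != "https" {
			return nil, fmt.Errorf("refusing non-https update URL %q", u)
		}
	}
	payload, err := fetch(rawURL)
	if err != nil {
		return nil, err
	}
	sig, err := fetch(sigURL)
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(vendorKey, payload, sig) {
		return nil, fmt.Errorf("update signature invalid: possible tampering in transit")
	}
	return payload, nil
}

func main() {
	// Constructed demo: a vendor key pair, one signed update and one tampered copy.
	pub, priv, _ := ed25519.GenerateKey(nil)
	good, bad := []byte("update v1"), []byte("update v1 + attacker payload")
	served := map[string][]byte{"https://u.example/av.bin": good,
		"https://u.example/av.bin.sig": ed25519.Sign(priv, good), "http://u.example/av.bin": bad}
	fetch := func(u string) ([]byte, error) { return served[u], nil }
	got, _ := fetchUpdateInsecure(fetch, "http://u.example/av.bin")
	fmt.Printf("insecure path accepted %q without complaint\n", got)
	got, err := fetchUpdateVerified(fetch, "https://u.example/av.bin", "https://u.example/av.bin.sig", pub)
	fmt.Printf("verified path: %q err=%v\n", got, err)
}
```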
Like flu or the common cold, until some magical and much desired cure comes along Antivirus software is just a fact of life and a cost of business. Knowing what the issues could be in advance can save you a lot of going round in circles and following logical paths only to find out, after much wasted time, that the real cause of the issue is far more absurd than you would imagine.