Antivirus programs need to be able to inspect a lot of data and file types from a variety of sources: the Web, email, the local file system, network shares, USB attached storage devices, etc. They also have a large number of components that implement various layers of protection: drivers for intercepting network traffic, plug-ins that integrate with browsers and email clients, graphical user interfaces, antivirus engines with their subsystems that perform signature-based, behavior-based and cloud-based scanning and more.

This is what security researchers call a very large attack surface, meaning there is a lot of potentially vulnerable code that attackers can reach in a variety of ways. Furthermore, when it comes to antivirus products, much of this code runs with the highest possible privilege, something that researchers argue should be avoided as much as possible.

1–1 (1)