I know your position when it comes to AV, but I don't understand why you persistently promote the idea that they are completely unnecessary and that they will not detect all those viruses/malware that are already in the database of such AV?
This topic regarding AV is popping up quite often.
To not repeat myself, I regularly provide shorter or more detailed answers.
Usually, it's something along the lines of:
[...]
They can just detect already publicly known malware by checking the signatures.
Another approach would be to use runtime analysis, which also can be circumvented.
[...]
I could at least have been more detailed, I agree with you.
AVs will definitely detect known malware that they have in their database (and this database is huge).
But in this case (clipboard malware), it simply won't be detected because:
1) This is extremely simple code which will not be in the database of AVs, and
2) Sandboxing and testing by the AV will not trigger any action from the malware, since the user first has to manually copy an address, and
3) It won't trigger any behaviour analysis since, after all, it just changes the clipboard. AV software wouldn't detect that as malicious.
If we accept your idea that any well-designed malware is impossible to detect, then almost all computer users (especially those using Windows OS) are infected.
It is not that very well-written malware is impossible to detect, but it's almost always possible to circumvent AV measures.
Some things are harder than others. Ransomware, for example.
If a piece of software starts to access a ton of files and creates a massive amount of files that seem to be random (a.k.a. encrypted files), any AV will stop the process.
This wasn't the case when the first few ransomware strains were detected.
It's a race between the AV engines and the malicious actors. The latter ones are always slightly ahead.
If a 13-year-old script kiddie is playing around with Kali Linux and Metasploit, that malware will most likely always be detected by most reputable AV engines.
But if we look at organized crime (which a lot of dangerous malware is coming from), that's a totally different story.
[...] but I will never agree that they are completely unnecessary and useless.
They aren't.
And that's not what I meant.
It is just that they are useless in this specific case (clipboard hijacking malware), and one shouldn't completely rely on them along the lines of "the AV didn't detect anything, so it has to be fine".
It is also worth mentioning that AVs have been exploited quite often in the past to run malicious code with administrator privileges.
They are by no means worthless. But they cannot secure a device on their own.
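A defender-side illustration of the clipboard-hijacking point made earlier in this reply: since the only observable action is a clipboard rewrite, a user-side monitor has to compare successive clipboard contents itself and flag an address that turns into a different address without the user copying anything. This is an added example, not code from this thread; it runs over a constructed timeline of clipboard snapshots and assumes a hypothetical `from_user` flag that a real monitor would derive from a copy hotkey/menu hook (not implemented here).

```python
import re
from dataclasses import dataclass

# Constructed patterns for the address families clipboard hijackers usually target.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text: str):
    """Return which address family `text` resembles, or None for ordinary text."""
    t = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return kind
    return None

@dataclass
class Snapshot:
    ts: float        # seconds since the monitor started
    content: str     # clipboard text observed at that moment
    from_user: bool  # assumed signal: a user copy action (hotkey/menu) was seen

def detect_swaps(snapshots, window: float = 5.0):
    """Return (ts, kind, before, after) for every case where an address was
    replaced by a different address of the same family within `window`
    seconds and without a user copy action in between."""
    alerts, prev = [], None
    for snap in snapshots:
        if prev is not None and not snap.from_user:
            k_prev, k_now = address_kind(prev.content), address_kind(snap.content)
            changed = prev.content.strip() != snap.content.strip()
            if k_prev and k_prev == k_now and changed and snap.ts - prev.ts <= window:
                alerts.append((snap.ts, k_now, prev.content, snap.content))
        prev = snap
    return alerts

# Constructed clipboard timeline: the user copies their own BTC address, it is
# silently rewritten 200 ms later; later the user copies two ETH addresses.
BTC_USER = "1UserCopiedThisAddr111111111111111"
BTC_SWAPPED = "1AttackerSwapped1nHere111111111111"
ETH_USER, ETH_OTHER = "0x" + "ab" * 20, "0x" + "cd" * 20
SAMPLE_TIMELINE = [
    Snapshot(0.0, "meeting notes", True),
    Snapshot(10.0, BTC_USER, True),
    Snapshot(10.2, BTC_SWAPPED, False),  # rewritten with no user action: alert
    Snapshot(60.0, ETH_USER, True),
    Snapshot(60.1, ETH_USER, False),     # unchanged re-read: no alert
    Snapshot(120.0, ETH_OTHER, True),    # user copied another address: no alert
]
```

Only the BTC rewrite at t=10.2 is reported; a legitimate second copy by the user and an unchanged re-read stay silent, which is the distinction a behaviour-based check at the user's end needs to make.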