Tuesday, 6 May 2014

Anti-virus keeps dying

"AV is Dead."

Three easy words that are an almost guaranteed route to headlines in the technical press.

But what do they actually mean?

That anti-malware software is useless?

Let's dig down into this thorny issue and separate the facts from the marketing messages.

For some reason anti-virus technology seems to divide experts into barely-rational groups of those who think it is completely useless and those who think it (or rather, their preferred brand) is a panacea.

A journalist asked me today about some recent "AV is Dead" headlines. Here's my response.

--

The claim that “AV is dead” is guaranteed to make headlines in the technical press. This is why the claim is made so often, sometimes by companies that actually have anti-malware solutions within their own products.

I think there are three main issues worth exploring:
  1. AV signatures
  2. Business vs. consumer requirements
  3. Post-event protection

AV signatures

Anti-malware products that use only signatures of known malicious files are very limited. No decent AV product designed for endpoint systems works that way. They all have additional protection layers to support this most basic function.

It would be rather remiss to omit the signature system entirely (you’d risk ignoring well-known malicious files, which seems rather silly), but to rely on it is clearly a bad idea.

That’s what the “AV is dead” line always comes down to. It should really be:
“AV products that rely solely on signatures are relatively useless in isolation.”
The FireEye report is clearly focussing on “signature-based AV”, although that is not made clear initially. It also resurrects the diabolically-misjudged Imperva report, which made some basic errors and so suffered a lot of criticism.

In real-world tests run by DTL and other testing organisations anti-malware products are rarely 100 per cent effective but neither are they usually completely useless. Microsoft Security Essentials often appears to be quite weak and, in our tests, always appears at the bottom of the ratings - yet it still seems to stop more than 50 per cent of threats.

The best products stop in excess of 90 per cent of threats, most of which are really nasty things like ransom-ware. That does not sound like “dead”/obsolete.

Business vs. consumer requirements

When making general statements about the effectiveness of AV, commentators usually focus on the needs and resources of large businesses.

I am sure that Symantec’s Brian Dye will do a marvellous job with his response team, but I doubt he’ll be sending those guys into your house or mine to help with a ransom-ware infection. They will be focussed on very large businesses.

Similarly, see how companies that focus on white-listing handle AV in the media. It’s always “dead” but… what about consumers? Can they handle white-listing products?

There are very few such products available for consumers and these are hard and annoying to use. They may scale well for businesses in which a small team handles white-listing for many thousands of employees, but you as an individual are not going to want to handle the white-listing needs of your extended family, even if it’s a large one.

Have you ever tried even the most basic parental control software? It’s very labour-intensive to use in the real world, where very real people (small, demanding children) provide feedback that one cannot ignore.

So anti-malware-based products are clearly one of the few options available for consumers and, as long as those products are not entirely signature-based, they should do a reasonable job of protecting people.

They will be better than nothing, at least, which does not sound like “dead”/obsolete.

Post-event protection

Currently businesses seem to be facing far greater threats than consumers. They are being attacked relentlessly, if we believe the stories, and so malware is likely to infect a system on the network at some point. It may then spread, one way or another, through that network and into others.

This is why products from companies like FireEye, Palo Alto Networks and Cisco don’t just try to prevent the initial infection – they have to be able to detect when an infection has occurred and should alert technical staff that something needs to be investigated. At least a few will use signature-based AV as part of that process (in fact I know that some do).

And why not? We have seen a file appear on Fred’s PC and we can take a signature of that and search the other files on the network for other copies.
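The "take a signature from Fred's PC and search the network" step above, and the earlier point that a pure file signature is easily sidestepped, can both be shown in a few lines. The following is an added example, not code from the original post or from any of the products named: it builds a constructed, inert sample file tree in a temporary directory (the hostnames fred-pc, alice-pc and bob-pc and the file contents are made up for the demonstration), takes a SHA-256 of the file "seen on Fred's PC", sweeps the tree for exact copies, and shows that a copy differing by a single byte is not matched, which is exactly why signature matching is a useful layer but a poor sole defence.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large files need not fit in memory


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest (our 'signature')."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, signatures):
    """Walk every file under root; return sorted (path, digest) pairs whose digest
    is in the signature set. Unreadable files are skipped rather than aborting the sweep."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                continue
            if digest in signatures:
                hits.append((path, digest))
    return sorted(hits)


def build_demo_tree(root):
    """Constructed sample 'network share' with three hypothetical hosts.
    The payload bytes are an inert placeholder standing in for the file on Fred's PC."""
    payload = b"CONSTRUCTED SAMPLE FILE - placeholder for the file seen on Fred's PC\n"
    layout = {
        "fred-pc/Downloads/invoice.exe": payload,
        "fred-pc/Documents/notes.txt": b"quarterly notes\n",
        "alice-pc/temp/update.exe": payload,              # exact copy: the hash signature catches it
        "bob-pc/temp/update.exe": payload + b"\x00",      # one extra byte: the same signature misses it
        "bob-pc/Documents/readme.txt": b"nothing to see here\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return os.path.join(root, "fred-pc", "Downloads", "invoice.exe")


def run_demo():
    """Take a signature from Fred's file, sweep the tree, and report which hosts hold exact copies."""
    root = tempfile.mkdtemp(prefix="av_sweep_")
    freds_file = build_demo_tree(root)
    signatures = {sha256_of(freds_file)}
    hits = sweep(root, signatures)
    hit_hosts = sorted(os.path.relpath(p, root).split(os.sep)[0] for p, _ in hits)
    return {"signature": next(iter(signatures)), "hit_hosts": hit_hosts, "total_hits": len(hits)}


if __name__ == "__main__":
    result = run_demo()
    print("signature:", result["signature"])
    print("hosts holding an exact copy:", result["hit_hosts"])  # bob-pc's altered copy is absent
```

Run it and the sweep reports fred-pc and alice-pc but not bob-pc, whose copy differs by one byte. That is the whole argument in miniature: the signature step is cheap, fast and worth running across a network once an infection has been seen, but on its own it only finds what it already knows, so the behavioural and post-event layers the post describes still have to do the rest of the work.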

That makes a lot of sense and does not sound like “dead”/obsolete.