Death of antivirus software greatly exaggerated

15.12.2014
An executive at a company whose name is synonymous with antivirus software raised eyebrows earlier this year when he pronounced the death of that form of system protection. Nevertheless, while the effectiveness of that software may have waned over the years, security experts say the pronouncement by Symantec's senior vice president for information security Brian Dye was premature.

Certainly the growth in sophistication of malware has made untenable the use of signature-based antivirus software as a standalone source of protection for systems. "More than half the threats we stop aren't stopped by our AV software," said Chandra Rangan, vice president for product marketing at Symantec.

"We're trying to educate people," he added. "We're saying that if you just have signature-based antivirus, it's not enough."

While signature-based antivirus software alone doesn't provide enough protection in today's threat landscape, it's still making a significant contribution to system security. "If you went to any of the Fortune 1000 companies and said, 'Antivirus is dead; remove it from all your systems,' you would find a lot of security officers laughing at you," said Brian Kenyon, chief technical strategist with Intel Security (formerly McAfee). "The reality is -- even in its current form -- AV stops a lot of stuff today."

Kenyon added that blocking threats is only one part of antivirus's job in protecting systems. "It's not just about stopping things," he said. "It's also about cleaning things and eradicating them from a system."

"But," he continued, "if you asked, 'Is the current AV architecture and capability the future of our industry?' I would definitely say, 'No, not in its current form,' but I don't believe it's dead."

Limiting the definition of antivirus to signature-based software may be doing an injustice to the technology. "AV is not defined by signatures; it is defined by protection against malicious software," said Randy Abrams, a research director at NSS Labs, an independent testing service. "Products that only protect against viruses and only with signatures have been dead since the 90s."

Malware-fighting antivirus software continues to have value in the enterprise, even as powerful new defense platforms come online, like breach defense systems (BDS). "These systems are designed to quickly detect and contain security breaches that every enterprise has or will have experienced," Abrams explained. Initially BDS products performed their role as described; however, IT personnel were left cleaning up the problem.

"AV vendors began to seize on the opportunity and offer a complete end-to-end solution," he continued. "The result has been that the pure play BDS vendors have had to add malware detection and remediation functionality to their systems."

Pronouncing antivirus's death is nothing new. In 2006, for example, Hurwitz & Associates released a report titled "Anti-virus is dead." In it, analyst Robin Bloor maintained that antivirus would be replaced by tools that used whitelisting to wipe malware from the computing scene. Whitelisting is used effectively today in some environments, but it has its drawbacks.

"Whitelisting is a great solution for controlled environments, like retail POS systems, manufacturing and health systems," Intel's Kenyon said. "You say what applications can run and anything outside that list fails to run so malware never activates."

When whitelisting is brought to the consumer or end-user corporate environment, its maintenance can be burdensome because end-users are constantly adding apps to their devices. "That's why we haven't seen a huge amount of whitelisting in the user environment," Kenyon noted.

"It's been great on servers, great for data centers, great for controlled retail environments, but it's been a challenge on your traditional desktop/laptop," he added.
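The allowlisting trade-off Kenyon describes, as an added illustration that is not part of the article or any vendor's product: a hash-based application allowlist blocks an unknown binary outright, but it equally blocks a legitimate update until an operator re-approves it, which is the maintenance burden that makes it fit controlled environments better than user desktops. The binaries are constructed inline byte strings standing in for file contents.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "executables": in a real deployment these would be file
# contents read from disk; inline byte strings keep the example runnable offline.
SAMPLE_BINARIES = {
    "pos_terminal.exe": b"POS terminal build 4.2",
    "inventory.exe": b"inventory client 1.9",
    "inventory.exe (vendor update)": b"inventory client 2.0",
    "unknown_download.exe": b"unapproved binary from a USB stick",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Allowlist:
    """Hash-based application allowlist: only binaries whose digest is approved may run."""
    approved: set = field(default_factory=set)

    def approve(self, data: bytes) -> str:
        digest = sha256_hex(data)
        self.approved.add(digest)
        return digest

    def may_run(self, data: bytes) -> bool:
        # Default deny: anything not explicitly approved fails to run.
        return sha256_hex(data) in self.approved


def simulate_controlled_environment() -> dict:
    """Retail-POS style: the fixed set of needed apps is approved once."""
    wl = Allowlist()
    wl.approve(SAMPLE_BINARIES["pos_terminal.exe"])
    wl.approve(SAMPLE_BINARIES["inventory.exe"])
    return {name: wl.may_run(data) for name, data in SAMPLE_BINARIES.items()}


def maintenance_tickets(decisions: dict) -> int:
    """Count legitimate binaries (every entry not labelled 'unknown') that were blocked;
    each is an allowlist update someone must perform before the user can work."""
    return sum(1 for name, ok in decisions.items() if not ok and "unknown" not in name)
```

The unknown binary and the legitimate update are both denied; only the second generates an allowlist maintenance task, and on an end-user desktop that happens every time a new app is installed.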

Like apocalyptic prophets, though, antivirus's detractors continue to forecast the technology's demise. "Brian Dye was correct," said Gaurav Banga, co-founder and CEO of endpoint security vendor Bromium. "AV is dead."

Banga cited a survey his company conducted in June of 300 information security pros as evidence of dissatisfaction with antivirus. A hefty number of the pros -- 85 percent -- don't believe that antivirus can stop targeted attacks, like Advanced Persistent Threats and spear phishing, which are a substantial part of the current threat landscape.

Moreover, Banga argued, antivirus is ineffective against polymorphic and zero-day attacks, also popular among intruders. Both those methods exploit systems before signatures to combat them are available.

"It takes security researchers days to detect new threats and write new signatures, giving a polymorphic attack more than enough time to change its code," Banga said. "When advanced attacks can be executed at a moment's notice, the signatures to detect them are still days away."

Antivirus software's inability to deal with sophisticated threats isn't the only criticism leveled at it in recent times. In July, a researcher at Singapore-based COSEINC maintained many antivirus programs contain vulnerabilities that actually make the systems they're installed on more susceptible to attack.

Researcher Joxean Koret explained that antivirus engines typically run with the highest system privileges possible. Exploiting vulnerabilities in them will provide attackers with root or system access, he continued. Their attack surface is very large, because they must support a long list of file formats. To deal with all those file types, the software uses file format parsers, which typically have bugs.

Nevertheless, Bromium's Banga noted, "AV software may likely continue to serve consumers, who generally have less need for robust protection or the savvy to manage more featured products."

"However," he added, "security-conscious organizations have already started to transition away from AV solutions."

There are those, though, who maintain antivirus isn't as impotent as its critics say it is. Jaeson Schultz, a threat researcher with Cisco Systems' Security Business Group, asserted that antivirus software has evolved over the past five years to provide greater protection. Not only has antivirus software added more heuristic functionality -- which enables it to deal more effectively with non-signature threats -- but it blocks an assortment of malware, such as rootkits, remote access trojans (RATs), keyloggers, spyware, adware, and even "potentially unwanted applications." It will even protect users against malware vectors like email, social media and files transmitted via the web.

"It is an arms race," Schultz said. "As new avenues for exploitation arise, new counter-functionality is being built into AV software."

"Certainly it is a bit hyperbolic to claim AV software is dead," he added. "Many people still depend on anti-virus as an integral part of their multi-layered defense."

While it's unlikely that dire assessments of antivirus software will go away, it's also unlikely that those assessments will be fulfilled any time soon. As Chris Doggett, managing director of Kaspersky Lab North America, observed, "Cyber attacks will continue to grow in number and complexity, and AV software will always be a part of the bigger security solution that is fighting against them for both users and organizations."

"Without AV software as part of future securities," he continued, "we'd be giving up the idea of protecting endpoints and mobile devices, leaving millions of people at the mercy of cyber criminals."

(www.csoonline.com)

John P. Mello Jr.
