Vendors are claiming that the end of antivirus is upon us. Signature scanning has proven to be very ineffective, yet it remains the traditional way of identifying new viruses: many of the most popular antivirus programs detect only 50-70% of the viruses they are shown, and only 2% of viruses are detected by every scanner. This leaves everyone in a very vulnerable position. Others say it is far too early to write off antivirus software altogether: it may not be the perfect solution, but it is all we have to rely on at present, and the newer defences are only at the start of their evolution.
The problem we face is the speed and sophistication with which malware is now developed. Malware is no longer written as a joke or to impress others; it is produced by established, professional and purposeful groups and has grown into crime-ware. The malware our antivirus now faces is refined and intentionally coded to escape detection by the various antivirus suites on the market.
Most antivirus systems will detect common malware threats, but they are powerless against the new targeted malware increasingly found in business networks today. Antivirus is a reactive technology: a sample must first be captured and studied to extract its 'signature' before a detection and removal routine can be shipped. This 'reactive' process is part of the problem, because closing that gap can take anywhere from a couple of hours to many years, leaving a window in which extensive damage can occur.
The reality of antivirus in 2013
It is no secret that antivirus is very ineffective at detecting malware. Some products work slightly better than others, but none is perfect.
Most antivirus programs have the features needed to recognise threats, but they do not work effectively. Accuracy is poor, with many false negatives and false positives, and it worsens further when new threats are thrown into the mix. Most antivirus companies have done a poor job of defending against these threats, or are simply overwhelmed by the continuous flow of ever-changing malware and cannot keep up.
With this in mind, recent evaluations of the antivirus market have shown that antivirus software is still around and will still be used by most businesses in 2013 despite its questionable protection.
Reasons businesses still choose to use antivirus
- Most businesses continue to use licensed antivirus software to conform to company compliance mandates.
- Free antivirus is aimed at consumers and rarely offers the deployment and central management capabilities a business needs.
- Most businesses lack a proper understanding of the threat vectors they face, which hinders any move to more effective security technology.
- Most businesses rely on general IT staff for security and believe that antivirus and a firewall are enough. They therefore lack the threat knowledge needed to carry out accurate risk assessments and choose appropriate security measures.
- Businesses are stuck in a rut. They fail to advance their defences because most see no need to change: antivirus and a perimeter firewall have worked in the past, so a different approach is not seen as a necessity, only as extra 'unnecessary' cost.
- Few businesses adopt a defence-in-depth strategy.
Where is antivirus being used?
Research shows that on average 70% of organisations say they will continue to purchase and use antivirus technologies in 2013. The majority still regard antivirus as an essential part of their security regime.
3% of organisations have chosen not to use antivirus at all, 5% have chosen to reduce their use of it, and 1% are looking to discontinue it. This is proving to be a mistake, as many of these organisations spend their days cleaning up the mess left behind after an infection.
Antivirus spending covers desktops in 90% of organisations and servers in 84%, but mobile devices in only 38%. With mobile environments so abundant, you would expect antivirus coverage in this area to be much greater than it is.
What alternatives do we have?
A variety of technologies are being developed to improve on antivirus, and companies are becoming creative in developing new forms of protection.
Some of the routes being explored include the following:
- Behaviour-based blocking looks at a file's characteristics, including when it was created and where it has been installed, before allowing it to run. 75% of the time malware is detected through alternative technologies such as these.
- Building defences into programs such as browsers to block the software flaws that malware would otherwise exploit as a route into the machine.
- Instead of blocking the 'bad', as antivirus and perimeter firewalls are meant to do, another approach monitors access to servers, databases and files, looking for suspicious activity.
- Whitelisting only lets executables run that the system already knows to be safe, refusing unknown files by default.
- Investigating the threat source, the origin of the attack, so that early warnings can be issued and businesses are prepared for the potential threat.
- Web crawlers that scan web pages for executables that are malware. Once identified, a warning can be issued or the malware blocked.
- Monitoring and spotting unusual behaviour, then cleaning up after an attack, looks like the alternative approach of the future.
- Isolating business applications in a virtual environment (a sandbox) and inspecting them for suspicious activity before taking an informed decision on whether to let the traffic through.
Polymorphic malware adopts a range of techniques to disguise itself and avoid detection, including mutating its own code each time it starts up. This type of malware is designed specifically to evade traditional antivirus countermeasures.
The traditional antivirus approach is that once a new virus has been detected, its signature is extracted and stored in the signature database for future detection; with polymorphic malware, however, the signature is always changing.
Many are beginning to question the use of signatures, as new variants will infect multiple systems before the new signatures even reach the database. It is a continuous problem as the virus keeps mutating.
Some are doing away with the signature approach altogether, focusing on a file's behavioural characteristics rather than on a copy of the malware.
The role of signatures in security is changing. Signature-based defence is not enough on its own, but signatures still have a place within the security layers: they are valuable for detecting and cleaning up known viruses on a system, and they play an important part in investigation and forensics. They may be moving away from being the primary blocking tool, but they still have their roles.
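To make the contrast between the approaches above concrete (the signature database that a mutating sample outruns, the whitelist that refuses unknown files, and the sandbox or sensor that judges behaviour), here is a small added example. It is not from the article or any vendor's product: the "payload" is a harmless constructed byte string, the one-byte XOR "packer" is a stand-in for real polymorphic engines, and the runtime traces, paths and the 198.51.100.7 address are all made up for illustration.

```python
"""Three detection strategies against a 'polymorphic' sample (toy example).

Added example, not part of the article. PAYLOAD, the variants and the
runtime traces below are constructed stand-ins, not real malware; the
one-byte XOR 'packer' only shows why byte-level signatures miss re-encoded
variants while a default-deny allowlist or a behaviour rule still catches them.
"""
import hashlib
import random

# Constructed stand-in for a malicious body (a byte string, nothing executable).
PAYLOAD = b"constructed body: drop executable, persist via Run key, beacon out"


def make_variant(payload: bytes, key: int) -> bytes:
    """Polymorphic re-encoding: XOR the body with a per-variant key and prepend
    the key byte as a trivial 'decoder stub'. Every key yields different bytes
    (and so a different hash) for the same underlying behaviour."""
    if not 1 <= key <= 255:
        raise ValueError("key must be in 1..255")
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack(variant: bytes) -> bytes:
    """What the decoder stub does at run time: recover the original body."""
    key = variant[0]
    return bytes(b ^ key for b in variant[1:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# 1. Signature denylist (traditional antivirus): default allow, block known-bad hashes.
def signature_verdict(sample: bytes, known_bad: set) -> str:
    return "block" if sha256(sample) in known_bad else "allow"


# 2. Application allowlist (whitelisting): default deny, run only known-good hashes.
def allowlist_verdict(sample: bytes, known_good: set) -> str:
    return "allow" if sha256(sample) in known_good else "block"


# 3. Behaviour monitoring: judge the actions observed in a sandbox or by an
#    endpoint sensor. Traces are (event, target) pairs; these are constructed.
TRACE_FOR = {
    PAYLOAD: [
        ("write_file", r"C:\Users\alice\AppData\Roaming\upd\svc.exe"),
        ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
        ("net_connect", "198.51.100.7:443"),   # documentation-range IP, made up
    ],
}
BENIGN_INSTALLER_TRACE = [
    ("write_file", r"C:\Program Files\Acme\acme.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acme"),
]


def simulate_run(variant: bytes) -> list:
    """Decode the variant and return the trace its body produces. Every variant
    decodes to the same body, so every variant produces the same trace."""
    return list(TRACE_FOR.get(unpack(variant), []))


def behaviour_verdict(trace) -> str:
    """Block when all three happen in one run: an .exe dropped under the user's
    AppData, persistence via the Run key, and an outbound connection. A normal
    installer (writes to Program Files, no beacon) stays below the bar."""
    dropped = any(ev == "write_file" and "\\appdata\\" in t.lower()
                  and t.lower().endswith(".exe") for ev, t in trace)
    persisted = any(ev == "reg_set" and "\\currentversion\\run" in t.lower()
                    for ev, t in trace)
    beaconed = any(ev == "net_connect" for ev, _ in trace)
    return "block" if dropped and persisted and beaconed else "allow"


def compare(seed: int = 7) -> dict:
    """v1 is the variant analysts captured and signed; v2 is the next mutation."""
    rng = random.Random(seed)
    v1 = make_variant(PAYLOAD, rng.randint(1, 255))
    v2 = make_variant(PAYLOAD, (v1[0] % 255) + 1)   # any key other than v1's
    known_bad = {sha256(v1)}
    known_good = {sha256(b"constructed trusted application")}
    return {
        "bytes_differ": v1 != v2,
        "signature_v1": signature_verdict(v1, known_bad),
        "signature_v2": signature_verdict(v2, known_bad),   # misses the mutation
        "allowlist_v2": allowlist_verdict(v2, known_good),
        "behaviour_v2": behaviour_verdict(simulate_run(v2)),
        "behaviour_installer": behaviour_verdict(BENIGN_INSTALLER_TRACE),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:20} {verdict}")
```

Running it shows the signed variant blocked and its re-keyed sibling sailing past the same signature, while the allowlist blocks the sibling simply because nobody approved it and the behaviour rule blocks it because it still does the same three things at run time. The flip side is also visible: the allowlist would block any new legitimate program until it is approved, and the behaviour rule only fires once the sample has already run, which is exactly why the article treats these as layers rather than replacements.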
Many businesses still view antivirus as an essential layer in their security, but are looking to invest in other technologies to strengthen their defences and meet today's threats.
Antivirus still has an important role to play in guarding against common threats; however, businesses need to ensure they have a multi-layered approach to information security, as no single technology offers complete protection against targeted attacks.
With new virus strains growing exponentially, from under 10 million to 49 million in 10 years, and antivirus unable to keep up, other options must be explored.
With the advance of computing into mobility, malicious apps are now compromising our mobile devices too. The 'baddies' keep getting better at what they do while antivirus lags behind. We desperately need an all-inclusive solution.
Antivirus used alone merely offers us an illusion of security. The arms race continues…