Is AV the old dog?

Over the last few years I have noticed a marked increase in the number of people discussing the ‘death’ of anti-virus – predominantly citing that it’s no longer fit for purpose as it’s too slow or too reactive.

Recently, I heard a speaker misquote a global report suggesting that anti-virus picked up less than 1% of all breaches. If they were highlighting the breaches that were successful, this may be true. However, there are many factors that could lead to an attack being successful – for example, systems security controls may be misconfigured or out of date, and there are multiple other high-risk scenarios that we often come across in the practical business environment.

But the apparent confusion doesn’t end there. Recently, I was reviewing submissions for a prominent international security conference. As I read through the abstracts, I saw statements referring to ‘floundering AV solutions’ and their ‘reliance on signature-based detection’, neither of which I believe is fair or true.

So why is anti-virus getting such a hard time? In some respects I believe it’s the result of to being the ‘old dog’ on the street. It is the tried and tested technology that has served us well for so long. The new boys on the street are looking to discredit it as a means to increase confidence in their own solutions.

Attackers have long understood the concept of signature-based detection and worked on methods to circumnavigate it – such as polymorphism, obfuscation techniques, and recently packers. In each instance, the anti-virus industry has responded by adding new capabilities – techniques such as generic decryption engines, heuristics, family-based and packer detections. So, if anti-virus is the ‘old dog’, it has certainly learnt some new tricks along the way.

Over the years, the fundamental challenge has been one of time. Ensuring signatures/updates keep pace with the speed and volume of new attacks and with the fact that attackers are able to test their code against online tools before they launch their attacks. Again, the anti-virus industry has responded by utilizing the cloud as a method of real-time checking or applying reputational checks against the file and/or the source that move heuristic/behavioural capability to another level.

I believe that anti-virus is here to stay. It’s one of the few technologies that uniquely identifies the threat and lets us know what it is and what it does, and more importantly, has the capability to remove/repair the attack.

There are some very interesting new technologies coming to market that are far more proactive, but in general, the more you look to block based purely on behaviour, the less you get to know about the attack. Anti-virus provides a great complement to the strengths and weakness of each new technology – for example, proactive lockdowns (whitelisting) work well for single or simple function systems, but typically in the diverse complex world of desktop computing they are too complex to apply and maintain.

Finally, there is another false concept we must get over, which is that any one solution or technology can be infallible. Anti-virus does a very good job, but it seems that in the binary world of technology, missing once is seen as failure in general. We have recommended layered defences for decades just for this reason.

So, is anti-virus dead? No, I certainly wouldn’t say so.

Is anti-virus purely a reactive technology? It hasn’t been for many years, and for those who still believe that it is, I would encourage them to look again at the current capabilities of leading anti-virus solutions. Is anti-virus the perfect solution? No.

While the security industry continues to fight amongst itself, end-users are becoming ever more confused as to what is the right approach to take. So the next time someone suggests anti-virus is, or is becoming obsolete, we should encourage them to refresh their knowledge, recognize the evolution of anti-virus, utilize its strengths and look to complement its shortcomings.

Latest articles:

Bulletin Archive