
INDUSTRY INSIGHT

Is antivirus software still relevant?

Federal agencies are big users of antivirus software, and regardless of their technical competence, government security professionals still find themselves victims of malware. Unfortunately, simply installing antivirus technology does not protect today’s endpoints.

In a 2014 Lastline Labs study on the effectiveness of antivirus scanners, much of the newly introduced malware went undetected by nearly half of the antivirus vendors. After two months, one third of the antivirus scanners still failed to detect many of the malware samples. The malware dubbed "least likely to be detected" went undetected by the majority of antivirus scanners for months or was never detected at all.

For those malware samples that initially eluded all of the scanners, the average time for at least one of the scanners to achieve detection was two days. None of the antivirus scanners caught every new malware sample.

Some significant drawbacks to antivirus software include:

  • Antivirus software can impair endpoints.
  • An incorrect decision may lead to a security breach when inexperienced users don’t understand the prompts.
  • False positives can be as destructive as false negatives. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives.
  • Antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.

No matter how useful antivirus software can be, its drawbacks are causing information security professionals to take a second look at antivirus protection – and the alternatives.

Several years ago, the Milnsbridge Corporation sponsored case studies focused on a new approach, called CloudAV, that moves antivirus functionality into the network cloud and off personal computers. The study focused on virtualizing the detection functionality with multiple antivirus engines, significantly increasing overall protection.

Traditional antivirus software that resides on most PCs checks documents and programs as they are accessed. Because of performance constraints and program incompatibilities, only one antivirus detector is typically used at a time. CloudAV, however, can support a large number of malicious software detectors that act in parallel to analyze a single incoming file. Each detector operates in its own virtual machine, so the technical incompatibilities and security issues are resolved.

Some of the drawbacks deal with speed in handling the volume of data. While CloudAV stores previously screened data, processing time is an issue. There is also the concern of the cloud provider’s level of security in and of itself. Regardless, several CloudAV providers are available in today’s market.

Many of the existing operating systems come with antivirus software built in. Others may use application whitelisting (AWL) – as opposed to blacklisting – as an integral part of the OS.

Most people in the IT field are familiar with blacklisting because it is the technology used in almost every antivirus product in existence. It simply checks every new file on a system to see if it contains malware. If malware is detected, it is blocked from executing and carrying out any damage.

AWL is just the opposite. It will deny the execution of any application not previously and explicitly identified as “not malicious.” AWL offers more security primarily because it denies malicious code that has never been seen before (zero-day issues) and code that blacklists won’t recognize immediately. Security professionals must keep in mind that there is considerable expense in the AWL game, not only with the initial purchase but with the internal man-hours required to make changes and test new patches and application updates on the servers. Additionally, AWL will not permit IT managers to use their systems the way they like because it blocks non-malicious code such as new applications. Therefore, most users have traded security (whitelisting) for ease-of-use (blacklisting).
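To make the contrast between the two policies concrete, here is an added example (not code from the article or any product it mentions): a minimal hash-based allowlist beside a denylist, evaluated against constructed sample files, including one never seen before and one freshly patched application. The sample contents and their hashes are constructed for the illustration.

```python
import hashlib

# Constructed sample file contents standing in for executables; none of this is
# real malware, and the hashes are derived from these bytes at run time.
SAMPLES = {
    "approved_app_v1": b"approved-app-v1",       # vetted and explicitly allowed
    "known_malware": b"known-malware-sample",    # already in the denylist
    "zero_day": b"never-seen-before-sample",     # unknown to both lists
    "approved_app_v2": b"approved-app-v2",       # a patch of the approved app
}


def file_hash(data: bytes) -> str:
    """SHA-256 of the file contents, the identity both list types key on."""
    return hashlib.sha256(data).hexdigest()


# Blacklist: hashes known to be malicious (signature-style detection).
DENYLIST = {file_hash(SAMPLES["known_malware"])}
# Whitelist: hashes explicitly approved to run.
ALLOWLIST = {file_hash(SAMPLES["approved_app_v1"])}


def blacklist_decision(data: bytes) -> str:
    """Block only what is known bad; everything else runs by default."""
    return "deny" if file_hash(data) in DENYLIST else "allow"


def whitelist_decision(data: bytes) -> str:
    """Run only what is known good; everything else is denied by default."""
    return "allow" if file_hash(data) in ALLOWLIST else "deny"


def approve(data: bytes) -> None:
    """The manual step AWL requires after every patch or new application."""
    ALLOWLIST.add(file_hash(data))


def compare_policies() -> dict:
    """(blacklist, whitelist) decision for every sample, keyed by name."""
    return {
        name: (blacklist_decision(content), whitelist_decision(content))
        for name, content in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (bl, wl) in compare_policies().items():
        print(f"{name:16} blacklist={bl:5} whitelist={wl}")
```

The zero-day sample and the patched application both pass the blacklist and both fail the whitelist until someone runs the approval step, which is exactly the trade-off the text describes.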

Another reason information security professionals are taking a second look at antivirus protection is the “cost vs. rewards” to their respective organizations. The advent of malware insurance has offset the cost incurred by damages from malware; however, there are also losses to one’s reputation and possibly even regulatory fines to consider. Couple this with the premise that no antivirus technology will guarantee 100 percent security, and government security professionals find themselves in a conundrum when faced with the task of providing cost-effective advice to senior executives.

So, what is an agency to do? While the drawbacks of using antivirus are all valid, many agree that the technology should still be used as part of a “security-in-depth” approach. Maintaining an arsenal of sophisticated security tools that protect the enterprise network from the “outside-inward” is still the preferred, balanced approach to security. Equally important, antivirus technology must be complemented with a good security education and awareness program along with other information security policies and procedures.

About the Authors

Members of the (ISC)2 U.S. Government Advisory Council Executive Writers Bureau include federal IT security experts from government and industry. For a full list of Bureau members, visit https://www.isc2.org/About/Advisory-Council#

Lou Magnotti, Executive Writers Bureau member, was lead author of this peer-reviewed article.


Reader Comments

Fri, Jan 9, 2015 Jake

The LastLine Labs "test" used VirusTotal, a service which makes it clear it should not be used for detection testing purposes and which uses specially-configured, command-line versions of basic malware scanners, not proper "anti-virus" products. Any product marketed as anti-virus these days will almost certainly be some sort of internet security suite, and just about all of them include "cloud" components as well as a range of other protective layers on top of the simple static file scanning component which LastLine so dismally failed to properly test. All but the most basic (or fake) include at least some sort of dynamic monitoring or intrusion-detection systems to complement the signature/heuristic combo provided by the static file scanners.
