Is antivirus now useless?
Debates over the state of antivirus technology and tools has resurfaced yet again after the executive in charge of Symantec's information security business was quoted as saying antivirus is dead.
Debates over the state of antivirus technology and tools have resurfaced yet again after the executive in charge of Symantec’s information security business was quoted in the Wall Street Journal a month ago as saying antivirus is dead.
Now, that should be a big deal, since Symantec has made its reputation and fortune off the back of the antivirus business, and it still makes up some 40 percent of its revenue. According to Symantec’s Brian Dye, the company no longer thinks of antivirus as any kind of money maker. Antivirus catches less than half of the cyber attacks that now occur, he said.
However, this is only the latest in a series of announced deaths of the venerable technology, which has for so long been a keystone of enterprise security. In 2012, the Flame malware was discovered to have infected systems around the world and to have been resident on those systems for up to two years without having been detected by antivirus software. It was seen as a huge failure for antivirus, and the potential death knell for the technology.
None of this is news to most security professionals, who have been preaching the vulnerability of “traditional” security for some time and the need for layered, in-depth defense. Symantec now certainly believes that, since it has a new philosophy (and new products and solutions to sell) which emphasizes this approach.
But, is antivirus now really useless? That would be bad news for many government organizations, which still rely to a great extent on legacy systems such as antivirus for the core of their security. Lastline Labs, which looks at these kinds of issues, is one outfit that isn’t ready to toll the bell for antivirus yet, though it does say it’s staggering badly.
The main problem, it believes, is that antivirus takes too long to catch up with malware. From tests run for over a year, from May 2013 to May 2014, it found that, on any given day, at least half of the AV scanners it tested failed to detect new malware. Even after two months, a third of the scanners were still not detecting it.
Eventually, AV scanners do start to catch up. Two weeks was the common lag time. But, even after a year, according to Lastline, there were malware samples that still evaded 10 percent of the scanners tested.
Source: Lastline. Click chart for larger view.
As the graph shows, there’s a major problem with the 1 percent of malware that consistently evades capture by antivirus systems. That likely represents advanced malware that more sophisticated criminals use to persistently target and infiltrate organizations, Lastline said. Unfortunately, unlike more opportunistic cyber events, attacks that use such malware are the ones that usually cause the most serious security breaches.
Traditional antivirus is not dead, Lastline believes, but it does need to be complemented with other approaches, such as those based on dynamic analysis of samples and network anomaly detection. The National Security Telecommunications Advisory Committee came to a similar conclusion in a report to the president last year, and it’s the basis of many of the next generation of security tools that are now being unveiled.
Meanwhile, until budget-constrained agencies can catch up with this flow, many will have to persist with the AV systems they already have while being aware of their limitations.
Which brings up another point.
In February of this year, a Senate report on the federal government’s cybersecurity track record found that agencies that had recently suffered major breaches had consistently failed to patch security software, including antivirus, with some as many as two years behind on their updates.
Even the admittedly limited effectiveness of traditional antivirus systems won’t survive that.