RIP Anti-Virus (Again)

SC Magazine's Dan Raywood and I were talking about a claim by Nir Zuk, CTO of Palo Alto Networks, that "Anti-virus is dead because it is unable to detect attacks properly and is incapable of working on mobile devices…" As you might expect, I don't by any means agree that AV is a dead parrot, though I'm not going to claim that it detects everything (or anywhere near that) either.

Reading Dan's article, which came out this afternoon (in our part of the world), it occurs to me that something I said could have been a little clearer:

"The fact that anti-virus is focused on malicious binaries does make it less effective in attack scenarios that are more generic in nature, but that's why you need multi-layering."

When I mentioned "more generic scenarios" I had in mind issues such as binary-non-specific vulnerabilities, which AV may not consistently address. Of course, the other main issue in the discussion, targeted malware, is anything but generic, and it's an issue that should be taken very seriously. I don’t believe that a threat can be measured purely in terms of the volume of attacks or infections, and if that’s what Nir Zuk was getting at, I’m in agreement.  It is a key threat (meaning that it could have very serious consequences indeed), and it’s one that tends to put AV at a disadvantage, if it’s done “professionally”. It’s just not the only threat.

[Update: I notice that SC Magazine is inviting people to comment on its LinkedIn group. Or, of course, feel free to comment here, but try to keep it polite. ;-)]

[Update 2: A nice Dr Seussian observation by Kurt Wismer on unrealistic expectations of automated detection: http://www.secmeme.com/2011/06/seussian-security.html]

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Author David Harley, ESET

  • Martijn Grooten

    Possibly the most prominent APT attack this year was the one on RSA. The email was actually blocked and put into quarantine. Then the user was able to take the email out of quarantine and open the attachment. So anti-virus (or anti-spam, I don't know which of the two was responsible for the blocking of the email) did its work. The problem was what the user was then allowed to do.

  • Ken Bechtel

    I remember when integrity checkers came out in the early days. People were claiming scanning was dead in the late 80′s early 90′s So I suspect it’s just as Kirk pointed out, unrealistic expectations. Anti-Virus is the current best tool for the specific task of detecting neutralizing and repairing KNOW THREATS. Any professional worth their salt will tell you, you need to perform defense in depth, layered approach, and that doesn’t mean just throwing another software package on the wire and saying you’re protecting something. You need to be comprehensive, integrated, and overlapping (jeez I sound like a marketing buzzword) but if your protection doesn’t work together, cover known gaps, and address multiple vectors, you’re just wasting your money and time. Please use the right tools for the right jobs, and you will be well served by your investments.

  • kurt wismer

    @ken bechtel
    it goes a bit beyond that. when you're dealing with targeted attacks you're dealing with an intelligent attacker. no automated tool is a good fit when there's an intelligent attacker involved. intelligent attackers call for intelligent defenders. tools won't do any good without skilled personnel actively looking for the right things.
    automated tools may get lucky from time to time and stop malware involved in a targeted attack, but a proper defence against targeted attacks can't be automated.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

20 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.