It was back in the 1990s when someone told me that operating systems like Windows NT were getting so safe that AV would soon be out of business. And I hear on a regular basis that AV is so ineffective it's not worth having. Because I get some of my income from the anti-virus industry, no doubt you'd expect me to disagree. I do, but that's not why.
Kevin Townsend asked my opinion of a Wired article quoting several security people at RSA saying that they don't use anti-virus (also summarized here). You can read some of my response in a good, balanced article in Infosecurity Magazine, which shares my concern that non-experts will be misled into assuming that because some security people say that, it's fine for everybody to take it off their machines. But I'm going to expand on those points because I think this is important.
As it happens, there was a time back in the 90s when I didn’t use AV on my own machines except for test purposes. But I do now, and I probably know more about malware than most of the guys outside the AV sector who are now saying that AV is unnecessary. Originally, because I envisioned a rise in 0-day-type compromises where the security of an OS or an application was beyond my control – and I wasn’t wrong – and more recently because sometimes I have to look at URLs or files that may be risky, AV software doesn’t guarantee my safety from malicious code, or anyone else’s, but I’m not going to refuse an extra layer of security: AV still detects a substantial amount of malware (and other unwanted code) proactively. And I'd be using AV software even if all I had was the machine I do my writing on and didn't do any hands-on research.
AV is not The Answer, or any sort of 100% solution, but nor are whitelisting, or detailed DIY log analysis, or the other panaceas du jour. I agree that the man in the street shouldn’t think that because he has AV or a personal firewall, he’s Safe: it’s perfectly true that AV can’t detect everything. Though it’s not true to say that AV relies on static signatures and detects only known malware, and all the other stuff that's parroted year after year by people who should know better. In the real world, a decent AV scanner (or, better, an internet security suite) and some common sense are still a lot better than nothing. In fact, for most people they're better than a guru-friendly but consumer-hostile security program that isn't installed and maintained properly…
And no, checking a malicious file against VirusTotal doesn't give you a fully accurate picture of what is and isn't detected, contrary to a suggestion in the Wired article: that isn't what the site is for. In fact, VT's Julio Canto and I put together a presentation on that topic last year for a forensics conference: I'll see if I can make that available for those who are interested.
But you should be aware that most individuals and many companies don’t know the technology well enough or simply don’t have time or capacity to use the sort of complex tools that security experts do. I doubt if the average Windows user is going to play with open source security software (good though some of it is) or go poring through incomprehensible logs.
And you should also bear in mind that some of the security experts who are denigrating AV en masse right now have their own commercial agendas to push, in favour of other technologies that are not the 100 Per Cent Solution either.
Believe me, if there was a viable, 100% effective solution, I'd be very happy to tell you to use it and then go and do something else with my life.
David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow
Author David Harley, ESET