RIP Anti-Virus (Again)

SC Magazine's Dan Raywood and I were talking about a claim by Nir Zuk, CTO of Palo Alto Networks, that "Anti-virus is dead because it is unable to detect attacks properly and is incapable of working on mobile devices…" As you might expect, I don't by any means agree that AV is a dead parrot, though I'm not going to claim that it detects everything (or anywhere near that) either.

Reading Dan's article, which came out this afternoon (in our part of the world), it occurs to me that something I said could have been a little clearer:

"The fact that anti-virus is focused on malicious binaries does make it less effective in attack scenarios that are more generic in nature, but that's why you need multi-layering."

When I mentioned "more generic scenarios" I had in mind issues such as vulnerabilities that are not tied to a specific binary, which AV may not consistently address. Of course, the other main issue in the discussion, targeted malware, is anything but generic, and it's an issue that should be taken very seriously. I don't believe that a threat can be measured purely in terms of the volume of attacks or infections, and if that's what Nir Zuk was getting at, I'm in agreement. It is a key threat (meaning that it could have very serious consequences indeed), and it's one that tends to put AV at a disadvantage if it's done "professionally". It's just not the only threat.

[Update: I notice that SC Magazine is inviting people to comment on its LinkedIn group. Or, of course, feel free to comment here, but try to keep it polite. ;-)]

[Update 2: A nice Dr Seussian observation by Kurt Wismer on unrealistic expectations of automated detection: http://www.secmeme.com/2011/06/seussian-security.html]

David Harley CITP FBCS CISSP
ESET Senior Research Fellow