Schrödinger’s antivirus: The immortality of antivirus software

The question of antivirus software being dead is one that doesn't seem to go away. Why is that? Distinguished ESET researcher Aryeh Goretsky explores.

The question of antivirus software being dead is one that doesn’t seem to go away. Why is that? Distinguished ESET researcher Aryeh Goretsky explores.


There are certain subjects that are the equivalent of scraping fingernails across a chalkboard for antimalware researchers, raising their digital hackles and causing grimacing normally associated with phrases like “root canal surgery” and “income tax audit”. In the case of antimalware, it’s being told that “antivirus is dead”.

That’s why I gave a webinar a few days ago titled Is AV Dead? on ESET’s BrightTALK channel, looking not just at the many times I’ve heard this tired canard over the years, but the reasons behind it as well, delving into the many times the “death of AV” has been announced, as well as looking at the new – and old – technologies used to protect against threats.

Please note that a free registration is required to view this presentation, as well as others by myself and my fellow researchers. If you’re not up for that, or don’t have an hour to spare, you can download the slide deck from the White Papers section of We Live Security.

After a fashion, this presentation is the obverse to the webinar I gave at the beginning of the year on Advanced Persistent Threats: Using multi-layered detection to defend against APTs, where I looked at all of the new techniques being used by antimalware companies to protect against espionage by businesses and governments.

The Many Lives and Deaths of AV

The antivirus industry – or as it is now known, the antimalware industry – has a rich and somewhat tiring history of being told that “antivirus is dead”. The first time I heard this was 26 years ago at McAfee Associates in 1989, when the 1260 virus first appeared, targeting computers that ran DOS. Also known as the V2P1 or Chameleon virus, this was the first computer virus that was polymorphic. That is, it varied the order in which its instructions were executed in an attempt to avoid detection. And it did, for about four hours, until one of the programmers developed an algorithm to scan for it.

Over the intervening two and a half decades I have heard the same pronouncement, time and again, from malware authors, sundry journalists, pundits and bloggers. Sometimes, it’s not even from outside the antimalware industry, but from within, when one company or another is the one to say it, for various self-serving reasons.

“Why do people keep proclaiming that antivirus is dead?”

Yet, here we are, as 2015 comes to a close, and the majority of the software protecting peoples’ computers from viruses, worms, and sundry other threats is still called antivirus or antimalware software. So, why do people keep proclaiming that antivirus is dead?

When reading these kinds of (often self-congratulatory) pronouncements, it is important to apply some critical thinking skills. In particular, it is critical to ask one question:

Cui bono?

Which literally translates to “to whose good?” in Latin, but basically means to ask who profits from such a claim or action. A little dose of skepticism can go a very long way when one is simply glancing through news stories about the state of computer security.

Adaptive Antimalware

Of course, that’s not to say that antimalware (né -virus) software hasn’t changed over the years, either. Just as the threats and threat actors have changed, antimalware software has had to reinvent itself numerous times over the years to face these new adversaries.

“Antimalware software has had to reinvent itself numerous times over the years to face new adversaries.”

The truth of the matter is that today’s modern antimalware software is as different from previous generations of antivirus software as today’s threats are from those old file and boot sector infecting viruses that plagued the DOS era.

Today we stand on the cusp of another sea-change, as mobile devices such as smartphones and tablets are used more and more for banking, shopping and other uses that draw the interest of criminals.

For more information on that, I refer you to the recently published feature article: ESET denies claims antivirus is dead as mobile malware threats rocket. At about five or six pages, it is a bit of a long read, but it contains great information from some of ESET’s top researchers about how ESET is protecting you not just from today’s threats, but tomorrow’s as well.

Here are some links to additional pronouncements on how “AV is dead” along with rebuttals explaining how antimalware software has evolved over the years to protect you against not yesterday’s threats, but those of today and tomorrow as well:

As you can see, it appears reports of the death of antivirus software appear to have been greatly exaggerated.

I would like to thank my colleagues Bruce Burrell, Stephen Cobb, David Harley and Thomas Uhlemann for their assistance with both my presentation and this article.

Lastly, for those who might be wondering about the title to this article, it is a reference to Schrödinger’s Cat, a thought experiment by physicist Erwin Schrödinger in which he puts forward a hypothetical scenario where a cat in a box might be, according to the Copenhagen interpretation of quantum mechanics, both alive and dead until the box is opened.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center