
SANS ISC: So, how dead is antivirus exactly? - SANS Internet Storm Center SANS ISC InfoSec Forums

So, how dead is antivirus exactly?
Symantec recently made a loud statement that antivirus is dead and that they don’t really consider it to be a source of profit. Some companies said the same afterwards; some others suggested that Symantec just wants a bit of free media attention. Some companies just silently recommend using advanced information protection, and the press is full of data on antivirus efficiency being quite low. A notable example would be the Zeus banking Trojan and how only 40% of its versions can be stopped by antiviruses. The arms race between protection and malware developers is probably not going to stop, so this situation will remain.

On the other hand, nobody was thinking too much of antivirus anyway for a long time already, so it’s hardly surprising. It’s not a panacea; the only question that remains is just how exactly antivirus should operate in modern security solutions. Should it be one of the key parts of a protection solution, or should it be reduced to protection against only the easiest and already well-known threats?

It’s not only about dealing with threats; there are also performance concerns. Processors get better and interaction with hard drives becomes faster, but at the same time antiviruses require more and more of that power. Real-time file scanning, constant updates and regular checks on the whole system only mean one thing: as long as antivirus is thorough, productivity while using this computer goes down severely. And this situation is not going to change, ever, so we have to deal with it.

But how exactly? Is the massive migration of everything, from workstations to automatic control systems in industry, even possible? Or maybe using whitelisting protection on Windows-based machines is the answer? Or should we all just sit and hope for Microsoft to give us a new Windows with good integrated protection like Windows 8 is stated to have? Any other ways to deal with it?

2 Posts
Not dead at all. A lot of the reason why they think it's dead is because the nature of infections is changing. But we've heard this before. Back in the 90s it was all pattern analysis, which quickly flew out the window when polymorphic and encrypted/obfuscated payloads started becoming the norm. Then heuristics became important, looking for anomalous behavior rather than direct patterns. And now the same is true again...we're dealing with even faster-fluxing systems which makes heuristics hard, and pattern analysis a losing game.

But like even in the 90s and early 00s, the biggest defense against new threats is user awareness and planning. Back in those days, a clueless user could still get hit with new strains even with an up-to-date AV package.
Darron Wyke

19 Posts
I agree, it's not dead at all. Perhaps in the past it was more important than today, but it is still an integral part of a sound security "defense-in-depth" strategy. IMO, the 4 most critical elements for protection against malware are:

1) Proxy (to detect and block communications to blocklisted IPs/domains which indicates a host on your network is infected)
2) IDS/IPS (signatures to detect malware communications)
3) Antivirus
4) SIEM - continuous monitoring of firewall logs, events, etc. to detect what 1-3 may have missed (this is your fail-safe)

In my experience, malware usually gets caught by one of the three defenses above. Not always by antivirus, not always by IDS/IPS, and not always by the Proxy. But with the three combined, the malware will likely be caught by one of them. And if 1-3 fail, then you should be able to detect malicious or abnormal communications in your SIEM - if you have it set up properly and you can detect abnormal communications or anomalies.

Just the other day I had a malware incident that IDS/IPS and the Proxy did not catch - but AV did. So it's not dead by any means, it's one of the essential tools in a comprehensive security defense strategy.

Bottom line: I wouldn't rely on AV alone, but I wouldn't want to be without it either.

69 Posts
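The fail-safe layer described in the post above (proxy blocklist first, SIEM anomaly detection when the blocklist misses) can be sketched as a small script. This is an added example, not code from the post's author or from any SANS ISC tool; the blocklist entries, the proxy log lines and the `beacon-host.invalid` / `198.51.100.23` destinations are all constructed placeholders, and the regular-interval ("beaconing") heuristic is one assumed way to spot abnormal communications, not the only one.

```python
"""Toy proxy-log triage: a blocklist check and a SIEM-style beaconing heuristic.

Added example. Log lines and blocklist entries are constructed, not real indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed blocklist (placeholder names/addresses, not real IoCs).
BLOCKLIST = {"bad-example.invalid", "198.51.100.23"}

# Constructed proxy log lines: "<timestamp> <client> <destination> <bytes>".
# 10.0.0.7 talks to a blocklisted address every 5 minutes; 10.0.0.12 talks to a
# destination the blocklist does NOT know about, once a minute with tiny jitter.
SAMPLE_LOG = """\
2014-05-12T09:00:00 10.0.0.5 www.example.com 5120
2014-05-12T09:00:07 10.0.0.5 cdn.example.net 18044
2014-05-12T09:01:00 10.0.0.9 updates.example.org 9000
2014-05-12T09:05:00 10.0.0.7 198.51.100.23 310
2014-05-12T09:10:00 10.0.0.7 198.51.100.23 310
2014-05-12T09:15:00 10.0.0.7 198.51.100.23 310
2014-05-12T09:20:00 10.0.0.7 198.51.100.23 310
2014-05-12T09:03:00 10.0.0.5 www.example.com 7700
2014-05-12T09:30:00 10.0.0.12 beacon-host.invalid 256
2014-05-12T09:30:59 10.0.0.12 beacon-host.invalid 256
2014-05-12T09:32:00 10.0.0.12 beacon-host.invalid 256
2014-05-12T09:33:01 10.0.0.12 beacon-host.invalid 256
2014-05-12T09:34:00 10.0.0.12 beacon-host.invalid 256
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, destination, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), client, dest, int(nbytes)))
    return events


def blocklist_hits(events, blocklist=BLOCKLIST):
    """Layer 1 (proxy): report each client/destination pair on the blocklist once."""
    hits = []
    for _, client, dest, _ in events:
        if dest in blocklist and (client, dest) not in hits:
            hits.append((client, dest))
    return hits


def find_beacons(events, min_events=4, max_jitter=0.10):
    """Layer 4 (SIEM fail-safe): flag client->destination pairs whose connections
    recur at a near-constant interval, which looks like automated check-ins rather
    than a person browsing. Returns {(client, dest): mean_interval_seconds}."""
    times = defaultdict(list)
    for ts, client, dest, _ in events:
        times[(client, dest)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Relative jitter: standard deviation of the gaps divided by the mean gap.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def triage(text):
    """Run both layers over one log and return their findings side by side."""
    events = parse_log(text)
    return {"blocklist": blocklist_hits(events), "beacons": find_beacons(events)}


if __name__ == "__main__":
    for layer, findings in triage(SAMPLE_LOG).items():
        print(layer, findings)
```

The point of the two layers is in the output: the blocklist catches only `10.0.0.7`, while the interval heuristic also surfaces `10.0.0.12`, whose destination no list knew about. In a real SIEM the thresholds (`min_events`, `max_jitter`) need tuning against legitimate periodic traffic such as update checks and mail polling, or the fail-safe drowns in false positives.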
Also, IMO the reason that Symantec declared AV "dead" is purely a business reason - they aren't making money on it anymore. On the consumer side, there are several free products that are just as good as any paid AV solution (Avast, AVG, Sophos, etc.). So yes, the revenues have been in decline for quite some time now.

But that leaves me wondering on the state of security at Symantec. Will they only support security solutions that can "make them a buck" while tossing other valid solutions (live AV) aside? If that's the case then that's not good... but at the same time it's OK since there are many other companies that are happy to fill the void.

Also, the statement about antivirus causing performance issues, I know from experience, isn't true for all antivirus clients. Yes, there are bloated AV clients out there that cause your system to run slow. However, there are also AV clients that are streamlined and have a minimal impact on system performance. For example, between my testing with Avast, AVG, Sophos, and Symantec:

Avast: ran without any noticeable impact on performance. This includes when a full system scan was running.
AVG: similar performance to Avast.
Sophos: A little bit of lag.
Symantec: Noticeable lag.

So if you're worried about performance, it really depends on which AV solution you're running. Some are programmed better than others - and there are many comparisons and tests available on the web if you want to research this further:

69 Posts
This isn't a good test of true baseline (without AV) performance, since Windows Defender is an AV product of sorts and it clearly states it was turned on for baseline "without AV" measurements. This comparison, therefore, while very useful for the performance comparisons of various AV solutions, doesn't tell us how much the fastest solution is drawing from the system performance. Logic dictates that having to scan the contents of each file as it is read and compare it to a massive list of signatures cannot exist without a performance impact. The CPU load to create a pattern from what it is scanning and compare patterns to code, plus the disk I/O and memory to load those patterns and/or keep them in memory, is an undeniable fact.

From my own experience running Macs on similar hardware without AV (and a few internal throwaway Windows VMs without AV), I can tell you there is definitely a moderate impact. This is of course unscientific, but there is no doubt it is there and not trivial. It is very true that newer hardware and more memory will reduce the visible impact, but the amount of resources used is just a smaller percentage of the whole, not actually reduced in real terms.

We need better technology than AV; security of the core software is the first place to start. The more you allow external changes from an untrusted source to occur without confirmation, the higher your risk. The more any solution depends on constant updates like this, the more likely something bad will slip in masquerading as something good, and you are toast. If the barrier is a wall with a steel door that you control instead of a fence, then you will stop almost all of it beyond the uneducated. Make it easier for non-techies to understand what they must do and then you will have a nearly complete solution. We make the average end user have to understand far too technical info to protect themselves, which causes many of them to just give up and pray their AV vendor can protect them. Great for the AV vendor but bad for everyone else, including us.

23 Posts
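The original post asks whether whitelisting on Windows machines is the answer, and the post above argues for a "steel door that you control" rather than a fence. The script below is an added example that is not from either poster or from any whitelisting product: it contrasts a default-deny allowlist keyed by content hash with a weaker path-based rule, using constructed byte strings as stand-in "binaries" and placeholder paths, and it also shows the maintenance cost the thread worries about, since a legitimate upgrade is denied until the policy is updated.

```python
"""Default-deny execution allowlist by hash, next to a weaker path-based rule.

Added example. The 'binaries' are constructed byte strings, not real programs,
and the paths are illustrative placeholders.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the programs an administrator has approved.
APPROVED = {
    "C:/Program Files/Editor/editor.exe": b"MZ editor build 1.0",
    "C:/Windows/System32/calc.exe": b"MZ calc",
}


def build_policy(approved):
    """Allowlist keyed by content hash; the path is kept only for reporting."""
    return {sha256(content): path for path, content in approved.items()}


def decide_by_hash(content, policy):
    """The 'steel door': unknown content is denied whatever its name or location."""
    return "allow" if sha256(content) in policy else "deny"


def decide_by_path(path, approved):
    """The 'fence': trust whatever sits at an approved location."""
    return "allow" if path in approved else "deny"


def evaluate(candidates, approved):
    """Return {path: (hash_decision, path_decision)} for each execution attempt."""
    policy = build_policy(approved)
    return {
        path: (decide_by_hash(content, policy), decide_by_path(path, approved))
        for path, content in candidates.items()
    }


def approve(approved, path, content):
    """Controlled policy update: the administrator explicitly admits new content."""
    return {**approved, path: content}


# Constructed execution attempts: the approved editor, an unknown download,
# different content planted at an approved path, and a legitimate upgrade of
# the editor that the policy has not been updated for yet.
CANDIDATES = {
    "C:/Program Files/Editor/editor.exe": b"MZ editor build 1.0",
    "C:/Users/alice/Downloads/setup.exe": b"MZ unknown installer",
    "C:/Windows/System32/calc.exe": b"MZ something else entirely",
    "C:/Program Files/Editor/editor-1.1.exe": b"MZ editor build 1.1",
}


if __name__ == "__main__":
    for path, (by_hash, by_path) in evaluate(CANDIDATES, APPROVED).items():
        print(f"{by_hash:5} (hash) {by_path:5} (path)  {path}")
    updated = approve(APPROVED, "C:/Program Files/Editor/editor-1.1.exe",
                      b"MZ editor build 1.1")
    print(evaluate(CANDIDATES, updated)["C:/Program Files/Editor/editor-1.1.exe"])
```

The tampered `calc.exe` is where the two rules diverge: the path rule allows it because the location is trusted, the hash rule denies it because the content is not. The flip side is the fourth candidate, a genuine new build that the hash rule also denies until someone runs `approve`; that is the update burden the thread is debating, and it is what a real product moves to publisher or certificate rules to manage.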
It's not dead, it's just resting.
ColumPaget

2 Posts
