Is anti-virus dead, yet again?
It's a rare week when anti-virus doesn't get a beating somewhere for being ineffective or useless at catching viruses.
Earlier this year, it was asked whether the failure to detect the Flame worm spelled the end of anti-virus, while researchers have questioned the role it plays alongside gateways, intrusion detection systems and next-generation firewalls.
In one report, David Gorodyansky, CEO of AnchorFree, claimed that 'anti-virus is no longer enough' as the 'cloud [is] driving security [the] imperative shift from device to online interaction'.
Its report claimed that businesses can no longer rely on anti-virus software alone to protect them from malware and other security threats, as companies and consumers increasingly conduct their business in the cloud and the use of mobile devices, including the difficult-to-secure Apple iPhone, has vastly increased, 'so the need to protect the device has been overshadowed by the increasing need to secure our online interactions'.
Gorodyansky said that if both the web and email are protected by cloud security, the devices in question are likely to be safer than ever. “As more and more businesses and consumers entrust reams of precious and highly confidential data to the cloud, direct threats to devices become less relevant than the threat of compromising our identities or personal data – via Google docs, Dropbox files, passwords, search activities or sites visited online,” he said.
“I'm certainly not encouraging businesses to scrap their anti-virus protection, but it's essential that companies pay more attention to securing their online activities and looking at what else they can do to protect their business.” He recommended businesses and individual consumers should switch to using a virtual private network (VPN) to protect themselves.
Another report, this from Imperva, collected and analysed 82 previously non-catalogued viruses against more than 40 anti-virus solutions, and it found that less than five per cent of anti-virus solutions in the study were able to initially detect previously non-catalogued viruses, and that many solutions took up to a month or longer following the initial scan to update their signatures.
Amichai Shulman, CTO of Imperva, said that the reality is that every single newly-created virus may subvert these solutions. “We do not believe that enterprises are achieving the value of the investment of billions of dollars in anti-virus solutions, especially when certain freeware solutions in our study outperformed paid solutions.”
The findings of the report stated that 'anti-virus solutions have a difficult time detecting newly created viruses' due to the low rate of detection and solutions being unable to provide complete protection as they were unable to keep up with virus propagation on the internet.
It also said that there was a lag in updating signatures, with some solutions taking up to four weeks following the initial scan to detect a virus. Finally, in a week where Microsoft's free Security Essentials anti-virus software failed to detect 36 per cent of zero-day threats when running under Windows 7, the report also claimed that there was a real benefit in 'freeware' solutions as certain freeware solutions in the study proved equally or more effective than paid solutions, including the solutions that had the best detection rates.
Like Gorodyansky, Imperva did not recommend completely eliminating anti-virus solutions from an effective security posture 'despite the inadequacy'. It said that instead, security teams should focus on detecting abnormal behaviour, such as unusually fast access speeds or large volumes of downloads, and adjust their security spend towards modern solutions that address today's threats.
Defending the sector, Righard Zwienenberg, senior research fellow at ESET, criticised the study's failure to follow Anti-Malware Testing Standards Organisation (AMTSO) guidelines, its reliance on VirusTotal, and 'having the different products run with different parameters, resulting in different levels of heuristic paranoia'.
He said: “VirusTotal is self-described as a tool, not a solution: it's a highly collaborative enterprise, allowing the industry and users to help each other. As with any other tool (especially other public multi-scanner sites), it's better suited to some contexts than others.
“Why is anti-virus not a waste of money? The service, the support, the timely updates, the research into (future) threats, etc. There is no such thing as a free anti-virus. Because of the work that is put into those 'free' products, the developer needs to get some return on his investment.
“Most often this is done by installing 'complementary' toolbars, utilities containing adware-like functionality and so forth, where the client is monitored and served with information 'you need'. Additionally, once an anti-virus company includes a toolbar with their 'free' offering, they may be pressured by the toolbar vendor to exclude detection of other products bundling the toolbar vendor's software, which may be more intrusive in nature and cross the line from grey into black.
“There is an unfortunate tendency to believe, especially amongst consumers, that anti-virus software serves as a magic forcefield which protects their computer from goblins and other things which go bump in the night. While this sometimes is the case, anti-virus software is more often like car insurance: you may not like purchasing it, but when an 'accident' occurs, you'll be glad that you bought the plan with the best support.”
Using a layered approach to security is what any integrator, reseller or analyst will tell you: you don't rely on one thing to protect you, which is why other technologies have flourished in this sector. Of course anti-virus is not perfect, and that is why threats such as Flame succeeded; in another vein, though, security vendor Bit9 was able to protect users against that particular worm.
I am not going to draw a conclusion here, as I am sure both AnchorFree and Imperva research papers were done professionally, but I doubt that the sector is dead as has been prescribed many times before. I'll let you decide what the answer to this debate is.