This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Palo Alto Networks CTO: anti-virus technology can't stop targeted attacks

Share this article:

Anti-virus is dead because it is unable to detect attacks properly and is incapable of working on mobile devices, according to Nir Zuk, founder and CTO of Palo Alto Networks.

Zuk told SC magazine that the "15-year-old technology is unable to detect everything on the network" and "does not run on mobile devices".

He added: “Why does it not detect? Because attacks are very different, they are so widespread and, because of that, vendors see them and assume they are bad.

“This was good a few years ago when anti-virus vendors would see an attack and assume that it was propagated to as many machines as possible. But now they are targeted and the attacks are against a small number of companies and to a single user, so anti-virus cannot detect them.

“The attacker can pick up targets by finding out who works for a company via LinkedIn, what they like from Facebook and make them go to a website or receive an attachment from a trusted person - and there is nothing that anti-virus can do about it.”

Zuk said there is a gap in the mobile security market and solutions will come from new companies. “In the same way that Microsoft leads on the OS but is not a mobile or internet player, [mobile] is ruled by Apple and Google. But the market is so big that new vendors will come in,” he said.

David Harley, chief executive of Small Blue-Green World, said it was hard to defend the position that "anti-virus doesn't detect anything", and a more reasonable argument would be that "anti-virus doesn't detect everything".

“Then I would have agreed with [Zuk] and so would every other researcher in the anti-virus business. But then, I have yet to see any '100 per cent' solutions. A totally generic solution may get close to blocking 100 per cent of threats, but will discard some ‘true positive' objects,” he added.

“Personally (and in principle) I'd rather advocate a sound combination of defensive layers than advocate the substitution of one non-panacea for another, as vendors in other security spaces sometimes seem to. Actually, a modern anti-virus solution is already a compromise between malware-specific and generic detection, but I still wouldn't advocate anti-virus as a sole solution, any more than I would IPS, or whitelisting, or a firewall.”

Harley also disagreed with the assumption that anti-virus technology does not bother to block non-generic, targeted attacks.

He said: “The sheer number of malicious attacks does mean that anti-virus labs have to prioritise to some extent, but that prioritisation is rather more complex than that and it is far from the only factor in detection. The relationship between a given binary and other malware families, for instance, is a big factor in determining whether that binary is detected at a time when there is no malware-specific detection for it.

“It's quite possible that a single, targeted attack won't be detected initially by many or any anti-virus solutions, especially if it involves the combination of a zero-day and the use of multi-scanning to tweak the binary until no common engine detects it, but to dismiss anti-virus on those grounds is to throw out a whole generation of babies with a very small quantity of bathwater.

“The fact that anti-virus is focused on malicious binaries does make it less effective in attack scenarios that are more generic in nature, but that's why you need multi-layering. Horses for courses.”

Share this article:

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more

More in News

UK police arrest trio over £1.6 million cyber theft from cash machines

UK police arrest trio over £1.6 million cyber ...

London Police have arrested three suspected members of an Eastern European cyber-crime gang who installed malware on more than 50 bank ATM machines across the UK to steal £1.6 million.

Password recovery made too easy

Password recovery made too easy

A senior malware analyst has slammed the availability of a `password recovery' utility from Freehostia, noting that the software actually uses network admin utilities to take credentials from the users' ...

Belgacom says alleged GCHQ APT attack cost firm £12 million

Belgacom says alleged GCHQ APT attack cost firm ...

One year on from a nation-state APT which 124 systems at telecom operator Belgacom and the firm has detailed the cost and manpower involved in the clean-up operation.