Why Antivirus Isn’t Dead

Antivirus software has been declared dead by some industry watchers who contend this form of protection can’t keep pace with rapidly changing malware. The technology, however, remains relevant and MSPs can expect to work with antivirus products for a while.

As an MSP plugged into the market, you’ve probably heard or read about the demise of antivirus (AV) software.

In a recent example, Symantec pronounced AV dead in a Wall Street Journal article, which described the company’s new approach to cyber attacks. Those who believe that AV is on the way out often focus on the technology’s traditional, signature-based malware detection methods. The knock on signatures: viruses evolve faster than vendors can develop the means to identify them, leaving consumers and enterprises vulnerable.

Imperva’s December 2012 report on the effectiveness of AV solutions contended that most AV products “can’t keep up with the rate of virus propagation on the Internet.” Even though vendors attempt to update their detection methods, the “initial detection rate of new viruses is nearly zero,” the report stated. Gartner described signature-based AV as “limping along on life support for years” back in 2010.

More recently, FireEye in May published the results of its analysis of half a million malware samples. The company said it discovered that most malware disappears in a couple of hours, noting that “rapidly developing iterations of malware is becoming the de facto way of hacking.”

FireEye describes AV signature development as “inherently behind the curve” since malicious parties can iterate new versions of malware much faster than vendors can collect samples and create signatures.

The Case For AV

AV’s portrayal as a hopelessly ineffectual technology sounds discouraging. But MSPs shouldn’t abandon AV.

Here’s why. The critique of signature-based detection ignores the other mechanisms that endpoint security products currently employ. Webroot’s SecureAnywhere solution, for instance, offers an alternative to conventional signature-based security. The product features a vast malware detection net — Webroot Intelligence Network (WIN) — that resides in the cloud and pulls in billions of pieces of information from customers, test laboratories and security vendors. In contrast, conventional AV products depend on signature databases that run on client devices and are confined to the storage limitations of PCs and laptops.

In addition, Webroot employs predictive intelligence to monitor the behaviors of applications and executables running on customers’ systems. When the Webroot client software detects anomalous behavior, it queries WIN to suss out whether the behavior has been previously observed.

For more information on Webroot’s specific approach, please see this previous post.

Another argument for AV: signature-based methods, while given to weaknesses, will at the very least block the more obvious viruses that reappear from time to time. A business clearly wouldn’t want to stake its operations on AV as its sole line of defense. But it can still play a role as a component functioning within a comprehensive set of protections.

That all-encompassing security vision is what MSPs should be pursing for their customers anyway. No single technology will fend off every conceivable attack. A defense-in-depth deployment will usually include such elements as endpoint security, firewalls, web gateways, and IDS/IPS among others.

AV can still play a role in an organization’s security strategy. The signature-based detection aspect of AV may be down, but the broader technology surrounding endpoint security is not out.

Monthly guest blogs such as this one are part of MSPmentor’s annual platinum sponsorship.