Anti-Virus Software Is Dead, Long Live Anti-Virus Software

The anti-virus (AV) application is dead, right? This often bloated, resource-intensive application has to scan every single file on a computer, but still misses the one malicious application that brings your network to its knees. What are we to do now that viruses have become so sophisticated and agile? Change the way we approach security, or tell everyone that anti-virus software is just misunderstood?

For those who trumpet AV software, like David Harley of Eset, the media and the technology industry are simply lost on the value that anti-virus software provides. In a paper released on the company’s We Live Security blog, Harley goes about crushing every argument for AV obsolescence in favor of level-headed acceptance of failure, because, “perhaps that’s inevitable”. The fact is, every once in a while a testing site or company comes along with a provocative report saying anti-virus software doesn’t work.

You might expect that an industry that has been around for decades would have licked this problem by now. In fact, the reverse is true. While malware is becoming more sophisticated, and indeed more malicious, AV software appears to be getting worse at detecting threats. What do I know? I simply support myriad potentially infected machines on a regular basis; I don’t design AV software.

Here’s what has become rather common sense:

1. With the speed at which new samples are created and distributed, signature-based AV detection is no longer a sufficient defence on its own. The tools available to attackers far outstrip the resources of even the most diligent AV vendors.

2. Malware continues to step up the after-infection damage. Case in point: Cryptolocker. Since cleaning this infection can leave you worse off than before (the encrypted files stay encrypted), the second half of AV’s usefulness (remediation) is becoming moot[1].

3. In the age of desktop computers (late 1990s, early aughts), resource-intensive, on-demand file scanning was acceptable to a degree. Today’s power-hungry but resource-limited mobile devices are much less tolerant of such things[2].

4. AV scanners are poor at grasping what a real infection involves. This is based on my experience, but it doesn’t take many examples to see that infections touch more than just files: malware often uses legitimate software and components and makes changes to core system settings. Undoing that is more than most AV software can do. Often the infection is “cleaned”, but files, registry settings and other tooling are left behind.

In his paper, Harley asks rather rhetorically: “But when does less effective become ineffective?”. He goes on to cite testing methodology as the “real” reason AV software appears to have become less effective. When the basic test of your software rests on whether it stops an infection [3], less effective and ineffective are the same thing to the lowly infected user. Harley can blame testing methodology, Microsoft for insecure Windows, and even users for not taking good enough precautions, but AV software must live in the real world, not a constructed one.

Further, Harley spends a considerable amount of time shooting down VirusTotal as a means of testing malware samples. While I feel his approach is fundamentally wrong, it’s important to say that VirusTotal is probably the only way a mere mortal can tell how multiple AV scanners might react to a particular file. This presents an opportunity for basic automation. Does any AV vendor provide the same sort of tool for the support person seeking a second opinion? Not at all. He can go on about how VirusTotal chose to treat defaults, etc., but handling malware is more than just defining a file as malicious.
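As an added example (not code from the original post, and not a VirusTotal tool), here is the sort of basic automation the paragraph above has in mind: hash a suspect file, ask VirusTotal’s v3 file endpoint for the report its many engines already produced, and boil that down to a count of detections and a verdict a support person can act on. The endpoint and the report fields used are real; the thresholds, the VT_API_KEY environment variable, the sample bytes and the sample report are assumptions or constructed for the example and run offline. It also shows the limit behind point 1 above: a one-byte variant of the sample has a new hash, so every hash-based lookup answers “unknown”, which is not the same as “clean”.

```python
"""Second-opinion check of a file against VirusTotal's multi-engine report.

Added example, not code from the original post. Assumes the VirusTotal v3
"files" endpoint and its report layout; the network call is only made when
VT_API_KEY is set. The sample bytes and sample report are constructed.
"""
import hashlib
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256: the key VirusTotal (and hash signatures) look up by."""
    return hashlib.sha256(data).hexdigest()


def fetch_report(sha256: str, api_key: str) -> Optional[dict]:
    """GET the v3 file report. None means VT has never seen the hash (HTTP 404)."""
    req = urllib.request.Request(
        VT_FILE_REPORT.format(sha256=sha256), headers={"x-apikey": api_key}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize(report: Optional[dict]) -> dict:
    """What a support person wants: how many engines flagged it, which, and why."""
    if report is None:
        return {"known": False, "detections": 0, "total": 0, "flagged_by": {}}
    attrs = report["data"]["attributes"]
    flagged = {
        engine: r["result"]
        for engine, r in attrs["last_analysis_results"].items()
        if r["category"] in ("malicious", "suspicious")
    }
    return {
        "known": True,
        "detections": len(flagged),
        "total": sum(attrs["last_analysis_stats"].values()),
        "flagged_by": flagged,
    }


def verdict(summary: dict, review_at: int = 1, flag_at: int = 3) -> str:
    """Turn the count into an action. Thresholds are assumptions, not VT policy.
    An unknown hash is not a clean bill of health: a repacked or mutated
    variant is unknown to every hash-based lookup."""
    if not summary["known"]:
        return "unknown"
    if summary["detections"] >= flag_at:
        return "quarantine"
    if summary["detections"] >= review_at:
        return "review"
    return "no detections"


def check_file(data: bytes, lookup: Callable[[str], Optional[dict]]) -> dict:
    """Hash the bytes, look the hash up, and return the summary with a verdict."""
    digest = sha256_of(data)
    summary = summarize(lookup(digest))
    summary["sha256"] = digest
    summary["verdict"] = verdict(summary)
    return summary


# Constructed sample: harmless bytes standing in for a suspect file, plus a
# one-byte variant of it (what a repacked sample looks like to a hash lookup).
SAMPLE_FILE = b"MZ constructed sample for the example, not real malware"
VARIANT_FILE = SAMPLE_FILE[:-1] + b"!"

# Constructed report in the (trimmed) shape of a v3 file report.
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 3,
                            "harmless": 0, "timeout": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineB": {"category": "malicious", "result": "Win32.Agent"},
        "EngineC": {"category": "undetected", "result": None},
        "EngineD": {"category": "undetected", "result": None},
        "EngineE": {"category": "undetected", "result": None},
    },
}}}

# Offline stand-in for fetch_report: only the original sample is "known".
OFFLINE_DB: Dict[str, dict] = {sha256_of(SAMPLE_FILE): SAMPLE_REPORT}


def offline_lookup(sha256: str) -> Optional[dict]:
    return OFFLINE_DB.get(sha256)


if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")  # assumed variable name
    lookup = (lambda h: fetch_report(h, api_key)) if api_key else offline_lookup
    for label, blob in (("original", SAMPLE_FILE), ("one-byte variant", VARIANT_FILE)):
        r = check_file(blob, lookup)
        print(f"{label}: {r['verdict']} ({r['detections']}/{r['total']} engines)")
        for engine, name in r["flagged_by"].items():
            print(f"  {engine}: {name}")
```

Run without VT_API_KEY and the original comes back “review” with two named engines while the variant comes back “unknown”; that second answer is the whole signature problem in one line, and any automation built on a hash lookup has to treat it as “not yet examined”, never as “safe”.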

But then, why would a person with a vested interest in propping up a failing industry want to tear down tests? Oh, right, to justify their existence. When you consider an argument, consider the motivation. In Harley’s case, his motivation is to make us feel better about AV software. In my case, my motivation is to see clients happy (and lose fewer resources). A technology consultant/journalist/enthusiast has, at least, a more logical reason to be agnostic in this argument.

To his core question, “Is AV software still useful?”, I say yes. It is important to mention, though, that this type of software is shuffling off into the great unknown, or into something we probably won’t call AV software. Fewer desktop computers are being sold, security software isn’t adapting well to mobile and cloud platforms, and malware is getting worse. AV software is an also-ran commodity best left to free (or highly commoditized) tools these days. It’s time for what’s next.

And what is that? I don’t know the future, but I get the sense that as operating systems converge on a quasi-Unix core, the devices and objects we use will become further abstracted from their technical underpinnings. This is an important distinction, because security software may then take a data-centric approach. In a world like that, our data becomes “tough as nails” and it won’t matter where it is, what device it’s on, or how secure the device is, whether a smart door lock or the heads-up display in your prescription glasses. The data that moves back and forth is protected, not the platform.

Anti-virus software can now rest in peace.

1. If everything you have is destroyed and unretrievable at infection, do you really care how nicely AV software cleans the malware?
2. I don’t want to even imagine how slow an Android app scanning everything in the background would be.
3. Uhm, that’s a boolean test.