The evolution of anti-virus

Eric Domage, IDC research manager for security products and services
Isard's concern is the guy with the USB stick

Could it be true that the same anti-virus technology that spawned the massive might of Symantec and McAfee, together turning over nearly US$25 000 million in 2007, is in decline, reaching the end of its shining career? Could the stalwart PC security technology of the 90s really be finished, dead, buried, kaput?

At first glance, it would seem so. Of all the sectors of information security, only enterprise anti-virus lost market share in 2007, according to Gartner, which describes the technology as “decreasing as a stand-alone purchase in favour of broader endpoint security platforms, where anti-virus is only one of the required components.”

Virus evolution

Such an outcome was, perhaps, inevitable. When data passed via floppy disk or rudimentary networks, protecting the PC with a regular scan for the few thousand known viruses was an easy and cost-effective option. Now, however, protecting against nearly one million new malware samples per day - including encrypted, polymorphic and otherwise obfuscated malicious code - is stretching research labs to breaking point.

Identification through signatures is becoming impossible, says Eric Domage, IDC research manager for security products and services. Labs are now “mostly basing their research on behaviour,” he says. “Why is the machine behaving abnormally? This is much more accurate. You don’t have to understand if you’ve been hit by a virus. People are still looking at the virus [definitions] but they are more accurately looking at the impact of viruses.”

Understanding abnormal behaviour means specific, one-off malware – such as a trojan keylogger that has never been reported to an AV lab – can be stopped. “As soon as the machine begins to behave abnormally you can do something very quickly,” says Domage.


But this points to another reason why anti-virus is not the same as it was 10 years ago. The fight against viruses has broadened to include any kind of malware. Domage says actual viruses – attaching to an executable file then delivering the payload and replicating whenever that file is run – amount to just 5% of total malware.

“Any security product which only scans for viruses would not be able to exist commercially in today’s marketplace,” says Graham Cluley, senior technology consultant at Sophos. “Companies expect their ‘anti-virus’ products to also defend against spyware, adware, trojan horses and other forms of malicious attack. It’s therefore technically inaccurate to call such solutions ‘anti-virus’. However, the term has entered popular lingo and is unlikely to go away”.

One-stop shop

The consumer market is based on suites providing protection against all the various types of malware, explains Domage. But in the business world “people have web threats, external threats, HTML based threats etc. Anti-virus is a commodity, for sure, and there is a generic idea of having threat mitigation tools that includes anti-virus”.

Brett Isard, operations director at safety equipment manufacturer E2S, illustrates what the changing threat landscape means in practice. Although E2S is a small business, Isard’s key applications, enterprise resource planning and customer relationship management, hold information vital to the business and must be secured while remaining accessible to the remote sales force.

His unified threat management (UTM) device from Esoft includes gateway anti-virus (scanning at the network entry point), anti-spam, intrusion prevention, a firewall, web filtering and a VPN (Virtual Private Network, for secure remote connection). It’s easy to see why such a device is attractive when the alternative is a host of separately configured servers and software solutions.

Isard says the unified threat management is theoretically all he needs to secure his IT infrastructure, but his recurring nightmare is the USB device. “My concern is the guy with the USB stick, because the gateway doesn’t do anything to help me with that. It will tell me if somebody sends something out that is infected, but it won’t tell me at the point the guy sticks the USB into his laptop and starts uploading files from his brother-in-law.”

For this reason Isard installs a Sophos AV product – which also includes desktop anti-spam and anti-spyware checks etc. – on each desktop and laptop that can attach to the network. He has also recently moved VPN to a Juniper SSL device. “The main check is domain membership. If the [connecting] machine is a member of our domain, then it’s already been set up with the Sophos [anti-virus] client or its content has come through the Esoft anti-virus gateway,” he explains.


Isard is concerned that he is doubling up on protection, paying for multiple layers where perhaps one would do, but the approach helps him to sleep soundly. “The cost of it versus the risk of not having protection is negligible. There’s always a risk one device will let something through, so you end up building layers in a deliberate fashion.”

The user is the perimeter

At gateway device vendor Finjan, Yuval Ben Itzhak, CTO, agrees the desktop must always be protected, largely because of USB devices. “You can never avoid protecting the desktop,” Domage says, but he also agrees signature-based scanning is not enough. “Some malicious code today is encrypted differently every time it is downloaded. You cannot match a signature to it.”

Finjan’s solution is to inspect the computer code and really understand what it intends to do. “Is the content trying to access the local disk, is the content trying to read the registry? I can block it because of that [suspect code], I don’t need a signature,” explains Itzhak.
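Domage’s “why is the machine behaving abnormally?” and Ben Itzhak’s “is the content trying to read the registry?” describe the same shift from identity to intent. The added example below (not code from the article or from any vendor named in it) models that shift in Python: a hash signature database that knows only one packing of a constructed trojan keylogger, beside a behaviour scorer that convicts both packings from their constructed runtime traces while leaving a benign editor alone. The sample names, file paths, the 198.51.100.7 address, the rules and their weights are all assumptions.

```python
import hashlib

# Constructed samples (not real malware): two packings of one trojan
# keylogger, and a benign editor. Only the bytes differ between v1 and v2.
SAMPLES = {"keylogger_v1": b"KEYLOG-PACK-A",
           "keylogger_v2": b"KEYLOG-PACK-B",
           "editor": b"NOTEPAD"}

# Signature database: the lab has only ever received the first packing.
KNOWN_BAD = {hashlib.sha256(SAMPLES["keylogger_v1"]).hexdigest()}

# Constructed behaviour traces, (action, target) pairs standing in for
# sandbox or endpoint-agent telemetry recorded when each sample runs.
TRACES = {
    "keylogger_v1": [
        ("hook", "keyboard"),
        ("write", r"C:\Users\u\AppData\Roaming\k.dat"),
        ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
        ("connect", "198.51.100.7:443"),
    ],
    "editor": [("read", r"C:\Users\u\notes.txt"),
               ("write", r"C:\Users\u\notes.txt")],
}
TRACES["keylogger_v2"] = TRACES["keylogger_v1"]  # repacked: same behaviour

# Intent rules: (action, target substring or None, weight, description).
RULES = [
    ("hook", "keyboard", 4, "keystroke capture"),
    ("reg_set", r"\CurrentVersion\Run", 3, "persistence via Run key"),
    ("write", r"\AppData\Roaming", 1, "drops file in user profile"),
    ("connect", None, 2, "outbound connection"),
]
THRESHOLD = 5  # convict once the summed weights reach this


def signature_verdict(name: str) -> bool:
    """Classic scan: convict only if the file hash is in the database."""
    return hashlib.sha256(SAMPLES[name]).hexdigest() in KNOWN_BAD


def behaviour_verdict(name: str) -> tuple[bool, int, list[str]]:
    """Convict on what the code does, regardless of how it is packed."""
    score, reasons = 0, []
    for action, target in TRACES[name]:
        for r_action, r_target, weight, why in RULES:
            if action == r_action and (r_target is None or r_target in target):
                score += weight
                reasons.append(why)
    return score >= THRESHOLD, score, reasons
```

The repacked variant is invisible to the hash lookup but scores identically on behaviour, which is the point both interviewees make; the weights are illustrative and would be tuned against real telemetry.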

It might seem then that anti-virus has been assimilated by the gateway appliance. But IDC’s Domage is adamant that the user must be protected at all times, and smart gateway solutions must be replicated on the device. “We used to ask ‘what is security if you don’t know where your perimeter is?’ Now we say, ‘The user is the perimeter.’ We must put the basic anti-threat mitigation tools at the device level, because the device is mobile.”

Domage believes attempting to control the proliferation of devices and connectivity options will ultimately be futile, but still maintains that “The user should have in his luggage a full security suite that replicates online and offline the security policy of the organisation.” It follows that if a device cannot replicate the policy, or cannot be determined as secure at the point of connection, it will be prevented from accessing the network.

These are ‘endpoint’ security solutions, administered from a single console and able to update or upgrade endpoint devices, as need be, whenever a connection to the network is requested.

The end-point game

“The top 500 companies have already made this move,” says Domage, referring to endpoint security solutions. “But SMEs still rely on consumer-optimised solutions or sometimes hardware.”

He is hopeful that endpoint security solutions will be largely adopted by the end of 2009. “It is the story of being protected or not,” he adds.

Further on, the commoditisation and standardisation of information security leads inexorably to delivery as a service. Already, Gartner reports, “In messaging security controls, such as malware and spam detection/exclusion for email and instant messaging, cloud-based services account for 20% of revenue in 2008.” By 2013 this will increase to 60% of revenue, says the analyst.

Cloud computing is where IT capabilities are provided as a service using internet technologies. It “will enable security controls and functions to be delivered in new ways and by new types of service providers. It will also enable enterprises to use security technologies and techniques that are not otherwise cost-effective,” says Gartner.

This may be the fate of the humble anti-virus scanner: delivered, from who-cares-where and as required, by network services, silently working to protect your business.

Far from being dead, the anti-virus scanner lives on, but like any long-lived species it has been forced to adapt to circumstance. It may be only part of an increasingly complex security mix, but it is just as essential as it ever was, even if it is not the scanner that it once was.
