Anti-virus Lives to Fight Another Day

Catching or blocking malware is just part of the security challenge

Anti-virus is dead. Again. No-one, it seems, loves the industry except those it employs: even many of its customers see it as a necessary evil. Other elements of the security industry have never quite understood how it works and what it does, but see it as competing for dollars that should go to them. Dismissing anti-virus as a ‘commodity’ implicitly assumes that detection technology is a staple requirement but that anyone (testers, OS providers, other security industry sectors) can do it better than the anti-malware industry.

There are certainly companies getting some great publicity (usually timed to coincide with the RSA Conference) by drawing conclusions based on pseudo-testing statistics, derived from cherry-picking a handful of samples and ‘testing’ by submitting them to VirusTotal. Cherry-picking? Well, yes. A company that focuses on specialist targeted malware may do better on its own turf than a generalist company, but it’s unlikely to be as effective across the board. (Do you really believe that only targeted malware matters?) In any case, VirusTotal cannot be an accurate measure of AV detection performance, and has gone out of its way to discourage such pseudo-tests.[1]

Behind the salesmanship, there are glimmers of truth that the anti-malware industry actually tends to agree with.[2] Virus detection isn’t dead because there are still viruses, but most malware isn’t self-replicative, which is why ‘anti-virus’ survives only as sloppy shorthand for malware detection technology. Self-replicating code was (is) comparatively easy to detect heuristically, but malicious intent in the form of a trojan is less so.

Exact identification by static signature is rarely achievable in the face of the hundreds of thousands of samples processed daily by anti-malware labs. Signature detection of known malware is primarily a fallback technology that helps with remediation where something evades detection before it infects, rather than a primary layer of protection. Heuristic analysis based on ongoing examination of an astonishing range of malicious programs remains effective but is unlikely ever to reach the same levels of effectiveness as when self-replication and malice were almost synonymous. But while AV’s deficiencies are well-known (if sometimes overstated), there is no 100% solution. Unfortunately for the consumer, no other security technology has been tested to destruction so often and so publicly.

Catching or blocking malware is just part of the security challenge, at home or in the workplace: in that sense, AV is dead. Which is why so few vendors now offer only a ‘virus scanner’, even though the virus scanner long ago evolved into something that detects all kinds of malware – granted, with significantly less than 100% efficiency – using heuristics, behavior analysis, reputation, traffic analysis and so on. Indeed, the only sensible reason for using a ‘pure’ malware scanner now is to mix and match with other kinds of security software; otherwise, you should be using a security suite, unless you’re in a highly secure network environment where you can rely on perimeter defenses to catch everything else, or in a complex, multi-layered enterprise infrastructure.

So should customers go on paying for discrete anti-malware? A free scanner is better than nothing, but it can’t meet expectations of (near-) complete protection; it doesn’t come with a support package or entail any contracted obligations on the part of the vendor; it isn’t usually legally usable by businesses; and if the bottom fell out of the commercial market that underwrites it, free anti-malware would at best consist of a few well-meaning but resource-starved volunteer efforts.

Anti-malware technology moved on long ago. Customer and media perception, though, has lagged way behind, perhaps influenced by misleading commentary unable to admit or perhaps recognize that while other researchers also perform deep malware analysis, the anti-malware industry’s research base is uniquely wide. Even on mobile platforms where operating system providers go out of their way to restrict the functionality of third-party security vendors, a world without the mainstream anti-malware industry’s research community would be a more dangerous place to live.

David Harley, CITP, FBCS, CISSP, is an IT security researcher, author and consultant living in the UK. He has worked in IT since the 1980s, increasingly focused on security and anti-malware research, and is a Fellow of the BCS Institute. Harley also blogs for Infosecurity magazine, Mac Virus, AVIEN, ESET (where he holds the title Senior Research Fellow), (ISC)², and numerous other websites.