He was blogging in response to an article by Robert Lemos in Dark Reading last month. Is it time to dump anti-virus as endpoint protection, asks Lemos: “The shortcomings of anti-virus software are well known in the security industry, where the programs are typically considered an eminently fallible last line of defense.” In fairness, Lemos doesn’t suggest abandoning AV – but for the AV industry the damage is done in the title.
Anti-virus is the father of computer security – it was the very first third-party security industry that evolved to protect users even in the days before the internet. It remains probably the best known and most widely used line of defense. But because it is so widely used, and evidently not infallible, alternative solutions can sometimes feel they are blocked simply because security budgets are first directed toward anti-virus. The danger is that to prove their own worth, they must first disprove that of their competitors – and for years now, anti-virus has faced criticism from detractors.
Now Raimund Genes, CTO at Trend Micro, has responded. Lemos had quoted a research paper by Google that demonstrated a detection rate of just 25% or less in four leading AV products. This is a common ‘accusation’ delivered against anti-virus – but the problem is that it treats AV as if it is simply a signature detection system. Lemos quotes Brian Foster, CTO of Damballa: “The attackers just build a new version, run it by VirusTotal, and as soon as they get it past all 43 vendors there, they know they are golden – at least for the next 24 hours.” (In reality, the attackers will use their own versions of VirusTotal, since VirusTotal immediately circulates the new ‘sample’ to the AV industry; thus defeating the purpose of the test.)
It’s old news, says Genes. “As early as 2008 we stated that standard detection technologies need to be combined with other methods like reputation services, whitelisting and so on. We’ve invested heavily in the technology needed to detect malicious infrastructures and ecosystems.” Put simply, anti-virus is far more than simple signature detection; but AV detractors only measure that one aspect.
Luis Corrons, CTO at PandaLabs, confirmed this to infosecurity. “If we just take a blacklist approach,” he said, “then the battle against malware is more than lost.” A different approach to just signature detection is required, “and a number of anti-virus companies already do this – for example, adding whitelisting and reputation, or using in-the-cloud technologies that can take advantage of shared knowledge and keep protection one step ahead of the attackers.” All of this is now found in mainstream anti-virus products.
ESET’s David Harley is equally concerned. “I'm not sure I trust Google's figures,” he told Infosecurity, “particularly as they made the rookie error of using VirusTotal.” Harley had earlier produced a paper on this ‘error’ that was published by VirusBulletin. “The fact is,” he wrote, “VT was never intended as a mechanism for testing AV, and that is made very clear. A VirusTotal report doesn’t tell you which solutions know about a specific threat sample. It tells you which (if any) solutions will flag it as a threat under very restricted conditions that don’t reflect real-world conditions. If VirusTotal was meant as a tool (or a substitute) for comparative testing, it would be a very bad one.”
And then there’s the size of the Google test. Google, says Genes, “claimed that their system makes millions of reputation-based decisions every day, and that it identifies and blocks about 5 million malware downloads every month.” But, he wrote, “Trend Micro blocks 250 million threats per day (files, websites, and spam), and our systems process more than 16 billion requests per day.” And other AV companies will be doing similar.
The anti-virus industry doesn’t suggest anti-virus is a panacea. “Having an anti-virus isn’t enough," said Corrons. “Sadly, having every possible security product on the market still won’t guarantee that your computer won’t be infected and your data stolen. It will be less likely, but just that.”
The reality is that endpoint security requires adding to anti-virus; not removing it.