I began this piece when I was reading generic comments by people who felt antivirus utilities were a waste of money and not effective. This week, the debate intensified with well-publicized cries that “antivirus is dead.” Here, I’d like to address whether or not it is a dead technology.
Let’s look at what anti-malware should be doing for you. The mission of anti-malware applications falls into three categories: prevention, detection and remediation. As early as 2003, people were discussing Defense in Depth on computer networks: layering controls so that each is the best-of-breed tool for its designated purpose, and no single control has to stop everything. Largely because this approach works, we no longer see mass outbreaks like LoveLetter; instead we see low-volume, targeted attacks.
Since the beginning of the antivirus scanner, people have been claiming the antivirus scanner is dead. In the early 90s, no less than Peter Norton declared, “Computer viruses are like alligators in the New York sewer: just an urban legend.” Recently a major player in the antivirus industry made the same claim. These claims are often uninformed, short-sighted at best and dangerous at worst. These much-maligned utilities have changed, and continue to change, the practice of computer security as well as the way attackers assault our networks and endpoints.
Antivirus utilities were designed in response to self-replicating code. The initial problem was boot sector and file-infecting viruses. A virus is parasitic code that attaches itself to host code in order to replicate and, in some cases, to hide its presence. The other family of self-replicating code is the worm: self-contained, self-replicating software that needs no host code in order to execute. When people became concerned about Trojans, early virus researchers asserted that Trojans should not fall within the realm of antivirus. The reason was that, in many cases, whether a program is a Trojan depends on the beholder, or on how the application is executed. The case could be made that a command such as “delete” or “format” is a Trojan when it is used in a malicious manner.
Anti-malware is still king at categorizing and remediating known attacks. However, in today’s environment, prevention and detection are performed more efficiently, but with less naming accuracy (you’ll know an attack is happening but won’t know which attack it was), by other tools. For a long time antivirus has not topped the endpoint security suite wish list for either users or vendors. That doesn’t mean it doesn’t do its task.
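To make the distinction concrete, here is an added illustration (not code from the original article or from any antivirus vendor) contrasting the two kinds of detection. The signature scanner returns a family name and a remediation action when it matches a known byte pattern; the behavioural detector only raises a reason, with no name, when it sees a suspicious process chain. The signature table, the process events and the “AddedExample-Dropper” family are constructed for this example; the EICAR string is the standard antivirus test string. The behavioural rules (an Office application spawning a script host, PowerShell given an encoded command) are illustrative heuristics, not a production ruleset.

```python
"""Signature identification vs. behavioural detection on constructed input.

Added example: the 'named' verdict comes only from the signature path; the
behavioural path knows something is wrong but cannot say what family it is.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed signature database: byte pattern -> (family name, remediation).
# The EICAR string is the industry-standard AV test file; the second entry
# is a hypothetical family invented for this example.
SIGNATURES: Dict[bytes, Tuple[str, str]] = {
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*":
        ("EICAR-Test-File", "quarantine"),
    b"ADDED-EXAMPLE-DROPPER-MARKER": ("AddedExample-Dropper", "delete"),
}

# Process images used by the behavioural rules (lower-cased for comparison).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# -e, -enc or -encodedcommand followed by whitespace (so '-ep bypass' does not match).
ENCODED_CMD = re.compile(r"-e(nc(odedcommand)?)?\s", re.IGNORECASE)


@dataclass(frozen=True)
class Verdict:
    detected: bool
    name: Optional[str]         # family name; only signature scanning can supply one
    reason: str
    remediation: Optional[str]  # remediation is tied to knowing the name


@dataclass(frozen=True)
class ProcessEvent:
    parent: str
    image: str
    cmdline: str


def signature_scan(data: bytes) -> Verdict:
    """Identify known malware by byte pattern: names it and says what to do."""
    for pattern, (family, action) in SIGNATURES.items():
        if pattern in data:
            return Verdict(True, family, f"matched signature for {family}", action)
    return Verdict(False, None, "no known signature", None)


def behavioural_detect(events: Iterable[ProcessEvent]) -> Verdict:
    """Flag suspicious process behaviour: detects, but cannot name the attack."""
    findings = []
    for ev in events:
        parent, image = ev.parent.lower(), ev.image.lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append(f"{ev.parent} spawned {ev.image}")
        if image == "powershell.exe" and ENCODED_CMD.search(ev.cmdline):
            findings.append("powershell launched with encoded command")
    if findings:
        return Verdict(True, None, "; ".join(findings), None)
    return Verdict(False, None, "no suspicious behaviour", None)


# Constructed sample input: one known test file, one unknown document, and the
# process chain an unknown macro dropper might produce. 'ZQBjAGgAbwA=' is the
# UTF-16LE base64 encoding of the harmless command 'echo'.
SAMPLE_FILES: Dict[str, bytes] = {
    "eicar.com": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "invoice.docm": b"PK\x03\x04 constructed document bytes with no known pattern",
}
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "winword.exe", "winword.exe invoice.docm"),
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc ZQBjAGgAbwA="),
]


def triage() -> Dict[str, Verdict]:
    """Run both detectors over the constructed samples."""
    results = {name: signature_scan(data) for name, data in SAMPLE_FILES.items()}
    results["process-chain"] = behavioural_detect(SAMPLE_EVENTS)
    return results


if __name__ == "__main__":
    for subject, v in triage().items():
        label = v.name or "(unnamed)"
        print(f"{subject:14} detected={v.detected!s:5} name={label:22} "
              f"remediation={v.remediation} reason={v.reason}")
```

Run as written, the EICAR file is both detected and named, with a remediation attached; `invoice.docm` has no matching signature and passes the scanner; the process chain it spawns is detected by the behavioural rules, but the verdict carries no family name and no remediation, which is exactly the trade-off described above.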
Just as a surgeon doesn’t replace a scalpel with a bone saw, and a mechanic’s X-Acto knife isn’t replaced by tin snips, it will be a long time before antivirus is replaced in that task by other tools. The day that any security professional advocates not deploying antivirus is not in sight, nor should it be. We should not discount effective specialized tools in our tool kit because they don’t solve all our problems. Instead, we need to understand where each is most effectively used.