"Anti-virus is no good" - discuss.

Security professionals, analysts, journalists and people in the pub: there's a vocal minority in all those groups which likes to be heard to say, "Anti-virus isn't good enough for today's threats." They don't need to propose an alternative in order to get a look-in: the claim itself is bold enough to muster plenty of attention. But is it true? Are you wasting your time with a modern anti-virus? Paul Ducklin has his say.


Introduction

When computer viruses first became a problem, some time in the mid 1980s, a common early response was that viruses themselves didn't even exist.

They were nothing but an urban myth - like "alligators in the New York sewers," according to Peter Norton in 1988. (By 1990, he was, of course, selling Norton Anti-Virus under his own brand.)

But in about 1989 or 1990, when the first polymorphic (self-changing) viruses appeared, we started hearing that "anti-virus is not good enough to handle today's threats".

This is a mantra which some security professionals feel compelled to trot out to this day.

In most cases I've seen, this dismissive condemnation of anti-virus technology is based on wishful thinking: the assumption that anti-virus is explicitly about individual signatures for known malware samples, and thus that any anti-virus is, by design, reactive.

Of course, decent anti-virus products haven't relied on known-malware signatures since about 1989 or 1990, because polymorphic viruses made it obvious that a list of every so-far-known infectious file would not be enough, even if your goal was to detect existing virus families only.


Viruses and Trojan Horses

In truth, a modern anti-virus deals with viruses only occasionally.

We still see self-replicating threats - true viruses and worms, such as Linux/Rst-B and Conficker - but most modern malware is of the one-shot variety.

These are Trojan Horses: inconspicuously malevolent programs, most commonly delivered over the internet, and designed to co-opt your computer for criminal purposes, such as sending spam, stealing passwords, attacking third parties or holding your data to ransom.

Thanks to the magic of the cloud, crooks can generate and deliver a brand-new sample of a single Trojan to each potential victim, using what is called server-side polymorphism. Every sample is different, just as in a polymorphic virus, but the polymorphic engine - the program code which performs the sample-by-sample permutation - is secret.

In a world in which every sample of a new malware family might be unique, an anti-virus which could only deal with previously-seen samples would, indeed, be of little use.

Fortunately, that's not how good anti-virus software works.

To be sure, exact identification of specific objects can be useful - enumerating commonly-seen known-bad components of various malware families, for instance, helps with blacklisting (aka blocklisting); maintaining a list of known-good operating system libraries allows for whitelisting (aka allowlisting).

But decent anti-virus software isn't really just plain old anti-virus any more. It isn't just an enormous blocklist of checksums.
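To make the point above concrete, here is an added toy model (not code from the article, and not any real malware) of server-side polymorphism set against two detection approaches. A constructed "engine" emits a freshly mutated copy of the same three-step logic (fetch, decode, run) for every request, varying comments, identifier names, literals and a hostname, all of which are invented for the example. A SHA-256 blocklist built from the one sample the lab happened to receive misses every subsequent copy; a detector that first normalises away everything the engine is free to change, then compares structure, catches them all without flagging a benign script that merely fetches a file. The function and variable names are the example's own.

```python
import hashlib
import random
import re

# Everything here is constructed for illustration: the "payload", the API
# names and the hostnames correspond to no real malware family or host.
KNOWN_API = {"fetch", "decode", "run", "key"}

BENIGN_SAMPLE = (
    "# update checker\n"
    "resp = fetch('https://updates.example/version')\n"
    "show(resp)\n"
)


def polymorphic_engine(rng: random.Random) -> str:
    """Toy server-side engine: each call yields a byte-different copy of the
    same logic, so no two victims receive an identical file."""
    letters = "abcdefghijklmnopqrstuvwxyz"
    ident = lambda: rng.choice(letters) + "".join(
        rng.choices(letters + "0123456789", k=rng.randint(3, 9)))
    junk = lambda: " ".join(rng.choice(["lorem", "ipsum", "build", "cache", "v2"])
                            for _ in range(rng.randint(1, 6)))
    v1 = ident()
    v2 = ident()
    while v2 == v1:          # distinct names keep the call structure identical
        v2 = ident()
    return (
        f"# {junk()}\n"
        f"{v1} = fetch('https://{ident()}.example/{ident()}')\n"
        f"# {junk()}\n"
        f"{v2} = decode({v1}, key={rng.randint(1, 255)})\n"
        f"run({v2})\n"
    )


def sha256(sample: str) -> str:
    return hashlib.sha256(sample.encode()).hexdigest()


def hash_blocklist_detect(sample: str, blocklist: set) -> bool:
    """Classic per-sample signature: exact checksum match only."""
    return sha256(sample) in blocklist


_COMMENT = re.compile(r"#[^\n]*")
_STRING = re.compile(r"'[^']*'")
_NUMBER = re.compile(r"\b\d+\b")
_IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def normalise(sample: str) -> str:
    """Canonicalise what the engine may vary (comments, names, literals)
    while keeping the sequence of calls, which it cannot change."""
    text = _COMMENT.sub("", sample)
    text = _STRING.sub("STR", text)
    text = _NUMBER.sub("NUM", text)
    names = {}

    def rename(m):
        word = m.group(0)
        if word in KNOWN_API or word in ("STR", "NUM"):
            return word
        return names.setdefault(word, f"ID{len(names)}")

    text = _IDENT.sub(rename, text)
    return "\n".join(l.strip() for l in text.splitlines() if l.strip())


def evaluate(n_variants: int = 20, seed: int = 1234) -> dict:
    """Build both detectors from one 'first seen' sample, then run them over
    the fresh copies that later victims would receive."""
    rng = random.Random(seed)
    first_seen = polymorphic_engine(rng)
    blocklist = {sha256(first_seen)}
    family_sig = normalise(first_seen)
    fresh = [polymorphic_engine(rng) for _ in range(n_variants)]
    return {
        "unique_hashes": len({sha256(s) for s in fresh}),
        "hash_hits": sum(hash_blocklist_detect(s, blocklist) for s in fresh),
        "heuristic_hits": sum(normalise(s) == family_sig for s in fresh),
        "benign_flagged": normalise(BENIGN_SAMPLE) == family_sig,
    }


if __name__ == "__main__":
    print(evaluate())
```

The normalisation here is deliberately crude; a real engine would also vary instruction order, insert dead code and split strings, and a real product answers that with emulation and behavioural monitoring rather than regexes. The shape of the argument is the same, though: detection has to key on what the attacker cannot cheaply change, not on the bytes of a copy already seen.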


More than just anti-virus

A good anti-virus will analyse the potential behaviour of a file - both statically, before it is used, for true preventative blocking, and dynamically, after it is loaded, for a second chance at heading off malicious behaviour.

A good anti-virus solution will automatically monitor and control newly-arrived files (and by all possible routes, from web downloads to inserted USB keys); the behaviour of newly-started processes; the network traffic associated with running programs; and more.

A good anti-virus will not only allow you to detect and block malicious programs, but also allow you to control legitimate-yet-risky software, such as outdated browsers. It will help you to identify and eliminate dangerous web browsing, both by URL and by analysing returned content. It will spot unpatched or vulnerable software, as well as the files and network traffic which might trigger those vulnerabilities.

In fact, a really good anti-virus - which is competent at unravelling complex compound objects such as DOCs, PDFs, HTML pages and more - will help you look not just for malevolent and risky content coming into your organisation but also for confidential or personal content going out. Better yet, it will do this "on-access" or "real time" - heading off risky behaviour before it happens, rather than simply detecting breaches after the fact.


Defence in depth

Where does this leave us in respect of the assertion that "anti-virus is not good enough to handle today's threats?"

In some ways, that statement is a truism. You can apply it to any individual security technology, considered all on its own. For example, you wouldn't rely entirely on a packet-filtering network firewall to protect you from viruses. (Removable media, QED.) You wouldn't rely entirely on a spam filter to stop inbound malicious documents. (Web downloads, QED.) And so on.

Anti-virus isn't a panacea, and if you are faced with a vendor who is trying to sell it as one, I suggest you shop somewhere else.

Nevertheless, anti-virus in its modern form is a jolly useful part of any defence-in-depth strategy.

In particular, a decent endpoint anti-virus is agnostic about the source of a threat - incursions by email, web, USB, P2P etc. are all handled in a similar way. A decent endpoint anti-virus actually keeps watch for much more than just known malware - helping you with patch assessment, exploit prevention, data leakage and risky network traffic, too.

And, most importantly, a decent endpoint anti-virus really helps you to put the Prevention into your multi-layer IPS (Intrusion Prevention System).


Stand together and fight!

The truth is that no-one in computer security, except perhaps the crooks themselves, can predict what tomorrow's malware, tomorrow's dodgy domain names, tomorrow's botnet command and control servers, or tomorrow's illegal money-making scams are going to be.

But we can guess what tomorrow's cybercriminality will be like, if we are well-informed about what has happened so far. (The fancy name for this is "heuristics".)

This, paradoxically, is why the rate of appearance of new malware is increasing.

Not because the crooks are getting smarter, but because today's anti-virus products are making life harder for them.

The cybersecurity glass is not half-empty, as some might like you to think. It is at least half-full, and filling.

We'll fill the glass even faster if the various subsects of the computer security industry stop pointing fingers at each other, and writing off each other's technologies as "no good" without fair cause.

We have a common enemy. Let's stand together and fight that enemy, not each other!

