"Anti-virus is no good" - discuss

Filed Under: Featured, Malware

Security professionals, analysts, journalists and people in the pub: there's a vocal minority in all those groups which likes to be heard to say, "Anti-virus isn't good enough for today's threats."

They don't need to propose an alternative in order to get a look-in: the claim itself is bold enough to muster plenty of attention.

But is it true? Are you wasting your time with a modern anti-virus?

Is the anti-virus glass really half-empty?

Or is this sort of dismissive criticism the result of the ill-informed presumptions made by a few influential observers whose understanding of "anti-virus" is rooted back in 1986?

Read this thought-provoking essay by Paul Ducklin (direct link - no gates), in which he puts the case for modern anti-virus software, argues for defence-in-depth, and urges us all to stand together to fight cybercriminality, rather than taking petty pot-shots at each other.


Glass half-full image courtesy of Shutterstock.

, , , , , , , , ,

You might like

14 Responses to "Anti-virus is no good" - discuss

  1. guestus · 1285 days ago

    A virus is a program that might cause harm to your computer while making it perform badly.

    An anti-virus is a program that will make your computer perform badly in order to maybe catch the viruses that were a threat 3 months ago.

  2. dante · 1285 days ago

    Thanks for sharing this info, I personally use Comodo AV and it acts good for my pc.

  3. Conrad Longmore · 1285 days ago

    "Defence in Depth" is a military doctrine (see http://en.wikipedia.org/wiki/Defence_in_depth). It's almost a perfect analogy for how to defend your network. A lot of corporations still rely too much on their corporate firewall and endpoint security only, without anything in between.

    In theory, if you have enough in-depth defence (e.g. spam and web filters, good patch management, IDS and IPS systems and decent user education) then you could dispense with the endpoint security completely. I say "in theory" because I'm not rushing off to uninstall my endpoint protection right now..

  4. lewis Paul · 1285 days ago

    Its always good to have an upto date AV on your computer an automatically jhave updates enabled for all the latest definitions e.t.c

    But i tell people all the time "just because your antivirus is uptodate and says you have no virus's doesnt meen you dont".

    There are several very active public hacking sites that have crypters readily available to purchase and even offer a money back gurantee that if your virus gets detected you get your money back.

    A crypter for people who dont know (in short) is a rogue piece of software that protects/cloaks mainly .exe files from being detected by AV's. Some even scan your files every hour with 37 common AV's and update it as soon as its dectected, this is usually an optional extra.

    The common hacker term for a undetectable virus is~: (FUD) which is short for "fully undetectable".

    These crypters start from as cheap as $10, and some users offer single crypts for as little as $0.50

    This is has been around for years now, and the only reason i download only from trusted sites, and always run applications on a virtual machine running sophos although this still is not 100% safe.

  5. CNAM · 1285 days ago

    Thinking that antiviruses are useless is a trend among people who don't really get security. While I don't thing any AV today is that great the idea is to detect malware through a blacklist or heuristics - this is a decision making process handled by the computer and that's why it's so important.

    Without an AV you're stuck with HIPS that either require the user to set them up or the user to answer prompts. Awful.

  6. Dan · 1285 days ago

    You're not wasting your time with a modern anti-virus, but you also aren't as well protected as you once were. I have to clean up computers with fully updated anti-virus products quite often due to nasty malware infections. A few years ago it wasn't so bad, but times have changed indeed.

  7. Jim Hillier · 1284 days ago

    Is is time for a name change? The name 'anti-virus' is a misnomer today. Viruses are no longer the major concern, spyware and trojans constitute today's major threat. And good anti-virus products have adapted accordingly. I think it's totally irresponsible for anyone, and especially those involved in security, to suggest that a good anti-virus is a waste of time.

    I utilize a simple yet highly effective security strategy involving just three products; Avast Free, WinPatrol Plus and Sandboxie (free). I can't even remember the last time my machine was infected. Of course, user awareness is an extremely important ingredient - security starts between the ears!

    @Dan - Disagree with your comment mate, I believe today's anti-virus products are far superior and improving all the time. The problem is being exacerbated by a shift in the malware paradigm, now that malware is decidedly in the hands of cyber-criminals it has become much smarter and better organized.

    • Paul Ducklin · 1284 days ago

      I think we're stuck with "anti-virus" - for example, even though we talk about "Sophos Endpoint Security", the popular name remains "Sophos Anti-Virus", even though that's technically just a subset of our protective technology.

      I'd also love to change our "endpoint firewall" to "endpoint application network connection analysis, control and remediation", or some similarly catchy name :-)

      (In my book, a firewall is _by definition_ a physically separate, dedicated security device which sits between two pieces of machinery, or between human and machinery, to prevent the spread of danger.)

  8. ascension2020 · 1284 days ago

    Saying that anti-virus isn't good enough for today's threats is not the same as saying anti-virus is no good. I'm sure the majority of individuals making that claim are still running anti-virus on their Windows machines.

    It's true though that anti-virus on its own isn't good enough. No anti-virus program can have a 100% success rate, especially against unknown threats. Obfuscation is just too easy to do. Heck, there are programs that will do it for you with no programming knowledge required. A few months ago I saw a demo where someone took Back Orifice and uploaded it to a site that will scan files using the most popular virus scanning engines. Every engine detected it, as it should. Then he ran back orifice through a small utility designed to attempt to hide the virus signature and then uploaded it again. The success rate then, from the most popular anti-virus engines? 50%.

    So no, anti-virus on its own just isn't good enough. It's a critical part of security, but it should be the last line of defense, not the first. Keeping third party programs like Java and Flash patched, keeping your browser patched, minimizing use of browser add-ons, using something like NoScript (Firefox) or NotScript (Chrome) to limit your use of javascript, using an ad-blocker, and using an email provider or client with good anti-spam and anti-phishing capabilities or all things that should keep the majority of viruses from ever reaching you at all.

    • Paul Ducklin · 1284 days ago

      Oh, boy. The "Virus Total" (or similar online service) test. Sadly, the test your "expert" conducted in his demo doesn't count, since it doesn't tell you how any of the endpoint anti-virus products would have behaved in real life. It just tells you he was able to create a file which wasn't detected by a one-shot static scan in an on-demand test.

      To quote Virus Total, "we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses...using VirusTotal for antivirus testing is a bad idea."

      As for defence-in-depth, I agree with you. (I discuss this explicltly in the opinion paper itself.)

      If you can arrange that the majority of viruses never actually get close to you in the first place, you're in a safer condition than if you rely on your PC/head/anti-virus to deal with each and every one.

      • ascension2020 · 1283 days ago

        I don't recall which Web site he used. The expert was a real expert, though, not an "expert." He was one of a couple of security experts hand selected by Global Knowledge to teach the first run of CEH v7 classes, which I happened to be a part of and is where he gave the demo. I happened to see a list of his credentials and I'm sure anyone would qualify him as an expert. It's why they flew him across the country to evaluate and teach the course.

        You're correct that an on-demand scanner is probably not going to behave the same as an anti-virus program doing active scanning. That wasn't the point of the exercise. The point is that it is becoming easier and easier to take a known virus and change it to slip past anti-virus software. Tools like the ones we were playing with don't even require programming knowledge to use. Will they have a 100% success rate? No. I would be very surprised if they had a 5% success rate in the field. But if you've thrown a net through phishing, hacked Web sites, etc, that will hit, say, 100,000,000 people then even a 1% success rate is pretty good. On top of that, if you're targeting a particular organization that you know uses a particular anti-virus solution then all you have to do is make sure your malware isn't detected by that one engine.

        That's why the ultimate goal should be to not get hit at all.

        But forget point-and-click tools. As Krebs reported back in June of last year, cyber crime rings are just starting to hire programmers to obfuscate the viruses for them.

        • Paul Ducklin · 1283 days ago

          Let me see if I've got this straight - as part of a Certified Ethical Hacking course, the trainer deliberately created a new piece of malware and distributed it via an on-line service?

          We know it's easy to create new malware, especially by modifying an existing strain. We've known that since about 1987 (ever since Ralf Burger's "Computer Viruses: a hi-tech disease" book published a disassembly of the Vienna virus for anyone to modify).

          Surely the most ethical way to make that point would simply be to state it?

  9. Chipbuster · 1284 days ago

    Antivirus is no good if you're using it like a mystical shaman shield against bad juju viruses.

    On the other hand, if you use it along with some sensible security practices, it can bolster your defenses a good bit.

  10. Oddblob · 1281 days ago

    I half agree, becasue modern viruses don't tend to be caught on infection and if not they can harm your computer and add more viruses, however on the other hand if its not a massive toolkit or something ridiculous then its good to know your safe and you have got rid of it :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog