Is Desktop Antivirus Dead?

March 8, 2008 – 6:47 PM

Some industry analysts are proclaiming the traditional antivirus method for detecting and eradicating viruses, trojans, spyware and other baneful code by matching it against a signature to be “dead.”

They say signature-based checking can’t keep up with the flood of virus variants manufactured by a criminal underworld that is beating the antivirus vendors at their own game. And they are arguing it’s time for companies to adopt newer approaches, such as whitelisting or behavior-blocking, to protect desktops and servers.

“It’s the beginning of the end for antivirus,” says Robin Bloor, partner at consulting firm Hurwitz & Associates, in Boston, who adds he began his “antivirus is dead” campaign a year ago and feels even more strongly about it today. “I’m going to keep beating this drum. The approach antivirus vendors take is completely wrong. The criminals working to release these viruses against computer users are testing against antivirus software. They know what works and how to create variants.”

The fundamental problem “isn’t about viruses, it’s about what should be running on a computer,” Bloor says.

Instead of antivirus software, he says, users should be investing in whitelisting software that prevents viruses from running because it only allows authorized applications to run.

Whitelisting products are available from SecureWave, Bit9, Savant, AppSense and CA, the first traditional antivirus vendor to see the light, in Bloor’s view.

Others are joining Bloor’s way of thinking. Andrew Jaquith, a security analyst at Yankee Group, in December published a research paper entitled “Anti-Virus is Dead: Long Live Anti-Malware.” Yankee Group’s research indicates that there’s an “explosion” in cumulative malware variants, with 220,000 cumulative unique variants expected in 2007, a tenfold increase over 2002 levels.

The antivirus vendors simply can’t keep up, Jaquith says, noting that some antivirus lab managers privately complain this flood of virus variants, which force signature changes every 10 minutes, adds up to the equivalent of a denial-of-service attack against them.

“Most antivirus labs work the same way; they get more samples than they can handle on a daily basis,” Jaquith says. “They triage based on severity. The antivirus people are like folks with nets trying to catch the big fish, so if you’re a bad guy, you want to be a minnow and get through the driftnet.”

The best thing about antivirus signatures is that “they’re accurate and the false positives are very low,” Jaquith says. But the purpose in writing the “Anti-Virus is Dead” paper is to “bust everybody’s bubble that this stuff is keeping people safe and the notion it will solve your malware problem.”

Jaquith says he’s enthusiastic about behavior-blocker technology incorporated in Sana Security’s Primary Response or Prevx’s Prevx1.

Behavior-blocking antimalware software works by observing the behavior of applications running in memory, and blocking those deemed harmful. Sana Security’s CEO Don Listwin says Primary Response looks at 226 software characteristics deemed to be bad behavior and stops code trying to execute.

“We indict them and take them out,” Listwin says. But he acknowledges there can be false positives, adding that antivirus scanning is “complementary” to what Sana Security provides in behavior-blocking.

Not all analysts are ready to jump on the antivirus-is-dead bandwagon.

“Antiviral on the desktop is certainly still a must-have, though mostly as a removal tool,” says Gartner analyst John Pescatore. He says his firm advises clients to buy antivirus integrated with some host-based intrusion-prevention system (IPS), noting McAfee, Symantec and others have started adding IPS to block malware where signatures don’t exist.

When is the funeral?

If antivirus is dead, the question is when to hold the funeral.

Jaquith’s paper points out that “antivirus products enjoy a privileged position in enterprise budgets” and “no other security product boasts nearly 100% penetration.”

Research firm IDC estimates the antivirus market today accounts for US$2.1 billion on the consumer side and $3.1 billion for the enterprise. That’s expected to grow to $3 billion and $4.5 billion respectively by 2010.

While traditional antivirus vendors are willing to acknowledge there could be improvements, they are somewhat taken aback to hear industry analysts proclaim antivirus is dead.

“That’s a bit radical,” says John Maddison, general manager of network security services group at Trend Micro, which has no immediate plans to adopt whitelisting or behavior-blocking. Trend Micro is innovating with what it calls reputation services to check IP addresses and e-mail to determine if incoming code originated at a reputable source.

“If you asked people to give up antivirus, you’d find few that would do that,” Maddison says.

Many corporate security managers concur.

“I wouldn’t let go of our signature-based control,” says Doug Sweetman, State Street’s senior technology officer in corporate information security, who adds State Street has licenses with five antivirus vendors because the competition is beneficial during negotiation time. But he adds: “It’s a commodity.”

Sweetman also says State Street has embarked upon a “desktop lockdown” that will not allow unauthorized applications on employee computers to run.

Kathy Larkin, director of information security at Prudential Financial, said she doesn’t find the argument that desktop antivirus is dead to be convincing. “I think antivirus is worthwhile and will be around for a long time.”

However, some antivirus vendors, when asked how long it takes to turn around a virus signature, acknowledge it’s tricky.

“It takes two to four hours to turn around a signature for a severe rating,” says Brian Foster, Symantec’s senior director of product management. He adds that he can’t say how long it might take for anything else. The majority of antivirus malicious code tracked by Symantec are variants “where someone has tweaked it, changed the payload,” Foster says.

While Symantec’s antivirus software can catch and stop variants through heuristics, a signature is needed to eradicate the specific variant code from the machine.

Foster says Symantec is adapting by incorporating new technologies, such as IPS, into its products and notes the antivirus products of the future will be working through far more than signature-based eradication.

Jaquith is ready to give credit where he thinks it’s due, and his paper cites McAfee and Symantec as traditional antivirus vendors that are moving to augment signatures with adjunct technologies that include behavior-blocking.

Taking the plunge

While most network executives probably wouldn’t be willing to jettison traditional antivirus software for alternatives such as whitelisting or behavior-blocking, there’s evidence a few are taking the plunge.

“There is that thought, that you still need antivirus and it’s something you should have,” says Brent Rickels, senior vice president at First National Bank of Bosque County, in Valley Mills, Texas. “It’s been around so long but it’s no longer adequate in this fast-changing world.”

The bank, which has about 6,000 customer accounts, still uses gateway-based antivirus filtering and restricts Web surfing among employees to reduce risk of downloading malware.

But the bank jettisoned its Symantec desktop antivirus about a year ago in favor of SecureWave’s Sanctuary product for the desktop, which Rickels says is less expensive.

“It builds a whitelist of [Dynamic Link Library] files allowed to run, and if it hasn’t authorized the file, it won’t run,” Rickels says. The only downside he has found in using it for more than a year is that it takes administrative time to adjust the Sanctuary software to recognize the proprietary bank applications or software patch updates from Microsoft.

But Rickels says the tradeoff is worth it. “We go through those drills, but I can control that vs. the unknown of viruses. Signature-based antivirus is like using a shield with holes in it.”
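As an added illustration (not code from Sanctuary or any other product named in the article), the following contrasts the two models the article describes: a signature scanner that denies only hashes it already knows, and a whitelist that denies everything not explicitly authorized. The sample “files” are constructed byte strings; a tweaked variant slips past the signature set but not the whitelist, while a vendor patch is blocked until an administrator re-authorizes it, which is the overhead Rickels describes.

```python
import hashlib
from typing import Dict, Set, Tuple


def fingerprint(data: bytes) -> str:
    """A file's identity is its SHA-256 digest; one changed byte gives a new digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables/DLLs (not real binaries or real malware).
FILES: Dict[str, bytes] = {
    "teller.exe":         b"MZ teller-app build 100",   # authorized line-of-business app
    "teller_patched.exe": b"MZ teller-app build 101",   # vendor patch: bytes changed
    "dropper.exe":        b"MZ dropper payload=A",      # known sample, signature exists
    "dropper_v2.exe":     b"MZ dropper payload=B",      # "tweaked" variant, no signature yet
}


class SignatureScanner:
    """Blocklist model: deny only what matches a known-bad signature, allow the rest."""

    def __init__(self, bad: Set[str]) -> None:
        self.bad = bad

    def allows(self, data: bytes) -> bool:
        return fingerprint(data) not in self.bad


class Whitelist:
    """Allowlist model: allow only what was explicitly authorized, deny the rest."""

    def __init__(self, good: Set[str]) -> None:
        self.good = good

    def allows(self, data: bytes) -> bool:
        return fingerprint(data) in self.good

    def authorize(self, data: bytes) -> None:
        """The administrative step after a patch or new internal app."""
        self.good.add(fingerprint(data))


def verdicts(authorize_patch: bool = False) -> Dict[str, Tuple[bool, bool]]:
    """Per file: (signature scanner allows it?, whitelist allows it?)."""
    scanner = SignatureScanner({fingerprint(FILES["dropper.exe"])})
    allowlist = Whitelist({fingerprint(FILES["teller.exe"])})
    if authorize_patch:
        allowlist.authorize(FILES["teller_patched.exe"])
    return {name: (scanner.allows(d), allowlist.allows(d)) for name, d in FILES.items()}


if __name__ == "__main__":
    for name, (sig_ok, wl_ok) in verdicts().items():
        print(f"{name:20s} signature:{'allow' if sig_ok else 'deny':5s} whitelist:{'allow' if wl_ok else 'deny'}")
```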

http://www.pcworld.com/article/130455-1/article.html?tk=nl_dnxnws
