Antivirus Software: Is it Effective Anymore?

Antivirus software has long been a security staple. It is the first thing you turn to when under attack by a virus or malware. Over the last two decades, it has saved businesses billions of dollars by staving off security attacks and keeping computers secure. Understandably, creating, updating and selling antivirus software is big business. For instance, Symantec, which sells the Norton suite of computer security programs, is valued at over $16B and had revenues of $6.7 billion in 2012.

Despite its overwhelming success, doubts persist whether antivirus is effective anymore. Security threats are becoming more sophisticated and security companies are finding it hard to keep up. In this article, we'll learn more about the current state of antivirus software, its scope, capabilities, and possible alternatives.

The Current State of Antivirus Software

In early May this year, Symantec's VP of Information Security, Brian Dye, sent shockwaves through the security world when he said that antivirus software is "dead" and that the future of computer security lies in detecting and thwarting hacks.

This was nearly two years following the publication of an influential op-ed piece in the MIT Technology Review which argued that the "antivirus era is over".

The fact that Symantec failed to detect malware on the New York Times website for nearly 4 months after it was hacked by Chinese hackers goes to show that while the antivirus era might not be over, it is certainly headed in that direction.

Security Threats Getting More Advanced

Antivirus software was born at a time when hack attacks were relatively straightforward. Hackers would release viruses through different distribution channels, which would then be picked up and removed by antivirus software.

Today, security threats have become a lot more complicated. Some of the new methods hackers use to infect computers today include:

  • Server-side polymorphism (SSP): Polymorphism is the process by which malware continuously changes its code to make it difficult to detect any readily identifiable patterns. This is a technique hackers have used for years to evade detection. With SSP, however, they have another trick up their sleeves. SSP hides all the code on a remote server, which means that antivirus software can't even access it, let alone detect identifiable patterns.
  • Managed malware crypting services: Malware creation is now an entire industry with thousands of well-funded cybercriminals colluding together to create increasingly sophisticated malware. With managed crypting services, hackers can get direct access to malicious code that has the best chance to infect a particular target, which makes detection through antivirus extremely difficult.
  • Better malware cryptors: Malware cryptors are pieces of code designed to make malware difficult to detect. Better malware cryptors available today can keep on changing on their own and growing until they are completely unrecognizable to antivirus programs.

In addition, most users today use multiple interconnected devices - desktops, laptops, mobiles, tablets, etc. This means that an enterprising hacker has to compromise only one of these devices to get access to the entire network. It makes the job of antivirus software even more difficult. After all, your computer may be protected by antivirus, but your smartphone might not be, leading to security problems.

Alternatives to Antivirus

Given the nature of today's security threats and the inability of antivirus software to deal with them effectively, you can consider the following alternatives to keep your networks secure:

  • Education: The easiest and perhaps most important thing you can do for your network's security is to educate your employees about malware and lay out some ground rules on online behavior. This should include direction on what kind of websites, files, etc. to open and staying vigilant on social media.
  • Emphasize isolation: The latest security trend is to place all potentially malicious code in an isolated virtual machine. Once placed inside this virtual machine, the code cannot interact with or harm any other part of the computer. Isolation is extremely effective in battling security threats, and companies like Bromium offer solutions for creating virtual machines on a large scale to isolate threats.
  • Use blacklists and whitelists: A blacklist is a list of banned websites that harbor malicious code. A whitelist is the opposite - a list of trusted websites and online sources. Blacklists are usually used by antivirus software to improve security. Some tools, such as MalwareBytes, take a crowdsourcing approach to creating blacklists, using data gathered from thousands of users. At the same time, you can consider creating a whitelist of selected sites considered "good". Users on your network will not be able to access or download files from any website outside the whitelist. This can affect usability, but it will also ensure a high degree of security.
  • Better firewalls: The firewall is an oft-neglected part of the security infrastructure. A number of companies, such as Palo Alto Networks, are building powerful firewalls (called 'WildFire') that utilize cloud-based, crowdsourced engines to detect and isolate threats. These can be very effective in reducing security risks.
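The blacklist/whitelist item above describes the policy in words; the example below, added here and not taken from the article or from any vendor it names, shows how such a policy is evaluated correctly against a URL. It assumes a constructed blocklist and allowlist of hostnames (all under the reserved `.example` and `.test` domains), that the blocklist always wins, and that the whitelist-only mode the article mentions can be switched on or off. The two points a practitioner usually gets wrong are handled: matching is done on the parsed hostname rather than on the raw URL string, and a listed domain matches itself and its subdomains at a label boundary only, so `trusted-vendor.example.attacker.test` is not mistaken for `trusted-vendor.example`.

```python
from urllib.parse import urlsplit

# Constructed sample policy (not from the article). Entries are hostnames or
# parent domains; every subdomain of an entry is covered by it.
BLOCKLIST = {"malware-host.example", "bad.example.net"}
ALLOWLIST = {"intranet.example", "trusted-vendor.example"}


def host_matches(host, entries):
    """True if host equals an entry or is a subdomain of one.

    The check is anchored at a label boundary ("." + entry), so a plain
    substring test is avoided: "trusted-vendor.example.attacker.test" does
    not match the entry "trusted-vendor.example".
    """
    host = host.rstrip(".").lower()
    return any(host == entry or host.endswith("." + entry) for entry in entries)


def classify_url(url, allowlist_enabled=True):
    """Apply the policy to one URL.

    Returns one of:
      "block"           - host is on the blocklist (or the URL has no host)
      "allow"           - host is trusted, or only blocklisting is in force
      "deny-by-default" - whitelist mode is on and the host is not listed
    """
    # urlsplit() extracts the real hostname, so "http://user@evil/" is judged
    # by "evil", not by the user-info text that precedes the "@".
    host = urlsplit(url).hostname
    if not host:
        return "block"  # unparseable or host-less URL: treat as untrusted
    if host_matches(host, BLOCKLIST):
        return "block"  # blocklist takes precedence over everything else
    if not allowlist_enabled:
        return "allow"  # blocklist-only mode: anything not banned passes
    if host_matches(host, ALLOWLIST):
        return "allow"
    return "deny-by-default"  # whitelist mode: unknown sites are refused


def evaluate(urls, allowlist_enabled=True):
    """Classify a batch of URLs; returns {url: decision}."""
    return {u: classify_url(u, allowlist_enabled) for u in urls}


if __name__ == "__main__":
    # Constructed sample traffic to run the policy over.
    sample = [
        "https://intranet.example/reports/q1.pdf",
        "http://files.trusted-vendor.example/update.zip",
        "http://trusted-vendor.example.attacker.test/",
        "http://www.malware-host.example/",
        "http://intranet.example@bad.example.net/",
        "not a url",
    ]
    for url, decision in evaluate(sample).items():
        print(f"{decision:16} {url}")
    print("--- blocklist-only mode ---")
    for url, decision in evaluate(sample, allowlist_enabled=False).items():
        print(f"{decision:16} {url}")
```

Running both modes over the same sample makes the usability trade-off the article mentions visible: with the whitelist switched on, the look-alike host is refused by default; with only the blocklist in force, it is allowed through because nobody has yet reported it.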

Antivirus is Still Important

Despite all the above, the fact remains that antivirus software is still the best (and the only) first line of defense against malware, viruses and other security threats. While it may struggle to keep up against more advanced security threats, it is still crucial for every firm to have some sort of antivirus protecting its IT infrastructure. What's changed is that antivirus software now needs to be complemented by a capable suite of security software, some of which we discussed above.

As Brian Dye of Symantec put it, "antivirus alone is not enough anymore". What you need to be completely secure today is a robust security system that involves multiple security tiers, starting with a firewall, antivirus, blacklists/whitelists, and advanced threat management to isolate and remove malicious code. Adopt all these methods, and you should have no problems in keeping your networks secure!