Three short words that are an almost guaranteed route to headlines in the technical press. But what do they actually mean? That anti-malware software is useless? Let's dig into this thorny issue and separate the facts from the marketing messages.
For some reason anti-virus technology seems to divide experts into barely rational groups: those who think it is completely useless and those who think it (or rather, their preferred brand) is a panacea.
A journalist asked me today about some recent "AV is Dead" headlines. Here's my response.
--
The claim that “AV is dead” is guaranteed to make headlines in the technical press. This is why the claim is made so often, sometimes by companies that actually have anti-malware solutions within their own products.
I think there are three main issues worth exploring:
- AV signatures
- Business vs. consumer requirements
- Post-event protection
AV signatures
Anti-malware products that use only signatures of known malicious files are very limited. No decent AV product designed for endpoint systems works that way. They all have additional protection layers to support this most basic function.
It would be rather remiss to omit the signature system entirely (you’d risk ignoring well-known malicious files, which seems rather silly), but to rely on it is clearly a bad idea.
That’s what the “AV is dead” line always comes down to. It should really be:
“AV products that rely solely on signatures are relatively useless in isolation.”
The FireEye report is clearly focussing on “signature-based AV”, although that is not made clear initially. It also resurrects the diabolically-misjudged Imperva report, which made some basic errors and so suffered a lot of criticism.
In real-world tests run by DTL and other testing organisations anti-malware products are rarely 100 per cent effective, but neither are they usually completely useless. Microsoft Security Essentials often appears to be quite weak and, in our tests, always appears at the bottom of the ratings - yet it still seems to stop more than 50 per cent of threats. The best products stop in excess of 90 per cent of threats, most of which are really nasty things like ransom-ware. That does not sound like “dead”/obsolete.
Business vs. consumer requirements
When making general statements about the effectiveness of AV, commentators usually focus on the needs and resources of large businesses. I am sure that Symantec’s Brian Dye will do a marvellous job with his response team, but I doubt he’ll be sending those guys into your house or mine to help with a ransom-ware infection. They will be focussed on very large businesses.
Similarly, see how companies that focus on white-listing handle AV in the media. It’s always “dead” but… what about consumers? Can they handle white-listing products?
There are very few such products available for consumers and these are hard and annoying to use. They may scale well for businesses in which a small team handles white-listing for many thousands of employees, but you as an individual are not going to want to handle the white-listing needs of your extended family, even if it’s a large one.
Have you ever tried even the most basic parental control software? It’s very labour-intensive to use in the real world, where very real people (small, demanding children) provide feedback that one cannot ignore.
So anti-malware-based products are clearly one of the few options available for consumers and, as long as those products are not entirely signature-based, they should do a reasonable job of protecting people. They will be better than nothing, at least, which does not sound like “dead”/obsolete.
Post-event protection
Currently businesses seem to be facing far greater threats than consumers. They are being attacked relentlessly, if we believe the stories, and so malware is likely to infect a system on the network at some point. It may then spread, one way or another, through that network and into others.
This is why products from companies like FireEye, Palo Alto Networks and Cisco don’t just try to prevent the initial infection – they have to be able to detect when an infection has occurred and should alert technical staff that something needs to be investigated. At least a few will use signature-based AV as part of that process (in fact I know that some do).
And why not? We have seen a file appear on Fred’s PC and we can take a signature of that and search the other files on the network for other copies.
That makes a lot of sense and does not sound like “dead”/obsolete.
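The post-event sweep described above, and the limitation of signatures argued in the “AV signatures” section, can both be shown with a small file-hash sweep. This is an added example, not code from the post or from any product it mentions; the file tree, file names and contents are constructed stand-ins, and SHA-256 is assumed as the “signature” of a file.

```python
"""Added example: take a hash of a file seen on one machine and sweep a tree for copies."""
import hashlib
import os
import tempfile


def file_sha256(path):
    """Return the SHA-256 hex digest of a file, read in chunks to cope with large files."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, signatures):
    """Walk `root` and return, sorted, the paths whose SHA-256 is in the known-bad set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if file_sha256(path) in signatures:
                hits.append(path)
    return sorted(hits)


def demo():
    """Build a constructed file tree, take a signature from 'Fred's PC', sweep the rest."""
    root = tempfile.mkdtemp()
    sample = b"constructed harmless sample, standing in for the file seen on Fred's PC\n"
    layout = {  # constructed layout: one 'PC' per directory
        "fred/payload.bin": sample,          # the original sighting
        "alice/notes.txt": b"unrelated content\n",
        "bob/copy.bin": sample,              # an exact copy elsewhere on the network
        "carol/variant.bin": sample + b"x",  # one byte changed: same threat, new hash
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # The signature is taken from the sighting on Fred's PC, then the whole tree is swept.
    signatures = {file_sha256(os.path.join(root, "fred/payload.bin"))}
    hits = sweep(root, signatures)
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in hits]
```

The sweep finds the exact copy on Bob's machine but not Carol's one-byte variant, which is exactly why the post argues that signatures are useful for hunting known files yet cannot be the only layer.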