Has antivirus outlived its value?

A story yesterday about badly-configured AV reminds me of a discussion I once had with some infosec pros who no longer use it. Is AV truly obsolete, or are we simply doing it wrong?

After reading a story this morning by John E. Dunn about how antivirus programs are often misconfigured, I remembered a story I worked on three years ago in which those interviewed were no longer using the security software.

From Dunn's story:

Using numbers crunched from PCs running OPSWAT's AppRemover tool (140,000 installations), MSE systems had realtime protection enabled in 94.6 percent of cases, slightly ahead of Avast, McAfee and Avira.

By contrast, Kaspersky Lab's Internet Security users only activated this important setting 65.5 percent of the time, with Norton Internet Security and Norton AntiVirus users not much better.


MSE users were also the best at updating frequency, with 94 percent updating in the previous week. Just under 65 percent of Norton AntiVirus and McAfee VirusScan users had updated in the previous 60 days, something that would render the protection offered by the software moot.

When it came to systems scans, MSE again led the field with 74.5 percent of users having run one in the previous seven days while only a quarter of McAfee VirusScan users had done the same.
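The three things the OPSWAT numbers above measure (realtime protection switched on, definitions current, a scan run recently) are all visible from the host itself, and the gap Dunn describes is usually a configuration problem rather than a product problem. The script below is an added example, not part of Dunn's story or the OPSWAT tool: it audits those three settings on a modern Windows client and exits non-zero if any of them is off. It assumes Windows Security Center registers installed AV products in the `root\SecurityCenter2` WMI namespace (client editions only), that Microsoft Defender (MSE's successor) is present and exposes `Get-MpComputerStatus`, and it uses the widely circulated but unofficial decoding of the `productState` field; the seven-day thresholds are chosen to mirror the survey's "previous week" / "previous seven days" measures.

```powershell
# Added example (not from the original article or from OPSWAT): audit the
# settings the survey measured -- realtime protection on, definitions current,
# a recent scan -- on a Windows client. Run from an elevated PowerShell session.
#
# Assumptions, labelled here because the article does not state them:
#  - Third-party and Microsoft AV register in root\SecurityCenter2 (client SKUs only).
#  - productState decoding below is the commonly observed, unofficial layout:
#      middle byte 0x10/0x11 => realtime protection enabled
#      low byte    0x00      => definitions up to date, 0x10 => out of date
#  - Get-MpComputerStatus (Defender module) is available for signature/scan ages.
#  - 7-day thresholds mirror the survey's "updated in the previous week" and
#    "scan in the previous seven days" measures; adjust to your policy.

param(
    [int]$MaxSignatureAgeDays = 7,
    [int]$MaxScanAgeDays = 7
)

function Decode-ProductState {
    param([uint32]$State)
    $hex = '{0:X6}' -f $State
    [pscustomobject]@{
        Enabled  = $hex.Substring(2, 2) -in @('10', '11')   # middle byte: realtime on
        UpToDate = $hex.Substring(4, 2) -eq '00'            # low byte: definitions current
    }
}

$findings = @()

# 1. Every AV product Security Center knows about (Norton, McAfee, Kaspersky, Defender, ...)
$products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $products) {
    $findings += 'No antivirus product is registered with Security Center.'
}
foreach ($p in $products) {
    $s = Decode-ProductState -State $p.productState
    if (-not $s.Enabled) {
        $findings += "$($p.displayName): realtime protection is OFF (productState 0x$('{0:X6}' -f $p.productState))."
    }
    if (-not $s.UpToDate) {
        $findings += "$($p.displayName): definitions are OUT OF DATE."
    }
}

# 2. Defender-specific detail: how old the signatures are and when the last scan ran
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $st = Get-MpComputerStatus
    if (-not $st.RealTimeProtectionEnabled) {
        $findings += 'Defender: RealTimeProtectionEnabled is False.'
    }
    if ($st.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Defender: signatures are $($st.AntivirusSignatureAge) days old (last updated $($st.AntivirusSignatureLastUpdated))."
    }
    # QuickScanAge / FullScanAge are days since that scan type last completed;
    # 4294967295 means it has never run, which correctly fails the check below.
    $lastScanAge = [math]::Min($st.QuickScanAge, $st.FullScanAge)
    if ($lastScanAge -gt $MaxScanAgeDays) {
        $findings += "Defender: no scan in the last $MaxScanAgeDays days (quick: $($st.QuickScanAge)d, full: $($st.FullScanAge)d)."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: realtime protection on, definitions current, scan within threshold.'
    exit 0
}
$findings | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Because the script's exit code carries the verdict, it can be dropped into a login script, a scheduled task or an endpoint-management compliance check, which is the point: the survey's worst numbers were not about which vendor was installed but about whether anyone was checking that the product was actually switched on and fed.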

A lot of very smart people in the security community have been panning AV for some time now. Their main gripe is that AV programs are constantly behind the times, unable to keep up with an always rapidly changing threat landscape. In the story I wrote three years ago, security pros cautioned against average users ditching AV because it was still better than nothing. But they had found a way to nix AV in their own environments. From that story:

To the average IT security practitioner, the idea of disabling antivirus on new machines might seem blasphemous. After all, weren't we all told in IT Security 101 that everyone needs AV to keep the malware and data thieves at bay?

Perhaps, but for some who moved beyond IT Security 101 eons ago, AV is more than simply obsolete. It's an obstacle to a more perfect defense. And so they've chosen to disable it.

Among those who feel that way is David Litchfield, a leading database security expert who has authored such books as "Oracle Forensics," the "Oracle Hacker's Handbook," the "Database Hacker's Handbook" and "SQL Server Security."

Like the media players and toolbars he also chooses to disable, such as Real Player, Adobe Acrobat/Flash and toolbars from Google and Yahoo, Litchfield simply doesn't trust the AV programs out there.

"As an experienced security guy, I have no faith in most of the AV packages out there because they're completely reactive, offer little advance protection, massively increase the attack surface and have a long history of vulnerable ActiveX controls," Litchfield says. "I've never used AV software and I've never once been infected with a virus."

For Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, it's not simply a matter of distrusting AV. It's just that security practitioners who have been in the game as long as he has have found better controls that make AV obsolete.

"I don't use AV on most of my systems, and most high-level security types use only limited AV," he said.

Mogull believes AV is quite useful at the e-mail gateway/provider level, and he does have AV on a Windows XP VM (virtual machine) left over from his last job. But there's no AV to be found on his Mac, or on his Vista VM. He points out that he uses "a lot" of other controls that provide him with adequate security, including limited Web browsing, maximum security in the browser, e-mail filtering and other lock-downs on the system.

All that said, Litchfield and Mogull agree this isn't something the security novice should be doing. "Knowing what is and what isn't safe to do on a computer is 90 percent of the battle," Litchfield said.

Of course, much has changed since I wrote that story. Attackers have changed their tactics a hundred times over, and new products have come along, some more effective than others.

I don't have a specific opinion on the matter, because my skills are not even close to those of the experts I interviewed. For me, imperfect AV software remains better than none at all. I don't trust myself to go without it, and my company wouldn't allow it anyway.

But I am interested in where you stand on the matter, so the floor is now open for discussion.

Copyright © 2012 IDG Communications, Inc.
