Better off without AV? Not yet

A story we ran today — originally published on sister site Techworld — offers a blistering verdict against antivirus software, declaring it a useless waste of money. From the story:

Antivirus software is now so ineffective at detecting new malware threats most enterprises are probably wasting their money buying it, an analysis by security firm Imperva has concluded. Reports questioning the protection offered by antivirus suites has become a staple theme among researchers in recent times and the study Assessing the Effectiveness of Anti-Virus Solutions, carried out for Imperva by the University of Tel Aviv, is another addition to that sobering collection.

The team ran a collection of 82 new malware files through the VirusTotal system that checks files against around 40 different antivirus products, finding that the initial detection rate was a startling zero. The company then ran the same scan a number of times at intervals of a week apart to see whether detection improved over time, discovering that even the best-performing products took at least three weeks to add a previously undetected sample to their databases.

Across products, 12 files that were poorly detected when new were still not detected by half of the software when scanned at later dates. In some detections, files were simply marked as “unclassified malware,” a designation that would harm the effectiveness of malware removal. It is hard to say which individual products did best from this bad job (readers can judge for themselves on Imperva’s website) but there appeared no connection between popularity and success.

That AV struggles to keep up with the always-shifting malware landscape is not new. Security experts have been saying it for as long as I’ve been writing about information security (closing in on a decade). The big AV vendors have long since acknowledged it by working a host of other security technologies into their product portfolios to supplement the AV offerings that first put them on the map.

But it’s important to remember that we’re still in a transitional period for security technology and that most us us shouldn’t be ditching AV just yet.

I’m reminded of a story I wrote three years ago where some infosec practitioners told me they had stopped using AV. From that story:

To the average IT security practitioner, the idea of disabling antivirus on new machines might seem blasphemous. After all, weren’t we all told in IT Security 101 that everyone needs AV to keep the malware and data thieves at bay? Perhaps, but for some who moved beyond IT Security 101 eons ago, AV is more than simply obsolete. It’s an obstacle to a more perfect defense. And so they’ve chosen to disable it.

Among those who feel that way is David Litchfield, a leading database security expert who has authored such books as “Oracle Forensics,” the “Oracle Hacker’s Handbook,” the “Database Hacker’s Handbook” and “SQL Server Security.” [Related: Researcher Finds New Way to Hack Oracle Database] Like the media players and toolbars he also chooses to disable, such as Real Player, Adobe Acrobat/Flash and toolbars from Google and Yahoo, Litchfield simply doesn’t trust the AV programs out there.

“As an experienced security guy, I have no faith in most of the AV packages out there because they’re completely reactive, offer little advance protection, massively increase the attack surface and have a long history of vulnerable ActiveX controls,” Litchfield says. “I’ve never used AV software and I’ve never once been infected with a virus.”

For Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, it’s not simply a matter of distrusting AV. It’s just that security practitioners who have been in the game as long as he has have found better controls that make AV obsolete. “I don’t use AV on most of my systems, and most high-level security types use only limited AV,” he said. Mogull believes AV is quite useful at the e-mail gateway/provider level, and he does have AV on a Windows XP VM (virtual machine) left over from his last job. But there’s no AV to be found on his Mac, or on his Vista VM. He points out that he uses “a lot” of other controls that provide him with adequate security, including limited Web browsing, maximum security in the browser, e-mail filtering and other lock-downs on the system.

All that said, they agreed at the time that this wasn’t something the security novice should be doing. “Knowing what is and what isn’t safe to do on a computer is 90 percent of the battle,” Litchfield said. Much has changed since I wrote that story. But in the grand scheme of things, I think the point still holds true today: You need a higher level of infosec experience to go without AV. For everyone else, faulty AV remains better than none at all. Someday I suspect technology will advance far enough to make AV obsolete for everyone. But we’re not there yet. Not too long ago, I revisited the issue after we ran a story about businesses using antivirus programs that are often badly misconfigured. I asked readers for feedback and got back some good perspective. I’ll end by sharing a couple:

Don Faulkner: Collapse: I agree that for now antivirus is still needed on most platforms, especially the desktop of the average user. The day is fast approaching, however, where today’s antivirus will be outmatched. Recent work in advanced malware, including gadget-based systems like Frankenstein, make it clear that AV will have an ever harder time identifying a block of malicious code, while malware authors have an ever expanding toolbox to work with. Marcus Ranum calls this “Enumerating Badness,” and gives very good reasons for why we shouldn’t do it. Antivirus has survived this long because the alternative has been perceived as harder.

Dave Marcus: In truth, its the OS-centric model that AV uses that has become obsolete. Hardware-assistance (using functionality within silicon) needs to be better understood, investigated and developed toward. Look at the upcoming 4th Gen Intel platform and you will see there are a variety of functions that can be used in ways that OS-based detection CANNOT approach on its own.