


Bob Violino
Contributing writer

Antivirus doesn’t work. So why are you still using it?

Apr 06, 2015 | 7 mins
Data and Information Security, Viruses

For years, companies have relied on antivirus (AV) software to help detect, prevent and remove malicious code before it becomes a problem.

But standalone AV is no longer effective at stopping today’s increasingly sophisticated barrage of keyloggers, backdoors, rootkits, Trojan horses, worms and spyware.

“It is clear that traditional signature-based anti-malware solutions are increasingly ineffective,” says Gartner analyst Neil MacDonald. “In cases where an enterprise is subject to an advanced targeted attack, it may provide no protection at all. [And] in cases where the end user is targeted directly, runs with full administrative rights on their PC and is tricked into running some kind of Trojan, traditional anti-malware solutions are of little value.”

So why do companies still use it?

There are several reasons why AV is still deployed on enterprise endpoints. The first is simply that antivirus is required for legal and compliance reasons.


All companies “still need to have something they can call ‘anti-virus’ on their checklist,” says Adrian Sanabria, senior analyst in the Enterprise Security Practice at 451 Research.

“Regulated businesses simply have no choice, as compliance requires it. Unregulated companies would look irresponsible and might face lawsuits and could have problems collecting on breach insurance if they didn’t use AV,” he adds.

Secondly, even though AV doesn’t catch everything, it still provides some level of protection.


AV is still required “because there is so much malware out there,” says IDC analyst Charles Kolodgy. “Microsoft has done studies to show that computers without any AV are infected at a much higher rate than computers with AV—irrespective of what brand.”

If a PC user with no AV software normally surfs the Internet for a week, “I would expect that there is a high probability the computer will become infected with a basic piece of malware that would be easily stopped by AV,” Kolodgy says. 

He recommends that “standard signature AV should be one part of a more comprehensive endpoint security solution.”

Another scenario where AV is appropriate is “when you believe the risk to your endpoints is very low because of the purpose of those devices, how they are connected to a network and what additional security solutions are around those devices,” adds Kolodgy.

MacDonald agrees that AV still has a role to play. “If you have a signature that can identify an attack and can prevent it, by all means use it. What is clear is that won’t always be the case. You must assume that some percentage of attacks will get past traditional signature-based defense mechanisms so additional protection capabilities are needed—most notably the ability to monitor for unusual behaviors at endpoints that would be indicative of an attack.”

How are traditional AV vendors adapting?

The key question going forward is what new capabilities providers of AV will build into their products to make them more comprehensive.

“I don’t think in terms of just anti-virus any more,” adds Kolodgy. “Yes, there are still just pure AV products, but they are not what the vast majority of people are looking for.”

AV software is becoming more about suites that include desktop AV, host intrusion detection, a desktop firewall, application control and vulnerability monitoring, Kolodgy says.

Although much of the change in the AV market is being driven by newcomers, the established vendors (Symantec, McAfee, Kaspersky, Bitdefender, Sophos and Trend Micro) aren’t sitting idle.

“The traditional AV players are working very hard to incorporate advanced endpoint security technology into their existing products,” Kolodgy says. “The challenge for the existing vendors is they have to incorporate the changes into their existing code base and make it manageable, again tied to their existing management consoles.”


The incumbents “have all made efforts to evolve with the changing industry,” Sanabria says. “I think they need to do more to disassociate with traditional AV though, and leave that old moniker behind. In some cases, it isn’t that the newer vendors are the only ones using new approaches and techniques to detect and stop malware, it is that their marketing and brand doesn’t associate them” with traditional AV products.

What are the alternatives?

Sanabria divides the AV market into three main categories: traditional, endpoint protection and incident response. “The traditional stuff can’t keep the bad guys out, because the bad guys have access to traditional AV,” Sanabria says. “They simply make sure it doesn’t catch their malware before they release it.”

Endpoint protection products are much more effective at stopping malware, Sanabria says, “but mostly aren’t as good at removing it, so most of them don’t claim to replace traditional AV yet.”

Similarly, products focused on incident response aren’t that effective at remediation, so they’re seen as being complementary to other AV offerings, he says.

“We don’t yet know exactly how the anti-malware market is going to play out, but I think it will be a combination of AV morphing into something more effective—either through internal development work or acquisitions,” Sanabria says. “We have definitely seen the end of AV as we know it, though in this new age we’ll still see the old techniques and signatures being used by some vendors as complementary to newer techniques.”

Experts say much of the innovation in the market is being driven by newer players such as Webroot, Bit9/Carbon Black, Bromium, Triumfant, Invincea, Countertack, Cylance and Crowdstrike.

“One of the more successful vendors at this point has been the merger of Bit9 and Carbon Black, with Bit9 providing the more traditional application control solution and Carbon Black with the EDR [endpoint detection and response] component,” MacDonald says.

“Combined, they provide both a prevention and detection capability.”

Other technology advancements in the field are sandboxing, memory monitoring, virtual containers and machine learning. “The nice aspect is with the variety of potential technologies it becomes more difficult for attackers to create malware that is undetectable,” Kolodgy says.

Some of the newer vendors are making new anti-malware technology available to consumers and not just businesses, Sanabria says. That will help address the security needs of growing BYOD programs.

What should your strategy be?

Regardless of what the AV vendors are doing and what happens in the marketplace, IT, security and risk managers need to take a more proactive, layered approach to protecting their organizations against today’s advanced security threats.

They need to do this by using technologies that address the expanding attack surface present on many employee endpoints and servers, says Chris Sherman, an analyst at Forrester Research.

In a 2014 report he authored on the AV market, Sherman recommends that companies consider layering multiple endpoint tools to minimize the attack surface and meet the different demands of servers and endpoints.

A growing number of organizations are looking to replace their third-party AV tools with native operating system AV augmented with third-party alternatives such as application whitelisting, application privilege management, application integrity protection, endpoint execution isolation, and endpoint visibility and control, the report points out.
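Two of the points above are easier to see in code than in prose: Sanabria’s observation that attackers test their malware against the signature engines they know defenders run, and the report’s suggestion of application whitelisting as a layer that does not depend on knowing what the bad file looks like. The following is an added illustration written for this article, not code from any of the vendors or analysts named here. The “binaries”, the hash denylist, the byte-pattern signatures and the one-byte XOR “packer” are all constructed stand-ins for a real scanner and real samples.

```python
"""Added example: a denylist (signature) model versus an allowlist model.

All samples, signatures and keys below are constructed for illustration.
"""
import hashlib
import re
from typing import Optional

# --- constructed sample "files" (stand-ins for real executables) ---
HEADER = b"MZ\x90\x00"
BENIGN = HEADER + b"benign inventory agent v1"
MALWARE = HEADER + b"keylogger: GetAsyncKeyState loop; POST /c2/upload"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Traditional AV model: a denylist of things already known to be bad,
# as a full-file hash and as exact byte patterns lifted from the sample.
HASH_DENYLIST = {sha256(MALWARE)}
BYTE_SIGNATURES = [re.compile(rb"GetAsyncKeyState"), re.compile(rb"POST /c2/")]


def signature_scan(sample: bytes) -> bool:
    """True if the sample matches a known hash or a known byte pattern."""
    if sha256(sample) in HASH_DENYLIST:
        return True
    return any(sig.search(sample) for sig in BYTE_SIGNATURES)


def xor_repack(sample: bytes, key: int) -> bytes:
    """Trivial 'packer': XOR everything after the header with a one-byte key.

    A real packer would also prepend a decoder stub so the file still runs;
    the encoded body alone is enough to defeat exact-byte and hash signatures.
    """
    body = bytes(b ^ key for b in sample[len(HEADER):])
    return sample[:len(HEADER)] + body


def attacker_prerelease_test(sample: bytes) -> Optional[int]:
    """The step the article describes: the author scans their own malware with
    the defender's engine and re-encodes it until nothing fires. Returns the
    first key that evades the scanner, or None if every variant is caught."""
    for key in range(1, 256):
        if not signature_scan(xor_repack(sample, key)):
            return key
    return None


# Application whitelisting model: default deny; only hashes of approved
# binaries may execute. Nothing about the malware needs to be known.
ALLOWLIST = {sha256(BENIGN)}


def allowlist_permits(sample: bytes) -> bool:
    """True only for binaries whose hash was approved in advance."""
    return sha256(sample) in ALLOWLIST


if __name__ == "__main__":
    key = attacker_prerelease_test(MALWARE)
    repacked = xor_repack(MALWARE, key)
    print("original caught by signatures:", signature_scan(MALWARE))
    print("repacked caught by signatures:", signature_scan(repacked))
    print("repacked allowed by allowlist: ", allowlist_permits(repacked))
    # The operational cost of an allowlist: an unapproved update is blocked too.
    print("patched benign agent allowed:  ", allowlist_permits(BENIGN + b" patched"))
```

The last line is the caveat a practitioner will hit first: an allowlist blocks the repacked sample without any signature update, but it also blocks a legitimate binary the moment it changes, so whitelisting only works where there is a process for approving updates. That operational burden, not detection quality, is the usual reason it is deployed as one layer beside AV rather than instead of it.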

By re-evaluating the role of AV within their overall information security strategy—without necessarily eliminating it—companies can best prepare themselves for today’s and tomorrow’s threats.

Violino is a freelance writer. He can be reached at