by John Breeden II

Traditional anti-virus is dead. Long live the new and improved AV

May 11, 2015

Advanced Persistent Threats, Data and Information Security, Network Security

Despite its flaws, anti-virus remains an indispensable part of endpoint security protection

Over the past several months, Network World has reviewed a host of security programs designed to protect networks from modern advanced persistent threats. These programs run the gamut from continuous monitoring applications that observe everything to those that simply watch for suspicious network traffic.

But even with those advanced programs in place, enterprises still need to protect their endpoints from intrusion – and that includes everything from laptops and desktops to iOS and Android devices. For most individual users as well as businesses, this protection will come in the form of an anti-virus security suite. In fact, the proliferation of mobile devices coupled with BYOD programs makes anti-virus even more necessary in today’s enterprise environment, regardless of what programs are protecting the core network. (Read Network World’s product test: Old-school anti-virus vendors learn new tricks.)

According to several leading anti-virus companies, these days there is little difference between an endpoint sitting on a corporate network, a personal computer being used at home, or even a mobile device being used as part of a BYOD program. The protection that all of those devices need is nearly identical, and the anti-virus software deployed for them is almost exactly the same across the board.


And it’s not just anti-virus acting alone any more.

“Although as an industry we are still called anti-virus companies, the truth is that what we do these days is necessarily so much more sophisticated than that,” says ESET Director of Product Marketing Jeff Chen. “We offer defenses in depth, where traditional anti-virus is just one part of the picture.”

For ESET, that means adding several components to their Smart Security suite including an exploit blocker to close holes in programs with known security problems, a vulnerability shield that scans for programs trying to take advantage of things like remote desktop protocol, anti-phishing protection, an advanced memory scanner that can detect unknown malware when it tries to uncloak, and standard signature-based anti-virus. “The lines between the consumer side and business are increasingly blurred,” Chen says. “We are seeing up to 80 percent of the companies we work with having someone working outside of the office at least some of the time. Our software is designed to protect both environments.”

ESET is one of the few companies that still offers a straight anti-virus package, through its NOD32 product, though Chen said it is mostly purchased by specialty groups like gamers who want pure performance on their game machines and nothing else. Most other consumers and businesses buy the Smart Security product and implement layers of protection.

Symantec, which through its Norton products has been in the anti-virus space longer than almost any other vendor, is also consolidating most of its offerings into a single package and offering that total protection to both consumers and business enterprises. At one point Symantec had nine different versions of its security suite available, each doing slightly different things and each sold at a different price. For 2015 they have been folded into a single offering, Norton Security. “We didn’t want to offer different levels of protection to people based on what they could pay,” says Norton Senior Product Manager Jordan Blake. “Now all you need to know is how many devices you want protected and we’ll provide those licenses for complete protection.”

For Norton, one of the only differences between its consumer and enterprise offerings is the fact that the enterprise software includes backup. The protection suite is exactly the same, and includes a layered defense that goes well beyond the simple signature-based anti-virus of yesteryear.

That protection includes being able to fortify mobile endpoints just as easily as a Windows desktop. It also includes the flexibility to expire licenses for devices that are being removed from a network, and then adding the remaining time to a new one coming online so that no money is lost. And the software doesn’t care if those licenses are spent adding protection to a PC, Mac, Android phone or iOS device. In fact, other than a few features like the ability to use a touch screen, the Norton interface is consistent throughout all platforms, helping local enterprise administrators or over-taxed end users with lots of devices learn and understand their protection levels from a unified interface.

AVG Technologies came into the anti-virus market in almost the complete opposite way as Symantec and many of the others. Instead of starting with the enterprise and expanding to help consumers, they started with consumers and then slowly began to expand into the enterprise. Their newest offering, AVG Zen, is aimed at capturing the middle ground between the two, helping small and midsized businesses, as well as consumers, face the dangers of APTs and other harmful malware.

“We believe that with trends like the Internet of Things, small business is getting a lot more complicated to try and protect,” says Tony Anscombe, Senior Security Evangelist for AVG. “Even a small business with 25 employees might have hundreds of devices that they need to manage and protect.”

And Anscombe points to the yearly Verizon Data Breach Investigations Report that shows that as far back as 2013, up to 72% of small businesses surveyed had experienced some type of data breach or attack. Anscombe says that most successful attacks are phishing-based, which is difficult to defend against. “From a security perspective, what we can’t do is stop someone from taking an incorrect action,” he says. “But we can protect from that damage by layering protection.”

AVG Zen provides an interface that lets administrators see everything happening security-wise on every PC and device within the network, such as a firewall that has been turned off on a PC or an Android phone that does not have the latest virus definitions. Administrators can fix those problems from the interface on managed devices. If a notebook isn’t powered up but needs something done to it, such as turning a firewall on, updating definitions or running a full system scan, the command is sent to the cloud and triggered the next time the device comes back online.

With businesses of every size using social media, it becomes another possible channel for malware to reach systems. Of the 250 million new virus variants that Trend Micro finds every single day, many are designed to be distributed via Facebook, Twitter or other social media sites. This presents yet another area for anti-virus companies to protect, and one that Trend Micro concentrates on with its Premium Security product.

“Due to the proliferation of threats, the social media scanner was added,” says Brook Stein, director of product management at Trend Micro. “It will find links that attempt to take people to bad places from Facebook, Google+, Twitter, Pinterest and others and remove them to protect your network. As you scroll through the page, it will tell you which links are safe to click on, just like you see with the search engine results.”

Stein admits that old-style signature-based anti-virus has been outflanked by many advanced threats these days, though it is still necessary to stop the millions of known threats that people run into every day. So anti-virus companies are building defense in depth behind that basic protection and offering it to both consumers and enterprises. “Our defenses first look at the source of the file, preventing users from even going somewhere that hosts known malware,” Stein says. “Then we look at the file itself. After that we monitor its behavior to see if it’s trying to exploit certain programs and use heuristics to detect specific behaviors.”
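The three layers Stein describes (source reputation, then file signature, then behavioral heuristics) can be sketched as a small pipeline that reports which layer stopped a sample. This is an added illustration, not code from Trend Micro or any vendor in the article; the blocked host, the "known" file bytes and the API-call pattern are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed reference data for this example (not real indicators).
KNOWN_SAMPLE = b"MZ...constructed-known-sample..."          # a file that has been signatured
BLOCKED_HOSTS = {"downloads.bad-host.example"}               # layer 1: source reputation
KNOWN_BAD_SHA256 = {sha256(KNOWN_SAMPLE)}                   # layer 2: signatures
INJECTION_PATTERN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")  # layer 3

@dataclass
class Sample:
    source_host: str
    content: bytes
    api_calls: list = field(default_factory=list)   # calls observed while the file ran

def behaves_suspiciously(calls) -> bool:
    """Layer 3: true if INJECTION_PATTERN occurs in order (other calls may sit between)."""
    pos = 0
    for call in calls:
        if call == INJECTION_PATTERN[pos]:
            pos += 1
            if pos == len(INJECTION_PATTERN):
                return True
    return False

def scan(sample: Sample) -> str:
    """Run the layers in order; return the layer that blocked the sample, or 'allowed'."""
    if sample.source_host in BLOCKED_HOSTS:
        return "source"
    if sha256(sample.content) in KNOWN_BAD_SHA256:
        return "signature"
    if behaves_suspiciously(sample.api_calls):
        return "behavior"
    return "allowed"

def demo() -> dict:
    injector = ["CreateFileW", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
    variant = KNOWN_SAMPLE + b"\x00"   # one byte appended: the signature no longer matches
    return {
        "known": scan(Sample("cdn.example", KNOWN_SAMPLE, injector)),       # caught by signature
        "variant": scan(Sample("cdn.example", variant, injector)),          # caught by behavior
        "from_bad_host": scan(Sample("downloads.bad-host.example", b"x", [])),
        "clean": scan(Sample("cdn.example", b"hello", ["CreateFileW", "ReadFile"])),
    }
```

The "variant" case is the article's point in miniature: a trivially modified file slips past the signature layer, and only the behavioral layer behind it catches it.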

Kaspersky Lab is known in the industry for the many reports the company produces. Senior Director of Partner Services for Kaspersky Elliot Zatsky says writing those reports is part of their effort to share security information with partners and even competitors. Many of those reports are penned by their Global Research and Analysis Team, which is charged with going out and finding APTs, dissecting them and then sharing that data with Kaspersky’s Research and Design team. “Anti-virus is evolving, but what makes our software so good is our research,” Zatsky says. “We are able to detect threats as early as possible and understand how they are able to get on and stay on these machines and how we can prevent that from happening, or find and remove them, which is often based on heuristics.”

Kaspersky’s newest anti-virus offering is Total Security, which offers the same core protection as its business software, including real-time protection of PCs, Android phones and iOS devices. Beyond the layered defenses that most companies are deploying these days, Kaspersky also offers the ability to roll back a device to a previous state as a last resort if an infection can’t be defeated by the other layers. “It’s not a full roll-back, but we can roll back files to a pre-infection state,” Zatsky says.

Another innovative feature is a safe money mode, which activates automatically when someone visits an online banking or shopping site. This safe mode drops all browser transactions into a sandbox that makes it impossible for keyloggers to work. In fact, you can’t even capture a screenshot of what is going on while dropped into safe mode. Users can tell that safe mode is engaged because it puts a green border around the screen. Because this mode is highly resource intensive, it only activates when banking or shopping activities are detected.

In addition to layering protection on desktops and laptops, anti-virus companies are making a real effort to protect mobile devices. Blake said that Symantec scans 25,000 new Android apps every single day and maintains a database of over 13 million, including 3 million malicious apps that could harm devices that install them. Beyond malware, Symantec looks for poorly programmed apps that do things like leak private data, use too much battery power or spike data usage, and lets users know the dangers of installing or continuing to use those programs.

Most anti-virus companies interviewed have also added anti-theft protection for Android and iOS devices as part of their overall security package. This includes things like real-time GPS tracking of lost or stolen phones, secret “mug-shot” recordings of unauthorized users, and lock-out, alarm or data-wiping modes.

Finally, most officials said that anti-virus companies were hard pressed to change user behavior, which makes things like phishing campaigns some of the most successful attack types. ESET is trying to change that by offering user education as part of their security package. “Within the user interface there is an option to go into the education module,” says ESET’s Chen. “We try to make it fun, with users creating superheroes and trying to save their city from cyber-attacks. Along the way they learn what the proper actions to take are to protect themselves from phishing and other dangers.”

Chen says that adoption and use of the new educational module varies by platform, with iOS users embracing the training with almost 50% participation. Ten percent of Windows users also used the program, with Android users bringing up the rear with only 5% participation. Regardless of platform, Chen believes that helping to educate users on how to protect themselves is a noble goal that will ultimately lead to better cybersecurity.

Even though the successes of advanced threats are getting a lot of publicity these days, anti-virus companies are not giving up the field to them. Layering protection to catch threats at various stages of deployment, offering the same level of protection to business, consumer and enterprise customers, consolidating packages, extending protection to mobile devices and even educating users about security are all efforts to give defenders a leg up over the bad guys.

John Breeden is an award-winning reviewer and public speaker with over 20 years of experience. He is currently the CEO of the Tech Writers Bureau, a group of influential journalists and writers who work in government and other circles. He can be reached