Patrick Lambert looks at the shortcomings of antivirus solutions and takes a practical look at what you can expect to get out of them.
If your company or business is anything like most, each computer is likely to run an enterprise antivirus solution, something that costs a significant amount of money each year. But do you know if that antivirus is worth it? How can you test something like that, and would those tests have any meaning in a real-world situation? Finally, how easy is it to make a worm or trojan that bypasses all that expensive security software? The sad truth is that these are very hard questions to answer, and a lot of what we're told when we shop around for security solutions is rumor and statistics. Because worms and viruses evolve on a daily basis, and new types of malware are introduced constantly, it's extremely hard to properly test an antivirus solution, and anything you throw at your own system to see whether your security works is already last year's threat model.
How antivirus has evolved
It used to be that antivirus software was a very basic solution: a simple program that ran in the background and scanned every file on the system on a scheduled basis. Right away, malware authors found a large number of ways to bypass this type of security, and it took years for antivirus to become anything close to robust. It was trivial to get onto a system because, back then, there was no real-time protection, so the ability to scan emails and downloads was added by all the security software vendors. There were also many ways to simply disable or remove antivirus software, and malware authors exploited those for a long time. Now, any modern security software employs multiple methods to make sure this doesn't happen. Finally, the hardest problem to overcome was that in order to find a virus, the antivirus needed a signature for that specific threat. Since new malware is being written all the time, that was a huge problem.
Thankfully, one of the biggest advances in antivirus technology was the introduction of heuristic scans. This is something most modern security vendors offer, and it is a way for your antivirus to detect new threats even if it has never seen them before. Heuristics simply means that the software looks at behavior and other factors to decide whether something is malware or not. Unfortunately, it's not perfect. You may have heard about some recent cases where security software flagged itself, or even important Windows files, as malware. This is where heuristics go wrong. But for the most part, it's a good technology that does more good than harm.
Don't expect miracles
There's little doubt that security software can and does block a lot of the bad stuff that comes in from the Internet, but the big question is: how much of it will it catch? The truth that many vendors don't want to admit is that it's a race. It has always been a race between the security vendors and the malware authors, and while many would claim it's almost won, the fact is the opposite. The reason antivirus software is so often on the losing end of this race is that malware is no longer the domain of sophisticated hackers. Now there are kits available for anyone to download, and those kits are constantly updated to evade security solutions. In fact, a security researcher at the InfoSec Institute wanted to know just how simple it was to avoid modern-day security, and he found that it's trivial. Researcher Soufiane Tahiri wrote a simple piece of assembly code, using knowledge he already had from working in the computer security field, and managed to produce a piece of malware that avoided the five most well known antivirus vendors. So when we heard earlier this year that security software had completely missed the high-profile Flame worm because it used clever techniques, it really wasn't much of a surprise. If a single researcher can do it in his spare time, then obviously your antivirus has no chance against any kind of serious spear phishing, much less against enemies with deep pockets.
So the takeaway is that all the antivirus tests performed on a regular basis are meaningless. The point of any of these solutions is to block the lowest common denominator: the malware that's old and lingering on the Internet, trying to get in. For that, it does a good job, so you don't have to compare each solution with a fine-tooth comb. But don't expect miracles. In fact, if you administer a large, high-profile network, this may not be news to you. Any kind of direct, targeted attack is unlikely to be detected. And this is why security is never about using a single product. Computer and network security is done in layers, using firewalls, intrusion detection and prevention systems, trained IT administrators, and good policies. Your antivirus is just one piece of a larger puzzle. So in the end, is it worth spending a large amount of money on an enterprise solution? Some people spend thousands of dollars on this, while others simply use the free Microsoft security software. Is there any real-world way to tell whether the price difference is worth anything at all? Probably not.
What is your antivirus strategy these days at your organization?