Antiviral software isn’t doing the job

In a sensational quote to the WSJ weeks ago, a Symantec official declared anti-virus to be dead. Well, it’s about time. Antivirus has been kept on artificial life support for too long now and it’s finally been put out of its misery.

Twenty-five years ago anti-virus was an emerging technology. It was basically software that looked for string patterns within computer files that had been identified as belonging to a previously analysed “virus”. Many did not believe it was necessary, and some even speculated that the sporadic viruses (as malware was called at the time) that surfaced from time to time were actually created and magically distributed by the new startup companies that were trying to push AV technologies.

Those trying to avoid the unnecessary expense of a strange technology said that by using a calendar of expected virus outbreaks (which they obtained from an obscure BBS) they could avoid the potential damage by just turning off their computers on certain days. Soon enough, though, everyone had to acknowledge that AV was in fact the best technology at hand to avoid the damage caused by malware, whether (almost) harmless pranks like Ping Pong or more serious BIOS-obliterating programs like CIH.

Believe it or not, the first AV updates were pushed to customers on physical media through standard (non-“e-”) mail.

Twenty or so years have passed: enterprise computers are all connected to enterprise networks, enterprise networks are all connected to one another through the Internet, and lo-and-behold there are those sneaky devices that constantly jump from one network to another (we fondly call them mobile devices and BYOD).

AV solutions have adapted to many of these changes over the years. Vendors are now able to process huge numbers of files and almost automatically extract the distinguishing patterns that will become part of the next AV signature update. Pattern matching engines have become more powerful (to accommodate the larger set of patterns) and more complex (to look inside different file formats, such as compressed archives).

But at its core the technology remains the same – looking for string patterns of previously observed software that was somehow identified as malware.
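To make the mechanism concrete, here is an added illustration that is not part of the original post: a minimal string-pattern scanner of the kind described above, run over a constructed corpus of four fake “samples”. The signature names, byte patterns and sample contents are all made up; the point it shows is that a sample can only be detected once a signature derived from it has shipped, so coverage lags behind whatever was first seen this week.

```python
"""Minimal signature (string-pattern) scanner, added as an illustration.
All signatures and sample bytes below are constructed for the demo;
none of it is real malware or a real vendor's signature format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # label the vendor assigns to the family (made up here)
    pattern: bytes  # byte string lifted from a previously analysed sample


def scan(data: bytes, signatures: list[Signature]) -> list[str]:
    """Return the names of every signature whose byte pattern occurs in data.
    This is the whole detection model: substring search against a fixed list."""
    return [s.name for s in signatures if s.pattern in data]


def detection_rate(corpus: dict[str, bytes], signatures: list[Signature]) -> float:
    """Fraction of samples in the corpus that match at least one signature."""
    if not corpus:
        return 0.0
    hits = sum(1 for data in corpus.values() if scan(data, signatures))
    return hits / len(corpus)


def add_signature(signatures: list[Signature], name: str, pattern: bytes) -> list[Signature]:
    """Model a weekly update: a sample has now been analysed and a pattern
    extracted from it is appended to the signature set (returns a new list)."""
    return signatures + [Signature(name, pattern)]


# Constructed corpus: a fixed set of samples, as in the study described in the text.
# Each carries a distinct marker string so that one signature matches exactly one sample.
CORPUS = {
    "sample-1.bin": b"MZ\x90\x00" + b"demo-family-one marker" + b"\x00" * 8,
    "sample-2.bin": b"MZ\x90\x00" + b"demo-family-two marker" + b"\x00" * 8,
    "sample-3.bin": b"MZ\x90\x00" + b"demo-family-three marker" + b"\x00" * 8,
    "sample-4.bin": b"MZ\x90\x00" + b"demo-family-four marker" + b"\x00" * 8,
}

# Signature set as it stands in week 1: only samples already analysed have patterns.
WEEK1_SIGNATURES = [
    Signature("Demo.One", b"demo-family-one marker"),
    Signature("Demo.Two", b"demo-family-two marker"),
]


def simulate_weeks() -> list[float]:
    """Re-scan the same corpus each week as the signature set catches up.
    Returns the detection rate per week: [week1, week2, week3]."""
    sigs = WEEK1_SIGNATURES
    rates = [detection_rate(CORPUS, sigs)]
    # Week 2 update: sample-3 has been analysed and gets a signature.
    sigs = add_signature(sigs, "Demo.Three", b"demo-family-three marker")
    rates.append(detection_rate(CORPUS, sigs))
    # Week 3 update: sample-4 follows.
    sigs = add_signature(sigs, "Demo.Four", b"demo-family-four marker")
    rates.append(detection_rate(CORPUS, sigs))
    return rates


if __name__ == "__main__":
    for week, rate in enumerate(simulate_weeks(), start=1):
        print(f"week {week}: {rate:.0%} of corpus detected")
```

Running it prints 50%, 75% and 100% for the three simulated weeks. The corpus never changes; only the signature list grows, which is exactly the dynamic the study below measures. A sample that is never submitted to the vendor, or that is used only once, never gets a pattern and stays at 0% however many weeks pass.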

In a simple study we performed in the second half of 2012, we tested the ability of 40 different AV solutions to detect a random set of malware samples collected from random places around the web. We repeated the experiment with the same set of samples on a weekly basis for 6 weeks.

The results were depressing for anyone who relied on AV as the primary protection for enterprise data. Only one of the products was able to detect all samples AFTER 6 weeks. None of them detected all samples in the first week. The other parameters we measured in the study only added to this dismaying picture. It turned out that AV software was simply not adapting to the change in the threat model.

AV technology was effective in a world where virus coding was the practice of a few, most malware relied on self-replication within networks and most infections were spread through physical interaction. It was crucial for a computing model that was end-point centric – where the most valuable data always resided on a user’s workstation.

Today’s threat landscape is quite different. Malware variants are generated ad hoc by programs and servers all over the world, and distribution is achieved mostly through infected hosts or through email messages. Attackers almost never use the same malware sample twice, so its signature becomes useless at the very moment it is created – which is usually hours or days after infections have already occurred. However, this is not the saddest thing that could happen to AV software. BYOD is, and the unmanaged end-point is. If it wasn’t bad enough that AV software has lost its effectiveness for managed devices, it has (inherently) no value for unmanaged devices connected to your network. In a threat landscape where most of your valuable assets are not tied to a specific end-point but rather stored in your data center – physical or virtual – a solution that does not affect the threat coming from unmanaged devices has reduced effectiveness.

Modern security solutions operate on the assumption that some end-points within the organization’s network have already been compromised by malware. Some try to identify infected machines within the network, and some try to mitigate the effect of such a compromise by closely protecting the data repositories. At times, such solutions even interact with one another in order to isolate infected machines from sensitive data repositories quickly and effectively.

AV has served us well for 20 years, but it’s time to say goodbye and move on. Enterprises must repurpose much of their AV budgets into a modern solution.

Written by Amichai Shulman, chief technology officer of Imperva, and originally published on