Sorry Symantec - Antivirus Is Not Dead

Each time someone reports that antivirus is dead, a hacker gets his wings (and I get furious). With our industries becoming increasingly data-driven, the need to protect our networks, devices, and archives has become more important than ever. In a world of weaponized emails and polymorphic, self-replicating malware, entertaining the idea that endpoint antivirus protection is dead is both ignorant and dangerous.

Image courtesy of Randy Abrams at NSS Labs

Brian Dye, vice president of Symantec and Norton, told The Wall Street Journal that traditional antivirus software is dead because they only detect roughly 45 percent of all attacks, and that of threats detected, most are so dynamic that containing them is too difficult. Furthermore, security provider FireEye was quoted saying, "the function signature based AV serves has become more akin to ghost hunting than threat detection and prevention." Ghost hunting? Really? - C'mon.

Industry Traditions Need Innovation

Yes, we are aware of the new challenges affecting those in the cybersecuity community, but neither I nor anyone at OPSWAT are as defeated as those at Symantec. We know the internet isn't exactly a small space, and that the rate at which mass amounts of data travelling this space is increasing exponentially. This has raised the importance (along with the challenges) of having up-to-date threat detection software. David Harley, senior researcher at ESET, discussed the glory days of anti-malware protection by describing how the:

"Speed of [malware] spreading was restricted by the fact that the internet was a far smaller place, and that restriction also meant that once a malicious program had been identified, an AV customer who diligently updated his antivirus as soon as signatures were available was likely to see his signatures before he saw the malware (if at all)."- Harley (2013).

Today even the most diligent AV customer may still fall victim to malware threats, which can be taken to support Dye's belief that the antivirus industry may be dead. However here at OPSWAT, we aren't so quick to throw in the towel. We agree with Dye up to the point that traditional AV software may be out of pace to keep up with advanced persistent threats (APTs), but we have a new innovative solution- and there's nothing "traditional" about it. Traditional, or stand-alone AV software, lacks the multi-layered protections necessary to keep up with polymorphic threats. Harley reiterated Pierre Vandevenne's (an ex colleague of Harleys) views on the future of AV in his article; Vandevenne says that:

"Traditional stand-alone AV (essentially the scan-detect-protect-clean paradigm) should definitely be dead. Multi-layered protections with web browsing protection, DNS monitoring, in the cloud file checks and heuristics, real time analysis of new and/or infrequent or unique executables (of all kinds) are definitely needed but won't ever reach the near perfect protection levels the AV industry offered at very specific and short lived moments in the history of malware."

Traditional antivirus may be dead, and Dye's pessimism might be alluding to how the industry can no longer market itself on 100% protection, 100% of the time; because perfection is simply no longer a reality for the challenges the cybersecurity industry faces. However, just because no single antivirus software can offer complete perfection, does not mean there are no security solutions available. Utilizing multiple scanning engines, with layers of network check points, can offer the kind of multi-layered protections that both Harley and Vandevenne have prescribed.

New Threats Require New Protections

Truth is, the Internet is still not a safe place (surprised? - didn't think so). What's worse is that it isn't getting any safer. Criminals, as with any crime, will seek out the path of least resistance. They seek out your network's weakest link, manipulate your software, and can rob you blind of highly valuable information. By infiltrating the networks of healthcare facilities or financial institutions, cybercriminals can use the sensitive personal information of your employees, patients, or customers to make themselves a fortune overnight. And with the rise of high-tech exploit kits (crimeware), the bar for being an effective cybercriminal continues to get lower. Crimeware has allowed near novices (maybe even AOL users?) the ability to become cybercriminal "masterminds". Which is why the need to protect all of your network's endpoints has become so important. As long as there are highly valuable sets of data and personal information, you can count on some desperate hacker trying to make a fortune off of it. Hackers of all levels believe that if there's a will, there's a way through your 20th-century windows defender firewall- and they're right.

Now, attacks targeted at big corporations with APTs may make the headlines (Target, Home Depot, Sony and Anthem breaches to name a few), but there's still a vast array of 'everyday' malware out there infecting personal computers. These infections have been spreading, and overall data-theft incidences have increased year by year. IBM just released a study that estimated that over 1 billion data records were leaked in 2014 alone; a significant jump from 2013. An article in Security Week also reported that of those attacks, "the most commonly attacked industries were computer services (28.7%), retail (13%), government (10.7%), education (8%), and financial markets (7.3%)."

These type of infections have continued to spread throughout our home, banking, and healthcare networks, rendering our personal information exposed and up for grabs. The CERT/CC is still tracking these malware breaches for PUAs, which is expected to raise the 2014 infection toll from 8,000 to 30,000. Techtarget attributed this increase in reach, source, and damage to their ability to lay dormant within your network and self-replicate to any desktop, server, mobile device, or printer (yes, even your printer). This has made detecting advanced threats both a high priority and a complex task for any serious network security administrator. In order to detect advanced threats, you need to utilize all of the resources you have at hand. Maintaining control of all devices in your network in order to prevent PUAs from being downloaded is your first line of defense. Our Gears software utilizes advanced multi-scanning technology, and strict endpoint configurations to detect and protect your devices from being another IBM statistic. Our January market share report shows how OPSWAT Gears found that 3.3% of devices contained previously undetected malware and PUAs. Based on this data, it is safe to assume that no single antivirus software can provide complete and comprehensive network security (Okay, so maybe Dye was kind of right). In order to prevent the unwanted spread of malware, all network devices should utilize our multi-scanning technology and endpoint management system to secure each device entering their network.

APT protection is good and necessary for enterprise-level companies, but it shouldn't come at the cost of a well-managed and enforced endpoint security policy. Think of it this way, a brand new luxury car may come with a fancy high-tech alarm that disables the ignition, has GPS tracking, etc. all to deter theft — but the owner will still lock the doors and roll up the windows as a general best practice. APT protection is like the high-tech alarm, while endpoint anti-malware protection is the less-sexy but equally important door locks. I would even argue that locking your doors and rolling up your windows is the most important line of defense against theft. OPSWAT provides these "door locks" for free with our Gears software for up to 25 devices.

Now, anti-malware is much more than just antivirus. Spyware, grayware, exploit kits, and all manner of PUA/PUP can be just as dangerous to an organization. These types of malware seek to phish out valuable user data for their own monetary gain. That is why protecting against viruses alone is only a fraction of what good endpoint anti-malware software can do. Think of it this way, if you went to the doctor for a terrible sinus infection, and you were only given Dayquil, you would only be addressing the surface symptoms and not the problem (problem is you also have a terrible doctor). With anti-malware software, you can zero in on the source of the infections, and protect yourself from future phishing scams by managing your devices in the same way you would enforce your immune system with proper diet and exercise.

Antiphishing precautions across the industry are growing in importance as a response to how advanced malware have become. Phishing scams have often operated under the guise of a fully functional website, with their sole purpose being to extract sensitive personal information such as passwords, usernames, and banking information for monetary gain. This has lead web browsers like IE, Firefox, and Chrome to take these security threats into consideration, as it was leaving their customers completely vulnerable. Today, Google Chrome users will definitely notice the new built-in security features. Chrome has essentially made it so that any known phishing sites are completely blocked unless the user actively goes through and disables the security features altogether (why anyone would do this is completely beyond me).

These features are intended to add an additional layer of defense against endpoint infections from untrustworthy websites, but the fact that a user can disable these functions can be disconcerting for IT admins. With Gears, an IT admin can monitor or enforce that each and every device uses a browser with antiphishing features enabled. Thereby making the browsers themselves another "door lock".

How to Secure Every Device in your Network:

Door locks and medicine may sound simple enough, but how do you secure a car or immune system that isn't yours? Now things get tricky. BYOD policies that allow employees to bring their personal devices like phones, tablets, or laptops to work typically come with a vast array of different anti-malware products installed, in varying states of configuration (as if things weren't tough enough). The more devices and software running through your networks means more variables to control, and this can make it hard for IT admins to secure their network with confidence. With an endpoint management tool like Gears, admins will be able to configure security policies that must be met by any visiting device. With Gears, IT admins can enforce compliance policies, and run full system scans using OPSWAT's Metascan technology. Providing comprehensive, real-time protection for your private office or public network. 90% of the devices included in our market share report had antivirus software that had not run a full system scan within the past week, while 15.1% of that same group had out-of-date virus definitions. Clearly, relying on one antivirus software's scanning features or virus definitions is unwise since no single AV software is capable of detecting all threats. Gears utilizes multiple antivirus and anti-malware services into one cohesive and comprehensive security solution. For IT and security departments that have implemented (or plan to implement) network access control or SSL-VPN endpoint posture controls, they may find that some products on the market lack comprehensive detection of endpoint security software, give vague or incomplete remediation instructions to users, make debugging a hassle for admins, and also lack quality coverage of Mac antivirus products.

OPSWAT Gears is designed specifically to address all of these issues. Gears can replace your appliance's host checker, handle guest and BYOD devices, and be the endpoint agent for agentless solutions like PacketFence. Gears is also cloud-based, so it is always up-to-date and will provide the best possible detection amongst other endpoint anti-malware software. Even if you currently have an endpoint posture assessment program in place, it probably can't find and stop all infected devices. Gears can accomplish this in three unique ways:

  1. Interrogates the installed anti-malware program's entire scan history to see if any threats were found recently, and prescribes security actions to be taken (e.g. quarantined, ignored, deleted, cleaned, etc.)
  2. Inspects the installed anti-malware program's scan history for any repeating threats. For example, one piece of malware may be reported as 'cleaned', but it still appears three times in the last week. It's likely that the anti-malware software has not completely dealt with this persistent threat (or "infection" as we like to say).
  3. Because no antivirus is perfect, Gears performs a daily cloud anti-malware scan with over 40 anti-malware engines, ensuring that all threats are detected as soon as possible.

Are we saying the Gears or any other OPSWAT product is a silver bullet? No. In Infosec, there is no silver bullet, but that doesn't mean you should give up on lead bullets altogether.

To see for yourself how Gears can detect what your "traditional" antivirus didn't, download OPSWAT Gears for free today. With the free version, you can manage up to twenty-five endpoints. Give it a shot, and see whether or not you believe 'antivirus is dead'. After all, what do you have to lose? (Besides your data).

Special thanks to Brian Dye for his near infamous quote that has spawned numerous articles like this one.

Sign up for Blog updates
Get information and insight from the leaders in advanced threat prevention.