Is the bell tolling for desktop antivirus technology?
Some industry analysts say the traditional antivirus method for detecting and eradicating viruses, trojans, spyware and other baneful code by matching it against a signature is “dead”.
They say signature-based checking can’t keep up with the flood of virus variants manufactured by a criminal underworld that is beating the antivirus vendors at their own game. And they’re arguing that it’s time for user organisations to adopt newer approaches, such as whitelisting or behaviour-blocking, to protect desktops and servers.
“It’s the beginning of the end for antivirus,” says Robin Bloor, partner at consulting firm Hurwitz & Associates, who adds he began his “antivirus is dead” campaign a year ago and feels even more strongly about it today. “I’m going to keep beating this drum. The approach antivirus vendors take is completely wrong. The criminals working to release these viruses against computer users are testing against antivirus software. They know what works and how to create variants.”
The fundamental problem “isn’t about viruses, it’s about what should be running on a computer,” Bloor says.
Instead of antivirus software, he says, users should be investing in whitelisting software that prevents viruses from running because it only allows authorised applications to run.
Whitelisting products are available from SecureWave, Bit9, Savant, AppSense and CA. The latter is the first traditional antivirus vendor to see the light, in Bloor’s view.
Others are joining Bloor’s way of thinking. Andrew Jaquith, a security analyst at Yankee Group, recently published a research paper titled Anti-Virus is Dead: Long Live Anti-Malware. Yankee Group’s research indicates there’s an “explosion” in cumulative malware variants, with 220,000 cumulative unique variants expected in 2007, a ten-fold increase over 2002 levels. The antivirus vendors simply can’t keep up, Jaquith says, noting that some antivirus lab managers privately complain that this flood of virus variants, which force signature changes every ten minutes, adds up to the equivalent of a denial-of-service attack against them.
“Most antivirus labs work the same way; they get more samples than they can handle on a daily basis,” Jaquith says. “They triage based on severity. The antivirus people are like folks with nets trying to catch the big fish, so if you’re a bad guy, you want to be a minnow and get through the driftnet.”
The best thing about antivirus signatures is that “they’re accurate and the false positives are very low,” Jaquith says. But the purpose in writing the Anti-Virus is Dead paper is to “bust everybody’s bubble that this stuff is keeping people safe and the notion it will solve your malware problem.”
Jaquith says he’s enthusiastic about behaviour-blocker technology incorporated in Sana Security’s Primary Response or Prevx’s Prevx1.
Behaviour-blocking antimalware software works by observing the behaviour of applications running in memory, and blocking those deemed harmful. Sana Security CEO Don Listwin says Primary Response looks at 226 software characteristics deemed to be bad behaviour and stops code trying to execute.
“We indict them and take them out,” Listwin says. But he acknowledges there can be false positives, adding that antivirus scanning is “complementary” to what Sana Security provides in behaviour-blocking.
Not all analysts are ready to jump on the antivirus-is-dead bandwagon, however.
“Antiviral on the desktop is certainly still a must have, though mostly as a removal tool,” says Gartner analyst John Pescatore. He says his firm advises clients to buy antivirus integrated with some host-based intrusion-prevention system (IPS), noting that McAfee, Symantec and others have started adding IPS to block malware where signatures don’t exist.
If antivirus is dead, the question is when to hold the funeral.
Jaquith’s Yankee Group paper points out that “antivirus products enjoy a privileged position in enterprise budgets” and “no other security product boasts nearly 100% penetration.”
Research firm IDC estimates the antivirus market today accounts for US$2.1 billion (NZ$2.8 billion) on the consumer side and US$3.1 billion for the enterprise. That’s expected to grow to US$3 billion and US$4.5 billion respectively by 2010.
While traditional antivirus vendors are willing to acknowledge there could be improvements, they are somewhat taken aback to hear industry analysts proclaim antivirus is dead.
“That’s a bit radical,” says John Maddison, general manager of Trend Micro’s network security services group. Trend Micro has no immediate plans to adopt whitelisting or behaviour-blocking, he says. It is innovating with what it calls reputation services to check IP addresses and email to determine if incoming code originated at a reputable source.
“If you asked people to give up antivirus, you’d find few that would do that,” Maddison says.
Many corporate security managers concur.
“I wouldn’t let go of our signature-based control,” says Doug Sweetman, senior technology officer in corporate information security at financial services provider State Street, who says the company has licences with five antivirus vendors because the competition is beneficial during negotiation time. But he adds: “It’s a commodity”.
Sweetman also says State Street has embarked upon a “desktop lockdown” that will not allow unauthorised applications on employee computers to run.
Kathy Larkin, director of information security at Prudential Financial, says she doesn’t find the argument that desktop antivirus is dead to be convincing. “I think antivirus is worthwhile and will be around for a long time.”
However, some antivirus vendors, when asked how long it takes to turn around a virus signature, acknowledge it’s tricky.
“It takes two to four hours to turn around a signature for a severe rating,” says Brian Foster, Symantec’s senior director of product management. He adds that he can’t say how long it might take for anything else. The majority of antivirus malicious code tracked by Symantec is variants “where someone has tweaked it, changed the payload,” Foster says.
While Symantec’s antivirus software can catch and stop variants through heuristics, a signature is needed to eradicate the specific variant code from the machine.
Foster says Symantec is adapting by incorporating new technologies, such as IPS, into its products and notes the antivirus products of the future will be working through far more than signature-based eradication.
Yankee Group’s Jaquith is ready to give credit where he thinks it’s due, and his paper cites McAfee and Symantec as traditional antivirus vendors that are moving to augment signatures with adjunct technologies that include behaviour-blocking.
While most network executives probably wouldn’t be willing to jettison traditional antivirus software for alternatives such as whitelisting or behaviour-blocking, there’s evidence a few are taking the plunge.
“There is that thought that you still need antivirus and it’s something you should have,” says Brent Rickels, senior vice president at First National Bank of Bosque County in Texas. “It’s been around so long but it’s no longer adequate in this fast-changing world.”
The bank, which has about 6,000 customer accounts, still uses gateway-based antivirus filtering and restricts web surfing among employees to reduce the risk of downloading malware.
But the bank jettisoned its Symantec desktop antivirus about a year ago in favour of SecureWave’s Sanctuary product for the desktop, which Rickels says is less expensive.
“It builds a whitelist of [Dynamic Link Library] files allowed to run, and if it hasn’t authorised the file, it won’t run,” Rickels says. The only downside he has found in using it for more than a year is that it takes administrative time to adjust the Sanctuary software to recognise the proprietary bank applications or software patch updates from Microsoft.
But Rickels says the tradeoff is worth it. “We go through those drills, but I can control that versus the unknown of viruses. Signature-based antivirus is like using a shield with holes in it.”
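The contrast the article draws, signatures that miss a “tweaked” variant versus a default-deny whitelist that blocks anything not pre-approved (and needs re-approval after a patch), as an added illustration that is not code from any vendor or product named above. The byte strings standing in for executables, the signature pattern and the “approve” step are all constructed for the example.

```python
import hashlib
from typing import Optional

# Constructed stand-ins for executable images (plain byte strings, not real code).
TRUSTED_APP = b"MZ|bank-teller-app|v1.0|open_account;post_ledger"
TRUSTED_APP_PATCHED = b"MZ|bank-teller-app|v1.1|open_account;post_ledger;fix"
MALWARE = b"MZ|dropper|PAYLOAD:wipe_docs|beacon:example.invalid"
MALWARE_VARIANT = b"MZ|dropper|PAYLOAD:wipe_mail|beacon:example.invalid"  # payload tweaked

# Signature scanner: one known-bad byte pattern per named family (constructed).
SIGNATURES = {"Trojan.Constructed.A": b"PAYLOAD:wipe_docs"}


def signature_scan(image: bytes) -> Optional[str]:
    """Return the name of the first signature found in the image, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in image:
            return name
    return None


def fingerprint(image: bytes) -> str:
    """SHA-256 of the whole image; any byte change yields a different value."""
    return hashlib.sha256(image).hexdigest()


# Allow list: fingerprints of every image an administrator has approved.
ALLOWLIST = {fingerprint(TRUSTED_APP)}


def allowlist_permits(image: bytes, allowlist: set = ALLOWLIST) -> bool:
    """Default deny: only an exact, pre-approved image may run."""
    return fingerprint(image) in allowlist


def approve(image: bytes, allowlist: set = ALLOWLIST) -> None:
    """The administrative step Rickels describes: re-approve after a patch."""
    allowlist.add(fingerprint(image))


def verdicts(image: bytes) -> dict:
    """Run both controls on one image so the outcomes can be compared."""
    return {
        "signature_hit": signature_scan(image),
        "allowlist_permits": allowlist_permits(image),
    }
```

The variant defeats the signature but is still refused by the allow list; the patched trusted application is likewise refused until an administrator approves its new fingerprint.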