I first heard that the antivirus scanner was dead in December 1989. Experts had postulated that the increase in the number of different computer viruses, which at the time numbered almost 200, would quickly outpace the ability of antivirus scanners to keep up.
That seems a laughable prediction now: Antivirus scanners and vendors are adaptable, and they only have limited performance problems even when faced with 50,000 or 100,000 threats. Despite this flexibility, the premature announcement of the death of the antivirus scanner still seems to herald every new malware threat. File executable viruses were going to kill them. Then macro viruses, script viruses, polymorphism, and now root kits.
As a two-decade security veteran, I’ve always chuckled at the thought of antivirus programs becoming useless. Now, I find myself writing about them. Has the end of antivirus scanners’ useful life finally arrived?
Over the last two years, malware has become professional crimeware. No longer coded by kids hoping to impress their friends, crimeware is big business. It’s more sophisticated, hides better, and contains more tricks; instead of one attack vector, it contains ten. The professionals intentionally code their malware programs to escape detection. Often, the latest crimeware bug is nothing but the same old Spybot or Sobig variant malformed just enough to escape antivirus scan detection.
There are several websites — for example, virusscan.jotti.org or www.virustotal.com — where users, rogue and legitimate alike, can submit their malware program to find out which of the top antivirus scanners detect it. These days, most of the malware programs I find go undetected by any of the scanners or, at best, are detected by maybe one out of five.
Several recent studies, including one by Consumer Reports, conclude that antivirus companies aren’t doing a great job in detecting slightly modified malware threats.
The best antivirus program only detected 87% of the newly modified threats; many of the most popular programs were in the 50-to-70-% range. Virustotal reports that only 2% of submitted viruses are detected by all antivirus scanners.
In my experience, the most popular antivirus programs are only about 20% accurate against new threats. I can’t tell you how many times I’ve heard my customers say, “But I’ve got an up-to-date antivirus program!” when I find an infection on their PC. It’s about all I ever hear these days when cleaning up a system after a malware attack.
It’s not as if antivirus programs can’t recognise new threats. Most of them have behavioural checkers (heuristics), but these mechanisms don’t work very well or they minimise behavioural checking or turn it off entirely. Either they aren’t accurate (giving you false negatives) or they cause too many false positives. And when they are turned on, they slow down the user’s system. The end result is that most antivirus scanners are inaccurate at detecting new threats.
Accuracy problems get even worse when other threats are added to the mix. Antivirus companies came late to the antispam and antispyware battlefield, and half a decade later, most still do a poor job defending against those threats.
Aside from becoming less accurate, antivirus scanners are more frequently cited by administrators as a major cause of downtime. They are buggy, often falsely flag common operating system and application files, and frequently contain exploitable holes themselves. Add the predatory nature of their update schemes, and the antivirus industry — whether it realises it or not — is headed for a consumer precipice.
It all begs the question: is the antivirus scanner necessary?
At first, I thought this would be an easy question to answer: it would be crazy to not have an up-to-date anti-virus program running, right? Then it occurred to me — I’ve never used an antivirus program, and neither does my family. In the last two decades we’ve had a single malware infection. Well, two, if you include the Cascade virus that broke out of my virus lab in 1989, but back then my lab was a single, un-networked PC.
You might think that I have an uber-technical family that’s highly aware of malicious programs and that they can easily spot rogue code. You would be wrong. My three teenage daughters are blissfully unaware of anything computer and technical beyond Microsoft Office and instant messaging. When I asked if any of them planned to follow in their father’s footsteps and enter the field of computer technology, you would have thought I told them they were going to be served liver for dinner.
The reality is that I deploy defences that don’t allow malicious code to get to their desktop. I convert all email to plaintext; I block most file attachments and spam; I use perimeter and host-based firewalls. I keep my systems patched, and tightly controlled. I approve all software installs. I harden configurations. That’s it. No secrets.
Despite all this, I’m not sure if antivirus software should be completely removed from a company’s security infrastructure. Scanners are responsible for blocking more threats than any other computer defense program available, and they are great at detecting known threats. For that alone, they are often worth their weight in gold.
Unfortunately, the landscape has changed, and the prevalence of new, undetectable malware is quickly headed toward a tipping point. If antivirus vendors don’t take a serious look at the state of their products as compared to the current threats and build a better mousetrap, it’s clear to me that they won’t last another five years.