
Symantec recently made a loud statement that antivirus is dead (http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj) and that they don't really consider it to be a source of profit. Some companies said the same afterwards; some others suggested that Symantec just wants a bit of free media attention. Some companies just silently recommend using advanced information protection, and the press is full of data on antivirus efficiency being quite low. A notable example would be the Zeus banking Trojan and how only 40% of its versions can be stopped by antiviruses (http://www.bankinfosecurity.eu/banking-malware-new-challenger-to-zeus-a-7006/p-2). The arms race between protection and malware developers is probably not going to stop, so this situation will remain.

On the other hand, nobody had been thinking too much of antivirus for a long time already, so it's hardly surprising. It's not a panacea; the only question that remains is how exactly antivirus should operate in modern security solutions. Should it be one of the key parts of a protection solution, or should it be reduced to protection against only the easiest and already well-known threats?

It's not only about dealing with threats; there are also performance concerns. Processors get better and interaction with hard drives becomes faster, but at the same time antiviruses require more and more of that power. Real-time file scanning, constant updates and regular checks on the whole system only mean one thing: as long as the antivirus is thorough, productivity while using the computer goes down severely. And this situation is not going to change, ever, so we have to deal with it.

But how exactly? Is the massive migration of everything, from workstations to automatic control systems in industry, even possible? Or maybe using whitelisting protection on Windows-based machines is the answer? Or should we all just sit and hope for Microsoft to give us a new Windows with good integrated protection, like Windows 8 is stated to have? Any other ways to deal with it?

Safensoft
  • Interesting question. I think antiviruses are overrated. It's easy for the virus developer to check if their virus can avoid all mainstream antiviruses, but the reverse is not true, since the antivirus developer doesn't know every single virus out there. The best use of an antivirus is probably to warn you when your system gets infected that you need to wipe everything and restart from scratch. – Gudradain Aug 20 '14 at 13:13
  • The only point of having an AV is to avoid claims that you were negligent by not having one, i.e. it's CYA security. – CodesInChaos Aug 20 '14 at 13:36
  • AVs do significantly reduce the damage done by viruses, just none of the dangerous, cutting-edge ones - similar to how a flu shot will help avoid people getting the flu, but they may still get colds, and it does nothing to stop Ebola. It's not even close to 100% effective, but that does not mean that it's a bad thing to use either. – user2813274 Aug 20 '14 at 18:15

2 Answers


This is kind of an opinionated question. I also think antiviruses are overrated, but it's an interesting topic.

I think that malware/virus behavior is where things will go. Creating signatures based on behavior rather than the binary itself. So I think some kind of analytics will be the way antiviruses will go, whether it be in the cloud or not.

Essentially automating malware analysis by doing analytics on registry accesses, function calls, system file accesses. Obviously this would take a lot of processing power if you're doing live scans. So whether nightly logs of these get uploaded to a cloud for analysis, or you just have a ridiculous machine and run it anyway it'd be an interesting metric. I'm not sure how much of this is going on in current antivirus software, and if it is please comment and let me know.

But signatures based on binaries are pointless in the ever-changing/obfuscating malware world. Looking for common behavior patterns is an interesting topic to go down.

RoraΖ
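The behaviour-analytics idea in this answer (scoring a process by its logged registry, file, API-call and network activity instead of by a hash of the binary), as an added example that is not part of the original answer or of any product; the `pid|kind|detail` event format, the rule names, weights, threshold and the sample log are all constructed for the demo.

```python
"""Toy behaviour-based detector: scores a process by patterns in its logged
registry, file, API-call and network events rather than by file hashes."""
import re
from collections import defaultdict

# Rules: (name, weight, predicate over an event's kind and detail). Names, weights and patterns are hypothetical.
RULES = [
    ("persistence_run_key", 3,
     lambda k, d: k == "reg_write" and re.search(r"\\CurrentVersion\\Run\\", d, re.I)),
    ("drop_in_temp", 2,
     lambda k, d: k == "file_write" and re.search(r"\\Temp\\[^\\]+\.exe$", d, re.I)),
    ("raw_ip_beacon", 2,
     lambda k, d: k == "net_connect" and re.match(r"\d+\.\d+\.\d+\.\d+:\d+$", d)),
    ("memory_injection", 4,
     lambda k, d: k == "api_call" and d.startswith(("WriteProcessMemory(", "CreateRemoteThread("))),
]
THRESHOLD = 6  # hypothetical: total weight at which a process is flagged

def parse_event(line):
    """'pid|kind|detail' -> (pid, kind, detail); None for malformed lines."""
    parts = line.rstrip("\n").split("|", 2)
    return tuple(parts) if len(parts) == 3 else None

def score_processes(lines):
    """Return {pid: [score, matched rule names]}; each rule counts once per process."""
    hits = defaultdict(lambda: [0, []])
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, kind, detail = ev
        for name, weight, pred in RULES:
            if pred(kind, detail) and name not in hits[pid][1]:
                hits[pid][0] += weight
                hits[pid][1].append(name)
    return dict(hits)

def verdicts(lines):
    """Flag a process only when several weak signals combine past the threshold."""
    return {pid: "suspicious" if score >= THRESHOLD else "benign"
            for pid, (score, _) in score_processes(lines).items()}

# Constructed sample: pid 4242 drops a file, persists and beacons; 1337 is a plain updater.
SAMPLE_LOG = [
    "4242|file_write|C:\\Users\\a\\AppData\\Local\\Temp\\svch0st.exe",
    "4242|reg_write|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svch0st",
    "4242|net_connect|203.0.113.7:8080",
    "1337|file_write|C:\\Users\\a\\AppData\\Local\\Temp\\update.exe",
    "1337|net_connect|updates.example.com:443",
]
```

The point of the threshold is the false-positive trade-off the other answer raises: a single temp-file drop scores 2 and stays benign, while the drop + Run-key + raw-IP chain reaches 7 and is flagged.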

That really depends on what you mean by antivirus. As raz points out in the other answer, signature-based antivirus has long been considered inadequate. These days, antiviruses do both heuristic and behavioural analysis. However, they can only do so much before falling foul of the easily annoyed user. This is more about user experience than performance (I've never had a performance issue caused by an antivirus), but it's easy to see how preventing something from running would annoy the user and eventually cause the user to disable the antivirus. Heuristics, for example, could be far more in-depth without causing significant performance issues, but the false positives this would cause would definitely annoy a user.

Any antivirus is as fallible as any other security product. It's caught up in an arms race against malware, and neither side will ever win except temporarily, and that's the whole point. We can't prevent all possible future attacks, we can only secure our systems against attacks known today. Which is why it's so important to keep your software up to date!

Chris Murray