Why Anti-Virus Is Not Dead (Again)

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

If even anti-virus detractors like FireEye use the technology, it must be very much alive. Tom Brewster takes its temperature.

Another year, another debate over whether anti-virus’ demise is imminent. This time, a surprising voice joined the anti-AV crew: Symantec, one of the world’s biggest anti-virus sellers. It said that whilst the technology still had a place in stopping some threats, it wasn’t going to be a money maker anymore (despite the fact 40 percent of Symantec’s revenue comes from anti-virus).

Others soon gleefully waded in to declare that AV has indeed been dying for some time and is very nearly a goner. One of them was FireEye, one of the fastest-growing security companies around, which has been banging the “AV is dead” drum since it was founded.

Anti-virus lives – FireEye uses it

There is some irony here: FireEye actually uses a basic open source anti-virus package in its offering, ClamAV. It’s used for “static analysis of objects in the engine to do early detection typically for crimeware”, says FireEye product strategy exec Jason Steer. That basically means FireEye uses AV in the traditional way: to stop pieces of malware, even if it misses a lot of the modern threats swimming around the Internet.

Steer told us over email that it works “approximately 15 percent of the time”. So even the most rudimentary AV does work to some extent, even according to one of the technology’s chief detractors.

Many so-called “advanced threat detection” firms likely use some kind of signature-based anti-virus tools, says Simon Edwards, technical director of Dennis Technology Labs, an independent testing facility. “And why not? We’ve seen a file appear on Fred’s PC and we can take a signature of that and search the other files on the network for other copies. That makes a lot of sense and does not sound like dead or obsolete,” he adds.

The likes of FireEye are laying into this signature approach as it only finds malicious kit after the fact. But no respectable AV firm is using solely signature-based detection anyway. That includes Symantec, McAfee, Kaspersky, the whole anti-virus crew.

“Anti-malware products that use only signatures of known malicious files are very limited and that’s why no decent AV product works that way. They all have additional protection layers to support this most basic function,” adds Edwards.

“It would be rather remiss to omit the signature system (you’d risk ignoring well-known malicious files, which seems rather silly), but to rely on it is clearly a bad idea.

“That’s what the ‘AV is dead’ line always comes down to. It should really be: ‘AV products that rely solely on signatures are relatively useless in isolation’.”
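The two points above, the hash-and-sweep use of signatures that Edwards describes (“take a signature of that and search the other files on the network for other copies”) and his caveat that a product relying on signatures alone is “relatively useless in isolation”, can be shown in a few lines of Python. This is an added example, not code from the article, FireEye, ClamAV or Dennis Technology Labs. Everything in it is constructed: the “known bad” sample, its hash and the byte pattern are placeholders standing in for real signatures, and the directory tree stands in for “the other files on the network”.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the file that "appeared on Fred's PC" (not real
# malware): the bytes a signature would be taken from.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00CONSTRUCTED-BAD-MARKER\x00" + bytes(range(64))

# Layer 1: exact-file signatures, here the SHA-256 of the sample.
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}

# Layer 2: a byte-pattern signature (constructed), which survives small edits
# to the file that would change its hash. This is the kind of "additional
# protection layer" that keeps a product from being signature-only.
BYTE_PATTERNS = (b"CONSTRUCTED-BAD-MARKER",)


def sha256_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_file(path, layers=("hash", "pattern")):
    """Return 'hash-match', 'pattern-match' or 'clean' for one file.

    The hash layer only catches byte-for-byte copies of a known file; the
    pattern layer also catches trivially modified variants.
    """
    if "hash" in layers and sha256_of(path) in KNOWN_BAD_HASHES:
        return "hash-match"
    if "pattern" in layers:
        with open(path, "rb") as fh:
            data = fh.read()
        if any(pattern in data for pattern in BYTE_PATTERNS):
            return "pattern-match"
    return "clean"


def sweep(root, layers=("hash", "pattern")):
    """Scan every file under root; returns [(path, verdict), ...] in name order."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            findings.append((path, scan_file(path, layers)))
    return findings


def build_demo_tree():
    """Write a constructed tree: an exact copy of the known-bad sample, a
    variant with one byte appended, and a clean file. Returns the root dir."""
    root = tempfile.mkdtemp(prefix="av_demo_")
    variant = KNOWN_BAD_SAMPLE + b"\x00"  # new hash, same embedded marker
    files = {
        "copy.bin": KNOWN_BAD_SAMPLE,
        "variant.bin": variant,
        "notes.txt": b"quarterly report, nothing to see here\n",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, verdict in sweep(demo_root):
        print(f"{verdict:14} {path}")
    # Hash-only scanning misses the variant: the limitation Edwards describes.
    variant_path = os.path.join(demo_root, "variant.bin")
    print("hash-only verdict on variant:", scan_file(variant_path, layers=("hash",)))
```

Run as a script, the full sweep flags `copy.bin` by hash and `variant.bin` by pattern and leaves `notes.txt` alone, while the hash-only pass at the end reports the variant as clean. That gap between the two runs is exactly why Edwards says a product that relies solely on signatures is useless in isolation, and why a hash lookup is still worth keeping as the cheap first layer.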

Anti-virus seems to stop rather a lot of malware anyway, says Edwards. Whilst few products are 100 percent effective, the best products stop in excess of 90 percent of threats, according to Dennis Technology Labs tests. “Again, that does not sound like dead or obsolete.”

And what of consumers? What else can they rely on to protect them from nasty threats like ransomware? Anti-virus appears to be the only viable option.

“Have you ever tried even the most basic parental control software? It’s very labour-intensive to use in the real world,” Edwards adds.

“So anti-malware-based products are clearly one of the few options available for consumers and, as long as those products are not entirely signature-based, they should do a reasonable job of protecting people. They will be better than nothing, at least, which, again, does not sound like dead or obsolete.”

Anti-virus is very much alive then. It’s just not as good at its job as users would like it to be.
