Antivirus solutions - modern snake oil?
In the IT security scene, the discussion about the effectiveness of anti-virus products is a perennial topic. Most recently, it was spurred on by statements from Robert O'Callahan, a former Mozilla developer, and Justin Schuh, Director of Chrome Security at Google.
They claimed that anti-virus solutions are in many cases a stumbling block in the development of more secure browsers and could possibly even reduce effective security. They referred to Tavis Ormandy, security researcher at Google, who had shortly before discovered security gaps in some anti-virus solutions.
However, the affected vendors patched them so promptly that even Ormandy praised the speed. Nevertheless, O'Callahan went so far in a blog post as to even advise users to uninstall their anti-virus solution!
In addition, numerous "studies" can be found online that purport to prove that signature-based solutions achieve malware detection rates of only 30 to 40 percent and extrapolate that the gain in security is marginal at best.
It is undisputed among security experts that purely signature-based malware detection alone does not provide sufficient protection, especially for interactively operated desktop systems where web surfing and email remain the main infection vectors.
The sheer number and high volatility of malware that is in-the-wild is simply too great. It is also true that simple pattern-matching techniques fail conceptually for complex malware with mutating, polymorphic code.
However, it is also a fact that the majority of malware does not display such a high level of complexity. Furthermore, it does not do justice to security manufacturers if modern virus scan engines are reduced to pure pattern matching.
All vendors have long since enhanced pattern recognition with heuristics, numerous decoders, whitelists and variant detection to such an extent that it is becoming increasingly difficult - though not impossible - for even "custom malware" to remain undetected.
Allow me to use a comparison to show that PR-effective, provocative statements like O'Callahan's do a disservice to ordinary people. It should be clear that a normal cylinder lock will not stop a savvy burglar from breaking into a house.
If, from the burglar's point of view, the prospect of the loot justifies the risk and effort, the said lock will be a hurdle, but one that can be overcome.
However, this fact does not justify dispensing with a door lock. This reduces the effort for the burglar to virtually zero and shifts the effort-benefit calculation for the burglar in favor of the burglary.
In the same way, systems without virus protection become the point of least resistance for attackers and conjure up attacks. Security manufacturers whose products do not meet the requirements of secure software development should in no way be taken to task. Customers must hold the manufacturers accountable here.
With their purchasing decisions, they have considerable leverage to demand improvements and quality from those manufacturers who want to secure their share of the enterprise endpoint security market (according to Forrester, a market volume of $5.9 billion annually by 2021).
Similarly, I don't think signature-based malware detection alone is adequate to comprehensively protect any type of endpoint against malware.
Very much so, however, I believe that modern anti-virus protection must remain an integral part of any serious, multi-layered security strategy for the foreseeable future. These solutions are the only line of defense where malware is not executed, but merely dropped. This means central distribution points in the corporate network that are accessed by numerous internal and external users - such as storage, document management and, last but not least, SAP systems!