Advice for security decision makers contemplating the value of Antivirus
Over the last 12 months there has been an increasing amount of analysis on the effectiveness of desktop AntiVirus and its ability to detect and stop the reality of targeted attacks (I refuse to use the APT banner). This critique has been covered in pieces such as:
- The death of antivirus software (Infosec Island, January 2012)
- Is the death knell sounding for traditional antivirus? (Tech Republic 2012)
- Is the era of anti-virus over? (SC Magazine, November 2012)
- Antivirus systems fail to detect unknown viruses, study shows (Computer Weekly, December 2012)
- The demise of desktop antivirus (IOActive, January 2013)
These analyses are based on a growing body of research coming out of academic institutions such as Georgia Tech and The Technion – Israeli Institute of Technology.
Ironically before the most recent hoopla around the joint Imperva / The Technion – Israeli Institute of Technology research we had started work on a paper in October 2012 titled:
‘The Demise in Effectiveness of Signature and Heuristic Based Antivirus: “Or has the death of AV been wildly exaggerated?”‘
We had set out to show where, how and why certain types of AV are failing organisations in detail. We also looked to provide practical guidance on how to address the risks if organisations decide AV is no longer worth their investment.
This post is to announce the availability of this paper.
In the paper we provide a detailed analysis of the challenges faced by signature based AV. We also discuss how software security products such as AV can actually introduce vulnerabilities into the systems they’re designed to protect. Additionally we also cover in detail why mobile AV can in some guises be seen as snake oil.
In the second half of the paper we outline practical defense and prevention strategies including whitelisting, threat behaviour detection and data loss prevention and detection.
Published date: 28 January 2013
Written by: Ollie Whitehouse