Advice for security decision makers contemplating the value of Antivirus

Over the last 12 months there has been a growing body of analysis of the effectiveness of desktop antivirus and of its ability to detect and stop real-world targeted attacks (I refuse to use the APT banner). This critique has been covered in pieces such as:

These analyses draw on a growing body of research coming out of academic institutions such as Georgia Tech and the Technion – Israel Institute of Technology.

Ironically, before the most recent hoopla around the joint Imperva / Technion – Israel Institute of Technology research, we had already started work, in October 2012, on a paper titled:

‘The Demise in Effectiveness of Signature and Heuristic Based Antivirus: “Or has the death of AV been wildly exaggerated?”’

We set out to show in detail where, how and why certain types of AV are failing organisations. We also aimed to provide practical guidance on how to address the resulting risks if an organisation decides AV is no longer worth its investment.

This post is to announce the availability of this paper.

In the paper we provide a detailed analysis of the challenges faced by signature-based AV. We also discuss how software security products such as AV can themselves introduce vulnerabilities into the systems they are designed to protect, since they run with high privilege and parse hostile input. Additionally, we cover in detail why mobile AV can, in some guises, be regarded as snake oil.

In the second half of the paper we outline practical defence and prevention strategies, including application whitelisting, threat behaviour detection, and data loss prevention and detection.
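As an added illustration of the two points above (it is not code from the paper or from this post), the following Python models a signature-based scanner next to a hash-based application whitelist. The "malware" sample, the signature, the one-byte XOR "packer" and the known-good binary are all constructed for the example; the function names are mine. It shows that trivially re-encoding a sample on disk defeats a fixed byte signature, while a whitelist keeps blocking anything that has not been explicitly approved, because it never needs to recognise the bad sample at all.

```python
import hashlib
import re

# Constructed stand-in for a malicious executable (NOT real malware).
ORIGINAL_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 16 + b"evil_marker_0xDEADBEEF" + b"\x00" * 16

# Constructed stand-in for a known-good, approved binary.
KNOWN_GOOD = b"MZ\x90\x00" + b"\x00" * 16 + b"trusted_vendor_tool" + b"\x00" * 16

# A signature as a vendor might extract it from the sample: a fixed byte pattern.
SIGNATURE = re.compile(rb"evil_marker_0xDEADBEEF")

# Whitelist keyed on SHA-256 of the approved binaries (assumed management process).
ALLOWLIST = {hashlib.sha256(KNOWN_GOOD).hexdigest()}


def signature_scan(data: bytes) -> bool:
    """Signature-based detection: True if the known byte pattern is present."""
    return SIGNATURE.search(data) is not None


def repack(payload: bytes, key: int) -> bytes:
    """Toy packer: XOR the body with a non-zero one-byte key behind a small header.

    Any real packer or crypter changes the on-disk bytes in the same spirit,
    which is enough to break an exact-match signature.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte, otherwise nothing changes")
    return b"PACK" + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob: bytes) -> bytes:
    """Reverse repack(); this is what the stub inside a packed binary does at run time."""
    if not blob.startswith(b"PACK") or len(blob) < 5:
        raise ValueError("not a PACK blob")
    key = blob[4]
    return bytes(b ^ key for b in blob[5:])


def allowlist_permits(data: bytes) -> bool:
    """Application whitelisting: execution is allowed only for pre-approved hashes."""
    return hashlib.sha256(data).hexdigest() in ALLOWLIST


def evaluate(sample: bytes) -> dict:
    """Run both controls over one sample and report what each would do."""
    return {
        "signature_hit": signature_scan(sample),
        "execution_allowed": allowlist_permits(sample),
    }


if __name__ == "__main__":
    packed = repack(ORIGINAL_PAYLOAD, 0x5A)
    print("original :", evaluate(ORIGINAL_PAYLOAD))
    print("repacked :", evaluate(packed))
    print("known good:", evaluate(KNOWN_GOOD))
    # An AV engine only catches the repacked sample if it can emulate this
    # specific unpacker and scan the result; a new packer resets the clock.
    print("after unpack:", signature_scan(unpack(packed)))
```

The whitelist result is the point worth noticing: the repacked sample is refused not because it was recognised but because it was never approved, so the attacker gains nothing from re-encoding. The cost moves to maintaining the allowlist, which is why the paper treats whitelisting as a strategy with its own operational overhead rather than a drop-in replacement.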

Published date: 28 January 2013

Written by: Ollie Whitehouse