Antivirus is 'completely wasted money': Cisco CSO

Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don't work, according to Cisco's chief security officer John Stewart.

Speaking at the AusCERT 2008 conference in the Gold Coast yesterday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure.

"If patching and antivirus is where I spend my money, and I'm still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user's data and I still have to reinstall it, the entire cost equation of that is a waste.

"It's completely wasted money," Stewart told delegates.

He said infections have become so common that most companies have learned to live with them.

"There are too many companies in the world that actually believe infection is just a cost of doing business and are getting used to doing it — as opposed to stopping it completely. That's dangerous," he said.

A better way of dealing with the unknown is to use whitelists — where only authorised or approved software can execute, said Stewart.

"I'm sick of blacklisted stuff. I've got to go for whitelisted stuff — I know what that is because I put it there," he said.

Security software vendors did not agree.

Gavin Struthers, regional director for McAfee Australia and New Zealand, said that although installing antivirus and updating patches are not a perfect solution, they certainly aren't a waste.

"I disagree that it is a complete waste of money... Against today's sophisticated attacks, antivirus and patching won't stop these threats, so you need a layered approach and defence in depth," he told

Chris Thomas, technology specialist for CA's Internet Security business unit, said that antivirus alone did not provide enough protection.

"It's not a complete waste of money. If it's the only level of protection that someone has, it's probably not going to be enough. The arms race between the malware writers and antivirus researchers is a constant race," he said.

Thomas agreed, however, that whitelists are a good idea: "The way security is moving now is, as John Stewart said today, whitelisting, as in 'trust what you know', as opposed to the black list signatures."

Topics: Cisco, Networking, Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Oh geez

    Or you could just use reliable operating systems such as Linux or BSD and sidestep the issue entirely.
  • Well said !

    Give that man a penguin!

    For the vast majority of office users all that's required is a word processor, email and calendaring.

    I'd suggest that you could drop a nicely skinned KDE desktop running OpenOffice in front of most users and they wouldn't know the difference, or if they did they'd need minimal retraining.
  • Indeed.

    OpenOffice/ Evolution running under Linux Thin Client Server.

    All your problems then would go away, well, your virus problems at least.

    For other problems, buy support from IBM or Novell or Sun or someone.
  • word processor, email and calendaring?

    If all your office workers need is a word processor, email and calendaring, I'd like to see what it is they actually do all day... that may be true of most home users, but I don't believe it in an office.

    I've never met a SINGLE office worker that only uses the "simple" office applications. Most of them have *at least* one other application that only runs on Windows.

    Whether that's MYOB or some custom-built in-house application, it's all the same, really. If you want to set up MYOB to run in WINE or whatever, then go ahead.

    The fact is, a properly configured Windows machine will run *ALL* the software you need to run a business, and it'll be safe from viruses and malware. The first step is to stop running as Administrator...
  • you're kidding right?

    To suggest that linux/bsd are invulnerable to attack is naive and ignorant. There again, the suggestion that we completely abandon antivirus software just because someone works out a way around them is ludicrous too. What about the thousands of kids out there still using old techniques that they picked up off the internet - do we just throw the door open to them?

    Talking about doors, let's not bother locking them either since it has been known for burglars to break a window.
  • Mestara

    Exactly right. It may be playing catch up but it is blocking known exploits used by script kiddies or drone computers trying to gain access. While it is not the be all and end all it is no doubt better than nothing.
  • Definitely not a waste

    I hardly believe antivirus software is a waste of money, especially when one considers the vast amounts of malware out there that gets blocked.

    I do agree though, that a layered approach is the only way to keep a system/network safe from malware threats.

    Still one of the big reasons systems get infected is users opening up applications and email attachments that aren't safe. User education is key to system security.
  • Recurring theme

    Taking John out of context a bit to stir up the A/V vendors I think.

    A recurring theme throughout AusCERT, at least the sessions I attended, is that what is really needed is an OS that is not vulnerable to these types of problems in the first place, instead of all this constant patching and A/V band-aiding. Or to paraphrase one speaker today, you can't build a house on a foundation of Swiss cheese.

    And don't think it's just a Windows problem. I'm a big time Mac fanboy, but I have no illusions about the exponential increases in various types of attack we are going to see on our side of the fence as Apple gain more market share, not to mention the increase in attacks that don't target the OS directly. The average user is usually dumb enough to get his/herself into trouble.
  • Javascript

    I guess the solution is to block all known freeware download sites, and switch everyone to Firefox with the NoScript plugin.

    Then they will browse safely...and the NoScript plugin has a whitelist so you can enable Javascript for the sites that you trust, while blocking ALL known types of scripting for the sites you casually visit.

    Then it will just be email attachments left that we have to fear...
  • MAC is awesome...

    MACs can't be broken. They are superior to Windows. I have never been breached by malware.
  • linux on the desktop? pffff

    I've been running Linux on my desktop, laptops, and servers for over 12 years. Linux on the desktop doesn't pass the mom test. Ubuntu is almost there but not all the way.

    And OpenOffice blows. Compatibility issues aside, it's not as powerful as MS Office. I'm not saying MS Office is good, it just sucks less.
  • Cisco + Linux

    Considering that Cisco are moving their routers to a Linux platform base I'm a bit suspicious of this kind of talk coming from them. Especially the part about an OS built up from non swiss cheese. That said I don't think antivirus software is the way to go. Whitelisting does work. It assumes everything is bad except what you've chosen is good and is a long standing best practice in security.
  • Javascript

    All of which can be done with Windows using IE Security Zones.
  • Are you serious?

    Linux has far more patches that come out for its distributions than Windows does. Mainly because of all the bundled products in it, however hardly anyone ever says, I don't want this or that or the other thing and they go with the standard install. I've been running Linux since Slackware was pre 1.0 beta and it's hardly more secure. Is it more "virus" proof and more "spyware" proof? Hard to say. You certainly don't have the rates of proliferation with Linux that you do on Windows, but that could merely mean that it's not targeted as often due to market share. If you're a spyware maker, you focus your efforts on the biggest area of return.

    There are generally far more ways however to gain elevated access to Linux boxes than there have been for Windows boxes.

    As for saying that patching and AV are a waste of money. Please. People occasionally fall over railings and get injured. We don't say that because this happened, putting in railings is a waste of time.

    Would you rather tackle one infection that got past, or 500?

    Security products are going to have to evolve to compete with the malware threat. OS's are going to have to evolve, and most of all, END USERS are going to have to evolve. But let's not say that AV and Patching is a waste of money. I'll put my fully patched system with AV on the internet and your unpatched system with no security on the internet and we'll see which of us stays running longer and which of us can get more work done, and which of us spends more billable time fixing our computers.
  • Really?

    Why does Apple keep releasing security updates then? The fact is, malware targets the largest platform. If I have limited resources, am I going to code to hit 200 million machines? or 20 million?

    As Apple market share increases, so will the level of threats.
  • Wrong! MS apps DO run in Linux and Mac

    Check out for Crossover Office. I use it and can run MS Office, Photoshop, Visio, and others. The difference is that vulnerabilities of any of these apps is nullified because the apps run in VM sessions and the rest of the system is TOTALLY safe from infection. Even if a hacker created malware specifically intended to penetrate WINE or Crossover Office, the user is not logged in as root and any attempt to install anything would result in a popup window asking for the root password.
  • Free or No Patches?

    Is it safe to assume that future IOS patches will be free or will there be none at all?
  • Can't believe you said this:...

    "There are generally far more ways however to gain elevated access to Linux boxes than there have been for Windows boxes."

    Are you nuts? First of all, linux users don't log in as admins, or root. The very fact that Windows is shipped with the intention that the user will run as an administrator nullifies your statement. VISTA didn't improve this much at all. For one thing, most users of Windows that try to run as a "limited user" quickly find that many apps won't run. In fact, you can corrupt Zone Alarm Security Suite if you set up a limited user account, upgrade Zone Alarm as administrator and then log back in as a limited user. True Vector service will constantly stop working. I could go on for years...

    More ways to gain elevated access in linux? Prove it. For all the years you say you've been a linux user, that statement undercuts your credibility; big time!!!
  • sounds like the standard for web dev

    This is how any good web developer would develop an application. Makes sense to start treating the rest of the web the same way.
  • Re:linux on the desktop? pffff

    Windows Vista and OSX don't really pass the Mom test yet either. Mom needs a good webpliance but those never support all of the plugins etc. needed for web browsing,