Is the antivirus era really over? Not yet
Summary: Antivirus missed well-conceived malware such as Stuxnet, Duqu and Flame, but so did business-grade defenses. Simply put, antivirus is being hung out to dry.
Antivirus software has its issues: signatures need to be updated, new attacks avoid common defenses, and it's consumer-grade protection. But it's far too early to write the antivirus software obituary.
MIT's Technology Review declared the antivirus era over. In a nutshell, the Flame attack highlighted how antivirus scans aren't perfect. F-Secure's research chief Mikko Hypponen said on Ars Technica that the antivirus industry failed.
Hypponen noted that the antivirus industry has frequently missed well-conceived malware such as Stuxnet, Duqu and Flame. These attacks weren't run-of-the-mill malware, since they were created by governments to target oppressive regimes.
Indeed, antivirus missed those attacks (though it did ultimately find them), but let's not get crazy with the bashing here. Why? Simply put, antivirus is being hung out to dry. Newfangled defenses, notably business-grade IDS and IPS, all missed Stuxnet, Duqu and Flame. If we're going to rant about antivirus, it may be time to take out a few other defenses as collateral damage.
Meanwhile, it's worth considering the consumer alternatives to antivirus. Alternative approaches aren't commercialized.
Hypponen said:
The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers, and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose... It's not a fair war between the attackers and the defenders when the attackers have access to our weapons.
Hypponen didn't declare the end of antivirus. He was just noting that the security industry is outgunned.
Now what? The Technology Review argued that it's time to demote antivirus. Going forward, antivirus is just part of the equation. Startups are cooking up new defenses, but commercialization appears to be distant.
In the meantime, antivirus, which may indeed be outgunned, is the best we have. And given the risks involved antivirus software will continue to sell. Passwords suck too, but you still use them. Antivirus will ultimately be demoted, but before we declare the end of an era I'd like to see the alternative defenses first.
Talkback
I've thought for years that Apple's approach was the best
The problem with Apple's walled garden approach
And BTW the cries of monopoly are not stopping Microsoft from making the apps for Metro a walled garden.
Apple is doing this with OS X
This is the approach Apple is taking with Mountain Lion and I think it is the correct choice. I'm not sure I can eloquently state exactly why I'm not upset about iOS offering no choice (if we ignore the jailbreaking option) but all I can say is that this doesn't bother me in the slightest.
"And BTW the cries of monopoly are not stopping Microsoft from making the apps for Metro a walled garden."
Anyone is still free to download non metro apps from anywhere they want so Windows 8 is not a walled garden.
Re: Google Approach
If it were as you describe it, there would be no malicious applications on the official Android market; there would be no need to think twice before trying a popular application on your Android device; overall, there would be no need to run any Anti-Virus on your mobile device for safety reasons.
That is what Cr_apple has in place; they took responsibility for what enters the AppStore. The only downside is that they don't give any easy exits from the walled garden, which is where the trustworthy Jailbreak community comes into play. They provide the key to these hidden exits in iOS, and everything power users gain on Android can be found in a source from the Jailbreak community.
Apple's approach was copied from BSD and GNU/Linux repositories
That said, Apple chose wisely to learn from BSD and GNU/Linux and use the software repository approach in their online app stores for iOS and OS X.
Finally, I agree that well-managed software repositories are an important defense-in-depth strategy to counter malware. However, as we learned from iOS app developers' recent theft of users' contact information, the app store approach is not iron-clad. Also, note that iOS app sandboxing did not prevent the theft of users' contact information.
A blog Adrian Kingsley-Hughes wrote for Forbes four days ago (06/08)
Specifically, you state that "Microsoft has never been allowed to do what's best for the consumer because they are just too successful and the cries of monopoly prevent them from implementing things like this in Windows."
AKH quotes opinions by Gary Davis, director of global consumer product marketing for antivirus vendor McAfee, stating that the chief reason Microsoft will not enable their own Windows Defender antivirus software as a Win 8 default is because of intense pressure brought upon Microsoft by Windows PC hardware system OEMs. (Even though Win 8 will ship with Windows Defender preinstalled.)
According to that Forbes article, Gary Davis states "the reason that Microsoft is doing this is not to give consumers a choice, but to give the OEMs an opportunity to load trial versions of antivirus programs onto new PCs."
The logical question to ask is why Microsoft would do this? Gary answers that OEMs want to load trial antivirus software onto new PCs because "... a large portion of their profits on PCs come from revenue associated with antivirus software."
And there you go! Anti-virus software is always championed as a necessary software program NOT because it is effective (just this one article highlights how ineffective those programs are) but because it improves the bottom line for OEMs substantially. (Due to the razor-thin profit margins that PC OEMs operate under, who can blame them for championing a class of software programs that allows them to increase their profits?) Heck, I'm no business major, but if I could continuously hoodwink my customers into buying expensive snake-oil preventive type products, I would do it myself - and cast aside any ethical concerns that I might have. (IMO, there is no such thing as business ethics anyway. But that's another debate for another time.)
Returning to your main point, Todd, IMO, Microsoft does what it does because of complicated symbiotic financial realities with their business partners and not simply because they are too successful (by themselves).
Microsoft has, in the past, been a corporation that has had to act in certain ways due to monopolistic legal concerns, but in this case, I believe those concerns (although bearing upon this topic) are of secondary importance. The chief influence is a financial one... as AKH pointed out in his Forbes blog.
AV S/W is Expensive?
Ultimately, the most important thing you can do to protect yourself is patch your OS as soon as patches are available. Run Secunia's PSI and update your apps when patches are available (or let PSI do it for you).
Most attacks are on patched vulnerabilities, not zero day attacks.
It always amazes me how complicated things get with Microsoft.
I have used Linux for the last 10 years and have never used AV. Linux source code is open, so effectively the blueprint for the kernel and OS has been freely available to anyone since 1991. I've never had a malware issue on my computers or on any that I installed Linux on for family and friends.
Sadly, what a lot of people here don't realize is that for every Anti-virus event postulated or encountered, the true essence of the action is a fault in the source code that is unaddressed by Microsoft. In Microsoft's eyes, they are big enough to schlep out poor quality code, well knowing the malware events will first be experienced by the users, then AV company research will identify the actions needed, supplying updated .dat files to users, and then eventually publish the details so Microsoft can create a Critical Update.
Having no AV for 10 years obviously is acknowledging a boundary where the OS has reached a point where there are no transgressions. It's extremely convenient to use an OS without proprietary, money-making appendages such as product keys, WGA, DRM and constant advertising for additional purchases. Sadly, Windows users are so inundated with this "must have" mentality about using antivirus that they constantly come to the Linux door saying "we need it so you must need it also". If you don't believe my response that it's not necessary, go do your own research on the web or look back at the posts here to see if there is anything posted about Linux users using AV or getting infected. There isn't, and obviously Linux has become popular enough for there to be reports of AV use or infections. The only way to "get through" to the crowd is to insist they try it. If they are obstinate about it, insist they use it and try to get infected. I have 11,837 saved Linux emails, mostly from forums, and none mention malware infections.
Microsoft has done a good job over the years of establishing these paradigms and they are not going to disappear overnight, but so much of what they do is built upon a foundation of propaganda.
AV is not necessary if the quality of the OS is sufficient, as in the case of Linux.
Microsoft must, at all costs, continually convince their users that AV is an absolute necessity. Articles here have attempted to convince users that Linux and Apple need virus protection, when in actuality, they do not. Part of this deception by ZDNet and its authors is to try and place Windows on an equal level with Apple and Linux to reinforce the fallacy that they also require viruses. I can speak from personal experience that Linux never required anti-virus.
They've never been perfect, though.
Antivirus has never been perfect, though. Ever since polymorphic viruses reared their ugly heads, signature databases have never been enough.
The key really is prevention. Make sure your defenses are good. Make sure you're behind a NAT router or firewall. Scan email attachments or use a web host that scans them automatically (the popular ones like Gmail usually do). Use NoScript or something similar while surfing. Keep all of your software up to date. Keep your OS up to date. Make sure your wireless router is using WPA or WPA2. Use strong passwords.
And the list goes on - but the point is, there's a lot besides AV you can be doing to make yourself more secure. AV is IMO one of the last lines of defense - it's a tripwire to tell you when something got past everything else. Thus, I only use Microsoft Security Essentials. I don't bother with anything fancy that slows down my system.
The key really is prevention
What you really mean is...
Don't use a computer that you can install software onto
"so please, don't start with that tired old canard"
It's not; your chances of getting infected with malware on your typical Linux distro are basically next to nil.
"If the system can allow software to be installed, it's vulnerable, period, full stop, no exceptions"
Right, that's like saying if your house has a point of entry then it's vulnerable, period, full stop, no exceptions. Well, I'm sorry to break this to you, but some houses are a whole lot easier to get into than others.
@RyuDarragh
I can see how intelligent the audience of ZDNet is!
Proof?
Give some proof.
"Linux is not malware proof" -> -> -> What Linux have you used and exactly how did you become infected? Let me know or admit that you never used it and you have no information on getting it infected. People like you have no credibility with your remarks and can't even say you ever used the OS. How about getting called out once in a while? I've been using it for 10 years without AV and haven't been infected. You are dead wrong. Anyone remotely serious about computers has at least a basic working knowledge of Linux. Virtually every dissenting Linux post here from a Microsoft supporter makes absolutely no mention of their experience with Linux or that they have ever even used it.
Use Linux Mint 13, it's simple and great for someone who has never used Linux before.
And ...
"Antivirus has never been perfect"
I think the people say things like this just to grab some media attention without caring how stupid it makes them sound. The introduction of more sophisticated attacks will not directly cause the end of the anti-virus era. Only the advent of secure systems that are invulnerable to virus attacks can possibly cause the end of the anti-virus era. This article suggests that the opposite is occurring. Rather than computers becoming more secure, attacks are becoming more sophisticated. There is no suggestion in the article, in fact, that computers are more secure so as to not need anti-virus to protect against the less sophisticated, run-of-the-mill viruses (malware).
This article can be summed up in one logical fallacy: Non sequitur
What a virus can't get into
This is just a straw man argument
Intrusion protection is just one of the added features in an Internet suite, and the better systems use heuristics, action monitoring, and crowd-sourced threat assessment to run ahead of issues in constant update of signatures, which they have practically to the minute also.
The distinction I can find for 'commercial' versions of intrusion protection (IPS/IDS) comes when you are talking about protecting servers. Otherwise the language used seems to be just marketing-speak: odoriferous and misleading.
That MIT site seems to have become a bad example of conservative science trying to become emotively newsworthy -- all the wrong buttons get pressed.
It's been dead since the 90's...
RE: Is the antivirus era really over? Not yet
It has been very recently reported that Bit9's whitelisting technology successfully blocked Flame malware:
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240001537/microsoft-will-strengthen-windows-update-to-repel-flame.html
However, since both Duqu and Stuxnet included 0-day exploits for the Windows kernel, among other 0-day exploits, neither Bit9 nor any other security software that I am aware of would have blocked them.
New Zeus (Windows banking trojan) variants are also known to bypass anti-virus defenses with impunity. I'm quite sure that Bit9 and other whitelisting technologies would block Zeus.
Anti-virus companies have been adding various technologies to their arsenal. For example, via acquisitions, Symantec has added application sandboxing (Altiris) and McAfee has added whitelisting (SolidCore), both for enterprises only, while Avast has added application sandboxing to its paid anti-virus product.
For enterprises, I would ask whether the antivirus era is over for endpoints. Sandboxing and whitelisting technology seem better-suited to me for endpoints than does anti-virus signature scanning. Enterprise sysadmins have the chops to manage these newer technologies and can do so transparently to their end users. It does make a lot of sense to me for enterprises to continue to use anti-virus technology for mail servers and file servers. In fact, an approach similar to what Jotti and VirusTotal use in their online file scanning services, multiple anti-virus engines, seems like it would be particularly well-suited for file servers. Why depend on a single anti-virus vendor, especially for newly emerging threats or variants?