Antivirus is completely wasted money?

Companies are resigned to virus infection despite antivirus protection and wasting money on security processes that do not work, says Cisco CSO John Steward.

Companies are wasting money on security processes--such as applying patches and using antivirus software--which just do not work, according to Cisco's chief security officer John Stewart.

Speaking at the AusCERT 2008 conference in the Gold Coast Tuesday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure.

"If patching and antivirus is where I spend my money, and I'm still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user's data and I still have to reinstall it, the entire cost equation of that is a waste.

"It's completely wasted money," Stewart told delegates.

He said infections have become so common that most companies have learned to live with them.

"There are too many companies in the world that actually believe infection is just a cost of doing business and are getting used to doing it--as opposed to stopping it completely. That's dangerous," he said.

A better way of dealing with the unknown is to use whitelists--where only authorized or approved software can execute, said Stewart.

"I'm sick of blacklisted stuff. I've got to go for whitelisted stuff--I know what that is because I put it there," he said.

Security software vendors did not agree.

Gavin Struthers, regional director for McAfee Australia and New Zealand, said that although installing antivirus and updating patches are not a perfect solution, they certainly aren't a waste.

"I disagree that it is a complete waste of money... Against today's sophisticated attacks, antivirus and patching won't stop these threats, so you need a layered approach and defense in depth," he told ZDNet Australia.

Chris Thomas, technology specialist for CA's Internet Security business unit, said that antivirus alone did not provide enough protection.

"It's not a complete waste of money. If it's the only level of protection that someone has, it's probably not going to be enough. The arms race between the malware writers and antivirus researchers is a constant race," he said.

Thomas agreed, however, that whitelists are a good idea: "The way security is moving now is, as John Stewart said today, whitelisting, as in 'trust what you know’, as opposed to the black list signatures."