Signature-based antivirus is dead: Get over it

A hacking competition will attempt to prove that signature-based antivirus is dead, but security vendors say, apart from signatures, antivirus is alive and well.
Written by Liam Tung, Contributing Writer

White could be the new black after this year's Race to Zero competition at the Defcon security conference. Competitors will be encouraged to modify known viruses in an attempt to evade the signature-based blacklists of several major antivirus engines.

Some representatives of antivirus companies claim the competition is "not a good idea" and that it will not show anything vendors don't already know — that signature-based defences do not work.

"Security research should centre around bettering detection, not evasion," Dave Marcus, security research and communications manager at McAfee Avert Labs, told ZDNet.com.au's sister site, CNET News.com.

But the organisers of Race To Zero say antivirus vendors have lied to consumers, and have failed to deliver what they claim their products do.

"We're just pointing out the basic flaw in signature-based antivirus," competition organiser Simon Howard told the ITRadio.com.au podcast Risky Business.

"[Antivirus] is their bread and butter and I can't really believe they're still making money on this stuff. For example, you see a new AV pattern is released and then you notice it's detecting a whole lot of viruses on your machine, when in actual fact you were infected with these viruses months ago and the AV vendors have just caught up," he said.

Howard is not alone on this front. Leading security expert Bruce Schneier has called the security industry a "lemon market", like the second-hand car market, because buyers cannot tell how well a product performs until it is too late.

In 2006, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), revealed that the most popular antivirus applications failed to detect 80 percent of new malware.

Simon Clausen, managing director of antivirus company PC Tools, said the competition won't reveal anything new, at least not to security vendors.

"Proving signature-based technology is outdated has already been done and we're already moving to the next stage. All major AV companies have for a long time been aware that malware writers' goal is obfuscation. We don't need proof. Every day we see attacks far more malicious and cunning than what will come out of this competition," he told ZDNet.com.au.

"Every AV company worth its salt is investing in R&D to counter these attacks," he added.

Sean Richmond, technical support manager at Sophos, threw down a gauntlet to the competition organisers: "Write a detection engine that can withstand modifications to the test set in the same way as what we — AV vendors — do on a regular basis. And test whether it requires updates to the products in minutes — that would be really interesting and might come up with novel ways of dealing with malware."

Yet despite the apparent shortcomings of signature-based antivirus software, there is consensus that antivirus is still essential.

"It is still good to have AV software on there, don't get me wrong but it's not a panacea," conceded Race to Zero's Howard.

IBRS security analyst James Turner told ZDNet.com.au: "I wouldn't advise anyone not to use antivirus software — not even if you own a Mac these days."

However, there is a problem with the use of blacklists, said Turner. "When the majority of stuff you're handling is malicious, it makes more sense to use a white list because that deals with the exception — blacklists only work if 'bad' is in the minority."
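Both the competition's premise (a known sample is tweaked until the byte pattern a signature engine looks for is gone) and Turner's blacklist-versus-whitelist point are easy to make concrete. The following is an added toy example, not code from the article, the competition or any vendor product. The "executables", the signature names, the XOR tweak and the hash allowlist are all constructed for illustration, and no real malware is involved.

```python
import hashlib
from typing import Optional

# --- Constructed inputs: toy byte strings standing in for executables -------
FAKE_HEADER = b"MZ\x90\x00"
ORIGINAL_SAMPLE = FAKE_HEADER + b"\x00" * 8 + b"EVIL_PAYLOAD_V1" + b"\x00" * 8
APPROVED_TOOL = FAKE_HEADER + b"GOOD_TOOL_V3"

# Blacklist: detection name -> byte pattern, the way a naive signature engine ships them.
SIGNATURES = {"Toy.Evil.A": b"EVIL_PAYLOAD_V1"}

# Whitelist: SHA-256 digests of the binaries the organisation has explicitly approved.
APPROVED_HASHES = {hashlib.sha256(APPROVED_TOOL).hexdigest()}


def signature_scan(sample: bytes) -> Optional[str]:
    """Blacklist check: name of the first signature whose pattern occurs in the sample, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in sample:
            return name
    return None


def allowlist_check(sample: bytes) -> bool:
    """Whitelist check: True only for a binary whose exact hash has been approved."""
    return hashlib.sha256(sample).hexdigest() in APPROVED_HASHES


def mutate(sample: bytes, key: int) -> bytes:
    """Competition-style tweak: keep the header, XOR-encode the body with a one-byte key.

    A working variant would also need a decoder stub; for showing that the
    static byte pattern disappears, the encoding alone is enough.
    """
    header, body = sample[:len(FAKE_HEADER)], sample[len(FAKE_HEADER):]
    return header + bytes(b ^ key for b in body)


def add_signature(name: str, pattern: bytes) -> None:
    """What a vendor does once a variant is sighted in the wild: ship a pattern for it."""
    SIGNATURES[name] = pattern


def encoded_payload(key: int) -> bytes:
    """The pattern a vendor would extract from the variant produced with `key`."""
    return bytes(b ^ key for b in b"EVIL_PAYLOAD_V1")


if __name__ == "__main__":
    variant_a = mutate(ORIGINAL_SAMPLE, 0x5A)
    print("original:", signature_scan(ORIGINAL_SAMPLE), allowlist_check(ORIGINAL_SAMPLE))
    print("variant A before update:", signature_scan(variant_a), allowlist_check(variant_a))
    add_signature("Toy.Evil.B", encoded_payload(0x5A))   # the vendor "catches up"
    print("variant A after update:", signature_scan(variant_a))
    variant_b = mutate(ORIGINAL_SAMPLE, 0x33)            # one more tweak, one more miss
    print("variant B:", signature_scan(variant_b), allowlist_check(variant_b))
    print("approved tool:", signature_scan(APPROVED_TOOL), allowlist_check(APPROVED_TOOL))
```

Run as a script, the original sample is caught, the first variant is missed until a new pattern is shipped, and the next variant is missed again: the blacklist is always one update behind. The hash allowlist blocks every variant without any update, because any change to the binary changes its hash; the cost it shifts onto the defender is approving each legitimate binary, which is why it suits environments where most of what arrives is hostile and where a change-control process already exists.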

PC Tools' Clausen said the security industry has been looking beyond blacklists.

"I would very much disagree that AV is dead. Really, traditional signature-based AV is going to be dead in a few years, but what every antivirus company is evolving towards, like us, is behavioural AV technology, so AV will be alive," he said.
