Is Antivirus Dead?

Symantec declared anti-virus dead, and Brian Krebs writes a good response.

He’s right: antivirus won’t protect you from the ever-increasing percentage of malware that’s specifically designed to bypass antivirus software, but it will protect you from all the random unsophisticated attacks out there: the “background radiation” of the Internet.

Posted on May 15, 2014 at 1:18 PM • 40 Comments

Comments

Jack Daniels May 15, 2014 1:58 PM

Antivirus was dead from the beginning. People either lived with the malware or reinstalled windows and the vicious cycle repeats.

Was funny the first few times but gets quite annoying when you have to deal with baby duck nonsense when you try to give them a practical solution.

Andrew Wallace May 15, 2014 2:11 PM

As soon as a new anti-virus or version number comes out, there are dedicated teams ready to break and circumvent it. To protect from random, by-chance malware, you are ok. For targeted attacks, you are as good as toast.

Evan May 15, 2014 2:14 PM

I wouldn’t say it’s dead, I’d say it succeeded. Remember, in the old days computer viruses were actually like the biological kind – a bit of malicious code would insert itself into another executable and hide there, periodically propagating itself still further, especially onto floppy disks. That’s what anti-virus software was designed to protect against.

That whole class of malware is now, as far as I know, extinct. There are plenty of other ways to own a computer, some more sophisticated than others, but with DRM, anti-cheat measures, BitTorrent, NSA-mandated backdoors, and so forth, it’s harder and harder to say whether a certain sequence of activities is malicious or operating as normal. It’s getting too hard to tell the difference.

Anura May 15, 2014 2:27 PM

Antivirus became insufficient in the late 90s/early 2000s when people realized that malware and exploits could be commercialized. What we need today is better isolation between applications combined with improved patching of vulnerabilities, as well as better education on social engineering. Anti-malware is always going to be useful, but it’s as a bandaid, not the first line of defense.

The plan for the long term should be to strengthen international law; as long as countries look the other way as enterprises within their borders profit off of malware, then malware will continue to be widespread. Malware is not going away ever, but at least you can push it further underground. Stay tuned for more pipe dreams.

Winter May 15, 2014 2:31 PM

The death of anti-virus has the same cause as our inability to protect ourselves against the NSA et al. Our ICT infrastructure is neither designed nor constructed to be secure, or even securable.

The fact that the intelligence agencies have worked actively to prevent the adoption of secure technologies has not helped.

Cyber-espionage, surveillance, eavesdropping, viruses, rootkits, and malware are all symptoms of the same weaknesses in the ICT infrastructure.

simmer_down May 15, 2014 2:48 PM

Antivirus is not actually “dead.” It’s that there is lots more money to be made selling appliance licenses to CTOs that make workers interchangeable. As the Target compromise shows, it doesn’t work. It sure sells subscriptions though!

Antivirus became a huge industry because the operating system that became popular is some combination of poorly designed and poorly implemented and still is.

Case in point, the Krebs article mentions opening an email with malware attached and the malware is executed. Apparently, this application behaviour (auto-exec code from a hostile source) is still okay at Krebs’ level in 2014???

Someone May 15, 2014 2:49 PM

I use a product called “Anti-Executable”. It blocks executables or DLLs from running/loading if they’re not on a whitelist. That way I have to specifically allow anything (with a password) before it will run.

Crispy May 15, 2014 3:05 PM

“Shape Security Inc., a Silicon Valley startup, assumes that hackers will steal passwords and credit-card numbers so seeks to make it difficult to use the pilfered information.”

Wouldn’t it be better not to keep customer credit card numbers in the first place? I’ve lost count of the number of times I’ve read about hackers stealing credit card databases from retailers, but they still insist on keeping this potentially toxic data.

chetatkinsdiet May 15, 2014 3:34 PM

We still build new houses with locks on the doors. That doesn’t really keep out thieves, but it’s a layer of protection that works in conjunction with monitored alarms, etc. The real key is not being lazy and/or careless and leaving the garage door open and watching out for your neighbors and that sort of thing.
No different than online security.
AV or endpoint protection is still necessary, but only part of the picture.


Anura May 15, 2014 3:34 PM

@Crispy

There’s always some storage, even if it’s just in memory for a few seconds, and business requirements can require long term storage, such as recurring payments. The Target hack was not capturing credit card numbers stored in a database somewhere, for example; it was stealing cards as they were charged. The solution is to design the system so that no one ever has enough information to charge your card. Instead of a super-secret number that must be given to someone else in order to charge your card, there should be a super-secret number that must never be given to someone else, such as a curve25519 private key that is combined with the bank’s static public key to generate keys to authenticate the message and encrypt the cardholder details.

Basically, a system needs to be developed so that the merchant never has enough details to charge your card without you (well, your private key) being directly involved.

Ben G May 15, 2014 4:49 PM

AV is far from dead – I have been hearing that as long as I have been in the industry (13 years) and while people bash AV, they continue to use it because it fills a gap nothing else does. Is it perfect? Of course not. It is still a very important tool in securing a system and identifying infected systems. An AV product backed by an aggressive research team and regular signature updates helps prevent many common infections. For the infections AV misses, chances are very good signatures will be released that will detect the infection in a day or two. Simply alerting on an infection is a very useful feature of AV. Most infections today are quiet and give little indication to the end user they are infected. AV has the unique capability of actually scanning the disk and finding infections. Without AV many users would have no clue they have something wrong with their system.

For people that actually do security in a dirty, hands on way on a daily basis, AV is far from dead (as opposed to talking about it at a higher level). For example, for larger organizations that have established relations with an AV vendor, a sample can be submitted and signatures released rapidly. This signature can then be used to scan the enterprise and identify other infected systems. This is a critical component in incident response.

Of course, there needs to be many other layers of protection on the network, but AV is far from dead and very useful to actual security practitioners.

Gary D May 15, 2014 6:49 PM

Yep, it’s good protection from nuisance infections. That’s about it.
What’s more effective is just taking away admin rights from users.
Even Windows supports denying users the ability to install system-level code, yet we still give it to them (or ourselves) as a matter of course.
Sure, an exploit that can escalate its privs will still work, but now at least you’ve raised the bar to the level of the more sophisticated stuff, not letting in the junk-malware that sneaks past AV by the Trojan Horse method.

Nick P May 15, 2014 7:29 PM

Firefox + NoScript + HIPS (DefenseWall, Sandboxie, browser VM, etc) = way better protection from web background radiation. Take away NoScript, you still have a solid solution without issues of AV. And for browser VMs, without spending money either. And if on a LiveCD/USB, you’ve eliminated persistence & reduced infection risk for most of the threats attacking the host.

Biggest risk I’ve found using Linux systems is accidentally infecting someone with a file I sent them because it had no effect on my system. Oops.

Clive Robinson May 15, 2014 7:55 PM

Yes, AV is old, in fact older than the commercial use of the internet, and also older than LANs in the majority of companies.

It goes back even before the Peter Norton “pink shirt book” for those old enough to have heard of it…

Virus software first came about shortly after low cost commercial computers came about; the first I knowingly came across was on a CP/M machine with eight inch floppies long before IBM made its first PC…

Back then the only computers with networking that most people saw were at Universities. The way most people in business or home use moved data/programs around was by “Sneaker Net”, which was a fanciful name for walking removable media from one computer to another.

The way a lot of viruses later moved around was by infecting the “boot-sector” of the floppy. When the internet and LANs became ubiquitous, floppy disks became more or less redundant and virus software stopped using the boot sector, several generations of IT staff never knew about it, and the industry in general forgot about boot sector attacks. So when thumb drives became ubiquitous somebody who remembered, or invented it anew, brought the forgotten boot sector vector back into use, much to many people’s surprise.

And thereby provided a lesson, “old tricks become new tricks when people forget them”, so whilst AV software may appear of less and less importance currently, it will, with the way the ICT industry works, come back again over and over…

Nick P May 15, 2014 8:33 PM

@ Clive Robinson

Once again, we can thank von Neumann for his inadvertent contribution to the field of information [in]security: the invention of self-replicating machines.* We can thank Bob Thomas for turning the idea into the first worm on 70’s ARPAnet. We can thank Fred Cohen for the phrase “computer virus,” a demonstration of one, and early efforts at defending against them. It’s funny to think that the reaction in Cohen’s time was that it was a largely theoretical worry that would go away if nobody talked about it. Cohen’s requests to get started early on “computer immune systems” were ignored. A decade or three later we can see the wisdom of their choice… (sarcasm)

* Of course, that kind of research might also end the human race one day. So, von Neumann’s winning streak may not be over. 😉

Nick P May 15, 2014 8:35 PM

EDIT TO ADD:

Of course, for people running up-to-date Linux distros, computer viruses are largely a theoretical risk. :O

James Mason May 15, 2014 9:38 PM

I would use the analogy of purchasing a home alarm (or purchasing the window stickers and yard sign off eBay). If a burglar specifically targets you, chances are pretty good they know how to defeat your average ADT system or can find some other way in. But for all of the other “casual” burglars out there looking for dusty driveways and overflowing mailboxes, they’ll see the stickers and just move on to an easier target.

Brandioch Conner May 15, 2014 9:39 PM

@simmer_down, I agree. Anti-virus will continue to sell subscriptions for years and years to come.

Antivirus became a huge industry because the operating system that became popular is some combination of poorly designed and poorly implemented and still is.

Again, I agree. It is possible to mitigate/ameliorate the risk/damage by running additional apps which attempt to restrict what can run on the machine. I’ve done that. It works. But it requires dedication from the person doing it.

Anti-virus companies COULD include such functionality but it isn’t in their financial self-interest to do so.

Which leads to the amusing situations where an anti-virus update decides that an OS file is a “virus” and disables the machine. And all other similar machines that received the update.

At the very least an anti-virus app should:

  1. Boot from a “live” CD/DVD/PXE of a different OS.
  2. Identify files, their location and their origin using multiple checksums and hashes and a white-list.
  3. Create multiple checksums and hashes of unidentified files and provide a means of saving/uploading that information along with name / size / location for analysis.
  4. Provide an option for moving the files in #3 to a secure location.

At least you’d know that the machine did not have software installed that you had not approved.

Nick P May 15, 2014 10:04 PM

@ Brandioch Conner

That sounds similar to what Invincea does, although without a dedicated boot environment. Closest thing to what you’re describing is LynuxWorks’ rootkit detector built on their separation kernel/hypervisor. Knowing how SK schemes typically work, they likely virtualize the OS and run the security critical components in isolated address spaces directly on the kernel. So, some of the industry is going in a similar direction to what you described. If only all of those pieces could be integrated into one solution, yeah?

Clive Robinson May 16, 2014 2:59 AM

Robert R. Fenichel,

Actually no, Bob Morris, son of Robert Morris (then chief scientist at the NSA), was not the creator of the first worm.

There had been research on using worms to get around the software patch/update issue long prior to that.

Further it is quite likely junior got the idea indirectly from senior along with some of the exploits the worm used. Senior had a “helpful and enquiring personality” and was known to mention what we would now call attack vectors to those who he regarded as peers (famously he was telling Clifford Stoll about dictionary attacks on unix password files). Even if senior did not provide actual information, BSD Unix was known to have a large number of attack points “out of the box”, but few in the academic community actually considered that they would be put to actual use. Thus the worm caused a badly needed wakeup call, that caused a major culture shock in the then rose garden of computer science.

What made Bob Morris famous was the effect the worm had on what we now call the Internet: he got the replication rate wrong (by a small amount) as well as not providing a sufficiently good mechanism to prevent reinfection on a given host. The resulting traffic caused the network to significantly slow and the reinfection problem caused hosts to crash as they ran out of available RAM. As a number of these hosts were used for infrastructure tasks the overall effect to many was that it crippled the Internet.

As was pointed out at the time, if everyone (who had a host that could be attacked) pressed their reset button at the same time it would have killed the worm then and there, as it worked from system RAM only and did not write to hard drives or other long-term storage.

As senior said publicly of junior “this is not going to look good on a resume”.

Clifford Stoll in his book “The Cookoos Nest” had a section on what happened and how the worm was dealt with, and there is at least one repository on the Internet where you can download the code and various commentaries on it.

Wael May 16, 2014 3:43 AM

@ Clive Robinson,

Clifford Stoll in his book “The Cookoos Nest”

Actually it’s called “The Cuckoo’s Egg”. You are probably thinking of Jack Nicholson’s movie “One Flew Over the Cuckoo’s Nest”. Both book and movie are good…

Lowell Gilbert May 16, 2014 6:21 AM

Krebs’ headline (and Bruce’s quoting of it) is hyperbolic. In context, the Symantec VP said that antivirus is dead as a “moneymaker”, not in any technical sense. I don’t see any indication that Krebs and Symantec actually disagree in any meaningful way.

Evan May 16, 2014 9:43 AM

@Anura: How would that work with online shopping? Your card provider could use one-time codes via text or something but that means your phone has to be working, turned on, and able to get a signal for you to be able to shop.

Anura May 16, 2014 10:20 AM

@Evan

You store a private key on your computer. You can even build a protocol on top of HTTP that your browser interacts with. You don’t need to communicate directly with the bank in this case; you communicate with the merchant who forwards what you send to their payment gateway, who finally communicates with your bank to charge your account.

Harvey MacDonald May 16, 2014 11:09 AM

We are all condemned to high-paying security jobs until computers can reliably discern between data and executable code.

There. I said it.

Nick P May 16, 2014 11:44 AM

@ Robert R. Fenichel

A worm is (in minimal definition) essentially a program that spreads itself over networks and also executes a payload. Bob Thomas, in 1971, wrote a program that spread itself from one PDP-10 (TENEX) machine to another over the ARPAnet packet-switched network. The program, Creeper, contained instructions to display “I’m the Creeper. Catch me if you can!” on computers it infected. A program, Reaper, was later created to remove Creeper off machines.

So, we have the first worm and the first malware removal tool on historical record. That was 1971. Morris’s worm was 1988. Thomas beat him to it by almost two decades.

@ Harvey McDonald

“We are all condemned to high-paying security jobs until computers can reliably discern between data and executable code.”

Haha. I’d rather have a high paying administrative job for a group of machines immune to code injection and fault-tolerant in general. Closest thing are people who run mainframes, AS/400s, and VMS clusters. They always cringed at switching over to the new platforms as their previous job was 9a-5p, had fewer headaches, and no calls at 3am about servers going ka-plunk. (Or ka-boom back in WinNT days.)

A nice anecdote is a recent conversation with an employee of a major retailer about IT platforms & quality. Upon positive mention of AS/400, he recoiled saying they did their timekeeping, scheduling and some other critical stuff on an AS/400. He said he “hated that damned thing.” Asking why, I figured that he actually hated the app’s textual interface. It was truly a horrid interface. There were other TUIs that didn’t bother him, though.

In any case, I asked if they have problems with their network & IT guys regularly coming in. He said plenty to the point they’ve even lost business due to certain service outages. I asked how many times the AS/400 crashed and people had to fix it. Drew a blank expression: “I… don’t remember it ever having a problem. I’m honestly not even sure where they keep the machine as I’ve never looked at it.” Exactly. Good engineering = uninterrupted business & less headaches for users/admins. 🙂

MikeA May 16, 2014 1:05 PM

Best not blame Von Neumann for it all. The referenced article describes what I’d call the love-child of Turing’s machine and a Quine. It’s interesting that the notion of interpretation (hence virtual machines) seems to have arisen in many places, often from people who are invisible to academia. So using your time-machine to stop Von Neumann would not help. BTW: “his” EDVAC paper described a machine where each word was tagged as either instruction or data (by an unspecified program-loading “organ”), so it could not do fully self-modifying code. Only the address part of an instruction could be modified. Of course, one was quite able to write an interpreter whose target “code” could modify itself, and which could execute its data. (The tag was more of an optimization, avoiding the need to mask and merge when doing address modification in a time before B-Boxes. The lack of a tag allowed Mel to do his hack 🙂

More disappointing is that some still believe in the magic pixie-dust of “execute permission” or its flip-side the “NX bit”, as if just keeping the CPU from executing a particular string of bits without permission will do the trick. I recall a strongly worded response on comp.risks to the notion that the NX bit would fail to protect one against, e.g. “content” like Flash or JavaScript exploiting bugs in the interpreters. The more things change…

Nick P May 16, 2014 1:39 PM

@ MikeA

It’s a play on a running, inside joke between Clive and me. The von Neumann architecture’s mixing of code and data is the cause of all sorts of malware problems. True Harvard architectures, tagged architectures, etc solve these problems. Yet, designers and researchers often start with von Neumann architecture for their security designs, leading to all kinds of ways to do an end-run around them that are inherent in the architecture (or its implementations). That’s why I directed the comment at Clive as he’d get what I was doing. 😉

“BTW: “his” EDVAC paper described a machine where each word was tagged as either instruction or data ”

Now that I didn’t know. Thanks for the info. So, maybe he isn’t as guilty as he seems haha. I’m going to have to look that up. 🙂

“I recall a strongly worded response on comp.risks to the notion that the NX bit would fail to protect one against, e.g. “content” like Flash or JavaScript exploiting bugs in the interpreters. The more things change…”

Too true. I think the older capability systems anticipated this where they allowed software management of hardware enforced capabilities. Certain capabilities, esp primitive data types, might be hardcoded into system. Privileged software might modify data types or create abstract ones on behalf of less privileged software. So, an interpreter might safely be implemented using the tags/capabilities internally for data & control flow protection. The bytecode that was validated would be converted to machine code into memory, then tagged as code by the security system with POLA still enforced. Such a scheme, esp if it had security at interfaces as well, might be quite strong despite the extra TCB & complexity of interpretation. (i.e. fundamental hardware mechanisms are doing the heavy lifting)

Yet, the modern designs went with architectures that threw bits around, weak NX permission models, abandonment of hardware-enforced compartmentalization (i.e. segments) almost entirely, and interpreters that include libraries full of unsafe code. The results were… entirely predictable.

RonK May 18, 2014 2:04 AM

@ Clive R

As senior said publicly of junior “this is not going to look good on a resume”.

Possibly not, but I don’t think we need to worry too much about Junior… besides selling a startup for millions, he currently has tenure at MIT.

Comparing his CFAA sentence to what the DOJ threatened Aaron Swartz with, however, is enlightening.

Clive Robinson May 18, 2014 6:17 AM

@RonK,

Sometimes a little previous “bad behaviour” gets you a degree of fame that opens doors to you; thus if you have the skill to capitalize on it you can go quite a lot further than you might have done just on ordinary skills merit (all the best jobs I’ve had are where people who work there have known me personally beforehand).

As for the current use by the authorities of poorly considered legislation, it can only be partly considered with respect to idiot prosecutors chasing their own fame and promotion prospects.

Whilst the US plea bargaining system is designed to reduce court costs etc., it can be manipulated badly by dishonest people and thus can be used to prevent considered and reasoned justice and turn it instead into a political tool, inventing crimes where they don’t exist. Thus comparisons to Witch Hunts and Inquisitions are made and the words of Cardinal Richelieu no longer sound either hollow or from another more terrible age.

koita nehaloti May 18, 2014 8:47 AM

Antivirus should work only from a bootable live CD that fetches signatures of programs that should be there, not signatures of programs that should not. That could mean 3rd party sha512 repositories for windows, linux distros, BSD…

If that is too clunky for many, maybe we could hide antivirus functions, classes and modules in random software. Gimp, Vuze or VLC could randomly begin a virus scan if such a function is hidden in some suitable random hiding place inside the source code. The OS may have to be compiled from source like Gentoo Linux, and the potential hiding places need to be marked in the sources so the automated hider program knows where the good places are. The antivirus module is better obfuscated.

Annoyed May 18, 2014 8:08 PM

When people say “antivirus is dead” it seems like they are referring to signature based detection. While I agree this type of antivirus is most likely reaching the end of its usefulness, I don’t believe that antivirus is truly dead.

The problem isn’t just because malware is more sophisticated, but also in part because people are more impatient. Everyone wants their PC to boot in less than 30 seconds, web pages to load in under 5 seconds and programs to install and startup immediately. If people were more patient and didn’t mind programs taking a bit of time to load, a combination of a sandbox and antivirus would catch a lot of the non-state level malware.

If an antivirus program would intercept everything and push it into a sandbox (such as Sandboxie), if the program didn’t decrypt itself it could be considered malware. If it did decrypt itself, the next stage would be a signature / heuristics check. Finally, the program would be run in the sandbox and an operational check would be performed to see if anything “unusual” was occurring.

Antivirus companies are starting to realize that antivirus is dead not so much because of sophisticated malware but rather the impatience of their customers.

@Someone

Norton Internet Security has a feature to block all DLLs and binaries from loading until whitelisted but it’s off by default because it’s extremely difficult (almost terrifying) for novice PC users to use.

The implementation is a bit poor because it notifies you with a popup each time a DLL is loaded which for some programs can be hundreds.

I would’ve done it differently by scanning the import section of the file header (similar to Depends from Sysinternals) and present a nice list of DLLs and EXEs for the user to scroll through.

fajensen May 19, 2014 10:29 AM

Symantec is the graveyard of the software elephants, however, the software is not an elephant until Symantec adds “features” to it.

Joking aside, anti-virus is rapidly becoming irrelevant because the biggest threat is ad-ware, spy-ware, etc., the so-called “Potentially Unwanted Programs” which the anti-virus vendors completely ignore, because hey, someone may want “Wajam” or some other filth to hijack all their desktop links and install yet more crapware… and anyway they are Legal Businesses.

jim May 19, 2014 1:42 PM

Interestingly, I find antivirus programs for routine sysadmin work (on consumer computers) usually works better in reverse. Unknown file on client computer identified as W32.Keygen or W32.WPAtool? Probably safe (after doing some google searches, and reminding the consumer to use legal software). Unknown file on client computer (.exe) that seems perfectly clean, and SHA-256 on google draws a blank? My alarm bells immediately go off.

Jine May 27, 2014 6:27 AM

Kaspersky Anti-Virus 2014 is among the best antivirus software available today. It’s a powerful security tool that you can use to stop all kinds of known threats like viruses, worms, Trojans and other sorts of malware.

Source: http://www.downloadstack.com/

Robin February 24, 2015 6:02 AM

I don’t think it’s completely dead. These days they are becoming very essential and the statement should be “Antivirus is not enough” to protect users’ data and privacy. Computer users should go through some good security practices to protect their identity online. Education is the missing part here and that should be filled to protect the user from increasing cyber threats and attacks.

Kaspersky or Bitdefender, considering premium antivirus software, will definitely be a good choice over free antivirus software.

Robin.

Me Myself and I March 13, 2018 4:53 AM

I don’t think antivirus is dead. Maybe they can’t stop all things being thrown at us, but at least they find and handle a lot of the crap that’s out there.
