A requiem for anti-virus

We have relied on anti-virus until now. But have we, really? asks Amichai Shulman

In a sensational quote in the Wall Street Journal just weeks ago, a Symantec executive declared anti-virus dead. Well, it's about time.

AV has been kept on artificial life support for too long now, so it is right that it has finally been put out of its misery.

Twenty-five years ago, AV was an emerging technology. It was basically software that looked for string patterns within computer files, patterns that had been identified as belonging to a known "virus".

Many did not believe it was necessary and some even speculated that the sporadic viruses (as malware was called then) that surfaced from time to time were created and magically distributed by the start-up companies that tried to push AV technologies.

Those trying to avoid the unnecessary expense of purchasing a strange, unfamiliar technology said that just by using a calendar of expected virus outbreaks (which they obtained from an obscure source) they could avoid potential damage simply by turning off their computers on certain days.

Soon enough though, everyone had to acknowledge that AV was in fact the best technology at hand to avoid malware damage incurred by (almost) harmless pranks such as Ping Pong or more serious BIOS-obliterating programs such as CIH.

Believe it or not, the first AV updates were pushed to customers by physical media through standard (non-e-) mail.

Twenty or so years have passed; enterprise computers are all connected to enterprise networks, and enterprise networks are all connected to one another through the internet. And lo and behold, there are those sneaky devices that constantly jump from one network to another (we call them mobile and personal devices).

AV solutions have adapted to many of these changes over the years. Vendors are now able to process huge amounts of files and almost automatically find the patterns that will distinguish the next AV signature update.

Pattern-matching engines have become more powerful, to accommodate the larger set of patterns, and more complex, so that they can look inside different file formats such as compressed archives. But basically, the technology remains the same: it is about looking for string patterns of previously observed software that was somehow identified as malware.

In a simple study we performed in the second half of 2012 we tested the ability of 40 AV offerings to detect a random set of malware samples collected from random places over the web. We repeated the experiment with the same set of samples on a weekly basis for six weeks.

The results were depressing for anyone who relied on AV as their primary protection for enterprise data. Only one of the products used was able to detect all samples after six weeks. None of them detected all samples in the first week.

Other parameters we measured in our study just emphasised this dismaying picture. It turned out that AV software was adapting to everything but the change in the threat model.

AV technology was effective in a world where virus coding was practiced by only a few, most malware relied on self-replication within networks, and most infections were via physical interaction.

It worked for a computing model that was end-point centric – where most valuable data always resided on a user's workstation.

Today's threat landscape is quite different. Malware variants are generated ad hoc by programs and servers all over the world and distribution is achieved mostly through infected hosts or through email.

Attackers almost never use the same malware sample twice, so a signature for a sample is already useless by the time it is created – usually hours or days after infections have occurred.
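To make the two preceding points concrete (signature engines that descend into compressed archives, and signatures that stop matching as soon as a sample is altered), here is a small string-signature scanner. It is an added illustration written for this page, not code from the author or from Imperva; the signature names, the marker byte strings and the sample files are all constructed for the demonstration and are not real malware signatures.

```python
import io
import zipfile

# Constructed signature database: each entry maps a detection name to a byte
# pattern. These markers are made up for illustration, not real AV signatures.
SIGNATURES = {
    "Demo.Marker.A": b"CONSTRUCTED-SAMPLE-MARKER-A",
    "Demo.Marker.B": b"CONSTRUCTED-SAMPLE-MARKER-B",
}


def match_signatures(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of all signatures whose byte pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_blob(data: bytes, signatures=SIGNATURES, depth: int = 0, max_depth: int = 3) -> list[str]:
    """Scan a file image, descending into zip archives up to max_depth levels.

    This mirrors the 'look inside compressed archives' capability mentioned in
    the text: a pattern hidden inside a nested zip is still reported.
    """
    hits = match_signatures(data, signatures)
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Bound the decompressed size so a crafted archive cannot
                # exhaust memory (a classic weakness of archive-aware scanners).
                if info.file_size > 16 * 1024 * 1024:
                    continue
                member = zf.read(info)
                for name in scan_blob(member, signatures, depth + 1, max_depth):
                    hits.append(f"{name} (in {info.filename})")
    return hits


def make_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from a {filename: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Run the scanner over constructed inputs and return the hits per case."""
    # Constructed "sample": an innocuous byte string carrying marker A.
    original = b"header\x00" + SIGNATURES["Demo.Marker.A"] + b"\x00payload"
    # A "variant" in which part of the marker differs. From the article's point
    # of view it is the same program; for the string signature it is a new file.
    variant = original.replace(b"MARKER-A", b"MARKER-Z")
    archived = make_zip({"inner/sample.bin": original})
    nested = make_zip({"outer.zip": archived})
    return {
        "original": scan_blob(original),
        "variant": scan_blob(variant),
        "archived": scan_blob(archived),
        "nested": scan_blob(nested),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:9s} -> {hits or 'no match'}")
```

The original sample and both archived copies are detected; the variant, which differs only in a few bytes of the marker, produces no match at all. That gap is exactly what the per-victim sample generation described above exploits, and it is why the `max_depth` and size limits in an archive-aware scanner matter: the engine has to do more and more work per file while the signature it is looking for grows less and less likely to match.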

However, this is not the saddest thing that could happen to AV software; BYOD and the unmanaged end-point are. As if it were not bad enough that AV software has lost its effectiveness for managed devices, it has inherently no value for unmanaged devices connected to the network.

Today, most of a business's valuable assets are not tied to a specific end-point but are stored in a datacentre – physical or virtual.

Modern security products operate on the basis of an assumption that some end-points within the organisational network have been compromised by malware. Some try to identify infected machines within the network and some try to mitigate the effect of such compromise by protecting the data repositories.

At times, such products even interact to quickly isolate infected machines from sensitive data repositories.

AV has served us well for 20 years but it's time to say goodbye and move on. Enterprises must repurpose large proportions of their AV budgets.

I wonder, though, what the next security technology we need to retire might be.

Amichai Shulman is chief technology officer of Imperva