Anti-virus is Dead!

Stand-alone, signature-based, anti-virus is dead. The stand-alone anti-spyware market is over too, if it even existed!

Signature based AV isn’t protecting anyone anymore, it certainly wasn’t providing any protection against spyware or some of the nastier threats that have popped up recently. It didn’t stop blaster, or sasser, or slammer, it did nothing to help choicepoint, or the VA or the orgy of disclosure we have all become numb too. It was running happily along, updated and content on my mom’s machine when it turns out her Windows XP box was infected with some pretty nasty bits.

It offers limited protection against bots and their ability to detect rootkits is nearly non-existent. It can’t constrain the end-points, it doesn’t allow port or protocol blocking, it doesn’t protect data from theft, it does almost nothing to improve the security of the systems it voraciously consumes the resources of. It always seems to impact the performance of my, I mean my kids, video games. It is usually the first thing listed to turn off in the troubleshooting guides of 3rd party applications. It has become a vector of attack and hackers have shown increasing cunning in using AV product flaws as a launching point for attack, the AV vendors have also done a good job of breaking their own stuff too though, with bad dat signature files even.

Of course it is still a billion dollar industry and growing, and licenses will continue to be renewed, but this market is a changing since I worked on McAfee AV for Windows 95.

So what happens next?

Well AV becomes part of a converged security client, offering multiple capabilities including anti-spyware, personal firewall, and intrusion prevention as the foundation, which I have talked about (here). Of course this has already begun and the AV guys are shoving more and more technologies onto the desktop, including data leak prevention, end-point policy enforcement, patch and configuration management. They bundle it under some uber-agent, while the individual executables are fighting to claim your system resources. They offer some half-baked management console, slap a new coat of paint on some recent acquisitions, and complain anytime Microsoft attempts to improve their security if it in anyway affects their sacred AV cash cow.

Enterprises will still need to invest and deploy AV, but more out of a sense of fear than because they believe it is offering value. Organizations with mature IS departments, ones that are type A in their technology acquisition and process development, have already realized that AV is dead and are looking to strategically address client security in a new world. It includes a signature component, like AV, but it certainly will not be the cornerstone of end-point security for very much longer.

What should organizations do?

1. Spend less, demand more. Consolidate spending on multiple client solutions. Do not pay the same price for AV this year that you paid last year, ask for more security and operations function, but do not pay more. Demand more cow-bell! (here) – centralized management and administration becomes one of the key evaluation criteria.

2. Rip out your incumbent if they aren’t providing value, I did a study at Gartner and the costs of switching out an incumbent AV vendor is far less than people realize. I know my current company (here) can do it for your entire enterprise in about 5 minutes.

3. Security and operations are converging at the desktop and servers, look for operations vendors to provide more security functions. They generally have stronger systems management, centralized administration and scalability than the security folks.

Bottom Line: By the end of 2007 stand-alone AV will be dead, d-e-a-d, dead! Organizations need to evolve their client security programs or expect to see increased costs as the number of agents continues to rise.

17 thoughts on “Anti-virus is Dead!

  1. Well, I’m not completely with you? Why should I have one Security Suite, containing all the stuff, from Firewall to IPS to AV? Then why not have ONE Software for all my work, or ONE Operating System that cares abou all that stuff? Of course, its a good Option to have all that in one package, but the basic approach of gluing all this together with different products is also there…and in my eyes, both solutions are eqaul, all depending on the implementation.
    By now, I don’t know one package fitting all these tasks. While, for example Checkpoint, clams to do Anti Virus, and claims to do IPS /IDS, these solutions can’t compete with a specialised product.

  2. I believe what you are saying is that the suites do not offer the same level of value as the point solutions, essentially you are making the best of breed arguement?

    The problem is since the number of technologies required at the desktop has increased since the late 90’s most organizations have significant challenges centrally managing all these disparate agents, so central management and administration becomes an evaluation criteria higher than how many viruses in the wild does the AV component stop.

    Also you mention the potential for ONE agent or piece of software that does it all, that would be great but it doesn’t exist, it is just a bunch of individual agents obfuscated by a single install path.

  3. I think we should difer between enterprice and home users needs, especially when it comes to central management. (wich is a total must have for a enterprice solution with more than a handfull of users)…

  4. Very good point and my bad for not making that distinction. The needs of the consumer market is completely different than the enterprise market…consumers couldn’t care less about centralized management. They are driven by price.

    So if MS has AV in the OS or it is a service delivered through an ISP like comcast, AOL, earthlink or yahoo than customers will not pay for AV, it essentially becomes free – the upsell will come from offering solution packages that proviide update of system configurations, patches and updates such as One care. But you can only charge for this type of service for so long before it becomes commodotized and free to consumers.

  5. It often bothers me when people use absolute terms like “dead”. For example, firewalls are dead, right? Are you going to run without one? No. It just means it’s less valuable, stops a smaller percentage of what you hope, and frankly, is a commodity. And to reiterate, that’s “commodity”, as in you WILL have one, and you will have to find something else to get you ahead of the curve.

    There’s nothing wrong what traditional AV does, and it does what it always did. It has a known list of viruses, can disinfect files with known viruses, and can block filesystem access of known viruses. AV has always blocked viruses as of maybe a week after they are released. The differences is of course that you don’t have a week anymore. AV never protected you from new viruses, and someone always had to be first.

    Does that mean AV is useless? No, of course not. (And I understand you’re not really trying to say that, but I’m spelling it out.) When is it still useful? So, assume for sake of argument that you figure out based on some observed behavior that you’ve got a virus. What do you do? You go after the AV. And if you’ve already been infected, then you HOPE it’s been a week, and it gets identified properly. Nothing is more helpful for disinfecting a machine than knowing exactly what virus you’ve got.

    What am I getting at, as it related to your overall point? I another option besides kitchen-sink-style endpoint software. I see room for stripping down to a lean-and-mean virus scanner ONLY. Which we can then manage with a real heavy-duty management infrastructure. (For those who don’t know, I work at BigFix with Amrit.)

    You know what many people hate about AV software? They hate how deeply it insinuates itself into a Windows box. They hate all the bells and whistles they don’t want, that cause problems, and that open security holes. They hate AV license management. They hate the conflicts that more than one heavy end-point package will have with another. And so on.

    You know what AV people are good at? Ripping apart viruses and writing signatures to detect them. How about if they stuck to their core competency, and sold an inexpensive version that did just that? Heck, if it were light enough, customers might get two to get better coverage.

    I’d kinda prefer to see that, than a single piece of software making a failing attempt at doing a little of everything.

    And of course, we will manage them all, since that’s what BigFix does better than anyone else.

  6. There is one big difference between firewalls and AV (well there are many, but for the sake of this debate I will focus on one)

    Firewalls do not affect my environment in a negative way – AV does. AV is like a giant pimped out hummer slamming down the highway at 3mpg. AV is the reason we are in Iraq. AV is a resource hog, conflicts with all sorts of other applications, and requires constant care and feeding (new dat files) to be even remotely effective. Organizations struggle with managing 80,ooo instances of AV vs. a handful of firewalls.

    Also firewalls still block basic stuff smacking against your network. I haven’t actually seen my AV product detect a virus in years – although, even with up to date engines and dat files, I have still found malware on my windows boxes.

    I do agree that AV needs to have a lightweight engine, and I would prefer that to a single piece of bloatware half-assing various functions.

  7. Hey AV and other tools are always and will always be re-active rather than pro-active by nature of the product and disease. I mean no one is a Hodini at the popular compianies who protect. I mean unless there’s a conspiracy out there to infect, trojan, mal, worm and bot and steal ID’s by the companies they can’t possibly antisipate every bad thing. I found the article to be of interest.

  8. Pingback: » ‘Storm Worm’ surge exposes AV deficiencies | Zero Day |

  9. Pingback: The AV Industry Sucks! « Amrit Williams Blog

  10. Pingback: The 11 Worst Ideas in Security « Amrit Williams Blog

  11. Excellent than others
    After trying out for all antispyware software’s available in market I finally switched on to
    search-and-destroy which helped me to remove dangerous Trojans stalling my computer for several days……you too go for it …..It works.

  12. Pingback: Is Anti-Virus Dead? « Aggressive Virus Defense

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s