Thursday, March 06, 2008

The Future of Anti-virus Software?

Larry Dignan of ZDNet made a very interesting post on the ZDNet Zero Day blog about the future of anti-virus software. One thing that caught my attention was the comments of Websence CEO Gene Hodges, "Modern attackware is much better crafted and stealthy than viruses so developing an antivirus signature out of sample doesn't work".

Look, if you told me that people should stop wasting their money on stand-alone anti-virus applications then I could have agreed with you to some point. The only thing that's outdated is the term "anti-virus". Strictly speaking, the main online threat is no longer called a virus, a more appropriate term should be "malware" and it is time we started to adapt to this new term. Online threats consist of viruses, spyware, key-loggers and trojans, all residing under the common term of malware.

I understand that the term "anti-virus" is a heavily marketed term and when you mention the term "anti-virus" to computer illiterate and inexperienced users they know exactly what you are talking about, but when you talk about malware they often give you that glossy stare, you know, the kind of stare that screams: "What the hell are you talking about!" Most anti-virus applications now offer protection against spyware and other malware related threats as well, so it is really silly to keep calling them anti-virus applications, they are in essence anti-malware applications.

Scraping your anti-virus solution is reckless and plain stupid. It's just as good as saying we should stop patching the security flaws in software, leave them un-patched because the threats, exploiting these flaws, are evolving way too fast. Should we stop installing security systems in our homes because new, more advanced burglars are born each day? If you can protect your system against known threats why not do it?

It is true, malware evolves much faster than the anti-malware solutions, but known malware gets recycled on the web over and over again. Protecting yourself against a known variant means you can't be attacked by it again and believe me it is not uncommon to be attacked by the same variant more than once. This means anti-virus software still plays a vital role in your protection against malware, it also means that anti-virus software developers are still detecting new threats at a very high rate. New variants may infect quite a lot of computers before they get detected, but once the anti-virus vendors release an updated signature file to all their users, they are at least constraining the spread of the malware and preventing uninfected users from getting infected.

Scraping anti-virus solutions means systems are left unprotected, meaning that they are left infected, thus making a contribution to the processing power of bot networks like Storm. At least an infected system can be cleaned once a new variant has been detected, therefore you are pro-actively taking a bot network down bit by bit and making it harder for the malware to spread any further. Remember, an infected machine becomes a distributor for new variants of the malware. Killing a known variant means you are preventing it from mutating and spreading any further.

Improve the technology, don't scrap it. Yes, definition based protection is nearing its end, but anti-malware solutions are moving towards behaviour based detection. It is suicidal to scrap anti-malware solutions completely just because of the fast evolution of new threats. The argument that the value of anti-virus software is declining is a bunch of hogwash. Big corporations should stop putting reckless ideas into the minds of ordinary users, they should stop the throw-away-your-anti-virus-program-and-buy-our-software kind of marketing. The Internet is dangerous enough as it is, so don't go encouraging people to throw a way the only thing that's keeping the Internet from collapsing.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and assisting the Internet Community in choosing effective security software solutions.

No comments: