In the IT security scene, the discussion about the effectiveness of anti-virus products is an ongoing hot topic. She was recently inspired by comments from Robert O’Callahan, a former Mozilla developer, and Justin Schuh, Director of Chrome Security at Google. They claimed that anti-virus solutions are often a stumbling block to developing safer browsers and may even reduce effective security.
They referred to Tavis Ormandy, a Google security researcher who had recently discovered vulnerabilities in some antivirus solutions. However, the affected manufacturers fixed them so quickly that even Ormandy praised the speed. However, O’Callahan went as far as advising users to uninstall their anti-virus solution in a blog post!
It’s not that simple
In addition, there are numerous studies of varying quality available online to prove that signature-based solutions achieve malware detection rates of only 30 to 40 percent and extrapolate that the gain in security is marginal at best. It is undisputed among security experts that purely signature-based malware detection alone does not provide sufficient protection, especially for interactively operated desktop systems, where web surfing and e-mail remain the most important infection vectors.
The sheer number and high volatility of malware located “in the wild” is simply too high. It is also true that simple pattern matching procedures fail in complex malware with mutating, polymorphic code due to the concept.
But it is also a fact that the majority of malwares do not display such a high degree of complexity. Furthermore, it does not do security vendors justice if modern virus scan engines are reduced to pure pattern matching. All providers have long since expanded pattern recognition with heuristics, numerous decoders, whitelists and variant detection to such an extent that even for “custom” malware it is becoming increasingly difficult – albeit not impossible – to remain undetected.
A disservice to regular users
Allow me to make a comparison to show that PR-effective, provocative statements, such as O’Callahan’s, are a disservice to regular users. It should be clear that a normal cylinder lock does not prevent an experienced burglar from breaking into a house. If, from the burglar’s point of view, the prospect of the loot justifies the risk and effort, the said lock will be a hurdle, but one that can be overcome.
This fact does not justify, however, not having a lock on your door at all and reduces the effort for the burglar to virtually zero and shifts the cost-benefit calculation for the burglar in favour of the burglary. Likewise, systems without antivirus protection become the point of least resistance for attackers and evoke attacks.
No easy way out
Under no circumstances should security vendors, whose products do not meet the requirements of secure software development, be protected. Here, customers have to call upon the manufacturers to fullfil their responsibilities.
With their purchasing decisions, they have a considerable lever to demand improvements and quality from those manufacturers who want to secure their share of the enterprise endpoint security market (according to Forrester, a market volume of 5.9 billion US dollars annually until 2021). Nor do I think that signature-based malware detection alone is sufficient to comprehensively protect every type of endpoint against malware.
However, I do believe that modern anti-virus protection must remain an integral part of any serious multi-layered security strategy for the foreseeable future. These solutions are the only line of defense where malware is not executed but merely stored. This means central distribution points in the company network, which are accessed by numerous internal and external users – such as storage, document management and last but not least SAP systems!