Antivirus Software - Modern Snake Oil?
Blog Security

Antivirus Software – Modern Snake Oil?

In the Wild West, "Clark Stanley's Snake Oil Liniment" promised to be a medication for many diseases - and turned out to be completely ineffective. Since then, snake oil has stood for expensive, useless products - just like today's antivirus and malware solutions?

In the IT security scene, the discussion about the effectiveness of antivirus products is an ongoing hot topic. She was recently inspired by comments from Robert O’Callahan, a former Mozilla developer, and Justin Schuh, Director of Chrome Security at Google. They claimed that anti-virus solutions are often a stumbling block to developing safer browsers and may even reduce effective security.

They referred to Tavis Ormandy, a Google security researcher who had recently discovered vulnerabilities in some antivirus solutions. However, the affected manufacturers fixed them so quickly that even Ormandy praised the speed. However, O’Callahan went as far as advising users to uninstall their anti-virus solution in a blog post!

With malware, it’s not that simple

In addition, there are numerous studies of varying quality available online to prove that signature-based solutions achieve malware detection rates of only 30 to 40 percent and extrapolate that the gain in security is marginal at best. It is undisputed among security experts that purely signature-based malware detection alone does not provide sufficient protection, especially for interactively operated desktop systems, where web surfing and e-mail remain the most important infection vectors.

The sheer number and high volatility of malware located “in the wild” is simply too high. It is also true that simple pattern matching procedures fail in complex malware with mutating, polymorphic code due to the concept.

But it is also a fact that the majority of malwares do not display such a high degree of complexity. Furthermore, it does not do security vendors justice if modern virus scan engines are reduced to pure pattern matching. All providers have long since expanded pattern recognition with heuristics, numerous decoders, whitelists and variant detection to such an extent that even for “custom” malware it is becoming increasingly difficult – albeit not impossible – to remain undetected.

A disservice to regular users

Allow me to make a comparison to show that PR-effective, provocative statements, such as O’Callahan’s, are a disservice to regular users. It should be clear that a normal cylinder lock does not prevent an experienced burglar from breaking into a house. If, from the burglar’s point of view, the prospect of the loot justifies the risk and effort, the said lock will be a hurdle, but one that can be overcome.

This fact does not justify, however, not having a lock on your door at all and reduces the effort for the burglar to virtually zero and shifts the cost-benefit calculation for the burglar in favour of the burglary. Likewise, systems without antivirus protection become the point of least resistance for attackers and evoke attacks.

No easy way out

Under no circumstances should security vendors, whose products do not meet the requirements of secure software development, be protected. Here, customers have to call upon the manufacturers to fullfil their responsibilities.

With their purchasing decisions, they have a considerable lever to demand improvements and quality from those manufacturers who want to secure their share of the enterprise endpoint security market (according to Forrester, a market volume of 5.9 billion US dollars annually until 2021). Nor do I think that signature-based malware detection alone is sufficient to comprehensively protect every type of endpoint against malware.

However, I do believe that modern anti-virus protection must remain an integral part of any serious multi-layered security strategy for the foreseeable future. These solutions are the only line of defense where malware is not executed but merely stored. This means central distribution points in the company network, which are accessed by numerous internal and external users – such as storage, document management and last but not least SAP systems!

E-3 Magazin (German) May 2018

About the author

Joerg Schneider-Simon, Bowbridge

Joerg Schneider-Simon is CTO of Bowbridge Software, a developer for cybersercurity solutions for SAP applications.


Click here to post a comment

  • This article is providing for all the new users or mostly for the beginners so that they can make effective access on such paid or as well as free based antivirus software in their Windows-based systems.

  • I think till now antivirus has not given us proper protection and it is still very difficult to remove malicious contents from the rootkit.

  • Pretty unspecific text to a problem that is as well very broad and not easy to sum up in a short text. Thus, a headline like this clickbates people in IT Security awaiting alternatives to classical AV solutions as well as a more fundamental knowledge of the security landscape nowadays.

    There are ways to secure networks with less perfomrance driven solutions like Heuristics, AI and other buzzword heavy software. The trend is to combine simpler concepts to unclutter a security landscape no one can tell who it really works and what it does.
    Meaning that combining approaches like traffic analysis that closes the gap a firwall approach leaves in network traffic and detects anomalies in that traffic a passive approach like a firewall simply can’t. Furthermore application whitelisting as primarily AV to exclude attackers by simply not knowing the thread is far more effektive, secure and less performance driven than the monsters that virus scanners became latly. Mixing their original focus with more and more add ons to stay relevant.

  • It depends on the software you are using. Some anti-malware software will work for both, some doesn’t. That’s because viruses are a specific form of malware. It never hurts to check with your vendor to see what kind of protection you have.

  • Is there a need to have both antivirus and anti-malware software installed? It seems that both are preventing intrusions and file infections from spreading. Is that correct?

Sign up for e3zine´s biweekly newsbites

Please do not use administrative mail adresses like "noreply@..", "admin@.." or similar as these may get blocked for security reasons.

We use rapidmail for dispatching our newsletter. By signing up, you agree that the data you have entered will be transmitted to rapidmail. Please take note of their terms and conditions and privacy policy.termsandconditions.

Our Authors