AV is Not Dead

Recent stories in the news imply Anti-Virus (AV) is dead.  A longtime staple of security managers and consumers, AV and, more broadly, anti-malware products are a pillar of the security industry.  Could all our investments, preconceptions, and efforts be worthless?  Rest assured, the sky is not falling.  The “Anti-Virus is worthless/dead” mantra has been around for years.  Yet the anti-virus/malware industry is alive and thriving, with good reason.

The world of computing is a dangerous place.  Client systems, such as PCs and more recently smartphones, are under constant pressure from new malicious software.  To date, about a hundred million different specimens of nefarious code are in the wild and ready to pounce on their next victim.  Those numbers continue to increase, with tens of thousands of new malware samples emerging daily.

Most of the security industry embraces anti-virus/malware protections resident on their devices, to resist the persistent onslaught of malware developers.  Even consumers, typically not savvy in security matters, recognize the value of AV in protecting their devices and data.  In most managed environments, anti-malware controls are leveraged across the networks and back-end servers, in addition to client systems.

Over the years, a very small community has voiced opinions that AV is dead or worthless.  They hold the position that client-based anti-virus and anti-malware are ineffective at protecting systems.  They run tests against small samples of new malicious code or show how some systems still get compromised even when benefiting from AV products.  Year over year they speculate that traditional AV methods can’t keep pace with the increasing volume of malware being introduced and are on the verge of collapse.  Like doomsday predictions, they keep coming.

I believe this is an extremist position and in many cases, putting forward a misleading straw-man argument.  The false-logic goes something like this:

  1. Longstanding position of the security industry: Anti-Virus/Malware provides important protection of systems against malicious code.
  2. False-logic counter argument: Anti-Virus/Malware does not provide total protection and a system could be infected with malicious code, therefore AV is not worthwhile and dead (or soon will be)!

Don’t fall for the hype.  Here is the real scoop.  Anti-virus/malware solutions are one of many different security controls.  They are not an impervious shield, and neither is any other protection a perfect solution.  These tools do provide a great deal of protection but should be used in combination with other controls.  In security parlance, this is called Defense-in-Depth.  No one tactic or tool will suffice.  The attackers are just too many and too smart for a single control to work across the board for any meaningful period of time.

More reasonable people in the past have also weighed in on the value of AV, and in some cases they have chosen to rely on other compensating controls.  But their message is different from “AV is worthless”.  They see AV as one of many different options which can manage security risks.  They are savvy enough to choose the right set of interlaced solutions which achieve the desired level of security for their specific computing environment.  This can be misconstrued when it is not understood.  In the end, they are still applying a defense-in-depth methodology.

Why would a security professional choose not to deploy Anti-virus/malware on clients?  Well, in some delicate, isolated, or sensitive environments AV may not be a viable option.  Products may not support the hardware, software or operating systems, be cost prohibitive, invalidate system or maintenance warranties, or be unacceptable from a performance perspective.  Instead, other security controls may be employed which compensate for this deficiency.  As far as I have seen, these tend to be limited to small parts of corporate environments.  For most systems which connect to large networks and the Internet, anti-virus/malware makes practical and economic sense.

Evaluating controls and implementing the right combination has been at the very heart of computer security from inception.  Time and again, anti-virus/malware has been chosen as a valuable contributor to the mix.  This will likely not change in my lifetime.  Rest assured, akin to what Mark Twain said, I say the death of AV has been greatly exaggerated.

Time machine sampling for the “AV is dead” concept:
2012 report: Antivirus Software a Waste of Money for Businesses, Report Suggests
2012 article: Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results
2010 article: Is Anti-virus Dead – The answer is YES. Here’s why…
2009 article: Experts only: Time to ditch the antivirus?
2009 venerable Bruce Schneier’s blog: Is Antivirus Dead?
2008 article: Signature based antivirus is dead: Get over it
2007 article: Is desktop antivirus dead?
2006 white paper: Anti-virus is Dead

And finally, here is my own blog post from 2010 showing hard numbers of effectiveness for AV: The Hard Truth of Anti-Virus.

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.