The term Anti-Virus or AV is a misnomer and largely misleading to those who are following the cybersecurity industry but unaware of the history of this misused term. Over the years it has become an easy target for marketers to twist into a paper tiger, in hopes of supporting arguments to sell their wares. It seems to be customary, whenever a vendor comes out with a new host anti-malware product, for them to claim “AV is dead” and their product is superior to signature matching! Well, such practices are simply dated straw-man arguments, as those venerable anti-virus solutions have evolved in scope and methods, greatly expanded their capabilities, and do so much more than just AV.
“The report of my death was an exaggeration” – Mark Twain
I have been hearing AV is Dead for years! I blogged about it in 2012 and it was already an old story, with origins dating back to at least 2006! The term “AV” was once relevant, but nowadays it is an artifact. A legacy term which describes early products and their way of protecting endpoints from malicious code. The term has survived, largely due the marketing value of end-user recognition. People are familiar with the term “AV” and it is easy to generalize vendors and products under this banner. But the technology and methods have dramatically changed and solutions no longer exist as they once were. It references quite old technology when host based anti-malware emerged to detect and clean personal computers from viruses. Back then, most of the threats were viruses, a specific type of malicious code. Those viruses were eventually joined by trojans, bots, macros, worms, rootkits, RAT’s, click-jackers, keyloggers, malvertizing, and other unsavory bits of code which could infect a device. Today we collectively call them ‘malware’.
Back when AV was a relevant term, the tools typically detected viruses by matching them to known samples. These signatures, were periodically updated and the AV tool would be run on a regular cadence to check the system for any matches. Nearly two decades ago, I can remember the weekly virus scan would consume so much of the system resources the user could not do any work. Scans could take 30 minutes to several hours to complete, depending on the settings and system. Most people would start the scan and go to lunch or initiate it on their workstation before going home for the evening. Yes, we all had desktops in those days! Not very efficient nor user friendly, but then again there were not too many actual viruses to contend with.
Yes, original AV software relied solely on static signatures and scheduled scans, but those days are long gone. Times have changed with the explosive growth, pervasiveness, and specialization of malware. Protection systems run continuously and can receive updates of the latest threats as often as needed throughout the day. Performance has improved and is unnoticeable most of the time by users. The sheer quantity of threats is mesmerizing. The total number of malware has steadily grown at a 150% annual rate and now over 400 million unique samples are known to exist. As a result, security vendors had to adapt to meet the growing challenge and complexities
Modern client based anti-malware has evolved to include a number of different processes, tools, and techniques to identify harmful and unwanted activities. It would be unwieldly to rely solely on static signatures of all 400m pieces of known malware and attempt to scan every file against the library. Computing would grind to a halt. Instead, current products in the industry leverage a host of different methods and resources to protect endpoints, finding a balance between efficacy, speed, cost, manageability, and user impact. They will continue to evolve as they always have over time (signature matching, polymorphism, heuristics, machine-learning attribute inspection, peer consensus, community reporting, cloud analysis, file reputation, sandboxing analysis, exploit detection, signature validation, whitelisting, etc.) to meet emerging challenges and customer expectations. The big players in the industry have the resources to stay at the forefront by organic innovation or through acquisitions.
New players in the industry, the wonderful startups, are critically important as they spawn and infuse new ideas which will eventually either fizzle-out or prove their worth and find their way into bigger products as companies acquire the technology. This is the history we have seen and the future we can predict, as even the newest capabilities will eventually be outmaneuvered by malware writers and someday also viewed with an eye of inadequacy.
Nowadays, when people normally talk about AV, they are really talking about is the use of endpoint anti-malware, which is not going away. There was a push many years ago to actually abandon client based anti-malware in lieu of network-only controls. The argument was simple, malware and attackers had to go through the network, therefore a focus on filtering bad traffic would solve the problem. Droves of industry pundits, myself included, listed a number of reasons why this poorly conceived stratagem was doomed to fail. Which it did. At the time, those same “AV is dead” arguments were used in an attempt to convince the public and shift users. But the fundamentals of security don’t change due to marketing and in the end, to be truly effective, a capability must exist on the endpoint to help protect it.
Even recently I see stories in the news, talking about the death of AV and how some companies are abandoning AV altogether. When in fact, as far as I can tell, they are not forsaking endpoint anti-malware but rather simply changing endpoint vendors. This may include a shift in the mix of different techniques or technologies, but still focused on protecting the host from malicious code. Practically speaking this is not really a huge deal. Change is part of adaptation and optimization, but the truth probably fails to get the desired headlines. Claiming a major transition or the death of a technology is far more attention grabbing. I see this tactic as a marketing ploy by new product companies and news outlets vying for reader’s eyeballs. It is a pity as many new innovative companies really have something to add to the market and can stand on their own merits without needed to misrepresent others. After all, the professional security community is working towards the same goal.
So I believe it is time to retire the “AV” terminology. Instead, let’s be more specific and use host or network based anti-malware or just anti-malware for short. This might limit the creativity of marketing folks who periodically dust off the “AV is Dead” stories for a few more views. Shifting away from the “AV” terminology to more accurate depictions of modern anti-malware is really for the best, for everyone.
Sound off and let me know what you think?
Intel Social Network: My Previous Posts