Is Anti-Virus Technology Dying?

I was interested to spot an item on The Register site about the “slow death” of anti-virus technology. This article, written by Robin Bloor, a US analyst (who appears to be running a one-man “anti-virus is dead” campaign) makes some valid points. Essentially it claims that AV technology is gradually dying and being replaced by far more effective “whitelisting” technology. Such technology works by authenticating the applications and executables that users can run. It’s a sound approach. So he has a good point.

Now I’m a great supported of whitelisting. If you can implement such an approach across your estate, then you will have achieved the most elegant and effective solution. And one that’s more in tune with the de-perimeterisation strategy that we’ve been promoting through the Jericho Forum. Black lists are inelegant, incomplete and can present scaling problems. But one has to admit that they’ve served us remarkably well for the past two decades. Whitelisting is the smart approach for the long-term. However, we haven’t yet experienced all of the practical management issues associated with this technology. Whitelists can also be incomplete and present one or two performance problems. The jury is still out for the time being.

And technologies can also bounce back. Many said that Cinema would kill the Theatre, that TV would kill Cinema, that Video would kill TV, etc. They all survived. Blacklisting is too useful a control to discard. It’s used in other fields of security, for example to screen new recruits to large organisations. So don’t write off AV technology just yet.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

The biggest problem with blacklists is simply figuring out how to write security policies for things that have not been seen before-pretty close to impossible. It is not well understood that preventing unauthorised access to the network is not the same thing as allowing access to the data. That is where white listing makes sense, because unknowns are denied. While I agree that blacklists should not be completely abandoned, I would say that they are part and parcel of reactive technologies, and that whitelists are proactive.
I read your post with interest but I still believe that it is all over for stand-alone, signature-based, anti-virus software. Stand alone AV isn't protecting anyone anymore. It can't constrain the end-points, it doesn't allow port or protocol blocking, it doesn't protect data from theft, it does almost nothing to improve the security of the systems it voraciously consumes the resources of. It is usually the first thing listed to turn off in the troubleshooting guides of 3rd party applications. It has become a vector of attack and hackers have shown increasing cunning in using AV product flaws as a launching point for attack, the AV vendors have also done a good job of breaking their own stuff too though, with bad dat signature files even. If anything I believe that AV will become a part of a converged security client, offering multiple capabilities including anti-spyware, personal firewall, and intrusion prevention as the foundation. Of course this has already begun and the AV guys are including more and more technologies in the desktop, including data leak prevention, end-point policy enforcement, patch and configuration management. They bundle it under some uber-agent, while the individual executables are fighting to claim your system resources. Enterprises will of course still invest and deploy AV, but more out of a sense of fear than because they believe it is offering value. Organisations with mature IS departments, ones that are type A in their technology acquisition and process development, have already realised that AV is dead and are looking to strategically address client security in a new world. It includes a signature component, like AV, but it certainly will not be the cornerstone of end-point security for very much longer.