Is antivirus worth the investment?

Antivirus is at best a sticking plaster – we need a better approach to dealing with malware.

Only 8% of European companies plan to decrease spending on antivirus (AV) in 2013, compared with 21% that will increase their investment in this area, according to a recent poll by Computer Weekly.

This is a worrying trend, because some types of AV can actually cause more harm than good. This notion is not new, and the ineffectiveness of signature-based AV in particular has received substantial attention.

Signature-based AV is tackling a problem that was prevalent 20 years ago, but it is not relevant to many of today's threats.

We have seen this issue rear its head in a number of high-profile incidents. For example, in January 2013, the New York Times revealed that, following a lengthy targeted cyber attack, its antivirus software had detected only one of the 45 pieces of custom malware used against it.

But why is it so ineffective?

Firstly, for signature-based antivirus to work, a particular sample (or a close relative of it) must already have been captured and analysed, and a signature generated from it.

Take Symantec, one of the largest antivirus producers, for example. As of 28 October 2012, it maintained a database of more than 20 million signatures for its Endpoint Protection Product. Yet, according to Sophos, in the calendar year of 2011 there were 15,000 new samples a day – or 54 million new samples a year. Even taking into account heuristics – or fuzzy matching – that AV software uses in an attempt to make up this deficit (which itself is easily bypassed), these statistics do not make for easy reading.

When we look at alleged state-sponsored threats such as Flame, the picture is soured further. Companies such as F-Secure have been quite open about the fact that, while they did possess the samples in their collections, they had effectively missed them for longer than 18 months.

On top of this, security products are not always secure products. There are numerous examples of vulnerabilities in antivirus products, giving attackers the opportunity to gain a foothold in the networks they are designed to protect.

But what methods should businesses adopt instead? To provide stronger defences, businesses should reinvest money that was historically spent on AV in other areas:

  • White listing
    This ensures that only authorised software and associated components can execute. White listing is supported by most common mobile computing platforms, as well as modern desktop computing operating systems.
  • Threat behaviour-based detection
    Defines expected (good) behaviour of code, with anything outside of these parameters considered suspicious.
  • Data loss prevention and detection
    Placing more emphasis on coping with successful attacks to quickly identify, mitigate and resolve incidents.
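The contrast between the signature approach described earlier and the white listing proposed above, as an added illustration that is not part of the original article: the "executables", the XOR "repack" and the hash databases are all constructed stand-ins. A signature engine blocks only what it has already seen, so a trivially repacked variant or a custom sample sails through; an allowlist blocks everything that was not approved, including legitimate software nobody vetted, which is the operational cost to budget for.

```python
import hashlib

# Constructed stand-ins for executables: short byte strings, not real binaries.
EDITOR = b"MZ\x90\x00editor-v2.1\x00"                  # approved business software
UNAPPROVED_TOOL = b"MZ\x90\x00diskutil-v0.9\x00"       # legitimate, but never approved
MALWARE = b"MZ\x90\x00PAYLOAD:connect-back\x00"        # the one sample the vendor captured
CUSTOM = b"MZ\x90\x00PAYLOAD:exfil-docs\x00"           # custom malware nobody has captured


def repack(sample: bytes) -> bytes:
    """Simulate a trivial repack: XOR the body so no byte of the original payload survives."""
    return sample[:4] + bytes(b ^ 0x5A for b in sample[4:])


VARIANT = repack(MALWARE)   # same behaviour as MALWARE, different bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: a hash and a byte pattern taken from the captured sample.
HASH_SIGNATURES = {sha256(MALWARE)}
PATTERN_SIGNATURES = [b"PAYLOAD:connect-back"]


def signature_verdict(sample: bytes) -> str:
    """Block only what matches a known signature; everything unknown is allowed."""
    if sha256(sample) in HASH_SIGNATURES:
        return "block"
    if any(pattern in sample for pattern in PATTERN_SIGNATURES):
        return "block"
    return "allow"


# Allowlist: hashes of the software the organisation has explicitly approved.
APPROVED = {sha256(EDITOR)}


def allowlist_verdict(sample: bytes) -> str:
    """Allow only what is approved; everything unknown is blocked, malicious or not."""
    return "allow" if sha256(sample) in APPROVED else "block"


def compare(sample: bytes) -> tuple[str, str]:
    """Return (signature verdict, allowlist verdict) for one sample."""
    return signature_verdict(sample), allowlist_verdict(sample)


if __name__ == "__main__":
    for name, sample in [("editor", EDITOR), ("unapproved tool", UNAPPROVED_TOOL),
                         ("known malware", MALWARE), ("repacked variant", VARIANT),
                         ("custom malware", CUSTOM)]:
        sig, allow = compare(sample)
        print(f"{name:16} signature={sig:5} allowlist={allow}")
```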

We have observed over the past 15 years that buying products which aim to solve specific problems can be both expensive and ineffective. Going back to base principles that have been proven over time, rather than relying on a "sticking plaster" approach, is, in our opinion, a viable long-term strategy.

Paul Vlissidis is technical director at NCC Group.