Is Antivirus Dead?
There have been quite a few more references in the media questioning if antivirus is dead.
I think it's still too early to rule out, but there are some disturbing new trends.
For instance, not that long ago Kaspersky was in the news for their alleged attempts to cause some competitors to create false positives for AV matches. Granted their approach was misguided. Had another company spun it in terms of using code matching, watermarks or fingerprint techniques to catch competitors stealing intellectual property it might have been received differently.
However, there seems to be something else going on that they highlighted. With several firms cooperating in security research and sites like VirusTotal that provide valuable services matching basically MD5 signatures to files, it seems like there are a lot of folks now taking advantage of the IP (intellectual property) of real security players proving valuable services and getting a free ride via the research of others.
Have we digressed to a point where we're really just matching MD5s to filenames? I hope not and certainly there are real contributors out there providing real actionable intelligence to the community via various forms of sandbox techniques to discover and report real zero day malware.
At the same time others are saying antivirus is dead, but the threats at the endpoints persist and while some claim new techniques for finding threats via advanced endpoint protection techniques focusing on common and pervasive vulnerabilities, I have concerns such as:
- They don't embrace all desktop platforms
- They generally don't address mobile and certainly not all mobile platforms
- They focus on the last CPU or last device protection (that's risky)
- They may protect against new threats, but do nothing for already entrenched threats!
- They cannot detect data exfiltration from existing threats or other methods
- They don't detect changes to the underlying file system (e.g. FIM - File Integrity Monitoring)
Additionally, old school techniques are being used in APTs and zero day malware to use macros, files, scripting etc. and they are quite effective.
Antivirus is somewhat dated and I question the validity of a lot of firms in the business, but it's still very necessary. However, in and of itself, it is ineffective and inadequate.