The unwarranted war on AV products

“Antivirus software a waste of money for businesses” crows the headline of a recent story, one of many missives against antivirus (AV) software driven by an outdated understanding of how such software works. The truth is that the death of AV tools’ effectiveness has been greatly exaggerated.

Traditionally, antivirus software was powered by signatures: digital fingerprints that uniquely identify malicious files or code snippets. The AV software on a computer would receive updates of its signatures once per day or week from the AV company, ensuring it could protect the user from the latest threats. The effectiveness of an AV product was determined primarily by the number of different signatures available and how quickly they were distributed. Tools like VirusTotal arose to make it easy to see which AV tool could detect a particular piece of malware. Product testing labs and tech journalists could load up a computer with a bunch of malware files and easily compare detection rates across products.

Today, everything has changed. Malware evolves far too quickly—sometimes even on a per-download basis—for AV products to depend on daily signatures. As one would expect, most of the major vendors have responded, dramatically increasing the frequency of signature updates and supplementing signatures with new approaches. Here are a few features that have become popular in major AV products recently:

  • If you download a file, the AV product will check it against a whitelist of known safe files. If it’s not on the whitelist and it doesn’t match a malware signature, the product will analyze the file’s behavior and/or reputation in real time (either on the computer or via the cloud) before allowing it to run.
  • If your browser connects to a website/URL known to distribute malware, the user will receive a warning and/or the browser will be blocked from downloading potentially harmful files.
  • If unknown software on your computer attempts to engage in a potentially harmful behavior (e.g., installing a new add-on in your browser), it will be  blocked and/or the user will receive a warning.
  • If a web page or online ad attempts to exploit a vulnerability to install malware on your computer, the AV tool will block the attempt.

By layering several approaches (including the use of signatures) atop each other, today’s AV products protect users far more effectively than their predecessors. Unfortunately, many people, even in the security industry, are not aware of this evolution. It’s common to see articles like the one above that claim AV tools are still primarily signature based and that use VirusTotal (which only assesses signature-based detection) as a gauge of AV effectiveness. In reality, this is like assessing the effectiveness of a building’s security system based only on its window alarms, while ignoring its motion detectors and cameras. When you look at tests that attempt to simulate real-world user behavior, such as visiting malicious websites and opening infected email attachments, it’s clear that AV is far more effective than the pundits claim. A recent set of studies by Dennis Technology Labs, for example, found that products prevented infection in between 53% and 100% of cases—far more effective than the pundits claim. The range of results shows that the more important discussion is about which tools and methodologies work best. (Some other important areas of comparison are false positive rates, the tools’ impact on system performance, and user experience.)

It’s time to end the unwarranted war on AV products. They may not be perfect—nothing is—but they do continue to earn their place alongside a range of other security measures in companies and homes alike.