Home / Blogs

Is Anti-Virus Dead?

Each SANSFIRE, the Handlers who can make it to DC get together for a panel discussion on the state of information security. Besides discussion of the hot DNS issue, between most of us there is a large consensus into some of the biggest problems that we face. Two come to mind, the fact that “users will click anything” and that “anti-virus is no longer sufficient”. These are actually both related in my mind.

Users will Click Anything

Some studies show that the success rate of a well-formatted phishing attempt can garner about a 10% click-through rate. However, with targeting techniques, such as using what would be expected to be legitimate content in a phishing attempt this can go upwards of 80%. An example, if you got a random PDF file from someone named “fbtgsertgrwetgfe” with the Subject “Angelina Jolie NEKKID!” you would most likely not click on the e-mail. Even better, your anti-spam solution might even filter that message. However, if you got a PDF file from your CEO with the subject “Important Changes to Health Care Plans”, you would likely take a gander. The better targeted a phishing attack, the more likely even savvy people get infected. It isn’t even necessarily targeting via email that can be widely successful. How many of you add every facebook application that gets forwarded to you without even bothering to do any examination of the content?

However, the fundamental problem behind this isn’t so much that users will click anything, but that whatever the user says goes. Or, to put it another way, we tend to operate desktops under the principle of most privilege. How many of you allow your users administrator rights in the workplace? At home, everyone has local administrator. This allows the “bad guys” free reign. If you look at the development of the various phishing kits, they aren’t really high tech. For them, its lather, rinse, repeat all day long. The real development of malware tends to be on the command & control side, the phishing kits, web sites and to a lesser extend, the droppers, don’t seem to be evolving all that quickly. They simply don’t have to evolve fast, what they do keeps on working.

Is Anti-Virus Dead?

“I can’t get infected by malware. I have anti-virus!” The absurdity of that statement needs no explanation at this point. This has led to people considering anti-virus a dead technology because it is always one-step behind attackers. This isn’t necessarily untrue, but anti-virus by its very nature is reactive… it will only block against known threats. Additionally, anti-virus signatures are essentially public. Any number of resources exist to scan your malware to see if it detects. In short, you know ahead of time if you have the first ~24 hours of free reign. If you target your attack, you can have far longer because you have a higher potential of floating under the radar and getting your bad bytes captures by the AV guys and/or security researchers like us. AV, like all reactive technologies, suffers from the “First Win problem”. It isn’t so much that they are “one-step behind”; it is that fundamentally it can never be ahead of the attackers.

Does that mean AV solutions should just be chucked? Of course not. AV is a “90% solution”, it still does protect against known threats. Is it sufficient? No, but it also never has been sufficient. Blacklisting technologies are far more effective when combined with whitelisting technologies. For instance, the combination of AV protection with a good perimeter firewall brings you a little farther down the road of security. While there is a debate on whitelisting vs. blacklisting technologies for binaries, a good step would be to start digitally signing binaries and go to a “bayesian” method of determining risk. Not perfect, but better. Heuristics would also be another good step (although heuristics is still basically a blacklisting technology and reactive).

What Now?

So how do we protect ourselves from malware? That’s the million dollar question but here are some suggestions. Please send in your feedback for a follow on post.

  • We need to shift our paradigm in what we protect. We ought not to primarily be concerned with protecting “machines”. Machines are a means to an end, not an end in and of themselves. We protect “information” not hardware. For instance, we simply cannot protect consumer PCs. They are inherently insecure and insecurable and it’s fundamentally unsound and unfair to expect consumers to be able to harden their own machines. We need to accommodate our electronic commerce to this fact. For instance, we assume that the “cloud” of the Internet between point A and point B is insecure. That is why we have things like VPNs; we simply bypass the problem with encryption. The same should be true of consumer PCs; we need to find ways to do commerce on an insecure system so that information cannot be stolen… or at least enough information by which we can totally jack someone’s identity. The same is true on the corporate side… we don’t protect hardware for the sake of protecting hardware. We are securing intellectual property and in that sense, we need to “redraw” our perimeter around the logical information flows of confidential data.
  • As I mentioned before, digital signatures for binaries and “bayesian” style scoring for binaries/scripts.
  • Stop operating under a Principle of Most Privilege for the desktops. In a corporate environment this is far easier. A little more difficult in an academic environment (I’ve been party to debates in academia on why we can’t do information security because it impedes academic freedom… luckily much of this has subsided, but still a problem). It is a very difficult problem at home, but there are still some things that we can do and some things that operating systems shouldn’t allow.
  • We’ve conditioned our users to operate their computers in a “button mash” method. The infinite series of “Are you sure?” messages no longer mean anything, whether it’s installing programs or getting AV warnings or pop-up windows. The UI needs to stop the information spam to unsophisticated users because the overload causes people to shutdown their thought processes in looking at it and simply mash “Next… Next… Next…”.

What else would you add?

By John Bambenek, Information Security Practitioner and Journalist

Filed Under


Perimeters Simon Waters  –  Aug 2, 2008 9:06 PM

I think there is a fundamental issue here, you can’t redraw the perimeter if the OS is compromised. You can’t make a secure channel on an untrusted system. You can try, you can have Java code that is signed, and tried to check itself in memory, and ... but ultimately if the system calls it is using can’t be trusted to do what they are suppose to it can’t know what is happening around it.

Probably the best we can do is something like my bank, which has a separate device that provides a code to authorize transactions. Thus the computer isn’t involved in the authorization process other than as a messenger. Although if someone compromised my machine there are other easier channels to emptying my bank account than trying to transfer it out of my account using my online banking facility.

I’m not sure malware is a difficult problem. Sure it is a big problem, partly due to monoculture, but as you indicate most of the problem now is in the users, and the interface to them.

The difference between corporate Microsoft systems and home Microsoft systems is largely of Microsoft’s making. Vista already moved away from the principal of most privilege in the home user versions, but it did it in a half hearted and muddled fashion.

The next step for Microsoft Windows on the technical side is to catch up with the GNU/Linux systems in terms of software distribution. My desktop patches every piece of software for which is patch is available every day, from one source of digitally signed code using one reliable method.

On the Windows XP machine I use sometimes, after it boots, Microsoft, Sun Java, Apple, Adobe, Macromedia, the antivirus program, Firefox, Thunderbird, all try and update their software with varying mechanisms, and as soon as one of these mechanisms breaks the box is stuck with the current version of that software till someone fixes the specific update mechanism (usually by reinstalling a newer version of that application manually). The end users routinely dismiss the “upgrade now” buttons as they just want to use the machine to do something, not watch software installing. Worse yet if they see a “install this antivirus update” dialog box some of them will click on it thinking it is genuine because it is the kind of thing they are conditioned to do.

Not one of these update mechanisms used on Windows is as reliable as the single one I use on GNU/Linux, even through the one I use relies heavily on volunteer effort, donated servers and bandwidth etc. The main reason being they all rely on the program being started (by the user), or starting one of dozens of helper apps when the user logs in, or IE working, or Microsoft Update (which seems to get in a mess on a regular basis all by itself), or the user entering proxy data (when behind a proxy) or entering authorization keys.

The most common method of owning a PC these days is probably out of date browser plug-ins (Flash, Real, Adobe etc….).

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC


Sponsored byVerisign

New TLDs

Sponsored byRadix