Security News Endpoint Security: Is Anti-virus Dead?

omidomi

Level 71
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
More and more, the question being asked about endpoint protection and anti-virus isn’t “Who should we use?” but, rather, “Do we even need anti-virus anymore?”

Traditional anti-virus refers to those anti-virus-focused clients that used to be commonplace, like Norton and McAfee. While that method of protection worked in the past, the efficacy of it is starting to decrease, and that’s why some new vendors are arguing that, overall, anti-virus is dead.

The Anti-Virus Past

Traditional anti-virus safeguards from known viruses and known malware. From a process level, every anti-virus has a unique signature or fingerprint. If you run a piece of malware or a virus through a cryptographic hashing process, it generates a new fingerprint, and the anti-virus software keeps a database of all of those fingerprints. If it sees something like a Zeus or any other virus, it says “I know what you are” and it blocks it. The problem is that each and every very time you change a virus’s source code, even by one character, it generates a new hash or cryptographic signature, which has to be updated and distributed to the endpoints.

So, now it has to store 1,000 fingerprints, then 10,000 fingerprints, then 100,000 fingerprints … As a result, that database on your local machine gets bigger and bigger and bigger. So where the original anti-virus client may have been just 10 megabytes, now it’s 100 megabytes, and it constantly has to update that database signature.

All of this is even more difficult now, not only because there are hundreds of thousands of database signatures, but also because there are polymorphic viruses that change their own code. It’s just an arms race between the virus and the anti-virus. We beat them, they beat us--it goes back and forth.

A Two-Fold Problem

Anti-virus manufacturers made good strides in offloading the databases and storing most of the signatures up in the cloud. The anti-virus would identify something suspicious, search the Internet, then come back and say whether or not it was a threat. That, however, is processor-intensive and memory-intensive, and it takes time, even with the speed of the Internet.

The problem doesn’t stop there. Because of the growing sizes of anti-virus programs, the impact on endpoint security is becoming bigger and bigger. If you look at some of the usual suspects, a lot of times the cure is worse than the disease: Your anti-virus is so big that your machine does nothing but constantly scan files for anti-virus.

What Now?

The shift is now to next-generation endpoints. There are really a finite number of ways (around 13 to 15) to compromise a Windows machine. However, there are n number of variables on those vectors. So, what “next-generation endpoint” manufacturers are doing is watching the behavior of software. If the software only has to watch for a smaller number of different processes and behaviors, then that’s much more efficient--it doesn’t have to scan every file, just track that behavior. As a result, if it can block one of those attack vectors, it can shut the whole problem down in advance.


Is Anti-Virus Dead?

Today, there are some manufacturers that will tell you that anti-virus is dead. While traditional anti-virus may not quite be dead, some would say the funeral isn’t far off. The next-generation endpoint security market is a fast growing one, and there are tons of services attached to it for customers and partners who want to get into it.

Where this really comes into play is with virtualization. Traditional anti-virus on virtual machines tends to be very problematic due to limiting factors such as disk contention, memory overhead and CPU bottlenecks.

Since Windows machines are used by 90% of the world, they’re the biggest target. However, mobile phones, other mobile devices and Macs are becoming more and more prevalent. Everybody has a mobile device, and they’re too small to run full anti-virus on, so we’re seeing a lot of small malware. This is where next-gen endpoint will really come into its own in the near future. Partners who are educated about, and able to deliver solutions around, next-gen endpoint will be ahead of the curve.

With the combination of malware analytics, application visibility firewalls, SSL decryption, security analytics suites and cloud access service brokers (CASBs) coming more into play, we can actually start watching who’s doing what, where they’re going, should they be talking to this, should they be talking to that … As we keep saying, it’s defense in depth--you can’t rely on any one thing. So, as cool as malware analytics and the new malware pieces are, they are still part of an overall security strategy that needs to be developed.
 
H

hjlbx

Signature-based detection will not die anytime soon:
  • There is a massive industry infrastructure built to develop and support signature detection
  • There is no industry-wide accepted replacement for signature detection
  • Signature detection is the easiest protection model for typical users to understand, learn and use - and that is of paramount importance to the industry
Signature detection isn't dead, but it sure is a problematic protection model.
 

Aura

Level 20
Verified
Jul 29, 2014
966
Signature-based detection will not die anytime soon:
  • There is a massive industry infrastructure built to develop and support signature detection
  • There is no industry-wide accepted replacement for signature detection
  • Signature detection is the easiest protection model for typical users to understand, learn and use - and that is of paramount importance to the industry
Signature detection isn't dead, but it sure is a problematic protection model.

And you need something efficient to take care of malware, viruses, etc. that aren't 0-days and legacy ones.
 
D

Deleted member 2913

I like Comodo protection model...decent signs + autosandbox + whitelist And with CCAV, options like "run only safe programs", "alert for unknown", promising Valkyrie.
BUT the prob..."not organized" And this is the reason for all their probs like bug fix, no timely release, direct releases without public beta test, talk & talk & no results, some forum mods prob, their bug report format, their "autosandbox", "default deny" chanting for everything by everyone including the CEO, etc..., etc..., etc...
 

Mohan Rajan

Level 2
Verified
May 7, 2016
85
The only defenses are typicaly Signatures and HIPS. Now if we do away with traditional signature based protection, then we would have all kinds of malware and nasties on our systems before we realize it.
This would not only slow down our system but also cause the HIPS to overload.
We would then have to spend time deciding whether to allow or block each and every activity that HIPS determines to be suspicious.Remember that most actions that are deemed to be suspicious are caused by both normal as well as malware.
Further, this would lead to Click Fatigue and we would end up allowing malware at some point to infiltrate our system.
In trying to defend our systems from zero day threats are we going to leave our systems wide open to known and existing malware?
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Not chance signature based detection will go away anytime soon, Although it misses lots of zeroday stuff it still covers you against a vast majority of threats.
That's why many vendors now use to pair it with cloud detections, what I think is a great idea as long as you have internet connection. So as you said, protection will be gone without internet and offline signatures, so they will not die anytime soon (hopefully).
A good HIPS / BB improves the whole package to some non-neglectable extent, too.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
I like Comodo protection model...decent signs + autosandbox + whitelist And with CCAV, options like "run only safe programs", "alert for unknown", promising Valkyrie.
BUT the prob..."not organized" And this is the reason for all their probs like bug fix, no timely release, direct releases without public beta test, talk & talk & no results, some forum mods prob, their bug report format, their "autosandbox", "default deny" chanting for everything by everyone including the CEO, etc..., etc..., etc...
I love the level of protection Comodo has once tweaked too, auto-sandbox lone is amazing. If they had a better AV I'd use the full CIS, but their AV is shockingly bad.
 

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
I would opinion-ed it as "not dead" but "going to be dead".

Here are my thoughts:
Antivirus (AV) still have its market all along due to consumer's preferences and to a certain extent society influences that AV still able to protect your system. This can be observed from a typical household when the family members aren't really IT-knowledgeable person; thus relying on advertising (social media's influences) or through peers/ salesman. Possible root cause would likely be the level of understanding in cybersecurity or broadly speaking the world of internet. As long as the demand is there, supply will surely stayed afloat.

However, as education improves, more (school)kids and teenagers are being exposed to computers and internet more. Hence their sense of security needs are heightened. They would want to seek more than just AV. As time goes by, they would realise they loopholes from an AV and then possibly look for a better one. Probably that's where it's getting demand lower. This can be seen through a trend since 1990s where AV is a favorite choice of security and as years goes by, more and more security softwares emerge and AV is being bundled into a more robust security packages. I believe in the next 10-15 years time, AV could slowly dinished and a new security type would emerge (LV, AE, etc).
 
L

LabZero

So many years that there are discussions about signature-based AV are dead or dying..

But even today, the majority of the AV uses signatures as a primary technology.

It has many limits, simple techniques allow you to bypass AV signatures. Many malware are simply recycled with these techniques, so one detected sample, when modified, becomes signatures FUD.

Some of them:

During malware coding unnecessary bytes are added on an executable (instruction NOP = No Operation).
By adding these bytes, also some of the strings of control (CRC and MD5) that are used by antivirus software to recognize malware, change.
In most cases, then you'll get an executable undetected by anti-virus but operationally identical to the original.

Change String: replace in the file one string (Search for) with another (Replace with).
This is useful to mask the file to many antivirus that will recognize a file according with some strings that are contained in it: so no detection.

Some detected malware become undetected if converted in VBScript (Visual Basic Script) that can be run from Windows.
In this way, the signatures used by antiviruses, become useless and the file becomes invisible to them.

Packed executables (using a modified version of UPX) maintain full malignancy, and compression often involves the invisibility to antivirus that do not support the scanning of files compressed with UPX or modified UPX version.
In the case if the antivirus can also scan compressed files, this option makes it indecipherable UPX headers so the file will not be unpacked and therefore more disguised.
In order to use this option, the file is already compressed in UPX (for example with the feature Pack).

And many other techniques...

The signatures have many limitations, but they offers a great advantage: detect the malware before its execution, increasing the chance of detection in a secure way.
When a malware is FUD by signatures, then the big players are: behavioral technology, HIPS and whitelisting and around here it is necessary to work.
 
R

Ramona

Because the AV was never intended for protection, the AV was for removal and because of that, it will never protect you. This is why they started adding BB, HIPS,DD and so on.

Now, is endpoint security us AV dead, YES! (as Network Administrator I see it often).
 

NekoHr

Level 3
Verified
Well-known
Feb 5, 2016
139
First thing with articles like that is that you need to define what AV is for you. Is Norton from 10 years ago AV? Is Comodo with HIPS and Sandbox AV? Tomorrow some new technology, also AV?

Pure signature based (what most of these articles mean by AV) is not enough but there are less and less pure signature AVs. Most of these articles are marketing. Remember Spohos a while back: "Antivirus is dead"; and than they go to sell new and improved antivirus.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
When my uncle was incharge (before retirement) they used Kaspersky Endpoint, Kaspersky DDoS and Kaspersky Fraud Prevention and they never had a single virus, I as it was a big company they had a dedicated Kaspersky manager 365 days of the year. His son wants to now also include Kaspersky Anti-APT - it's kinda cool learning from him/IT guys, gives you big tips/info.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top