"The Death of Anti-Virus"


Venustus
Dec 30, 2012
Here’s the abstract:

Anti-Virus is, it seems, an ex-parrot. We’ve seen so many announcements of the death of anti-virus we’ve taken to carrying black ties around with us, ready for the next one. This paper probably won’t have much impact on the ludicrously funereal tone of some commentary, but will take an informed look at the reasons most often given for the imminent demise of the AV industry and in the hope of achieving a balanced view of the present role and future evolution of malware analysis. Reports of the (near-) death of static signature detection may not be exaggerated, but anti-malware technology has moved far beyond simple signatures. We consider in depth the accuracy of some of the basic contentions that keep turning up ad infinitum in memoriam…

  1. Conclusions based on detection testing and pseudo-testing statistics
  2. Anti-virus is ok if you don’t have to pay for it
  3. Heuristic detection has gone the way of the static signature
  4. Spammed out malware is less important than targeted malware
  5. New (mobile) platforms require new defensive paradigms
Catching or blocking malware is just part of the security challenge, at home or in the workplace, and malware detection is a very different technology to what it was 20 years ago, but does that mean it’s obsolescent? We look at the three primary functions of AV:

  • protection in the form of proactive detection and blocking through a range of heuristic, reputational and generic countermeasures
  • detection of known malware
  • remediation where something is detected and has managed to gain a foothold
We contend and demonstrate that while emphasis has undergone an irreversible shift from detection by signature, to remediation of signature-detected malware, to more generic detection by technologies such as heuristics, behaviour analysis, and reputation, a complete solution addresses all those issues. AV is dead, or at best comatose: at any rate, self-replicating malware is a small part of a much larger problem, while signature detection is primarily a fallback technology that helps with remediation rather than a primary layer of protection.

Anti-malware technology moved on long ago. Customer and media perception, though, has lagged way behind. Could it be that when other sectors of the security industry, driven by commercial agendas, engage in inaccurate and at best misinformed anti-AV commentary, that they are also putting their own interests and those of the community at large at risk? Would a world without the mainstream anti-malware industry be such a good place to live?
http://www.welivesecurity.com/2013/12/19/the-death-of-anti-virus-conference-paper/

The full paper in PDF:
http://www.welivesecurity.com/wp-content/uploads/2013/12/avar-2013-paper.pdf

Nico@FMA
May 11, 2013
Static Signature Detection has always been the Achilles' heel of the AV industry.
For the plain and simple reason that a virus needs to be known, or match a signature, in order to be detected.
Dramatically limiting the ability of the AV industry.

With the introduction of Behavioral, Heuristic, Zero day and MultiCriteria analysis (MCA) scanning engines a whole new world opened up full of possibilities.
For the first time AV solutions were able to "learn" and to wipe out entire malware families, while this malware was not even known.
So it did already prove that signature based engines and scanning options were going to be obsolete sooner or later.
Also the new generations of malware are in most cases way too advanced to be detected by simple sig detect.
Talks about this have been around for the past 5 years, so I am kinda surprised that it is now a hot thing, because the ICT world knew about this a long time ago. Personally it would make scanning and the resource usage by AV solutions a lot less, due to the fact that during scanning (Passive and Active) the AV does not need to run through its database.

Fingolfin
Oct 14, 2013
The thing with signature detection is it's very solid. If a malware signature is known, it will always be detected without fail--unless it changes its code. I don't claim to know a lot about how the antivirus industry works, or even how malware works, but I think that signature detection is important because it's the fallback if the more advanced methods fail. It's like the foundation I guess, the way I'm thinking of it, but I could of course be wrong.

Nico@FMA
The thing with signature detection is it's very solid. If a malware signature is known, it will always be detected without fail--unless it changes its code. I don't claim to know a lot about how the antivirus industry works, or even how malware works, but I think that signature detection is important because it's the fallback if the more advanced methods fail. It's like the foundation I guess, the way I'm thinking of it, but I could of course be wrong.

True but not entirely true.
Signature based detection should be considered as a strict rule which specifically matches a set of codes to that of the malware source.
And this in newer versions also includes some behavioral detection methods.
But generally it's a static way of detection and an absolute one, because without releasing updated signatures the AV cannot learn.

But with modern Behavioral, Heuristic, Zero day and MultiCriteria analysis (MCA) techniques the AV can actually learn without intervention and updates from an AV service. Obviously there are limits as the scanning engines are by no means AI based lol.
So updates to their engines still take place just as often as signature releases. And they still get signature updates, BUT and here is the trick, these signatures are not absolute, which means that the AV can ADD new rules based upon its experience and encountered malware. It also has the ability to write new signatures on its own and during updates it actually releases them back to the server which will distribute new signatures with field signatures.
So generally modern scanning engines are capable of detecting and removing most of the newest malware without additional updates.
And this is an ability that static signatures do not have.
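An added example, not code from the paper or from anyone in this thread, that contrasts the two layers discussed above: an exact hash/byte-pattern signature beside a weighted heuristic scorer, run over constructed stand-in "files". The sample contents, weights and threshold are all invented for illustration; a real engine scores hundreds of indicators, but the point is the same: a one-byte change defeats the static match while the generic layer still flags the variant.

```python
# Added example: static signature match vs. a simple generic/heuristic scorer.
import hashlib
import re

# Constructed stand-ins for executables (plain strings, not real malware).
KNOWN_SAMPLE = (b"MZ\x90\x00"
                b"OpenProcess WriteProcessMemory CreateRemoteThread "
                b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                b"http://example.invalid/payload.bin")
# The same sample with one string changed, as a rebuilt variant would be.
VARIANT = KNOWN_SAMPLE.replace(b"payload.bin", b"payload.dat")
BENIGN = b"MZ\x90\x00" b"CreateFileW ReadFile WriteFile CloseHandle notepad.exe"

# Static signatures (constructed): a whole-file hash and an exact byte pattern.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
PATTERN_SIGNATURES = [b"http://example.invalid/payload.bin"]

# Generic indicators with weights (invented); one weak hit alone is not enough.
HEURISTICS = [
    (rb"WriteProcessMemory", 3),    # writes into another process's memory
    (rb"CreateRemoteThread", 3),    # starts a thread in another process
    (rb"CurrentVersion\\Run", 2),   # persistence via the Run key
    (rb"https?://\S+", 1),          # embedded download URL
]
SUSPICIOUS_THRESHOLD = 5


def matches_static(sample: bytes) -> bool:
    """Exact matching only: hash or byte pattern must match unchanged."""
    if hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES:
        return True
    return any(pattern in sample for pattern in PATTERN_SIGNATURES)


def heuristic_score(sample: bytes) -> int:
    """Sum the weights of every generic indicator present in the sample."""
    return sum(weight for pat, weight in HEURISTICS if re.search(pat, sample))


def classify(sample: bytes) -> str:
    """Cheap, certain signature hit first; then the generic layer."""
    if matches_static(sample):
        return "known-malware"
    if heuristic_score(sample) >= SUSPICIOUS_THRESHOLD:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for name, s in (("known", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name:8s} static={matches_static(s)} "
              f"score={heuristic_score(s)} -> {classify(s)}")
```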