Anti-Virus Software: The Game is Almost Up
By Robin Bloor, Partner
A few months ago, AV-Test.org (that's the name of the web site, by the way; the organization itself is located in Germany at the Otto von Guericke University Magdeburg) monitored the responses of AV companies to new viruses over a 3-day period. The results were disquieting, to say the least. I reproduce some of them below. The time given is the time that elapsed before the named vendor was able to post an AV signature following the appearance of a new virus or virus variant, and I list the vendors worst first:
Rank  AV Vendor         Response (hh:mm)
  1   InoculateIT-VET   29:45
  2   Symantec          27:10
  3   McAfee            26:11
  4   A2                24:12
  5   Esafe             17:16
  6   Panda             14:04
  7   Command           13:59
  8   Norton            13:10
  9   Trend Micro       13:06
 10   Dr Web            12:31
In case you are wondering, the fastest average responses came from Kaspersky (6 hours 51 minutes) and Bitdefender (8 hours 21 minutes).
Now, if you're thinking that the response time above is the time that you are exposed to possible infection from a virus, think again. The time you are exposed is that time plus the time it takes for your antivirus software to download the signature. AV companies vary as to how frequently their software updates the AV signatures. With some products, automatic updates happen only once a week. (Hard to believe, isn't it?)
The most frequent is Kaspersky Labs (every 3 hours), but with some AV vendors it is as long as 7 days. That means you could be unprotected from a virus for 10 days.
But how much protection do you need?
The Cost of Virus Attacks
Of course it isn't possible to generalize. Consider the Slammer worm, for example. It infected 90 percent of all sites that had the vulnerability within 10 minutes of release. That's right: 90 percent. The AV software was completely useless in that case. Slammer slammed it. The Slammer worm did about $1.5 billion in damage (in 2003), which is about half of the revenues of the AV industry for that year.
Other viruses don't travel so fast, so the exposure can be less. The speed of propagation depends entirely on the virus itself, so there is no easy rule of thumb. The actual cost of infection also varies; that too depends on the virus. As a minimum, of course, you will have to clean every infected PC, and the cost of doing that also varies. In general, however, the cost of a virus infection is high. According to the CSI/FBI security survey 2005, virus infection is the source of the greatest average financial loss of all IT security incidents.
So who out there doesn't have any AV technology (other than a handful of home PC users and users of Apple Macs)? Corporately, according to the CSI/FBI security survey 2005, over 96% of companies have AV protection. So most companies don't suffer from virus infection, do they?
Well, actually, according to the CSI/FBI survey, successful virus attack was the most common as well as the most expensive security breach that occurred in 2005 (and 2004 and 2003 and 2002), despite the fact that most companies had protection. It's the zero-day threats that cause the problem and the expense, and the AV vendors offer you little protection against them.
AV technology is bizarre when you think about it. Imagine that the crime rate goes up in your neighborhood and you ask the police for advice on how to protect yourself and your household and all they have to say is “Unfortunately, at the moment we don’t have the means to capture or stop these criminals. But don’t you worry, we have researchers with astronomic IQs working on the problem right now and when one of them comes up with something we’ll be sure to let you know, eventually.”
The Sane Alternative
As it happens, there is an alternative. There are three IT security vendors we are aware of, AppSense, Securewave and Bit9, whose products do the job correctly. These products don't bother creating AV signatures; they simply hold a validation list of the processes that are allowed to run: the good stuff. These products give you 100 percent protection from viruses and, as it happens, from many other security threats too.
Processes that are not on the "white-list" are prevented from running until they have been authenticated (by an administrator) or, if really necessary, they are allowed to run but only in a protected way, so that they cannot infect or damage any other machine. These products acknowledge that users may sometimes need to run a process before it can be directly authenticated, and hence they allow it, if the user insists.
Technology of this kind has only become available quite recently, but it is already proving very popular. Initially, adopters were cautious about trusting it and ran it alongside AV software. Now, however, many of the users are turning the AV software off and saving money accordingly.
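The allow-list mechanism described above, as an added example that is not code from the article or from any of the vendors it names (AppSense, Securewave, Bit9): a minimal default-deny execution policy keyed on the SHA-256 of the program image rather than its file name, with an administrator approval step and the restricted-run option for the case where the user insists. The file names and binary contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path):
    """Content digest of a program image; the list keys on this, not on the name."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

class AllowListPolicy:
    """Default-deny execution policy: only approved digests run unrestricted."""
    def __init__(self, approved_digests):
        self.approved = set(approved_digests)
        self.pending = set()  # digests seen but not yet authenticated by an admin

    def decide(self, path, user_insists=False):
        digest = sha256_of_file(path)
        if digest in self.approved:
            return "allow"
        self.pending.add(digest)
        # Unknown code is blocked; if the user insists, it runs only in a
        # restricted mode that cannot infect or damage other machines.
        return "run-restricted" if user_insists else "block"

    def approve(self, digest):
        """An administrator authenticates a pending program."""
        self.approved.add(digest)
        self.pending.discard(digest)

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: one approved binary and one never-seen binary."""
    tmp = tempfile.mkdtemp()
    approved, unknown = os.path.join(tmp, "payroll.exe"), os.path.join(tmp, "invoice.exe")
    _write(approved, b"MZ constructed approved program image")
    _write(unknown, b"MZ constructed never-seen program image")
    # Same never-seen content under an approved file name: the name buys nothing.
    spoofed = os.path.join(tmp, "sub", "payroll.exe")
    _write(spoofed, b"MZ constructed never-seen program image")
    policy = AllowListPolicy([sha256_of_file(approved)])
    results = {"approved": policy.decide(approved),
               "unknown": policy.decide(unknown),
               "spoofed_name": policy.decide(spoofed),
               "user_insists": policy.decide(unknown, user_insists=True)}
    policy.approve(sha256_of_file(unknown))  # administrator reviews and approves it
    results["after_approval"] = policy.decide(unknown)
    results["pending_count"] = len(policy.pending)
    return results
```

Note that the never-seen binary is blocked without the policy knowing anything about it, which is exactly the zero-day case a signature scanner cannot cover until a signature ships.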
The sad truth is that AV software is simply the wrong idea. Its time is over.