Reports of Antivirus Death May Be Exaggerated

IT guru Robin Bloor has thrown down the gauntlet to the antivirus software industry, but the only response he’s received has been the equivalent of one hand clapping.

For months now, Bloor, a partner with Hurwitz & Associates, a consulting and research firm in Waltham, Mass., has been preaching about the demise of antivirus software. He’s even cooked up an acronym for it: AVID, for “Anti-Virus Is Dead.”

“When I floated the idea that antivirus software was irrelevant, I expected some kickback,” he told TechNewsWorld. “I expected to be contacted by antivirus companies to demonstrate to me why I was wrong, but they went silent.”

‘Boats With Holes’

He argues that the reactive approach to malware taken by antivirus software makers is ineffective.

“This is a (US)$4 billion industry that isn’t doing its job,” Bloor declared. “It’s like a boatmaker making boats with holes in them.

“The industry believes the way to deal with the problem is the way you would deal with any biological invader of the body, which is a completely wrong idea,” he contended.

What needs to be done, he maintains, is not to foil black-hat software but to only allow white-hat software to run; in other words, a whitelist versus a blacklist approach.

Labs Overwhelmed

“Viruses are executables and various computer environments allow them to run without anyone having to validate whether they’re authentic or not,” Bloor explained. “The correct solution to the problem is to authenticate the software before it runs.”

Corporations are realizing that antivirus software isn’t providing them with the level of protection they need, added Andrew Jaquith, a senior analyst with the Yankee Group.

“The traditional, signature-based technologies are simply not able to keep up with the sheer volume of malware that’s out there,” Jaquith told TechNewsWorld. “There are over 200,000 unique pieces of malware out there. Some host intrusion vendors say that number is closer to a million.

“That’s a tactic being exploited by the bad guys,” he continued. “The folks circulating spyware have taken a deliberate tactic of generating unique variations of malware in an effort to overwhelm the labs of the antivirus companies.”

Good Versus Bad

“When you consider that the average PC has maybe 50,000, 100,000 files on it, it’s becoming easier to count the number of good things than it is to count the number of bad things,” Jaquith added.

To create a secure computing environment, he maintained, traditional antivirus software needs to be supplemented with host intrusion prevention, or behavior blocking software.

Behavior blocking applications analyze what an application is doing and prevent it from executing suspicious actions.

Another preventive approach is the applications whitelist. Applications on the list are allowed to run on a computer; everything else is blocked.

“We see a lot more interest in whitelisting, as companies have more and more trouble dealing with all the different types of threats that they face,” observed Sioux Fleming, director of product management for CA.

No Substitute

While acknowledging that whitelists can be effective, Randy Abrams, director of technical education at antivirus software maker ESET, warned that they can be a bear to administer: on top of adding new programs to the list at the request of users, existing applications are continually being upgraded and patched, and every patch changes the files the list was built from.

What’s more, pressure from users to add files to the list can undermine its effectiveness. “If you start adding programs to the list just because someone wants to run a program, you’re not doing the research to determine if it should be trusted,” Abrams told TechNewsWorld.
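The two points above, the default-deny whitelist and the administrative burden that patching creates, can be seen in a small simulation. The following is an added example, not code from the article or from any vendor it names; the "binaries" are byte strings constructed here, and publisher code-signing is stood in for by a per-publisher HMAC tag (a deliberate simplification of Authenticode-style certificates). It shows that a hash-based list blocks the patched version of a program it previously allowed, while a publisher-based rule survives the patch but trusts every release that publisher signs.

```python
"""Added example: toy default-deny application allowlist.

Assumptions (hypothetical, not from the article): programs are plain byte
strings; a publisher's code signature is simulated with an HMAC-SHA256 tag
keyed per publisher. Real systems use code-signing certificates, but the
policy decision has the same shape.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in for a code-signing key held by a software publisher (constructed).
PUBLISHER_KEYS = {"Contoso Ltd": b"contoso-signing-key-demo"}


def sign(publisher: str, data: bytes) -> str:
    """Toy code signature: HMAC tag over the binary with the publisher's key."""
    return hmac.new(PUBLISHER_KEYS[publisher], data, hashlib.sha256).hexdigest()


def verify_signature(publisher: str, data: bytes, tag: str) -> bool:
    key = PUBLISHER_KEYS.get(publisher)
    if key is None:
        return False
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


@dataclass
class Binary:
    name: str
    data: bytes
    publisher: Optional[str] = None   # claimed signer, if any
    signature: Optional[str] = None   # tag produced by sign()


@dataclass
class Allowlist:
    hashes: Set[str] = field(default_factory=set)      # exact-content rules
    publishers: Set[str] = field(default_factory=set)  # trust-the-signer rules

    def allow_hash(self, b: Binary) -> None:
        self.hashes.add(sha256_hex(b.data))

    def allow_publisher(self, publisher: str) -> None:
        self.publishers.add(publisher)

    def decide(self, b: Binary) -> Tuple[bool, str]:
        """Default deny: a binary runs only if some rule positively matches."""
        if sha256_hex(b.data) in self.hashes:
            return True, "hash rule"
        if (b.publisher in self.publishers
                and b.signature is not None
                and verify_signature(b.publisher, b.data, b.signature)):
            return True, f"publisher rule ({b.publisher})"
        return False, "no matching rule (default deny)"


def demo() -> Dict[str, Tuple[bool, str]]:
    # Constructed sample "binaries": a program, its patched successor,
    # a dropper forging the publisher's signature, and an unvetted program.
    v1 = Binary("editor.exe", b"EDITOR v1.0 code", "Contoso Ltd")
    v1.signature = sign("Contoso Ltd", v1.data)
    v2 = Binary("editor.exe", b"EDITOR v1.1 code (patched)", "Contoso Ltd")
    v2.signature = sign("Contoso Ltd", v2.data)
    mal = Binary("editor.exe", b"DROPPER payload", "Contoso Ltd", "00" * 32)
    unknown = Binary("game.exe", b"some game nobody vetted")

    hash_only = Allowlist()
    hash_only.allow_hash(v1)            # what an admin approved last month
    by_publisher = Allowlist()
    by_publisher.allow_publisher("Contoso Ltd")

    return {
        "hash/v1": hash_only.decide(v1),
        "hash/v2_patched": hash_only.decide(v2),   # blocked until re-approved
        "hash/unknown": hash_only.decide(unknown),
        "pub/v1": by_publisher.decide(v1),
        "pub/v2_patched": by_publisher.decide(v2),  # patch survives
        "pub/forged": by_publisher.decide(mal),
        "pub/unknown": by_publisher.decide(unknown),
    }


if __name__ == "__main__":
    for key, (ok, why) in demo().items():
        print(f"{key:16} {'ALLOW' if ok else 'BLOCK':5} {why}")
```

The trade-off is the one Abrams describes: a hash rule is precise but must be re-issued for every patch, so the list grows stale or administrators rubber-stamp additions, while a publisher rule removes that churn at the cost of trusting everything that publisher ever signs. Neither rule inspects what an allowed program goes on to load or interpret.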

Whitelists shouldn’t be seen as a substitute for antivirus software, maintained Scott Petry, founder and CTO of network security firm Postini.

“I don’t think anyone is going to start whitelisting and turn off their AV protection,” Petry told TechNewsWorld. “There’s just too much opportunity for something to be executed or run on the network. You need something that’s scanning the bits and scanning the data that’s being executed.”

He cited a Web browser as an application that might appear on a whitelist but could be an entry point for malware.

Misplaced Child

“You could get a Java applet or a payload that could be nasty stuff. They would never register as an application per se in this whitelisting environment, but it would be an application that’s executing and doing nasty things,” he said.

Nevertheless, there are companies that swear by the whitelisting approach to security. The First National Bank of Bosque County in Valley Mills, Texas, shelved all its antivirus software in favor of a whitelist solution offered by SecureWave.

Since the bank started using whitelisting, Vice President Brent Rickels said that security has been a less worrisome problem. “I know that the worst exploit of all can be running loose out there, but if it’s not on my whitelist, it’s not going to run,” Rickels told TechNewsWorld.

Antivirus dead? Not so, contends SecureWave Senior Vice President Dennis Szerszen. “It’s a misplaced child,” he said. “We expect our antivirus solutions to do a whole lot more than they can potentially do.

“We expect them to keep us safe,” he continued. “We’ve expected them to be the thing that keeps us from having to become security experts and engineers. That kind of burden has overstressed the concept of what antivirus is supposed to be.”

More by John P. Mello Jr.