Traditional signature-based anti-virus is notoriously bad at stopping newer threats such as zero-day malware and ransomware, but it still has a place in the enterprise, experts say, as part of a multi-layer endpoint security protection strategy.
According to a survey of this year's Black Hat attendees, 73 percent think that traditional anti-virus is irrelevant or obsolete. "The perception of the blocking or protection capabilities of anti-virus has certainly declined," says Mike Spanbauer, vice president of strategy and research at NSS Labs, Inc.
Plenty of recent research supports that point of view. In March, security company WatchGuard Technologies reported the results of a comprehensive test of traditional anti-virus. They calculated how well a leading traditional anti-virus product did at spotting zero-day threats by looking at customers who had both traditional anti-virus and next-generation endpoint protection products installed. Traditional anti-virus caught 8,956,040 malware variants, but it missed 3,863,078 others that were caught by a next-generation platform that used a behavior-based approach. That's a failure rate of about 30 percent.
The traditional anti-virus product was from AVG Technologies, a well-reviewed product. In fact, in a report released last month by AV Comparatives, AVG caught 99.6 percent of the samples tested, making it one of the top ten products on the market.
Anti-virus is particularly bad at catching ransomware, one of the biggest new threats that companies face. In a March survey of 500 organizations, anti-phishing vendor KnowBe4 found that only 52 percent of companies were able to thwart a simulated ransomware attack. For the rest, the ransomware was able to get past their anti-virus defenses.
NSS Labs has also been running tests of both traditional and next-generation endpoint protection tools. In its latest rounds of testing the company has focused only on vendors that have advanced detection capabilities. Last year, when testing included signature-only vendors as well, the traditional products did poorly. "A number of products scored in the 90s," says NSS Lab's Spanbauer, "But none of those were sole traditional anti-virus."
The problem is compounded if the new threats are designed to spread quickly in a company and do as much damage as fast as possible, and compounded again if enterprises delay rolling out anti-virus updates. In addition, the amount of malware is growing exponentially, according to AV-Test, so even if a particular product has a high detection rate, more and more malware in absolute terms is going to slip through. Plus, if the attackers notice that a particular kind of malware is getting through, they can double-down on it.
These four factors combined have helped propel the recent WannaCry ransomware to more than 400,000 infected devices and potential total financial impact of as much as $8 billion. That doesn't mean that traditional anti-virus is completely obsolete. It still has a place in the enterprise, experts say, because it is very effective at spotting and blocking known threats quickly, efficiently and with minimum human intervention. Plus, traditional anti-virus is a compliance or customer requirement in some industries.
The case for traditional anti-virus
One company that doesn't have a choice about whether to use traditional anti-virus is Emeryville, Calif.-based National Mortgage Insurance Corp. "Our customers are banks, and many require a traditional signature-based anti-virus as part of the defense we have in place," says Bob Vail, the company's director of information security.
[Related: Review: Minerva protects endpoints with trickery and deception]
Sophos, the companyâs anti-virus vendor, has a good detection record, and is very light-weight, he says. That makes it a good first round of defense, but Vail says he knows that's not enough. "Anti-virus in general is going to be after-the-fact," he says. "Someone has to be infected and a signature developed and hopefuly everyone else gets protected before they get attacked."
The company also has a second level of protection in place to guard against the malware that gets through, a behavior-based system from EnSilo. The two products work well together, Vail says. "If a known virus comes down, Sophos will quarantine the file before it gets a chance to execute," he says. "But those things that get past it, EnSilo will prosecute those, so it's a classic defense at depth."
Traditional anti-virus is a good adjunct to the newer technologies such as those that involve behavior analytics, sandboxing, and machine learning. The more advanced tools can require more processing power, which can slow down computers. If the product runs behavioral or other tests on potential threats before permitting user access, it can impact productivity. If the product allows the threats through, then tests them separately, malware has a window of opportunity to get access to enterprise systems.
Finally, when a new threat is detected, additional work is required to mitigate the threat and generate signatures to protect against the threat in the future. "The first level of defense will always be some kind of signature-based defense," says Raja Patel, VP for corporate product at McAfee LLC. "If you already know something is bad, why do an additional layer of protection against it?"
Without that initial signature-based screening, companies will have to spent a lot more time, effort and money to handle all the threats that come in, he says. "You can image how much a security team would have to put up with." If a threat can be caught and stopped right out of the gate, it's the cheapest option. "Signature-based anti-virus saves human effort and reduces false positives and time delays," he says. "It's a fantastic first layer, and will be for a long time."
Traditional, next-gen tools are converging
As the industry matures, enterprises are going to be able to get the full-suite of malware protection tools from a single vendor, if they don't already. Traditional anti-virus providers are adding next-gen capabilities, while the next-generation vendors are including signature-based protections in their suites.
Endpoint security startup CrowdStrike, for example, launched its all-in-one Falcon platform three years ago, allowing customers such as the Center for Strategic and International Studies, a Washington, DC, think tank, to get everything in one place. "We had CrowdStrike already in place and were relying on it as part of endpoint security," says Ian Gottesman, the organization's CIO. "Extending that solution to include anti-virus was advantageous for CSIS. I would recommend any other organizations do the same."
According to a survey released earlier this year by the SANS Institute, about 95 percent of respondents expect to see anti-virus protection included in their next-generation endpoint solution. Traditional anti-virus vendors aren't sitting on the sidelines, either.
Instead, many are buying or building the next-generation tools that can help catch the attacks that get by signature-based defenses. "Anti-virus will become extinct in the next few year unless they are able to evolve," says Luis Corrons, PandaLabs technical director at Panda Security, a traditional anti-virus vendor. "We at Panda have been fully aware of this."
The company has been behavioral-based malware detection for several years, but even that is not enough. Many successful security breaches involve no malicious software at all, he says. "To say it crystal clear, a traditional anti-virus is useless against these attacks as there is no malware involved," he says. For example, attackers can take advantage of existing non-malicious software.
The company has recently rolled out new tools to monitor the behavior of all active applications in an enterprise. "It allows us to have full visibility of what is happening in our network," he says.
McAfee has also added on new layers of protection, says McAfee's Patel. "Signature-based defenses will protect you after you know about the threats, but they won't protect patient zero and the time period after infection and when you wrote the signatures," he says. "We added two new protection capabilities last year -- machine learning and dynamic application containment."
Why some companies still rely on traditional anti-virus alone
Ransomware infection rates show that many companies still lack adequate endpoint protection. According to an IBM survey released late last year, nearly half of all companies fell victim to ransomware in 2016, with 70 percent of them deciding to pay the ransom.
[Related: With new dynamic capabilities, will whitelisting finally catch on?]
Small firms are also hit, and, unlike the largest enterprise, may not be taking endpoint protection as seriously. Earlier this year, a survey by the Ponemon Institute showed that 51 percent of small and medium-sized businesses have experienced a ransomware attack, but, despite that, 57 percent says that they were "too small" to be targets for ransomware.
According to a May report by endpoint protection vendor VIPRE Security, 48 percent of IT managers and small and medium-sized enterprises says that a company of their size doesn't need endpoint security with advanced malware defense capabilities.
That's a mistake, says NSS Labs' Spanbauer. There are so many good options available on the market today, and very competitive pricing, that no company should be using signature-based anti-virus and nothing else, he says. "There is not a price or protection argument that can be made that would make traditional anti-virus the first choice or the preferred recommendation for any specific environment." More comprehensive protection is easier to find than ever before, with even entry-level products offering advanced controls, he adds. "It's hard to find a strict signature-only anti-virus product these days."