Traditional signature-based antivirus is notoriously bad at stopping newer threats such as zero-day exploits and ransomware, but it still has a place in the enterprise, experts say, as part of a multi-layer endpoint security protection strategy. The best antivirus products act as the first layer of defense, stopping the vast majority of malware attacks and leaving the broader endpoint protection software with a smaller workload to deal with.
Antivirus products create a signature for each piece of malware that is detected in the wild, but it requires someone to be infected to get the process started. "And, once an antivirus company does this, it could be days or months for all endpoints to be properly updated with the correct signature," says Ed Metcalf, senior director of product marketing at Cylance, Inc. "By this time, a cyber attack could easily spread throughout an enterprise and cause damage or steal data."
Research reveals the changing role of antivirus software
According to a survey of last year's Black Hat attendees, 73 percent think that traditional antivirus is irrelevant or obsolete. "The perception of the blocking or protection capabilities of antivirus has certainly declined," says Mike Spanbauer, vice president of strategy and research at NSS Labs, Inc.
Plenty of recent research supports that point of view. In September, security company WatchGuard Technologies reported the results of a comprehensive test of traditional antivirus. They calculated how well a leading traditional antivirus product did at spotting zero-day threats by looking at customers who had both traditional antivirus and next-generation endpoint protection products installed. Traditional antivirus missed 38 percent of malware attacks that were caught by a next-generation platform that used a behavior-based approach. That's up from 30 percent in late 2016, when the company first started doing this research.
The traditional antivirus product was from AVG Technologies, a well-reviewed product. In fact, in a report released in September by AV Comparatives, AVG caught 100 percent of the samples tested, making it one of the top ten products on the market. However, AV Comparatives tested AVG against samples of known malware, not against brand-new attacks.
Why is traditional, signature-based antivirus getting worse at detecting threats? "The threat landscape has evolved," says Rob Lefferts, corporate VP of Microsoft 365. "I would avoid using the phrase 'antivirus is dead,' but thinking about straight-up antivirus as a solution -- those days are gone."
Not only are attackers getting better at quickly generating countless versions of existing malware, tweaked just enough to not be picked up by existing signatures, but new attacks, like fileless attacks, are showing up that won't be picked up by traditional antivirus, he says.
Companies are aware of the problem. According to the latest SANS endpoint protection survey of IT professionals, traditional antivirus caught endpoint compromises only 47 percent of the time. The rest were caught by SIEMs, network analysis, advanced endpoint protection systems and other technologies.
However, only 50 percent of companies have acquired next-generation capabilities, and 37 percent have turned on that functionality. In addition, while 49 percent have tools to detect fileless attacks, 38 percent aren't using them.
Similar findings were reported by the Ponemon Institute this month in a survey of IT security professionals. Seventy percent said they were very concerned about new and unknown threats, but only 29 percent said their traditional signature-based antivirus provided all the protection they needed.
The case for traditional antivirus
Should companies eschew traditional antivirus in favor of newer technologies? Not according to Microsoft's Lefferts, who says that traditional AV still has a role to play.
Behavioral analytics, sandboxing, and other advanced tools take time and use up network bandwidth and computational resources. Traditional antivirus is fast, cheap and lightweight. "If you're counting the number of different types of malware, there are more and more polymorphic or custom attacks," he says. "But considering the onslaught of commodity malware, it is still the vast bulk of the number of encounters that happen on a daily basis."
Even if traditional antivirus isn't able to stop all attacks, it can block a significant number of them at low cost. "So let’s do that," says Lefferts. "But we certainly can't afford to stop there, and I don't think anyone today says we should stop there."
Those potential threats that make it past the first line of defense can then be analyzed based on their behavioral characteristics or sent off to a sandbox for secure detonation.
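The layering described above, as an added illustration that is not from the article or from any vendor's product: an exact-hash signature check runs first, and only items it does not recognize are passed to a behavior scorer. The sample bytes, behavior labels, weights and threshold are all constructed assumptions.

```python
import hashlib

# Constructed placeholder bytes standing in for file contents (not real malware).
KNOWN_SAMPLE = b"constructed-known-sample"
VARIANT = KNOWN_SAMPLE + b"\x00"  # same content with one byte appended
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Hypothetical behavior labels and weights for the second layer.
BEHAVIOR_WEIGHTS = {
    "mass_file_rename": 5,
    "deletes_backups": 5,
    "office_spawns_script_host": 3,
    "reads_user_documents": 1,
}
BLOCK_THRESHOLD = 6


def signature_match(data: bytes) -> bool:
    """Layer 1: exact-hash lookup. Cheap, but only catches known samples."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def behavior_score(events: list[str]) -> int:
    """Layer 2: score distinct observed behaviors; unknown labels score 0."""
    return sum(BEHAVIOR_WEIGHTS.get(e, 0) for e in set(events))


def triage(stream):
    """Return (verdicts, number of items that needed the costly second layer)."""
    verdicts, escalated = [], 0
    for name, data, events in stream:
        if signature_match(data):
            verdicts.append((name, "quarantine:signature"))
            continue
        escalated += 1
        blocked = behavior_score(events) >= BLOCK_THRESHOLD
        verdicts.append((name, "block:behavior" if blocked else "allow"))
    return verdicts, escalated


# Constructed stream: (name, file bytes, behaviors observed at run time).
STREAM = [
    ("known-1", KNOWN_SAMPLE, []),
    ("known-2", KNOWN_SAMPLE, []),
    ("variant", VARIANT, ["mass_file_rename", "deletes_backups"]),
    ("trusted-tool", b"constructed-legit-binary",
     ["office_spawns_script_host", "mass_file_rename"]),
    ("editor", b"constructed-editor", ["reads_user_documents"]),
]
```

Calling `triage(STREAM)` shows the two known copies stopped by the hash lookup alone, while the one-byte variant and the unsigned trusted tool are only caught because their behavior was scored.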
One company that doesn't have a choice about whether to use traditional antivirus is Emeryville, Calif.-based National Mortgage Insurance Corp. "Our customers are banks, and many require a traditional signature-based antivirus as part of the defense we have in place," says Bob Vail, the company's director of information security.
Sophos, the company’s antivirus vendor, has a good detection record and its product is very lightweight, he says. That makes it a good first round of defense, but Vail says he knows that's not enough. "Antivirus in general is going to be after-the-fact," he says. "Someone has to be infected and a signature developed and hopefully everyone else gets protected before they get attacked."
The company also has a second level of protection in place to guard against the malware that gets through, a behavior-based system from enSilo. The two products work well together, Vail says. "If a known virus comes down, Sophos will quarantine the file before it gets a chance to execute," he says. "But those things that get past it, enSilo will prosecute those, so it's a classic defense at depth."
Traditional antivirus is a good adjunct to the newer technologies such as those that involve behavior analytics, sandboxing and machine learning. The more advanced tools can require more processing power, which can slow down computers. If the product runs behavioral or other tests on potential threats before permitting user access, it can impact productivity. If the product allows the threats through, then tests them separately, malware has a window of opportunity to get access to enterprise systems.
Finally, when a new threat is detected, additional work is required to mitigate the threat and generate signatures to protect against the threat in the future. "The first level of defense will always be some kind of signature-based defense," says Raja Patel, VP for corporate product at McAfee LLC. "If you already know something is bad, why do an additional layer of protection against it?"
Without that initial signature-based screening, companies will have to spend a lot more time, effort and money to handle all the threats that come in, he says. "You can imagine how much a security team would have to put up with." If a threat can be caught and stopped right out of the gate, it's the cheapest option. "Signature-based antivirus saves human effort and reduces false positives and time delays," he says. "It's a fantastic first layer and will be for a long time."
Traditional antivirus, next-gen endpoint protection tools are converging
As the industry matures, enterprises are going to be able to get the full suite of malware protection tools from a single vendor, if they don't already. Traditional antivirus providers are adding next-gen capabilities, while the next-generation vendors are including signature-based protections in their suites.
Endpoint security startup CrowdStrike, for example, launched its all-in-one Falcon platform four years ago, allowing customers such as the Center for Strategic and International Studies, a Washington, DC, think tank, to get everything in one place. "We had CrowdStrike already in place and were relying on it as part of endpoint security," says Ian Gottesman, the organization's CIO. "Extending that solution to include antivirus was advantageous for CSIS. I would recommend any other organizations do the same."
Enterprises increasingly expect to see antivirus protection included in their next-generation endpoint solution. "Businesses don't like to mix and match," says Adam Kujawa, head of malware intelligence at Malwarebytes Corp. "They prefer to have one vendor to go to. So, the security solutions have multiple layers, with multiple technologies involved to maximize the amount of protection."
Traditional antivirus vendors aren't sitting on the sidelines, either. Instead, many are buying or building the next-generation tools that can help catch the attacks that get by signature-based defenses. "Antivirus will become extinct in the next few years unless they are able to evolve," says Luis Corrons, PandaLabs technical director at Panda Security, a traditional antivirus vendor. "We at Panda have been fully aware of this."
The company has had behavioral-based malware detection for several years, but even that is not enough. Many successful security breaches involve no malicious software at all, he says. "To say it crystal clear, a traditional antivirus is useless against these attacks as there is no malware involved," he says. For example, attackers can take advantage of existing non-malicious software.
The company has recently rolled out new tools to monitor the behavior of all active applications in an enterprise. "It allows us to have full visibility of what is happening in our network," he says.
McAfee has also added on new layers of protection, says McAfee's Patel. "Signature-based defenses will protect you after you know about the threats, but they won't protect patient zero and the time period after infection and when you wrote the signatures," he says.
According to the Ponemon survey, 64 percent of companies this year experienced one or more endpoint attacks that compromised assets or infrastructure, and 63 percent said that the number of attacks went up compared to last year.
Meanwhile, the average cost of a successful attack has increased from $5 million to $7.1 million, with an average cost per compromised endpoint of $440. For small- and medium-sized companies the average cost was even higher, at $763 per endpoint.
"What is worrisome is how slow many organizations have been to respond to these new tactics and adjust their security strategies," says Satya Gupta, founder and CTO at Virsec Systems. "We’re still stuck in a mindset of guarding the perimeter and stopping what’s been seen before."