
Antivirus is dead. Long live antivirus.



David Brookes-Smith

IT Security and Networking Specialist

The continued rise of sophisticated malware attacks means enterprises need to recognise the importance of updating and modernising their endpoint security.

"Antivirus is dead" claim both John McAfee and Brian Dye of Symantec, and they're right. What they mean, of course, is that traditional antivirus is no longer enough; it needs to develop and adapt radically in order to combat sophisticated modern attacks.

That is why endpoint is fast becoming the focus of the security industry, backed by analysts, enterprise investment and a growing number of new start-ups. Whilst a complete security plan still involves technologies like IPS, NGFWs and sandboxing, enterprises need to understand this new emphasis on endpoint and why it is vital to a layered defence.

The problems with encryption and antivirus

For security that relies on analysis of network traffic to detect malicious files, SSL encryption poses a problem. Somewhere between 40 and 70% of traffic traversing a network is SSL encrypted, which makes decryption and re-encryption of that traffic an exceptionally resource-intensive process, one that can decrease the throughput of network-based security appliances by up to 80%.

This is a serious problem for enterprises. The additional overhead that SSL inspection adds means most customers' threat detection appliances simply cannot cope with the extra load. Even with appropriately sized appliances or SSL offloading to another device, nothing done at a gateway or network level is ever 100% effective. Inevitably, some malicious traffic will reach the endpoint.

Traditionally, antivirus detection at the endpoint relies on a list of 'known bad' signatures, which are based on the hashes of viruses and malicious files that have been seen before. All an attacker needs to do is change the hash of a file using a readily available and legitimate 'packing' tool such as Procmon and it will no longer be recognised or picked up by traditional antivirus.

Of course, detection is also only half the battle. Post-breach analysis and effective response methods are also critical; both for remediating the effects of breaches and for identifying threat vectors in order to continually update and tune an enterprise's defence.

Next-generation antivirus

Fortunately, there are a number of new start-ups who address these trends and problems, and focus entirely on endpoint security. There are two main camps emerging: those who are interested in increasing malware detection rates beyond signature-based antivirus, and those concerned with forensics.

These next-generation antivirus (NGAV) vendors consider many more factors than just a list of known bad signatures. Indeed, some don't use signature-based methods at all. Instead they look at the characteristics of a file, applying 'machine learnt' knowledge of which numbers or combinations of characteristics point either to outright malicious software or to applications that are merely potentially unwanted (internet toolbars, for example). A couple of simple examples of such characteristics are PDF/Word documents that try to connect to the internet, or a file that begins to rapidly encrypt multiple files on a drive. These are obvious examples, but when the software maps thousands of data points to look for these (and many more) characteristics, it removes the need for any prior knowledge of a specific piece of malware. It just needs to know what bad files do.
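To make the contrast concrete, here is an added illustration (not code from this post or from any vendor it alludes to) showing why an exact-hash signature stops matching after a single appended byte, while a simple characteristic-based score built on the two behaviours just mentioned still fires. The telemetry format, process names and thresholds are assumptions constructed for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed "known bad" signature list: SHA-256 of a fake sample body.
SAMPLE = b"MZ\x90\x00constructed-sample-body"
KNOWN_BAD = {hashlib.sha256(SAMPLE).hexdigest()}

def hash_match(file_bytes: bytes) -> bool:
    """Traditional signature check: exact SHA-256 lookup."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD

# Constructed endpoint telemetry: (seconds, process, action, detail).
EVENTS = [
    (0.0, "winword.exe", "open", "invoice.docx"),
    (1.2, "winword.exe", "net_connect", "203.0.113.10:443"),
    (5.0, "updater.exe", "write", "a.doc.locked"),
    (5.3, "updater.exe", "write", "b.xls.locked"),
    (5.6, "updater.exe", "write", "c.pdf.locked"),
    (5.9, "updater.exe", "write", "d.txt.locked"),
    (6.1, "updater.exe", "write", "e.ppt.locked"),
    (40.0, "notepad.exe", "write", "notes.txt"),
]

DOC_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}  # assumed list
MASS_WRITE_COUNT, MASS_WRITE_WINDOW = 5, 10.0            # assumed thresholds
ALERT_THRESHOLD = 50

def behaviour_scores(events):
    """Score processes on what they do, with no prior knowledge of the file."""
    scores = defaultdict(int)
    writes = defaultdict(list)
    for ts, proc, action, _detail in sorted(events):
        if proc in DOC_APPS and action == "net_connect":
            scores[proc] += 60          # document reader reaching the internet
        elif action == "write":
            writes[proc].append(ts)
    for proc, times in writes.items():
        # Sliding window: many file writes by one process in a short interval.
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= MASS_WRITE_WINDOW:
                j += 1
            if j - i >= MASS_WRITE_COUNT:
                scores[proc] += 80      # rapid mass modification of files
                break
    return dict(scores)

def flagged(events):
    """Processes whose behaviour score crosses the alert threshold."""
    return sorted(p for p, s in behaviour_scores(events).items() if s >= ALERT_THRESHOLD)
```

Note that notepad.exe, which writes a single file, accrues no score at all; the rules key on patterns of behaviour rather than on which binary is running.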

The converse approach is to map normal behaviour on an endpoint, and allow-list only approved applications and processes. However, this approach doesn't always account for seldom used apps and requires significant intervention in creating normal user behaviour profiles.

A new lease of life

The evolution of both these approaches involves techniques such as machine learning. By analysing characteristics and behaviours in thousands of good and bad files, NGAV can assess and act upon malicious (or simply unwanted) files, regardless of whether a matching IOC exists or the file merely exhibits unwanted characteristics.

Combined, these approaches allow NGAV to potentially capture 99% of viruses. Compared to the reported 40-80% virus capture offered by traditional signature-based AV, it is easy to see why these start-ups offer a whole new lease of life for endpoint security and antivirus. The big players are forced to innovate, the endpoint becomes a tool in the security analyst's arsenal, and hackers have a re-energised layer of defence to overcome.

Find out more

For more information about our security solutions contact your Softcat account manager or get in touch using the form below.