Your antivirus software is a seat belt – not a force field.
Over the years we have been marketed to with messaging that assures us our traditional antivirus products have been reviewed and catch 99+% of threats. Therefore we should expect 99% coverage, correct? The blunt answer is “no.”
Any enterprise administrator can tell you that even with up-to-date software you get viruses, full stop. There are few, if any, exceptions to this. The same can be said for consumer users; it’s pretty tough to find someone who has not had a virus, or who doesn’t know someone who has. I would hate to see a world without seat belts, or without antivirus, because while neither is a panacea they do provide strong benefits. The risks of going it alone without these protections are very serious. However, know that a seat belt will not save you every time, nor will traditional antivirus software.
So, why does traditional antivirus not provide 99%+ protection?
That question, once you get down to brass tacks, is pretty straightforward. There is a bevy of good reasons, but two underlying truths provide a basis for many of the other points.
- Computers make for poor moralizers. Essentially what you are asking antivirus software to do is judge the behaviour of other software in a moral light – is it good or bad, is the ‘intent’ harmful in the context it’s being executed in? In the struggle to make software perform this act of reasoning for us, in real time, we add a tremendous amount of support (machine learning, behavioural analysis, host IPS, emulation, sandboxing, reputation, etc.) in the hope that we can bring it close to perfection. We must continue to try and innovate here.
- The bad guys never release a new virus that is detected by current antivirus software. The guys (and presumably gals) who write malware have access to all of the commercial and free antivirus software on the market. This means they can, and do, test their creations to see whether they are detected before releasing them on the unwitting public. This means that antivirus needs to be somewhat predictive to be more effective: detection that depends only on signatures of malware already seen will always lag what is released next.
Where does this leave us then? That entirely depends on how educated you are on the efficacy of traditional antivirus. If you recognize it’s a powerful utility but has marked limitations, you can plan your defences accordingly. If you expect it to perform at the level the marketing promises, you’re likely to be disappointed.
So, what should you look for in an antivirus product? Your selection should be focused on a product you feel is dynamic and open enough to meet the needs of your specific environment. You should be able to test it thoroughly, and have access to the vendor’s technical team while doing so. Transparency with this sort of technology is critical, and frank, honest answers should be expected. A more advanced antivirus solution should be data-driven, so that the vendor can understand the technology’s performance in the field and gather intelligence to improve efficacy.
Ultimately your selection should have two basic criteria – does it meet your technical needs, and do you feel you can work closely with the vendor? If those two criteria cannot be reconciled, the product in question might not be the right one for you.