Anti-virus Dead? What Is the Future for Anti-Virus?


Far too many of us take IT security for granted, presuming that our anti-virus protection is keeping the worst of the web at bay. But it seems we are putting far too much faith in off-the-shelf antivirus to keep our IT systems safe. Brian Dye, corporate vice president at Intel Security, has even gone on record to say that antivirus is dead. The truth is that antivirus hasn’t yet had its day; it is still a useful tool that can help keep your systems safe. But it is true that computer protection is about to enter a whole new era – one where behaviour-based, rather than signature-based, security is more important. So let’s take a look at what this means for businesses like yours.

Most of the best known antivirus products and intrusion detection systems (IDS) are signature-based: each file or piece of network traffic is compared against a database of signatures, the identifying patterns extracted from known malware and malicious code. If a match is found, the antivirus deems the item dangerous and blocks it.

Traditionally, this signature-based security has been highly effective, but it is also a reactive technology: it is only effective against known threats. Anti-virus programmers need to know how a piece of malware works before they can write the signature that finds and neutralises it. And with one new piece of malware being released every second, according to recent estimates, keeping up is a near-impossible task. Because of the sheer number of threats out there, traditional antivirus now detects only around 45 percent of all attacks, and signature-based systems need to be constantly updated to remain effective. A signature-based IDS is only as good as its database of stored code and signatures. This is why “zero-day” attacks, in which hackers launch a brand new piece of malware, often slip through undetected: the antivirus software simply doesn’t recognise the threat.

Behaviour-based security is different in that it flags any network or user activity that doesn’t fit a pattern of expected behaviour. This means the software first has to learn what a user’s normal patterns of activity are. Any anomalies are then flagged as threats and stopped before they can infect your systems. For example, if a user who normally works with a restricted set of records suddenly begins trying to access other types of information, it is quite possible that their workstation has been taken over by a third party or infected with a virus, and action can be taken.

Unlike signature-based systems, behaviour-based systems are able to detect zero-day attacks, because they don’t depend on a recognisable signature. Of course, such systems have to be configured to learn users’ typical behaviour, and their configuration needs to be updated every time applications are added or modified, but in general they can adapt to new, unique or original attacks.

Advantages and Drawbacks

There are many advantages to the behaviour-based approach in detecting new and unforeseen threats to your systems. Because it flags any traffic that is new or unusual, it is good at identifying sweeps and probes against network hardware. This acts as an early warning of a potential intrusion, as such probes and scans are often the precursors of an attack. Behaviour-based systems can also detect abuse-of-privilege attacks, which normally don’t trigger security warnings. Of course, there are drawbacks too. The false alarm rate is higher than with signature-based systems. The learning phase can’t cover every legitimate behaviour, and people’s online behaviour is likely to change over time, so the behaviour profile needs to be retrained occasionally. Any attacks that take place during the learning phase are absorbed into the profile as “normal” and won’t be detected as anomalous, meaning your systems could be compromised. Behaviour-based IDS is also more costly, in that you need more hardware spread further across your IT networks than is required with signature-based IDS.
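To make the two approaches concrete, here is an added Python example (not from the original article or from Empower IT) that runs a simple signature scan and a behavioural baseline over constructed data: a made-up signature database and byte samples, and a made-up access log of (user, record type) events. It shows the three points made above: a sample whose bytes have been altered evades the stored signature, the user who suddenly reaches for records outside their learned profile is flagged, and an attack that occurs during the learning phase is absorbed into the baseline and never flagged.

```python
"""Signature matching versus behavioural baselining, side by side.

Constructed example: the signature database, the byte samples and the
access-log events below are all made up for illustration.
"""
from collections import defaultdict

# Constructed signature database: byte patterns extracted from "known" malware.
SIGNATURES = {
    "Trojan.Example.A": bytes.fromhex("4d5a90000badf00d"),
    "Worm.Example.B": bytes.fromhex("cafebabe00000001"),
}

# A sample that matches a known signature, and a "zero-day" variant in which
# a single byte differs, so that no stored signature matches it.
KNOWN_SAMPLE = b"header" + bytes.fromhex("4d5a90000badf00d") + b"payload"
NOVEL_SAMPLE = b"header" + bytes.fromhex("4d5a90000badf00e") + b"payload"


def signature_scan(sample, signatures=SIGNATURES):
    """Return the names of all stored signatures found in the sample.

    An empty list means "no known signature matched", which is not the same
    as "clean": this is exactly how a zero-day sample slips through.
    """
    return [name for name, sig in signatures.items() if sig in sample]


# Constructed access log: (user, record type) pairs observed during the
# learning phase. alice handles helpdesk data, bob works in finance.
BASELINE_EVENTS = [
    ("alice", "tickets"), ("alice", "kb"), ("alice", "tickets"),
    ("bob", "invoices"), ("bob", "payroll"), ("bob", "invoices"),
]

# Live events: alice's workstation suddenly reaches for payroll records.
LIVE_EVENTS = [
    ("alice", "tickets"), ("bob", "payroll"), ("alice", "payroll"),
]


def learn_profile(events):
    """Learning phase: record the set of record types each user normally touches."""
    profile = defaultdict(set)
    for user, record_type in events:
        profile[user].add(record_type)
    return profile


def detect_anomalies(profile, events):
    """Flag any access that falls outside the user's learned profile.

    A user never seen during learning has an empty profile, so everything
    they do is flagged: one source of the false alarms the article mentions,
    until the profile is retrained to include them.
    """
    return [(user, record_type) for user, record_type in events
            if record_type not in profile.get(user, set())]


def contaminated_learning_phase():
    """Learning-phase weakness: an attack that happens while the baseline is
    being learned becomes part of "normal" and is never flagged afterwards."""
    tainted_baseline = BASELINE_EVENTS + [("alice", "payroll")]
    return detect_anomalies(learn_profile(tainted_baseline), LIVE_EVENTS)


if __name__ == "__main__":
    print("known sample ->", signature_scan(KNOWN_SAMPLE))    # caught by signature
    print("novel sample ->", signature_scan(NOVEL_SAMPLE))    # missed: no signature
    profile = learn_profile(BASELINE_EVENTS)
    print("behaviour    ->", detect_anomalies(profile, LIVE_EVENTS))  # alice/payroll flagged
    print("contaminated ->", contaminated_learning_phase())   # nothing flagged
```

The profile here is deliberately the simplest possible model (a set of record types per user); a real product would weight frequency, time of day and peer groups, but the failure modes are the same: whatever is in the learning window is trusted, and anything outside it raises an alarm whether or not it is malicious.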

Drawbacks and a long customisation process aside, it looks like the behaviour-based approach to IT security is the future. Antivirus hasn’t yet had its day, but it’s no longer the be-all and end-all of IT security. There are many ways to keep your systems safe, and a multi-layered approach is the best way forward. Blacklisting, whitelisting and sandboxing are three further methods that can be used to keep you safe online. Antivirus has simply become one of the detection tools you can use to protect your computers against malicious attacks.

If you want to know more about the best security approach for your business IT, why not talk to the experts at Empower IT? We can find new ways to keep you safe.