Gartner Blog Network


Antivirus is Dead. Long Live Antivirus.

by Neil MacDonald  |  December 23, 2010  |  5 Comments

Signature-based antimalware detection is increasingly ineffective against an explosion in the number of malware variants as well as an increase in the number of financially motivated targeted attacks.

Does this mean we get rid of antivirus technology altogether? Not at all.

What it means is that we can no longer protect endpoints using signature-based mechanisms alone. Endpoints must be protected using a combination of mechanisms (whitelisting, blacklisting and behavioral-based approaches) working together as a system.

That’s why we retired the antivirus magic quadrant at Gartner back in 2006. We combined separate research streams on personal firewalls, antivirus, antispyware and host-based intrusion prevention systems into what Gartner research refers to as the “Endpoint Protection Platform” (EPP).

The EPP truly is a platform supporting multiple styles of protection for an endpoint. We’ve just updated our rating of the vendors in this market in this magic quadrant research note for clients.

EPPs have gone well beyond converged antimalware protection. Here are the types of capabilities we evaluated in this latest research:

  • Data protection capabilities in the form of full-drive, removable-device and file/folder encryption, as well as basic data loss prevention capabilities
  • Behavioral-heuristics-based host intrusion prevention capabilities
  • Buffer overflow protection
  • Application control capabilities (aka whitelisting)
  • Device and network access control capabilities
  • Security configuration management
  • Ability to optimize scanning in virtualized environments
  • Vulnerability management (some have patching capabilities, others report on vulnerabilities)
  • Integration with cloud-based community systems for faster access to emerging threats

The good news for enterprises is that the EPP market is extremely competitive and prices continue to drop. In many cases, encryption can be combined in the same contract without an increase in pricing as compared to prior contracts, especially in competitive bidding situations.

Using the migration to Windows 7 as a catalyst, EPP replacements offer a significant opportunity for cost reduction and vendor consolidation in 2011 and beyond.




Thoughts on Antivirus is Dead. Long Live Antivirus.


  1. Amey says:

    Signature-based detection is efficient for unmodified malware, but with several variants of malware coming out, signatures are no longer enough to keep our systems protected. Behavior-based intelligent antivirus is the need today. But this approach is not robust as of now; it will require quite a lot of research to become perfect. Many AV vendors nowadays include behavior-based detection for desktops. But in my personal experience it has only given me false positives.

  2. David G says:

    I agree with Neil, conventional signatures can’t detect all those millions of variants that use compression or encryption to bypass them. You need a new way to do it. Since 90% of the threats come from the Web, it is a good start to have a Web-reputation-enabled EPP to block some of them from reaching you; NAC won’t help you on this. Also, application whitelisting does not help you that much when the targeted application is whitelisted (like browsers or plug-ins like Adobe Acrobat or Flash). The most advanced products block EXEs and application protocols at the network level (e.g. P2P, IRC).

    The other 10% of infection sources come from external devices. Device control helps if you block execution but permit read and write. At least people can still work and the autorun malware family can’t spread. This is a quick win.

    Endpoint encryption won’t help you against data-stealing malware since it runs in your context (unencrypted). Endpoint encryption will protect your data if your PC gets stolen, period. Data Loss Protection, on the other hand, will help you detect or prevent a data loss from an infection.

    Behavior analysis or monitoring sounds like the way to go, but I agree with Amey, we have seen some false positives in the first implementations by vendors. And it slows down your apps like crazy. So you need to tune it. But that’s beyond the average IT guy’s abilities. New AVs (sorry), new EPPs are more complicated than they used to be, and training about new threats and new EPPs is rare.

    Self vulnerability assessment or protection is cool but rare. Some vendors will sell this feature as virtual patching. It won’t detect the buffer overflow, but it detects the exploit.

    From my audit and incident handling experience, IT guys disable all the protection features as soon as they get one false positive. This leaves only traditional signature detection in place. Two customers called me this autumn; they were infected (2000 and 1400 computers). Both of them were not patched and everybody had access to almost everything. Combined with bad practices, this leads to disasters, and then they blame the EPP to save their jobs…

    One of the technologies I like and I don’t see much in EPP is integrity monitoring and enforcement. Those that were using it during the last Stuxnet outbreak were less vulnerable.

    And yes, we need EPP made for the virtualized infrastructure. Only a few (very few) vendors do it.

    Windows 7 migration might be a good time to change EPP, but virtualization is a good reason too. When they are combined (7 + VDI) it is a must.

  3. Neil MacDonald says:

    @Amey – agree on the issue of false positives if behavioral approaches alone are used to detect malware. Our vision of an EPP is a system that uses a combination of whitelisting, blacklisting and behavioral-based styles of protection working together.

    Another thought to consider is rethinking the typical binary yes/no response on a piece of suspect code. For example, rather than blocking something that appears malicious, let’s limit its access to system resources via sandboxing, virtualization or network throttling techniques.

    Final thought – many false positives are created when rules that govern what an application should or should not be doing are violated because the rules themselves fall out of sync with the application they are protecting. If you are considering a technology that uses this approach, make sure new applications are deployed with updated rules.

    Neil
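The layered decision the post argues for (whitelisting, blacklisting and behavioral protection working as one system), combined with the graded response suggested in the reply above, as an added example that is not part of the original post or of any EPP product. The hashes, behaviour names, risk weights and thresholds are constructed placeholders; `signature_only_verdict` stands in for a blacklist-only antivirus so the two can be compared on an unknown, repacked variant.

```python
from dataclasses import dataclass, field

# Constructed sample reputation data: placeholders, not real indicators.
ALLOWLIST = {"sha256:GOOD-0001-trusted-editor"}
DENYLIST = {"sha256:BAD-0001-known-dropper"}

# Runtime behaviours and their risk weights (constructed values).
RISK_WEIGHTS = {
    "writes_run_key": 3,         # persistence via an autorun registry key
    "injects_into_process": 4,
    "encrypts_user_files": 5,
    "opens_network_listener": 2,
    "reads_documents": 1,        # normal for an editor, noisy as a rule
}


@dataclass
class Sample:
    sha256: str
    behaviours: list = field(default_factory=list)


def signature_only_verdict(sample):
    """Blacklist-only antivirus: block known hashes, allow everything else."""
    return "block" if sample.sha256 in DENYLIST else "allow"


def behaviour_score(behaviours):
    return sum(RISK_WEIGHTS.get(b, 0) for b in behaviours)


def epp_verdict(sample, restrict_at=4, block_at=8):
    """Return 'allow', 'restrict' or 'block' using all three mechanisms.

    Known-good hashes are trusted first, so noisy behaviour rules do not
    produce false positives on legitimate software. Known-bad hashes are
    blocked outright. Unknown code (e.g. a repacked variant) is judged on
    behaviour, with a middle 'restrict' tier (sandbox, throttle) instead of
    a binary yes/no decision.
    """
    if sample.sha256 in ALLOWLIST:
        return "allow"
    if sample.sha256 in DENYLIST:
        return "block"
    score = behaviour_score(sample.behaviours)
    if score >= block_at:
        return "block"
    if score >= restrict_at:
        return "restrict"
    return "allow"
```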

  4. Neil MacDonald says:

    @David – you raise a couple of really good points.

    Support for virtualized environments was considered as we evaluated solutions in the research I referenced. Agreed there are only two vendors really innovating here.

    In addition to your suggestion to disable autorun for a quick win, I’d add making sure that Data Execution Prevention (NX/XD) support is enabled on the OS and the applications you are running. Windows, Linux and Mac OS support this on x86 hardware. That’s another quick win.

    Virtual patching is available from some of the vendors in their broader HIPS capabilities. Cool stuff. You may already have this type of protection from network-based inspection devices, so doing deep packet inspection twice may not be necessary. For laptops and other devices that move out from behind network-based protection, local HIPS with vulnerability-facing filters (aka virtual patching) provides defense in depth.

    Neil


