
Antivirus is Dead. Long Live Antivirus.

by Neil MacDonald  |  December 23, 2010  |  5 Comments

Signature-based antimalware detection is increasingly ineffective against an explosion in the number of malware variants as well as an increase in the number of financially motivated targeted attacks.

Does this mean we get rid of antivirus technology altogether? Not at all.

What it means is that we can no longer protect endpoints using signature-based mechanisms alone. Endpoints must be protected by a combination of mechanisms – whitelisting, blacklisting and behavior-based approaches – working together as a system, so that a sample which slips past one layer is still caught by another.
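To make that point concrete, here is an added illustration (not code from this post or from any EPP vendor) of the three layers deciding on a single process-start event as one system, next to the signature-only baseline the post argues is no longer sufficient. The sample binaries, their hashes, the byte signature and the observed runtime behaviors are all constructed for the example; the `restrict` verdict stands in for a sandbox or network-throttle response rather than an outright kill.

```python
"""Layered endpoint verdict: whitelist + blacklist + behavior heuristics.

Added illustration, not code from the post or any EPP product. Binaries,
hashes, the signature pattern and the behavior sets are constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    """What an endpoint agent knows about a binary that just started (constructed)."""
    path: str
    image: bytes                                   # on-disk bytes of the executable
    behaviors: set = field(default_factory=set)    # actions observed at runtime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample binaries. Real ones would be PE files; byte strings are
# enough to show how each layer sees them.
CORP_TOOL = b"MZ...corp-deploy-tool-1.4..."
KNOWN_BAD = b"MZ...EVIL_DROPPER_v1...payload..."
# A "repacked" variant of the same malware: every byte transformed, so the hash
# and the byte signature no longer match. What it does at runtime is unchanged.
REPACKED_BAD = bytes(b ^ 0x5A for b in KNOWN_BAD)
UNKNOWN_APP = b"MZ...some-new-shareware..."

# Layer 1: whitelisting (hashes of approved builds; must be refreshed per build).
ALLOW_HASHES = {sha256_hex(CORP_TOOL)}
# Layer 2: blacklisting (hashes plus byte signatures of known malware).
BLOCK_HASHES = {sha256_hex(KNOWN_BAD)}
SIGNATURES = [re.compile(rb"EVIL_DROPPER_v\d")]
# Layer 3: behavior heuristics. Any one action can be legitimate; the
# combination is what indicates malice, which keeps false positives down.
SUSPICIOUS = {"writes_autorun_inf", "injects_into_browser",
              "disables_av", "persists_in_run_key"}


def verdict(ev: ProcessEvent) -> str:
    """All three layers applied in order; returns allow/block/restrict/monitor."""
    h = sha256_hex(ev.image)
    if h in ALLOW_HASHES:
        return "allow"                      # approved build: never second-guessed
    if h in BLOCK_HASHES or any(sig.search(ev.image) for sig in SIGNATURES):
        return "block"                      # known bad: cheap, exact, no ambiguity
    hits = ev.behaviors & SUSPICIOUS
    if len(hits) >= 2:
        return "block"                      # unknown and behaving like malware
    if len(hits) == 1:
        return "restrict"                   # graded response: sandbox/throttle, not kill
    return "monitor"


def signature_only(ev: ProcessEvent) -> str:
    """The hash-and-signature baseline, for comparison."""
    h = sha256_hex(ev.image)
    if h in BLOCK_HASHES or any(sig.search(ev.image) for sig in SIGNATURES):
        return "block"
    return "allow"


# Constructed events: one per sample binary, with plausible observed behaviors.
SAMPLE_EVENTS = {
    "corp_tool": ProcessEvent(r"C:\Tools\deploy.exe", CORP_TOOL,
                              {"writes_autorun_inf"}),
    "known_bad": ProcessEvent(r"C:\Users\a\Temp\inv.exe", KNOWN_BAD,
                              {"injects_into_browser", "disables_av"}),
    "repacked_bad": ProcessEvent(r"C:\Users\a\Temp\inv2.exe", REPACKED_BAD,
                                 {"injects_into_browser", "disables_av"}),
    "unknown_app": ProcessEvent(r"C:\Users\a\Downloads\game.exe", UNKNOWN_APP,
                                {"persists_in_run_key"}),
}


def run_all() -> dict:
    """Map sample name -> (signature-only verdict, layered verdict)."""
    return {name: (signature_only(ev), verdict(ev)) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, (sig, layered) in run_all().items():
        print(f"{name:13s} signature-only={sig:6s} layered={layered}")
```

The repacked variant shows the gap: its hash and byte signature no longer match, so the signature-only scanner waves it through, while the behavior layer still blocks it. The whitelisted corporate tool, which writes an autorun.inf as part of its job, is never flagged, which is exactly the false positive a behavior-only scanner would raise on it; the price is that ALLOW_HASHES has to be updated whenever a new build of that tool ships.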

That’s why we retired the antivirus Magic Quadrant at Gartner back in 2006 and combined the separate research streams on personal firewalls, antivirus, antispyware and host-based intrusion prevention systems into what Gartner research refers to as the “Endpoint Protection Platform” (EPP).

The EPP truly is a platform supporting multiple styles of protection for an endpoint. We’ve just updated our rating of the vendors in this market in this magic quadrant research note for clients.

EPPs have gone well beyond converged antimalware protection. Here are the types of capabilities we evaluated in this latest research:

  • Data protection capabilities in the form of full-drive, removable-device and file/folder encryption, as well as basic data loss prevention capabilities.
  • Behavioral-heuristics-based host intrusion prevention capabilities.
  • Buffer overflow protection.
  • Application control capabilities (aka whitelisting).
  • Device and network access control capabilities.
  • Security configuration management.
  • Ability to optimize scanning in virtualized environments.
  • Vulnerability management (some have patching capabilities, others only report on vulnerabilities).
  • Integration with cloud-based community systems for faster access to intelligence on emerging threats.

The good news for enterprises is that the EPP market is extremely competitive and prices continue to drop. In many cases, encryption can be combined in the same contract without an increase in pricing as compared to prior contracts, especially in competitive bidding situations.

With the migration to Windows 7 as a catalyst, EPP replacement offers a significant opportunity for cost reduction and vendor consolidation in 2011 and beyond.


Category: Beyond Anti-Virus, Endpoint Protection Platform, Next-generation Security Infrastructure, Virtualization, Windows 7

5 responses

  • 1 Amey   December 24, 2010 at 1:08 am

    Signature-based detection is efficient for unmodified malware, but with several variants of malware coming out, signatures are no longer enough to keep our systems protected. Behavior-based intelligent antivirus is what is needed today. But this approach is not robust as of now; it will require quite a lot of research to become perfect. Many AV vendors nowadays include behavior-based detection for desktops. But in my personal experience it has only given me false positives.

  • 2 custom gmp peptide   December 24, 2010 at 7:52 am

    waiting for it

  • 3 David G   December 26, 2010 at 8:06 pm

    I agree with Neil, conventional signatures can’t detect all those millions of variants that use compression or encryption to bypass them. You need a new way to do it. Since 90% of the threats come from the Web, it is a good start to have a Web-reputation-enabled EPP to block some of them from reaching you; NAC won’t help you on this. Also, application whitelisting does not help you that much when the targeted application is whitelisted (like browsers or plug-ins like Adobe Acrobat or Flash). The most advanced products block EXEs and application protocols at the network level (e.g. P2P, IRC).

    The other 10% of infections come from external devices. Device control helps if you block execution but permit read and write. At least people can still work and the autorun malware family can’t spread. This is a quick win.

    Endpoint encryption won’t help you against data-stealing malware since it runs in your context (unencrypted). Endpoint encryption will protect your data if your PC gets stolen, period. Data loss protection, on the other hand, will help you detect or prevent a data loss from an infection.

    Behavior analysis or monitoring sounds like the way to go, but I agree with Amey: we have seen some false positives in the first implementations by vendors. And it slows down your apps like crazy. So you need to tune it. But that’s beyond the average IT guy’s abilities. New AVs (sorry), new EPPs are more complicated than they used to be, and training about new threats and new EPPs is rare.

    Self vulnerability assessment or protection is cool but rare. Some vendors will sell this feature as virtual patching. It won’t detect the buffer overflow, but it detects the exploit.

    From my audit and incident handling experience, IT guys disable all the protection features as soon as they get one false positive. This leaves only traditional signature detection in place. Two customers called me this autumn; they were infected (2000 and 1400 computers). Both of them were not patched and everybody had access to almost everything. Combined with bad practices, this leads to disasters, and then they blame the EPP to save their jobs…

    One of the technologies I like and don’t see much in EPPs is integrity monitoring and enforcement. Those that were using it during the last Stuxnet outbreak were less vulnerable.

    And yes, we need EPPs made for the virtualized infrastructure. Only a few (very few) vendors do it.

    Windows 7 migration might be a good time to change EPP, but virtualization is a good reason too. When they are combined (7 + VDI) it is a must.

  • 4 Neil MacDonald   January 4, 2011 at 8:15 am

    @Amey – agree on the issue of false positives if behavioral approaches alone are used to detect malware. Our vision of an EPP is a system that uses a combination of whitelisting, blacklisting and behavior-based styles of protection working together.

    Another thought to consider is rethinking the typical binary yes/no response on a piece of suspect code. For example, rather than blocking something that appears malicious, let’s limit its access to system resources via sandboxing, virtualization or network throttling techniques.

    Final thought – many false positives are created when rules that govern what an application should or should not be doing are violated because the rules themselves fall out of sync with the application they are protecting. If you are considering a technology that uses this approach, make sure new applications are deployed with updated rules.


  • 5 Neil MacDonald   January 4, 2011 at 8:21 am

    @David – you raise a couple of really good points.

    Support for virtualized environments was considered as we evaluated solutions in the research I referenced. Agreed there are only two vendors really innovating here.

    In addition to your suggestion to disable autorun for a quick win, I’d add making sure that Data Execution Prevention (NX/XD) support is enabled on the OS and the applications you are running. Windows, Linux and Mac OS support this on x86 hardware. That’s another quick win.

    Virtual patching is available from some of the vendors in their broader HIPS capabilities. Cool stuff. You may already have this type of protection from network-based inspection devices, so doing deep packet inspection twice may not be necessary. For laptops and other devices that move out from behind network-based protection, local HIPS with vulnerability-facing filters (aka virtual patching) provides defense in depth.