1) The question “Has antivirus outlived its value?” is wrong. AV hasn’t been AV for years. Gartner stopped calling the market “AV” back in 2006. Modern Endpoint Protection Platforms (EPP – the term Gartner has used since 2006 to describe the market) include a variety of protection styles- signature and non-signature based to protect machines.
In other words, AV has been obsolete since 2006, but signature-based antimalware protection still lives on as a part of defense-in-depth strategy to protect endpoints.
2) Here’s how I’ve explained this in a graphic for the past five years:
Reactive, signature-based detection mechanisms alone are not enough. A market-leading EPP should provide a variety of protection styles that combine whitelisting, blacklisting and heuristics-based protection approaches in a system where these elements work together.
3) If you have a signature, by all means use it. Signatures (if you have them) can be much more efficient and have a lower chance of introducing a false positive onto a user than behavioral heuristics. Think of it this way, would you rather have your children inoculated against measles and smallpox, or have them get infected and let their adaptive immune system identify it and respond?
4) Whitelisting-based approaches are at the bottom of the pyramid and a more more foundational and critical approach to protecting any type of endpoint – desktop, mobile device or server. Why doesn’t iOS require antimalware? Two big reasons – reduced user rights and the Apple appstore functioning as an implicit whitelist. If we can bring this model to PCs, the need for antimalware will be reduced as well. By the way, this is exactly the model Microsoft is using on the WinRT side of Windows 8. Unfortunately, the legacy Windows Desktop side is still there and must be secured and so traditional EPP protection is still needed (see this recent research note on Windows 8 security for clients).
It comes down to this – if you have a general purpose OS where users run around will full admin rights and can download arbitrary executable code from anywhere, then signature-based antimalware protection as a part of an integrated EPP solution should be a requirement to protect the user and the information being handled on the device.
That’s is the state of todays Windows PC. And yes for those that are still in denial, Apple’s Mac OS.
Oh, and Android by the way – this is one of the factors in Google’s recently announced acquisition of VirusTotal.
Category: Beyond Anti-Virus Endpoint Protection Platform Information Security Next-generation Security Infrastructure Windows 8 Tags: Adaptive Security Infrastucture, Apple, Beyond Anti-Virus, Defense-in-Depth, Endpoint Protection Platform, Information Security, Microsoft, Microsoft Security, Windows