Gartner Blog Network


Is Antivirus Obsolete?

by Neil MacDonald  |  September 13, 2012  |  3 Comments

I blogged about this question years ago, but a recent blog on CSO got me thinking once again. Has anything changed?

Thoughts:

1) The question “Has antivirus outlived its value?” is wrong. AV hasn’t been AV for years. Gartner stopped calling the market “AV” back in 2006. Modern Endpoint Protection Platforms (EPP – the term Gartner has used since 2006 to describe the market) include a variety of protection styles, signature-based and non-signature-based, to protect machines.

In other words, AV has been obsolete since 2006, but signature-based antimalware protection still lives on as a part of defense-in-depth strategy to protect endpoints.

2) Here’s how I’ve explained this in a graphic for the past five years:

[Figure: pyramid of endpoint protection styles – whitelisting at the base, blacklisting (signatures) and heuristics above it]

Reactive, signature-based detection mechanisms alone are not enough. A market-leading EPP should provide a variety of protection styles that combine whitelisting, blacklisting and heuristics-based protection approaches in a system where these elements work together.

3) If you have a signature, by all means use it. Signatures (if you have them) can be much more efficient and have a lower chance of introducing a false positive onto a user than behavioral heuristics. Think of it this way: would you rather have your children inoculated against measles and smallpox, or have them get infected and let their adaptive immune system identify it and respond?

4) Whitelisting-based approaches are at the bottom of the pyramid and a more foundational and critical approach to protecting any type of endpoint – desktop, mobile device or server. Why doesn’t iOS require antimalware? Two big reasons – reduced user rights and the Apple App Store functioning as an implicit whitelist. If we can bring this model to PCs, the need for antimalware will be reduced as well. By the way, this is exactly the model Microsoft is using on the WinRT side of Windows 8. Unfortunately, the legacy Windows Desktop side is still there and must be secured, and so traditional EPP protection is still needed (see this recent research note on Windows 8 security for clients).
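The pyramid in points 2 through 4 is a precedence order as much as a set of features: a known-good hash is answered by the whitelist before anything else runs, a known-bad hash is answered cheaply by a signature, and only executables unknown to both fall through to the noisier behavioral layer. The following added example (written for this page; not Gartner’s, Microsoft’s or any EPP vendor’s code) models that decision order over constructed sample files, and also shows the “app store as implicit whitelist” mode from point 4, where anything not on the whitelist is refused and no blacklist or heuristic is consulted. The behaviour names, weights and threshold are assumed illustrative values, not a real product’s rules.

```python
"""Layered endpoint protection decision: whitelist -> signature -> heuristics.

Added illustration for the protection-styles pyramid; all sample data and
heuristic rules below are constructed for this example.
"""
import hashlib
from dataclasses import dataclass

# Behaviour weights are assumed example values, not a vendor's rule set.
HEURISTIC_WEIGHTS = {
    "writes_to_autorun": 3,
    "injects_into_other_process": 4,
    "disables_security_tool": 5,
    "unsigned_binary": 1,
    "network_beacon_on_start": 2,
}
HEURISTIC_BLOCK_THRESHOLD = 5  # assumed; score at or above this is blocked


@dataclass(frozen=True)
class Executable:
    """A file the endpoint is about to run (constructed sample data)."""
    name: str
    content: bytes
    behaviors: frozenset = frozenset()  # behaviours observed when it runs

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def heuristic_score(exe: Executable) -> int:
    """Sum the weights of the behaviours observed for an unknown executable."""
    return sum(HEURISTIC_WEIGHTS.get(b, 0) for b in exe.behaviors)


class EndpointProtection:
    """Combines the three protection styles in pyramid order."""

    def __init__(self, whitelist, signatures, default_deny=False):
        self.whitelist = set(whitelist)      # known-good hashes (foundation)
        self.signatures = set(signatures)    # known-bad hashes (blacklist)
        self.default_deny = default_deny     # app-store model: whitelist only

    def verdict(self, exe: Executable):
        digest = exe.sha256()
        # 1. Whitelist first: a known-good file never reaches the heuristics,
        #    so a noisy behaviour profile cannot produce a false positive here.
        if digest in self.whitelist:
            return ("allow", "whitelist")
        # In the reduced-rights / app-store model nothing else gets a chance.
        if self.default_deny:
            return ("block", "not on whitelist")
        # 2. Signature: cheap and definitive when one exists.
        if digest in self.signatures:
            return ("block", "signature")
        # 3. Heuristics: only for files unknown to both lists.
        score = heuristic_score(exe)
        return ("block" if score >= HEURISTIC_BLOCK_THRESHOLD else "allow", "heuristic")


# Constructed samples. The trusted updater deliberately looks suspicious to
# the heuristics (score 6) to show why the whitelist must be consulted first.
TRUSTED_UPDATER = Executable(
    "updater.exe", b"constructed trusted updater bytes",
    frozenset({"writes_to_autorun", "unsigned_binary", "network_beacon_on_start"}))
KNOWN_MALWARE = Executable("invoice.exe", b"constructed known-bad bytes")
UNKNOWN_MALWARE = Executable(
    "photo.scr", b"constructed unknown-bad bytes",
    frozenset({"injects_into_other_process", "disables_security_tool"}))
UNKNOWN_BENIGN = Executable(
    "notes.exe", b"constructed unknown benign bytes", frozenset({"unsigned_binary"}))
SAMPLES = (TRUSTED_UPDATER, KNOWN_MALWARE, UNKNOWN_MALWARE, UNKNOWN_BENIGN)


def build_general_purpose_epp() -> EndpointProtection:
    """Windows-desktop style: whitelist plus signatures plus heuristics."""
    return EndpointProtection(whitelist={TRUSTED_UPDATER.sha256()},
                              signatures={KNOWN_MALWARE.sha256()})


def build_app_store_model() -> EndpointProtection:
    """iOS / WinRT style: the store catalogue is the whitelist, default deny."""
    return EndpointProtection(whitelist={TRUSTED_UPDATER.sha256()},
                              signatures=set(), default_deny=True)


def evaluate(epp: EndpointProtection, samples=SAMPLES) -> dict:
    """Map each sample's name to the (decision, deciding layer) pair."""
    return {exe.name: epp.verdict(exe) for exe in samples}


if __name__ == "__main__":
    for label, epp in (("general-purpose OS", build_general_purpose_epp()),
                       ("app-store model", build_app_store_model())):
        print(label)
        for name, (decision, layer) in evaluate(epp).items():
            print(f"  {name:12s} {decision:5s} via {layer}")
```

Running it shows the same four files judged twice: on the general-purpose endpoint the heuristics only ever see the two unknown files, while in the app-store model the unknown benign file is refused along with the unknown malware, which is the trade-off that lets that model get by without a blacklist at all.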

It comes down to this – if you have a general purpose OS where users run around with full admin rights and can download arbitrary executable code from anywhere, then signature-based antimalware protection as a part of an integrated EPP solution should be a requirement to protect the user and the information being handled on the device.

That is the state of today’s Windows PC. And yes, for those that are still in denial, Apple’s Mac OS.

Oh, and Android, by the way – this is one of the factors in Google’s recently announced acquisition of VirusTotal.



Thoughts on Is Antivirus Obsolete?


  1. You missed Linux :) Linux desktops also need EPP.

    Endpoint protection will be needed as long as there is some point of connectivity… so will therefore never be obsolete.

  2. Neil MacDonald says:

    @Solis

    Yes, you are correct – the same applies to a general purpose desktop running Linux.

    Neil

  3. Isn’t it tempting to announce a demise of a multi-billion dollar industry? I bet it is.

    The question IMHO is not so much whether or not the anti-virus industry is dead, but rather how many active and strong players can / will it effectively sustain in the long run?
    There are dozens of players in this nowadays commoditized industry despite relatively high entry barriers.

    Ideally such players shall pool their research and resources more openly and effectively, something VirusTotal is doing with its aggregated threat analysis results for the AV players. (This is why I disagree with you on Google’s acquisition of VT, I think it makes more sense to use VT’s backend to run Google’s backend data through rather than using a specific AV.)

    In this scenario a user does not need to have one version of anti-virus, the user merely needs a tool that checks a specific threat against all known AVs and takes an action based on a prescribed policy.

    How long shall / will this list be? My guess is <5.


