
Is Antivirus Obsolete?

by Neil MacDonald  |  September 13, 2012  |  3 Comments

I blogged about this question years ago, but a recent blog on CSO got me thinking once again. Has anything changed?

Thoughts:

1) The question “Has antivirus outlived its value?” is wrong. AV hasn’t been AV for years. Gartner stopped calling the market “AV” back in 2006. Modern Endpoint Protection Platforms (EPP – the term Gartner has used since 2006 to describe the market) include a variety of protection styles, signature-based and non-signature-based, to protect machines.

In other words, AV has been obsolete since 2006, but signature-based antimalware protection still lives on as part of a defense-in-depth strategy to protect endpoints.

2) Here’s how I’ve explained this in a graphic for the past five years:

[Graphic: pyramid of endpoint protection styles; image not captured on this page]

Reactive, signature-based detection mechanisms alone are not enough. A market-leading EPP should provide a variety of protection styles that combine whitelisting, blacklisting and heuristics-based protection approaches in a system where these elements work together.

3) If you have a signature, by all means use it. Signatures (if you have them) can be much more efficient and have a lower chance of presenting a false positive to a user than behavioral heuristics. Think of it this way: would you rather have your children inoculated against measles and smallpox, or have them get infected and let their adaptive immune system identify it and respond?

4) Whitelisting-based approaches are at the bottom of the pyramid and are a more foundational and critical approach to protecting any type of endpoint – desktop, mobile device or server. Why doesn’t iOS require antimalware? Two big reasons – reduced user rights and the Apple App Store functioning as an implicit whitelist. If we can bring this model to PCs, the need for antimalware will be reduced as well. By the way, this is exactly the model Microsoft is using on the WinRT side of Windows 8. Unfortunately, the legacy Windows Desktop side is still there and must be secured, and so traditional EPP protection is still needed (see this recent research note on Windows 8 security for clients).
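As an added example that is not part of the original post, the following Python sketch models the pyramid's ordering: an allowlist of known-good file hashes is consulted first, then a signature blocklist, and behavioural heuristics only for files that neither layer knows. Every hash, behaviour label, threshold and the admin-rights weighting is a constructed assumption for illustration, not any vendor's logic.

```python
# Added example (not from the original post): a minimal model of the
# layered EPP decision the post describes. Allowlist first (foundational,
# cheapest, no false positives), then a signature blocklist (efficient,
# low false-positive risk), then behavioural heuristics only for files
# that are still unknown. All hashes, rules and weights are constructed.
import hashlib
from dataclasses import dataclass, field


@dataclass
class Artifact:
    name: str
    content: bytes
    user_is_admin: bool = False
    behaviors: set = field(default_factory=set)  # traits observed at run time


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: one known-good tool and one known-bad sample.
GOOD = b"MZ... constructed known-good installer bytes"
BAD = b"MZ... constructed known-bad sample bytes"
ALLOWLIST = {sha256(GOOD)}                            # the "implicit app store" layer
SIGNATURES = {sha256(BAD): "Constructed.Sample.A"}    # reactive signature layer
SUSPICIOUS = {"disables_av", "injects_into_process",
              "persists_via_run_key", "contacts_raw_ip"}


def heuristic_score(a: Artifact) -> int:
    """Behavioural layer: count suspicious traits; weight them higher when
    the user already holds admin rights (the post's 'full admin' case)."""
    score = len(a.behaviors & SUSPICIOUS)
    return score * 2 if a.user_is_admin else score


def classify(a: Artifact, heuristic_threshold: int = 2) -> tuple:
    """Return (verdict, layer). Layers are consulted in pyramid order, so a
    whitelisted hash never reaches the costlier, false-positive-prone layers."""
    h = sha256(a.content)
    if h in ALLOWLIST:
        return "allow", "whitelist"
    if h in SIGNATURES:
        return "block", "signature:" + SIGNATURES[h]
    score = heuristic_score(a)
    if score >= heuristic_threshold:
        return "block", "heuristic:score=%d" % score
    return "allow", "heuristic:unknown-but-benign"
```

The same unknown binary is allowed for a standard user but blocked for an admin, which is the post's point about user rights changing how much the heuristic layer has to carry.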

It comes down to this – if you have a general purpose OS where users run around with full admin rights and can download arbitrary executable code from anywhere, then signature-based antimalware protection as part of an integrated EPP solution should be a requirement to protect the user and the information being handled on the device.

That is the state of today’s Windows PC. And yes, for those who are still in denial, Apple’s Mac OS.

Oh, and Android, by the way: this is one of the factors in Google’s recently announced acquisition of VirusTotal.


3 responses

  • 1 Solis Consulting, September 15, 2012 at 5:19 am

    You missed Linux :) Linux desktops also need EPP.

    Endpoint protection will be needed as long as there is some point of connectivity… so will therefore never be obsolete.

  • 2 Neil MacDonald, September 16, 2012 at 8:18 am

    @Solis

    Yes, you are correct – the same applies to a general purpose desktop running Linux.

    Neil

  • 3 Dmitry Shesterin, September 17, 2012 at 12:29 pm

    Isn’t it tempting to announce a demise of a multi-billion dollar industry? I bet it is.

    The question IMHO is not so much whether or not the anti-virus industry is dead, but rather how many active and strong players can / will it effectively sustain in the long run?
    There are dozens of players in this nowadays commoditized industry despite relatively high entry barriers.

    Ideally such players shall pool their research and resources more openly and effectively, something VirusTotal is doing with its aggregated threat analysis results for the AV players. (This is why I disagree with you on Google’s acquisition of VT, I think it makes more sense to use VT’s backend to run Google’s backend data through rather than using a specific AV.)

    In this scenario a user does not need to have one version of anti-virus, the user merely needs a tool that checks a specific threat against all known AVs and takes an action based on a prescribed policy.

    How long shall / will this list be? My guess is <5.