Blog post

A Quiet Assumption

By Anton Chuvakin | March 04, 2013 | 9 Comments


When I go to the RSA conference, I always “sniff” the air for trends, emerging developments and even just new research data points. Here is one such discovery from RSA 2013. 

Despite all the anti-malware test methodology debates and controversy among warring security vendors, I sensed what I now call "the quiet AV assumption." Essentially, people who deal with advanced incident response today quietly assume that the malware will not be detected by whatever anti-virus tools installed. The question of "does AV detect it?" never even comes up anymore. In their world, anti-virus effectiveness is basically 0% and this is not a subject of any debate. This is simply a fact of their daily life.

In fact, not only “top shelf” incident responders, but also network forensics implementers, skilled SIEM analysts and even good security architects now  operate under an assumption that the malware will get in and will stay awhile and that traditional anti-malware tools will not affect its propagation and survival. Note that this quiet assumption has nothing to do with the questions like “is AV useful?”, “does AV work?” or “what is the AV effectiveness across the entire pool of systems where it is installed?”

The mere concept of IOCs (such as registry keys, file names and checksums, connections, processes) implies that these need to be analyzed before the artifact  is decided to be “bad.”  The need to do malware reversing also implies that no AV vendor has a nice write-up on it and tossing a sample up to VirusTotal is merely a token gesture.  Thus, IOCs and reversing exist in a different world compared to anti-malware updates and debates about “AV effectiveness.”  One can say that they exist in a more cruel, primal world where only your technical skills  matter, not your purchasing decisions or your security vendor market profile. This is the world of true hand to hand combat between the attackers who create malware (and other tools of their trade) on one side and you and your detection and reversing skills on the other side.

Think about it for a second, does the kill chain paper says "… and then the attacker installs malware … and AV catches it"? Not funny, Anton 🙂

In fact, the line between Security Haves and Have-nots goes cleanly between those who trust AV and those who have seen it fail repeatedly in their own environments to the point that it is assumed to never work for the advanced threats that the organization cares about. Endpoint cleanup with no analysis is still the default in the other world. Reversing the malware to extract the IOCs  FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems is the norm in the other…

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Stiennon says:

    I think you nailed it Anton. AV and it’s cousin patch Management are relegated to health maintenance. Do it well and you will have fewer fire drills. But no matter how well you implement these two technologies you are not even close to addressing the problem of targeted attacks.
    It was ten years ago that I first encountered end-user frustration with AV vendors. One in particular was called out by a large financial institution because they refused to add signatures to their DAT files for malware that was found on the bank’s network. The excuse was that it was not “in the wild” and therefore would not be of benefit to other users of the AV software.
    Look how far we have come.

  • Tyler K says:

    You can apply this to any security technology that attackers have learned to deal with and work around. (Firewalls, for example.) That doesn’t mean you stop using them, just that the bar is higher.

  • Lesliekess says:

    Anton, your point is especially true in the SCADA/Critical Infrastructure world which Modulo highlighted in its #RSAC panel session.. along with research results and the need for industry/academia/government collaboration to address this challenge:

  • @stiennon Thanks for the comment. “no matter how well you implement these two technologies you are not even close to addressing the problem of targeted attacks” <- I love that specific bit, but sooo many are trying.

    @tylerk Re: any technology. Not sure I fully agree – DENY:ALL still works as well as it did in 1993. I guess maybe its value as the primary/the only control has diminished…

  • Andrew Plato says:

    Yes, a lot of security people think AV is useless. And it is, primarily because they do not use it correctly.

    In all the IR incidents we investigated last year, every one of them could have been prevented with good AV, IPS, patching or a combination thereof. Of the one APT style attack we saw, it was still an unpatched vulnerability on a desktop that allowed it to happen.

    While it is true that AV and many security controls can be bypassed with advanced attacks, this is not an excuse to stop using them. If anything, it should reinforce the need to keep these defenses strong and current, so they can block less sophisticated attacks and allow analysts to focus on more sophisticated ones.

    It does not help when shows like RSA obsess over APT to the point of ignoring and outright dismissing basic security controls as “worn out.”

  • @andrew Thanks for the comment. I haven’t met that many in security who think that “AV is useless” (apart from those much-maligned idiots who think that “everything not 100.0% perfect is useless”, of course :-))

    However, I have a sneaking suspicion that your IR workload is NOT the same as that of, say, a Mandiant crew. I dunno, maybe I am wrong about this, but something makes me think that.

    >While it is true that AV and many security controls can be bypassed
    >with advanced attacks, this is not an excuse to stop using them.

    is absolutely true, IMHO. Nowhere in the post I advocate that, of course.

    “Shows like RSA” represent the drama, the circus and the tragedy of the security industry … which makes them so fun to attend. Treating them as a slice of real concerns of security pros in the trenches? Like I say in the post, “not funny, Anton” 🙂

  • Tamer Ibrahim says:

    AV by itself is good but not enough, but being part of an Endpoint Security software will have better impact on breaking the targeted attack cycle, implementing basic security practices and having comperhinsive reporting with solid analysis process will help to be in better position than

  • arnim says:

    The wisdon that AV doesn’t help to protect from APTs isn’t new. Google for it, you’ll find thousands of pages.

  • >The wisdon that AV doesn’t help to protect from APTs isn’t new

    Sure, not new for *you* and *me*. It is not only VERY new for many others, it hasn’t even dawned on them yet. So, it may eventually be NEW, but not it doesn’t exist in their world yet….