Anti-virus is alive and kicking

Rumours of anti-virus software's death are exaggerated. It still packs a punch, as Jessica Twentyman explains.

In recent years, a growing chorus of industry analysts has boldly predicted the imminent death of traditional anti-virus technologies. Their argument is that by relying on signature-checking to detect and eradicate pernicious code, the anti-virus suppliers can't keep up with the flood of viruses, Trojans, bots, zombies, spyware, spam and blended malware constantly released onto computer networks by the criminal underworld.

By design, the analysts argue, this kind of technology can only respond to threats it has seen before, and even packages that use more sophisticated approaches, such as advanced heuristics, can't stop all of the fresh threats they encounter.

But despite the rumours of its death, anti-virus software continues to enjoy a privileged position in corporate security budgets. Simply put, most information security professionals are not prepared to take the risk of going without it.

For that reason, IT market research firm IDC estimates that the worldwide enterprise anti-virus market, which amounted to some US$3.1 billion in 2007, will grow to US$4.5 billion by 2010.

And, despite some shortcomings, the reason for continued investment in anti-virus is clear. The volume, severity and sophistication of attacks have never been greater, and a technology effective at tackling known threats is still highly valued - it frees up time and resources to manage previously unseen threats.

In short, while most information security professionals agree that anti-virus software is (by and large) a commodity item, they remain convinced that it's still a valuable and necessary one.

Leading anti-virus vendors are working to incorporate the latest technologies, such as intrusion protection systems (IPS), into their products. The anti-virus products of the future, they argue, will be less reliant on signature-based eradication and more capable of blocking malware where signatures don't exist.

This trend requires a fresh definition of the anti-virus market, says John Oltsik, an analyst with IT researchers Enterprise Strategy Group (ESG). "Some analysts declare that anti-virus software is dead. I disagree and submit that endpoint security is evolving as a function of the changing threat landscape," he says. A good example, Oltsik adds, was the acquisition of data security company Utimaco by Sophos in August 2008.

Oltsik's advice to information security professionals? "In 2009, look for traditional anti-virus, anti-spyware and firewall software to merge with endpoint operations, data loss prevention and full-disk encryption."

Other analysts agree. In 2007, Gartner replaced its ‘market quadrant' for anti-virus suppliers with one focusing on ‘endpoint protection suppliers'. The results, however, remain much the same, with McAfee, Symantec, Trend Micro and Sophos leading the field.

In general, a more accurate definition of today's anti-virus (or anti-malware) market includes products that protect file servers, email gateways, web browsers and desktops. They may be standalone products or part of an integrated security suite that includes a firewall, intrusion detection system, network access control and spam filtering. Also gaining in popularity are security appliances, as well as hosted and managed security services that outsource the management details of an organisation's security strategy.

At a minimum, an enterprise anti-virus solution needs to be compatible with the customer's enterprise operating systems and be able to scale. It should provide frequent automatic signature updates and alert generation when an event is detected and quarantine or removal functionality, and perhaps healing capabilities for suspicious content.

So how will vendors seek to protect enterprise customers from malware during 2009? For a start, they're looking at the ways in which it is delivered. "The old method of spreading malicious code via emails will nearly disappear in 2009," predicts Magnus Kalkuhl, member of the global research and analysis team at software company Kaspersky Lab.

"Today, threats are mainly spread via links, and when the user clicks on them, malware will be downloaded," explains Kalkuhl. "The malicious program can then start its nasty tricks, whether that's logging keystrokes, stealing an ID, or downloading more malware. As these links may be routed over a number of servers, the user gets redirected from one machine to another. These ‘virtual relays' require additional efforts by anti-virus vendors to identify new malware, so such methods are certain to be used more frequently in the coming year."

Botnets emerging in Russia, Brazil and China; social networking-based malware; and attacks focusing on mobile smartphones - all will be major concerns in 2009, according to MessageLabs' 2008 Annual Security Report.

Luckily, the most recent releases of popular anti-virus products are catching more malware than previous versions and without the major performance hits that were common to their processor-intensive predecessors, according to independent testing lab, AV-Test. Last year, it analysed the latest versions of 33 anti-malware products, measuring how well they did in detecting known malware and spyware, as well as unknown malware.

Symantec's Norton 2009 beta came out with the best ratings in the lab tests, catching over 98 per cent of malware, over 95 per cent of spyware, and with no false positives. The software found new malware over 95 per cent of the time.

In general, says Andreas Marx, CEO of AV-Test, "the 2009 [products] seem to be a lot better optimised for the real needs of the customers, and they will not slow down the systems in such a dramatic way, as the 2008 editions did." In addition, he notes, many of the 2009 products can or will eventually use ‘cloud'-type services for more comprehensive scans, contributing to better detection rates.

But despite improvements in the effectiveness of anti-virus software, there is no room for complacency, warns Stuart Okin, UK managing director of IT security specialists Comsec Consulting. "Of particular concern to the security heads at major organisations that I've been talking to recently is the threat of ‘spear phishing' or ‘whaling', where a small handful of the most influential executives within a company become the focus of an attack," he says.

In these attacks, sophisticated social engineering techniques are used in the form of emails that often purport to originate from a government agency and are so convincing that the recipient is persuaded to open an attachment or follow a link.

At that point, malware may be unwittingly released onto their organisation's systems. "This approach works, because the spam is individually targeted, often appears genuine and urgent, and recipients feel obliged to take action on it," explains Okin.

Anti-virus software will play an important part in protecting organisations from the malware introduced during such attacks - but only in conjunction with a host of other threat-management solutions, Okin says. "Anti-virus is still an important part of a layered approach to IT security - but it is only a part of such an approach. You need to keep an eye on everything that your anti-virus systems aren't able to detect - and that can encompass a huge range of nasties."