By Robin Bloor
January 22, 2007
Antivirus technology is a crock. It fails to prevent computers from
getting infected with viruses, and this failure contributes to many
other security woes that plague the world's computers.
Because viruses spread, hackers find it easier to compromise computers,
identity theft is better enabled, and computer fraud is easier to
perpetrate. Virus-infected computers become a resource for hackers to
exploit. Some hackers assemble and control networks of thousands of such
computers and use them to distribute huge volumes of spam, mount
sophisticated phishing attacks, and launch targeted "denial of service"
attacks on companies.
The level of virus infection is high. It's not an epidemic; it's a
pandemic. How bad is it? That depends on how you look at it.
For the home computer user and small-business user, infection is
chronic. In June, 2006, Microsoft (MSFT) revealed the results of a
15-month test of its Malicious Software Removal Tool on home PCs and
small-business PCs. The utility had been used to scan and clean 5.7
million PCs, and it found backdoor Trojans, or programs that let hackers
gain entry, on about 62% of them. And during the 15-month period, 20% of
PCs that were cleaned were reinfected.
Big companies aren't immune, either. The 2005 Yankee Group Security
Leaders & Laggards Survey indicated that while 99% of enterprises have
deployed antivirus programs, 62% got infected by viruses. The situation
for large enterprises is, it seems, not much better than for other PC
users. They may be better able to recover from infection, but they still
Faulty "Burglar Alarms."
So why is it that AV technology does such an inept job? Consider the
following information, published last year by AusCERT, Australia's
Computer Emergency Response Team.
The most popular AV products fail to prevent 80% of new viruses. AusCERT
declined to name the AV companies publicly, but in case you didn't know,
the leading AV vendors are Symantec (SYMC), McAfee (MFE), and Trend
Micro (TMIC), in that order.
Mind you, it isn't necessarily the case that these products are
technically inferior to other AV products. It's just that most virus
writers test their viruses against the popular AV products before
unleashing them on the world.
Because of this, AV technology is doomed to be ineffective, and it is
never going to be effective. The AV vendors have built "burglar alarms"
that alert you only if a known burglar tries to enter your house. Any
burglar that they don't recognize gets in unopposed.
The practical solution is to have a "burglar alarm" that sounds when
anyone you don't know tries to enter the house. Deceptively simple,
isn't it? But security products that work in this way have only recently
The first company to offer such a product was SecureWave, in 2001. Since
then three other companiesAppSense, Bit9, and Savant Protectionhave
introduced products that work in this way. Instead of focusing on
identifying malware, these products manage a full recorda so-called
white listof the valid programs, and prevent other programs from
running, or, if necessary, run unrecognized programs in quarantine until
their nature becomes clear.
Not Solved Yet
At the moment these products are focused only on the enterprise market.
As the persistent failure of AV products becomes increasingly visible
and as the popularity of these newer products grows, they will become
available to the home user. Until then, the computer virus pandemicand
all the evils it engendersis likely to continue.
Symantec Chief Executive John Thompson declared in a speech in October
that the problem of "worms and viruses is solved." It was a bewildering
declaration, coming at a time when virus infection rates are as bad as
they have ever been and cybercriminals are better able to exploit such
But he was partly right. Only it's not Symantec that has solved the
problem. Technically, the malware blocking problem is solvedby the
handful of companies that deliver a whitelisting-based solution. Yet
cybercrime is rampant, and it will remain a blight until the use of this
newer wave of products is widespread.
Bloor is a partner and analyst with Hurwitz & Associates, a
Massachussetts-based IT research and consulting firm. He is also chief
research officer and founder of Bloor Research, an IT research and
consulting firm based in Northamptonshire, England, and co-author of
Service Oriented Architecture for Dummies..
Subscribe to InfoSec News