Our anti-antivirus study got a lot of attention (you could say it went viral). Most interestingly, people called our methodology “flawed.” While our report acknowledged the limitations of our methodology, we believe that, fundamentally, the model for antivirus—and not our methodology—is flawed. Antivirus was built years ago during an age when mass infections were the name of the game. Today, malware is deployed to target SPECIFIC individuals—CEOs, researchers, politicians, executives—and not everyone’s mom.
One reaction to our study asserted that a virus can be blocked based on source IP: “email with the malware attached, or the included URL… could have been blocked based on its source IP.” This approach, however, addresses an old threat model in which the attacker would try to infect as many targets as possible with a single campaign; that included reusing URLs to host the malware and IP addresses to send the email. Reusing IPs allowed security companies to maintain blacklists for both IPs and URLs. However, in today’s threat landscape, where we consider attackers that are targeting a specific victim, they create a dedicated URL to host the malware and use a dedicated IP address to send the malicious mail, easily overcoming
Our study concluded that antivirus solutions are very effective in fighting widespread malware, and slightly less effective for older malware (2-3 months old). But for new malware, there is a good chance it will evade the antivirus. In fact, our results are consistent with other studies. For example, let’s look at the AV-TEST Institute’s results.
The AV-TEST Institute, according to their site, is a “leading international and independent service provider in the fields of IT security and anti-virus research.” According to AV-TEST’s website, in order to test the protective effect of a security solution, AV-TEST researchers simulate a variety of realistic attack scenarios such as the threat of e-mail attachments, infected websites or malicious files that have been transferred from external storage devices. When carrying out these tests, AV-TEST takes the entire functionality of the protection program into account. But even with all of the antivirus functionality enabled, the results reveal a worrisome

antivirus solutions are very effective in fighting widespread malware and slightly less effective for older malware; for new malware, there is a good chance it will evade the antivirus solutions.

That’s exactly what we found.
Finally, one should ask a question CEOs are asking CISOs worldwide: if antivirus software is so good, how come we see so many successful attacks based on infected computers (Coca-Cola, South Carolina DoR, to name a few)? And the obvious answer is that antivirus is not perfect and needs to be augmented with data security solutions, as was honestly acknowledged by antivirus veteran researcher Mikko

systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense.”