Anti-Virus Software: Is the Cure Worse Than the Disease?

Updated: April 30, 2009

Is desktop anti-virus software headed for irrelevancy , or is it on track to endure as a security measure? That question has surfaced repeatedly in recent years. Various disenchanted users have reported for some time that they forgo anti-virus software, preferring to rely on their own security moxie. In 2006, consulting firm Hurwitz & Associates launched an "anti-virus is dead" campaign, contending that signature-based technologies can't provide adequate virus protection.

But arguments for anti-virus technology suggest that many users lack the security savvy to do without desktop protection. Security vendors, for their part, believe technology improvements equip them to deal with evolving threats. Symantec Corp ., for example, has embedded behavior-based scanning technology into recent products, which the company says helps protect against zero-day attacks .

More Harm Than Help

That said, some industry executives view anti-virus technology with a degree of skepticism.

"The problem is that many of the AV (anti-virus) products have crossed over into being bigger problems for the users than the viruses they protect against, often screwing up how legitimate products work," said Rob Enderle, principal analyst at Enderle Group. "And they can be almost impossible to uninstall without experiencing major problems."

Enderle also noted that anti-virus wares generally appear unable to keep pace with the increase in polymorphic viruses, which he described as viruses that are "different on almost every machine they touch."

David Lawson, director of risk management at Acumen Solutions Inc., a business and technology consultancy, said he stopped using anti-virus on many of his computers about 18 months ago. Initially, he disabled anti-virus to conduct malicious code experimentation on a subnet with three computers. He expanded the approach to more machines as anti-virus subscriptions expired. Lawson said he's encountered no problems with his computers since going without anti-virus software, and that he believes ISP scanning and corporate border scanning have kept trouble at bay.

But Should Enterprises Drop Desktop Anti-Virus Software?

Lawson said that organizations should consider the cost of software in terms of both licensing fees and employee productivity. If the dollar or productivity impact proves unfavorable, "there's a strong case to be made for pulling [anti-virus] off the desktop and going with border scanning and infrastructure based scanning," he said.

Liability Worries

But as for actual practice, Lawson said that he's not aware of any examples of companies that have disabled desktop anti-virus software. IT managers might think such a move possible but may be unwilling "to accept the liability of recommending it," he said.

George Myers, director of product management for Symantec's endpoint security group, said that he doesn't see anti-virus deserting the desktop. "Our view right now is that [anti-virus] will remain at the desktop as well," Myers said. He explained that endpoint security remains essential in light of mobile users and the blurring of the enterprise perimeter . Employees or contractors who bring laptops into an organization can introduce infections within the perimeter. Myers identified the remedy as a layered security approach deployed at multiple points throughout the network infrastructure.

"Laptops, and mobile devices are constantly being connected and disconnected from a company's network as workers travel in and out of the office and connect to network resources from remote locations," Myers said. "This dynamic perimeter demands the use of comprehensive security technologies to protect the information that resides on these machines."

Jon Oltsik, senior analyst for information security at Enterprise Strategy Group, also sees anti-virus in the context of layered defense. "The whole notion that AV becomes irrelevant is misguided in my opinion," he said. Oltsik said that attackers have devised ways around anti-virus, but he noted that there are "still plenty of garden-variety attacks where AV is useful."

Beyond Signatures

But anti-virus vendors aim to push their products beyond the traditional threats. Products over the years have relied on signature-based detection of viruses. But signatures are only effective against known exploits. Rapidly mutating malware can outstrip the anti-virus vendors' ability to write signatures.

"Many systems still use a signature-based system as the sole method of detecting malicious code, which is becoming less and less effective all of the time," said Kevin Prince, chief security officer at Perimeter eSecurity, a managed network-security services company.

Myers acknowledged the changing threat landscape, noting that signatures aren't 100 percent effective against many different types of threats. Symantec's response has been to use a combination of signature-based and behavior-based technologies in its products. Behavior-based technologies examine behaviors of an application and may block executables from running based on the examination of those behaviors.

Symantec introduced behavior-based scanning to its anti-virus offerings in the late 1990s. The company's Symantec Endpoint Protection 11.0 product line, which became available in September 2007, includes TruScan behavior-based technology, which stems from Symantec's acquisition of Whole Security in 2005. Symantec Endpoint Protection also includes Generic Exploit Blocking, which Symantec says employs a single signature to block all exploits targeting a specific vulnerability.

So Is Anti-Virus on the Way Out or a Technology with a Future?

Prince said the answer to that question may depend on the user's perspective. "I have seen many experienced users, what I will call ‘power users' not use anti-virus software for years," he said. Prince said those users can identify email that could contain viruses, are conscious about the media they connect or use in their systems, and know how to configure browsers to not download malicious content off the Web.

But for other users, desktop protection will remain important, Prince suggested. Today's protection suites perform not only anti-virus chores, but also provide other features such as anti-spam , firewall , intrusion detection and intrusion prevention . Prince said, "A less sophisticated user that disables this package would certainly be putting themselves at risk."

Related Categories
Featured Research
  • Securing Enterprise Information Technology

    In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more

  • Office365 Adoption eGuide

    Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more

  • Okta Directory Integration

    For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more

  • Top 8 Identity and Access Management Challenges with Your SaaS Applications

    With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more

  • Better BYOD with Pulse Secure and MDM Partners

    Learn how Pulse Secure and leading MDM product partners are transforming the way employees and IT benefit from the productivity and flexibility of BYOD — without compromising security or increasing management complexity. more