AntiVirus: To Be or Not To Be
Hello there. This is my first blog post, and I hope the reader finds it interesting and useful. My team has been working on a big project inside Symantec code named Hamlet. It is one of the most important projects that Symantec is working on. Driving a project so critical to Symantec’s customers and partners is both a lot of fun and a lot of pressure. ;) In my blog, I plan to write a lot about this release. The topic this time is whether traditional antivirus technology is dead.
There is a lot of discussion in the media right now about the usefulness of traditional AV-based technologies. I have even participated in a couple of those discussions, such as this one at Network World. The discussions are generally started by small intrusion prevention companies that are trying to make a name for themselves or by analyst firms trying to stir up some controversy. I should mention that neither of those motives is bad. Most of these discussions bring up the issue that traditional AV technology cannot keep up with the volume of threats. For example, in the last 6 months of 2006, Symantec identified 8258 new Win32 variants. With the pace of new variants as well as the rise of targeted and zero-day attacks, the small companies and analysts argue that customers are not secure using solely their traditional antivirus-based solutions. Based on this, a few of them broadly and boldly proclaim that AV is dead.
Coming from the biggest antivirus company in the world, this might seem strange to read, but guess what? I think they are right; at least about their premise. I do not agree with their conclusion. In the landscape of today’s dynamic threat environment, traditional signature-based antivirus technologies are not enough to protect endpoints for consumers, small businesses, or large enterprises. To me, this is not new news. Back when Slammer first hit in January 2003, it became clear to Symantec that traditional signature-based detection technologies were not sufficient. Since 2003, Symantec has been adding technologies to our endpoint products that catch threats without relying on signatures.
As I mentioned, the conclusion that is often offered is that antivirus is dead. On this point, I strongly disagree for three reasons. First, there are still a lot of threats out there that traditional antivirus protection can protect against. Let me pick on Slammer again. For two years after the threat came out, the vulnerability it exploited was still the number 1 attack that Symantec saw. Refer to the Sept 2005 ISTR for more information on that. Second, as our customers start deploying more and more proactive solutions that can catch threats without signatures, the signatures are still necessary to clean the threat up. For example, let’s say we notice a process doing something bad, so we prevent it, yet we do not necessarily know everything we need to in order to successfully clean that threat up. That is another area where signature-based AV continues to play a vital role on the endpoint.