Is desktop antivirus dead?

Tenfold increase in malware variants since 2002

Is the bell tolling for desktop antivirus technology?

Some industry analysts are proclaiming the traditional antivirus method for detecting and eradicating viruses, trojans, spyware and other baneful code by matching it against a signature to be "dead."

They say signature-based checking can't keep up with the flood of virus variants manufactured by a criminal underworld that is beating the antivirus vendors at their own game. And they are arguing it's time for companies to adopt newer approaches, such as whitelisting or behavior-blocking, to protect desktops and servers.

"It's the beginning of the end for antivirus," says Robin Bloor, partner at consulting firm Hurwitz & Associates, who adds he began his "antivirus is dead" campaign a year ago and feels even more strongly about it today.

"I'm going to keep beating this drum. The approach antivirus vendors take is completely wrong," Bloor said.

"The criminals working to release these viruses against computer users are testing against antivirus software. They know what works and how to create variants."

The fundamental problem "isn't about viruses, it's about what should be running on a computer," Bloor says.

Instead of antivirus software, he says, users should be investing in whitelisting software that prevents viruses from running because it only allows authorized applications to run.

Whitelisting products are available from SecureWave, Bit9, Savant, AppSense and CA, the first traditional antivirus vendor to see the light, in Bloor's view.

Others are joining Bloor's way of thinking. Andrew Jaquith, a security analyst at Yankee Group, in December published a research paper entitled "Anti-Virus is Dead: Long Live Anti-Malware." Yankee Group's research indicates that there's an "explosion" in cumulative malware variants, with 220,000 cumulative unique variants expected in 2007, a tenfold increase over 2002 levels.

The antivirus vendors simply can't keep up, Jaquith says, noting that some antivirus lab managers privately complain this flood of virus variants, which force signature changes every 10 minutes, adds up to the equivalent of a denial-of-service attack against them.

"Most antivirus labs work the same way; they get more samples than they can handle on a daily basis," Jaquith says.

"They triage based on severity. The antivirus people are like folks with nets trying to catch the big fish, so if you're a bad guy, you want to be a minnow and get through the driftnet."

The best thing about antivirus signatures is that "they're accurate and the false positives are very low," Jaquith says.

But the purpose in writing the "Anti-Virus is Dead" paper is to "bust everybody's bubble that this stuff is keeping people safe and the notion it will solve your malware problem."

Jaquith says he's enthusiastic about behavior-blocker technology incorporated in Sana Security's Primary Response or Prevx's Prevx1.

Behavior-blocking antimalware software works by observing the behavior of applications running in memory, and blocking those deemed harmful.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about AppSenseBillionCA TechnologiesFirst NationalGartnerGatewayHISIDC AustraliaIPSMcAfee AustraliaMicrosoftProClaimPrudentialSana SecuritySoftware WorksSymantecTenFoldTrend Micro AustraliaYankee Group

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Ellen Messmer

Latest Videos

More videos

Blog Posts