Monday, March 9, 2009

Why your antivirus can't tell you anything useful.

I wrote about your antivirus being unable to tell you anything here and here. I want to take a quick minute to explain why your antivirus product can't tell you the things you want to know. Or better yet, hear the AV industry tell you itself why it can't tell you anything. The following two quotes are from an AV vendor.

"The most effective detection nowadays is either generic (detection of whole families and sub-families), proactive (heuristics, sandboxing, emulation etc), or hybrid."

"In the 90s, a good heuristic scanner could claim to detect something like 70-80% of new malware: clearly, that's no longer the case."

That explains a few things, I think. The primary detection method is generic, followed by a proactive and hybrid detection model. In short, antivirus products can't do what they claim to do, which is protect your system from malware infections. And when they do detect malware, they are unable to tell you much about it, since the method of detection is nonspecific: a generic or heuristic signature identifies a family or a suspicious behavior, not the particular sample on your system. Harlan's been on a rampage lately discussing how antivirus vendors are unable to provide adequate information to incident responders, and I tend to think this explains the source of the problem.

Given that AV vendors are admitting they can't do what they used to, I think it's past time organizations moved beyond antivirus products and into new markets. Antivirus products are now marginalized and can't keep up with the malware onslaught. I don't say this to be pessimistic, but I do tend to think it's true. The battle is not being lost; it is already lost. Relying on antivirus products alone is simple negligence.