There was a certain amount of steam coming out of my ears at a recent post by Gunter Ollman, so I didn’t feel comfortable blogging about it at ESET. And it’s not altogether a testing issue, so I didn’t feel quite comfortable blogging it here (though I suspect Mac would have cheerfully picked up the cudgels, if he’d thought of it). Nevertheless, it’s closely related to Imperva’s pseudo-testing with VirusTotal, so I posted it at Securiteam, where they’re used to my occasional venting of spleen: The death of AV. Yet again.
One of the points I made in that blog was this:
There is, in fact, a rational debate to be held on whether AV – certainly raw AV with no multi-layering bells and whistles – should be on the point of extinction. The rate of detection for specialized, targeted malware like Stuxnet is indeed very low, with all-too-well-known instances of low-distribution but high-profile malware lying around undetected for years. (It helps if such malware is aimed at parts of the world where most commercial AV cannot legally reach.)
Subsequently, Pierre Vandevenne, a friend from the good old days of alt.comp.virus, came up with some pertinent commentary that, with his permission, I’ll reproduce here.
Traditional stand-alone A-V (essentially the scan-detect-protect-clean paradigm) should definitely be dead. Multi-layered protections with web browsing protection, DNS monitoring, in the cloud file checks and heuristics, real time analysis of new and/or infrequent or unique executables (of all kinds) etc… are definitely needed but won’t ever reach the near perfect protection levels the A-V industry offered at very specific and short lived moments in the history of malware.
But the public’s mind remains stuck in the “scan-detect-protect-clean” era thanks to some 20 years of repetitive dumb marketing by A-V companies. Just look at the promotional material and white papers offered by any anti-virus company. Can you find one that doesn’t refer to some kind of award won in some “scan-etc…” test? Can you find one that doesn’t claim to offer “best” or often “near perfect” detection or protection percentages?
Fundamentally, what is attacked is not how a modern A-V works but how it is perceived by the public. And that perception was created by the A-V vendors themselves… We’ve had the example of a positive reality distortion field with Apple. We’re experiencing a negative one on the A-V industry as a whole right now. If I were launching a competing product today, I would probably build its internals quite like those of a modern A-V, but would market it as “Definitely Not an A-V”.
Detection statistics and test performance as a promotional tool strike me as a particularly contentious point, one that isn’t far removed from Kevin Townsend’s point about WildList testing. I don’t happen to think it’s valueless, but if companies use marketing that suggests that everything in the wild (whatever you may understand by that) is on the WildList, so that 100% detection of WildCore = 100% protection, that sets an expectation just as unrealistic as the 0-5% figures bandied about by AV’s critics.
It’s important to keep improving products as they move further and further away from static detection, but if we’re to counter misinformation from other security sectors, we also need to make it clearer to our audiences and customers – not necessarily the same thing – what we really do and what they can realistically expect from us.
David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN/Mac Virus
ESET Senior Research Fellow