Antivirus isn't dead--it's growing up

We've been hearing it for years: antivirus software is dead. But is it really? If so, it seems to have more lives than Richard Nixon.

Rather than being the industry's swan song, mobile devices could be its redemption opportunity.

The antivirus industry is in major transition as threats have evolved from being just the viruses and worms written to exploit holes in Windows that plagued computers in the 1990s to the exploits that target vulnerabilities in Web applications and end user gullibility today.

Many consumers fork over at least $40 for Norton AntiVirus or something similar, many more are turning to free antivirus from AVG or Avast (here's why), and yet millions of computers are still getting hit with infections daily.

While no antivirus software is perfect, the perception that AV often isn't doing a good enough job is backed by studies. Recent benchmark tests pegged the average detection rate among major antivirus products at about 75 percent. (In one test, three out of 10 products stopped all of the original exploits, but the vendors are not named. However, the tests are to be taken with a grain of salt given the variances in testing standards.)

Antispyware and antispam have become standard in most AV, or antimalware, products as vendors have expanded their software into endpoint protection suites. And many have begun placing as much emphasis on heuristic technologies that look at the behavior or reputation of a piece of software as well as matching it to a database of malware signatures. But malware writers are adept at testing their code against the antivirus software and tweaking it until it passes through undetected.

As an alternative, some people are turning to whitelisting technologies that allow only approved programs to run on a computer. Whitelisting is akin to the closed environment of the iPhone where Apple vets every app and is largely effective in protecting the devices, said Gartner analyst John Pescatore. (Bruce Schneier discusses the problems with whitelisting in his essay from last year on the state of the antivirus industry.)

"Antivirus in the e-mail server does a lot of good things...(but) antivirus on people's desktops is almost totally ineffective," Pescatore said. "The antiviral model has been broken for quite a while."

With the fast rise of smartphones and new electronics like iPads, the big challenge for antivirus companies is how best to protect those devices.

It's obvious the traditional antivirus software model won't work, in large part because handheld devices have limited processing power, memory and storage, said Rebecca Bace, chief executive of Infidel, a security consultancy. That's where the cloud comes in, she said.

"There is market demand from the consumer that this will be rolled in as part of the service," Bace said. "This is part of the utilization of network access; something you expect a provider to offer. When I sign up with Verizon, to a degree I'll have the expectation that they'll handle all the security stuff."

Pescatore has a similar view of the future of mobile security.

"In the smartphone world, the answer will not be putting antivirus clients on every phone," said Pescatore. "The answer will be (malware) filtering by cellular carriers...Everything that goes on the phone has to go through the carrier."

Clearly, the antivirus space is grappling with how to move to mobile, said Hugh Thompson, who serves as chair of the RSA Conference and is founder of consultancy People Security and an adjunct professor of software security at Columbia University.

"The challenge for antivirus is how to adapt to new devices, how to allow users to make better choices around what they're doing, and from a business perspective it's coming down to the cloud--what does antivirus mean in the cloud?," he said. "Those three points will define AV over the next two to three years."

Mobile is likely a big reason behind Intel's $7.6 billion acquisition of McAfee, according to Thompson. "For Intel to buy McAfee, they can build some synergies there so that when the chip is released they will have an antivirus solution that supports the chipset and the platforms that come on it," he said.

In general, a big part of the problem for people today is the fact that they are putting so much of their lives on the Web and they don't realize that that data, albeit in numerous different Web sites and sources, can be easily used to trick them into accepting malware with open arms. Sites like Facebook, LinkedIn, and Twitter have expanded peoples' circles of friends and acquaintances exponentially and that can be used to advantage in personalized attacks.

Antivirus will eventually have to defend against social engineering attacks as well as malware, Thompson said.

For instance, an e-mail coming from someone claiming that they met you at an event a few months back and you have a friend in common is more likely to be trusted than one with a generic reference like "LOL is this you?" with a link that appears to lead to a video.

"In the future, an antivirus product will go out and analyze the information and say this is the data that is out there on the Web, this could be a legitimate person, but it will make you aware that you are connected to this person on LinkedIn and you tweeted about a meeting five months ago," Thompson said. "That context sensitive level of threat information is going to be really important in the future."

"It's a fascinating time for AV," he said. "Rumors of its death have been greatly exaggerated over the last few years."