Traditional signature-based anti-virus is notoriously bad at stopping newer threats such as zero-day malware and ransomware, but it still has a place in the enterprise, experts say, as part of a multi-layer endpoint security protection strategy.
According to a survey of this year’s Black Hat attendees, 73 percent think that traditional anti-virus is irrelevant or obsolete. “The perception of the blocking or protection capabilities of anti-virus has certainly declined,” says Mike Spanbauer, vice president of strategy and research at NSS Labs, Inc.
Plenty of recent research supports that view. In March, security company WatchGuard Technologies reported the results of a comprehensive test of traditional anti-virus. It measured how well a leading traditional anti-virus product did at spotting zero-day threats by looking at customers who had both a traditional anti-virus product and a next-generation endpoint protection product installed. Traditional anti-virus caught 8,956,040 malware variants but missed 3,863,078 others that were caught by the next-generation platform's behavior-based approach. Measured against the combined 12,819,118 samples that at least one of the two products detected (samples both products missed could not, of course, be counted), that is a miss rate of about 30 percent.
The traditional anti-virus product in the test was from AVG Technologies, and it is well reviewed: in a report released last month by AV-Comparatives, AVG caught 99.6 percent of the samples tested, placing it among the top ten products on the market. The contrast illustrates the point: a product can score near-perfectly against known samples in a lab test and still miss a large share of what reaches real customers.
Anti-virus is particularly bad at catching ransomware, one of the biggest new threats that companies face. In a March survey of 500 organizations, anti-phishing vendor KnowBe4 found that only 52 percent of companies were able to thwart a simulated ransomware attack. For the rest, the ransomware was able to get past their anti-virus defenses.
NSS Labs has also been running tests of both traditional and next-generation endpoint protection tools. In its latest rounds of testing, the company has focused only on vendors that have advanced detection capabilities. Last year, when testing included signature-only vendors as well, the traditional products did poorly. “A number of products scored in the 90s,” says NSS Labs’ Spanbauer, “but none of those were sole traditional anti-virus.”
The problem is compounded when new threats are designed to spread through a company quickly and do as much damage as possible before they are detected, and compounded again when enterprises delay rolling out anti-virus updates. In addition, the amount of malware is growing exponentially, according to AV-Test, so even if a particular product has a high detection rate, more and more malware in absolute terms is going to slip through. And if attackers notice that a particular kind of malware is getting through, they can double down on it.