Misconceptions: Antivirus Software

By Chris Williams

The antivirus dichotomy

Is antivirus (AV) software a necessity, or does it simply offer users a false sense of security? This is a false dichotomy: both positions are partly true. AV software shields inexperienced users from the common, mass-distributed threats that account for most infections, but it does little against targeted attacks on high-value users (managers, executives, etc.), and for those users training to avoid high-risk behavior is vital. Safe Internet browsing habits, awareness of common social engineering tactics, and physical access controls within the environment all reduce malware exposure. If a system never comes into direct contact with malicious code, its chances of infection drop accordingly.

Does this mean that end users with little or no security training should go without antimalware protection of any sort? Absolutely not. It is critical to understand, however, that in IT security the defense is perpetually catching up to the offense. If you are a high-profile enough target for an attacker to spend one of their most valuable commodities (e.g. a zero-day exploit) on you, then know that your AV software will not prevent the initial compromise: a zero-day has no signature, so signature matching cannot stop the exploit itself, and whether the payload that follows is noticed at all depends on behavioral detection rather than on definitions. In other words, additional defense mechanisms are required to compensate for the limitations of antivirus programs.

Defense-in-depth

Defense-in-depth is the methodology IT security practitioners rely upon to secure complex systems against a wide variety of threats. The basic premise is to protect each asset with multiple overlapping security measures, so that no single control is the only thing standing between an attacker and the asset.

The term “layering” is often used to describe defense-in-depth. For each access point within a system there must be at least one defense mechanism, or layer, and each successive layer adds to the security of the system: an attack that breaches the first layer should, by design, fail against the second. (Otherwise, why is the second layer there?) Layers that are all vulnerable to the same exploit defeat the purpose; that is like keying the outside security door, the inside security door, and the door to the most securely guarded part of the building to the same key. Whoever obtains that key defeats every one of those controls at once. Two AV products built on the same licensed scanning engine are that same key cut twice.

What does this have to do with antivirus software? Simply this: AV programs have known shortcomings that can, and must, be anticipated in order to keep an environment secure. While the protection these products offer almost certainly outweighs their downsides, no antivirus on the market can be considered “perfect”. And even if a perfect AV package were developed (hypothetically), malware is only one threat vector; attackers have dozens of other means that it would leave virtually unhindered.

The takeaway

Even with all of the above caveats in mind, it is essential today to run antivirus software on endpoints such as user workstations and public-facing servers. The following points offer some additional guidance:

  • Administrators and security professionals should evaluate the AV products on the market and select one that suits their environment. The most popular platforms are not necessarily the best, nor are the most expensive options inherently better than others; detection rates in independent tests, performance impact, and how much of the product's output you can actually act on matter more than brand.
  • Keep a second-opinion scanner on stand-by. Vendors differ in definitions and analysis methods, so scanning a suspect machine with more than one vendor's engine is often necessary; use an on-demand scanner for the second opinion rather than installing two real-time engines, which tend to interfere with each other.
  • Become familiar with services such as VirusTotal (virustotal.com), which will, for no charge, scan a suspicious file or URL against dozens of AV engines and run files in a sandbox. Be aware that anything you upload is retained and shared with participating vendors, so look a file up by its hash before deciding whether uploading it is acceptable.
  • Not all malware is a virus, and specialized tools are often needed to detect or remove threats such as spyware and adware.
  • One cannot stress this enough: AV software is one piece of a larger puzzle, not a one-and-done solution to every network security ailment.
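As an added example (not code from the article, and not VirusTotal's own tooling), the following Python script does the hash-first triage that the second-opinion and VirusTotal points above describe: it hashes a local file, asks VirusTotal whether it already holds a report for that SHA-256, and turns the per-engine results into a verdict that requires corroboration from more than one vendor before calling the file malicious. It assumes the VirusTotal v3 REST API (a GET on /api/v3/files/{sha256} authenticated with an x-apikey header, which returns HTTP 404 for a hash the service has never seen) and a key in the VT_API_KEY environment variable; the SAMPLE_REPORT dictionary is constructed to mirror the shape of a v3 file object and was not captured from the service.

```python
"""Hash-first triage of a suspicious file against VirusTotal (added example).

Assumptions, not from the article: the VirusTotal v3 API, looked up by hash
with GET /api/v3/files/{sha256} and an 'x-apikey' header, and a key in the
VT_API_KEY environment variable.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

VT_FILE_LOOKUP = "https://www.virustotal.com/api/v3/files/{sha256}"
# Per-engine categories that count as a detection; "undetected"/"harmless" do not,
# and "timeout"/"failure" mean the engine never gave a verdict.
FLAG_CATEGORIES = ("malicious", "suspicious")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so a large sample does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """A by-hash lookup sends only the digest; the file's contents never leave the host."""
    return urllib.request.Request(
        VT_FILE_LOOKUP.format(sha256=sha256),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def _http_get(req: urllib.request.Request) -> Optional[bytes]:
    """Perform the request; None means VirusTotal has never seen this hash (HTTP 404)."""
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def lookup_hash(sha256: str, api_key: str, fetch=_http_get) -> Optional[dict]:
    """fetch is injectable so the parsing path can be exercised without network access."""
    body = fetch(build_lookup_request(sha256, api_key))
    return None if body is None else json.loads(body)


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file object to: engines that gave a verdict, how many flagged it, and which."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    per_engine = attrs.get("last_analysis_results", {})
    # Engines that timed out or failed are left out of the denominator.
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    flagged = sorted(name for name, r in per_engine.items() if r.get("category") in FLAG_CATEGORIES)
    return {"sha256": report["data"]["id"], "engines": engines, "flagged": len(flagged), "names": flagged}


def verdict(summary: dict, min_flags: int = 2) -> str:
    """A lone hit is often a heuristic false positive; corroboration by several engines is the signal.
    The threshold of 2 is an assumption to tune locally."""
    if summary["flagged"] >= min_flags:
        return "likely-malicious"
    if summary["flagged"] == 1:
        return "needs-review"
    return "no-detections"


# Constructed sample shaped like a v3 file object; not a real VirusTotal response.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": sha256_of_bytes(b"constructed sample, not a real file"),
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 3, "harmless": 0, "timeout": 1},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "malicious", "result": "Malware.Heuristic"},
                "EngineC": {"category": "undetected", "result": None},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "undetected", "result": None},
                "EngineF": {"category": "timeout", "result": None},
            },
        },
    }
}


if __name__ == "__main__":
    path, key = sys.argv[1], os.environ["VT_API_KEY"]
    digest = sha256_of_file(path)
    report = lookup_hash(digest, key)
    if report is None:
        print(f"{digest}: unknown to VirusTotal; uploading would share the file with every participating vendor")
    else:
        s = summarize_report(report)
        print(f"{digest}: {s['flagged']}/{s['engines']} engines flagged it -> {verdict(s)}")
        for name in s["names"]:
            print("   ", name)
```

Run as `VT_API_KEY=... python vt_triage.py suspect.bin`. Looking up the digest first matters because a file uploaded to VirusTotal is retained and shared with participating vendors, which is the wrong outcome for an internal document that merely looks odd. Read the verdict in light of the article's point about zero-days: zero detections on a freshly built or targeted sample proves nothing, and a hash the service has never seen is itself a reason for more scrutiny, not less.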

Copyright © 2017 ParadoxPrime IA, All rights reserved