The ability of antivirus (AV) programs to effectively fight malware has been called into increasing question in recent years. Many have said that the reliance of such programs on signature-based detection, in which programs scan for already discovered malware, has fallen far behind criminals’ ability to produce new malicious strains.
But AV vendors continue to adapt. In recent years, many have developed and touted some of the alternative malware-fighting capabilities in their programs aside from signature detection. These have included heuristics, or behavior-based detection, as well as methods that judge programs and executables by their reputation.
Such methods may not be as advanced as some consumers think, however, according to a few computer security experts who spoke at the recent RSA Conference in San Francisco.
Heuristics have been discussed and used as part of AV programs for more than 20 years, said Steven Northcutt, president of the Bethesda, Maryland-based SANS Institute, during an independent security presentation. The term is broadly used, he said. But heuristics have been more effective in other computer security areas, such as identifying and blocking e-mail spam, than they have been in fighting malware, he said.
AV programs have progressed over the years, but their advances have been so slow as to be almost negligible, said Dr. Peter Tippett, vice president of research and intelligence for Verizon Business, in an interview. Tippett is credited with writing the first antivirus program, which later became Norton Antivirus.
Despite the criticism, Tippett acknowledges that AV programs serve a purpose. “Just by having AV on your computer, you’re at least 1,000 times safer,” Tippett asserted.
Rather than worry too much about an individual product’s security features, Northcutt says, consumers should pick a reputable product they find usable. They should then take advantage of another current AV trend: the ability to supplement the AV software with free online scans offered by a growing number of reputable vendors.
AV’s use also appears unthreatened because of the relatively slow adoption of its primary alternative, whitelisting technology. The latter involves generating a list of approved applications and then blocking any others from executing unless explicit permission is granted. Whitelisting programs are still generally only viable in highly regulated environments running few programs, Northcutt said. The few whitelisting vendors do not appear to have produced a product that is flexible enough to suit a wide range of business environments, he said.
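As an added illustration of the default-deny model described above (example code written for this page, not from the article or from any vendor's product), the following Python sketch keys its allowlist on each executable's SHA-256 digest rather than its file name, so a renamed copy of an approved binary still runs while a tampered or unknown one is refused until an administrator explicitly permits it. The "executables" are constructed byte strings written to a temporary directory, and the digest-keyed approach is one common implementation choice, not a description of how any specific whitelisting product works.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionAllowlist:
    """Default-deny policy: an executable runs only if its content digest is listed.

    Keying on the digest rather than the file name means a renamed copy of an
    approved binary is still allowed, while a modified copy is denied.
    """

    def __init__(self, approved_digests):
        self.approved = set(approved_digests)
        self.log = []  # (name, digest prefix, verdict): the audit trail a defender reviews

    def permit(self, path: Path) -> str:
        """Explicit permission: an administrator approves this exact file content."""
        digest = sha256_of(path)
        self.approved.add(digest)
        return digest

    def decide(self, path: Path) -> str:
        digest = sha256_of(path)
        verdict = "ALLOW" if digest in self.approved else "DENY"
        self.log.append((path.name, digest[:12], verdict))
        return verdict


def demo() -> dict:
    """Constructed scenario: five fake executables in a temp dir; returns verdicts."""
    tmp = Path(tempfile.mkdtemp())
    approved_bytes = b"MZ\x90\x00constructed-approved-binary"
    files = {
        "approved.exe": approved_bytes,
        "renamed.exe": approved_bytes,             # same content, new name: allowed
        "tampered.exe": approved_bytes + b"\x00",  # one byte appended: denied
        "unknown.exe": b"MZ\x90\x00constructed-unknown-binary",
        "newtool.exe": b"MZ\x90\x00constructed-new-tool",
    }
    for name, data in files.items():
        (tmp / name).write_bytes(data)

    # Only the digest of approved.exe is on the initial list.
    policy = ExecutionAllowlist([sha256_of(tmp / "approved.exe")])
    before = {name: policy.decide(tmp / name) for name in files}

    # An administrator explicitly permits the new tool; nothing else changes.
    policy.permit(tmp / "newtool.exe")
    after = {name: policy.decide(tmp / name) for name in files}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, verdicts in demo().items():
        print(phase, verdicts)
```

Running the script prints the verdicts before and after the explicit permission step. The same mechanism also shows why this model is hard to operate outside tightly controlled environments: every legitimate software update changes the digest, so each one needs a fresh `permit()` or the updated program is blocked.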