What is antivirus software, Part 3?

I seem to be asking this question a lot. I have already written one article and one previous blog entry on this subject. It is an important question: Millions of people are using antivirus and probably every piece of data on this planet has been processed at least once through one or more antivirus solutions. 

In a way that is a staggering concept. How many files are scanned a day by all the antivirus products in the world? Hundreds of billions? I know we do a good chunk of that. Antivirus software has become extremely prevalent. It has a presence in virtually every company, house, ISP and country in the world. Being in the antivirus industry also implies that I can feel a little bit proud about this.

But this also implies that there is a huge target painted on the antivirus industry. If you can evade/attack the products or the industry then there is something to be gained. For the criminals it is all about money. If their malware is not being detected it implies they are making money. For some of the alternate technologies, like IDS, IPS and white-listing it is also about making money. Most of the so-called alternate technologies are actually complementary and can play a useful role in a multi-level security environment. For some reason people unnecessarily perceive complementary products to be in competition with antivirus products.

This is probably also one of the big motivations for the “Antivirus is dead” camp. For something dead we are surprisingly agile, active and successful.

The question we have to ask is why is antivirus so prevalent? My slightly biased opinion is that it is because it works. It generally is set-and-forget and it just sits in the background and does its job very fast and efficiently. Not only does it work fast, seamlessly and efficiently, but it works against real world threats in real environments in the face of real attacks. It provides practical and useful security to the vast majority of its users. If I am right then I am glad, because this is our aim.

Is antivirus perfect? I want to expand that to: Is any security product perfect? The answer is a definite no. Any individual security product is there to raise the bar for criminals. When used in conjunction with other security products, procedures and protocols you can have an environment that is mostly secure. The effectiveness and cost depend on how invasive these products, procedures and protocols are: The old usability vs. security debate.

Does that imply that antivirus is flawed? No, but it does imply that it is being attacked by large groups of people that can gain significantly from evading or discrediting it. Fortunately the antivirus industry is agile and smart. And we have been around for a long enough time to have seen a lot of the attacks before and to be amused at the new ways the same old things repeat themselves yet again.

Part of the agility of an antivirus company is its ability to respond to new threats very quickly. It is what we do. There are new threats and malware every day as there have been for the last 20 years and we have dealt with that effectively in the past and we will deal with any new threats effectively in the future. It is what we have been doing, and given our success and pervasiveness we have probably been doing it quite successfully.

No reasonable security paradigm, protocol or procedure is perfect. If it were perfect, then whatever it was protecting would be quite unusable. In the security field it is about reasonable compromises that provide a good enough level of security to make the number of incidents low enough and limited enough so that it makes sense. A good analogy would be driving a car. You could say that not allowing anybody to drive a car is the only way to prevent all car accidents. In a way that is true but it is also completely impractical. Therefore we allow people to drive cars but with rules, processes and procedures that allow most people to drive in a mostly safe environment. There will be accidents, but hopefully we can limit the risk of them causing large scale mayhem, injury and death. The same can be said for security. It is all about managing the risk in a cost effective and reasonable manner.

Virtually nobody wants perfect security because it means a complete lack of usability, but most people expect a reasonable level of security. Part of reasonable security is antivirus software. As threats evolve and the performance of computers increases and the quality of third-party software and operating systems improves, it implies that security and thus antivirus software will evolve.

This also implies that if I were to ask this question again in a few years I will probably give a different answer than I did now or last year. One constant will most likely be that we will still be doing it very well, quickly and efficiently. In addition to that we will probably be scanning trillions of files per day and not the meager billions we scan now.