The Value of Anti-Virus

2012-03-17 21:37:34 by chort

There has been a lot of noise recently about whether it's worth the cost to run anti-virus software. As laid out in the Wired article, the opposing viewpoints typically boil down to:
FOR: Anti-virus is essential for protecting careless users.
AGAINST: There are more effective ways to spend security budget.
Those are both good points, so I think making a purely binary use it/don't use it decision is short-sighted.

Before I get to the main point, I'd also like to note that the only source on record in that article vigorously defending anti-virus is a giant analyst firm. You don't have to think very hard to see a huge economic reason for a company that makes a lot of money off of vendors to be a vocal cheerleader for the two companies who dominate all security spending. A cynic might wonder how good the advice is when it comes from an analyst who puts the interests of their own firm ahead of their customers'. It seems there's a lot of that going around. I'd wager this situation contributes greatly to the suspicion of giant AV vendors.

Entertaining as it may be to speculate, we are not gathered here today to discuss the asymmetry of information and the profiteers who exploit it. What we are discussing is what anti-virus is worth. I think it's pretty clear that there are better ways to spend your budget than the massive per-user cost of "best of breed" anti-virus software. As the popular refrain goes, if someone is specifically targeting you, they will encode their malware such that it bypasses signatures. Even petty criminals can do this, so the first wave of a new malware version will always succeed for a while. That doesn't make AV worthless, but it does make it worth less.

Consider how many thousands of malware sites and ad banners are being created every week. Due to sheer scale, it's impossible that they are all reported and taken down. For various reasons sites and ads are abandoned, and thus become the digital equivalent of a chemical spill in a dead-end alley. It's unlikely that many people will be affected by it, but someday, someone probably will. Although this poses much less of a real threat, it still needs to be cleaned up and investigated when someone steps in it, and thus there's a cost. If you can cheaply prevent those types of accidents from happening, that is worth something (Chris Hoff made a similar point).

So far I've stated that high-end anti-virus isn't worth the enormous expense when compared to other security technology. I've also stated that it's still worth running AV. What then do I propose? I propose using market forces rationally. Refuse to pay premiums for what should be a commodity service. If your vendor won't come down on price, go with affordable AV, as long as their support is responsive and it doesn't cause serious conflicts with your necessary applications.

One might object "but the big vendors invest a lot in R&D, that justifies the cost!" Not to me it doesn't. I don't think there should be 40 different anti-virus engines and client suites. The cost of keeping up with new OS versions is massive, not to mention that AV vendors frequently fight hard to resist kernel hardening that would lock them (and malware writers!) out. I think OS vendors should be providing AV frameworks built into their products from day 1. They understand the internals better than anyone, they can trust their own code more than any third-party code, and they become responsible for the vast majority of client support (which client version is compatible with which OS version).

This is not to say I'm completely against anti-virus vendors. I think there's a huge opportunity to differentiate on the quality and focus of threat intelligence. Vendors in certain geographies or serving particular demographics are uniquely positioned to be aware of specific threats. This knowledge is valuable. I could easily see an AV marketplace where the OS vendor provides the app and customers can select multiple signature/threat intel feeds to subscribe to. For corporate customers, they would select several feeds based on their industry vertical and office locations. Consumers might pick only one well-rounded feed, or perhaps separate feeds geared towards social networking and online banking. The point is that OS vendors should be providing the instrumentation and response mechanisms. The AV vendors should be providing threat research.

So do I use anti-virus? Yes and no. On the Mac I use for work, I run ClamAV due to contractual obligations. Every time it kicks in, it turns the hard drive into a space heater and I have to use a workstation for the next 2 hours because the laptop becomes useless. On Windows machines I install Security Essentials and the malicious software removal tools. If I'm just defending against old-news malware, it might as well be free defense. At work we use one of the big vendors, which was a decision made before my time. The IT department seems content paying for the subscription, although they're much less content patching it constantly. What's that, patching anti-virus? Yes. Ironically, the highest number of vulnerabilities by unique endpoints has been from the AV agent. There have been multiple issues, some allowing remote code execution. Thanks for all that R&D guys, you're doing a bang-up job.

If it's stupid and it works, it isn't stupid. What is stupid is spending the majority of your security budget on something that doesn't provide the majority of the benefit.
