Brian Dye recently told Wall Street Journal that antivirus tools (like his company Norton) are effectively “dead” because they catch less than half of all attacks. From where we sit, that’s really just half the story.
Does Brian mean that antivirus defenses – also know as “AV” – are useless? Probably not. Just like you should get a flu shot to protect you from known viruses in the real word, you should also keep running AV to protect you from known viruses in the virtual world. We think a better way to put it is this; an AV alone isn’t enough to protect your computer because the websites you visit are constantly introducing new, unknown viruses. When you look at websites, the same principle applies. Every day, we clean infected websites and webservers that already had some kind of antivirus or security software installed. We would never tell our clients to just get rid of the security software.
The main reason that these sites get hacked is that the core of most security software relies heavily on signatures of known virus families. In the past, this worked well because there were just a few variants of viruses, which made it simple for research teams to study them and release signatures. However, the amount of malware now being created and released is so astronomical –because there is a lot of money in it– that a manual process is almost impossible. By the time researchers are able to dissect one malware string, a thousand more will already be released. So, even if you have an antivirus, your site and server can still be at risk. The key is to protect yourself from these bad outcomes before they can infect your site or your computer.
What Can You Do?
First, you have to be able to detect and respond to compromises quickly. Second, security, like winter weather, is all about layering. The more layers you have, the more comfortable you’re likely to be out in the wild.
As part of this layering technique, we recommend every website owner engage with a WAF (web application firewall), like our Website Firewall. The firewall sits between a website and the rest of the Internet, so every HTTP/HTTPS request is filtered before reaching the server. This means that it will let good traffic go to your site and block bad traffic, stopping attacks from touching your files. It does not rely solely on fixed signatures, but also on behavior, which helps it detect most of the threats to your site.
On top of that, it can also block most of the attacks webservers handle everyday including:
- Cross Site Scripting (XSS)
- Remote File Inclusions (RFI)
- SQL Injection (SQLi)
- Local File Inclusions (LFI)
- Malicious post requests
- Malformed cookie requests
- Malformed headers
- Layer-7/HTTP Denial of service attacks
- Malicious or Improperly used bots
Perhaps, AVs are dying. However, we like to think about the challenge differently. Hacks have evolved and so security must also evolve. AV isn’t dead. It’s now just a portion of your security suite that you can layer with additional security options to protect yourself, your site, and your personal computer.
Speaking of Your Personal Computer
If you’re a website visitor–and you’re reading this blog so we bet you are–you should demand that the websites you visit employ firewalls to protect your experience and information. One reason that you need a firewall on your computer is to prevent viruses that spread through the websites you visit. Therefore, when the sites you visit are protected, your personal computer is also afforded another layer of protection.
8 comments
Can’t go wrong with Eset Nod32 and malwarebytes, there is very little ive seen that doesnt get flagged that is actually malware, virus and sometimes malicious code. Norton and the more commercially known AV’s have been on the decline for years, too much resource usage for tasks that shouldnt really need it. Nod32 is by far the best imo , although im not a fan of the security suite, the standard AV does what i need it to.
It’s not a matter of which AV it’s a matter of how smart people are. Most of the infections come from cracked software or infected sites. While in the first case the easiest thing is to buy original software without installing infected keygen or cracks in the second case software like NoScript may be a extra level of protection as removing Java and updating old software.
Right, websites are the biggest distribution mechanism employed today which is kind of the correlation we were attempting at. Thanks.
One question that I think is worth asking is who should take action? The website owner is usually the lest informed, sadly. The host has the biggest ability to lay out security measures and remove or block infected websites from having access to the internet, yet they rarely do anything. Most blocked attacks that we see in our logs come from servers, very very few come from computers. I think it is also safe to say that most servers have little or no protection at all on them.
Many of our customers come to us as they are sick of suffering attacks and infections with their old developer. When we check the developers config, we usually find no AV, no firewall, no protection of any kind.
Can you guys write a security article without ever plugging yourself?
Hi ChrisH
Yes, we probably can.
Thanks.
often friend ask me to check their PCs because of malware pop-ups, toolbars, etc. And often I can’t do much with so many points in which these things are installed, and it doesn’t help doing the AV scanning because either AV doesn’t detect it or because AV was broken by some malware and can’t scan anymore.
Anyway, AV is in a good part about “enumerating badness”, and there’s so much of it that the signature based detection isn’t that effective anymore. And most people that I know don’t buy AV suites with more advanced protections, they use just the standard free AV.
In my experience, malware enters the PC (or Mac or Android) more through vulnerabilities than any other means. So keeping current with updates, specially browser and plugins makes a huge difference (I never got infected through a 0 day). At least this has worked for me for the last 10 years. This also allows me to use a free AV and not get be an easy target.
But I recognize that this thing of computer protection is still unsolved in scale, in the sense that you can’t get protected if you’re not good with computers.
Anyway, AV is not dead. It just got disabled in the last infection.
Sorry for the long comment.
Thanks for sharing it, no worries.
Comments are closed.