Antivirus (AV) software is used to detect, contain, and in some cases eliminate, malicious software. Most AV software employs two techniques – signature-based recognition and behavior-based (heuristic) recognition. A common misconception is that AV software is 100% effective against malware intrusions. Unfortunately, this is not the case. Although AV applications are an essential malware detection control, they are limited in their effectiveness. This is due to three factors:
- The sheer volume of new malware.
- The phenomena of “single-instance” malware.
- The increasing sophistication of malware.
The core of AV software is known as the “engine.” It is the basic program. The program relies on virus definition files (known as DAT files) to identify malware. The definition files must be continually updated by the software publisher then distributed to every user. This was a reasonable task when the number the types of malware were limited. New versions of malware are increasing exponentially, thus making research, publication, and timely distribution a next-to-impossible task. Additionally, zero-day exploits are becoming commonplace. These attacks target unknown (or unpublished) vulnerabilities in software.
Complicating this problem is the phenomena of single-instance malware – that is, variants only used one time. The challenge here is that DAT files are developed using historical knowledge, and it is impossible to develop a corresponding DAT files for single instance that has never been seen before.
The third challenge is the sophistication of malware – specifically, blended threats. A blended threat occurs when multiple variants of malware (worms, viruses, bots, and so on) are used in concert to exploit system vulnerabilities. Blended threats are specifically designed to circumvent AV and behavioral-based defenses.
It is also important to note that hackers have access to the same AV tools that you do. They test their code against the same techniques you're employing in order to ensure that they are able to bypass them.
According to McAfee Labs Five-Year Retrospective published in August 2015, a perfect security storm is approaching, with more of everything - users, attacks, data, connected devices, etc. - that will massively increase the number of potential targets. Ready your organization with a strong defense-in-depth cybersecurity strategy that includes AV software along with a vareity of malware prevention controls and malware dection controls.
Note: This article contains excerpts from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene.