Anti-Virus Is Dead (But Still Makes Money) Says Symantec

judgecorp (778838) writes "Symantec says anti-virus is dead but the company — the world's largest IT security firm — still makes 40 percent of its revenue there. AV now lets through around 55 percent of attacks, the company's senior vice president of information security told the Wall Street Journal. Meanwhile, other security firms including FireEye, RedSocks and Imperva are casting doubt on AV, suggesting a focus on data loss prevention might be better."

Re:No explanation for why though?

[Anonymous Coward]

Because marketing is more effective than a quality product.

Re:No explanation for why though?

[Xicor]

they dont update the virus signatures anymore, because ppl who use symantec antivirus dont have any clue wtf they are doing. it is kindof like going to a steak restaurant and ordering your steak well done. the restaurant has lower quality meat for those people because it is cheaper and they cant tell the difference.

Re:No explanation for why though?

[manu144x]

One answer could be because now threats are mostly targeted at the biggest weakness: humans. Phishing, scams, and all that are much more profitable and incredibly hard to detect programmatically. Legit websites are hacked daily and injected phishing sites and then removed fast.

They all rely pretty much on human stupidity and ignorance, and that is very hard to stop...

Makes sense

[American AC in Paris]

When the back door was made of cloth and paper, there wasn't much sense in trying to fool the user guarding the front gate. Now that we've locked that down with a steel door and a proper deadbolt, it's a lot easier to try to sneak past the guard--and it's a lot harder to upgrade a guard than it is to upgrade a door.

I think we're entering a period where forensics and an effective legal apparatus are going to become the primary means of defense.

Does the nature of the business hold it back

[Eravnrekaree]

Part of the problem may be the closed source nature of AV itself. I have always wondered if the closed source AV vendors are basically reinventing the wheel and needlessly wasting resources on finding viruses that have already been found by other companies, and that maybe there should be a central virus database that all of the companies would contribute to instead. The model of each company having to independantly find viruses is inefficient and leads to much slower progress on eliminating them. It is wasted time and effort reinventing the wheel, and as well it actually worsens things for users because things do not work as well as they could.

Does anyone here have a recommendation for the best AV software?

What about ClamAV? Is this as good as the closed source AV products?

AV dead? Symantec's certainly is

[argStyopa]

I wouldn't use a Symantec product if it was an extinguisher and I was on fire.

Nobody even vaguely familiar with PC support over the last 20 years can possibly fail to be acquainted with what was (is?) the most complicated, agonizing, and laborious process that was removing a Symantec/Norton antivirus "product" from a computer.
Seriously, with a newer machine, just re-installing the OS was far quicker, easier, and less likely to leave you with later issues.

As an AV product, it was not terribly successful in most neutral tests I saw.

If you didn't uninstall it, it was a resource hog, bringing even powerful machines to their proverbial knees when scanning. If you were foolish enough to install the 'suite' of security applications, it would involve literally dozens of services installed obscurely across your system. Removing it was very much like (or worse than) trying to get rid of some of the most tenacious malware I've ever encountered.

Truly, the 'cure' in this case was nearly worse than the disease. They *owned* the PC security market in the early days...why do you think its competitors have been so widely successful?

Re:Does the nature of the business hold it back

[Arker]

The problem is deeper than that. It goes back decades to the very idea of a scanner vs other methods of security. Scanners are good 'solutions' if you dont really want to solve the problem but rather want to profit from it. They are reactive, they require constant updates (which justifies continuing payments) and will absolutely never do more than partially ameliorate the problem. Scanners only find old threats and it's a very old game to just switch bytes around until the scanner says you are clean.

A system actually designed for security would instead focus on behavior and abilities, and look more like SELinux than a traditional virus scanner. It wouldnt care if a program was exceeding its authority because it's a virus or because it's damaged or just because it's poorly programmed - it would prevent it from doing damage regardless.

This is far from impossible, but as an industry we turned away from that road several decades ago, because it's slower, more expensive, and harder to develop for. First to market seems to trump well designed every time. :(

Re:No explanation for why though?

[mlts]

One of the biggest infection vector these days are holes in Web browsers or add-ons. I don't see worms and viruses a common threat these days. It is mainly something from a website or even worse, an ad server. By using adblock, noScript (or the "click to play" functionality in Chrome), and SpywareBlaster's black list, this has kept my machines clean where the AV program is mainly for scanning a download (and even then, for small downloads, VirusTotal does the job better.)

IMHO, an AV maker should take a page from that book and start blocking URLs and bad sites. Some ad company allowing malware to get posted through their server? Block it by IP and/or URL.

So far, this has done a good enough job for protection. I mainly browse the Web in a VM, and when I take the VM offline and scan the disks with a decent AV program, the scans turn out clean.

This doesn't mean AV is useless. Not using it is similar to leaving the key in the ignition when running into a gas station. However, it would be nice if AV programs could build in functionality similar to AdBlock and block not just by IP, but by URL.

Re:No explanation for why though?

[CastrTroy]

This is similar to the reason that I think the iPad is what most users really want/need. Techies complain about the walled garden, and how that limits what they can do with the hardware. But that's exactly what end users want. They want to be able to install and use software without thinking about all the bad consequences that could come of it.

Imagine going to a store and buying a toaster. Some toasters would be cheap, but would sometimes catch on fire and burn your house down. Some toasters would be cheap but listen in and record all the conversations going on in your kitchen. Some toasters would be more expensive and actually just toast the bread, without any ill effects. Sure it's the customer's choice which one they buy, and you can tell them to read reviews and be careful, but that's really not a good situation to put the customer in. The customer should have reasonable expectations that the product is safe and isn't trying to be malicious. But when installing software, it's very hard to verify that an unknown program is actually safe or not.

Re:Social Engineering.

[Notabadguy]

I have a T-Shirt that I got from jinx.com that basically says that.

Front: Social Engineering Expert:
Back: Because there is no patch for human stupidity

Re:No explanation for why though?

[Xicor]

yes, but when you can cut costs and not have any issues, a lot of places will do it. theres no point in spending 20$ on a prime steak if the person eating it cant tell the difference between a shoe and a steak.

Re:No explanation for why though?

[Bacon Bits]

Viruses used to be targeted at impacting systems. Destroying data. Disabling operations. They were focused on taking your computer down. It was very obvious when you had a virus because your computer was obviously broken. There was no way for a virus creator to make money.

Viruses today are used to steal information, steal resources (network, CPU, etc.), or open access. To function, they require your computer to be on, fully functional, and connected to the Internet. It's trivial to make money with a botnet, meaning viruses are now funded by major criminal business enterprises.

Re:Maybe that their AV sucks?

[MikeBabcock]

The stat you're quoting is "how many of the things we're designed to look for do we find" not "how many of the things that cause problems do we find."

Anti-virus software doesn't work because MOST problems now aren't and don't look like viruses.