Halkyn Security Blog
Specialist Security & Risk Management Consultants

AV is not dead – it just has limits

Antivirus (AV) has been around for decades now and this is both a good and bad thing. On one hand, AV is so well known most people already understand that they need to have it. But on the other, all the attackers know about it. This means the first step in pretty much every attack is “bypass AV.”

AV is not dead, just understand what it can and can't do.


The reality is that bypassing AV is not that hard. This is partly because antivirus software tends to rely on “signature” based detection: all an attacker needs to do is make an insignificant change to the malware and the signature no longer matches.

Even the better AV products, which use things like heuristics, can be bypassed with freely available tools. An example is the Shikata ga nai framework, designed to leave AV helpless.

The availability of these tools is now so widespread that lots of security professionals are confidently making statements like “AV is dead” or posts titled “Why antivirus protection is a joke.” You can even watch an excellent YouTube video on how to bypass antivirus.

Basically, everything these people are saying is correct. Attackers can and will bypass antivirus. Often they will do it with very little effort.

Despite what the vendor may tell you, you can have a top end, fully updated AV product and still get hacked. A lot.

But this is missing the point. It doesn’t mean that the product is useless or that we should all give it up and live in an AV-free world. It just means that, like every security product, it has its place. Remember, there is no holy grail or silver bullet, no single product that can do everything and protect you from every cyber threat.

The important thing to remember is that if you DON'T have antivirus, even the lazy attackers who can't be bothered to bypass it will get into your system.

Bringing AV Back to Life

So, we’ve established that the reports of antivirus being dead are premature, but what do we do about it?

Remember, security is all about defence in depth. You need to be adding so many layers of controls that the attacker runs out of steam long before they hit your important assets. Within this model, AV has a crucial part to play.

With this in mind, here are our handy hints on how to keep AV alive in your organisation and make sure it is providing the value you expect.

  • Review your security model. AV has a part to play but it is only a part. Make sure you have other controls.
  • Fund AV properly. Don't blow your budget on an incremental improvement to AV, but also don't scrimp and get a freeware version you can't manage.
  • Implement good security practices. Whatever else you do, you need to consider the top three security controls: Application Whitelisting; Patching; Privilege Management. With these in place, your AV works much better. Without them, you will still get hacked. A lot.
  • Use your antivirus. We’ve lost count of the number of incidents we are called to support which have an origin in a machine where AV has been disabled or not updated in months. This is poor practice.
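The two points above about signature-based detection (one insignificant change and the signature no longer matches) and application whitelisting (a default-deny control that does not care what the attacker changes) can be shown side by side in a few lines. The following is an added example written for this post, not code from Halkyn or from any AV vendor; the “binaries” are constructed byte strings standing in for real executables, and a SHA-256 hash is used as a stand-in for a vendor signature.

```python
"""Hash-based blocklist (AV signature stand-in) versus an application allowlist.

Added example, not from the original post. Sample "binaries" below are
constructed byte strings; the hashes are computed from them at run time.
"""
from __future__ import annotations

import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash of a file's contents; used here as a simple signature."""
    return hashlib.sha256(data).hexdigest()


def blocklist_detects(data: bytes, known_bad: set[str]) -> bool:
    """Signature-style check: flags a sample only if its hash is already
    known to be bad. Anything not on the list is treated as clean."""
    return sha256_hex(data) in known_bad


def allowlist_permits(data: bytes, approved: set[str]) -> bool:
    """Application-whitelisting check: permits only binaries an
    administrator has explicitly approved. Anything else is denied."""
    return sha256_hex(data) in approved


# Constructed samples (placeholders for real executables).
APPROVED_APP = b"CONSTRUCTED-APPROVED-APP-v1.0"
KNOWN_MALWARE = b"CONSTRUCTED-MALWARE-SAMPLE"
# The "insignificant change" from the post: one trailing byte appended,
# behaviour of the (pretend) program otherwise unchanged.
MALWARE_VARIANT = KNOWN_MALWARE + b"\x00"

# What each control knows about: the AV vendor has a signature for the
# original sample; the administrator has approved only the business app.
KNOWN_BAD_HASHES = {sha256_hex(KNOWN_MALWARE)}
APPROVED_HASHES = {sha256_hex(APPROVED_APP)}


def evaluate(sample: bytes) -> dict[str, bool]:
    """Run both controls over one sample and report their verdicts."""
    return {
        "blocklist_detects": blocklist_detects(sample, KNOWN_BAD_HASHES),
        "allowlist_permits": allowlist_permits(sample, APPROVED_HASHES),
    }


if __name__ == "__main__":
    for name, sample in (
        ("approved app", APPROVED_APP),
        ("known malware", KNOWN_MALWARE),
        ("malware variant", MALWARE_VARIANT),
    ):
        print(f"{name:16s} {evaluate(sample)}")
```

Run it and the known sample is caught by the blocklist, the one-byte variant walks straight past it, and the allowlist denies both because neither was ever approved. That is the whole argument of the post in miniature: the signature layer is worth having (it stops the known sample for free) but it is the default-deny layer that holds when the signature fails.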

The key point here is that AV needs to be part of your security controls. It should never be the only control you have but that isn’t enough of a reason to not have it. While it is possible for reasonably low skilled attackers to circumvent your antivirus controls, you would be amazed at how much it will still stop.

If you implement the three security good practices mentioned above, and run an up-to-date AV tool, 90% (or more) of attacks will fail.
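“Run an up-to-date AV tool” is only true if someone actually checks that it is running and updated on every machine. The following added example (written for this post, not Halkyn's own tooling) reads a constructed export of endpoint AV status, such as the CSV most AV consoles can produce, and lists the machines that would turn up in the incidents described above: real-time protection switched off, or signatures older than a chosen age. Column names, the three-day threshold and the assessment date are all assumptions for the example.

```python
"""Flag endpoints whose AV is disabled or whose signatures are stale.

Added example, not from the original post. The inventory below is
constructed; a real run would read the export from your AV console.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed inventory export (assumed column names).
INVENTORY_CSV = """hostname,realtime_enabled,last_signature_update
ws-001,true,2017-03-20T08:00:00Z
ws-002,false,2017-03-20T08:00:00Z
ws-003,true,2016-12-01T08:00:00Z
srv-01,true,2017-03-19T22:30:00Z
"""

# Assumed policy: signatures must be no more than three days old.
MAX_SIGNATURE_AGE = timedelta(days=3)
# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
ASSESSMENT_TIME = datetime(2017, 3, 21, 12, 0, tzinfo=timezone.utc)


def parse_inventory(text: str) -> list[dict]:
    """Parse the CSV export into one dict per endpoint."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unprotected(rows, now=ASSESSMENT_TIME, max_age=MAX_SIGNATURE_AGE):
    """Return {hostname: [reasons]} for every endpoint that fails the policy."""
    findings = {}
    for row in rows:
        reasons = []
        if row["realtime_enabled"].strip().lower() != "true":
            reasons.append("real-time protection disabled")
        updated = datetime.strptime(
            row["last_signature_update"].strip(), "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        age = now - updated
        if age > max_age:
            reasons.append(f"signatures {age.days} days old")
        if reasons:
            findings[row["hostname"]] = reasons
    return findings


def report() -> dict:
    """Run the check over the constructed inventory."""
    return find_unprotected(parse_inventory(INVENTORY_CSV))


if __name__ == "__main__":
    for host, reasons in sorted(report().items()):
        print(f"{host}: {'; '.join(reasons)}")
```

Scheduling something like this daily, and treating every hit as a ticket rather than a statistic, is the difference between “we have AV” and AV actually being one of your layers.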

Don’t give up on AV simply because it can't work on its own.
