Halkyn Security Blog
Specialist Security & Risk Management Consultants

AV is not dead – it just has limits

Antivirus (AV) has been around for decades now and this is both a good and a bad thing. On one hand, AV is so well known that most people already understand they need to have it. On the other, every attacker knows about it too. This means the first step in pretty much every attack is “bypass AV.”

AV is not dead, just understand what it can and can't do.


The reality is that bypassing AV is actually not that hard. Partly this is because antivirus software tends to rely on signature-based detection. Here, all an attacker needs to do is make an insignificant change to the file and the signature no longer matches.
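
To make the signature point concrete, here is a toy detection engine, added as an illustration rather than taken from the post or from any real AV product. The "sample" is a constructed byte string (not malware), and the two signature formats (a whole-file SHA-256 and a byte-pattern regex) are assumptions for the demonstration. It shows why a whole-file hash alone gives false confidence: a single extra padding byte defeats it, while a content pattern still fires, which is exactly why a scanner needs more than one detection type and why AV needs other controls around it.

```python
"""Toy illustration of why exact-match signatures are brittle.

Added example, not from the Halkyn post. KNOWN_SAMPLE is a constructed
byte string, not real malware, and the signature formats are invented
for the demonstration.
"""
import hashlib
import re

# Constructed "payload" the scanner has been taught to recognise.
KNOWN_SAMPLE = (
    b"MZ\x90\x00"
    + b"DOWNLOAD http://placeholder.example/evil.bin"
    + b"\x00" * 16
)


def sha256_signature(data: bytes) -> str:
    """Whole-file hash signature: matches only a byte-identical file."""
    return hashlib.sha256(data).hexdigest()


# Signature store type 1: exact hashes (cheap, precise, brittle).
HASH_SIGNATURES = {sha256_signature(KNOWN_SAMPLE): "Trojan.Constructed.A"}

# Signature store type 2: byte patterns (survive padding and trivial edits).
PATTERN_SIGNATURES = {
    "Trojan.Constructed.A": re.compile(rb"DOWNLOAD http://[^\s]+/evil\.bin"),
}


def scan_hash(data: bytes):
    """Return the family name if the whole-file hash is known, else None."""
    return HASH_SIGNATURES.get(sha256_signature(data))


def scan_pattern(data: bytes):
    """Return the family name of the first byte pattern that matches, else None."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes):
    """Layered scan: try the cheap exact hash first, then fall back to patterns."""
    return scan_hash(data) or scan_pattern(data)


if __name__ == "__main__":
    # Constructed variant: identical content plus one extra padding byte.
    variant = KNOWN_SAMPLE + b"\x00"
    print("hash on original :", scan_hash(KNOWN_SAMPLE))   # Trojan.Constructed.A
    print("hash on variant  :", scan_hash(variant))        # None
    print("pattern on variant:", scan_pattern(variant))    # Trojan.Constructed.A
    print("clean file        :", scan(b"hello world"))     # None
```

The takeaway for a defender is not that hashes are useless (they are cheap and have no false positives) but that a control built only on them is trivially sidestepped, so its value depends on the other layers around it.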

Even the better AV products, which use things like heuristics, can be bypassed with freely available tools. An example is the Shikata ga nai framework, which is designed to leave AV helpless.

The availability of these tools is now so widespread that lots of security professionals are confidently making statements like “AV is dead” or posts titled “Why antivirus protection is a joke.” You can even watch an excellent YouTube video on how to bypass antivirus.

Basically, everything these people are saying is correct. Attackers can and will bypass antivirus. Often they will do it with very little effort.

Despite what the vendor may tell you, you can have a top end, fully updated AV product and still get hacked. A lot.

But this is missing the point. It doesn’t mean that the product is useless or that we should all give it up and live in an AV-free world. It just means that, like every security product, it has its place. Remember, there is no holy grail or silver bullet, no single product that can do everything and protect you from every cyber threat.

The important thing to remember is that if you DON'T have antivirus, even the lazy attackers who can't be bothered to bypass it will get into your system.

Bringing AV Back to Life

So, we’ve established that the reports of antivirus being dead are premature, but what do we do about it?

Remember, security is all about defence in depth. You need to be adding so many layers of controls that the attacker runs out of steam long before they hit your important assets. Within this model, AV has a crucial part to play.

With this in mind, here are our handy hints on how to keep AV alive in your organisation and make sure it is providing the value you expect.

  • Review your security model. AV has a part to play but it is only a part. Make sure you have other controls.
  • Fund AV properly. Don't blow your budget on an incremental improvement to AV, but also don't scrimp and get some freeware version that you can't manage.
  • Implement good security practices. Whatever else you do, you need to consider the top three security controls: Application Whitelisting; Patching; Privilege Management. With these in place, your AV works much better. Without them, you will still get hacked. A lot.
  • Use your antivirus. We’ve lost count of the number of incidents we are called to support which have an origin in a machine where AV has been disabled or not updated in months. This is poor practice.
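
The last hint, machines where AV has been disabled or not updated in months, is the easiest to check for systematically. The following is an added example (not the post's own tooling) that flags such machines from an endpoint inventory. The record layout, the date format and the seven-day staleness threshold are assumptions, and the inventory rows are constructed for the demonstration; a real run would read the export from whatever endpoint-management product you use.

```python
"""Added example, not from the Halkyn post: flag endpoints whose AV is
disabled or whose signatures are stale, from a constructed inventory export.
Record layout, date format and the staleness threshold are assumptions."""
from datetime import datetime, timedelta

# Constructed inventory rows, in the shape an endpoint-management export
# might provide them (hostnames and dates are made up).
INVENTORY = [
    {"host": "ws-001",  "av_enabled": True,  "sig_updated": "2017-03-20"},
    {"host": "ws-002",  "av_enabled": False, "sig_updated": "2017-03-21"},
    {"host": "srv-db1", "av_enabled": True,  "sig_updated": "2016-12-01"},
    {"host": "ws-003",  "av_enabled": True,  "sig_updated": None},
]


def av_findings(inventory, now, max_sig_age_days=7):
    """Return (host, reason) pairs for every endpoint that fails the AV check.

    Checks, in order: AV switched off; no signature update ever recorded;
    signatures older than max_sig_age_days.
    """
    findings = []
    for rec in inventory:
        if not rec["av_enabled"]:
            findings.append((rec["host"], "AV disabled"))
            continue
        if rec["sig_updated"] is None:
            findings.append((rec["host"], "no signature update recorded"))
            continue
        age = now - datetime.strptime(rec["sig_updated"], "%Y-%m-%d")
        if age > timedelta(days=max_sig_age_days):
            findings.append((rec["host"], f"signatures {age.days} days old"))
    return findings


def coverage_ratio(inventory, now, max_sig_age_days=7):
    """Fraction of endpoints with AV enabled and signatures within the threshold."""
    if not inventory:
        return 0.0
    failing = {host for host, _ in av_findings(inventory, now, max_sig_age_days)}
    return (len(inventory) - len(failing)) / len(inventory)


if __name__ == "__main__":
    # Constructed "now" so the output is reproducible.
    checked_at = datetime(2017, 3, 22)
    for host, reason in av_findings(INVENTORY, checked_at):
        print(f"{host}: {reason}")
    print(f"healthy: {coverage_ratio(INVENTORY, checked_at):.0%}")
```

Feeding this into a ticketing or dashboard workflow turns "use your antivirus" from a slogan into a measurable control: the coverage ratio is the number to watch, and every finding is a machine that an attacker would not even need to bypass AV on.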

The key point here is that AV needs to be part of your security controls. It should never be the only control you have, but that isn’t enough of a reason not to have it. While it is possible for reasonably low-skilled attackers to circumvent your antivirus controls, you would be amazed at how much it will still stop.

If you implement the three security good practices mentioned above, and run an up-to-date AV tool, 90% (or more) of attacks will fail.

Don’t give up on AV simply because it can't work on its own.
