Antivirus (AV) has been around for decades now and this is both a good and bad thing. On one hand, AV is so well known most people already understand that they need to have it. But on the other, all the attackers know about it. This means the first step in pretty much every attack is “bypass AV.”
The reality is, bypassing AV is actually not that hard. Partly this is because antivirus software tends to rely on signature-based detection. Here, all an attacker needs to do is make an insignificant change to the file and the signature no longer matches.
Even the better AV products, which use things like heuristics, can be bypassed with freely available tools. An example is the Shikata ga nai framework, designed to leave AV helpless.
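To make the brittleness of signature matching concrete, here is a small added example (not code from the original post). It scans a constructed stand-in for a known-bad file with two kinds of signature: an exact SHA-256 hash and a content pattern in the spirit of a YARA string. A one-byte change to the file's trailing data defeats the hash signature but not the content one, which is why a detection layer that only checks hashes needs other controls behind it.

```python
import hashlib

# Constructed sample standing in for a known-bad binary (not real malware).
KNOWN_BAD = b"MZ\x90\x00" + b"payload-routine-v1" + b"\x00" * 8 + b"config=1"
KNOWN_BAD_SHA256 = hashlib.sha256(KNOWN_BAD).hexdigest()

# Hash signature: exact match on the SHA-256 of the whole file.
HASH_SIGNATURES = {KNOWN_BAD_SHA256}

# Content signature: a byte pattern taken from the sample's code section
# (hypothetical string, chosen for this example only).
CONTENT_SIGNATURES = [b"payload-routine-v1"]


def matches_hash(data: bytes) -> bool:
    """True if the file's SHA-256 is on the block list."""
    return hashlib.sha256(data).hexdigest() in HASH_SIGNATURES


def matches_content(data: bytes) -> bool:
    """True if any known byte pattern appears anywhere in the file."""
    return any(sig in data for sig in CONTENT_SIGNATURES)


def scan(data: bytes) -> dict:
    """Run both detection methods and report which ones fired."""
    return {"hash": matches_hash(data), "content": matches_content(data)}


def trailing_change(data: bytes) -> bytes:
    """Constructed 'insignificant change': flip the last byte of the
    trailing config data. The code bytes are left untouched."""
    return data[:-1] + b"2"


if __name__ == "__main__":
    print("original:", scan(KNOWN_BAD))                    # both fire
    print("variant :", scan(trailing_change(KNOWN_BAD)))   # hash misses, content fires
```

The content signature survives this particular change only because the altered byte lies outside the pattern; it shows why AV vendors layer heuristics and behavioural checks on top of static signatures rather than relying on any one of them.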
The availability of these tools is now so widespread that lots of security professionals are confidently making statements like “AV is dead” or posts titled “Why antivirus protection is a joke.” You can even watch an excellent YouTube video on how to bypass antivirus.
Basically, everything these people are saying is correct. Attackers can and will bypass antivirus. Often they will do it with very little effort.
Despite what the vendor may tell you, you can have a top end, fully updated AV product and still get hacked. A lot.
But this is missing the point. It doesn’t mean that the product is useless or that we should all give it up and live in an AV-free world. It just means that, like every security product, it has its place. Remember, there is no holy grail or silver bullet, no single product that can do everything and protect you from every cyber threat.
The important thing to remember is that if you DON'T have antivirus, even the lazy attackers who can't be bothered to bypass it will get into your system.
Bringing AV Back to Life
So, we’ve established that the reports of antivirus being dead are premature, but what do we do about it?
Remember, security is all about defence in depth. You need to be adding so many layers of controls that the attacker runs out of steam long before they hit your important assets. Within this model, AV has a crucial part to play.
With this in mind, here are our handy hints on how to keep AV alive in your organisation and make sure it is providing the value you expect.
- Review your security model. AV has a part to play but it is only a part. Make sure you have other controls.
- Fund AV properly. Don't blow your budget on an incremental improvement to AV, but also don't scrimp and get some freeware version which you can't manage.
- Implement good security practices. Whatever else you do, you need to consider the top three security controls: application whitelisting, patching and privilege management. With these in place, your AV works much better. Without them, you will still get hacked. A lot.
- Use your antivirus. We’ve lost count of the number of incidents we are called to support that originate on a machine where AV has been disabled or not updated in months. This is poor practice.
The key point here is that AV needs to be part of your security controls. It should never be the only control you have but that isn’t enough of a reason to not have it. While it is possible for reasonably low skilled attackers to circumvent your antivirus controls, you would be amazed at how much it will still stop.
If you implement the three good security practices mentioned above, and run an up-to-date AV tool, 90% (or more) of attacks will fail.
Don’t give up on AV simply because it can't work on its own.