December 21, 2016

Endpoint security: Is anti-virus dead?

By Davitt Potter
Sr. Engineering Manager, Cybersecurity
Arrow Enterprise Computing Solutions


More and more, the question being asked about endpoint protection and anti-virus isn’t “who should we use,” but rather, “do we even need anti-virus anymore?”

Traditional anti-virus refers to the dedicated anti-virus clients that used to be commonplace, like Norton and McAfee. While that method of protection worked in the past, its efficacy is starting to decrease, which is why some new vendors argue that anti-virus, overall, is dead.

The anti-virus past

Traditional anti-virus safeguards against known viruses and known malware. At the process level, every virus has a unique signature or fingerprint: run a piece of malware or a virus through a cryptographic hashing process and it produces a fingerprint, and the anti-virus software keeps a database of all of those fingerprints. If it sees something like Zeus, or any other known virus, it says “I know what you are” and blocks it. The problem is that every time you change a virus’s source code, even by one character, it generates a new hash or cryptographic signature, which has to be added to the database and distributed to the endpoints.

So now the database has to store a thousand fingerprints, then ten thousand, then a hundred thousand… As a result, that database on your local machine gets bigger and bigger. Where the original anti-virus client may have been just 10 megabytes, now it’s 100 megabytes, and it constantly has to update that signature database.
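The fingerprint model described above, as an added example that is not code from the original post: a toy scanner that hashes a file, looks the hash up in a signature table, and counts how many table entries are needed once trivially modified variants appear. The "known bad" files are constructed byte strings, not real samples, and the table layout is invented for illustration.

```python
"""Toy hash-signature scanner, showing the per-sample fingerprint model.

Added example, not code from the original post. The "known bad" files
below are constructed byte strings standing in for malware samples, and the
signature table format is invented for illustration.
"""
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for files a vendor has already analysed and listed.
KNOWN_SAMPLES: Dict[str, bytes] = {
    "constructed-sample-A": b"MZ\x90\x00constructed sample A body",
    "constructed-sample-B": b"MZ\x90\x00constructed sample B body",
}


def fingerprint(data: bytes) -> str:
    """The signature is simply a cryptographic hash of the whole file."""
    return hashlib.sha256(data).hexdigest()


def build_signature_db(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Hash -> name lookup table: the post's 'database of fingerprints'."""
    return {fingerprint(body): name for name, body in samples.items()}


def scan(data: bytes, db: Dict[str, str]) -> Optional[str]:
    """Exact-match lookup: the matched name, or None for an unknown file."""
    return db.get(fingerprint(data))


def signatures_needed(sample: bytes, variant_count: int) -> int:
    """Count the new table entries required to cover `variant_count`
    variants that each differ from `sample` by a few appended bytes."""
    db = build_signature_db({"original": sample})
    for i in range(variant_count):
        # Each variant differs from the original only in its trailing bytes.
        variant = sample + bytes([i % 256]) + (i // 256).to_bytes(2, "big")
        if scan(variant, db) is None:                 # no variant is recognised...
            db[fingerprint(variant)] = f"variant-{i}"  # ...so each needs its own entry
    return len(db) - 1


SIGNATURE_DB = build_signature_db(KNOWN_SAMPLES)

if __name__ == "__main__":
    original = KNOWN_SAMPLES["constructed-sample-A"]
    print("original file:", scan(original, SIGNATURE_DB))
    print("one byte appended:", scan(original + b"\x00", SIGNATURE_DB))
    print("table entries for 1000 variants:", signatures_needed(original, 1000))
```

The one-byte change in the second `scan` call produces a completely different SHA-256 digest, so the exact-match lookup misses; every such variant needs its own entry, which is the growth the post describes.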

Today it’s even more difficult, not only because there are hundreds of thousands of signatures in the database, but also because polymorphic viruses change their own code, so it is simply an arms race between virus writers and anti-virus vendors. We beat them, they beat us; it goes back and forth.

A two-fold problem

Anti-virus manufacturers made good strides in offloading the databases and storing most of the signatures in the cloud. The anti-virus client identifies something suspicious, queries the cloud service, then comes back with a verdict on whether or not it is a threat. That, however, is processor intensive, memory intensive, and takes time, even at today’s internet speeds.

The problem doesn’t stop there. Because anti-virus programs keep growing, their impact on the endpoint is becoming bigger and bigger. Look at some of the usual suspects and, a lot of the time, the cure is worse than the disease: your anti-virus is so big that your machine does nothing except constantly scan files for viruses.

What now?

The shift is now to next generation endpoint protection. There are really a finite number of ways (around 13-15) to compromise a Windows machine, but any number of variations on each of those vectors. So what “next generation endpoint” manufacturers are doing is watching the behavior of software. If the product only has to watch for a small number of processes and behaviors, that’s much more efficient: it doesn’t have to scan every file, just track that behavior. And if it can block one of those attack vectors, it shuts the whole problem down in advance.
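To make the contrast with hash signatures concrete, here is an added example (not code from the original post or any vendor) of a toy behavior monitor: it groups a constructed process-telemetry feed by process and applies two rules, one for an Office application launching a script host and one for a single process that both connects out and writes to an autorun location. The event fields, rule names, image names and the telemetry records are all constructed for illustration; because the rules key on actions rather than file hashes, a renamed or recompiled binary doing the same thing is still flagged.

```python
"""Toy behavior-based endpoint monitor, contrasted with hash signatures.

Added example, not code from the original post or any vendor. The event
records are constructed to resemble a simplified process-telemetry feed;
field names, rule names and process names are illustrative only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Lower-cased substrings that identify common autorun locations (constructed list).
AUTORUN_MARKERS = ("\\currentversion\\run", "\\startup\\")


@dataclass(frozen=True)
class Event:
    pid: int      # process the event belongs to (for "spawn", the child)
    image: str    # image name of that process
    parent: str   # image name of its parent process
    action: str   # "spawn", "connect" or "write"
    target: str   # spawned image, remote endpoint, or written path/key


def group_by_process(events: List[Event]) -> Dict[int, List[Event]]:
    """Build one ordered timeline per process id."""
    timeline: Dict[int, List[Event]] = defaultdict(list)
    for ev in events:
        timeline[ev.pid].append(ev)
    return timeline


def rule_office_spawns_script_host(tl: List[Event]) -> bool:
    """Fires when a script host was launched directly by an Office application."""
    return any(ev.parent in OFFICE_APPS and ev.image in SCRIPT_HOSTS for ev in tl)


def rule_autorun_with_network(tl: List[Event]) -> bool:
    """Fires when one process both connected out and wrote to an autorun location.
    Deliberately ignores the image name, so a renamed binary is still caught."""
    connected = any(ev.action == "connect" for ev in tl)
    autorun = any(
        ev.action == "write" and any(m in ev.target.lower() for m in AUTORUN_MARKERS)
        for ev in tl
    )
    return connected and autorun


RULES: List[Tuple[str, Callable[[List[Event]], bool]]] = [
    ("office-spawns-script-host", rule_office_spawns_script_host),
    ("autorun-with-network", rule_autorun_with_network),
]


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return sorted (rule name, pid) alerts for every process that matches a rule."""
    alerts = []
    for pid, tl in group_by_process(events).items():
        for name, rule in RULES:
            if rule(tl):
                alerts.append((name, pid))
    return sorted(alerts)


# Constructed telemetry: ordinary desktop activity plus one suspicious lineage.
SAMPLE_EVENTS = [
    Event(1310, "notepad.exe", "explorer.exe", "spawn", "notepad.exe"),
    Event(1310, "notepad.exe", "explorer.exe", "write", "C:\\Users\\alice\\notes.txt"),
    Event(2200, "winword.exe", "explorer.exe", "spawn", "winword.exe"),
    Event(2200, "winword.exe", "explorer.exe", "write", "C:\\Users\\alice\\report.docx"),
    Event(2345, "wscript.exe", "winword.exe", "spawn", "wscript.exe"),
    Event(2345, "wscript.exe", "winword.exe", "connect", "203.0.113.7:443"),
    Event(2345, "wscript.exe", "winword.exe", "write",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
]

if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {name}: pid {pid}")
```

Only process 2345 trips the rules; notepad and Word themselves do not, even though Word also wrote a file. No hash of any binary is consulted, which is the efficiency and resilience argument the post makes for watching behavior instead of scanning every file.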

Is anti-virus dead?

Today, there are some manufacturers that will tell you that anti-virus is dead and some that say it may just be MIA. According to a recent Vanson Bourne survey of 500 cybersecurity decision makers sponsored by SentinelOne, 44 percent say antivirus is dead but 85 percent still run it. The next generation endpoint security market is a fast-growing one, and there are tons of services attached to it for customers and partners who want to get into it.

Where this really comes into play is with virtualization. Traditional anti-virus on virtual machines tends to be very problematic due to limiting factors such as disk contention, memory overhead and CPU bottlenecks.

Since Windows machines are used by 90% of the world, they’re the biggest target. However, mobile phones, other mobile devices and Macs are becoming more and more prevalent. Everybody has a mobile device, and they’re too small to run a full anti-virus client, so we’re seeing a lot of small malware aimed at them. This is where next-gen endpoint protection will really come into its own in the near future. Partners who are educated about next-gen endpoint and able to deliver solutions around it will be ahead of the curve.

With the combination of malware analytics, application visibility firewalls, SSL decryption, security analytics suites, and cloud access security brokers (CASBs) coming more into play, we can actually start watching who’s doing what, where they’re going, should they be talking to this, should they be talking to that… As we keep saying, it’s defense in depth: you can’t rely on any one thing. So, as cool as malware analytics and the new malware-focused pieces are, they are still just part of an overall security strategy that needs to be developed.

Different solutions, strategies and approaches to anti-virus and endpoint protection are rapidly appearing. Anti-virus isn’t dead yet, but it may be on its way. For more information about anti-virus and next generation endpoint security, please contact Davitt Potter or your Arrow representative.

Editor’s note: This post was originally published in August 2016 and has been updated for accuracy and comprehensiveness.