The Death of Antivirus Software

Monday, January 23, 2012

Danny Lieberman


So often my ISP calls us up and asks to speak with the IT manager or the person who is responsible for the network.

This time it was Netvision offering me a special deal on Symantec anti-virus and a $5/month service package for virus updates.

Well, I said “We don’t use Windows, and I have not installed nor used an anti-virus for over 9 years”. The sales person asked me what we use and I replied Ubuntu. Never heard of it, she said.

So – I told her – “imagine a free operating system that installs in 15 minutes, with thousands of world-class free software packages, no need to run an anti-virus, and it looks like a Mac”. She said – wow that sounds good. Maybe I should check it out.

Who needs an anti-virus? If I have a solid operating system like Ubuntu 11.10, iptables, good control of the services on my notebook and practice safe email, why should I add additional layers of content security and feed the Symantec stock price?
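The "good control of the services on my notebook" part of that claim is checkable. The following is an added example, not code from the original post: it parses the output of `ss -tulnp` to list every socket reachable from the network, flags those not on an explicit allow-list, and emits an iptables-restore ruleset that drops all inbound traffic except loopback, replies to the notebook's own connections and the allow-listed ports. The `ss` output, process names and ports below are constructed for the example.

```python
"""Listening-service audit and default-deny host firewall for a Linux notebook.

Added example, not code from the original post. The `ss` output below is
constructed for the example; on a real host feed in `ss -tulnp` output.
Ports, interface names and process names are illustrative assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    host: str      # bind address as printed by ss, brackets stripped
    port: int
    process: str   # the Process column, or "-" when ss could not read it


def _split_host_port(field: str) -> tuple[str, int]:
    """Split "0.0.0.0:22", "[::]:22", "127.0.0.1:631" or "*:5353" into (host, port)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """True only for addresses that cannot be reached from the network."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # "*" and similar wildcards mean every interface, so not loopback.
        return False


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp` text: Netid State Recv-Q Send-Q Local:Port Peer:Port Process."""
    listeners = []
    for line in output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 6:
            continue
        proto, state = cols[0], cols[1]
        if proto == "tcp" and state != "LISTEN":  # only bound sockets matter here
            continue
        host, port = _split_host_port(cols[4])
        process = cols[6] if len(cols) > 6 else "-"
        listeners.append(Listener(proto, host, port, process))
    return listeners


def exposed_listeners(output: str) -> list[Listener]:
    """Every socket bound to a non-loopback address: reachable attack surface."""
    return [l for l in parse_ss(output) if not is_loopback(l.host)]


def unexpected_listeners(output: str, allowed: set[tuple[str, int]]) -> list[Listener]:
    """Exposed sockets that are not on the explicit (proto, port) allow-list.

    Anything reported here is either a service to disable or a hole to add to
    the firewall allow-list deliberately, never something to leave by accident.
    """
    return [l for l in exposed_listeners(output) if (l.proto, l.port) not in allowed]


def host_ruleset(allowed_tcp: set[int], allowed_udp: set[int] = frozenset()) -> str:
    """iptables-restore text: drop inbound by default, allow loopback, replies
    to our own connections, rate-limited ping, and the explicit allow-list."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT",
    ]
    lines += [f"-A INPUT -p tcp --dport {p} -j ACCEPT" for p in sorted(allowed_tcp)]
    lines += [f"-A INPUT -p udp --dport {p} -j ACCEPT" for p in sorted(allowed_udp)]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# Constructed sample of `ss -tulnp` on a notebook: sshd and avahi face the
# network, cupsd and chronyd are loopback-only.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5          127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=701,fd=12))
udp   UNCONN 0      0              [::1]:323          [::]:*    users:(("chronyd",pid=555,fd=6))
"""

if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_SS, allowed={("tcp", 22)}):
        print(f"unexpected: {l.proto}/{l.port} on {l.host} {l.process}")
    print(host_ruleset(allowed_tcp={22}))   # pipe into `sudo iptables-restore`
```

On the constructed sample the audit reports avahi-daemon on udp/5353 as the one exposed service not on the allow-list; sshd on 22 is expected, and cupsd and chronyd are unreachable from the network. The ruleset is generated rather than applied because loading it needs root; review the output and then pipe it into iptables-restore.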

Additional security controls do not necessarily reduce risk.

Installing more security products is never a free lunch. Each product adds code, privileges and configuration that interact with what is already there, so the total system risk and cost of ownership tend to go up rather than down.

Many firms treat information security mainly as an exercise in permissions and identity management (IDM). However, it is clear from conversations with two of our large telecom customers that (a) IDM is worthless against a trusted insider who already holds the appropriate privileges, and (b) because an IDM system requires so much customization (as much as 90% in a large enterprise network), it contributes additional vulnerabilities instead of lowering overall system risk.

The result of applying inappropriate countermeasures to threats is that your cost of attacks and cost of ownership go up instead of your risk going down. This is as true for a personal workstation as it is for a large enterprise network.

For an individual user the question is easy to answer from a security perspective: install a decent personal firewall (not Windows, and please stay away from Symantec) and be careful.

For a business, the question is harder to answer because it is a rare company that has such deep pockets they can afford to purchase and install every security product recommended by their integrator and implement and enforce all the best-practice controls recommended by their accountants.

An approach we like is taking standards-based risk assessment and implementing controls that are a good fit to the business.

Our 6-step business threat analysis methodology enables any business to build a quantitative risk model and construct an economically-justified, cost-effective set of countermeasures that reduces risk in their and their customers’ business environment.

More importantly, a company can execute a “gentle” implementation plan of controls concomitant with its budget instead of an all-or-nothing compliance checklist implementation that may cost mega-bucks.
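The post does not spell out the six steps, so what follows is an added example rather than the author's methodology or any vendor tool. It shows the kind of model such an analysis ends in: each threat gets an annualized loss expectancy (ALE = single loss expectancy × annual rate of occurrence), and each candidate control is charged both its annual cost and the loss expectancy it introduces itself (privileged agents, heavy customization, outages), which is the interaction cost the post warns about. Controls are then picked by net benefit within a budget, so a control that costs more than the risk it removes is left out. All threat and control figures are constructed.

```python
"""Quantitative risk model: which countermeasures actually pay for themselves.

Added example, not the author's six-step methodology or any vendor tool. It
uses the standard annualized loss expectancy (ALE = single loss expectancy x
annual rate of occurrence) and charges each control both its annual cost and
the loss expectancy it introduces itself (new privileged code, customization,
outages). All threat and control figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float   # single loss expectancy per incident
    aro: float   # expected incidents per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigates: dict           # threat name -> fraction of its ARO removed
    induced_ale: float = 0.0  # annual loss expectancy the control itself adds


def residual_ale(threats, controls) -> float:
    """Total expected annual loss with the given controls in place.
    Mitigations of independent controls against the same threat multiply."""
    total = 0.0
    for t in threats:
        aro = t.aro
        for c in controls:
            aro *= 1.0 - c.mitigates.get(t.name, 0.0)
        total += t.sle * aro
    return total + sum(c.induced_ale for c in controls)


def net_benefit(threats, in_place, candidate) -> float:
    """Risk removed by adding `candidate` on top of `in_place`, minus its cost.
    Negative means the control raises total cost: the post's 'no free lunch'."""
    saved = residual_ale(threats, in_place) - residual_ale(threats, in_place + [candidate])
    return saved - candidate.annual_cost


def select_controls(threats, candidates, budget) -> list:
    """Greedy plan: keep adding the affordable control with the largest positive
    net benefit, re-scoring each round because earlier picks shrink what is left."""
    chosen, pool, remaining = [], list(candidates), budget
    while pool:
        scored = [(net_benefit(threats, chosen, c), c)
                  for c in pool if c.annual_cost <= remaining]
        scored = [(nb, c) for nb, c in scored if nb > 0]
        if not scored:
            break
        _, best = max(scored, key=lambda s: s[0])
        chosen.append(best)
        remaining -= best.annual_cost
        pool.remove(best)
    return chosen


# Constructed figures for a small software vendor (illustrative only).
THREATS = [
    Threat("phishing-led workstation malware", sle=40_000, aro=0.5),
    Threat("insider misuse of privileged access", sle=250_000, aro=0.1),
    Threat("web application injection / data breach", sle=300_000, aro=0.2),
]

CONTROLS = [
    Control("endpoint antivirus suite", 12_000,
            {"phishing-led workstation malware": 0.4}, induced_ale=6_000),
    Control("enterprise IDM rollout", 50_000,
            {"insider misuse of privileged access": 0.1,
             "web application injection / data breach": 0.2}, induced_ale=10_000),
    Control("input validation and code review", 20_000,
            {"web application injection / data breach": 0.7}),
    Control("admin least privilege and session logging", 8_000,
            {"insider misuse of privileged access": 0.5}),
    Control("mail attachment filtering", 3_000,
            {"phishing-led workstation malware": 0.5}),
]


def plan(budget: float) -> dict:
    """Summary of the greedy plan for a given annual security budget."""
    chosen = select_controls(THREATS, CONTROLS, budget)
    return {
        "chosen": [c.name for c in chosen],
        "spend": sum(c.annual_cost for c in chosen),
        "baseline_ale": residual_ale(THREATS, []),
        "residual_ale": residual_ale(THREATS, chosen),
    }


if __name__ == "__main__":
    for c in CONTROLS:
        print(f"{c.name:45s} net benefit {net_benefit(THREATS, [], c):>10,.0f}")
    print(plan(budget=40_000))
```

With these constructed numbers the baseline ALE is 105,000. The antivirus suite removes 2,000 of expected loss but costs 12,000 a year, so its net benefit is negative and it is never selected; the IDM rollout is likewise a net loss even before the budget excludes it. On a 40,000 budget the plan picks code review, mail filtering and admin least privilege, spends 31,000 and brings residual ALE down to 40,500. The multiplicative mitigation and the greedy selection are modelling assumptions; replace them with whatever your own threat data supports, but keep the induced-risk term, since it is what makes "more controls" and "less risk" come apart.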

And in this economy – fewer and fewer businesses have the big bucks to spend on security and compliance.

Software Associates specializes in helping medical device vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments in the best and most cost-effective way for your business and pocketbook.

Cross-posted from Israeli Software

Kevin McAleavey You might recall that I did a six-part piece a couple of months ago on how the AV industry has failed, and I can't agree more wholeheartedly with your conclusions.

Just wanted to add though that although Linux is a vast improvement over Windows as a server and end user environment, I'd like to point out that BSD is even better from a security standpoint with far fewer security issues than the Linuces. And sadly, Ubuntu's been seeing more of them than some of the other distros of late from what I've been seeing. Still far better than Windows though.

BSD's downside is that though it's incredibly secure, it's entirely user-hostile and is difficult to configure since so little of it is readily packaged to install and go. It's even more difficult for an end user to make use of. That was the reason for our KNOS product which adds numerous levels of additional security for client use and is ready to go.

And my whole reason for the KNOS Project was exactly because of the points you bring up and an antivirus industry that continues to fail harder with each passing day.

Thanks for adding your voice to mine in that regard!
Bobby Mann You guys make me laugh. First, your "less-than-popular" i.e. non-mainstream OSs have their issues - but why waste time on these Operating Systems when there is so much more low-hanging fruit. The failure is not in the software (I don't know about you, but I don't have the skills to block every possible attack with a limited toolset and interfaces), the failure is in the Operating systems and applications. Period. Stop blaming the security industry who is trying to patch a rubber dinghy full of holes! The reality is that for the vast majority of home users Norton/Symantec and other AntiVirus products are a necessity and do go a long way to securing those systems. Symantec did a poll a year ago and 90% of the users were satisfied - that's a pretty good track record and vote of confidence. Face it, your operating systems are purpose-built and nobody will waste their time to hack into them. And if they do, watch out.
Danny Lieberman Bobby,

I'm not sure I follow your argumentation.

You say that the failure is in the Operting (sic) systems and applications - I assume you mean Windows and Windows applications.

You equate end-user satisfaction with Symantec products as proof of security countermeasure effectiveness, which is like saying that since I love my Merida road bike I'm not going to get killed by a drunk driver tomorrow morning.

There is little to no correlation between consumer product satisfaction and its inherent safety unless you're talking about Volvo.

Empirical evidence and prospect theory (road bikes, motorcycles, unpatched Windows) show that people are risk-hungry for high-impact, rare events and risk-averse to low-impact, common events like anti-virus.

In my post, I am claiming that there is a CHEAPER security alternative than Windows and anti-virus.

Ubuntu 11 has a rich UI and infinitely richer set of available applications than Windows 7 via the package manager and the stock installation can be done by any babushka.

Wake up and smell the hummous man. Linux is not Red Hat 3 anymore. Safer, sexier and more fun than Windows

CP Constantine as much as I hate to beat the "It's the users, stupid" drum once again... No consumer-grade OS is inherently more secure than another... however, some consumer grade OS /configurations/ are more secure than others.

Case in point? Install your beloved Ubuntu or OSX, choose not to set a user password. Anything I can execute through your browser now has easy, unfettered access to root. Game Over.

(And yes, I am implying that Network and Host Security Management is just a glorified term for Configuration Management at the end of the day. Throw in some quality assurance there too, and you start wondering why Security always seems so at odds with the rest of IT, when we essentially do exactly the same work...)

(Disclosure, I am an Ubuntu user and work for a SIEM vendor: I'm also a firm believer that arbitrary configuration changes, i.e. swapping one OS out for another, are not the answer to our lack of ability to directly address fundamental root causes in infosec over treating the symptoms, time after time).
Danny Lieberman CP

We cannot derive the entire threat surface from a sample of 4 (you, me, Bobby and Kevin).

Almost 8 years ago, Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles Pfleeger, John Quarterman and Bruce Schneier wrote a report titled: CyberInsecurity: The Cost of Monopoly – How the Dominance of Microsoft’s Products Poses a Risk to Security.

One of the commonly used canards by Microsoft monoculture groupies is that all operating systems have vulnerabilities and Windows is no better nor worse than Linux or OS/X. If “you” patch properly everything will be hunky-dory. There are a number of reasons why this is fallacious, to quote the report:

Microsoft is a near-monopoly controlling the overwhelming majority of systems. This means that the attack surface is big, on a US national level and international level.

Microsoft has a high level of user-level lock-in; there are strong disincentives to switching operating systems.

This inability of consumers to find alternatives to Microsoft products is exacerbated by tight integration between applications and operating systems, and that integration is a long-standing practice.

Microsoft’s operating systems are notable for their incredible complexity and complexity is the first enemy of security.

The near universal deployment of Microsoft operating systems is highly conducive to cascade failure; these cascades have already been shown to disable critical infrastructure.

After a threshold of complexity is exceeded, fixing one flaw will tend to create new flaws; Microsoft has crossed that threshold.

Even non-Microsoft systems can and do suffer when Microsoft systems are infected.

Security has become a strategic concern with this administration but security must not be permitted to become a tool of further monopolization by companies like Microsoft.
CP Constantine All true, but my point remains: microsoft's dominance is not a root cause of security woes, it is just an exacerbating factor. Getting the patient with congenital heart disease to stop drinking may prevent things getting worse, but it's not the cure.

Likewise, screaming into the echo chamber we built in the late 90's with "Dump Microsoft, it's Insecure" isn't going to change anything, MS is here to stay for a while yet, the problems inherent to their platform are yet another symptom we must route and take into account. If you purged every Microsoft OS Installation from the planet, you'd maybe buy us a year's respite of comparative threat downtime while threat actors regrouped.

In short, security is not an issue of what systems we use, but how we use and build them.

Or, to re-use an old one.. People don't rob banks because of the challenge, or personal grudges against the bank, but because that's where the money is.

And finally. If commercial developers weren't demanding that app/os integration from microsoft, they'd be demanding it from (insert replacement OS here).

Whatever symptoms you treat, others will arise to replace them.

Danny Lieberman CP

For sure, attackers exploit vulnerabilities, not the other way around.

The 2 key points of the post, which you seem to be missing by over-generalization, are:

a) standards such as PCI DSS place an over-emphasis on anti-virus as a "threat management" tool at the expense of "threat analysis". This causes customers to stop thinking about security since they are spending most of their brain cycles thinking about how to mitigate the auditor threat.

b) security being complex, is about alternatives. non Windows (non commodity) operating systems are an alternative, just as mobile devices are an alternative to notebooks.

I disagree that everything is equal and nothing can be changed.

If the automotive industry were structured like the PC industry, you would buy a car from your local KIA dealer, and have to drive somewhere else to buy brakes.

Consider that.
CP Constantine Actually I wasn't really responding to the rest of the post at all, just the comments thread. But to return back to the major point you were making (Antivirus is obsolete) I'll weigh in on 0.02 here.

If your entire enterprise security program relies on endpoint integrity, (i.e. antivirus and expanded product family) you're fraked from the get-go. (and of course, almost everything I've seen out there takes desktop endpoint as 99% of what they monitor).

PCI is, and always has been, a way to force a minimum amount of manageable security, onto people that otherwise would almost deliberately do none. So it overemphasises things that are simple, repeatable and measurable (not effective, since we still have no standardized way of measuring and communicating what effective security is).

Danny Lieberman CP

Well - you got me thinking.

You work for a SIEM vendor so you know a thing or 2 about reality.

Yes, PCI is about forcing a minimal amount of security so we need to examine the end game objective of PCI.

The card associations are champs at risk management and they have excellent and well-proven ways of quantifying their value at risk (unlike the general security industry).

PCI is about protecting the card associations and the payment process supply chain not the card-holder nor a specific merchant. They can always sanction the merchant by cutting him off at the knees or recover their costs via chargebacks and a higher interchange.

Once we understand that, we realize that Visa and M/C understand very well the costs of their security countermeasures (PCI DSS 2.0) versus their value at risk (lost transactions and processing of fraudulent transactions).

It is a deliberate risk management decision on the part of Visa and M/C to enforce the minimum amount of security that their supply chain will bear, because more than that - the merchants will balk and less than that, the cost of attacks is too high.

The card association risk management strategy, does not bode well for the legions of security vendors that pay Larry Ponemon money to inflate the costs of data security breaches.

CP Constantine heh, I took a job with a SIEM vendor to get *away* from reality (too many years working Incident Response and having to use crappy SIEM products.. so I decided to attack the problem at its source :) )

As to the issue of PCI, and minimum set of security, here's a thought for you: wouldn't it be great if we could actually empirically prove what is effective and what isn't: and actually enforce the 'minimally effective' instead of the 'consensus concession' to it we have to do now. But then, we'd have to have security become guided by numbers other than ledger balances, and we're still far off from that.

Danny Lieberman There is a growing number of people who understand the importance of security metrics, quantifying threat and prioritizing countermeasures. Read Jaquith's book on Security metrics and work we've done on quantitative threat modeling at

But - I agree that we're far away from the ultimate goal of running security like we run a real business.
irish celena There was lots of software that came out in 2011. Some was good and some was not up to the mark! According to your point, you say that the failure is in the Operting (sic) systems and applications. There were lots of attacks from viruses too, but Ubuntu and Linux were not affected by them.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.