Why Best Antivirus Software Is Not Enough

Glopinion by Srdjan Kali

Feb 24, 2019

And why you still need it

Antivirus software cannot keep up with new malware or with variants of known malware, but it continues to play a role in the overall endpoint strategy. Traditional signature-based antivirus has serious shortcomings when it comes to stopping new threats such as zero-day attacks and ransomware, but experts say it still has a place in the enterprise as part of a multilayer endpoint strategy. The best antivirus products act as the first layer of defense, stopping the vast majority of malware attacks and leaving less work for the broader endpoint protection software.

Antivirus products create a signature for every piece of malware detected in the wild, but for that process to start, someone has to be infected first. "And once an antivirus company does that, days or months can pass before all endpoints are correctly updated with the new signature," says Ed Metcalf, senior product marketing director at Cylance, Inc. "Until then, the cyber attack could easily spread across the entire enterprise and cause damage or steal data."


Research reveals a change in the role of antivirus software

According to a poll of last year's Black Hat attendees, 73 percent believe traditional antivirus is irrelevant or outdated. "Trust in antivirus's ability to block or protect has definitely decreased," says Mike Spanbauer, vice president of strategy and research at NSS Labs, Inc. Much recent research supports this view. In September, the security company WatchGuard Technologies released the results of a comprehensive test of traditional antivirus.

It measured how well one of the leading traditional antivirus products detected zero-day threats by observing customers who ran only a traditional antivirus product alongside those who ran next-generation endpoint protection products. Traditional antivirus missed 38 percent of the malicious attacks that the next-generation platform, which uses a behavior-based approach, caught. That is an increase of 30 percent compared to the end of 2016, when the company began this research.

The traditional antivirus product was from AVG Technologies, a well-tested product. In fact, in a report released by AV-Comparatives in September, AVG caught 100% of the tested samples, which ranks it among the top ten products on the market. However, AV-Comparatives tested AVG on samples of known malware, not against new attacks. Why is traditional signature-based antivirus getting worse at detecting threats? "Obstacles are developing," says Rob Lefferts, corporate vice president of Microsoft 365. "I would avoid using the statement 'antivirus is dead,' but if I'm thinking of relying on an antivirus solution alone, those days have passed."

Not only have attackers become better at rapidly generating endless variants of existing malware, altered just enough to defeat an existing signature, but new kinds of attacks are appearing, such as fileless attacks, which traditional antivirus will not catch, he says. Companies are aware of the problem. According to the latest SANS survey of IT professionals on endpoint protection, traditional antivirus caught only 47 percent of endpoint breaches. The rest were caught by SIEMs, network analysis, advanced endpoint protection systems and other technologies. However, only 50 percent of companies have acquired next-generation tools, and only 37 percent have that functionality enabled. In addition, although 49 percent have tools to detect fileless attacks, 38 percent do not use them.

The Ponemon Institute reported similar findings this month in a survey of IT security professionals. Seventy percent said they were very worried about new and unknown threats, but only 29 percent said their traditional signature-based antivirus provided all the protection they needed.


In defense of traditional antivirus

Should companies abandon traditional antivirus in favor of newer technologies? No, according to Microsoft's Lefferts, who says that traditional antivirus still has a role. Behavior analysis, quarantine and other advanced tools take a lot of time and consume network bandwidth and computing resources. Traditional antivirus is fast, inexpensive and simple. "If you look at the different types of malware, there are more and more polymorphic or customized attacks," he says. "But if you take into account routine malware, it still represents the bulk of the attacks that happen on a daily basis."

Although traditional antivirus cannot stop every attack, it can block a significant number of them at low cost. "Well, let's do that," Lefferts says. "But we certainly cannot afford to stop there, and I do not think anyone today says we should stop there."

Potential threats that get past the first line of defense can then be analyzed based on the characteristics of their behavior, or quarantined for safe detonation. One company that has no choice about whether to use traditional antivirus is a national mortgage insurance corporation based in Emeryville, California. "Our clients are banks, and many of them require that we have a traditional signature-based antivirus as part of our installed defenses," says Bob Vail, director of information security at the company.

Sophos, the company's antivirus vendor, has good detection results, and its product is very lightweight, he says. It is a good first round of defense, but Vail says he knows it is not enough. "As a rule, antivirus works after the fact," he says. "Someone has to be infected for the signature to be developed, and then we hope that everyone else is protected before they are attacked."

The company also has a second layer of protection against malware that gets through: an Enosh-based behavioral system. The two products work well together, says Vail. "If a known virus is detected, Sophos will put the file in quarantine before it gets the chance to execute," he says. "But whatever slips past it will run into an enemy, so this is classic defense in depth."

Traditional antivirus is a good complement to newer technologies such as behavioral analytics, quarantine and machine learning. The more advanced tools can require more processing power, which can slow down the computer. If a product runs behavioral or other tests on a potential threat before it lets the user access the file, that can hurt productivity. If instead it lets files through and tests them afterward, malware has a window of opportunity to reach the enterprise.
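To make the layering described here concrete, the following added example (not code from any product or person named in this article) models a cheap hash-signature layer in front of a behavior-scoring layer. The malware bytes, the "known bad" signature, the event names and their weights are all constructed for the illustration; it shows why a one-byte variant and a fileless attack slip past the signature layer yet can still be caught by the behavioral layer.

```python
"""Toy two-layer endpoint check: signature layer first, behavior layer second.

Added illustration for this article; all samples, signatures and event
traces are constructed, nothing here is real malware or a real product.
"""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "known malware" and a polymorphic variant: identical logic, one
# byte of padding changed, which is enough to yield a completely different hash.
KNOWN_SAMPLE = b"FAKE-SAMPLE-v1 drop payload; persist; beacon; PAD=\x00"
VARIANT_SAMPLE = b"FAKE-SAMPLE-v1 drop payload; persist; beacon; PAD=\x01"

# Layer 1: signature database keyed by file hash (constructed entry).
KNOWN_BAD_HASHES = {sha256(KNOWN_SAMPLE)}

def signature_layer(data: bytes) -> bool:
    """Fast, cheap check: does the file's hash match a known-bad signature?"""
    return sha256(data) in KNOWN_BAD_HASHES

# Layer 2: behavior scoring over a trace of observed process actions.
# Event names and weights are hypothetical; a real EDR has many more.
SUSPICIOUS_WEIGHTS = {
    "writes_autorun_key": 3,        # persistence
    "spawns_script_host": 2,        # typical of fileless attacks
    "encrypts_many_user_files": 5,  # ransomware-like behavior
    "beacons_to_new_domain": 2,     # command-and-control traffic
}
BEHAVIOR_THRESHOLD = 5

def behavior_layer(events: list[str]) -> int:
    """Score observed behavior; higher means more suspicious."""
    return sum(SUSPICIOUS_WEIGHTS.get(e, 0) for e in events)

def evaluate(data: bytes, events: list[str]) -> str:
    """Defense in depth: block on signature first, else fall through to behavior."""
    if signature_layer(data):
        return "blocked:signature"
    if behavior_layer(events) >= BEHAVIOR_THRESHOLD:
        return "blocked:behavior"
    return "allowed"

if __name__ == "__main__":
    print(evaluate(KNOWN_SAMPLE, []))                                   # blocked:signature
    print(evaluate(VARIANT_SAMPLE, ["writes_autorun_key", "beacons_to_new_domain"]))  # blocked:behavior
    print(evaluate(b"", ["spawns_script_host", "writes_autorun_key"]))  # fileless: blocked:behavior
    print(evaluate(b"quarterly report", ["opens_document"]))            # allowed
```

The fileless case passes an empty file body: there is nothing on disk for the signature layer to hash, so only the behavioral layer can see it.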

Finally, when a new threat is discovered, additional work is needed to mitigate it and to generate signatures that protect against it in the future. "The first level of defense will always be some kind of signature-based defense," says Raja Patel, a corporate vice president at McAfee LLC. "If you already know that something is bad, why spend an extra layer of protection on it?"

Without this initial signature-based triage, companies would have to spend far more time, effort and money countering every threat they encounter, he says. "You can imagine how much work the security team would have had." If a threat can be caught and stopped right at the entrance, that is the cheapest option. "Signature-based antivirus saves human effort and reduces false positives and delays," he says. "It's a fantastic first layer, and it will stay that way for a long time."


Traditional antivirus and next-generation endpoint protection tools are converging

As the industry matures, companies will be able to get a complete malware protection tool from a single vendor, if they cannot already. Traditional antivirus vendors are adding next-generation capabilities, while next-generation vendors are incorporating signature-based protection into their packages.

Endpoint security startup CrowdStrike, for example, launched its comprehensive Falcon platform four years ago, enabling users such as the Center for Strategic and International Studies, a Washington think tank, to have everything in one place. "We already had CrowdStrike installed and relied on it as part of our endpoint security," says Ian Gottesman, technical director of the organization. "Extending that solution with an antivirus system was useful for CSIS, and I would recommend that every other organization do the same."

Companies increasingly expect antivirus protection to be included in a next-generation endpoint solution. "Companies do not like to mix and match," says Adam Kujawa of Malwarebytes Corp., an anti-malware vendor. "They prefer to have one supplier, so security solutions have multiple layers, incorporating more technologies to maximize the amount of protection."

Nor are traditional antivirus vendors standing still. Instead, many are buying or building next-generation tools that can help catch attacks that break through the signature-based defense. "Antivirus will disappear in the next few years if it does not evolve," says Luis Corrons, PandaLabs technical director at Panda Security, a maker of traditional antivirus software. "We at Panda were aware of that."

For several years the company has been detecting malware based on behavior, but even that is not enough. A large number of successful breaches involve no malware at all, he says. "Let's make this crystal clear: traditional antivirus is useless against these attacks because there is no malware there," he says. For example, attackers can abuse existing software that is not malicious. The company has recently developed new tools to monitor the behavior of all active applications in the enterprise.

"This gives us full visibility into what is happening in our network," he says. McAfee has also added new layers of protection, says McAfee's Patel. "Signature-based protection will protect you against threats you already know about, but it will not protect patient zero or cover the period from infection until the new signature arrives," he says.

According to Ponemon's research, 64 percent of companies experienced one or more endpoint attacks this year that compromised data or infrastructure, and 63 percent said the number of attacks has increased compared to last year. Meanwhile, the average cost of a successful attack rose from $5 million to $7.1 million, an average of $440 per compromised endpoint. For small and medium-sized enterprises the average cost was even higher, at $763 per endpoint.

"What is worrying is how slowly many organizations react to these new tactics and adjust their security strategies," says Satya Gupta, founder and technical director at Virsec Systems. "We are still stuck in the idea of guarding the perimeter and stopping what has been seen before."

Copyright © GLBrain 2019. All rights reserved.