Anti-Virus is Dead, Well According to a Competing Vendor

Jan 3rd, 2013


Imperva have released a whitepaper on the supposed effectiveness of Anti-Virus products. The conclusion? Anti-Virus products are less effective against malware they have not seen previously.

Really? You are telling me a signature-based product is less effective when it does not have a signature? Wow, revolutionary.

Having previously worked for a virus vendor, I am well aware of the Anti-Virus solution limitations. The products essentially work by creating a unique hash of any file that has been identified as malicious. The identification of files as malicious is pretty straightforward: you run the files in a sandbox environment and monitor their activities. If they attempt to send out data, attempt to spread to other systems or replace critical executables, they are likely malicious.

The question then becomes: how do you collect the files to run in these sandboxed environments? The Imperva study suggests that the more widely a virus is distributed, the more likely the Anti-Virus vendors are to detect it, which is a logical conclusion.

The Anti-Virus vendors do have honey pots out on the Internet, but the boring reality is that most get their virus samples from emails. Attached files are an obvious risk, especially if they are executable files; less obvious are file links embedded within the emails. These URLs are automatically visited by the Anti-Virus vendor, which then monitors to see if anything bad happens, such as a browser exploit or file download. If so, they create a signature.

Popular download sites are also visited and applications run in the sandbox. The repackaging of popular applications, such as the Chrome Installer or 7zip, to hide a new Trojan or virus is commonplace. Therefore the more widely your malware is distributed, the more likely it will be detected. This is especially true if the malware is distributed via email.
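The pipeline described above (collect a sample, observe it in a sandbox, publish a hash signature, match on the endpoint), as an added example that is not from the original post or any vendor's product. The `Vendor` class, the behaviour labels, the choice of SHA-256 and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib

# Behaviours the post names as signs of malice during a sandbox run.
MALICIOUS_BEHAVIOURS = {"sends_data_out", "spreads_to_other_systems",
                        "replaces_critical_executables"}


def file_hash(content: bytes) -> str:
    """Signature in the post's sense: a unique hash of the file's bytes."""
    return hashlib.sha256(content).hexdigest()


class Vendor:
    """Hypothetical vendor back end: sandbox a sample, publish a signature."""

    def __init__(self):
        self.signatures = set()

    def process_sample(self, content: bytes, observed: set) -> bool:
        # `observed` stands in for the sandbox report; a real sandbox would
        # execute the file and record what it does.
        malicious = bool(observed & MALICIOUS_BEHAVIOURS)
        if malicious:
            self.signatures.add(file_hash(content))
        return malicious


def scan(content: bytes, signatures: set) -> bool:
    """Endpoint check: detected only if this exact file has a signature."""
    return file_hash(content) in signatures


def demo() -> dict:
    # Constructed stand-ins for file contents; no real malware involved.
    samples = {
        "mass_mailed": b"constructed sample A: widely emailed attachment",
        "targeted": b"constructed sample B: sent to one organisation only",
        "benign": b"constructed sample C: ordinary installer",
    }
    vendor = Vendor()
    # Only the widely distributed file and the installer reach the vendor.
    vendor.process_sample(samples["mass_mailed"], {"sends_data_out"})
    vendor.process_sample(samples["benign"], set())
    return {name: scan(data, vendor.signatures)
            for name, data in samples.items()}
```

Calling `demo()` shows the asymmetry the post describes: the sample the vendor collected is matched, while the one it never saw has no signature to match against.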

So what is Imperva on about? They essentially draw the above conclusion: the Anti-Virus vendors are more likely to spot you if your malware is widely distributed. Not that this is news to the Anti-Virus vendors. Eva Chen, CEO of Trend Micro, has been very vocal about the Anti-Virus product limitations, essentially labelling them ineffective against zero-day or targeted attacks.

Does that mean we can uninstall our Anti-Virus solution and still feel safe? The simple answer is no. While Anti-Virus products might not be the most effective tools against a zero-day attack or targeted attack, they are still the best solution for known viruses, which to be fair are still the most common viruses on the internet.

Plus, once they are detectable via a signature, current Anti-Virus products are still the best way to clean them up.

Do you need another solution for zero-day and targeted attacks? Absolutely. There are a number of solutions in the market: Imperva is one, Netwitness is another and Trend Micro have a product called Deep Discovery. These tools essentially monitor the network and look for suspect behaviour, and in the case of Trend go one step further by giving you your own sandboxing capability.

© 2006-2017 Security Magazine.