Anti-virus, as it has been done the past 20 years, is dead.

An organization I have been doing some consulting with has decided that they want to standardize their Anti-Virus product across their 5+ centers.  I wanted to head off the time-consuming, in-depth study of what AV product is currently the best, and so I wrote up the following, and sent it out to them (a little longer than I meant it to be).

The reason is that the primary method of anti-virus detection is signature based.  A virus is released, the AV company captures it, writes a signature for it, and pushes out the signature to their clients.  The problem is that today’s malware (viruses, worms, adware, etc.) is not monolithic code—it is polymorphic, encrypted, and much more.  It changes what files it infects and how it infects a system, and then, once inside, disables anything that could dislodge it (AV programs, etc.).

Do you see the issue?  Since the malware is ever-changing, for the AV companies to detect it, they have to write a new signature for every infected system!

Not only that, but more and more systems are being initially compromised not by the traditional viruses or worms, but by “drive-by downloads” on legitimate websites, or by a vulnerability in Flash or PDF Reader—then the malicious code downloads a Trojan and opens a back door to the system, or rootkits the system.

By this time, I hope you are asking yourself what anti-virus programs are good for, because it is a valid question.

I see them as another layer in our defense-in-depth strategy.  They are still good for detecting and cleaning old viruses, as well as the modern-day unsophisticated viruses (something script kiddies might throw together).  And the AV companies are working on new techniques—better heuristics, etc.
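To make the signature-versus-heuristics point above concrete, here is a small added example (my own illustration, not part of the original memo): a hash signature matches exactly one sample and misses a slightly changed variant, while a behaviour heuristic keyed on what the post describes (disabling protection software, setting up persistence) catches both. The sample bytes, hashes, sandbox traces and rule weights are all constructed for the demo.

```python
"""Added illustration: one hash signature per variant vs. a behaviour heuristic.
Every sample, hash, trace and weight below is constructed, not real malware data."""
import hashlib
from typing import Dict, List, Optional

# Constructed "known malware" body and the signature a vendor would ship for it
KNOWN_SAMPLE = b"MZ\x90\x00 dropper v1 payload"
SIGNATURE_DB: Dict[str, str] = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Dropper.A"}

# Constructed polymorphic variant: same behaviour, a few bytes different
VARIANT_SAMPLE = b"MZ\x90\x00 dropper v1 payload\x00\x17"

# Constructed sandbox traces: what each sample did when it ran
TRACES: Dict[str, List[str]] = {
    "known":   ["create_process", "stop_service:AVService", "write_reg:Run\\upd"],
    "variant": ["create_process", "stop_service:AVService", "write_reg:Run\\svc"],
    "benign":  ["create_process", "read_file:report.docx"],
}

# Heuristic rules: prefix of an event -> weight (values chosen for the demo)
HEURISTIC_RULES: Dict[str, int] = {
    "stop_service:AVService": 60,   # tampering with protection software
    "write_reg:Run\\": 40,          # autorun persistence
}
ALERT_THRESHOLD = 80

def signature_scan(data: bytes) -> Optional[str]:
    """Classic detection: exact hash match against the signature database."""
    return SIGNATURE_DB.get(hashlib.sha256(data).hexdigest())

def heuristic_score(events: List[str]) -> int:
    """Sum the weights of suspicious behaviours present in a trace."""
    return sum(w for e in events for pat, w in HEURISTIC_RULES.items()
               if e.startswith(pat))

def verdict(name: str, data: bytes, events: List[str]) -> dict:
    """Combine both layers: detected if either the signature or the score fires."""
    sig = signature_scan(data)
    score = heuristic_score(events)
    return {"sample": name, "signature": sig, "score": score,
            "detected": sig is not None or score >= ALERT_THRESHOLD}

if __name__ == "__main__":
    for name, data in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                       ("benign", b"plain document")]:
        print(verdict(name, data, TRACES[name]))
```

The variant gets no signature hit at all (it would need its own entry in the database), yet scores the same as the original on behaviour; the benign trace scores zero.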

But when it comes down to it, it is going to be layers of defense that help to protect us: taking away admin rights, anti-malware programs, host-based firewalls, etc.

So with all this in mind, my recommendation is that we do a little bit of research and looking around, but that we don’t spend a lot of time and energy on comparing the top 5 AV companies—because they all struggle with the same issues; some just have better signatures and response times than others.
