Signature-based antivirus products have long been criticized for failing to provide adequate protection, and a new study undertaken by Imperva has found that sluggish update mechanisms for the signature databases of some products may significantly decrease their effectiveness.
The study was conducted with Tel Aviv University. The database and application security firm tested more than 40 antivirus products and found that 75% of them took a month or longer to update their signatures. During that delay, the software lacks signatures for new threats that could spread quickly, Imperva said.
"We discovered that there exists today a market for antivirus products which provide insufficient protection, in light of the fact that the rate of detection of these products among the files which were identified by most antivirus products as infected files was very low," Imperva noted in its report. "Additionally, the rate of update for their signature databases is very slow, and even viruses that are already known to most antivirus products are still not identified by these insufficient products."
When the products were tested against 80 unreported viruses found in the wild, not surprisingly, none of them detected any of the threats. The set of antivirus products that provided the best protection included two freeware products, Avast and Emsisoft. The firm said Symantec and McAfee put up a good fight against viruses; the two ranked highly in a variety of tests and were followed by ESET, Avast, Kaspersky and Trend Micro.
Most antivirus products make an attempt to update their databases very quickly with viruses that are propagating across the Internet, according to the study. "Among the leading antivirus products in the marketplace, the rate of improving the detection on files that weren’t previously identified is approximately 3 weeks," Imperva said.
Imperva recommends a common security industry best practice: layered defenses, or a defense-in-depth approach, in which antivirus at the endpoint is one layer among several.
Despite poor detection rates outlined in a variety of studies, it is unlikely that enterprises will eliminate antivirus altogether, said Chenxi Wang, vice president and principal analyst at Cambridge, Mass.-based Forrester Research Inc. Nor should they, Wang said. There are a variety of different security technologies that provide attack detection capabilities or mitigate risks, but there is still no panacea and no one ever wants to be the one who made the decision to completely forgo antivirus, Wang said.
"It is not necessarily as effective as it needs to be but when combined with other security measures it does serve as an important part of that defense-in-depth strategy," Wang said. "There isn't a single technology out there that completely replaces it or obliterates any need for antivirus."
In addition, enterprises often combine the purchase of endpoint antivirus with endpoint management products, which provide a different set of capabilities, such as patch and software rollout. Antivirus alternatives are also available. Meanwhile, antivirus vendors have been adding capabilities such as cloud-based antivirus to improve detection: signatures are stored in the cloud and updated in near real time, which reduces the size of the local database or eliminates the need to store signatures on the endpoint altogether.
Large antivirus vendors also offer some form of application control or whitelisting capabilities that can greatly reduce the attack surface, Wang said. "It's a house cleaning technology versus a threat defense technology," Wang said of whitelisting, adding that organizations that have applied smart policies have had success eliminating highly targeted applications from the environment without impacting employee productivity and satisfaction levels.