
Enterprise antivirus protection: Is signature AV worth the money?

There's little doubt that signature-based enterprise antivirus protection is dying, but what technologies should enterprises consider to replace it? Expert Nick Lewis weighs in.

Enterprises have long relied on signature-based antivirus technology to protect them from information security threats. In many cases, antivirus has been and is the only antimalware protection companies have in place, which unintentionally puts organizations at risk.

The expectation that antivirus software will protect a system from all threats is no longer reasonable (if it ever was). As the sheer number of never-before-seen types of viruses, worms and other malware grows, traditional signature-based antivirus is unable to keep up and is being bypassed more often, resulting in increased infections. Some antivirus software itself has even been under direct attack or has caused significant problems for users.

The evolution of viruses and malware has resulted in vendors adding new protections to core antivirus software for antimalware functionality, such as cloud-supplemented checks, and enterprises are attempting to find ways to thwart the vastly increased number of random viruses in the wild, along with targeted attacks. In this tip, we'll discuss whether it is still worth spending the money on antivirus software suites, or if enterprises should focus on other threat mitigation technologies.

Who cares about antivirus?

First off, for those who aren't aware, the performance of signature-based antivirus software is increasingly lackluster. Consulting firm Cyveillance Inc. reported last year that its tests of more than a dozen popular antimalware suites found that on average they were able to detect less than 20% of new malware attacks. This, along with the rise of botnets, attacks on sensitive data, and attacks on online banking, means every enterprise should re-evaluate whether antivirus is still worth the cost and effort to manage.


In general, including antivirus software as a part of a comprehensive strategy to protect systems is a good idea, though not necessarily traditional signature-based products. More advanced antivirus software, such as behavioral-based detections and cloud-based or cloud-augmented antivirus, can offer greater security. Enterprises should carefully evaluate and test any advanced antivirus software to ensure it integrates into their strategy and is mature enough for their systems, as it is much less mature than standard antivirus offerings.

Some believe antivirus is only necessary on desktop systems, but many servers require antivirus to provide consistent protection for client systems -- such as file servers that might allow unprotected clients to access potentially infected files stored on the server -- along with providing some protections for the server itself. In the past, enterprises have spent heavily on antivirus software, but, in the future, they should look to spend some of that money on other areas of protection, while still maintaining some level of antivirus software usage. The bottom line is, though, if your antivirus software hasn't been protecting servers and endpoints from malware, consider different software or protection methods.

What else could an enterprise do?

Most enterprises will find they should adopt a more comprehensive approach to supplement their usage of antivirus software to enhance the effectiveness of the protections and achieve a layered, defense-in-depth security model, which is particularly helpful, considering the ever-more threadbare state of signature AV.

When it comes to enterprise antivirus protection, it's important to consider technologies such as whitelisting, graylisting and sandboxing alongside the well-known general host security controls: the comprehensive patching, firewalls and IDS/IPSes that enterprises should already have in place. Whitelisting means proactively defining which executables are allowed to run on a system and prohibiting all others, which could prevent many types of malware from executing. Graylisting is similar to whitelisting but, as the name suggests, is less stringent: non-approved executables are checked for malware via a signature or behavioral check, which could include real-time checking against a cloud service with updated detections, and if an executable is not determined to be malware, it is allowed to run. Sandboxing allows an executable to run in an environment isolated from the host system, which could prevent it from infecting the host if it were malicious. Any or all of these technologies could be used to provide additional system security.
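As an added illustration (not code from the article), the whitelist-versus-graylist decision logic described above in Python: an executable is identified by the SHA-256 of its bytes, a whitelist policy allows only approved hashes, and a graylist policy lets unknown executables run only if a scan does not flag them. The "executables" and `toy_scanner` are constructed stand-ins; `scanner` represents whatever signature, behavioral or cloud check an enterprise would actually plug in.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict, Tuple


class Mode(Enum):
    WHITELIST = "whitelist"  # run only what is explicitly approved
    GRAYLIST = "graylist"    # unknown executables run unless a scan flags them


class ExecutionPolicy:
    """Allow/deny decision for an executable keyed by the SHA-256 of its contents.
    `scanner` returns True when it judges the sample malicious (hypothetical hook)."""

    def __init__(self, mode: Mode, approved: Dict[str, str],
                 scanner: Callable[[bytes], bool]):
        self.mode = mode
        self.approved = approved  # sha256 hex -> human-readable name
        self.scanner = scanner

    @staticmethod
    def fingerprint(contents: bytes) -> str:
        return hashlib.sha256(contents).hexdigest()

    def decide(self, contents: bytes) -> Tuple[str, str]:
        h = self.fingerprint(contents)
        if h in self.approved:                      # both modes: approved runs
            return "allow", f"approved: {self.approved[h]}"
        if self.mode is Mode.WHITELIST:             # whitelist: unknown never runs
            return "deny", "not on whitelist"
        if self.scanner(contents):                  # graylist: unknown is scanned
            return "deny", "graylist scan flagged as malware"
        return "allow", "graylist scan clean; not approved"


# Constructed sample "executables" (byte strings, not real binaries).
APPROVED_BIN = b"MZ...approved-line-of-business-app"
UNKNOWN_CLEAN = b"MZ...unknown-but-harmless-tool"
UNKNOWN_BAD = b"MZ...carries CONSTRUCTED-MALWARE-MARKER"


def toy_scanner(contents: bytes) -> bool:
    # Hypothetical stand-in for a real signature/behavioral/cloud check.
    return b"CONSTRUCTED-MALWARE-MARKER" in contents


APPROVED = {ExecutionPolicy.fingerprint(APPROVED_BIN): "LOB app 1.2"}


def run_demo() -> Dict[str, list]:
    """Return the allow/deny verdict for each sample under each policy mode."""
    results = {}
    for mode in Mode:
        policy = ExecutionPolicy(mode, APPROVED, toy_scanner)
        results[mode.value] = [policy.decide(b)[0]
                               for b in (APPROVED_BIN, UNKNOWN_CLEAN, UNKNOWN_BAD)]
    return results
```

Note that the whitelist mode denies the harmless unknown tool as well as the malicious one; that stricter outcome is the operational cost the article's "less stringent" graylist trades away.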

Other technologies that could be explored to protect systems in various scenarios are full disk encryption and virtualization (which, when used in this way, is similar to sandboxing). Full disk encryption will protect your data if a system is stolen while turned off, and virtualization can reduce system risk by running untrusted code or applications in a separate virtual machine rather than on the primary system, greatly reducing the likelihood that an exploit could affect the underlying OS. Some organizations with high security requirements may also want port control -- which allows them to control what kinds of devices can be connected to their systems -- or DLP products that control where data can be copied.


The recommendation to evaluate what is necessary applies to all systems, regardless of the OS or hardware, and should also include smartphones and other non-traditional endpoints; but remember: not all systems will require all protections, and the protections should focus on each specific system's needs. For example, systems may not require full disk encryption if they do not access sensitive data, or a server may not even need antimalware software if it doesn't allow clients to connect to it using protocols such as DNS that could transmit malware. These recommendations also assume the operating system has been secured, users are not logging in as administrators, and users have some minimal security awareness.

Declaring signature-based antivirus dead is unwarranted, but it is on life support, and must change to adapt to the new wave of targeted custom attacks. What is currently thought of as antivirus will eventually go the way of all other obsolete software and be replaced by software that meets the current needs. If an enterprise hasn't carefully re-evaluated its stance on antivirus software recently, this may be a good time to determine what your future needs will be, and invest in the software and protection methods most likely to meet these needs.

About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwest university, responsible for the risk management program, and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and in Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.

This was last published in February 2011
