Despite my warnings, a friend of mine doesn’t use any antivirus program on his home computer. He’s in good company: only 58% of Americans have a security software suite installed. And yet over 58% of U.S. computers are infected with some type of malware. What’s wrong with antivirus software, and what needs to be done to fix it?
Inaccurate marketing
Antivirus software is often pitched as a panacea, supposedly allowing the user to engage in all sorts of unsafe computing practices as long as they use the vendor’s product. Many vendors claim to prevent 85-100 percent of potential threats. However, Greg Shipley’s article “The Wrong Protection” (InformationWeek, October 11) points out that current antivirus software only provides 20-30 percent protection, a far cry from most vendors’ numbers. As a result, the end user’s experience is rarely what the vendor promises, and product dissatisfaction follows.
Obsolete detection methods
Early antivirus software scanned executables against a database of checksums (hashes) of known malware. This approach required a known infection first, and a checksum computed from it, before anyone could protect against that sample. At the time this worked reasonably well, as malware authors were blasting the same exploit code out to as many computers as possible to maximize the infection rate. This led to the development of a checksum database, which could be distributed to the individual desktop engines on a regular basis.
However, as the malware writers realized they could make money with their wares, they began writing customized software for specific purposes, using multiple vulnerabilities to quietly infect systems without the user being any the wiser. This resulted in thousands, then tens of thousands, and now hundreds of thousands of new malware variants a year, making the traditional checksum approach obsolete against all but the most primitive attacks.
Thus, most current antivirus engines complement the reactive approach with proactive systems — heuristics that examine the behavior of unknown code and compare it to that of known malware. Unfortunately, heuristic engines tend to have a higher false-positive rate, which can lead to the end user ignoring the warnings or, worse yet, disabling the software.
The rise of custom malware
The Zeus and SpyEye trojans have opened up malware to an entirely new type of fraudster. Their authors sell the malware to others, who then use automated tools to “pack” the payload into new binaries, often customized for a specific victim computer. Not only does this bypass traditional reactive antivirus checksums, it also makes it harder for the antivirus companies to write software to defeat it, as a custom payload won’t run on any computer other than the one that originally downloaded it.
Out of date software
Much commercial antivirus software is licensed yearly. After the license expires, the software can no longer download updates: it may still protect against older threats, but it cannot detect newer malware variants. The licensing reminders are often viewed as little more than nagware, and since they only show up when the computer boots, the user rarely notices, much less reads, them.
It’s not just the antivirus software that’s out of date. Many Windows computers are missing patches freely available from Microsoft’s website, and over half of Firefox users were running unsafe older versions of Adobe’s Flash Player, to say nothing of Adobe Acrobat Reader or Shockwave installations. Older versions of Oracle’s Java are still in widespread use, and malware authors are actively exploiting them.
Unsafe browsing practices
Most users still view security as an impediment — something to be worked around. A majority of people will still click on links in Facebook or emails, with anywhere between 23 and 88% of people dismissing any error messages or security notices. In addition, 73% of computer users still use the same password to access multiple accounts, allowing fraudsters to leverage one break-in to access multiple other systems. Thus, no matter what we do to improve the software, the end user is still the easiest security component to defeat.
Alternative approaches
Despite all the doom and gloom, I still stand by my earlier basic desktop security advice as a good place to start. However, it may be time to retire the special-purpose antivirus software. A number of alternatives show promise.
Application whitelists
Rather than spending so much processing power on figuring out which software is bad, why not only allow known-good software to run? This approach is known as application whitelisting, and it is gaining traction in antivirus software as well as in newer operating systems. Various systems use code signatures, with the signature indicating whether the program comes from a recognized publisher. Symantec and others are working on a variation of this, granting files a “reputation” based on the number of other computers that have seen the same file.
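The contrast between the reactive checksum blocklist described above and a hash-based whitelist is easiest to see in code. The following is an added example, not code from the original post or from any antivirus vendor; the “binaries” are constructed byte strings standing in for executables, and `repack()` is a stand-in for a packer that merely changes the bytes (and therefore the hash) without changing what the payload does:

```python
"""Hash blocklist vs. hash allowlist against a trivially repacked sample.

Added example, not from the original post. The "binaries" below are
constructed byte strings, not real executables or real malware.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables.
KNOWN_MALWARE = b"MZ\x90\x00" + b"stealer-payload-v1" + b"\x00" * 16
TRUSTED_APP = b"MZ\x90\x00" + b"vendor-text-editor-3.2" + b"\x00" * 16

# Reactive blocklist: hashes of samples the vendor has already seen.
BLOCKLIST = {sha256(KNOWN_MALWARE)}

# Allowlist: hashes of software the administrator has approved.
ALLOWLIST = {sha256(TRUSTED_APP)}


def repack(sample: bytes, seed: int) -> bytes:
    """Simulate a packer: same payload, wrapped with a per-victim stub.
    Any change to the bytes changes the hash, which is all that is
    needed to slip past a hash blocklist."""
    stub = b"STUB" + seed.to_bytes(4, "big")
    return stub + sample


def blocklist_verdict(binary: bytes) -> str:
    """Reactive model: run unless the hash is known bad."""
    return "blocked" if sha256(binary) in BLOCKLIST else "allowed"


def allowlist_verdict(binary: bytes) -> str:
    """Whitelist model: block unless the hash is known good."""
    return "allowed" if sha256(binary) in ALLOWLIST else "blocked"


def evaluate(samples):
    """Return {name: (blocklist verdict, allowlist verdict)}."""
    return {name: (blocklist_verdict(b), allowlist_verdict(b))
            for name, b in samples.items()}


def demo():
    samples = {
        "known_malware": KNOWN_MALWARE,
        "repacked_malware": repack(KNOWN_MALWARE, seed=1),
        "trusted_app": TRUSTED_APP,
        # Legitimate software nobody has approved yet.
        "unknown_new_app": b"MZ\x90\x00" + b"just-released-utility-1.0",
    }
    return evaluate(samples)


if __name__ == "__main__":
    for name, (block, allow) in demo().items():
        print(f"{name:18s} blocklist={block:8s} allowlist={allow}")
```

The repacked sample sails past the blocklist but is still denied by the allowlist, which is the whole argument for whitelisting. The last row shows its operational cost: a freshly released legitimate utility is also denied until someone approves it, which is exactly the gap that signature- and reputation-based variants try to close.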
Privilege separation
A user’s normal account doesn’t need to modify the operating system, and the web browser needs to even less. Microsoft’s User Account Control is a step in the right direction, although it still depends on the user making a judgment call.
Automated software updates
Both Microsoft and Apple ship automatic updates as part of their current operating systems. However, there is no standard method to update third-party applications and web plugins. Apple and Adobe each have their own (incompatible) update mechanisms for their products, as does Oracle, and there is no one control panel to manage them all. An application update API would seem a logical solution.
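Until such an API exists, the practical stopgap for the out-of-date Flash, Reader and Java installations mentioned earlier is an inventory check against a minimum-safe-version table. The example below is added here and is not from the original post; the product names, installed versions and minimum safe versions are constructed for illustration, not taken from any real advisory feed. Its one non-obvious point is that version strings must be compared numerically, component by component: a plain string comparison silently passes `10.3.183.7` as newer than `10.3.183.10`.

```python
"""Inventory check for out-of-date third-party software.

Added example, not part of the original post. Version numbers here are
constructed stand-ins, not values from a real advisory.
"""
import re


def parse_version(v: str):
    """Split '10.3.183.7' or '1.6.0_26' into a tuple of ints.
    Tuples compare component by component, so (10,3,183,10) > (10,3,183,7),
    which a plain string comparison gets wrong ('7' > '1')."""
    return tuple(int(x) for x in re.split(r"[._]", v) if x.isdigit())


# Constructed stand-in for an admin-maintained "minimum safe version" table.
MIN_SAFE = {
    "Adobe Flash Player": "10.3.183.10",
    "Adobe Reader": "9.4.6",
    "Oracle Java": "1.6.0_27",
}

# Constructed stand-in for what an inventory agent found on one host.
INSTALLED = {
    "Adobe Flash Player": "10.3.183.7",
    "Adobe Reader": "9.4.6",
    "Oracle Java": "1.6.0_20",
    "Some Other Tool": "2.0",   # not in the table: nothing to compare against
}


def outdated(installed=INSTALLED, min_safe=MIN_SAFE):
    """Names of products installed below their minimum safe version."""
    return sorted(
        name for name, ver in installed.items()
        if name in min_safe and parse_version(ver) < parse_version(min_safe[name])
    )


def naive_outdated(installed=INSTALLED, min_safe=MIN_SAFE):
    """The same check using string comparison, kept only to show the bug."""
    return sorted(
        name for name, ver in installed.items()
        if name in min_safe and ver < min_safe[name]
    )


if __name__ == "__main__":
    print("correct:", outdated())
    print("naive:  ", naive_outdated())
```

The naive version misses the Flash Player install entirely because `"7" > "1"` as characters. Products absent from the table are skipped rather than reported, which is the honest answer: the script can only speak to software it has a baseline for.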
Virtual applications
We can virtualize the web browser and web-based applications, confining any malware to a virtual PC that is reloaded every time the application is restarted. Unfortunately, the early attempts have proven buggy and unpopular. Microsoft Windows has many API calls that transfer data from the virtual browser window to the host operating system, and a bug in any one of them can be used by malware to break out of the sandbox and infect the host. The idea has potential, even if the products to date haven’t proven successful.
Network detection
Rather than focusing on prevention on the desktop, some security professionals recommend watching the network for signs of compromise, identifying the infected host(s), and removing them from the network until they have been cleaned. Unfortunately, this returns us to the reactive approach: we have to know what an infected system looks like (and derive an appropriate signature) before we can recognize and quarantine it. In addition, modern malware can use covert command-and-control channels, receiving encrypted data from normally benign locations such as Google Mail, which makes it even harder to distinguish good traffic from bad.
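One network-side check that does not depend on a content signature, and that still works when the command-and-control endpoint is a benign service like Google Mail, is to look at timing: an infected host checks in on a schedule, while a person reads mail in bursts. The following is an added example, not from the original post or any product. The proxy log lines are constructed, and their column layout (timestamp, client, destination host, bytes) is an assumption rather than any particular proxy’s format.

```python
"""Beacon detection over constructed web proxy log lines.

Added example, not part of the original post. LOG_LINES is made up for
illustration; the column layout is an assumption, not a real proxy format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 hits mail.google.com every ~5 minutes,
# 10.0.0.7 is a person reading mail in bursts. Same destination, different rhythm.
LOG_LINES = """\
2011-10-12T09:00:03 10.0.0.5 mail.google.com 1200
2011-10-12T09:00:41 10.0.0.5 www.example.com 5400
2011-10-12T09:05:04 10.0.0.5 mail.google.com 1180
2011-10-12T09:07:19 10.0.0.5 news.example.net 22000
2011-10-12T09:10:02 10.0.0.5 mail.google.com 1210
2011-10-12T09:15:05 10.0.0.5 mail.google.com 1190
2011-10-12T09:20:03 10.0.0.5 mail.google.com 1205
2011-10-12T09:25:04 10.0.0.5 mail.google.com 1195
2011-10-12T09:01:10 10.0.0.7 mail.google.com 3400
2011-10-12T09:13:52 10.0.0.7 mail.google.com 900
2011-10-12T09:14:05 10.0.0.7 mail.google.com 15000
2011-10-12T09:40:31 10.0.0.7 mail.google.com 2100
2011-10-12T09:41:00 10.0.0.7 mail.google.com 700
2011-10-12T09:58:27 10.0.0.7 mail.google.com 4100
"""


def parse(lines):
    """Yield (timestamp, client, host, bytes) for each log line."""
    for line in lines.splitlines():
        ts, client, host, nbytes = line.split()
        yield datetime.fromisoformat(ts), client, host, int(nbytes)


def find_beacons(lines=LOG_LINES, min_events=5, max_cv=0.2):
    """Return {(client, host): mean gap in seconds} for pairs whose request
    intervals are suspiciously regular.

    cv = stdev / mean of the inter-request gaps. Human browsing is bursty
    (cv near or above 1); a scheduled check-in is metronomic (cv near 0).
    """
    times = defaultdict(list)
    for ts, client, host, _ in parse(lines):
        times[(client, host)].append(ts)

    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue                      # too few points to judge rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue                      # duplicate timestamps, nothing to measure
        if pstdev(gaps) / avg <= max_cv:
            flagged[key] = round(avg)
    return flagged


if __name__ == "__main__":
    for (client, host), gap in find_beacons().items():
        print(f"{client} -> {host}: check-in roughly every {gap}s")
```

Only the 300-second beacon from 10.0.0.5 is flagged; the human on 10.0.0.7 talks to the same host and is not. The obvious caveat is that malware authors know this too and add random jitter to the interval, so in practice `max_cv` is a tunable and the result is a lead for an analyst, not a verdict. It is still a signature of behaviour rather than of bytes, which is what the encrypted-C2 problem above calls for.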
All of the above
Rather than focusing upon a single technology to save us from malware, we need to get into the mindset of “defense in depth” — multiple layers of “good enough” security that together provide us an acceptable solution to our level of risk. The higher the risk, the more levels of protection we need.
However, this could make a large difference to the established antivirus providers. You can’t charge $39.99 for an A/V signature engine, $19.99 for an application whitelist, and then tack on another $9.99 for browser virtualization. Well, technically you could try, but that’s over 10% of the cost of a new computer in antivirus software alone, which is not acceptable in today’s market. Some of these layers will become commodities competing on price and performance, handled by Microsoft and the other operating system vendors. We’ll see how the market changes in the next few years.
Carter, 9:14 am, October 13, 2011
Thanks for the update in regards to malware and the many varieties that come forth on a person’s computer system. I have introduced this to many. Many don’t understand or care to do anything about it, not realizing the importance of the tools.
thanks again for all that you do!
Carter