Anti-Virus Is Dead (But Still Makes Money) Says Symantec

judgecorp (778838) writes "Symantec says anti-virus is dead but the company — the world's largest IT security firm — still makes 40 percent of its revenue there. AV now lets through around 55 percent of attacks, the company's senior vice president of information security told the Wall Street Journal. Meanwhile, other security firms including FireEye, RedSocks and Imperva are casting doubt on AV, suggesting a focus on data loss prevention might be better."

No explanation for why though?

"AV now lets through around 55 percent of attacks" What happened? What's the big game changer from the 95% detections of just a few years ago?

Re:No explanation for why though?

Because marketing is more effective than a quality product.

Re:No explanation for why though?

[Xicor]

they dont update the virus signatures anymore, because ppl who use symantec antivirus dont have any clue wtf they are doing. it is kindof like going to a steak restaurant and ordering your steak well done. the restaurant has lower quality meat for those people because it is cheaper and they cant tell the difference.

Re:No explanation for why though?

[manu144x]

One answer could be because now threats are mostly targeted at the biggest weakness: humans. Phishing, scams, and all that are much more profitable and incredibly hard to detect programmatically. Legit websites are hacked daily and injected phishing sites and then removed fast.

They all rely pretty much on human stupidity and ignorance, and that is very hard to stop...

Re:No explanation for why though?

[Anubis+IV]

Bingo. Back when automated worms were the biggest threat we faced, programmatic tools were very effective. Likewise when viruses needed to be passed manually from user to user via infected files, AV could do a lot to stop it. Meanwhile, trojans weren't too effective, since software was still being distributed via physical media, so people were distrustful of downloadable executables. Nowadays though? Users are enticed to install trojans on their computers, which is now a perfectly normal thing to do, since that's the simplest vector most of the time, unaware that what they are doing is harmful.

As the saying goes, you can't fix stupid.

Even so, I rather like OS X's current way of combatting trojans, which gives the user three options in the System Preferences: allow anything to run, only run stuff from registered developers, and only run stuff from the Mac App Store. Doing so leaves the control in the user's hands, but allows them to choose the level of protection against executables coming from illegitimate sources that they want. The middle option in particular is a nice one (and used to be the default, though the Mac App Store one may be the default now...not sure), since it's rare that I encounter a legitimate Mac developer who isn't registered, meaning that the warnings about software from unregistered sources are exceedingly rare. Warnings that are rare are exactly the sort of thing we want, since it makes them stand out more and means that users are less likely to become blind to them.

Quick aside: I'm not suggesting anything about the relative worths of the various platforms, nor am I suggesting this feature is unique to OS X (e.g. I know Microsoft has dabbled with registered developer security features in the past). I'm merely citing a feature I think manages to nail a nice middle-ground between providing warnings without rendering users blind to them, while still leaving folks like us with the ability to install whatever the hell we want.

Re:No explanation for why though?

[mlts]

One of the biggest infection vector these days are holes in Web browsers or add-ons. I don't see worms and viruses a common threat these days. It is mainly something from a website or even worse, an ad server. By using adblock, noScript (or the "click to play" functionality in Chrome), and SpywareBlaster's black list, this has kept my machines clean where the AV program is mainly for scanning a download (and even then, for small downloads, VirusTotal does the job better.)

IMHO, an AV maker should take a page from that book and start blocking URLs and bad sites. Some ad company allowing malware to get posted through their server? Block it by IP and/or URL.

So far, this has done a good enough job for protection. I mainly browse the Web in a VM, and when I take the VM offline and scan the disks with a decent AV program, the scans turn out clean.

This doesn't mean AV is useless. Not using it is similar to leaving the key in the ignition when running into a gas station. However, it would be nice if AV programs could build in functionality similar to AdBlock and block not just by IP, but by URL.

Re:No explanation for why though?

[CastrTroy]

This is similar to the reason that I think the iPad is what most users really want/need. Techies complain about the walled garden, and how that limits what they can do with the hardware. But that's exactly what end users want. They want to be able to install and use software without thinking about all the bad consequences that could come of it.

Imagine going to a store and buying a toaster. Some toasters would be cheap, but would sometimes catch on fire and burn your house down. Some toasters would be cheap but listen in and record all the conversations going on in your kitchen. Some toasters would be more expensive and actually just toast the bread, without any ill effects. Sure it's the customer's choice which one they buy, and you can tell them to read reviews and be careful, but that's really not a good situation to put the customer in. The customer should have reasonable expectations that the product is safe and isn't trying to be malicious. But when installing software, it's very hard to verify that an unknown program is actually safe or not.

Re:No explanation for why though?

[Xicor]

yes, but when you can cut costs and not have any issues, a lot of places will do it. theres no point in spending 20$ on a prime steak if the person eating it cant tell the difference between a shoe and a steak.

Re:No explanation for why though?

[AthanasiusKircher]

yes, but when you can cut costs and not have any issues, a lot of places will do it.

I'd like to see reliable evidence of this. I've heard this crap ever since Anthony Bourdain included it in some rant in one of his books about people who liked meat cooked more than medium-rare. Perhaps he was known to serve crappy food to those people, but I'd be really interested to know how widespread the practice is.

Because if you search around on some cooking forums, you'll see other actual chefs chime in and say they do NOT do this. Actual chefs will tell you that they tend to have thinner cuts available for people who like well-done, so as not to delay the entire order while cooking one steak longer. (If they don't have this, they'll generally offer to butterfly the cut.) But actually serving people crappier meat? Not so much that I've heard, outside of Tony's confessions of being a jerk.

theres no point in spending 20$ on a prime steak if the person eating it cant tell the difference between a shoe and a steak.

"Prime" ratings refer to marbling, not necessarily quality of taste. So, if you pay more for "prime," you're paying for more fat. That fat won't disappear completely if the steak is cooked well done: in fact, more of it will often soften, because temperatures about 130 F (temp for medium-rare) allow faster break-down of a lot of fat. Case in point: taste a low-quality fatty cut cooked fast on a hot grill (often lots of gristle) vs. similar meat from the same part of the cow cooked to a much higher temperature longer as a pot roast... all that fat will be melt-in-your-mouth tender. A well-done steak, done properly, can be somewhere in between.

For the record, I generally order my steaks medium rare, and I agree that that maximizes certain aspects (particularly juiciness and tenderness).

But for those who like well-done, they often get extra browning flavors from the Maillard reaction and caramelization, and the extra fat break-down can do good things for the fat (though making the muscle tougher). If the steak is heated slowly before grilling or finished in the oven at a very low temperature, it can also be quite juicy (contrary to popular belief). Cooking a steak well-done that tastes good is also an art, and probably even more finicky that cooking one medium-rare.

Anyhow, sorry, but if you are actually able to tell a prime-grade steak at medium-rare, you should also be able to tell one at well-done. If you can't, you probably don't know as much about steaks as you think you do. Different people like different things, but that doesn't excuse insulting them or serving them crappier food.

Most AV is malware

[EmperorOfCanada]

Of all the problems that my relatives have called upon me to fix on their machines AV might be the number one complaint. They buy a machine from some big box store (against my recommendation) and the AV becomes more and more threatening as to the dire situation their machine is in and how only a subscription to their product will solve the problem.

Then to make it worse the AV infests the machine like a spreading cancer. The browsers work funny, the startup is longer, the thing periodically pigs out on the internet. But it might be the popups that are the worst. We have all see the public jumbotron/Kiosk with a big AV popup front and center.

Personally I blame AV bloatware for being one of the downfalls of the PC industry. People were buying their shiny new machines hoping that all their problems would go away and poof their new machine is effectively just as crappy as their old machine with these incomprehensible popups and threats.

My only happiness in this situation is that the AV products haven't managed to get much traction in the mobile device industry.

The key thing to keep in mind is that when you buy a basic PC from a manufacturer that they don't make much if any profit from the machine. It is the kickbacks they get from the crap AV, crap game, and crap music services that come as trialware. So if the AV industry has a business model based upon fooling people, kickbacks, and annoying people; then they can't die too soon.

The horrible thing is that some products like NOD32 were awesome and didn't play those MBA games.

Re:Makes sense

[Charliemopps]

I noticed my idiot bother-in-laws computer was sitting on a wide open wifi connection, no password, no encryption. Then I looked and the computer had no antivirus, UAC, the Firewall, everything was disabled. I pointed all this out to him and he said "I don't get viruses anymore." So I ran a standard on-line anti-virus product and he had hundreds of infections. I doubt he's done anything with it at all.

The authors of viruses make a profit off your infection by either displaying ads to you, or using your computer to host data or attacks. If they make what they are doing too obvious, you're going to do something about it. So it's in their best interest to make sure you don't notice it. Why fix something that's not bothering you? My brother-in-law has no idea the risks he's taking and likely thinks I'm dumb for bothering him with it. I suspect the majority of the people feel the same way.

AV dead? Symantec's certainly is

[argStyopa]

I wouldn't use a Symantec product if it was an extinguisher and I was on fire.

Nobody even vaguely familiar with PC support over the last 20 years can possibly fail to be acquainted with what was (is?) the most complicated, agonizing, and laborious process that was removing a Symantec/Norton antivirus "product" from a computer.
Seriously, with a newer machine, just re-installing the OS was far quicker, easier, and less likely to leave you with later issues.

As an AV product, it was not terribly successful in most neutral tests I saw.

If you didn't uninstall it, it was a resource hog, bringing even powerful machines to their proverbial knees when scanning. If you were foolish enough to install the 'suite' of security applications, it would involve literally dozens of services installed obscurely across your system. Removing it was very much like (or worse than) trying to get rid of some of the most tenacious malware I've ever encountered.

Truly, the 'cure' in this case was nearly worse than the disease. They *owned* the PC security market in the early days...why do you think its competitors have been so widely successful?

Re:Does the nature of the business hold it back

[Arker]

The problem is deeper than that. It goes back decades to the very idea of a scanner vs other methods of security. Scanners are good 'solutions' if you dont really want to solve the problem but rather want to profit from it. They are reactive, they require constant updates (which justifies continuing payments) and will absolutely never do more than partially ameliorate the problem. Scanners only find old threats and it's a very old game to just switch bytes around until the scanner says you are clean.

A system actually designed for security would instead focus on behavior and abilities, and look more like SELinux than a traditional virus scanner. It wouldnt care if a program was exceeding its authority because it's a virus or because it's damaged or just because it's poorly programmed - it would prevent it from doing damage regardless.

This is far from impossible, but as an industry we turned away from that road several decades ago, because it's slower, more expensive, and harder to develop for. First to market seems to trump well designed every time. :(

Maybe that their AV sucks?

[Sycraft-fu]

Good anti-virus still has high detection rates. AV Comparitives puts most virus scanners above 90% detection in their March real world protection test. The better ones are in the 98%+ range. http://www.av-comparatives.org...

Of course Symantec isn't on that list... perhaps there's a reason :).

Re:Does the nature of the business hold it back

[westlake]

Your typewriter needs a new ribbon.