Symantec, the largest seller of endpoint-security software--commonly referred to as antivirus software—grabbed the media spotlight May 5, when an executive told The Wall Street Journal that antivirus "is dead."
Yet the statement is not a repudiation of the technology, as many media outlets have reported, but an acknowledgment that antivirus software is not sufficient for security, a Symantec representative told eWEEK. Modern anti-malware software is no longer just "antivirus" but software that relies on a several defensive layers, including behavioral and intrusion-detection measures, to protect the endpoint, said Piero DePaoli, senior director of product marketing at Symantec.
"Antivirus is great for known threats, but you really need those proactive technologies," he told eWEEK. "You need both proactive and reactive together."
Symantec's take on the fate of antivirus is not new. Many security professionals have criticized the perceived ineffectiveness of antivirus. The performance of basic antivirus scanners, as measured by the number of scanners that detect a particular malware variant in VirusTotal, is frequently poor, especially for targeted attacks. Yet much of the criticism of antivirus technology does not take into account its evolution into a multi-layered defense of the endpoint and, perhaps, unfairly lays the blame for a breach solely at the last layer of defense.
Moreover, software that detects and blocks malicious code based on signatures has become a commodity and is no longer profitable, said DePaoli. Many free options exist for consumers or companies that need to comply with industry regulations, such as the Payment Card Industry's Data Security Standard. Symantec, McAfee and other security firms often differentiated their endpoint-security products from barebones antivirus, but have still been criticized for the attacks that continue to get by their products.
"The era of stand-alone antivirus is behind us," DePaoli said.
Antivirus as a component of endpoint security, however, continues to have a role in the enterprise and in protecting consumers. Blacklisting executables based on signatures may not work against targeted attacks, but it remains an effective baseline security measure against run-of-the-mill mass malware. In its 2012 H2 Security Intelligence Report, for example, Microsoft showed that systems with no antivirus, or outdated antivirus capabilities, are 5.5 times more likely to have infections than patched operating systems with updated security software.
Unsurprisingly then, Symantec argues that antivirus is only a component of an overall strategy and announced two new services on May 5 that look to fill the gaps in its security offerings: a managed security service aimed at protecting companies against advanced threats and a security intelligence service that delivers more in-depth information to companies on particular threats.
Symantec is playing catch-up in this area, but the new services have channeled much of the industry's focus on correlating disparate data to create better intelligence. The goal is to use data from different devices to reduce billions of potentially hostile network probes to hundreds of thousands of likely attacks, and reduce that to hundreds or thousands of actionable incidents, DePaoli said.
"The ability to get those other layers and getting better correlation of data from the endpoint to the network—that's exactly what we are intending," he said. "We want to give companies the ability to figure out what is real and what is not."