Thoughts on the future of Anti-Virus

One of the reasons I haven't been updating this blog much is that I have been doing less technical work of interest and have spent more of my time thinking about building defenses. One of the issues that pop up when evaluating defensive technologies is where Anti-Virus products fit in.

Not to piss off my friends in the AV industry but, until recently, I have been extremely sceptical about the value of AV products.

Lately I have stepped down from my fundamentalist stance and must admit that blacklist AV technology has a place in the market, but certainly not as big a place as it occupies today.

I would still never recommend AV as your only means of defense against malware, as enumerating badness will always fail, but it does provide a nice benefit that I like to call the "hygiene factor". It is like washing your hands: it doesn't protect you from disease, but it does get rid of some of the crap so that your immune system doesn't have to deal with it.

The recent announcement from Microsoft that they will include technology from their Security Essentials product in the upcoming Windows 8 release has caused some debate.

One thing that most people conclude is that this move will bring down prices in what is already a commodities market and I hope they are right. Not because I hate Anti-Virus companies and want them to fail, but because the data security market today is grossly inefficient. Let me explain why.

AV is not about technology, it is about intelligence. The best AV-engine can be useless if it isn't fed with good, up-to-date intelligence about threats. Conversely, the worst AV-engine can still be effective if it has access to good intelligence. What you buy isn't the AV software you install, it's access to the AV companies' analysts. What AV companies compete on isn't technology, it's who has better and more up-to-date intelligence on current threats.

Imagine then the amount of analyst manpower, not to mention computing power, that the world's 40+ AV companies spend keeping up with current threats and it is easy to see what I mean by inefficiency. Today the increasing commoditisation of blacklist AV technology has driven the larger players to integrate other products into their product offering because licensing fees for traditional blacklist AV products are dropping. What this means for users is that the cost of hygiene is approaching zero. Just like with cheap soap in the "washing your hands" analogy, it would then be silly not to use it.

If the market is driven towards a few large vendors servicing all our AV needs at a lower cost, then smaller players will be forced to innovate and find other uses for all that analyst manpower. One example that I have advocated for a long time is to provide intelligence about "goodware", effectively turning the AV business model on its head and providing updated lists of known good software that is continuously AV-scanned and vulnerability tested by their analyst staff. That is only one idea; I imagine there are countless others.

I could write pages on this topic but choose to limit myself to conveying these three ideas, in summary: