Every now and then I come across an article or blog posting arguing that Anti-Virus software is near useless and shouldn’t be bothered with because it can only protect you against known threats and not emerging threats. First of all, modern Anti-Virus software, better called Anti-Malware these days, generally does provide some protection against emerging threats. More importantly, the malware that users are most at risk from is the known threats, not the emerging threats. Put this in human terms. Do you skip the vaccines for Polio, Tetanus, Pneumonia, H1N1, etc. because they don’t protect against Ebola? Or a new swine flu virus? No. So you don’t want your computer protected from Conficker (a family of Worms that has been with us since 2008 and remains a major threat) or other known threats because somewhere in Russia, or China, or Peoria a hacker is about to release a piece of malware that won’t be blocked by your anti-malware software’s current signatures or other protections? Really?
The vast majority of threats on the Internet are known threats. Mostly they’ve been known about, and protected against, for years. They lurk on websites, file shares, email archives, and offline copies such as USB keys and DVDs waiting for an unprotected user to activate them. And the vast majority of new threats become “known threats” rather quickly and are thus “contained” by anti-malware software.
Keep in mind that, like communicable human disease, computer malware doesn’t appear everywhere all at once (although there are exceptions, like SQL Slammer, which spread incredibly quickly in the primitive security environment that was in place in 2003). Thousands of machines might be infected by a new piece of Malware before it is discovered and Anti-Malware vendors update their products to block it. But there are 1.3 Billion PCs in the world (plus the 500+ Million very vulnerable Android devices out there). What are the odds that YOUR PC will be infected by a new piece of Malware before your Anti-Malware vendor updates their signatures? You should worry far more about lightning.
Unless of course you don’t have Anti-Malware software with real-time protection on your machine. Then your odds are more like standing in the middle of a golf course with a golf club thrust towards the sky while a thunderstorm passes directly overhead. Not smart for those trying to avoid being hit by lightning. Not any smarter for those trying to protect their computer from being infected by Malware.
At worst, Anti-Malware software should be considered absolutely necessary but not sufficient for keeping a computer safe from Malware. In practice, when combined with a modern operating system (meaning Windows 7 or later in the Microsoft world), other built-in capabilities like the firewall, URL filtering (e.g., IE’s SmartScreen), automatic update of software, and even a minimal amount of attention paid to best practices for surfing the web and reading email, it will keep the typical PC free of Malware.
For some reason, a lot of people simply don’t believe in defense in depth when it comes to computer security.
I don’t understand why. Would the same people keep their apartments unlocked just because they live in a doorman building? What about driving without seat belts because the car has an airbag?
Malware simply sticks around until it is cleaned off, or the media is wiped. I was recently reading some data off 5.25″ disks, and Windows Defender detected a boot sector virus from two decades ago!
The problem with this argument is that it does not consider the cost of anti-virus. Security should always be a cost/benefit trade-off.
Also, I think you underestimate the efficiency at which botnets can distribute new threats via e-mail. For some random reason, last week I took one of the .zip mail virus spam messages I got and submitted it to virustotal.com to have it scanned by the various engines, and the result was pretty bad. Only 2 of 47 conclusively detected it and 3 others had some generic match based on the fact that the file was packed. Which is another problem: these broken heuristics regularly “detect” non-malware, and this is also a hidden cost of anti-virus.
There are any number of issues here. First, often things that might be viruses simply aren’t. They are some grey area that some vendors consider malware and others don’t. Also, virustotal, as useful as it is, has flaws in terms of talking about the effectiveness of the represented products. On one hand some anti-malware engines being tested are set to more aggressively flag things as malware, while on the other hand some only test the effectiveness of file scanning and not other protections offered by the product’s real-time scanner (e.g., behavior monitoring).
All of the anti-malware products also have limits on how many levels deep they’ll scan an archive for performance reasons. You can usually change this on your own system, but on virustotal they either use the product’s defaults or set something of their own (maybe to not even scan into an archive). One can argue that scanning into an archive is itself a poor cost/benefit analysis because in order to cause harm the malicious executable has to first be extracted (explicitly or implicitly) from that archive, and then it will be scanned before execution. This is also the argument against periodic scans on a system that has real-time protection, though personally I prefer to keep my disks completely clean of malware. And I set the defaults on all anti-malware products I use to drill deeply into archives too.
I don’t think there is any environment in which the cost of having some anti-malware solution outweighs the benefit, but there are plenty of cost/benefit tradeoffs between the anti-malware products you choose. ClamAV simply has a horrible number of false positives. Microsoft Security Essentials has almost none. Other engines fall between those two. Because ClamAV is primarily used as a mail scanning tool the false positives tend not to be too harmful. But I’ve had it disable a system when used as part of a real-time scanner (e.g., Immunet). I’ve never had MSE leave a system, or application, unusable.
Finally, while I submit things I get through email to virustotal all the time those are almost always things in my junk folder. They just never get through to my inbox, which dramatically lessens the chance that I (or another user) will even get to find out if my own Anti-Malware is effective against them. Good email SPAM and Malware filtering is another part of defense in depth.
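The archive-depth point in the reply above (an engine that stops descending into nested archives will miss a sample that a real-time scan catches at extraction time) can be shown with a small model scanner. This is an added illustration, not code from the blog or from any anti-malware product; the nested zip and the "signature" marker are constructed and harmless.

```python
import io
import zipfile

# Constructed harmless marker standing in for a detection signature; not real malware.
MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-MALWARE"


def build_nested_zip(levels: int, payload: bytes = MARKER) -> bytes:
    """Constructed sample: wrap `payload` in `levels` zip archives, one inside the other."""
    data, name = payload, "sample.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i + 1}.zip"
    return data


def scan_bytes(data: bytes, max_depth: int, depth: int = 0) -> bool:
    """Signature-style scan that opens nested archives only while depth < max_depth.

    Returns True if the marker is found. An archive sitting at the depth limit is
    skipped without inspection, which is how an engine's archive-depth setting
    turns a deeply nested sample into a miss.
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            return False  # depth limit reached: the engine gives up on this archive
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(scan_bytes(zf.read(info), max_depth, depth + 1)
                       for info in zf.infolist())
    return MARKER in data  # leaf file: plain signature match


def unpack_fully(data: bytes) -> bytes:
    """What the user eventually does: unpack until a non-archive file comes out."""
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.infolist()[0])
    return data


if __name__ == "__main__":
    sample = build_nested_zip(4)
    print("depth limit 2:", scan_bytes(sample, max_depth=2))             # False
    print("depth limit 4:", scan_bytes(sample, max_depth=4))             # True
    print("on extraction:", scan_bytes(unpack_fully(sample), max_depth=0))  # True
```

A scanner with a conservative depth default misses the four-level sample, while the same signature fires the moment the innermost file is extracted, which is the real-time protection case the reply describes.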