Tuesday, July 15, 2008

Symantec Antivirus: the Jar Jar Binks of Information Security

Earlier this week I published a post where I talked about an adventure I had once with a worm that was spreading around my organization and how we dealt with it. In that post I made a comment about Symantec Antivirus being able to detect the virus and tell you that you were infected, but it wasn't doing anything to stop the spread of the infection. This leads me to this post.

I firmly believe that antivirus technology vendors are the Gungans of the information security world. They talk funny and they're really only good for distracting an attacker while you do something worthwhile. And if antivirus technology vendors are Gungans, then Symantec Antivirus is Jar Jar Binks! You know how much any self-respecting Star Wars fan hates Jar Jar Binks? Well that's how much I hate Symantec Antivirus. Much like Jar Jar Binks it takes up a lot of space, makes a lot of useless statements, annoys the shit out of you, and makes you wonder why anyone would intentionally put it on their computer (or in their movie).

Recently a bunch of my coworkers were bitching about Symantec Antivirus, and how each version of it is heavier than the last and just as useless. This led me to create Black Fist's First Law of Symantec Antivirus:

For any version of Symantec Antivirus, X: Symantec Antivirus X-1 was better.

Someone else followed this logic all the way back and discovered this great truth:

Symantec Antivirus Version 0 (meaning no Symantec Antivirus at all) is best.

The problem with antivirus software is that there is so much malware in the world that they can't possibly keep up. They regularly purge their signatures of old malware that has become rare on the Internet, which leaves you exposed to a certain degree. The really nasty stuff is the zero-day malware that they won't have signatures developed for yet. When Slammer came out in 2003, it spread around the Internet in 30 minutes! How can a reactive software package hope to protect you from that? In fact, the only reason I even run antivirus at my organization is because if we didn't, someone would probably accuse me of being negligent. I honestly do not believe that it provides me with value anywhere near the cost of the safeguard.

Consider this as an exercise. If you do not run antivirus software on your computer, what is the probability that you will become infected with malware? I would say for the average user the answer is .8. So we can say that in a five year period, that average unprotected user would contract malware four times. Each time you have to clean up the infection, which probably costs $50. Norton 360 costs about $80 right now, plus you have to pay for a subscription, so in five years you'll probably spend $120 on protection. Here is where the value breaks down: I believe that even with antivirus installed, you still only reduce the probability from .8 to .5, maybe? By that math, you're going to spend $120 to get $75 of savings.
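The back-of-the-envelope argument above, written out as a small expected-loss model so the assumptions can be changed (added example, not part of the original post). The function names are mine; the numbers in the usage block are the post's, plus the break-even residual probability the post does not compute.

```python
# Expected-cost model for the post's antivirus cost/benefit argument.
# All numbers below are the post's own estimates, not measured data.

def expected_cleanup_cost(p_infection_per_year, years, cost_per_cleanup):
    """Expected money spent cleaning up infections over the whole period."""
    return p_infection_per_year * years * cost_per_cleanup

def net_savings(p_unprotected, p_protected, years, cost_per_cleanup, av_cost):
    """Dollars saved by running antivirus over the period.

    Positive means the product pays for itself; negative means the
    cleanups it avoids are worth less than what it costs.
    """
    avoided = (expected_cleanup_cost(p_unprotected, years, cost_per_cleanup)
               - expected_cleanup_cost(p_protected, years, cost_per_cleanup))
    return avoided - av_cost

def breakeven_probability(p_unprotected, years, cost_per_cleanup, av_cost):
    """Residual yearly infection probability at which antivirus exactly
    pays for itself; any higher residual probability is a net loss."""
    return p_unprotected - av_cost / (years * cost_per_cleanup)

if __name__ == "__main__":
    # Post's estimates: .8 -> .5 per year, 5 years, $50 per cleanup, $120 for AV.
    print("net savings over 5 years: $%.0f" % net_savings(0.8, 0.5, 5, 50, 120))
    print("break-even residual probability: %.2f"
          % breakeven_probability(0.8, 5, 50, 120))
```

With the post's figures the product has to cut the yearly infection probability from .8 to about .32 before it pays for itself; the post's guess of .5 leaves it $45 short.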

I know that I'm not the only one out there who believes that antivirus is not very effective. I'd like to know if my analysis is too extreme, or if you think I'm spot on. Remember, I'm still learning about information security, and whenever I buck conventional wisdom I feel like I should be open to the fact that I might be wrong. I'll revise my opinion when sufficient evidence comes to my attention.

EDIT: Here is a link to an article that shows at least one group of people agrees with me on this one. The article makes the claim that using a whitelist of approved applications rather than a blacklist is more effective, and I agree with that. It also says that whitelisting hasn't caught on because it is relatively new technology, which I believe is not true. http://www.darkreading.com/document.asp?doc_id=158750&WT.svl=news1_5
