anti-virus is not dead!

Posted on by michael

I hate hearing things like Anti-Virus is dead or IDS is dead. If they’re still being used in corporate and home environments, they are not dead! Now, this paper on greylisting (really, on Bit9 parity), is a noble effort, but as a paper about a “new” method to manage software and malware installation and blocking, the title is sensationalist and unnecessary. In fact, over half the paper is spent trying to convince me that anti-virus is dead. Unfortunately, while you might be able to float me a new product or paradigm, you can’t convince me anti-virus is dead (even as I don’t typically use any at home because I consider myself slightly educated in technical areas).

Anti-virus is not dead. It might be declining and changing, but it is far from dead. The day my parents remove anti-virus is the week they stumble upon malware on a website or in email, run it, and become infected with something. Thank you, move along, come again.

So I skipped down to greylisting. This is not a hugely novel new approach. In fact, the approach stinks when you turn your head in certain directions and sniff around a bit.

From a corporate or even home family perspective, I like the administrative control and tracking on blacklisting and whitelisting. I also like being able to turn it on and off for laptops that might be offsite. This is defeatable, though, and I’m not sold on it fully. I think many corporations will slowly be moving to thin clients or all laptops (while plenty will of course stay with desktops). Laptops leads to…

…From a user perspective, this is still flawed technology. Just like fake SSLs and firewall block/allow alerts, popups to users will not be understood and will eventually just always be allowed. Game over. The false assertion made in the paper is that the user will try to open a Word doc, see something else wants to start, and realize their error and know better than to continue. No, that’s not true. There’s even a good chance that I, a security-paranoid freak, would just chalk it up to a bad macro or mis-matched version warnings and click Yes before my brain kicks in and says, “No! You idiot!” The following assertion is also odd in that even if the user clicks it, they only infect themselves and not something else. I don’t buy that necessarily, or that that was even an option. If they got hosed and something spewed out copies of itself in emails to their contact list, we can just repeat the user acceptance and nothing has changed.

Ok, end rant, time to go home!