
The day the AV died

AV really died in 2009, Microsoft killed it.

I was a lonely teenage broncin' buck

With a pink carnation and a pickup truck

But I knew I was out of luck

The day the music died

~ Don McLean, American Pie

Seems like everyone is all a-twitter (see what I did there) about the SVP of Symantec saying that AV is dead. Well, actually what he said was, "We don't think of antivirus as a money maker in any way." For Symantec, that means dead. But if AV not being a money maker is the definition of its death, I say AV died on September 29, 2009. That was the real day AV died, and it was Microsoft who killed it.

Microsoft killed off AV as a money maker when it began distributing AV for free in Windows with Microsoft Security Essentials (MSE). MSE went live on September 29, 2009. Prior to that, Microsoft had entered the AV market with Microsoft OneCare based on a few AV companies it had bought.

OneCare was about $50. While the other AV companies cried foul that Microsoft would use its market-crushing OS share to push OneCare onto Windows users, Microsoft went ahead. OneCare and some of the other Microsoft security products (Forefront) that followed didn't kill the other AV companies, but they did carve out a share of the market for Microsoft.

With MSE, Microsoft set the AV free. Now anyone could get AV for free. This by itself was not novel. There were actually several open source and free AV products available. But MSE was really easy and it was from Microsoft. This was a game changer for the AV industry. The vendors now had to justify why people should plunk down hard-earned money for something that they could get for free.

Many people didn't and wouldn't care that independent tests showed Symantec or some of the others stopped more viruses, or about the amount of money being poured into research and writing more signatures. AV was AV, and free was good. On top of this, some AV was better than no AV.

So how did the AV vendors respond? The AV suite. They took their basic AV engines and bloated the products with a whole bunch of other security add-ins. They put in their own personal firewalls, host-based IDS, anti-spam, patching, updaters and anything else they could think of. The AV suites became some of the biggest resource hogs on our machines.

Then two other things happened which really put the stake in the heart of AV. The first was the rise of the Mac and Windows 8 on the desktop, and the second was the desktop giving way to the mobile device.

Mac users loved to say they "didn't need no stinkin' AV," after all they had a Mac. Even Apple, thumbing its nose at Redmond, did not recommend running an AV product on the Mac. Of course, as Macs took more market share and became a greater target, that changed to some degree. Next, Microsoft's Windows 8 did away with MSE altogether and simply bundled the AV engine into the OS as Windows Defender.

Is the bundled AV and security in Windows 8 good enough? Probably not, but the AV suites from Symantec and others aren't good enough either. So if nothing is good enough, I might as well go free.

More than that, we use fewer desktop computers. Phones and tablets are where it is at. In spite of the warnings and the actual events, most people do not put AV on their phones and tablets. Apple's walled garden approach to apps helps keep the iOS system relatively safe, and while Google's Android is a bit of the wild west, there just has not been a big enough attack to justify making AV mandatory for Android.

So if Microsoft killed AV back in September of 2009, Apple and mobile devices buried it over the last few years.

Make no mistake about AV being a money maker, either. I used to marvel back in the early 2000's when looking at security company revenues. The number 8 or 9 AV vendor revenue still dwarfed the largest IDS or vulnerability scanner companies. AV was a cash cow. Symantec, McAfee, Sophos, Trend and the rest rode that puppy for everything it was worth. A Symantec SVP saying it is dead is all the proof you need that these guys have squeezed every last drop of cash out of it.

Those of us in the security industry have been preaching that AV died a long time ago. For us, it was not whether AV was a money maker or not, it was that basically AV didn't work. In fact, worse than not working, it gave people a false sense of security.

The AV companies were drowning in their own research teams' blood trying to keep up with the torrent of new attack types and signatures. It seemed there were more new malware variants needing signatures every day than there was time to push the updates out to everyone's AV.

All we saw was AV suites growing more and more bloated. It was a question of how high you could stack this stuff. But the fact was that if you keep piling more and more crap on top of each other, at the end of the day you just wind up with a big pile of crap. That pretty much sums up a lot of the AV out there today.

So AV is dead? No kidding. AV died in 2009 as a money maker and it probably died as an effective security tool way before that. You can blame Microsoft if you want (I know some love to blame Microsoft for everything), but it really died of its own ineffectiveness.
