Has the end arrived for desktop antivirus?
Analysts say traditional desktop antivirus, signature-based protection won’t protect corporate jewels — whitelisting, behavior-blocking technology is the answer
By Ellen Messmer, Network World, 04/05/2007
Is the bell tolling for desktop antivirus technology?
Some industry analysts are proclaiming the traditional antivirus method for detecting and eradicating viruses, trojans, spyware and other baneful code by matching it against a signature to be “dead.”
They say signature-based checking can’t keep up with the flood of virus variants manufactured by a criminal underworld that
is beating the antivirus vendors at their own game. And they are arguing it’s time for companies to adopt newer approaches, such as whitelisting or behavior-blocking, to protect desktops and servers.
UPDATE 4/25/07: McAfee, Symantec, Trend Micro reveal their plans
“It’s the beginning of the end for antivirus," says Robin Bloor, partner at consulting firm Hurwitz & Associates, in Boston,
who adds he began his “antivirus is dead" campaign a year ago and feels even more strongly about it today. “I’m going to keep
beating this drum. The approach antivirus vendors take is completely wrong. The criminals working to release these viruses
against computer users are testing against antivirus software. They know what works and how to create variants."
The fundamental problem “isn’t about viruses, it’s about what should be running on a computer," Bloor says.
Instead of antivirus software, he says, users should be investing in whitelisting software that prevents viruses from running
because it only allows authorized applications to run.
Whitelisting products are available from SecureWave, Bit9, Savant, AppSense and CA, the first traditional antivirus vendor to see the light, in Bloor’s view.
Others are joining Bloor’s way of thinking. Andrew Jaquith, a security analyst at Yankee Group, in December published a research
paper entitled “Anti-Virus is Dead: Long Live Anti-Malware." Yankee Group’s research indicates that there’s an "explosion"
in cumulative malware variants, with 220,000 cumulative unique variants expected in 2007, a tenfold increase over 2002 levels.
The antivirus vendors simply can’t keep up, Jaquith says, noting that some antivirus lab managers privately complain this
flood of virus variants, which force signature changes every 10 minutes, adds up to the equivalent of a denial-of-service
attack against them.
“Most antivirus labs work the same way; they get more samples than they can handle on a daily basis," Jaquith says. “They
triage based on severity. The antivirus people are like folks with nets trying to catch the big fish, so if you’re a bad guy,
you want to be a minnow and get through the driftnet."
The best thing about antivirus signatures is that “they’re accurate and the false positives are very low," Jaquith says. But
the purpose in writing the “Anti-Virus is Dead" paper is to “bust everybody’s bubble that this stuff is keeping people safe
and the notion it will solve your malware problem."
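To make the contrast the analysts are drawing concrete, here is an added example (my own code, not anything from the vendors or analysts named in this article) that runs a byte-pattern signature scanner and a hash-based application allowlist over two constructed “binaries”. The samples, the family name Dropper.A and the single-byte XOR re-encoding are all invented for the demonstration. The point is that a trivial re-encoding of the same sample defeats the signature while the default-deny allowlist never needed to know about the sample at all; it also shows the cost that moves onto the administrator, since a legitimately updated program is denied until its new hash is approved.

```python
import hashlib

# Constructed sample "binaries" for the demonstration; neither is real
# malware, and the byte patterns are invented.
BENIGN_TOOL = b"MZ\x90\x00" + b"harmless utility code " * 4
MALWARE_V1 = b"MZ\x90\x00" + b"\x90" * 8 + b"PWN_DROPPER_STUB" + b"\x00" * 16

# A hypothetical vendor signature database: family name -> byte pattern.
SIGNATURES = {"Dropper.A": b"PWN_DROPPER_STUB"}


def signature_scan(blob, signatures=SIGNATURES):
    """Return the signature names found in blob; an empty list means 'clean'."""
    return [name for name, pattern in signatures.items() if pattern in blob]


def make_variant(blob, key=0x5A):
    """Re-encode everything after the 4-byte header with one XOR key.

    A real packer would prepend a decoder stub so the result still runs;
    here the point is only that every byte the signature depends on changes,
    which is all an author testing against the vendors' scanners needs.
    Applying it twice restores the original.
    """
    header, body = blob[:4], blob[4:]
    return header + bytes(b ^ key for b in body)


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


# Allowlist: hashes of the programs an administrator has explicitly approved.
ALLOWLIST = {sha256_hex(BENIGN_TOOL)}


def allowlist_decision(blob, allowlist=ALLOWLIST):
    """Default-deny execution control: run only what is on the list."""
    return "allow" if sha256_hex(blob) in allowlist else "deny"


def compare(blob):
    """Both verdicts side by side for one sample."""
    return {
        "signature_hits": signature_scan(blob),
        "allowlist": allowlist_decision(blob),
    }


if __name__ == "__main__":
    variant = make_variant(MALWARE_V1)
    patched_tool = BENIGN_TOOL + b"v2 fix"   # a legitimate update: new hash
    for label, sample in [("benign tool", BENIGN_TOOL),
                          ("malware v1", MALWARE_V1),
                          ("malware variant", variant),
                          ("patched tool", patched_tool)]:
        print(f"{label:16} {compare(sample)}")
    # The scanner needs a second signature before it sees the variant; the
    # allowlist is unchanged. Conversely the patched tool stays blocked until
    # an administrator adds its hash. That is the treadmill on each side.
    SIGNATURES["Dropper.B"] = bytes(b ^ 0x5A for b in b"PWN_DROPPER_STUB")
    print("after update:", signature_scan(variant))
```

The allowlist here keys on a full-file hash, which is the simplest policy and also the most brittle one; production products typically also accept publisher certificates or trusted installer paths precisely so that every vendor patch does not become a help-desk ticket.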
Jaquith says he’s enthusiastic about the behavior-blocker technology incorporated in Sana Security’s Primary Response and Prevx’s Prevx1.
Behavior-blocking antimalware software works by observing what applications actually do once they are running in memory, rather than what their bytes look like on disk, and blocking those whose actions are deemed harmful. Sana Security’s CEO Don Listwin says Primary Response watches for 226 software characteristics deemed to be bad behavior and stops code that exhibits them as it tries to execute.
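The following is an added example of the behavior-blocking mechanism described above; it is my own illustration, not Sana Security’s or Prevx’s code, and the four characteristic names, the threshold and both event traces are invented for it (the 226 characteristics Listwin mentions are not public in the article). It evaluates a stream of process events against a small set of behavioral rules and stops the process as soon as enough of them fire, so that later actions in the trace never happen. A constructed installer trace shows why a threshold is needed: registering an autorun is also what legitimate software does, which is where behavior blockers, unlike signatures, pay in false positives.

```python
# Constructed process-event traces (not captured from any real product or
# sample); each event is (action, target) and every path is illustrative.
SUSPECT_TRACE = [
    ("open_file", r"C:\Users\alice\Downloads\invoice.exe"),
    ("write_file", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                   r"\Start Menu\Programs\Startup\svc.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("open_process", "explorer.exe"),
    ("write_process_memory", "explorer.exe"),
    ("create_remote_thread", "explorer.exe"),
    ("connect", "203.0.113.7:4444"),     # documentation-range address, made up
]

INSTALLER_TRACE = [
    ("write_file", r"C:\Program Files\Vendor\app.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\app"),
    ("connect", "203.0.113.9:443"),
]

# Behavioral characteristics: name -> predicate over the events seen so far.
# A product like the one described tracks hundreds; four show the mechanism.
CHARACTERISTICS = {
    "autorun_persistence": lambda ev: any(
        a == "reg_set" and "\\CurrentVersion\\Run\\" in t for a, t in ev),
    "startup_folder_drop": lambda ev: any(
        a == "write_file" and "\\Startup\\" in t for a, t in ev),
    "code_injection": lambda ev: {"open_process", "write_process_memory",
                                  "create_remote_thread"} <= {a for a, _ in ev},
    "nonstandard_outbound": lambda ev: any(
        a == "connect" and not t.endswith((":80", ":443")) for a, t in ev),
}

# How many characteristics a process may exhibit before it is stopped. One
# on its own is normal (installers register autoruns); several together are not.
BLOCK_THRESHOLD = 3


def matched(events):
    """Names of the characteristics the events exhibit, in rule order."""
    return [name for name, pred in CHARACTERISTICS.items() if pred(events)]


def evaluate(trace):
    """Offline verdict over a complete trace."""
    hits = matched(trace)
    return {"hits": hits,
            "verdict": "block" if len(hits) >= BLOCK_THRESHOLD else "allow"}


def first_block_index(trace):
    """Streaming verdict: index of the event at which the process is stopped,
    or None if it runs to completion. Events after that index never happen."""
    for i in range(len(trace)):
        if len(matched(trace[:i + 1])) >= BLOCK_THRESHOLD:
            return i
    return None


if __name__ == "__main__":
    for label, trace in [("suspect", SUSPECT_TRACE), ("installer", INSTALLER_TRACE)]:
        stop = first_block_index(trace)
        print(label, evaluate(trace),
              "stopped at" if stop is not None else "ran to completion",
              trace[stop] if stop is not None else "")
```

In the suspect trace the process is stopped at the remote-thread creation, before its outbound connection, which is the property the article credits behavior blockers with: the code is caught by what it does, so a re-encoded variant with identical behavior is caught identically.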
Comments (17)

Re: Is desktop antivirus dead?
By Anonymous on April 6, 2007, 10:08 am
How about Prevx? No one ever reviews it. I've been using it for a year now with absolutely no problems.
Prevx
By Brian on April 6, 2007, 11:22 am
re: Prevx..... mind answering a few questions about your experience with it.... what % resource does it take on the desktop (I assume it is stay resident)? How...
don't forget about vulnerability scanning
By Anonymous on April 6, 2007, 11:59 am
Should think of adding network-based vulnerability assessment for hardware, operating systems, and apps - including web servers, firewalls, and database systems....

What do you think?
By Adam Gaffin on April 6, 2007, 12:03 pm
Take Our Poll

Signatures are dead... which includes IPS as well
By Anonymous on April 6, 2007, 12:39 pm
Polymorphic attacks are evading signatures across all fronts, including NIPS/HIPS. Signatures are dead!!!!!

Prevx Resources
By Anonymous on April 6, 2007, 12:46 pm
WinXP Task Manager shows it using 15,000k Mem and 1,100 between the 2 processes it runs. Really don't notice much delay, but I run 1 Opteron 1.8 CPU and a gig of...