by Andy Patrizio

Yes, you still need endpoint malware protection

May 18, 2017

While operating systems and apps are more secure, the need for endpoint security remains.


There has been a steady stream of reports and claims lately that many of us no longer need endpoint security, that antivirus (AV) programs on our PCs are worthless.

Gizmodo flat out said that you really don’t need an antivirus app anymore, arguing that Windows 10 and the browsers have tightened up security to the point that they adequately protect end users. Windows Central asked the same question, but determined that more protection is better than less.

Tom’s Guide was a little less sweeping, arguing that free antivirus programs are as effective as those charging an annual subscription of $50 per user or more. And security firm KnowBe4 said that most AV programs are useless against ransomware because it’s such a different animal.

So can you ditch the AV program? Nonsense, say security experts.

“Would you tell your mom to remove the antivirus from her computer? No? Ok then,” says Randy Abrams, an independent security consultant who previously worked for NSS Labs and ESET, the maker of the NOD32 antivirus program.

He acknowledged that antivirus is far from perfect, but said it still protects against most threats. “They’ve been saying since early 2000s that antivirus is dead, it’s not effective. The truth is it’s effective against the vast majority of threats but not so much the brand new stuff,” says Abrams.

Abrams says that most malware is old, and a recent report from security firm WatchGuard supports this. The company found that 30 percent of the malware it saw in the fourth quarter of 2016 was "zero-day" malware, meaning samples new enough that signature-based antivirus did not yet detect them (not, in this usage, exploits of unpatched vulnerabilities). But that means 70 percent of the malware was not new, and much of it came from strains that have been around for months if not years, which an AV program can catch.

David Perry, an independent consultant who has worked for Symantec, McAfee, F-Secure, and Trend Micro, said he has heard the 'AV is dead' refrain many times and it's never true. "Pretty much every year someone says antivirus is dead. With endpoint protection, we need to do everything. As good as your gateway protection might be, they still needed to clean up an infection on the desktop," he said.

“Who has an alternative to sell that started the rumor this year?” he continues. “There are people in those industries who consider antimalware superfluous, but ask someone at a big bank or Boeing, they will agree that they need some way to clean malware off those desktops. They don’t want to have to flash them every day.”

Perry thinks we are headed to a future where client PCs will all use virtual desktops, so if you get an infection you simply reimage the PC. “That’s what people on my level do but that’s not an option for a law firm,” he said, although eventually it will be. Abrams also felt ransomware can be handled without a malware product by keeping proper backups, so if a computer is hit with ransomware it can just be wiped and restored.

Another proposed solution is whitelisting, where a security program only allows applications from a pre-approved list to run and blocks everything else by default. This is the opposite of the blacklist method of antivirus, where executables are compared against a list of known bad players and blocked only if there is a match. Perry thinks, ultimately, whitelisting is an unworkable solution.

“If you do solid whitelisting, you don’t let anything [be] added to your system, so how do you get onto a web page because they all run JavaScript and Ajax. Are you going to stop using Netflix? It downloads Silverlight if you watch it on Windows 7. You’re going to frustrate yourself all the time. There isn’t one executable in a program. Microsoft Word isn’t one EXE; there are 150,” he says.

Still, malware continues to hit the internet and end users at an ever-increasing rate, the two say. “When I started, we saw 30 pieces [of new malware] a day. Now it’s 150,000 a day if not more. By the time tomorrow comes it’s all new again,” said Perry.

A lot of malware developer kits (yes they have those) allow for the constant generation of new, slight variants of the same malware, sometimes coming just five minutes apart. Abrams says 80 percent of the new malware samples sent in to antivirus companies are seen just once because of all the variants. “It’s a zero-day but how many people does it affect? One,” he says.
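To make concrete the difference between the blacklist and whitelist models Perry describes, and why the kit-generated variants Abrams mentions slip past a blacklist, here is an added example written for this page; it is not code from the article, from Abrams or Perry, or from any antivirus vendor. The "executables" are constructed byte strings standing in for real files, and the payload marker that the pattern signature matches is a hypothetical stand-in for the family-specific byte sequences real signatures key on.

```python
"""Hash denylist vs pattern signature vs allowlist on constructed samples.

Constructed example: the byte strings below stand in for executables and
are not real malware. The payload marker the pattern signature looks for
is likewise a hypothetical stand-in, not a real detection signature.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


def sha256_hex(data: bytes) -> str:
    """Fingerprint a file image the way a hash-based AV or allowlist would."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables (not real binaries).
LEGIT_WORD = b"MZ\x90\x00 winword.exe  (approved by IT months ago)"
LEGIT_NEW_TOOL = b"MZ\x90\x00 new-tool.exe (legitimate, never approved)"
# Hypothetical marker a malware kit reuses across every build of one family.
PAYLOAD_MARKER = b"ENCRYPT_DOCS_AND_DEMAND_PAYMENT"
KNOWN_MALWARE = b"MZ\x90\x00 dropper.exe " + PAYLOAD_MARKER + b" build=0001"

# Blacklist model, hash flavour: only files the vendor has already fingerprinted.
HASH_DENYLIST = {sha256_hex(KNOWN_MALWARE)}
# Blacklist model, signature flavour: a byte sequence shared by the whole family.
SIGNATURE_DENYLIST = {PAYLOAD_MARKER}
# Whitelist model: only hashes the administrator pre-approved may run.
ALLOWLIST = {sha256_hex(LEGIT_WORD)}


def make_variant(sample: bytes, flips: int = 1) -> bytes:
    """Imitate a kit rebuild: same payload, only the trailing build tag changes.

    Flipping the last `flips` bytes alters the hash but leaves the marker intact.
    """
    buf = bytearray(sample)
    for i in range(1, flips + 1):
        buf[-i] ^= 0x01
    return bytes(buf)


def hash_denylist_verdict(sample: bytes) -> Verdict:
    """Block only if this exact file image has been seen before."""
    return Verdict.BLOCK if sha256_hex(sample) in HASH_DENYLIST else Verdict.ALLOW


def signature_denylist_verdict(sample: bytes) -> Verdict:
    """Block if any family signature appears anywhere in the file."""
    return (Verdict.BLOCK if any(sig in sample for sig in SIGNATURE_DENYLIST)
            else Verdict.ALLOW)


def allowlist_verdict(sample: bytes) -> Verdict:
    """Allow only pre-approved hashes; everything unknown is blocked."""
    return Verdict.ALLOW if sha256_hex(sample) in ALLOWLIST else Verdict.BLOCK


def evaluate(samples: dict[str, bytes]) -> dict[str, dict[str, Verdict]]:
    """Run all three controls over every sample: name -> control -> verdict."""
    return {
        name: {
            "hash_denylist": hash_denylist_verdict(data),
            "signature": signature_denylist_verdict(data),
            "allowlist": allowlist_verdict(data),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    samples = {
        "winword (approved)": LEGIT_WORD,
        "new tool (unapproved)": LEGIT_NEW_TOOL,
        "known dropper": KNOWN_MALWARE,
        "dropper variant": make_variant(KNOWN_MALWARE),
    }
    results = evaluate(samples)
    print(f"{'sample':<24}{'hash denylist':<16}{'signature':<12}{'allowlist'}")
    for name, row in results.items():
        print(f"{name:<24}{row['hash_denylist'].value:<16}"
              f"{row['signature'].value:<12}{row['allowlist'].value}")
```

Running it prints one row per sample. The one-byte variant sails through the hash denylist (a new hash is, to that control, a "zero-day" seen by one victim), while the family signature still catches it, which is why old strains keep getting blocked. The allowlist blocks the variant too, but it also blocks the legitimate, never-approved tool, which is the usability cost Perry objects to.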

Ransomware is a problem because it often relies on tricking people into running a malicious payload by visiting a website or clicking a link, and technology alone can't overcome social engineering.

“Antivirus programs have improved a lot, but I’d say the level of ransomware hitting people is indicative that there are still problems. Technology has a hard time beating social engineering. To some degree it’s perspective. It comes down to educating end users and that’s tricky,” says Abrams.