Carbon Black's Viscuso estimates that virus traffic is growing at a rate of 783,000 new samples each day. Therefore, whatever signatures are missed on any given day will have to compete with all the new ones coming online tomorrow and the next day. Viscuso added that even if you could somehow keep up with the growth, the resulting performance hit on the individual machines would be far worse than the market would bear.
"That leads us to believe that customers should leverage the signature databases of multiple AV packages, as opposed to just one," said Viscuso. "In many cases, the AV products don't allow you to run more than one on a single machine. So, channel partners and customers should use a service that can scan all those binaries so that even if your particular antivirus isn't catching it, maybe the other one will."
Henry, from Lumension, argues that many machines are not adequately protected because we are relying on failed technologies that are erroneously considered to be a best practice.
"Firewalls are another example," he said. "For the last 20 years, we've used things like port-centric firewalls. If they wanted to block somebody from going to the Internet, we would block port 80. So, that just means the bad guys need to reconfigure their software to use port 79 because they left port 79 open."
Henry suggests that enterprises move towards a positive model for security in which they identify what is allowed to run, as opposed to a negative model for security in which they identify what is not allowed to run -- as is the case with antivirus.
"In a white-listing environment you have to approve a given piece of software, or even a script, to run in this environment," he said. "Beyond that, you also have to validate that nothing is changed with that piece of software. In other words, the signature for that software needs to be trusted. If it's not trusted, then it's not allowed to run. It's more work to deploy software in an environment like this. The administrative burden is a lot higher than just turning on antivirus. But, the level of security is much improved."
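The difference between the negative and positive models, as an added example that is not from the article or from any vendor named in it. It simplifies a signature to a SHA-256 hash; the paths, sample contents and function names are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for file contents.
APPROVED_TOOL = b"constructed: approved backup agent v1"
KNOWN_MALWARE = b"constructed: sample already in the signature database"
NEW_MALWARE = b"constructed: sample first seen today, no signature yet"
TAMPERED_TOOL = APPROVED_TOOL + b" + injected code"

# Negative model: a list of what is NOT allowed to run (hypothetical database).
DENYLIST = {sha256(KNOWN_MALWARE)}

# Positive model: each approved path is pinned to the hash that was approved.
ALLOWLIST = {"/opt/backup/agent": sha256(APPROVED_TOOL)}

def denylist_allows(data: bytes) -> bool:
    """Runs unless the content matches a known-bad signature."""
    return sha256(data) not in DENYLIST

def allowlist_allows(path: str, data: bytes) -> bool:
    """Runs only if the path was approved and the content is unchanged."""
    trusted = ALLOWLIST.get(path)
    return trusted is not None and trusted == sha256(data)

def evaluate(path: str, data: bytes) -> dict:
    """Decision of each model, plus both layered together."""
    deny_ok = denylist_allows(data)
    allow_ok = allowlist_allows(path, data)
    return {"denylist": deny_ok, "allowlist": allow_ok,
            "combined": deny_ok and allow_ok}

if __name__ == "__main__":
    cases = [
        ("approved tool", "/opt/backup/agent", APPROVED_TOOL),
        ("known malware", "/tmp/dropper", KNOWN_MALWARE),
        ("new malware", "/tmp/dropper", NEW_MALWARE),
        ("tampered tool", "/opt/backup/agent", TAMPERED_TOOL),
    ]
    for label, path, data in cases:
        print(f"{label:14s} {evaluate(path, data)}")
```

The new sample and the tampered tool both pass the denylist because no signature exists for them yet, while the allowlist refuses both.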
Henry added that, despite his point of view, the market for antivirus products will remain strong because AV technology is typically required by standards bodies. "If they went out and just did white listing, they would be non-compliant," he said.
"I'm not saying throw away antivirus," Henry added. "I'm saying complement antivirus with white listing. It's simply a smarter way to go."