
Crypto-virus Ransomware Update

In truth, a modern anti-virus deals with viruses only occasionally.

We still see self-replicating threats – true viruses – but most modern malware is of the one-shot variety.

These are Trojan Horses: inconspicuously malevolent programs, most commonly delivered over the internet, and designed to co-opt your computer for criminal purposes, such as sending spam, stealing passwords, attacking third parties or holding your data to ransom.

Thanks to the magic of the cloud, crooks can generate and deliver a brand-new sample of a single Trojan to each potential victim, using what is called server-side polymorphism. Every sample is different, just as with a polymorphic virus, but the program code which performs the sample-by-sample permutation never leaves the crooks' servers, so defenders cannot simply pull it apart and enumerate its outputs.

In a world in which every sample of a new malware family might be unique, an anti-virus which could only deal with previously-seen samples would, indeed, be of little use.

Fortunately, that’s not how good anti-virus software works.

To be sure, exact identification of specific objects can be useful – enumerating commonly-seen known-bad components of various malware families, for instance, helps with blacklisting (aka blocklisting); maintaining a list of known-good operating system libraries allows for whitelisting (aka allowlisting).

But decent anti-virus software isn’t really just plain old anti-virus any more. It isn’t just an enormous blocklist of checksums.
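To make the point concrete, here is an added example (not code from the original article, and not a description of any real product): a Python simulation of server-side polymorphism. A toy engine serves every "victim" a byte-different variant of one constructed script fragment, and three detectors are run against the variants: a plain checksum blocklist, a checksum of a normalised form, and a behavioural signature that needs no prior sample at all. The script text, the normalisation rules and the regex signature are all assumptions made for this example.

```python
import hashlib
import random
import re

# Constructed stand-in for a Trojan's script body. It is plain text, not
# runnable malware; only its shape (download, write, execute) matters here.
BASE_SAMPLE = """
var blob = download();
var path = writefile(blob);
execute(path);
"""

IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
COMMENT = re.compile(r"//.*$", re.MULTILINE)
# Tokens the toy engine must not rename: the keyword and the "API" calls.
RESERVED = {"var", "download", "writefile", "execute"}


def polymorph(seed: int) -> str:
    """Simulated server-side polymorphic engine: each request (seed) yields a
    fresh variant of BASE_SAMPLE with renamed identifiers, injected junk
    comments and reshuffled indentation. The behaviour never changes."""
    rng = random.Random(seed)
    names = {}

    def rename(m):
        tok = m.group(0)
        if tok in RESERVED:
            return tok
        if tok not in names:
            names[tok] = f"v{rng.getrandbits(32):08x}_{len(names)}"
        return names[tok]

    out = []
    for line in BASE_SAMPLE.strip().splitlines():
        line = IDENT.sub(rename, line)
        out.append(" " * rng.randint(0, 6) + line + f"  // {rng.getrandbits(32):08x}")
        if rng.random() < 0.5:
            out.append(f"// junk {rng.getrandbits(64):016x}")
    return "\n".join(out) + "\n"


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def normalize(sample: str) -> str:
    """Canonical form: drop comments, collapse whitespace and rename
    identifiers to id0, id1, ... in order of first appearance. Variants that
    differ only by the engine's cosmetic permutations collapse to one string."""
    names = {}

    def canon(m):
        tok = m.group(0)
        if tok in RESERVED:
            return tok
        return names.setdefault(tok, f"id{len(names)}")

    text = IDENT.sub(canon, COMMENT.sub("", sample))
    return " ".join(text.split())


# Generic behavioural signature on the normalised form: fetch, write, run,
# in that order, whatever the identifiers look like (assumed rule).
DROPPER_PATTERN = re.compile(r"download\(\).*writefile\(.*\).*execute\(")


def hash_hit(sample: str, blocklist: set) -> bool:
    """Plain checksum blocklist: matches only a byte-identical sample."""
    return sha256(sample) in blocklist


def structural_hit(sample: str, blocklist: set) -> bool:
    """Checksum of the normalised form: one entry covers the whole family."""
    return sha256(normalize(sample)) in blocklist


def heuristic_hit(sample: str) -> bool:
    """No prior sample needed: flag the download-write-execute sequence."""
    return DROPPER_PATTERN.search(normalize(sample)) is not None


def compare_detectors(n_victims: int = 5) -> dict:
    """Serve one variant per victim; build blocklists from the first variant
    only (the one the lab has seen) and count what each detector catches."""
    variants = [polymorph(seed) for seed in range(n_victims)]
    seen = variants[0]
    plain_list = {sha256(seen)}
    struct_list = {sha256(normalize(seen))}
    return {
        "unique_checksums": len({sha256(v) for v in variants}),
        "checksum_hits": sum(hash_hit(v, plain_list) for v in variants),
        "structural_hits": sum(structural_hit(v, struct_list) for v in variants),
        "heuristic_hits": sum(heuristic_hit(v) for v in variants),
    }


if __name__ == "__main__":
    print(compare_detectors())
    # {'unique_checksums': 5, 'checksum_hits': 1, 'structural_hits': 5, 'heuristic_hits': 5}
```

Every variant has its own checksum, so the plain blocklist catches only the sample the lab already had, while the normalised checksum and the behavioural rule catch all of them. Real engines are of course far more inventive than comment stuffing and identifier renaming, which is why real scanners unpack, emulate and look at what code does rather than how it is spelled; the principle, though, is the one shown here.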

More than just anti-virus

A good anti-virus will analyse the potential behaviour of a file – both statically, before it is used, for true preventative blocking, and dynamically, after it is loaded, for a second chance at heading off malicious behaviour.

A good anti-virus solution will automatically monitor and control newly-arrived files (and by all possible routes, from web downloads to inserted USB keys); the behaviour of newly-started processes; the network traffic associated with running programs; and more.

A good anti-virus will not only allow you to detect and block malicious programs, but also allow you to control legitimate-yet-risky software, such as outdated browsers. It will help you to identify and eliminate dangerous web browsing, both by URL and by analysing returned content. It will spot unpatched or vulnerable software, as well as files and network traffic which might trigger those vulnerabilities.

In fact, a really good anti-virus – which is competent at unravelling complex compound objects such as DOCs, PDFs, HTML pages and more – will help you look not just for malevolent and risky content coming into your organisation but also for confidential or personal content going out. Better yet, it will do this “on-access” or “real time” – heading off risky behaviour before it happens, rather than simply detecting breaches after the fact.
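The dynamic, "second chance" layer described above, as an added example that is not from the article: a toy write monitor in Python, sitting between processes and an in-memory stand-in for the file system. It treats a process that overwrites several existing files with ciphertext-like data in a short window as a file encrypter and blocks it, which is the behaviour of the ransomware this page is named after. The thresholds, the entropy cut-off, the simulated editor and the simulated encrypter are all assumptions for the example, not the rules of any real product.

```python
import math
import random
from collections import Counter, deque


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4.5 for English text, near 8 for
    ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class Blocked(Exception):
    """Raised when the monitor refuses a write and quarantines the process."""


class WriteMonitor:
    """Behavioural guard between processes and a simulated file system.
    Rule (an illustrative assumption): a process that overwrites max_hits
    existing files with high-entropy data within window_s seconds is
    treated as a file encrypter and blocked from further writes."""

    def __init__(self, fs: dict, max_hits: int = 5, window_s: float = 10.0,
                 entropy_bits: float = 7.5):
        self.fs = fs                  # path -> bytes, standing in for disk
        self.max_hits = max_hits
        self.window_s = window_s
        self.entropy_bits = entropy_bits
        self.events = {}              # pid -> deque of suspicious-write times
        self.blocked = set()

    def write(self, pid: int, path: str, data: bytes, now: float) -> None:
        if pid in self.blocked:
            raise Blocked(pid)
        # Overwriting an existing file with ciphertext-like bytes is the
        # suspicious event. Creating a new high-entropy file (a download,
        # a zip archive) is ordinary and is not counted.
        if path in self.fs and shannon_entropy(data) >= self.entropy_bits:
            q = self.events.setdefault(pid, deque())
            q.append(now)
            while q and now - q[0] > self.window_s:
                q.popleft()
            if len(q) >= self.max_hits:
                self.blocked.add(pid)
                raise Blocked(pid)
        self.fs[path] = data


def make_corpus(n_files: int) -> dict:
    """Constructed victim data: n_files small text documents."""
    return {f"doc{i}.txt": f"Quarterly notes {i}: nothing to see here.\n".encode() * 8
            for i in range(n_files)}


def run_editor(mon: WriteMonitor, pid: int = 7, start: float = 0.0) -> int:
    """Benign process: rewrites every document with a textual edit."""
    done = 0
    for i, path in enumerate(list(mon.fs)):
        mon.write(pid, path, mon.fs[path] + b"Edited.\n", start + i * 0.01)
        done += 1
    return done


def run_encrypter(mon: WriteMonitor, pid: int = 42, start: float = 0.0,
                  seed: int = 1) -> int:
    """Simulated ransomware: overwrites each document with random bytes
    (standing in for ciphertext) as fast as it can. Returns how many files
    it managed to clobber before the monitor blocked it."""
    rng = random.Random(seed)
    clobbered = 0
    for i, path in enumerate(list(mon.fs)):
        junk = bytes(rng.getrandbits(8) for _ in range(4096))
        try:
            mon.write(pid, path, junk, start + i * 0.01)
        except Blocked:
            break
        clobbered += 1
    return clobbered


def intact_files(mon: WriteMonitor) -> int:
    """Count documents that still hold text rather than ciphertext."""
    return sum(shannon_entropy(d) < mon.entropy_bits for d in mon.fs.values())


if __name__ == "__main__":
    mon = WriteMonitor(make_corpus(20))
    print("editor rewrote", run_editor(mon), "files; blocked:", 7 in mon.blocked)
    print("encrypter clobbered", run_encrypter(mon), "files before being blocked")
    print("files still intact:", intact_files(mon), "of", len(mon.fs))
```

Two caveats worth noticing in the output. First, the rule fires only after several files have already been overwritten, so a handful are lost: dynamic monitoring is a second chance behind static blocking, not a substitute for it. Second, a legitimate backup or disk-encryption tool that rewrites files in place would trip the same rule, which is why behavioural rules in practice sit alongside the allowlisting of known-good software mentioned earlier rather than replacing it.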

Defence in depth

Where does this leave us in respect of the assertion that “anti-virus is not good enough to handle today’s threats?”

In some ways, that statement is a truism. You can apply it to any individual security technology, considered all on its own. You wouldn’t rely entirely on a packet-filtering network firewall to protect you from viruses, for example. (Removable media, QED.) You wouldn’t rely entirely on a spam filter to stop inbound malicious documents. (Web downloads, QED.) And so on.

Anti-virus isn’t a panacea, and if you are faced with a vendor who is trying to sell it as one, I suggest you shop somewhere else.

Nevertheless, anti-virus in its modern form is a jolly useful part of any defence-in-depth strategy.

In particular, a decent endpoint anti-virus is agnostic about the source of a threat – incursions by email, web, USB, P2P etc. are all handled in a similar way. A decent endpoint anti-virus actually keeps watch for much more than just known malware – helping you with patch assessment, exploit prevention, data leakage and risky network traffic, too.

And, most importantly, a decent endpoint anti-virus really helps you to put the Prevention into your multi-layer IPS (Intrusion Prevention System).

Stand together and fight!

The truth is that no-one in computer security, except perhaps the crooks themselves, can predict what tomorrow’s malware, tomorrow’s dodgy domain names, tomorrow’s botnet command and control servers, or tomorrow’s illegal money-making scams are going to be.

But we can guess what tomorrow’s cybercriminality will be like, if we are well-informed about what has happened so far. (The fancy name for this is “heuristics”.)

