Unlike some security professionals, I still regard antivirus as a necessity. It doesn’t catch advanced threats, and everything it does catch can be caught through other methods, but it is the most cost- and labor-effective way to catch the best-known, least sophisticated attacks. If you put a $100,000 incident responder to work hunting ordinary viruses, you’ll waste a lot of money on salary and quickly lose that incident responder to another company offering more interesting work.
Of course, there’s a great deal of discussion in the mainstream computer magazines about which antivirus is the best. I don’t agree with their methodology, though. They might as well be looking for the longest 8-foot 2×4 at the home improvement store. Yes, you can probably find some variance if you get out a micrometer, but what have you accomplished?
SANS has a good real-world test to see how much protection your antivirus software is really giving you.
Odds are this SANS test file will blow right past your traditional antivirus. It’s a PDF with an embedded Word document, and that document contains a macro that generates its payload. Your antivirus will kick in when the macro writes the payload, which is the EICAR test file: a harmless executable that every antivirus vendor has agreed to flag as a virus so that detection can be tested.
But that’s the problem with traditional antivirus. By the time it kicks in, unknown code from an unknown source is already running on one of your machines. You’d better hope your antivirus gets it right at that point.
So when you hear a security professional talk about antivirus being about 20% effective, that’s probably what they mean. Most antivirus products catch between 90 and 99% of known threats, but this file shows how easy it is to get one of those known threats into your network. The document’s creator, Didier Stevens, intentionally made this document easy to catch early, but it wouldn’t be especially difficult to put a real virus in this document and obfuscate it so that most antivirus won’t see it, and that’s likely what happens at the beginning of most of the attacks that end up making the news.
As the document creator says, if you test this at work, make sure you have permission first. Very high-level permission. But if you need to demonstrate the problem with antivirus, this is a very effective way to show how antivirus often trips entirely too late to make a difference.