Is Antivirus Software Reliable?
BY LUKE DONALD
Opinions on antivirus solutions span a spectrum, from claims that they are worthless to organizations basing their entire security strategy on them. What is an antivirus solution supposed to do, what does it not do well, and how can organizations get the most out of it?
Antivirus software attempts to stop harmful software from running on your computers. It sounds simple, but think of all the odd things people ask their computers to do. Is it OK to download a file from the internet? What about installing a new piece of software, or connecting to another computer on the network? Malicious actors try to behave like normal computer users, which makes it tricky for antivirus software to judge what should be allowed and what shouldn't, especially since blocking a user's legitimate software is also a failure. The more predictable the user's behaviour, the more effective antivirus software can be.
Many organizations put much of their trust in their antivirus solution, treating it as both the first and the last line of defense. This is especially true of organizations with small security budgets, most often in the small and medium business space. Attackers have developed a vast set of antivirus bypass tools, both private and publicly available. Within a few minutes, an attacker can produce a malicious piece of software that will often go unnoticed by common antivirus solutions. Over-reliance on antivirus is therefore dangerous.
Is there a strong business case for allowing users to run software from anywhere on the internet? In most cases, a business can operate with just a few applications. And if an attacker cannot get their software to run, they will likely have to find a new organization to attack. Supplementing antivirus software with a software allow list can significantly reduce the chance of malware getting past your defenses. Application allow lists can be enforced through tools like AppLocker or mobile device management platforms. Adding a new tool to the list takes some effort, but it is far easier than recovering from a successful attack.

Malicious software typically enters an organization through the actions of a user. Investing in user training can significantly reduce the number of malware samples your antivirus software ever has to analyze.

Lastly, put controls in place for when malware does get past your antivirus. For example, SIEM/NDR tools can detect malicious actions within a network, multi-factor authentication can stop an attacker who has obtained a user's password from logging in, and network segmentation can limit how far an attacker can move toward valuable data. Having these fallback controls in place matters: they are what limits the damage when the first line fails.
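As an added worked example (not code from this post or from SixGen), the following PowerShell script builds an AppLocker allow list from the software installed on a clean reference machine, applies it in audit mode so that nothing is blocked until the log has shown which legitimate tools still need a rule, and dry-runs a candidate download against the policy. It assumes a Windows edition that supports AppLocker, an elevated session, and the output path and candidate file path shown, which are placeholders.

```powershell
# Added example: AppLocker allow list from a reference machine, audit mode first.
# Assumes Windows 10/11 Enterprise/Education or Windows Server with the AppLocker
# module, run from an elevated session. Paths below are placeholders.
#Requires -RunAsAdministrator
Import-Module AppLocker

$PolicyPath = 'C:\Policies\AppLocker-AuditOnly.xml'   # assumed output location
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory the executables and scripts the business actually needs. The
#    system and Program Files trees of a clean reference build are a common
#    starting point; add your line-of-business install folders to this list.
$fileInfo = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Turn the inventory into rules. With both types listed, signed files get a
#    Publisher rule (survives vendor updates) and unsigned files fall back to a
#    Hash rule (must be regenerated when the file changes). -Optimize merges
#    redundant rules; -IgnoreMissingFileInformation skips files it cannot read.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix Baseline -Optimize -IgnoreMissingFileInformation -Xml

# 3. Force AuditOnly on every rule collection so nothing is blocked yet. AppLocker
#    still logs what *would* have been blocked, which is how missing rules are
#    found without locking users (or yourself) out.
[xml]$policy = $xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyPath)

# 4. AppLocker does nothing unless the Application Identity service is running.
#    sc.exe is used because Set-Service is refused for this service on recent builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Apply locally (add -Ldap to target a GPO instead). -Merge keeps existing rules.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 6. Dry-run a candidate file against the policy before anyone asks for it.
#    A fresh download in a user-writable folder should come back Denied.
$candidate = "$env:USERPROFILE\Downloads\newtool.exe"   # assumed path
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 7. Review the audit log after a week or two. Event IDs in this log:
#    8002 = allowed, 8003 = would have been blocked (audit), 8004 = blocked (enforced).
#    Grouping 8003 events by path shows which legitimate tools still need a rule.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Group-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Publisher rules are preferred because they keep working after the vendor ships an update; a hash rule breaks on the next patch, and a path rule on a user-writable folder is an allow-anything rule in disguise. Once a week or two of 8003 events produces nothing new, change `EnforcementMode` to `Enabled` and reapply the policy.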
The more difficult you make it for a malicious actor to act against you, the more likely they are to give up and find an easier target. If you have any additional questions on antivirus software, reach out to SixGen's team of experts here.