PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free
download.

Antivirus Technology

by Geoff Keston

Copyright 2022, Faulkner Information Services. All
Rights Reserved.

Docid: 00018041

Publication Date: 2210

Report Type: TUTORIAL

Preview

Protecting against viruses and other malware continues to become harder
and more complex. Corporate IT departments can no longer merely install
anti-virus software to defend their networks. Instead, they must carefully
choose an array of technologies and implement them in concert with new
policies and training programs. As hackers continue to devise new ways to
infiltrate systems, networks, and mobile devices, IT departments must
continually adapt.

Report Contents:

• Executive Summary
• Description
• Current View
• Outlook
• Recommendations
• References
• Web Links
• Related Reports

Executive Summary

[return to top of this
report]

Viruses can no longer be defended against using only conventional
anti-malware software.

Hackers have continually devised malware that uses a wider range of
attack techniques and that does more extensive damage. More significantly
for anti-virus software, hackers now commonly use malware as just one
component of multi-stage, multi-technique attacks.

These developments in the malware threat landscape have compelled
anti-virus product vendors to create more sophisticated, feature-rich
products. And they have pushed all organizations to create defenses that
use anti-virus software in conjunction with other security products – such
as VPNs and anti-phishing tools – as well as to employ processes including
employee training and the monitoring of devices used by remote workers.

Organizations that are updating their anti-malware protection strategies
will in particular need to address the following concerns:

• Protecting the Internet of Things – Devices such as sensors and
  cameras have been deployed quickly in recent years, often without
  sufficient security.
• Implementing a Zero Trust Approach – This redesign of corporate
  networks increases security by limiting the damage if an infection
  occurs.
• Creating a Ransomware Response Plan – Ransomware infections pressure
  organizations to quickly minimize damage and choose whether to pay.

Description

[return to top of this
report]

Anti-virus products are one of the oldest and most widely used
technologies in the software industry. Yet threats continue to break
through these defenses, and hackers remain innovative.

The most basic type of anti-virus product is software loaded onto a
desktop or laptop. This marketplace is well-established and has been
fairly stable for many years, with the following companies leading:¹

• Avast
• Avira
• Malwarebytes
• McAfee
• Norton
• Sophos
• Trend Micro
• Webroot

Yet while the marketplace has been relatively fixed, with only some new
vendors joining a consistent group of leaders, the technology has
substantially evolved. Hackers have forced security companies to devise
new ways to protect against a variety of new types of threats, including
malware categories such as:

• Rootkits
• Trojan Horses
• Spyware
• Viruses
• Worms
• Malvertising
• Bots (parts of botnets)
• Ransomware
• Adware

Changes in anti-malware technology have also been shaped by the following
trends:

• Hackers are no longer content to merely create generic malware that
  they release into the wild. Instead, they are increasingly creating
  targeted malware designed to circumvent the defenses of specific
  organizations.
• The damage that malware can cause has increased, in particular because
  of innovations to ransomware.
• The use of mobile phones has created another target.
• The advent of the Internet of Things, especially because of devices
  that are not well-protected, has created a portion of many corporate
  networks that is highly vulnerable to attacks.

Current View

[return to top of this
report]

Marketplace

The market for anti-virus software was estimated at $3.92 billion in 2021
and is forecast to grow at a compound rate of 3.2 percent per year until
2025, when it will reach $4.54 billion.²

But these numbers capture only some of the demand for anti-virus
technology. The sophistication of today’s malware compels companies to use
a wider range of security products, not just the traditional software
tools factored into the revenue estimates above. For example, many malware
attacks begin with a phishing email, so anti-phishing software and
services such as the following can be counted as belonging to this
marketplace:³

• Barracuda Sentinel
• IRONSCALES Email Security Platform
• KnowBe4 PhishER
• Microsoft Defender
• RSA FraudAction 

And the market for anti-malware software itself has diversified into the
following overall categories:

• Standalone software, which is loaded onto the system it is intended to
  protect.
• Cloud-based software, which stores information about virus signatures
  in the cloud (via a subscription service, for example).⁴
• Managed antivirus services, which protect systems across a network and
  use more advance techniques to identify unknown threats.

Threat Landscape and Defensive Technology

Broadly speaking, viruses fall into two categories:

• Malware created to be released “into the wild,” spreading across the
  Internet without a specific target. Such viruses typically infect
  systems and distribute their payload in a single step. This is the
  traditional way that malware has been distributed, and it is what
  commonplace desktop anti-malware software protects against.
• Malware that works as part of a multi-stage attack. For example, a
  hacker might use social engineering – an attempt to interact with people
  and to deceive them into divulging information or taking an action – and
  then distribute malware based on the results of the first step. These
  complex, often targeted, attacks are a newer strategy, but they have
  been used for many years at this point. They are well-developed and
  require more sophisticated anti-virus technology, along with other
  defenses, to protect against.

Among the second category of malware listed above are advanced persistent
threats (APTs), which target particular organizations with a combination
of social engineering, malware, and other techniques.⁵ APTs
don’t aim to immediately cause damage. Instead, they first seek to gain
information. They often infect an organization’s network, perhaps by using
a phishing email. But unlike with many other species of malware, this
initial infection seeks only to map a network and send its findings back
to hackers. This process takes time, so these scouting viruses are
designed to be difficult to detect via common commercial anti-malware
software.

APT tactics demonstrate the difficulty of guarding against today’s
malware through traditional anti-virus technology:

• Anti-malware software typically identifies viruses by spotting common
  characteristics. But APT malware is often custom-designed, so that it
  won’t be familiar to ordinary commercial products.
• Attacks use some non-technological steps, such as calling a company
  employee and tricking them into divulging information that a hacker can
  use to write a phishing email or to design a more effectively targeted
  piece of malware. These non-technical tactics show the limits of
  technology-only defenses.
• Hackers conducting APTs adjust their tactics based on what they learn
  during an attack, making generic defenses less effective.

This new threat landscape has pushed IT departments to catch up and to
adopt a heterogeneous approach to anti-malware defense that includes
traditional anti-malware software, software for mobile devices, supporting
tools such as anti-phishing software, and non-technical steps, such as
employee training. 

In addition to installing anti-virus technology on company-owned devices,
organizations must also consider how to protect employees’ personally
owned devices if they are used for work. These include phones (through
bring your own device programs) and home computers used by remote workers.
The increase in remote working has increased the size and distribution of
devices that access corporate networks and exchange corporate data. It has
also made devices that do so less accessible to IT departments, who often
do not even know what hardware and software home-based employees are
using.

The prevalence of remote work has increased the use of virtual private
networks (VPNs) for home computers as a key anti-malware tool. VPNs offer
some protection against malware infection, as well as offering significant
protection against a variety of other threats.⁶ They enable
employees to use corporate resources and exchange sensitive data more
securely outside the office by encrypting traffic between two sites.

Leading VPN clients include:

• Avast SecureLine PC VPN
• Check Point Remote Access VPN
• Cisco AnyConnect
• NordVPN
• Microsoft Windows 10+ built-in feature

Outlook

[return to top of this
report]

In 2012, an article published by the SANS Institute asked, “Is anti-virus
really dead?”⁷ In asking that question, security consultant Rob
Lee was expressing concerns that were widespread in the industry. “Over
the years, I knew that [anti-virus software] can be circumvented, but
until I helped plan out and execute this exercise I was exposed to the
truth first hand,” he wrote, describing a test of anti-virus software in
which he participated. “In many incidents over the years (including many
APT ones), we and other IR teams have found that A/V [anti-virus software]
detected signs of intrusions, but they were often ignored. I expected at
least some of those signs to exist this past week while running through
the exercises we were creating. I had hoped differently, but after a week
of exploiting a network using the same APT techniques that we have seen
our adversaries use, I think it paints a very dark picture for how useful
A/V [is] in stopping advanced and capable adversaries.”

In the decade since the publication of Lee’s article, anti-virus software
has proven to be very much a core part of enterprise security. But it has
become just a basic line of defense while more sophisticated anti-malware
technologies have been developed. Client-based software has been updated
to include many new features, such as malware identification and removal
features based on artificial intelligence and machine learning.
Additionally, many software clients now have functions focused
specifically on ransomware, which has become the most dangerous threat in
the malware landscape.

The practice of digital forensics to analyze malware has often become
more common, even though it is performed mainly be security firms, rarely
by typical organizations. Using technology and human intelligence,
forensics is the process of studying a species of malware in detail to
determine its origins and evaluate its functionality.⁸

One area in which further development is expected – and perhaps overdue –
is in developing better protection for network-connected sensors, cameras,
and other endpoints on the Internet of Things (IoT). For example, an
experiment conducted in mid-2022 by security firm Vedere Labs found a way
that an IoT network could be severely compromised by a ransomware attack.⁹
“It basically comes out of our observation of the evolving nature of the
threat actors that are involved in ransomware – they have been changing
tactics in the past couple of years,” said the leader of Vedere Labs’
security research, Daniel dos Santos. Further explaining the threat, dos
Santos says that devising such an attack would be “doable” for many
hackers and that “ransomware-as-a-service gangs” could sell the tools to
unskilled cybercriminals.

Recommendations

[return to top of this
report]

Consider a Zero Trust Network Architecture

Over the past few years, as malware has become much more widespread and
sophisticated, security experts have come to accept that occasional
infections are almost inevitable for enterprise networks. As a result,
experts often recommend that networks be segmented so that an infection
cannot move “laterally” to other segments. This “zero trust” design uses
the following technologies to limit the spread of infections, as described
by security company Fortinet:¹⁰

• Multi-Factor Authentication – The use of two or more methods to verify
  the access credentials of a user or a device.
• Microsegmentation – A technique for dividing networks into small
  areas, each of which can be protected by a firewall and other security
  devices.
• Endpoint Verification – Endpoints (that is, user devices) and their
  users both must be verified, and users must be authenticated to each
  endpoint separately through that endpoint’s own authentication system.

Develop a Ransomware Response Program

Ransomware differs from other types of malware not only because of its
high likelihood of causing severe damage but also because it forces
organizations to make the difficult choice of whether to pay. Developing a
response plan helps organizations to make better, quicker decisions if
they become compromised. “A plan is created so that response is thorough,
and when issues do arise, confusion and panic-induced decisions are
minimized,” says an IBM Security report.¹¹

IBM identifies the following as the key components of an incident
response plan:

• Detection
• Analysis
• Containment
• Eradication
• Recovery

The decision of whether to pay a ransom is complex, and it should
consider perspectives from multiple leaders within an organization, the
report says. Understanding in advance the legal and business concerns
involved will help organizations to make a better choice.

References

[return to top of this
report]

• ¹ This list was based in part on:
• Neil J. Rubenking. “The Best Antivirus Software for 2022.” PCMag.
  October 5, 2022.
• Mike Williams. “The Best Antivirus Software 2022.” TechRadar.
  July 21, 2022.
• ² “Antivirus Software Global Market Report 2022.” Research
  and Markets. April 27, 2022.
• ³ This list was based in part on:
• Tim Ferrill. “10 Top Anti-Phishing Tools and Services.” CSO.
  April 28, 2022.
• ⁴ “What Is Cloud-Based Antivirus Protection?” Webroot.
• ⁵ “Advanced Persistent Threats.” Crowdstrike. June 15,
  2022.
• ⁶ “How to Secure Your Remote Workforce and Protect Your
  Business with a Secure VPN.” Palo Alto Networks.
• ⁷  Rob Lee. “Is Anti-Virus Really Dead? A Real-World
  Simulation Created for Forensic Data Yields Surprising Results.” SANS
  Institute. April 9, 2012.
• ⁸ “Digital Forensics.” National Initiative for
  Cybersecurity Careers and Studies.
• ⁹ Jessica Lyons Hardcastle. “What If Ransomware Evolved to
  Hit IoT in the Enterprise?” The Register. June 1, 2022.
• ¹⁰ “Zero Trust Security Model.” Fortinet.
• ¹¹ “Definitive Guide to Ransomware 2022.” IBM Security.
  2022.

Web Links

[return to top of this
report]

Avast: https://www.avast.com/

Avira: https://www.avira.com/

Barracuda: https://www.barracuda.com/

Check Point: https://www.checkpoint.com/

Cisco: https://www.cisco.com/

IRONSCALES: https://ironscales.com/

Malwarebytes: https://www.malwarebytes.com/

McAfee: https://www.mcafee.com/

Microsoft: https://www.microsoft.com/

NordVPN: https://nordvpn.com/

Norton: http://www.norton.com/

RSA: https://www.rsa.com/

SANS Institute: https://www.sans.org/

Sophos: https://www.sophos.com/

Trend Micro: https://www.trendmicro.com/

Webroot: https://www.webroot.com/

About the Author

[return to top of this
report]

Geoff Keston is the author of  more than 250
articles that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.

[return to top of this
report]