Antivirus Technology



by Geoff Keston

Docid: 00018041

Publication Date: 2210

Report Type: TUTORIAL


Protecting against viruses and other malware continues to become harder
and more complex. Corporate IT departments can no longer merely install
anti-virus software to defend their networks. Instead, they must carefully
choose an array of technologies and implement them in concert with new
policies and training programs. As hackers continue to devise new ways to
infiltrate systems, networks, and mobile devices, IT departments must
continually adapt.


Executive Summary


Viruses can no longer be defended against using only conventional
anti-malware software.


Hackers have continually devised malware that uses a wider range of
attack techniques and that does more extensive damage. More significantly
for anti-virus software, hackers now commonly use malware as just one
component of multi-stage, multi-technique attacks.

These developments in the malware threat landscape have compelled
anti-virus product vendors to create more sophisticated, feature-rich
products. And they have pushed all organizations to create defenses that
use anti-virus software in conjunction with other security products – such
as VPNs and anti-phishing tools – as well as to employ processes including
employee training and the monitoring of devices used by remote workers.

Organizations that are updating their anti-malware protection strategies
will in particular need to address the following concerns:

  • Protecting the Internet of Things – Devices such as sensors and
    cameras have been deployed quickly in recent years, often without
    sufficient security.
  • Implementing a Zero Trust Approach – This redesign of corporate
    networks increases security by limiting the damage if an infection
  • Creating a Ransomware Response Plan – Ransomware infections pressure
    organizations to quickly minimize damage and choose whether to pay.



Anti-virus products are one of the oldest and most widely used
technologies in the software industry. Yet threats continue to break
through these defenses, and hackers remain innovative.

The most basic type of anti-virus product is software loaded onto a
desktop or laptop. This marketplace is well-established and has been
fairly stable for many years, with the following companies leading:1

  • Avast
  • Avira
  • Malwarebytes
  • McAfee
  • Norton
  • Sophos
  • Trend Micro
  • Webroot

Yet while the marketplace has been relatively fixed, with only some new
vendors joining a consistent group of leaders, the technology has
substantially evolved. Hackers have forced security companies to devise
new ways to protect against a variety of new types of threats, including
malware categories such as:

  • Rootkits
  • Trojan Horses
  • Spyware
  • Viruses
  • Worms
  • Malvertising
  • Bots (parts of botnets)
  • Ransomware
  • Adware

Changes in anti-malware technology have also been shaped by the following:

  • Hackers are no longer content to merely create generic malware that
    they release into the wild. Instead, they are increasingly creating
    targeted malware designed to circumvent the defenses of specific
  • The damage that malware can cause has increased, in particular because
    of innovations to ransomware.
  • The use of mobile phones has created another target.
  • The advent of the Internet of Things, especially because of devices
    that are not well-protected, has created a portion of many corporate
    networks that is highly vulnerable to attacks.

Current View



The market for anti-virus software was estimated at $3.92 billion in 2021
and is forecast to grow at a compound rate of 3.2 percent per year until
2025, when it will reach $4.54 billion.2

But these numbers capture only some of the demand for anti-virus
technology. The sophistication of today’s malware compels companies to use
a wider range of security products, not just the traditional software
tools factored into the revenue estimates above. For example, many malware
attacks begin with a phishing email, so anti-phishing software and
services such as the following can be counted as belonging to this

  • Barracuda Sentinel
  • IRONSCALES Email Security Platform
  • KnowBe4 PhishER
  • Microsoft Defender
  • RSA FraudAction

And the market for anti-malware software itself has diversified into the
following overall categories:

  • Standalone software, which is loaded onto the system it is intended to
  • Cloud-based software, which stores information about virus signatures
    in the cloud (via a subscription service, for example).4
  • Managed antivirus services, which protect systems across a network and
    use more advanced techniques to identify unknown threats.

Threat Landscape and Defensive Technology

Broadly speaking, viruses fall into two categories:

  • Malware created to be released “into the wild,” spreading across the
    Internet without a specific target. Such viruses typically infect
    systems and distribute their payload in a single step. This is the
    traditional way that malware has been distributed, and it is what
    commonplace desktop anti-malware software protects against.
  • Malware that works as part of a multi-stage attack. For example, a
    hacker might use social engineering – an attempt to interact with people
    and to deceive them into divulging information or taking an action – and
    then distribute malware based on the results of the first step. These
    complex, often targeted, attacks are a newer strategy, but they have
    been used for many years at this point. They are well-developed and
    require more sophisticated anti-virus technology, along with other
    defenses, to protect against.

Among the second category of malware listed above are advanced persistent
threats (APTs), which target particular organizations with a combination
of social engineering, malware, and other techniques.5 APTs
don’t aim to immediately cause damage. Instead, they first seek to gain
information. They often infect an organization’s network, perhaps by using
a phishing email. But unlike with many other species of malware, this
initial infection seeks only to map a network and send its findings back
to hackers. This process takes time, so these scouting viruses are
designed to be difficult to detect via common commercial anti-malware

APT tactics demonstrate the difficulty of guarding against today’s
malware through traditional anti-virus technology:

  • Anti-malware software typically identifies viruses by spotting common
    characteristics. But APT malware is often custom-designed, so that it
    won’t be familiar to ordinary commercial products.
  • Attacks use some non-technological steps, such as calling a company
    employee and tricking them into divulging information that a hacker can
    use to write a phishing email or to design a more effectively targeted
    piece of malware. These non-technical tactics show the limits of
    technology-only defenses.
  • Hackers conducting APTs adjust their tactics based on what they learn
    during an attack, making generic defenses less effective.
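To make the first point concrete, the following is an added Python illustration (not from the report or any vendor product) of how two common signature styles behave: an exact file hash and a byte-pattern signature for a family's shared characteristics. All "files" are constructed byte strings, not real malware; the hypothetical family name and patterns are assumptions.

```python
import hashlib
import re

# Constructed sample "files": plain byte strings standing in for executables.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"PAYLOAD:connect-c2;drop-file;" + b"\x00" * 8
# A lightly altered variant of the known sample: one trailing byte changed.
VARIANT = KNOWN_SAMPLE.replace(b"\x00" * 8, b"\x00" * 7 + b"\x01")
# A custom build sharing no characteristics with the known family (the APT case).
CUSTOM = b"MZ\x90\x00" + b"stage1: map-network, report-back" + b"\x00" * 8
# A benign file.
CLEAN = b"MZ\x90\x00" + b"hello world application" + b"\x00" * 8

# Signature database (hypothetical entries for an assumed family "Family.A"):
# an exact SHA-256 match and a byte pattern shared by the family's variants.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Family.A (exact)"}
PATTERN_SIGNATURES = [(re.compile(rb"PAYLOAD:connect-c2;"), "Family.A (pattern)")]


def scan(data: bytes) -> list[str]:
    """Return the names of every signature that matches, or [] if none do."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits


def verdict(data: bytes) -> str:
    """Summarise what a signature-only scanner can say about a file."""
    hits = scan(data)
    if any("exact" in h for h in hits):
        return "known sample"
    if hits:
        return "known family variant"
    return "no signature match"  # custom or benign: the scanner cannot tell


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT),
                          ("custom", CUSTOM), ("clean", CLEAN)]:
        print(f"{label:8} {verdict(sample):22} {scan(sample)}")
```

The custom build and the benign file produce the same result, which is why the report pairs signature-based tools with behavioural analysis, segmentation, and non-technical controls.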

This new threat landscape has pushed IT departments to catch up and to
adopt a heterogeneous approach to anti-malware defense that includes
traditional anti-malware software, software for mobile devices, supporting
tools such as anti-phishing software, and non-technical steps, such as
employee training.

In addition to installing anti-virus technology on company-owned devices,
organizations must also consider how to protect employees’ personally
owned devices if they are used for work. These include phones (through
bring your own device programs) and home computers used by remote workers.
The increase in remote working has increased the size and distribution of
devices that access corporate networks and exchange corporate data. It has
also made devices that do so less accessible to IT departments, who often
do not even know what hardware and software home-based employees are

The prevalence of remote work has increased the use of virtual private
networks (VPNs) for home computers as a key anti-malware tool. VPNs offer
some protection against malware infection, as well as offering significant
protection against a variety of other threats.6 They enable
employees to use corporate resources and exchange sensitive data more
securely outside the office by encrypting traffic between two sites.

Leading VPN clients include:

  • Avast SecureLine PC VPN
  • Check Point Remote Access VPN
  • Cisco AnyConnect
  • NordVPN
  • Microsoft Windows 10+ built-in feature



In 2012, an article published by the SANS Institute asked, “Is anti-virus
really dead?”7 In asking that question, security consultant Rob
Lee was expressing concerns that were widespread in the industry. “Over
the years, I knew that [anti-virus software] can be circumvented, but
until I helped plan out and execute this exercise I was exposed to the
truth first hand,” he wrote, describing a test of anti-virus software in
which he participated. “In many incidents over the years (including many
APT ones), we and other IR teams have found that A/V [anti-virus software]
detected signs of intrusions, but they were often ignored. I expected at
least some of those signs to exist this past week while running through
the exercises we were creating. I had hoped differently, but after a week
of exploiting a network using the same APT techniques that we have seen
our adversaries use, I think it paints a very dark picture for how useful
A/V [is] in stopping advanced and capable adversaries.”

In the decade since the publication of Lee’s article, anti-virus software
has proven to be very much a core part of enterprise security. But it has
become just a basic line of defense while more sophisticated anti-malware
technologies have been developed. Client-based software has been updated
to include many new features, such as malware identification and removal
features based on artificial intelligence and machine learning.
Additionally, many software clients now have functions focused
specifically on ransomware, which has become the most dangerous threat in
the malware landscape.

The practice of using digital forensics to analyze malware has become
more common, even though it is performed mainly by security firms, rarely
by typical organizations. Using technology and human intelligence,
forensics is the process of studying a species of malware in detail to
determine its origins and evaluate its functionality.8

One area in which further development is expected – and perhaps overdue –
is in developing better protection for network-connected sensors, cameras,
and other endpoints on the Internet of Things (IoT). For example, an
experiment conducted in mid-2022 by security firm Vedere Labs found a way
that an IoT network could be severely compromised by a ransomware attack.9
“It basically comes out of our observation of the evolving nature of the
threat actors that are involved in ransomware – they have been changing
tactics in the past couple of years,” said the leader of Vedere Labs’
security research, Daniel dos Santos. Further explaining the threat, dos
Santos said that devising such an attack would be “doable” for many
hackers and that “ransomware-as-a-service gangs” could sell the tools to
unskilled cybercriminals.



Consider a Zero Trust Network Architecture

Over the past few years, as malware has become much more widespread and
sophisticated, security experts have come to accept that occasional
infections are almost inevitable for enterprise networks. As a result,
experts often recommend that networks be segmented so that an infection
cannot move “laterally” to other segments. This “zero trust” design uses
the following technologies to limit the spread of infections, as described
by security company Fortinet:10

  • Multi-Factor Authentication – The use of two or more methods to verify
    the access credentials of a user or a device.
  • Microsegmentation – A technique for dividing networks into small
    areas, each of which can be protected by a firewall and other security
  • Endpoint Verification – Endpoints (that is, user devices) and their
    users both must be verified, and users must be authenticated to each
    endpoint separately through that endpoint’s own authentication system.

Develop a Ransomware Response Program

Ransomware differs from other types of malware not only because of its
high likelihood of causing severe damage but also because it forces
organizations to make the difficult choice of whether to pay. Developing a
response plan helps organizations to make better, quicker decisions if
they become compromised. “A plan is created so that response is thorough,
and when issues do arise, confusion and panic-induced decisions are
minimized,” says an IBM Security report.11

IBM identifies the following as the key components of an incident
response plan:

  • Detection
  • Analysis
  • Containment
  • Eradication
  • Recovery

The decision of whether to pay a ransom is complex, and it should
consider perspectives from multiple leaders within an organization, the
report says. Understanding in advance the legal and business concerns
involved will help organizations to make a better choice.



About the Author


Geoff Keston is the author of more than 250
articles that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.
