Tuesday, October 23, 2012

AV Updates - Where Do You Fit In?

Since my last post about AV, I've had some more discussions with industry peers, vendors, friends, and family. I've re-read my post today and want to clarify a few points.

First of all, AV is critical. If you read any sort of undertone in the AV thread indicating AV was not essential or effective, I'd like to correct that. It's a must for everyone. If you look at modern threats and those that are highly pervasive, AV is extremely successful at prevention - keeping you from being compromised or infected. Highly pervasive malware detection leveraging signatures is where AV vendors tend to average about the same in terms of effectiveness. Where they begin to separate out is when you move from the highly pervasive/common malware into the variants, targeted malware, and deeper levels of sophistication. So there is a direct correlation between who you are, what you do, and what you need. If you are only exposed to highly pervasive threats, then standard/free AV is good for you. If you are a potential target (small business owner, public facing for your employer, executive, etc.), you need to move beyond free protection.

During a brief at the McAfee security conference in Las Vegas this week, I saw a report from NSS Labs that listed Kaspersky, McAfee, and Trend as 100% effective against HTTP based detection of pervasive threats. AVG was about 50% effective. But if you think in terms of the pervasive threats and what the average home user will be exposed to, I maintain that free solutions like AVG and Microsoft Security Essentials will remain largely effective - better than the 50% indicates. The reason I maintain that position is the threats you will likely be exposed to will fall within that 50% coverage. I'm also extremely nervous about anything that says 100%...because that's just not possible in my world. There is some arbitrary cut-off level which defines this list which I believe is subject to debate. So in terms of the home user experience...I give free AV better than 50%, and commercial AV less than 100%. The cautious home user who thinks before they click will be well protected with free AV products.

Among the pervasive threat category, McAfee contends (and I agree) that to get closer to that 100% you need a combination of signature based detection (AV) and Threat Intelligence (identification of malicious hosts/websites or website reputation scoring). This combination will provide a comprehensive and extremely high fidelity protection set. To get the most of this...you'll need a paid-for product like Kaspersky or McAfee. Typically these come advertised as AntiVirus, AntiSpam, AntiSpyware.

The next tier of threats requires some additional capabilities for detection, specifically around behavioral analysis, which sort of takes free AV off the table. To combat this category of threat, you'll need a commercial or "full suite" host-based solution. These are going to be your expensive AV products or, from the AVG world, you'll need to pay up for the additional features. However, this category of threat is not as pervasive and the average home user is much less likely to be exposed to these sorts of threats, unless you are browsing around bad areas of the Internet. If you do a lot of social media where you're clicking on lots of links from Facebook friends, or mass forwarded emails etc., then look to a more feature rich solution. If you do online gaming, or watch lots of flash video...same applies. This tier combines AntiVirus, AntiSpam, AntiSpyware, AntiMalware, and Website Reputation or Categorization.

The final tier is customized and targeted malware which has a broad variation in terms of attributes, behaviors, and evasion capabilities. This final tier is where you need commercial solutions...but beyond AV. However, a full featured host-based security suite will go a long way. So who needs this at home? If you are running a business from your laptop and have any sort of sensitive information on it...then go this path. This final tier includes the capabilities of the previous lists, but adds things like AntiRootkit.

So here's a breakdown which may be overly simplified:

  • Free AV (AVG, Microsoft): best for home users who are cautious about their Internet use, check email carefully, browse a small number of "known" websites, and don't do a lot of social media interaction or limit it to only people you trust. Online banking is ok here...if you are also very cautious. Capabilities include:
    • AntiVirus
    • AntiSpyware
  • Full AV (McAfee, Kaspersky, Trend): best for home users who venture out of the box a little, perform extensive Internet searches/browsing, view lots of online videos, connect to lots of people via social media and email, and tend to be click happy (you like to click around the Internet), play games online, etc. Capabilities include:
    • AntiVirus
    • AntiSpyware
    • AntiMalware
    • AntiSpam
    • Website Reputation
  • Commercial AV: if you do any home based business on your system, go the commercial route. Most vendors have Small Business solutions that incorporate some additional features. Leverage them...remember you are storing other people's information or information about yourself that can lead to identity theft or stolen information. Capabilities include:
    • Full AV
    • AntiRootkit
    • Application white listing
