Brian Dye tells the Wall Street Journal that antivirus tools like his company’s Norton suite are effectively “dead” because they catch less than half of all attacks, but from where we sit, that’s really just half the story.
Does Brian mean that antivirus defenses–also known as “AV”–are useless? Probably not. Just as you get a flu shot to protect you from known viruses in the real world, you should keep running AV to protect you from known viruses in the virtual world. We think a better way to put it is this: AV alone isn’t enough to protect your computer, because the websites you visit constantly expose it to new, unknown viruses. The same principle applies to websites themselves. Every day, we clean infected websites and web servers that already had some kind of antivirus or security software installed, and we never tell our clients to simply get rid of that software.
The main reason these sites get hacked is that the core of most security software relies heavily on signatures of known virus families. In the past, this worked well because there were only a few variants of each virus, which made it simple for research teams to study them and release signatures. However, the amount of malware now being created and released is so astronomical–because there is a lot of money in it–that a manual process is almost impossible. By the time researchers are able to dissect one malware strain, a thousand more will already have been released. So, even if you have an antivirus, your site and server can still be at risk. The key is to protect yourself from these bad outcomes before they can infect your site or your computer.
What can you do?
First, you have to be able to detect and respond to compromises quickly. Second, security, like winter weather, is all about layering. The more layers you have, the more comfortable you’re likely to be.
As part of this layering technique, we recommend every website owner engage a WAF (web application firewall), like our CloudProxy Firewall. The firewall sits between a website and the rest of the Internet, so every HTTP/HTTPS request is filtered before it reaches the server. This means it lets good traffic through to your site and blocks bad traffic, stopping attacks before they touch your files. It does not rely solely on fixed signatures but also on behavior, which helps it detect most of the threats to your site.
On top of that, it can also block most of the attacks web servers handle every day, including:
- Cross Site Scripting (XSS)
- Remote File Inclusions (RFI)
- SQL Injection (SQLi)
- Local File Inclusions (LFI)
- Malicious post requests
- Malformed cookie requests
- Malformed headers
- Layer-7/HTTP Denial of service attacks
- Malicious or improperly used bots
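To make the signature-plus-behavior layering concrete, here is an added example of a small request inspector. It is not Sucuri's code and does not show how CloudProxy works; the `Request` model, the thresholds, and the coarse regexes for the attack classes listed above are all assumptions constructed for this illustration. The first layer is fixed signatures (the part that, as the post notes, can only catch what researchers have already seen); the second layer is behavioral and structural checks (request rate per client, header and cookie shape, missing User-Agent) that need no knowledge of any specific payload.

```python
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import unquote_plus

# A minimal request model, constructed for this example (it is not CloudProxy's API).
@dataclass
class Request:
    client_ip: str
    method: str
    path: str          # path plus query string, exactly as received
    headers: dict
    body: str = ""

# Layer 1: fixed signatures for the attack classes listed in the post. These are
# deliberately coarse patterns for well-known payload shapes and will produce
# false positives on odd-but-legitimate input; a real WAF ships far larger rule
# sets and updates them continuously, which is exactly the maintenance treadmill
# the post describes.
SIGNATURES = {
    "SQLi": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\S+\s*=\s*\S+|;\s*drop\s+table)"),
    "XSS":  re.compile(r"(?i)(<\s*script\b|javascript:|\bon[a-z]+\s*=)"),
    "LFI":  re.compile(r"(\.\./){2,}|/etc/passwd"),
    "RFI":  re.compile(r"(?i)[?&][^=&]+=(https?|ftp)://"),
}

def signature_match(request):
    """Return the first attack class whose signature matches, or None."""
    # Decode URL encoding first so percent-encoded payloads are inspected as intended.
    surface = unquote_plus(request.path) + "\n" + unquote_plus(request.body)
    for name, pattern in SIGNATURES.items():
        if pattern.search(surface):
            return name
    return None

# Layer 2: behavioral and structural checks. Thresholds are assumed values.
WINDOW_SECONDS = 10
MAX_REQUESTS_PER_WINDOW = 20
_recent = defaultdict(deque)   # client_ip -> timestamps of its recent requests

def rate_limited(client_ip, now):
    """Sliding-window counter: too many requests from one client in a short
    window looks like a Layer-7 flood, regardless of what the requests contain."""
    q = _recent[client_ip]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    q.append(now)
    return len(q) > MAX_REQUESTS_PER_WINDOW

def malformed_headers(headers):
    """Header names must be token characters and values printable ASCII;
    a CR or LF inside a value is the classic shape of header injection."""
    for name, value in headers.items():
        if not re.fullmatch(r"[A-Za-z0-9-]+", name):
            return True
        if not all(32 <= ord(ch) < 127 for ch in value):
            return True
    return False

def malformed_cookies(headers):
    """Every cookie pair must have a non-empty name and an '=' separator."""
    cookie = headers.get("Cookie", "")
    for part in filter(None, (p.strip() for p in cookie.split(";"))):
        if "=" not in part or not part.split("=", 1)[0]:
            return True
    return False

def suspicious_bot(headers):
    """Requests with no User-Agent at all rarely come from browsers."""
    return not headers.get("User-Agent", "").strip()

def inspect(request, now=None):
    """Run the behavioral layer first, then signatures; return ('allow'|'block', reason)."""
    now = time.time() if now is None else now
    if rate_limited(request.client_ip, now):
        return "block", "rate-limit"
    if malformed_headers(request.headers):
        return "block", "malformed-headers"
    if malformed_cookies(request.headers):
        return "block", "malformed-cookie"
    if suspicious_bot(request.headers):
        return "block", "bot"
    hit = signature_match(request)
    if hit:
        return "block", hit
    return "allow", "clean"
```

The point of the ordering is that the behavioral checks block a flood or a malformed request even when its content matches no signature at all, which is the gap a signature-only tool leaves open; the signature layer then catches the well-known payload shapes cheaply. Neither layer alone is sufficient, which is the post's argument about layering.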
Perhaps AVs are dying. However, we like to think about the challenge differently. Hacks have evolved, so security must also evolve. AV isn’t dead. It’s now just one portion of your security suite, which you can layer with additional security options to protect yourself, your site, and your personal computer.
Speaking of your personal computer
If you’re a website visitor–and you’re reading this blog, so we bet you are–you should demand that the websites you visit employ firewalls to protect your experience and your information. One reason you need a firewall on your computer in the first place is that viruses are spread through the websites you visit. Therefore, when the sites you visit are protected, your personal computer is also afforded a layer of protection.