Choosing an Anti-Malware or Anti-Virus Solution

Monday 15th January 2018

There has been a lot of discussion recently around which anti-virus products are best to use.

Let's look at what anti-virus is, how to choose one, how much reliance to place on it, and the other factors that should inform the choice.

This is a topic that comes up with remarkable regularity - not to diminish its importance - but the answers do not change.

I'm going to answer this from the standpoint of a security professional who spends almost all of his consultancy time looking for weaknesses in business and security offerings and advising on the right combinations of security products to support this. As part of this, I frequently have to beat up security product manufacturers to get them to do a better job.

Firstly - how does anti-virus (A/V) work?

Anti-virus/anti-malware manufacturers spend a lot of time looking at already compromised computers to find out a) what broke them, and b) how to spot that thing again (a signature), or spot something that looks or behaves similarly (heuristic and behavioural detection). This does mean that A/V suppliers are always behind the curve and running to catch up: some are quicker than others because of how much they invest, and some are more accurate than others because of how well their research turns a captured sample into a signature that catches the whole family without flagging legitimate software. A/V suppliers do often exchange malware intelligence with each other, but they still don't want to give away their competitive edge.
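As an added illustration (example code written for this page, not code from the original post or from any vendor's product), the toy Python scanner below stacks the three ways an engine can "spot that thing again": an exact hash of a sample already analysed, a byte pattern generalised from it, and behavioural rules over what a program does when it runs. All samples, traces, rule names and the threshold are constructed assumptions. It shows why the suppliers are behind the curve: a sample the vendor has not seen, which hides its strings until run time, passes both static layers, and only the behavioural layer, with its own false-positive trade-off, has a chance of catching it.

```python
"""Toy illustration of the detection layers an A/V engine stacks up:
exact hash signatures, byte-pattern (YARA-style) signatures, and
behavioural rules run over what a sample does at run time.

All samples, traces, rule names and thresholds are constructed for this
example; nothing here is real malware or a real vendor signature.
"""
import hashlib
import re

# A short byte string standing in for the executable the vendor analysed.
KNOWN_BAD = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"
    + b"\x00" * 4 + b"http://c2.invalid/stage2"
)

# Layer 1: exact match on the hash of a sample already seen.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan.Downloader.Toy",
}

# Layer 2: byte patterns generalised from the analysis, to catch
# "something that looks similar".
PATTERN_SIGNATURES = [
    ("Heur.EncodedPowerShell",
     re.compile(rb"powershell[^\x00]{0,40}-enc\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("Heur.StagerUrl", re.compile(rb"https?://[a-z0-9.-]+/stage\d", re.I)),
]

# Layer 3: weighted behavioural rules over a trace of (event, detail)
# pairs, to catch "something that behaves similarly" when the bytes differ.
BEHAVIOUR_RULES = [
    ("spawns encoded PowerShell",
     lambda t: any(e == "spawn" and "-enc" in d for e, d in t), 3),
    ("persists via Run key",
     lambda t: any(e == "reg_write" and "\\CurrentVersion\\Run" in d
                   for e, d in t), 2),
    ("downloads then executes a new file",
     lambda t: {"net_connect", "file_write", "spawn"} <= {e for e, _ in t}, 2),
]
BEHAVIOUR_THRESHOLD = 4  # below this, a single odd event is not a verdict


def scan_static(sample: bytes):
    """Hash then pattern layers; returns (name, layer) or (None, None)."""
    name = HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())
    if name:
        return name, "hash"
    for name, pattern in PATTERN_SIGNATURES:
        if pattern.search(sample):
            return name, "pattern"
    return None, None


def scan_behaviour(trace):
    """Returns (score, [rules that fired]) for a runtime trace."""
    hits = [name for name, cond, _ in BEHAVIOUR_RULES if cond(trace)]
    score = sum(w for name, _, w in BEHAVIOUR_RULES if name in hits)
    return score, hits


def scan(sample: bytes, trace=()):
    """Verdict: the layer that caught it ('hash', 'pattern', 'behaviour')
    or 'clean' when every layer is fooled (or the file really is clean)."""
    _, layer = scan_static(sample)
    if layer:
        return layer
    score, _ = scan_behaviour(list(trace))
    return "behaviour" if score >= BEHAVIOUR_THRESHOLD else "clean"


# Variant A: one byte of padding flipped. Hash misses; pattern still hits.
VARIANT_A = KNOWN_BAD.replace(b"\x90", b"\x91", 1)


def xor(data: bytes, key: int = 0x5A) -> bytes:
    return bytes(b ^ key for b in data)


# Variant B: strings XOR-obfuscated on disk and decoded only in memory, so
# both static layers miss it. Constructed trace of what it does when run:
VARIANT_B = KNOWN_BAD[:12] + xor(KNOWN_BAD[12:])
TRACE_B = [
    ("net_connect", "203.0.113.7:80"),
    ("file_write", r"C:\Users\u\AppData\Local\Temp\x.exe"),
    ("spawn", "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    ("reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"),
]

# A benign admin job: plain PowerShell, no persistence, no download. It
# trips no rule, which is the false-positive side of the trade-off.
BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"powershell -File backup.ps1"
TRACE_BENIGN = [("spawn", "powershell -File backup.ps1")]

if __name__ == "__main__":
    print("known sample           :", scan(KNOWN_BAD))           # hash
    print("byte flipped           :", scan(VARIANT_A))           # pattern
    print("obfuscated, static only:", scan(VARIANT_B))           # clean (missed)
    print("obfuscated, with trace :", scan(VARIANT_B, TRACE_B))  # behaviour
    print("benign admin script    :", scan(BENIGN, TRACE_BENIGN))  # clean
```

The order of the layers mirrors how cheap each one is: a hash lookup costs nothing, a pattern scan costs a little, and a behavioural verdict needs the sample to actually run (in a sandbox or on the endpoint), which is exactly the point at which the "tens of thousands of infected machines before the signature arrives" window opens.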

Secondly - how do I choose one?

Tough question, but the primary choice should be based on how quickly the A/V supplier can respond to newly found viruses, how accurately they spot them (including how rarely they flag legitimate software), and how quickly they can get that information to your computer.
The secondary choice is then mostly based on cost, licences and interoperability with your equipment.

Thirdly - how much reliance should I place on them?

Unfortunately, as described in the first point, A/V suppliers are playing catch-up. This usually means that a few tens of thousands of computers worldwide have to fall foul of the malware before the A/V suppliers cotton on to the attack, and some manufacturers take longer than others.

If you do a lot of very diverse business communication or transactions with other people, exchanging rich types of data (attachments), and you haven't kept your operating system up to date, then A/V is your last bastion and the best of luck to you. I suggest that you get security help from somewhere, and that you buy the best service you can from a good A/V supplier.

For businesses concerned about state-sponsored attacks on them, A/V or anti-malware is not a lot of use, because such attackers bring tooling the suppliers have not seen yet (but it should still be in place for the commodity malware everyone faces).

In between, for most businesses, rough assessments put A/V at 30%-50% useful and reliable in defending a computer against malware attacks.

Choosing one

When you select your A/V, it is worth noting that the free services are usually slower to be updated than the paid-for services, and that the free services often contain a reduced-capability A/V engine compared to the paid-for ones.

It is also worth noting that some suppliers have fallen foul of bad practice. This includes, for example, AVG, whose false positives (the (in)accuracy of their malware identification) have sometimes crippled computers, and McAfee, which has been lambasted by others for vulnerabilities in its own products.
(NOTE: this is not exhaustive; other big names, Symantec, Kaspersky, etc., have also been called to account.)

There is always a top five or so of suppliers vying for first place on accuracy, and like any race the leaders keep changing (at the moment Symantec, Sophos, Trend, McAfee and Kaspersky), but others such as Clam (ClamAV) and ESET are hot on their heels, along with AVG.

If you are running A/V on business computers, you do need to ensure that you are using a business-licence version and not a free-for-personal-use licence. Don't forget that Microsoft has its free Security Essentials offering too (for Windows 7; Windows 8 and later ship with Windows Defender built in), and it's quite good.

As a final note, there is good empirical evidence available from IT professionals showing how heavy a load some A/V products put on the computers they run on. This is certainly worth paying attention to, especially if the best and most accurate A/V stops your computer from doing any useful work!

Anti-virus should be only one part of your arsenal of malware defences; you should also include other techniques such as intrusion detection devices, domain-based email authentication (SPF, DKIM and DMARC), keeping your computers fully patched, and a lot of other useful things too.

As ever, any security questions don't hesitate to ask.

Sean Davin, SEVIN Cyber Security Surveillance