San Francisco: The anti-virus industry has a dirty little secret: Its products are often not very good at stopping viruses.
Consumers and businesses spend billions of dollars every year on anti-virus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly. That is prompting startups and other companies to get creative about new approaches to computer security.
“The bad guys are always trying to be a step ahead,” said Matthew D. Howard, a venture capitalist at Norwest Venture Partners who previously set up the security strategy at Cisco Systems Inc. “And it doesn’t take a lot to be a step ahead.”
Computer viruses used to be the domain of digital mischief-makers. But in the mid-2000s, when criminals discovered that malicious software could be profitable, the number of new viruses began to grow exponentially.
In 2000, there were fewer than 1 million new strains of malware, most of them the work of amateurs. By 2010, there were 49 million new strains, according to AV-Test, a German research institute that tests anti-virus products.
The anti-virus industry has grown as well, but experts say it is falling behind. By the time its products are able to block new viruses, it is often too late. The bad guys have had their fun, siphoning out a company’s trade secrets, erasing data or emptying a consumer’s bank account.
A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Researchers collected and analysed 82 new computer viruses and put them up against more than 40 anti-virus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5%.
On average, it took almost a month for anti-virus products to update their detection mechanisms and spot the new viruses. And two of the products with the best detection rates—Avast and Emsisoft—are available free; users are encouraged to pay for additional features. This despite the fact that consumers and businesses spent a combined $7.4 billion on anti-virus software last year—nearly half of the $17.7 billion spent on security software in 2011, according to Gartner.
Symantec and McAfee, which built their businesses on anti-virus products, have begun to acknowledge their limitations and to try new approaches. The word “anti-virus” does not appear once on their home pages.
Symantec rebranded its popular anti-virus packages: Its consumer product is now called Norton Internet Security, and its corporate offering is now Symantec Endpoint Protection.
“Nobody is saying anti-virus is enough,” said Kevin Haley, Symantec’s director of security response.
Haley said Symantec’s anti-virus products included a handful of new technologies, like behaviour-based blocking, which looks at some 30 characteristics of a file, including when it was created and where else it has been installed, before allowing it to run. “In over two-thirds of cases, malware is detected by one of these other technologies,” he said.
Imperva, which sponsored the anti-virus study, has a horse in this race. Its Web application and data security software are part of a wave of products that look at security in a new way. Instead of simply blocking what is bad, as anti-virus programs and perimeter firewalls are designed to do, Imperva monitors access to servers, databases and files for suspicious activity.
The day companies unplug their anti-virus software is still far off, but entrepreneurs and investors are betting that the old tools will become relics.
“The game has changed from the attacker’s standpoint,” said Phil Hochmuth, a Web security analyst at the research firm International Data Corp. “The traditional signature-based method of detecting malware is not keeping up.”
As the number of prominent online attacks rises, analysts and venture capitalists are betting that corporate spending patterns will change.
“Technologies that once were only used by very sensitive industries like finance are moving into the mainstream,” Hochmuth said. “Very soon, if you are not running these technologies and you’re a security professional, your colleagues and counterparts will start to look at you funny.”
Companies have started working from the assumption that they will be hacked, Hochmuth said, and that when they are, they will need top-notch cleanup crews.
Mandiant, which specializes in data forensics and responding to breaches, has received $70 million from Kleiner Perkins and One Equity Partners, JPMorgan Chase’s private investment arm.
Two McAfee executives, George Kurtz and Dmitri Alperovitch, left to start CrowdStrike, a startup that offers a similar forensics service. Less than a year later, they have raised $26 million from Warburg Pincus.
If and when anti-virus makers are able to fortify desktop computers, chances are the criminals will have moved on to smartphones. In October, the FBI warned that a number of malicious apps were compromising Android devices. And in July, Kaspersky Lab discovered the first malicious app in Apple’s app store.
The Defence Department has called for companies and universities to find ways to protect mobile devices from malware. McAfee, Symantec and others are working on solutions, and Lookout, a 5-year-old startup whose products scan apps for malware and viruses, recently raised funding that valued it at $1 billion.
“The bad guys are getting worse,” Howard of Norwest said. “Anti-virus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution.”
©2013/The New York Times