
The best antivirus? Kaspersky leads in latest tests, but that's only part of the story

Ransomware and other threats often get through signature-based antivirus protection, giving it a bad rap. However, antivirus tools still play an important role in the enterprise security strategy.

The AV-TEST Institute recently tested the most popular Windows 10 client antivirus products on three primary criteria: protection, performance, and usability. Products that ranked highest in all three areas were Kaspersky Lab Endpoint Security 10.3 and Small Office Security 5, Symantec Endpoint Protection 14.0 and Endpoint Protection Cloud 22.9, and Trend Micro Office Scan 12.

The downloadable infographic below summarizes the results. You can drill down on the full results at The AV-TEST Institute's website.

This infographic summarizes tests of Windows client antivirus software conducted by AV-TEST. (Credit: The AV-TEST Institute)

Why the best antivirus software may not be enough

Traditional signature-based antivirus is notoriously bad at stopping newer threats such as zero-day malware and ransomware, but it still has a place in the enterprise, experts say, as part of a multi-layer endpoint security protection strategy. The best antivirus products act as the first layer of defense, stopping the vast majority of malware attacks and leaving the broader endpoint protection software with a smaller load to deal with.

According to a survey of this year's Black Hat attendees, 73 percent think that traditional antivirus is irrelevant or obsolete. "The perception of the blocking or protection capabilities of antivirus has certainly declined," says Mike Spanbauer, vice president of strategy and research at NSS Labs, Inc.

Plenty of recent research supports that point of view. In December 2017, security company WatchGuard Technologies reported the results of a comprehensive test of traditional antivirus. They calculated how well a leading traditional antivirus product did at spotting zero-day threats by looking at customers who had both traditional antivirus and next-generation endpoint protection products installed. Traditional antivirus caught 9,861,318 malware variants, but it missed 3,074,534 others that were caught by a next-generation platform that used a behavior-based approach. That's a failure rate of about 24 percent.

The traditional antivirus product was from AVG Technologies, a well-reviewed product. In fact, in a report released last month by AV-Comparatives, AVG caught 99.6 percent of the samples tested, making it one of the top ten products on the market.

Antivirus is particularly bad at catching ransomware, one of the biggest new threats that companies face. In a March survey of 500 organizations, anti-phishing vendor KnowBe4 found that only 52 percent of companies were able to thwart a simulated ransomware attack. For the rest, the ransomware was able to get past their antivirus defenses.

A newer threat called Process Doppelganging takes advantage of the transactions feature in Windows' NTFS file system. It allows malware to perform operations on files in a way that makes them invisible to security software. "From a technical perspective, [our] research shows that correct file scan engines are hard to get right and specifically, that correct handling of transactions is even harder," says Udi Yavo, a researcher at enSilo, which discovered Process Doppelganging.

"However, I think the main takeaway of this research is that having a single line of defense is not enough, and sometimes even small tricks can lead to bypasses, even in mature products. Enterprises should move to solutions that can block fileless attacks and are effective in both pre- and post-execution scenarios," says Yavo.

NSS Labs has also been running tests of both traditional and next-generation endpoint protection tools. In its latest rounds of testing the company has focused only on vendors that have advanced detection capabilities. Last year, when testing included signature-only vendors as well, the traditional products did poorly. "A number of products scored in the 90s," says NSS Labs' Spanbauer, "but none of those were sole traditional antivirus."

The problem is compounded if the new threats are designed to spread quickly in a company and do as much damage as fast as possible, and compounded again if enterprises delay rolling out antivirus updates. In addition, the amount of malware is growing exponentially, according to AV-TEST, so even if a particular product has a high detection rate, more and more malware in absolute terms is going to slip through. Plus, if the attackers notice that a particular kind of malware is getting through, they can double down on it.

These four factors combined have helped propel the recent WannaCry ransomware to more than 400,000 infected devices and a potential total financial impact of as much as $8 billion. That doesn't mean that traditional antivirus is completely obsolete. It still has a place in the enterprise, experts say, because it is very effective at spotting and blocking known threats quickly, efficiently and with minimum human intervention. Plus, traditional antivirus is a compliance or customer requirement in some industries.

The case for traditional antivirus

One company that doesn't have a choice about whether to use traditional antivirus is Emeryville, Calif.-based National Mortgage Insurance Corp. "Our customers are banks, and many require a traditional signature-based antivirus as part of the defense we have in place," says Bob Vail, the company's director of information security.


Sophos, the company's antivirus vendor, has a good detection record, and is very lightweight, he says. That makes it a good first round of defense, but Vail says he knows that's not enough. "Antivirus in general is going to be after-the-fact," he says. "Someone has to be infected and a signature developed and hopefully everyone else gets protected before they get attacked."

The company also has a second level of protection in place to guard against the malware that gets through, a behavior-based system from enSilo. The two products work well together, Vail says. "If a known virus comes down, Sophos will quarantine the file before it gets a chance to execute," he says. "But those things that get past it, enSilo will prosecute those, so it's a classic defense at depth."

Traditional antivirus is a good adjunct to the newer technologies such as those that involve behavior analytics, sandboxing, and machine learning. The more advanced tools can require more processing power, which can slow down computers. If the product runs behavioral or other tests on potential threats before permitting user access, it can impact productivity. If the product allows the threats through, then tests them separately, malware has a window of opportunity to get access to enterprise systems.

Finally, when a new threat is detected, additional work is required to mitigate the threat and generate signatures to protect against the threat in the future. "The first level of defense will always be some kind of signature-based defense," says Raja Patel, VP for corporate product at McAfee LLC. "If you already know something is bad, why do an additional layer of protection against it?"

Without that initial signature-based screening, companies will have to spend a lot more time, effort and money to handle all the threats that come in, he says. "You can imagine how much a security team would have to put up with." If a threat can be caught and stopped right out of the gate, it's the cheapest option. "Signature-based antivirus saves human effort and reduces false positives and time delays," he says. "It's a fantastic first layer, and will be for a long time."

Traditional, next-gen tools are converging

As the industry matures, enterprises are going to be able to get the full suite of malware protection tools from a single vendor, if they can't already. Traditional antivirus providers are adding next-gen capabilities, while the next-generation vendors are including signature-based protections in their suites.

Endpoint security startup CrowdStrike, for example, launched its all-in-one Falcon platform three years ago, allowing customers such as the Center for Strategic and International Studies, a Washington, DC, think tank, to get everything in one place. "We had CrowdStrike already in place and were relying on it as part of endpoint security," says Ian Gottesman, the organization's CIO. "Extending that solution to include antivirus was advantageous for CSIS. I would recommend any other organizations do the same."

According to a survey released earlier this year by the SANS Institute, about 95 percent of respondents expect to see antivirus protection included in their next-generation endpoint solution. Traditional antivirus vendors aren't sitting on the sidelines, either.

Instead, many are buying or building the next-generation tools that can help catch the attacks that get by signature-based defenses. "Antivirus will become extinct in the next few years unless they are able to evolve," says Luis Corrons, PandaLabs technical director at Panda Security, a traditional antivirus vendor. "We at Panda have been fully aware of this."

The company has been using behavior-based malware detection for several years, but even that is not enough. Many successful security breaches involve no malicious software at all, he says. "To say it crystal clear, a traditional antivirus is useless against these attacks as there is no malware involved," he says. For example, attackers can take advantage of existing non-malicious software already present on the system.

The company has recently rolled out new tools to monitor the behavior of all active applications in an enterprise. "It allows us to have full visibility of what is happening in our network," he says.

McAfee has also added new layers of protection, says McAfee's Patel. "Signature-based defenses will protect you after you know about the threats, but they won't protect patient zero and the time period after infection and when you wrote the signatures," he says. "We added two new protection capabilities last year -- machine learning and dynamic application containment."

Why some companies still rely on traditional antivirus alone

Ransomware infection rates show that many companies still lack adequate endpoint protection. According to an IBM survey released late last year, nearly half of all companies fell victim to ransomware in 2016, with 70 percent of them deciding to pay the ransom.


Small firms are also hit, and, unlike the largest enterprises, may not be taking endpoint protection as seriously. Earlier this year, a survey by the Ponemon Institute showed that 51 percent of small and medium-sized businesses have experienced a ransomware attack, but, despite that, 57 percent say that they were "too small" to be targets for ransomware.

According to a May report by endpoint protection vendor VIPRE Security, 48 percent of IT managers at small and medium-sized enterprises say that a company of their size doesn't need endpoint security with advanced malware defense capabilities.

That's a mistake, says NSS Labs' Spanbauer. There are so many good options available on the market today, and very competitive pricing, that no company should be using signature-based antivirus and nothing else, he says. "There is not a price or protection argument that can be made that would make traditional antivirus the first choice or the preferred recommendation for any specific environment." More comprehensive protection is easier to find than ever before, with even entry-level products offering advanced controls, he adds. "It's hard to find a strict signature-only antivirus product these days."

This story, "The best antivirus? Kaspersky leads in latest tests, but that's only part of the story" was originally published by CSO.
