by trotsky 4714 days ago
The anti-virus age may be over, but if the supporting evidence is that host based signature products don't provide an effective defense against a variety of common security threats then the anti-virus age was over a long, long time ago. Like back to when things propagated for months or years autonomously without any modifications to the main component - the stuff that actually matched the term "virus" that we now use as a synonym for malware.

The last time that such items were anything but an unusual novelty was something like 2003. The last time they were the most substantial threat was sometime in the 1990s. And while it typically wasn't viral, a variety of naive threats produced by amateurs continued to be a good portion of the threat landscape until around the middle of the last decade.

That isn't to say database driven signature systems never stop any attacks. They just provide such a small amount of defense and are so consistently unable to identify well publicized threats months after their public use in the wild that there is little if any statistical difference in compromise between a well configured and patched system with an AV engine and the same system without an AV engine.

But while their product is ineffective, they are far from alone in the security industry. IDS systems are wildly ineffective in any configuration that isn't custom tuned for defending an extremely limited network that exclusively transports a few specific protocols in very predictable ways - mostly backend networks in datacenters. Typical edge firewalls defend against a threat that primarily exists because they enable it - clients are so vulnerable on local networks that they can't survive that way on open networks. But without them we'd have just reduced the attack surface like we've done with public facing servers. As nearly every compromise includes a service that's intentionally exposed or intentionally allowed through the edge, they are at best a limited crutch to avoid having to ensure each computer is as minimally exposed to start with. If your firewall allows you to be an extra soft target once an attacker has established a foothold inside, it's arguable that you'd have been better off totally exposed so that you limit the number of additional systems that exist in radically insecure postures.

The only automated system that comes to mind that I've seen provide any real amount of value is the expensive and exclusive block list subscriptions that contain databases of actively operating C&C servers and similar active APT sources. But these would become worthless if any of them ever enjoyed widespread adoption, as they'd simply stop being lazy and using the same servers all the time.

ASLR, DEP and even managed code to a certain extent all are similarly ineffective in that while making exploits more complicated they've had no impact on the rate of compromise.

The simple fact is that offensive security has won for the foreseeable future and defensive security has lost entirely, with no real hope of change without dramatic practice shifts.

For client security the only things that have provided clear and practical benefits have been a) reducing the attack surface by mass removal of services and features and b) building the system with the expectation of regular compromise, and including an easy and reliable way to wipe and restore. Oh and forced automatic patching.

The ChromeOS team gets it. The Windows RT team gets it. iOS gets it. Anyone producing a client OS that is feature rich, highly configurable and strives for easy out of the box use should be considered systemically insecure at this point. Any motivated attacker will succeed against it 99%+ of the time.

But since there are really no other options for so many people and tasks, it's very uncomfortable to explain to someone that they are able to do little to nothing about it that won't involve draconian systems users would refuse to use, and that compromise is at some point essentially inevitable.

So you tell them to run anti-virus. It's like children hiding under their desks in the event of nuclear war. It helps avoid some amount of existential crisis.

That's why the anti-virus age won't be over for a long, long time. Because if you don't have a replacement that's actually good, and no one even has a clue what that would look like, you still need to tell people to use their AV. Just like you need to tell people there is heaven.
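The one defensive measure the comment above credits with a clear benefit is making each machine "as minimally exposed to start with" by removing services. The following is an added example, not code from the commenter or from any product named in the thread: a small audit that parses `ss -lntup` style output and reports every socket reachable beyond loopback that is not on an explicit allowlist. The `ss` lines are constructed sample data, the column layout assumed is the standard `ss` one (protocol in column 1, local address:port in column 5, the `users:(("name",...))` process field last), and the allowlist is a hypothetical per-host policy.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -lntup` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=602,fd=7))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1201,fd=6))
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=590,fd=12))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}
WILDCARD = {"0.0.0.0", "*", "[::]"}
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def exposure(self) -> str:
        """Classify how reachable this socket is from other hosts."""
        if self.addr in LOOPBACK or self.addr.startswith("127."):
            return "loopback"
        if self.addr in WILDCARD:
            return "all-interfaces"
        return "specific-interface"


def parse_ss(text: str) -> list:
    """Parse `ss -lntup` output (header line skipped) into Listener records."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or blank line
        proto = fields[0]
        # Local address is column 5; split on the last ':' so IPv6 brackets survive.
        addr, port = fields[4].rsplit(":", 1)
        if not port.isdigit():
            continue  # -n output should always give a numeric local port
        match = PROC_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def audit(text: str, allowlist: set) -> list:
    """Return listeners reachable beyond loopback that are not explicitly allowed.

    allowlist holds (proto, port) pairs the host is *meant* to expose;
    everything else that is not bound to loopback is attack surface to remove.
    """
    findings = set()
    for listener in parse_ss(text):
        if listener.exposure == "loopback":
            continue
        if (listener.proto, listener.port) in allowlist:
            continue
        findings.add(listener)
    return sorted(findings, key=lambda l: (l.proto, l.port, l.addr))


if __name__ == "__main__":
    # Hypothetical policy: this host is only supposed to expose SSH.
    policy = {("tcp", 22)}
    for finding in audit(SAMPLE_SS_OUTPUT, policy):
        print(f"{finding.proto}/{finding.port} ({finding.process}) "
              f"bound to {finding.addr}: {finding.exposure}, not in policy")
```

On the constructed sample the audit skips the loopback-only CUPS socket, accepts sshd on both IPv4 and IPv6 because tcp/22 is in the policy, and reports nginx on tcp/80 and avahi-daemon on udp/5353 as exposure the host never needed. Running the same check against real `ss` output on each build image is a concrete way to enforce the "remove services by default" posture rather than relying on an edge firewall to paper over it.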