Bryan Owen

Anti-Virus is dead. Long live anti-virus! (redux)

Blog Post created by Bryan Owen on Jul 26, 2017

Anti-virus has been declared dead many times.  Makers of AV engines themselves even say so.


Why? Because AV is a feedback control. A signature or heuristic is written only after a sample has been seen somewhere, so there is always lag time, and AV was never really designed to protect patient zero. Modern malware mutates on the fly (packed and polymorphic variants change their hash and byte patterns with every build), so the effectiveness of traditional signature-based AV is quite limited.


Whitelisting approaches, like AppLocker, emerged as the heir apparent to protect computers from malware. What a great idea! Enumerate what is known good on a machine and block everything else by default. There is no feedback lag to worry about, because an unknown binary is denied whether or not anyone has seen it before, and performance is much more deterministic than scanning every file against an ever-growing signature set.


If you have yet to adopt whitelisting, it is easy to get started. Start small: even the default path-based rules (Everyone may run what lives under the Windows and Program Files folders, local Administrators may run anything) are quite effective and flexible enough to accommodate the normal changes that occur on a computer. One caveat: a path rule is only as strong as the ACLs on that path, so check for user-writable directories under an allowed folder before you trust the rule. Still gun shy? Start in audit mode and monitor the AppLocker event log for unexpected "would have been blocked" warnings before you switch to enforcement.


Deploy stronger rules (publisher and hash conditions rather than paths) as appropriate for more important systems. See KB00994 for OSIsoft technical support guidance on AppLocker. Similarly, we look forward to constructing a new KB for Device Guard as Windows Server 2016 deployment becomes more common. Please contact me if you have interest in exploring Device Guard in collaboration with OSIsoft.
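The "start small, audit first" procedure above, as an added example that is not code from the original post or from OSIsoft's KB: it builds the AppLocker default path rules for executables, applies them locally in audit-only mode, dry-runs a couple of files against the policy, and then pulls the audit events that show what would have been blocked. It assumes an elevated PowerShell on Windows 8.1/10 or Server 2012 R2/2016; the policy file location and the Downloads\tool.exe test file are assumptions you should replace with your own.

```powershell
# Added example, not from the original post. Run elevated.

# 1. AppLocker does nothing unless the Application Identity service is running.
#    (On recent Windows 10 builds Set-Service cannot change this service's
#    start type, so use sc.exe; the space after "start=" is required.)
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. The same Exe rule collection the GUI's "Create Default Rules" produces:
#    Everyone may run from %PROGRAMFILES% and %WINDIR%, Administrators may run
#    anything. EnforcementMode="AuditOnly" logs instead of blocking.
$policyPath = "$env:ProgramData\AppLockerAudit.xml"   # assumed location
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder"
                  Description="Allows members of the Everyone group to run applications that are located in the Program Files folder."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder"
                  Description="Allows members of the Everyone group to run applications that are located in the Windows folder."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files"
                  Description="Allows members of the local Administrators group to run all applications."
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# 3. Dry-run the policy before applying it. A PolicyDecision of DeniedByDefault
#    means no rule matched, which is exactly what audit mode will later report.
#    Both paths must exist; tool.exe stands in for something a user downloaded.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:USERPROFILE\Downloads\tool.exe", "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply to the local computer policy (no -Ldap means local GPO).
Set-AppLockerPolicy -XmlPolicy $policyPath
gpupdate /force | Out-Null

# 5. Watch the audit trail. In AuditOnly mode AppLocker writes event 8003
#    ("would have been blocked") for EXE/DLL and 8006 for MSI/Script; 8004 and
#    8007 are the enforced-block equivalents you should not see yet. The
#    MSI/Script log only fills once that rule collection is configured too.
function Get-AppLockerAuditEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $logs = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
        'Microsoft-Windows-AppLocker/MSI and Script' = 8006
    }
    foreach ($log in $logs.Keys) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $logs[$log]; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $_.UserId
                    Message = ($_.Message -split "`n")[0]
                }
            }
    }
}
Get-AppLockerAuditEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Review the 8003 events for a week or two of normal use: each one is either a binary that needs its own rule (preferably a publisher rule rather than widening a path) or something that should not have been running in the first place. Only when the list is quiet should EnforcementMode be changed to Enabled.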


While AV isn't as good as it once was, AV is reinventing itself. The article linked below describes a new cloud-based feedback loop for Windows Defender Antivirus.

Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware – Wind…

Checking file hashes with the cloud before a never-before-seen file is allowed to run is bound to make a difference: the lookup happens at first sight, so a sample seen on one machine protects the next without waiting for a signature update. We'll want to see how this performs, and of course there are interesting questions about blindly allowing any file to be uploaded to the cloud (sample submission should be a deliberate configuration choice, not a default nobody reviewed), but the design change is full of good promise.
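The configuration side of that concern, as an added example that is not from the original post or the linked Microsoft article: turn cloud-delivered protection on while making sample upload an explicit choice. It assumes the Defender PowerShell module (Windows 10 / Server 2016) in an elevated session, and that no domain Group Policy is overriding these preferences; the thresholds chosen are illustrative.

```powershell
# Added example, not from the original post. Run elevated.

# 1. Record what is set today so the change can be reviewed and reverted.
#    Get-MpPreference reports these as numbers (MAPSReporting 0/1/2 =
#    Disabled/Basic/Advanced; SubmitSamplesConsent 0..3, see step 3).
$before = Get-MpPreference |
    Select-Object MAPSReporting, SubmitSamplesConsent, CloudBlockLevel, CloudExtendedTimeout
$before | Format-List

# 2. Cloud lookup requires MAPS (Microsoft Active Protection Service) to be on.
#    This controls reporting of detection metadata; file upload is governed
#    separately in step 3.
Set-MpPreference -MAPSReporting Advanced

# 3. Sample submission. The four choices are:
#      AlwaysPrompt    (0) - ask the user before any upload
#      SendSafeSamples (1) - auto-send executables and similar, prompt for
#                            files likely to contain personal data
#      NeverSend       (2) - hash/metadata lookup only, no file leaves the box
#      SendAllSamples  (3) - upload whatever Defender asks for, documents included
#    SendSafeSamples (or NeverSend, on hosts handling sensitive data) is the
#    answer to "blindly allowing any file to be uploaded" without giving up
#    cloud analysis of unknown binaries.
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# 4. How aggressive the cloud verdict is, and how long a never-seen file may be
#    held while the cloud decides (0-50 seconds on top of the default 10).
#    The longer hold only matters for the whitelisting-like "block at first
#    sight" behaviour; the defaults are fine if users complain about delays.
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 20

# 5. Verify. A host with MAPSReporting = 0 is doing signature-only AV no
#    matter what the other settings say, and a stale signature date means the
#    feedback loop is not reaching this machine at all.
function Test-DefenderCloudProtection {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        CloudEnabled       = ($p.MAPSReporting -ne 0)
        SamplesNeverSent   = ($p.SubmitSamplesConsent -eq 2)
        BlockLevel         = $p.CloudBlockLevel
        SignatureAge       = (Get-Date) - $s.AntivirusSignatureLastUpdated
    }
}
Test-DefenderCloudProtection | Format-List
```

Note that Set-MpPreference writes local preferences; if the same settings are delivered by Group Policy, the policy value wins and Get-MpPreference will keep showing it after the cmdlet runs, which is itself worth confirming on a managed fleet.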


In closing, the future for Anti-Virus looks quite optimistic thanks to the cloud. A reputation lookup at first execution is, in effect, a whitelist that someone else maintains, so we may even see this approach pivot AV into a turnkey whitelisting solution.