The Death of Mr. Norton Has Been Greatly Over Exaggerated (aka: Antivirus Is Not Dead)

April 10, 2012

Post to Twitter Post to Facebook Post to Reddit

Over the past few months I had the opportunity to attend several awesome conferences and meetups. One concept that keeps rearing its head is that “antivirus is dead.” I’m guessing this comes up a lot because of it’s reliance on a reactive signature-based approach. As most of us probably know this method doesn’t work because signatures are in response to current attacks instead of being proactive. All a person has to do is take an existing attack and change the signature so that it isn’t detected anymore. It’s your classic cat & mouse game.

(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under News and Infosec Blogs/Podcasts. -@grecs)

Well maybe back in the old days when we had to look at that smug Norton guy on the face of all the boxes in Micro Center, the cat & mouse issue was true however vendors have continued to evolve their products (e.g., the incorporation of behavior-based detection) to address the ever changing attack techniques. Yeah, antivirus products might be behind the leading edge of attacks but at least they help us in keeping up. I liken the issues we have with antivirus with the complaints we have with passwords. Yes, passwords suck at providing perfect security and we all know that. But guess what … they do a pretty decent job of keeping most people away from what they shouldn’t have access to. Want more security? Then come up with a better authentication solution that industry (and the rest of the world) will follow.

A recent post over on the SANS Computer Forensics blog by Rob Lee further cemented the “antivirus is dead” concept. Rob detailed how he led a team of whitehats through a simple attack sequence developed for one of his classes. And guess what … the antivirus systems didn’t flick one bit. This article really hit hard because I had been working on this post detailing on how antivirus was in fact NOT dead. Although Rob’s research and conclusions make sense in his specific scenario, I still believe that antivirus is NOT dead for the vast majority of us. I guess my litmus test is that I would never bet my career on telling a large government customer to forgo implementing any antivirus solution.

There are plenty of ways around antivirus but I stick by the fact that it will at a minimum catch much of the low-hanging fruit that novices or automated attack tools use. In the best cases, data captured through antivirus tools also complements the data gathered from other network- and host-based security and non-security systems to paint a clearer operational picture of the entire enterprise. With a better understanding of what’s going on in the environment, analysts can more easily discover anomalies that might have been harder to find otherwise.

I’ve also seen antivirus used as a stop-gap between when vendors disclose a vulnerability or exploit and when they distribute a patch. The vendor simply distributes a new attack signature and enterprise admins that quickly push it out are able to lower the risk of attacks against their infrastructure almost immediately. Someone could still change the attack sequence and you get into the traditional cat & mouse game again but at least this keeps the enterprise ahead of HD Moore’s law.

It’s easy to just to sit back and say antivirus is dead because it doesn’t provide the perfect solution … but it’s a lot harder to live without it. Antivirus isn’t the proverbial “silver bullet” however used as part of a comprehensive defense-in-depth strategy it will continue to benefit corporate and personal environments for some time.


Would you recommend to your big government clients to forgo running ANY antivirus solutions? If so, let us know what your arguments would be in the comments below. Today’s post pic is from from

Tags: , ,

15 Responses to The Death of Mr. Norton Has Been Greatly Over Exaggerated (aka: Antivirus Is Not Dead)

  1. (@grecs) (@grecs) on April 10, 2012 at 11:59 pm

    BLOGGED: Antivirus Is Not Dead

  2. Tim Tomes (@LaNMaSteR53) on April 11, 2012 at 8:53 am

    “@sambowne: Antivirus Is Not Dead” <– it’s all about layers. A/V is a thin, albeit necessary, one.

  3. (@novainfosec) (@novainfosec) on April 11, 2012 at 11:38 am

    Also we are curious as to your thoughts on our late night “Antivirus Is Not Dead” post.

  4. Heather Pilkington on April 11, 2012 at 1:06 pm

    I don’t think AV is dead, but I think those who use it continue to expect the wrong things from it. As you have pointed out, client-side AV is good at reducing the low-hanging fruit on flat networks or mobile platforms. However, as Rob has pointed out, it’s no good at detecting advanced compromise and preventing it. But that isn’t what it was designed to do. That’s what people have come to think it will do, though.

    Also, in stratified networks, or in a thin mobile client paradigm, investment in network-based analysis and detection may make more sense than accepting the overhead and management issues of decentralized client agents.

    AV is not dead; how we think of AV and use it needs to be changed.

  5. (@novainfosec) (@novainfosec) on April 11, 2012 at 9:07 pm

    AV Is Not Dead post seems 2 have gotten good response. No silver bullet but definitely part of DiD.

  6. (@grecs) (@grecs) on April 11, 2012 at 10:41 pm

    The death of Mr. Norton has been greatly over exaggerated. & Mr. McAfee and others as well..

  7. (@novainfosec) (@novainfosec) on April 11, 2012 at 10:42 pm

    The death of Mr. Norton has been greatly over exaggerated. & Mr. McAfee and others as well..

  8. grecs on April 11, 2012 at 11:08 pm

    Heather: Well said. Thanks for contributing!

  9. Annabelle Hammond (@compusaabb) on April 14, 2012 at 5:23 am Antivirus Is Not Dead |

  10. (@novainfosec) (@novainfosec) on July 10, 2012 at 12:17 pm

    Best Of: The Death of Mr. Norton Has Been Greatly Over Exaggerated (aka: Antivirus Is Not Dead)

  11. novainfosec (@novainfosec) on November 19, 2012 at 9:18 pm

    Best Of: The Death of Mr. Norton Has Been Greatly Over Exaggerated (aka: Antivirus Is Not Dead)

  12. novainfosec (@novainfosec) on February 24, 2013 at 10:12 am

    Best Of: The Death of Mr. Norton Has Been Greatly Over Exaggerated (aka: Antivirus Is Not Dead)

  13. Jeremy on May 2, 2013 at 9:43 am

    It really bothers me when “so called” security experts say that Antivirus is dead. In most instances, these “experts” tout their experience in bypassing AV by either using a packer or changing a few bits. Sure, anyone can do that, but the real value of AV is the fact that it’s an extra set of eyes. If you were tasked with defending a network of 1000 nodes, would you rather have 100 fires to put out or 10? Antivirus gives you an extra layer of protection that reduces the number of infections, thus leaving you with more time to try and find the more serious intrusions.

  14. grecs on May 2, 2013 at 9:24 pm

    Jeremy: Totally agree with you…

  15. novainfosec (@novainfosec) on February 16, 2014 at 10:34 pm

    Best Of: The Death of Mr. Norton Has Been Greatly Over Exaggerated (aka: Antivirus Is Not Dead)

Leave a Reply

Your email address will not be published. Required fields are marked *

About Us

Founded in 2008, NoVA Infosec is dedicated to the community of Metro DC-based security professionals and whitehat hackers involved in the government and other regulated verticals. Find out more on our About Us page.