When the Blaster, MS/SQL, and Sobig worms made their appearance on the scene in 2003, one thing became clear: none of the worms was initially stopped with antivirus software.
According to a report issued in January 2004 by the Aberdeen Group: "The Internet worms of 2003 took advantage of common network channels and system vulnerabilities to deposit executable payloads on unprotected PCs and PC servers. These worms were able to gain access to resources on the local corporate network to subsequently infect other PCs and PC servers throughout the network."
So what does this say about the efficacy of antivirus software? Can it help fight the newer strains of viruses?
John Verry, a consultant for the security firm of CQUR IT, told TechRepublic that "antivirus software by its very nature [signature-based detection] is a reactionary technology. Accordingly, any worm with the ability to replicate with the speed and efficiency of an MS/SQL will render antivirus ineffective to block the initial outbreak."
Verry doesn't believe the problem lies with antivirus software, however, so much as with the Internet community's inability to develop less vulnerable software and the end-user community's reluctance to rapidly patch vulnerabilities as they are discovered. (For more information on improving your patching practices, read "Quickly deploy Microsoft security patches with KiXtart login scripts.") He said, "AV is still a critical piece of a well-layered security infrastructure and brings significant benefit relating to these worms as it prevents reinfection and is often the tool of choice for removing them."
He added that the most effective way to prevent business disruptions from these newer worm variations "is to add ongoing vulnerability assessments and diligent patch management practices to existing security efforts."
The Aberdeen Group agrees that AV software is still effective as long as it's part of a combination package; the challenge for buyers and suppliers in 2004 will be a package that delivers antivirus, PC firewalls, and antispyware. The PC firewall can "prevent inbound payloads from landing and sending unauthorised outbound communications to unknown locations."




