Future Tense

You Can’t Depend on Antivirus Software Anymore

Malware has become too sophisticated.



In 2005, Panda Software reported that a new strain of malware was discovered every 12 minutes. In 2016, the cybersecurity company McAfee says it found four every second.

And those were just the strains the companies could detect. For malware—the umbrella term for parasitic software like viruses, worms, and Trojans that infiltrate and interfere with computer functions—hasn’t only proliferated: It’s evolved to better evade detection.

Faced with this tsunami of sophisticated malware, antivirus software like McAfee, once practically synonymous with personal cybersecurity, has struggled to keep pace. In 2014, a senior vice president at Symantec (the company that created McAfee competitor Norton Antivirus) went so far as to publicly say he thought that antivirus software was “dead.” At the time, he estimated that the technology only caught about 45 percent of cyberattacks.

Antivirus software is struggling to keep up because the primary strategy on which it relies—signature detection—is based on the outdated assumption that the malware you saw yesterday will look the same today. Generally speaking, when a cybersecurity company sees a new type of malware, it will analyze and create a detection signature for that specific strain. Like the immune system recognizing a pathogen it has seen before, antivirus software uses these signatures to scan files for known threats. This strategy worked reasonably well when viruses were mostly made by amateur hackers. But in 2003, according to McAfee, we saw the first real for-profit malware and since then, the growth of organized cybercrime has brought forth a series of innovations that allow malware to rapidly change its appearance. If the viruses of the early 2000s were the common cold, sophisticated malware of today is like HIV, able to change its protein coatings to avoid detection.

One of these innovations is a process called “crypting,” which allows a developer to transform the appearance of a piece of malicious code using encryption tools and test it against antivirus software until it is undetectable. Similarly, developers can also use polymorphic code to turn malware into a chameleon, capable of changing its appearance every time it runs. One 2013 analysis found that 82 percent of malware disappears after an hour, and 70 percent of malware only exists once. This short lifespan means just a small percentage of antivirus detection signatures—0.34 percent in one analysis—catch active threats. The rest just hunt ghosts. Though some companies have introduced new strategies to combat these adaptations, they haven’t been enough to fully keep up with fast-moving threats.
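An added example, not part of the original article: a toy signature scanner in Python, run over a constructed and harmless byte string, showing how a hash signature and a byte-pattern signature each stop matching when the same content is stored under a different encoding. All names here (`scan`, `repack`, `unpack`, the marker string) are hypothetical and stand in for no real product.

```python
import hashlib

# Constructed, harmless stand-in for a file seen "yesterday"; not real malware.
KNOWN_SAMPLE = b"HEADER::" + b"DEMO-MARKER-1234" + b"::benign demo body"

# Two classic signature kinds, both derived from that one known sample.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
BYTE_SIGNATURES = [b"DEMO-MARKER-1234"]


def scan(data: bytes) -> str:
    """Return which signature kind matched, or 'clean' if none did."""
    if hashlib.sha256(data).hexdigest() in HASH_SIGNATURES:
        return "hash"
    if any(sig in data for sig in BYTE_SIGNATURES):
        return "bytes"
    return "clean"


def repack(data: bytes, key: int) -> bytes:
    """Model re-encoding: same content under a one-byte XOR key,
    with the key stored in front so the content can be restored."""
    return bytes([key]) + bytes(b ^ key for b in data)


def unpack(blob: bytes) -> bytes:
    """Undo repack(): read the key byte, then restore the content."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def detection_report() -> dict:
    """Scan the known sample and three variants of the same content."""
    variants = {
        "original": KNOWN_SAMPLE,
        "one byte appended": KNOWN_SAMPLE + b"\x00",
        "repacked key=0x5A": repack(KNOWN_SAMPLE, 0x5A),
        "repacked key=0x21": repack(KNOWN_SAMPLE, 0x21),
    }
    return {name: scan(data) for name, data in variants.items()}


if __name__ == "__main__":
    for name, verdict in detection_report().items():
        print(f"{name:20} -> {verdict}")
    # The content is unchanged once decoded, so the old signature matches again.
    print("after unpack         ->", scan(unpack(repack(KNOWN_SAMPLE, 0x5A))))
```

Each new key yields a file the stored signatures have never seen, which is why a signature written for one copy rarely matches the next.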

Despite its diminishing effectiveness, a startling number of users still use antivirus software as their first, or only, line of defense. According to a 2015 Google study comparing digital practices of security experts and nonexperts, 42 percent of nonexperts said antivirus software was among the most important steps they took to protect themselves online. The response topped the list of measures taken by nonexperts, even ahead of “using strong passwords.” But, tellingly, it didn’t even crack the top five among those who work in the cybersecurity field.

This knowledge gap is significant and worrying, because modern malware attacks can be devastating. One type of attack that has grown dramatically in recent years is ransomware, which encrypts one’s files and holds them for ransom. In 2016 alone there were 4,000 ransomware attacks a day, according to IBM. As we store more and more personal information on our computers—home videos, photos, financial information—the cost of infection only grows. So how can the typical user keep up their cyberhealth in a post-antivirus age?

While the staggering progress of malware is frightening, comparing digital threats to infectious diseases provides some context to the risk internet users face. Each day, we all encounter millions of germs. Yet most of us stay healthy most of the time thanks to a combination of our immune system and preventive health measures such as washing our hands, exercising, and getting plenty of sleep. To preserve your cyberhealth, you must similarly strengthen your defenses by supplementing antivirus software (think of it as your imperfect cyber immune system) with a diversity of preventive digital tools and habits that can help keep malware and hackers from reaching you in the first place.

First, antivirus software can still play an important role. No matter how much you wash your hands, some infection will inevitably get through. While other security practices can help you avoid malware and prevent hackers from breaching your online accounts, no other consumer tool will recognize malware in downloads and emails. In 2013, Microsoft said that unprotected computers are 5.5 times more likely to be infected than those that run real-time antivirus protection. Most well-known brands provide both real-time monitoring and malware removal.

Premium products like Norton Security Deluxe, McAfee Total Protection, and Kaspersky Total Security may provide a higher level of customer service, but free products from brands like AVG and Avira provide a similar level of overall protection. While Windows users can use Microsoft’s native antivirus software, Mac users will need to find a third-party product (although Macs are generally at lower risk of infection due to Apple’s smaller market share). Whatever solution you choose, it is essential to turn on automatic updates. According to a 2014 study by Microsoft, having expired or out-of-date antivirus software is nearly as bad as having none at all.

Given antivirus software’s flaws, however, people need to take other steps to ensure a robust digital defense. This is the wash-your-hands, eat-nutritious-foods, and get-enough-sleep part that, like a parent, cybersecurity experts (and Future Tensers) like to nag users about. Among them: Install updates for all of your software—not just antivirus programs. In 2016, a Sophos researcher reported that nearly half of malware attacks involving Microsoft Office target a vulnerability Microsoft patched in 2012. Get a password manager. (If you are on a budget, it is better to use your limited funds on a password manager than on premium antivirus software.) Set up two-factor authentication, use unique passwords for each account, encrypt your computers and phones, and please, please create backups of your devices. Though these tools alone won’t keep you safe from malware, they will help protect your personal data should a virus breach your defenses.

Healthy digital habits also make a big difference for individual protection. The simplest advice for online safety comes via cybersecurity journalist Brian Krebs: First, if you didn’t go looking for it, don’t install it. Second, if you installed it, update it. Third, if you no longer need it, get rid of it! Mostly, use common sense: You wouldn’t eat a piece of candy off the ground. Yet in 2008, a U.S. soldier sparked one of the largest data breaches in military history by using a USB stick he found in the parking lot outside his base.

Antivirus may not be dead yet, but it’s probably time to call hospice. While this calls to mind the old joke that the best way to secure a computer is to pull the plug, giving up is not an option for most of us. If you haven’t previously taken your cybersecurity seriously, now is a great time to start. For the quantity and intimate quality of the information we trust to our devices is transforming our relationship to data. In some important ways, we no longer simply own our information. We are our information.

This article is part of the cybersecurity self-defense installment of Futurography, a series in which Future Tense introduces readers to the technologies that will define tomorrow. Each month, we’ll choose a new technology and break it down. Future Tense is a collaboration among Arizona State University, New America, and Slate.