Last night, I received a phone call from a neighbor asking if he should renew his home anti-virus subscription. I typically shy away from giving people advice on this sort of question, but it did give me pause and caused me to do some thinking before I answered him.
I thought about how, in most large enterprises that I advise, anti-virus is <25% effective at detecting malicious code threats. Worse yet, most anti-virus vendors have not only sold large enterprises software that is largely ineffective, but they have also sold those enterprises on a mantra/workflow/philosophy that is nearly useless. In other words, most anti-virus vendors will suggest that you review their logs regularly to identify systems infected with malicious code. I remember from graduate school that this is, by definition, the quintessential biased sample: the only infections you can see in the anti-virus logs are the ones anti-virus happened to catch. Since anti-virus is <25% effective at detecting and identifying threats, the enterprise is left with a gaping hole/blind spot of >75%. Stated another way, if you trust anti-virus logs to guide your analysis, workflow, and/or process, you will be left largely in the dark.
The "Know Your Network" philosophy discussed in this blog and elsewhere is really the only way to effectively monitor a large, enterprise network. Unfortunately, anti-virus vendors do not seem to be interested in improving through novel or cutting-edge techniques. They are quite content to sell both home users and enterprises the 21st century equivalent of a bridge.
Of course, anti-virus logs are somewhat useful as a supporting/corroborating data source for investigations that begin with true network forensics/network traffic analysis, but not much else. In other words, anti-virus logs can tell you whether the malicious code that you see a user downloading in the proxy logs or via deep packet inspection (DPI) data was somehow detected and cleaned by anti-virus. As an aside, even this is not 100% reliable, as it is not uncommon for malicious code infection vectors to try several different exploits and/or executable downloads. Just because anti-virus caught one of them doesn't mean it caught all of them. The analyst still needs to examine the proxy logs, firewall logs, DPI data, and/or any other relevant data looking for artifacts of infection.
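To make the workflow concrete, here is an added example (my own illustration, not code from this blog or from any anti-virus product) that starts from the proxy logs, as the post recommends, and uses the anti-virus log only as corroboration. It also shows the biased-sample problem from the earlier paragraph: a workflow that starts from the anti-virus log alone never sees the hosts anti-virus missed. All log lines are constructed, the field layout (timestamp, host, URL, content type / verdict, file name) is an assumption, and the five-minute correlation window is an arbitrary choice for the example.

```python
"""Correlate proxy-log executable downloads with anti-virus detections.

Added example; the log formats and every line below are constructed.
"""
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, client host, URL, content type.
PROXY_LOG = """\
2024-03-01T10:00:05 ws-17 http://example.invalid/update.exe application/x-msdownload
2024-03-01T10:00:09 ws-17 http://example.invalid/helper.exe application/x-msdownload
2024-03-01T10:01:30 ws-22 http://example.invalid/report.pdf application/pdf
2024-03-01T10:02:11 ws-31 http://example.invalid/setup.exe application/x-msdownload
"""

# Constructed anti-virus log: timestamp, host, verdict, file name.
# Note that anti-virus saw only one of the two payloads fetched by ws-17
# and nothing at all from ws-31.
AV_LOG = """\
2024-03-01T10:00:07 ws-17 CLEANED update.exe
"""

# Content types that warrant a look when a workstation pulls them in.
SUSPICIOUS_TYPES = {"application/x-msdownload", "application/octet-stream"}
# How long after a download an anti-virus verdict still counts as related.
WINDOW = timedelta(minutes=5)


def parse_proxy(text):
    """Parse proxy lines into dicts; the file name is taken from the URL."""
    events = []
    for line in text.splitlines():
        ts, host, url, ctype = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "url": url, "ctype": ctype,
                       "file": url.rsplit("/", 1)[-1]})
    return events


def parse_av(text):
    """Parse anti-virus lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, host, verdict, fname = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "verdict": verdict, "file": fname})
    return events


def correlate(proxy_text, av_text):
    """Start from suspicious proxy downloads; attach any matching AV verdict.

    Each suspicious download is matched to an AV event for the same host and
    file name within WINDOW after the download. Downloads with no such event
    are marked needs_review: AV silence is not evidence of a clean host.
    """
    av_events = parse_av(av_text)
    results = []
    for dl in parse_proxy(proxy_text):
        if dl["ctype"] not in SUSPICIOUS_TYPES:
            continue
        match = next((av for av in av_events
                      if av["host"] == dl["host"] and av["file"] == dl["file"]
                      and dl["ts"] <= av["ts"] <= dl["ts"] + WINDOW), None)
        status = "av_cleaned" if match and match["verdict"] == "CLEANED" \
            else "needs_review"
        results.append({"host": dl["host"], "file": dl["file"],
                        "status": status})
    return results


def hosts_needing_review(proxy_text, av_text):
    """Hosts with at least one suspicious download that AV did not account for."""
    return sorted({r["host"] for r in correlate(proxy_text, av_text)
                   if r["status"] == "needs_review"})


def hosts_from_av_only(av_text):
    """The biased sample: the hosts an AV-log-driven workflow would surface."""
    return sorted({av["host"] for av in parse_av(av_text)})


if __name__ == "__main__":
    for r in correlate(PROXY_LOG, AV_LOG):
        print(f"{r['host']:6} {r['file']:12} {r['status']}")
    print("needs review (proxy-driven):", hosts_needing_review(PROXY_LOG, AV_LOG))
    print("visible from AV log alone:  ", hosts_from_av_only(AV_LOG))
```

Run as written, the proxy-driven pass flags ws-17 (anti-virus cleaned update.exe but said nothing about helper.exe) and ws-31 (no anti-virus event at all), while the anti-virus-driven pass surfaces ws-17 only. The matching key is deliberately strict (same host, same file name, verdict shortly after the download); a looser key that treated any anti-virus event on the host as covering every download would reproduce the "it caught one, so it caught all" mistake the post warns about.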
So back to my neighbor. After thinking about this for a moment, I explained to him that the anti-virus vendor he was thinking of sending additional money to was really no more effective than some of the free products that are available. I advised him to hold onto his money. After all, if one ignores the hype and thinks about it logically, it only makes sense.