Is Your Antivirus Software Really Protecting Your Business?

How antivirus software works

While most antivirus software is still called “antivirus,” the best solutions have evolved and can more accurately be called anti-malware software. The best antivirus software can detect and block multiple types of malicious software (malware), including viruses, Trojans, worms, spyware, adware and rootkits. This software provides real-time and scheduled protection, allowing businesses to set full system scans at specific times along with round-the-clock protection. 

Antivirus software detects malware in two ways:

• Signature-based detection. Antivirus software most commonly detects malware through signature-based detection. Essentially, each file has the equivalent of a digital thumbprint. When security professionals find a new malware type, they share this thumbprint. When antivirus software detects malware with a matching thumbprint, the software knows to quarantine it immediately. Because signature-based antivirus software relies on thumbprints, it will look for updates several times a day to stay updated. However, this software cannot detect malware that has never been seen before. 
• Heuristic-based detection. The second detection type is heuristic-based detection. This software will look for malware based on how it functions, as malware behaves differently than legitimate programs. Heuristic-based antivirus software can detect previously unnoticed malware. Because it’s algorithm-based and fully automated, heuristic-based antivirus software must be tuned carefully so it does not lead to a security alert overload. 

In general, sophisticated antivirus solutions include both signature and heuristic-based capabilities. 

What to look for in antivirus software

There is no shortage of antivirus software, and deciding between providers can be overwhelming. At a basic level, most sophisticated antivirus providers have products that share fundamental signature-based detection capabilities. However, when it comes to additional protection levels and other add-ons, some software providers offer better packages than others.

Businesses should look for the following features before purchasing antivirus software:

• Multiple types of threat protection. At a basic level, antivirus software should include signature-based detection capabilities. For businesses concerned with more advanced threats, look for antivirus software that also uses heuristics, AI and behavior monitoring.
• Frequent updates. Antivirus software is typically only as good as its update frequency. Look for software that updates frequently, has good reviews, and is known to have an extensive and frequently updated threat database.
• Compatibility with your systems. If you have various device types, such as Macs, PCs, Chromebooks or Android-based devices, look for cross-functional antivirus software. Some tools can run on multiple operating systems, which makes operations easier for IT managers.
• Ransomware protection. Frequent and damaging ransomware attacks are on the rise. Some antivirus software provides ransomware mitigation measures.
• Moderate system resource load. Your antivirus software shouldn’t be a resource hog. Even the best antivirus software solutions aren’t worth using if they completely drain system resources and lead to computer crashes. 

Beyond core antivirus functions, businesses should also look at extra features that may be included in a bundle. Some antivirus software comes with the following:

• 24/7 customer support
• An included VPN
• Email security features
• Regulatory compliance checks
• Office management platforms

While none of these features are required for an antivirus solution to work, they help protect against other threats. For example, compliance fines can be debilitating for businesses that accidentally fall afoul of regulations. Similarly, email security can help protect users against phishing attacks, which continue to be a route attackers use to gain access to an organization and cause data breaches. 

Threats that antivirus software can’t defend against

While antivirus software is crucial to a business’s security strategy, it has limitations. Antivirus software can’t defend against — or can only partially contain — a range of threats, including the following.

1. Antivirus software can’t defend against insider threats.

Antivirus software can’t protect a business from insider threats, including employee-driven cyberattacks, employee fraud, and outsiders infiltrating systems via compromised employee accounts.

“Antivirus is a good and necessary protection but is only part of a security solution,” said security consultant David Swift. “The facts show that a determined attacker will get in, and that a vast majority of the losses are going to come from external attackers using legitimate — but compromised — credentials.”

Instead of relying on antivirus software alone and watching out for malware, businesses should also monitor employee behaviors and accounts, Swift advised.

“The era of insider threats or threats from compromised accounts is here,” Swift noted. “Companies must look beyond signature-based security tools and look at user activity for bad behavior. It may be the trusted insider [or] a harvested account used by a bad guy, such as in identity theft and stolen credit cards.” 

2. Antivirus software can’t protect against compromised devices.

Antivirus software can’t protect network systems from compromised devices. In the bring your own device (BYOD) age, unprotected computers, tablets and smartphones can infiltrate and infect protected systems.

“Antivirus, antispyware, and firewalls are solutions that users first think of to minimize [the] risk of cyberattacks from the endpoints in their network,“ said Carmine Clementelli, former network security product manager at business technology solutions company PFU Systems. “However, there are a few considerations to think about. First of all, what if the network is accessed by devices that aren’t protected?”

For example, say an employee brings their personal device — with no installed antivirus protection — to work and connects it to the corporate Wi-Fi network. If their device was compromised, they’ve now made the entire network vulnerable to infiltration. 

For this reason, businesses must strive to minimize risk and protect their systems.

“Mobility and BYOD in the modern era require a new approach that is obligating businesses to adopt network visualization technologies,” Clementelli said. “This will allow them to know who and what is on the network and to control their network access.”

3. Antivirus software can’t protect against advanced persistent threats.

Even if systems have antivirus software, they’re not immune to advanced persistent threat (APT) attacks. In APT attacks, highly advanced attackers — typically those with substantial financial backing or who may work for a government — infiltrate an organization’s networks. An APT typically maintains a long-term presence on an infiltrated network to steal intellectual property or sensitive client or user data. 

APT attacks focus on stealth; attackers typically launch operations using targeted phishing campaigns to steal login credentials. After attackers gain network access, they’ll try to broaden their reach while remaining undetected. In such cases, attackers will try to use legitimate tools within compromised machines to maintain as much stealth as possible. 

If the APT uses legitimate tools and credentials, antivirus software won’t detect anything amiss. Eventually, an APT may deploy malware known as a Remote Access Trojan (RAT).

“With a RAT, the intruder outside a network remotely operates an infected PC within a network to collect internal data,” Clementelli warned. An RAT may infiltrate the network in advance through an email message but does not immediately begin the attack. 

“Afterwards, when the attack begins, the content of the communications does not contain malware itself, and the traffic associated with the remote operations is almost always encrypted,” Clementelli explained. “This activity is difficult to discover using conventional antivirus software or unauthorized intrusion-detection systems.”

4. Antivirus software can’t protect against unknown malware.

In addition to undetected malware, unknown malware can also bypass antivirus solutions. The sheer amount of malware that is created and distributed daily makes it virtually impossible for antivirus solutions to protect against them all.

“We’re literally being bombarded by new malware to the tune of 200,000 new malware each and every single day, and that’s on a good day,” said Pierluigi Stella, chief technology officer at managed security services firm Network Box USA. “During an outbreak, we see that number escalate, sometimes close to 1 million.”

This massive bombardment is because it’s easier than ever for hackers to launch attacks. They can create viruses automatically — with thousands of variations — and use efficient and rapid distribution networks. In comparison, it can take an antivirus company several hours to detect and fix malware.

To combat this disconnect, antivirus companies are finding new ways to protect systems, including cloud-based databases of malware signatures — an algorithm that specifically identifies individual viruses — and methods that detect malware without signatures.

For businesses, this means finding antivirus software or providers with zero-day initiatives, aiming to catch malware no one has seen before without any currently available protections.

“Catching the zero-day malware is where the industry’s headed,” Stella said. “Sandboxing, behavioral analysis, pattern recognition, etc. are all expressions describing some of the methods companies are using to spot the next ‘zero day’ before it causes damage. Many such methods are plagued with false positives, but a false positive is far more acceptable than a false negative [where unknown malware] then enters your network and causes havoc.”

Building on antivirus protection with cybersecurity policies

Antivirus software can help provide businesses with a solid security layer; however, it’s not enough for comprehensive business security. In addition to antivirus protection, businesses should institute proactive cybersecurity policies with additional tools, best practices and security architecture. 

Businesses should consider implementing the following: 

• Comprehensive security education. Businesses should ensure everyone in the organization understands cybersecurity basics. Cybersecurity is a complex, constantly evolving field; IT professionals and business owners must learn the most common attack types, along with cybersecurity best practices. Additionally, businesses should educate employees about threats, create strong passwords, and develop an incident-response plan. 
• Zero-trust architecture. Businesses should also employ a zero-trust architecture (ZTA) network model. ZTA is a newer network model that focuses on users, assets, and resources instead of network-based perimeter defense. While antivirus software may look at threats trying to get into a network, ZTA assumes the network has already been breached and focuses on authenticating and validating users. ZTA is particularly useful for defending against advanced threats like APTs. 

• Managed services providers. Additionally, businesses that lack technical expertise on staff may find it helpful to work with a managed services provider (MSP). MSPs can help a business establish and implement cybersecurity policies, including ZTA, while also setting up additional security tools, including firewalls, intrusion-detection systems, and antivirus software if it’s not already in place. 

Getting the most from antivirus software

Although antivirus software can’t completely protect a business’s systems, these solutions are still necessary.

“Despite the prevalence of zero-day, there’s still a huge number of very well-known and maleficent viruses that your antivirus can stop,” Stella said. Consider conducting online research to compare various antivirus solutions — and look beyond the big names. “There are plenty of other companies that are doing better and deserve a chance,” Stella noted. 

Businesses should also ensure their antivirus software is running at its optimum level.

“Don’t ditch that old AV just yet,” Stella advised. “Rather, keep it up to date and keep it running. This way, at least you’re protected from the ‘known’ stuff. It’d be silly to be attacked by something that can be stopped so easily.”

Better yet, see if your old antivirus system is ready for an upgrade. A new, comprehensive antivirus tool could be the precise complement your overall cybersecurity posture needs. 

Sara Angeles contributed to the reporting and writing in this article. Some source interviews were conducted for a previous version of this article.