Antivirus vs Anti-malware simplified but it is also the matter of doctrine…

The endless maze of cybersecurity is, however, not reducible to a simple choice between technology tools. Hence, after discussing the above dilemma of interest to common folks, we continue by teasing cybersecurity professionals and policymakers with the question of where these tools fit in the cybersecurity doctrines.

WatchGuard’s Threat Lab has recently published a report on the latest malware and Internet attacks showing that in Q1 2020:

  • 67% of malware uses encrypted communication channels,
  • Zero-day malware accounts for 63.7% of all threats on Fireboxes,
  • SQL injection attacks remained the top network threat for Q1.

At the same time, the CRN portal warns that the line between ransomware attacks and data breaches continues to blur in early 2020, with many prolific ransomware operators. The portal reported that victims of the 11 biggest ransomware attacks (so far) have spent at least USD 144.2 million on costs ranging from investigating the attack, rebuilding networks and restoring backups to paying the hackers ransom and putting preventative measures in place to avoid future incidents.

A brief look at the Threat Landscape dashboard on the day of writing this article shows the following Malware Attacks by Region:

  • Americas: 36.73%,
  • Europe, Middle East and Africa: 50.62%,
  • Asia, Pacific: 12.65%.

Closer to home, the 2019 KnowBe4 Africa Cybersecurity Awareness report warned that:

  • 53% of the surveyed people think that trusting people that they know is good enough,
  • 64% do not know what ransomware is and yet believe that they can easily identify a security threat,
  • 52% do not know what multi-factor identification is,
  • 28% have fallen for a phishing email, and
  • 50% have had a malware infection.

Seeing these frightening statistics, the majority of ‘ordinary’ people immediately think of the simple solution of deploying antivirus or antimalware software. But there is – more often than not – a dilemma: do we need antivirus or antimalware? Or both?

Indeed, this is very puzzling and frustrating for people without expert cybersecurity knowledge… So, let us try to solve this puzzle.

What is antivirus?

A computer virus is a type of computer program that, when executed, spreads from user to user by replicating itself into other programs or files – eventually making the affected area ‘infected’.

Antivirus is a computer program that is designed to prevent, search for, detect, and remove software viruses, and sometimes other malicious software like worms, Trojans, adware, and the like. The purpose of antivirus software is to identify known threats using signature-based detection – detection that matches file signatures against a database of known malware.

In other words, antivirus software scans devices and systems for known viruses. If you have free antivirus, it will only scan for ‘classic’ viruses such as keyloggers and worms, hence offering minimal protection. The advanced versions of antivirus software will protect against more advanced threats, sometimes also including malware removal tools.

The antivirus software normally includes real-time scanning, automatic updates, and the removal of threats.

What is antimalware?

Malware is any software program that is intentionally designed to cause damage to computers and computer networks. In addition to computer viruses, malware includes worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware.

In contrast to antivirus, antimalware programs utilise heuristic-based detection to proactively find code patterns that indicate a threat. Even though antivirus software can protect against common types of viruses, antimalware software reaches further by detecting new iterations of an infection. If well designed, antimalware should be able to defend against malware that classic antivirus software sometimes fails to detect.

In addition to the antivirus features, antimalware adds capabilities such as sandboxing (a controlled environment for testing the safety of software) or traffic filtering (blocking malware access to computers and systems). Antimalware is often seen as proactive security, as it scans for, detects, and removes all known malware.
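To make the distinction between the two detection approaches concrete, here is an added example (not code from the article or from any product it mentions) that implements a toy signature scanner and a toy heuristic scanner side by side. The “malware” samples, the signature database and the heuristic rules are all constructed for this illustration: the samples are plain text describing behaviour, not executable code, and the rules are simple regular expressions with weights chosen to show the behaviour the article describes, including the false-positive risk that comes with heuristics.

```python
import hashlib
import re
from typing import Dict, List, Optional, Pattern, Tuple

# --- Signature-based detection (the approach the article attributes to classic antivirus) ---
# Constructed "known sample" corpus: content -> family name. A real antivirus ships a
# database of millions of pre-computed signatures; here it is built from two strings.
_KNOWN_SAMPLES: Dict[bytes, str] = {
    b"CONSTRUCTED SAMPLE A: copies itself into other files": "Virus.Constructed.A",
    b"CONSTRUCTED SAMPLE B: logs keystrokes to a hidden file": "Spyware.Constructed.B",
}
SIGNATURE_DB: Dict[str, str] = {
    hashlib.sha256(body).hexdigest(): family for body, family in _KNOWN_SAMPLES.items()
}


def signature_scan(content: bytes) -> Optional[str]:
    """Return the malware family if the exact file hash is in the database, else None."""
    return SIGNATURE_DB.get(hashlib.sha256(content).hexdigest())


# --- Heuristic detection (the approach the article attributes to antimalware) ---
# Each rule is a pattern over the content plus a weight; the weighted hits are summed
# and compared with a threshold. These rules are constructed for the example.
HEURISTIC_RULES: List[Tuple[Pattern[bytes], int]] = [
    (re.compile(rb"copies itself", re.I), 4),
    (re.compile(rb"logs keystrokes", re.I), 4),
    (re.compile(rb"encrypts? (user )?files", re.I), 3),
    (re.compile(rb"disables? (antivirus|backups?)", re.I), 3),
    (re.compile(rb"contacts? .* server", re.I), 1),
]
HEURISTIC_THRESHOLD = 4


def heuristic_score(content: bytes) -> int:
    """Sum the weights of every heuristic rule that matches the content."""
    return sum(weight for pattern, weight in HEURISTIC_RULES if pattern.search(content))


def classify(content: bytes) -> Dict[str, object]:
    """Run both scanners and combine them into one verdict.

    A signature hit is authoritative ("known-malware"); otherwise the heuristic score
    decides between "suspicious" and "clean".
    """
    family = signature_scan(content)
    score = heuristic_score(content)
    if family is not None:
        verdict = "known-malware"
    elif score >= HEURISTIC_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signature": family, "heuristic_score": score, "verdict": verdict}


# Constructed inputs illustrating the four cases the article discusses.
SAMPLE_A = b"CONSTRUCTED SAMPLE A: copies itself into other files"          # known, in the database
VARIANT_A = SAMPLE_A + b"!"                                                  # one byte changed: hash no longer matches
NEW_RANSOMWARE = (b"CONSTRUCTED SAMPLE C: encrypts user files, disables backups "
                  b"and contacts a remote server")                           # never seen before ("zero-day" analogue)
BENIGN_EDITOR = b"CONSTRUCTED BENIGN: a text editor that saves documents"
BENIGN_BACKUP = b"CONSTRUCTED BENIGN: backup agent that encrypts files and contacts the backup server"

if __name__ == "__main__":
    for label, content in [("known sample", SAMPLE_A), ("variant", VARIANT_A),
                           ("new ransomware", NEW_RANSOMWARE), ("editor", BENIGN_EDITOR),
                           ("backup agent", BENIGN_BACKUP)]:
        print(f"{label:15s} -> {classify(content)}")
```

The run shows the trade-off in miniature: the exact known sample is caught by its signature, the one-byte variant and the never-seen ransomware slip past the signature database but are flagged by the heuristics, the plain editor is clean, and the legitimate backup agent is also flagged because it genuinely “encrypts files” and talks to a server. That last case is why heuristic products need tuning, allow-lists and a sandbox to confirm a verdict before removal, and why the two approaches are complementary rather than interchangeable.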

Antimalware, in short, deals with any malicious code that can damage software, hardware, communication equipment or steal data.

Which one do we need?

We have seen, thus far, that antimalware and antivirus are not the same tools but are both created to detect and protect against malicious software.

While the term antivirus denotes that it only protects against computer viruses, its features often protect against the many common forms of malware today. Antimalware goes one step further and focuses on broader, more advanced, threats.

In other words, while antivirus software defends against well-known, more established threats, antimalware detects more advanced malicious codes, including so-called ‘zero-day’ attacks.

Antimalware does not replace antivirus; they are rather complementary. In other words, antimalware gives antivirus a boost and enhances multi-layer protection for computing devices and systems. However, the complementarity depends on the features provided by the vendors and may be related to each product’s specifications and setup.

Pricing is an important factor to consider when you decide to purchase a security product – whether it is antimalware or antivirus. In many cases, users cannot distinguish which is the right one, because they have neither the specific technical skills nor knowledge of the pricing criteria. The most common approach is to estimate the real costs of a potential attack striking computing devices by considering all case scenarios.

As we advised our readers, cybersecurity actions are successful if they reduce cyber-attack related losses by a higher sum than the preventative security measures cost – the cost of antivirus or antimalware in this case.
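The rule just stated, losses avoided must exceed the cost of the control, can be worked through numerically across several attack scenarios. The following is an added example, not from the article, using the standard risk-management terms single loss expectancy (SLE), annualised rate of occurrence (ARO) and annualised loss expectancy (ALE = SLE × ARO), which the article does not itself name. The scenarios, their probabilities, loss figures and the assumed effectiveness of the security product are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Scenario:
    name: str
    annual_rate: float          # ARO: expected incidents per year without the control
    loss_per_incident: float    # SLE: cost of one incident (investigation, rebuild, ransom, ...)
    residual_fraction: float    # share of incidents that still get through with the control in place


def annual_loss_expectancy(scenarios: List[Scenario], with_control: bool) -> float:
    """Sum ALE = ARO x SLE over all scenarios, optionally applying the control's effect."""
    total = 0.0
    for s in scenarios:
        rate = s.annual_rate * (s.residual_fraction if with_control else 1.0)
        total += rate * s.loss_per_incident
    return total


def evaluate_control(scenarios: List[Scenario], annual_control_cost: float) -> Tuple[float, float, bool]:
    """Return (losses avoided per year, net benefit, worthwhile?) for one control.

    The control is worthwhile exactly when the losses it avoids exceed its cost,
    which is the criterion the article states.
    """
    before = annual_loss_expectancy(scenarios, with_control=False)
    after = annual_loss_expectancy(scenarios, with_control=True)
    avoided = before - after
    net = avoided - annual_control_cost
    return avoided, net, net > 0


# Constructed scenarios for a small organisation (all figures are illustrative).
SCENARIOS = [
    Scenario("ransomware outbreak", annual_rate=0.1, loss_per_incident=500_000.0, residual_fraction=0.3),
    Scenario("phishing-led credential theft", annual_rate=0.5, loss_per_incident=40_000.0, residual_fraction=0.6),
    Scenario("commodity virus infection", annual_rate=2.0, loss_per_incident=2_000.0, residual_fraction=0.1),
]
CONTROL_COST = 20_000.0   # constructed annual licence and operating cost of the security product

if __name__ == "__main__":
    avoided, net, ok = evaluate_control(SCENARIOS, CONTROL_COST)
    print(f"ALE without control: {annual_loss_expectancy(SCENARIOS, False):,.0f}")
    print(f"ALE with control:    {annual_loss_expectancy(SCENARIOS, True):,.0f}")
    print(f"losses avoided: {avoided:,.0f}, net benefit: {net:,.0f}, worthwhile: {ok}")
```

With these constructed numbers the expected annual loss falls from 74,000 to 27,400, so the product avoids 46,600 of loss per year against a cost of 20,000 and clears the article’s bar. The same function also shows when it does not: raise the control cost above 46,600, or lower its effectiveness by raising the residual fractions, and the net benefit turns negative. Most of the avoided loss comes from the low-probability, high-impact ransomware scenario, which is why leaving such scenarios out of the estimate makes a control look far less valuable than it is.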

But it is not that simple: here come the cybersecurity doctrines

If you are not a cybersecurity professional or interested in cybersecurity in more detail, you can comfortably stop reading here… otherwise, let us see where the technical tools discussed above fit in the doctrinal picture of securing our digital work and life.

Generally, the doctrine is a codification of beliefs or a body of teachings or instructions, taught principles or positions, as the essence of teachings in a given branch of knowledge or a belief system.

The focus of early cybersecurity doctrine in the 1960s was on developing new technology without paying much attention to security. As computer systems became pervasive, they touched the lives of ordinary people – citizens’ records were stored electronically and workers used information technology to be more efficient. The requirement for a cybersecurity doctrine to take account of societal values became crucial. Then came other cybersecurity doctrines: the Doctrine of Prevention, the Doctrine of Risk Management, the Doctrine of Deterrence Through Accountability and the like.

A more detailed elaboration of these doctrines is out of the scope of this opinion piece, but it can be concluded that these doctrines lack synergy. The discrepancies are also visible in the doctrinal understanding of different implementers – whether corporates or state agencies.

The French approach to cybersecurity and defence, for example, contrasts with that embraced by the United States or the United Kingdom. Most notably, France assumes a clear separation between offensive and defensive cyber operations and actors. This means that, contrary to the National Security Agency or the U.K.’s Government Communications Headquarters, France’s leading agency for cybersecurity is not part of the intelligence community – a distinct defensive agency is separated from the offence-oriented military intelligence agencies.

Our intention here is not to ‘vivisect’ the above-mentioned doctrines but to support a more inclusive and, in our view, more effective one. It is the Public Cybersecurity doctrine, suggested by Mulligan and Schneider almost a decade ago (2011). The main point of this doctrine is that it “requires intervention in the private choices of individuals, hard trade-offs, and political agreements that could span nations”.

In view of this article, we would like to reiterate that none of the cybersecurity technological tools can help in isolation. Linking back to our discussion about antivirus and/or antimalware, it can be safely concluded that without synergy these are, like disconnected doctrines, almost useless tools.

As we recently suggested, it is important to understand that there are three general layers responsible for securing organisational digital future: cybersecurity professionals, IT departments that are in charge of supporting the organisation’s business goals and operations, and the enabling layer represented by the group of business leaders, including managers and executives.

In line with the Public Cybersecurity doctrine, we continuously advocate international cooperation as a doctrine for reaching more sustainable global security of our digital systems and lives. We are definitely in favour of negotiations and of reaching global arrangements among all actors. Although the discussion on cybersecurity remains as polarised as ever, reaching a common resolution seems far better than entering into endless and spiralling retaliations that can bring only disastrous results.

Without the above synergy, no choice of technology tools or disengaged doctrines would effectively protect our digital future.
