Symantec's 'Death of Antivirus' Is a Dangerous Marketing Ploy

UPDATED 10:45 a.m. ET Thursday with comment from Symantec.

Earlier this week, an executive of the antivirus software giant Symantec told a reporter from the Wall Street Journal that his company's core business model "is dead."

"We don't think of antivirus as a moneymaker in any way," Brian Dye, senior vice president for information security at Symantec, was quoted as saying.

Because Symantec is a leader in the U.S. antivirus software market, both with its core enterprise business and with its Norton consumer division, and its products for all platforms are considered some of the best antivirus software out there, Dye's comments that "antivirus is dead" got a lot of attention.

But the attention was undeserved. Dye's declaration was a marketing ploy, pure and simple. It was aimed at corporate IT departments, executive suites and Symantec investors, an attempt to rebrand old, lumbering Symantec as a lean, nimble rapid-reaction team that "gets it" and can keep up with the ever-changing malware threats facing big American companies.

The fact is, antivirus software is not dead, except in Dye's rather limited definition. Everyone needs to keep using it, even on the Mac and Android platforms, which is why we keep track of the best Mac antivirus software and the best Android antivirus apps.

The problem with comments such as Dye's is that they may mislead average users into abandoning antivirus software, which will only increase their exposure to very real threats.

Not what malware looks like, but what it does

Dye's definition of "antivirus" is narrow. He's talking about the business of selling software that scans computers for known malware files, which are detected by their code "signatures," mathematical representations of their unique software profiles.

That business is indeed dead, especially in the enterprise market, because there's no money in it. Only bare-bones antivirus products that are given away free to consumers still practice signature-only detection. 

Better AV products — Symantec and Norton included — long ago incorporated more advanced "heuristic" detection systems that not only scan for malware signatures, but detect malware-like behavior.

Heuristic detection is necessary because a lot of malware slips by signature-based systems. Some of it is "zero-day" malware that's never been seen before. Some of it is "polymorphic" malware that changes its code to evade signature blacklists.

Security blogger Brian Krebs noted today (May 7) that many malware creators test their products to make sure they will not be detected by antivirus signature scanners upon initial release.

As the Wall Street Journal noted, Symantec's Norton line of consumer products also includes "a password manager, a spam blocker and a tool that scans a user's Facebook feed to guard against dangerous links" — items that now come standard with high-end consumer antivirus products.

But from a business perspective, heuristic detection and spam blockers aren't enough. Despite decades of assurances by Symantec and its main domestic competitor, McAfee, that antivirus products would keep corporate networks safe, U.S. companies are increasingly finding out the grim truth — that a determined attacker will get through eventually.

That makes Symantec look bad, and it makes smaller firms like Mandiant or FireEye, which get called in to clean up after a corporate data breach or network infection, look good. (Mandiant and FireEye recently merged.)

Lean, mean fighting machine

So Symantec is going to meet the cleanup crews on their own turf. The Wall Street Journal said the company was "creating its own response team to help hacked businesses" and would "sell intelligence briefings on specific threats." It's going to try to provide the intimate, comprehensive service that Symantec slipped away from as it grew large and, arguably, complacent.

There's no doubt that Symantec needs a shakeup. The company recently fired its CEO, the second to get the boot in two years. (The last CEO to leave voluntarily is now chairman of the board at Microsoft.) Its revenue is down, according to the Wall Street Journal, and its Norton consumer line is facing increased competition from well-regarded overseas AV makers such as Kaspersky Lab and Bitdefender.

Yet a post-breach cleanup crew isn't what the ordinary home computer user needs. Joe or Jane Public are not going to be targeted by Chinese state-sponsored hackers looking for corporate secrets.

But Joe, Jane and you are being targeted by cybercriminals who try to steal money and identities with banking Trojans, drive-by downloads, phishing emails and ransomware — all forms of malware that full-fledged, paid and constantly updated antivirus software suites are very good at stopping.

UPDATE: After our article was published, Symantec gave Tom's Guide the following statement:

"The era of AV-only is over. Companies need comprehensive attack prevention that integrates the full range of security technologies. Symantec led the first era of security with antivirus, and it continues to be an important part of our portfolio. Combined with intelligence and other technologies we are pioneering, we can solve larger customer problems that point-based competitors simply cannot do."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • spectrewind
    My two cents... I work for a global medical technology company, and Windows runs beneath the products. They used SAV going back to SAVECE7 up to ENDPOINT11.

    No longer. The memory footprint of Symantec's anti-malware products continuously 'gimps' a perfectly working system, be it a dual-core desktop or a redundant Xeon server system running a formulary database, whether stand-alone install or linked to a parent server (via GRC.DAT or .XML file).

    I have worked on entirely too many service calls to 'repair' such systems and have earned fabulous quantities of overtime because Symantec's poorly designed software broke the computer (although it was kind enough to leave lots of event logs telling you that it doesn't work).
    BSODs to extreme slowness. A virus did do this. Symantec's software did this.

    Another well-known vendor took their business. Could be the death of something coming up, although I wager 'antivirus software' isn't the answer.
  • spectrewind
    *A virus didn't do this.

    Getting error 500 trying to slosh round tom's broken forums.
  • hotwire_downunder
    Unfortunately this incident reflects a serious issue with some tech companies... It is totally one thing to get business-savvy individuals to run a company and totally something else to let them speak about that technology in a public forum... This is especially true in InfoSec... A/V is always a firefight... You cannot ever just settle on one type of technology and be complacent

    Signatures may be outdated tech, but it is still a vital and valid tech as the processing overhead for signature based scanning is far less than heuristics which most of the time requires sand-boxing and code emulation...
  • Bondfc11
    If you are dumb enough to take the word of one VP that you don't need antivirus protection you should probably just chuck your rig out the window.
  • thundervore
    I've been running a computer without AV for a few years now and no issues whatsoever. Granted that computer is used by me and only me and I know what sites I visit and I know what I click on.

    Even my server does not run AV, and no issues so far. My work computer, however, runs SAV and it is a pain in the ass. It slows everything down for no reason.

    Computers still were infected with the Homeland Security Virus and CryptoLocker even though SAV was installed and running.

    Honestly if you cannot prevent the virus from doing its nasty deed then there is no need to have you on the system taking up resources!
  • Darkk
    Most users are smart enough not to do stupid things on their PC. But it takes one idiot to bring the entire network down so better to have protection than none at all.
  • memadmax
    At work, AV is mandated.
    Because of people that don't know what they are doing.

    At home, rarely touch the stuff. I fire up an AV program once in a blue moon to check things/curiosity. After that, I shelve it...
  • Pailin
    I've seen AV software work successfully Far Far too many times (over the years) to consider not using any.

    - and I am also one of those super careful people.
    - - but sometimes have to work on files from other trusted people (who do not use AV software >_< )

    and a decent number of files are Extremely destructive (a couple I have seen on friends PCs:).
    - sometimes in your face obvious destroying all your jpg and avi files for eg
    - other times slowly progressively destroying your PC's core files over many months, gradually corrupting all files on your PC so by the time you notice, critical damage is done (and to a large proportion of your backups too :s )

    Anyone working as an IT Admin in a largish company 200+ people will Know you don't want to run with no AV lol
    (most viruses come from the semi PC savvy Directors and upper managers then infect everyone else's PCs over the internal network if the AV does not stop it in time)

    Not running AV and not seeing a problem does not mean you are not infected by a nasty virus either ;)

    - I have had viruses try to infect my PC from sites I trust like Tomshardware through their advertisers more than once before.
    - trusted downloads from original website sources of programs have been infected before a few times in my personal experience, though this is very rare.

    Basically you would be Crazy to run a PC with no AV, unless you are perm offline and never accept files from 3rd parties (not really possible unless you never install any software on your PC)
  • Haravikk
    Granted, a good heuristic system is better for detecting newer threats, signature based detection is still the best way to detect known threats as it doesn't have to occur on running software, and is less expensive on system resources.
  • grumpigeek
    Maybe Brian Dye thought his comments would attract attention.

    However, I believe he has lost sight of the fact that the average PC user is rather stupid. His comments will only encourage these disinterested users to abandon their Internet Security Suites.

    All Dye has succeeded in doing is damaging Symantec's reputation.