Fresh Thoughts #24: The Evolution of Cybersecurity: Antivirus

three chrysalis

Last week while having a few days' break, I read the headline - "Cybersecurity tech is constantly changing".

Erm… not in my experience. Most of the cybersecurity tech is evolutionary.

There are only rare occasions that a revolutionary step forward occurs.

This week - the evolution of antivirus.

Next week - the revolutionary advance of "3 random words".

The Evolution of Cybersecurity: Antivirus

In the beginning

I don't feel that old, and 4 May 2000 doesn't seem that long ago... even if it was 22 years ago.

On that day, Onel de Guzman released the first widespread virus using social engineering. A simple email subject of ILOVEYOU and a script pretending to be a text file created at least $15.5 billion of damage.

In the early '00s, antivirus was simple. Find a unique identifier - a signature - and you've found the virus. In Guzman's case, it was the copyright he included in his source code.

From here, the cat-and-mouse game between virus writers and antivirus researchers began:

Publish a virus.

Create a signature for the virus.

Detect and remove the virus.

This cat-and-mouse game hasn't really changed - and is at the heart of antivirus.

But what if the virus didn't have a "signature"?


What if every time a virus is released, it looks different?

There wouldn't be a signature and no easy identification and removal.

Fast forward 7 years, and the next step of evolution came in the form of packers. Rather than have clearly readable source code - use a 'packer' to jumble up the instructions.

The source code is always in a different order but the same outcome when the virus runs.

At the extreme, the code looks like a plate of spaghetti. Hence - spaghetti packers. While these have been available since 2007, it remains a common concern today.

So if signatures have become impossible… how do we detect it?


In response to the rise of packers, vendors changed their tactics.

Instead of simply looking for signatures:

What happens when the file runs?

Which server does it connect to?

Does it try to get access to data that it really shouldn't?

This is heuristics.


But - wow… managing all these things is getting tricky.

Indicators of Compromise

Only 2 years later, while I was looking at cybercrime in 2009, the team at Mandiant were working on state-sponsored hackers. Or Advanced Persistent Threats - APTs.

State-sponsored hackers used the most sophisticated techniques, and tracking the indicators that computers had been infected was tricky. So they created "indicators of compromise" (IoCs) as a way to share information.

IoCs were simply a list of ways a virus or malware could be identified. If it connects to this domain or has this file… etc.

Great. So we've solved viruses and malware… right?

Unfortunately - no.

"My computer's too slow."

Even though antivirus analysis techniques matured in 2010, all was not well...

"My computer's too slow. I can't work effectively."

Laptops aren't designed to run massive amounts of security monitoring - and complete work. So people started to complain.

Luckily at this time, a new advance in IT - cloud computing - came to the rescue.

"Let's offload the heuristics work to the cloud - so our customers' laptops start working again."


A few years later, in 2013, Gartner analyst Anton Chuvakin labelled this approach as "endpoint [..] detection and response."

EDR was born and became the industry marketing term.

And as indicators of compromised moved from APTs to everyday cybercrime… Gartner started citing Trend Micro's use of eXtended Detection and Response (XDR) in 2017.

Fast forward to 2022

The daily cat-and-mouse game between hacker and antivirus company continues. The most significant value an antivirus vendor provides is their research team and ability to respond quickly to emerging threats.

But at best, the tech approach is iterative. And the idea of rapid change is grossly overstated.

However, you can be forgiven for not spotting this. The hype of cybersecurity marketing and the buzzword de jour is constantly changing.

July 19, 2022
3 Minutes Read

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Related Reads

Rocky path on the side of a mountain

Fresh Thoughts #23: The Time a Teenage Girl Broke Her Back

In Incident Response, “doing anything” can sometimes make things much, much worse. And it always burns time. Did I ever tell you about the time when doing nothing meant a 13-year-old girl wasn’t paralysed for life?

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868