Changes in the antivirus industry

by Eugene Kaspersky

Over the past few years, the antivirus industry has undergone some major changes. The market leader has changed (McAfee has lost ground to Symantec), some independent antivirus companies have either disappeared from the market or have been taken over (the Romanian company RAV and the Australian company VET), and new players (BitDefender, ClamAV) have appeared. However, before discussing this, the following factors should be highlighted:

  1. This article only deals with ‘standard’ antivirus solutions: for home computers, workstations, corporate file and mail servers. Arguably, antivirus solutions for smartphones could be included in this list. Virus attacks targeting mobile phones may not be particularly common at the moment but the situation is likely to change radically - for the worse, naturally - in the next few years. This article does not examine hardware solutions (such as gateways, routers with integrated virus scanning capability), or solutions for large UNIX systems. Nor does it cover other antivirus filters which are dedicated to specific tasks.

  2. Additionally, the discussion here is not concerned with the marketing side of the industry. Marketing undoubtedly has an influence on the market share of individual companies, but security solutions (a category which includes antivirus programs) aren’t washing powder or toothpaste. Ultimately, end users don’t choose a security solution because of the way it’s marketed.

Obviously ‘standard’ antivirus solutions will continue to evolve. In order to understand the nature of such solutions and to identify trends, we need to determine the main factors currently influencing the antivirus industry.

Factor 1: Continuing criminalization of the Internet

Any society of a certain size (such as a town or a country) includes criminal elements. Crime levels are determined by the following factors:

  • the size of the community (the bigger it is, the higher the number of potential and actual criminals)

  • the level of economic development (it's easier to earn a living by honest means in more developed countries)

  • the ability of law enforcement bodies (e.g. the police) to investigate crimes and imprison the perpetrators

The Internet is no exception. Its size is immense, and many of the different countries which make up part of this community are economically undeveloped. A particular cause for concern is programs which advocate ‘cheap computers for poor third world countries’ - these further encourage criminal activity on the Internet. Statistics on the number of malicious programs originating from specific countries confirm this: the world leader in virus writing is China, followed by Latin America, with Russia and Eastern European countries not far behind.

In terms of law enforcement, in the vast majority of cases investigating cybercrime is a complex task, particularly taking into account the fact that the Internet has no physical borders.

Data which fall into the three categories listed above clearly indicate that not only is the level of criminal activity on the Internet already high, but that it will also continue to increase. One piece of evidence for this statement is that the amount of crimeware has increased twofold over the past year; this indicates that criminal activity on the Internet has doubled in the same space of time. There is no reason to suppose that this growth rate will slow in the future.

The conclusion: pressure on antivirus companies will increase as they will have to analyze more and more malicious code. Companies that fail to detect new malicious programs quickly and thus leave their customers unprotected will suffer a decrease in their market share, and will not be capable of competing in this professional arms race.

Factor 2: Increased variety of malware and attack methods

Ten years ago, back in 1996, malicious programs fell into two categories: viruses and primitive Trojans. At that time, there was no such thing as malware which could be used for criminal ends. However, in the intervening decade, malware has become far more complex and varied:

  • network worms

  • a wide range of Trojan programs, including Spyware

  • AdWare

  • malicious application of legitimate programs (such as keyloggers and remote administration utilities)

  • a wide range of spam, from begging emails to blackmail

  • phishing - a clearly differentiated type of financial scam

  • network attacks and rackets

  • etc

The vast majority of malicious programs are written for Win32 systems. The number of malicious programs targeting Linux, Mac OS, and smartphones (running under a variety of operating systems) is still, as yet, insignificant. There have also been a handful of PoC viruses for 64-bit systems.

The conclusion: antivirus companies have to be prepared to work with a wide variety of malware. This means not only releasing products but providing continued support: testing them, and releasing updates for the whole product range. Companies that cannot keep up with the very latest technological developments will not be able to break into new industry segments. Moreover, they will start to lose ground on their own territory, and current competitors or completely new players will take advantage of new market opportunities.

Factor 3: Microsoft

Microsoft is going to be seriously focussing on the security solutions market; this will include developing antivirus solutions. The antivirus industry is in a state of shock - everyone remembers Netscape and other independent projects, which either significantly lost market share or disappeared altogether after Microsoft produced similar products. Microsoft is planning to bring the following to the market:

  • antivirus for home PCs

  • antivirus for workstations (planned for the future)

  • solutions for MS Exchange (using the multi-engine Antigen from Sybari)

Of course, the appearance of this commercial giant will be a heavy blow to other manufacturers. But just how heavy will the blow be?

Users come in a range of shapes and sizes. So what factors influence them when buying an antivirus solution?

  • A: Commodity: the user buys the cheapest antivirus, or the most attractively packaged.

  • B: Branding: the user buys either a brand to which s/he has loyalty, or a branded product which has been successfully marketed.

  • C: Branding: the user is determined not to buy a Microsoft product. Such consumers will not trust antivirus solutions produced by this manufacturer.

  • D: Performance characteristics - the overall quality of the product.

It’s clear that these factors, and the types of user described, don’t exist in any pure form. The factors which influence consumer choice will be a combination of A+B+C+D in varying degrees. If we’re talking about the home user market, factor B will have a significant influence. As Antigen uses several antivirus engines (including some very good ones), the corporate market will be influenced by B+D. In order to estimate Microsoft's future market share, and the losses which other antivirus companies will correspondingly suffer, the value of A, B, C, and D needs to be determined. This is a simple task which can be fulfilled via consumer surveys.

Conclusions

As shown above, there are three deciding factors which affect the condition of the antivirus industry:

  • The criminalization of the Internet

  • Various types of criminal activity

  • Antivirus protection from Microsoft

The antivirus market of the future will be heavily influenced by these three factors.

So is it time to throw in the towel?

The answer to this question is unclear. We should remember Microsoft’s first attempt to create an integrated antivirus solution, MSAV for MS-DOS in 1994. This attempt was unsuccessful. It’s rare to make the same mistake twice. 12 years have passed since 1994, and a lot has changed during that time. The most important thing is that consumer demand for quality has increased: detection rates, speed of reaction to the dramatically increased number of attacks, frequency of updates, proactive technologies.

If a product is technically sound but does not offer better antivirus protection than Microsoft’s solution, it will more than likely be bought mainly by consumers influenced by factor C. If a product offers better protection than Microsoft’s antivirus together with a lower price, then it will appeal to buyers of all categories. Furthermore, if an antivirus developer’s engine is integrated into Antigen, then there is no need to worry about the future (as long as the engine continues to be used). Microsoft will not be selling the product itself, but taking a percentage from the vendor. And for Microsoft, that is the beauty of it: it can sit back and enjoy the profits (and the ideology of a “multi-engine solution” will transform the antivirus business into a trade in engines rather than products).

It will be a different, rather sorry, story for those vendors whose antivirus engines are not integrated into Antigen. On the other hand, such companies should not, perhaps, be written off; as there's no solution which can provide 100% protection against all threats, the IT market (including the antivirus market) is extremely crowded. The more troublesome a disease, the more medicines will be taken to combat it: in a similar way, users plagued by computer viruses are ready to embrace new technologies to rid themselves of the problem, and this means they will be ready to embrace a variety of solutions, not only those from the software giant. The message to antivirus companies is clear: if the company is not only to survive, but to survive profitably, compatibility issues have to be solved. Engines from different developers have to be developed with peaceful coexistence in mind (as is the case with Antigen). Another alternative is to develop double or triple layer protection against Internet threats.

The conclusion: it’s likely that things won’t turn out that badly. However, some antivirus companies will have to start cutting their budgets and thinning the ranks of their employees. Public companies will find that Microsoft’s entry to the antivirus market will impact the value of shares, and a fall in value will have the following negative consequences:

  • It will be harder to attract investment

  • Employees’ share options will be devalued

One consequence will be that middle and senior management will desert the company.

Summary

Changes are underway in the antivirus industry and will continue for some time to come. It’s not unlikely that Microsoft’s entry to the IT security market will be a decisive factor which affects the changing situation. The software giant’s entry will undoubtedly have an impact on the best-known industry players and the current market share of antivirus companies is likely to change radically. Naturally, each company will be affected in a different way. For some, it will come as a heavy blow, while others will barely be affected and yet others will welcome Microsoft’s arrival on the market.

The most negative consequences will be felt by:

  1. Publicly held companies
  2. Businesses which rely on income from the market sector which Microsoft is entering
  3. Manufacturers with engines which are inferior in quality to Microsoft’s
  4. Manufacturers whose engines aren't used in Antigen

The brightest future awaits:

  1. Privately held companies
  2. Manufacturers with a broad product range
  3. Manufacturers with a high-quality engine
  4. Manufacturers whose engines are used in Antigen

Hopefully, the arrival of the software giant on the IT security market will have a positive impact on future developments in this field and will raise the quality of security solutions. It is to be hoped that the Internet will become a safer place as a result - every desk will not only have a computer on it, but a secure computer.

Copyright © 1997 - 2009 Kaspersky Lab.
All rights reserved.