Defense-in-depth, sometimes called layered security, is a philosophy that embraces the concept of multiple defenses against threats. Rather than putting all the proverbial eggs in one basket and relying upon a single security strategy, multiple and different technologies, policies and practices all work together to provide as thorough and effective protection as is possible. It sounds good on paper, and it works great in practice, but in far too many customer engagements, IT often chooses to pass over patch management software in the false belief that their antivirus software will protect them against all threats.
This is not only dangerous but it’s completely wrong. Antivirus software is a critical protection, and should be installed on all systems, but the purpose of antivirus software is to protect against malware. Whether that is a piece of code that a user tries to download and run, or a malicious script that is hosted on a website, or a worm that tries to propagate from system to system, malware is code that has a recognizable binary pattern and acts in a recognizable way. It’s designed to work against code specifically written to cause harm.
What antivirus software is NOT built for or capable of doing is protecting against faulty code in otherwise approved applications. Patches are designed to fix bad code, collectively called bugs. That code could be a mistake made by a programmer, or an incompatibility with another piece of software, or perhaps it is simply code that is not as good as it could be. When that mistake can be exploited by an attacker, patching that code may be the only way to prevent the vulnerability from being exploited.
Antivirus software acts upon malware that is already present on your system. How did it get there? Well, frequently that code gets there through a bug. The problem is that an attacker can act through the opening created by the bug without ever dropping code that the antivirus software recognizes and blocks. When a piece of buggy code allows an attacker remote access to your system, antivirus software will not detect or prevent that access.
Another way of looking at this is to compare antivirus software to a security guard, and patches to good locks. Sure, the guard can react to the presence of a thief, but the locks could proactively keep the thief completely out of the system. If the thief gets in, how much damage could be caused before the guard finds him?
Just as you need antivirus software on all your systems, you want the necessary patches installed on all the systems that require them. The best way to accomplish that is by using patch management software. Patch management software, like GFI LanGuard, for example, provides you with a centralized application that can deploy patches to every system on the network. It can also assess those systems so that you know exactly what each one needs. In essence, it does the heavy lifting for you, upgrades the locks and secures the latches. Patching is an ongoing task, with both monthly releases from the major operating system vendors and unpredictable releases from software vendors as new vulnerabilities are discovered.
Automatic updates can take care of the operating system, but only if you trust all those patches to work on all your systems without testing. Patch management software not only makes it far easier to test all those patches, but also lets you roll back any that turn out to have their own set of issues – and it won’t be the first time a patch has.
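As an added example (not GFI LanGuard's code or any product's), here is the assess / deploy / test / roll back loop described above, modelled in Python over a constructed inventory; the host names, platform labels, patch ids and the health check are invented sample data:

```python
# Added illustration of the assess / deploy / test / roll back loop; not
# GFI LanGuard code. Platforms, patch ids and hosts are constructed data.
from dataclasses import dataclass, field
@dataclass
class Host:
    name: str
    platform: str                                # constructed platform label
    installed: set = field(default_factory=set)  # patch ids present on host
# Constructed: which patches each platform must have.
REQUIRED = {
    "windows-server": {"PATCH-2024-01", "PATCH-2024-02"},
    "ubuntu": {"PATCH-2024-03"},
}
def sample_inventory():
    """Constructed inventory standing in for a network assessment scan."""
    return [
        Host("srv-01", "windows-server", {"PATCH-2024-01"}),
        Host("srv-02", "windows-server", {"PATCH-2024-01", "PATCH-2024-02"}),
        Host("srv-03", "windows-server", {"PATCH-2024-01"}),
        Host("web-01", "ubuntu", set()),
    ]

def assess(inventory, required=REQUIRED):
    """Return {host name: sorted missing patch ids} for non-compliant hosts."""
    report = {}
    for host in inventory:
        missing = required.get(host.platform, set()) - host.installed
        if missing:
            report[host.name] = sorted(missing)
    return report

def hosts_needing(inventory, patch, required=REQUIRED):
    # Hosts whose platform requires the patch but do not have it installed.
    return [h for h in inventory
            if patch in required.get(h.platform, set()) and patch not in h.installed]

def staged_rollout(targets, patch, pilot_size, healthy):
    """Patch a pilot group first and run healthy(host) on it; any failure rolls
    the patch back off every pilot host and stops, otherwise patch the rest."""
    pilot, rest = targets[:pilot_size], targets[pilot_size:]
    for host in pilot:
        host.installed.add(patch)
    failed = [h.name for h in pilot if not healthy(h)]
    if failed:
        for host in pilot:                       # roll back the whole pilot
            host.installed.discard(patch)
        return "rolled_back", failed
    for host in rest:
        host.installed.add(patch)
    return "deployed", [h.name for h in targets]
```

Running `assess` again after a rollback shows the pilot hosts still listed as missing the patch, which is the signal to investigate before retrying the rollout.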
So while antivirus software is absolutely critical and has its proper place in your network, it’s no substitute for patch management software. Using both will help to bolster your defenses and is a good start towards that layered security approach.