Walking Among the Valley of Kings: EDR Rising and the End of the Antivirus Era

It was 1971 when the first known virus began infecting PDP-10 mainframe computers manufactured by the Digital Equipment Corporation (DEC). In order to delete the infected files, Ray Tomlinson developed the first known software to hunt down and delete the virus dubbed Reaper. This would later be followed by the first known antivirus software in 1987 when a German computer security expert Bernd Robert Fix came up with the first recorded antivirus software program designed to remove the Vienna virus that was designed to infect .com files in the DOS operating system. Later, German company G Data Software AGreleased the first known antivirus software designed to be used on Atari ST computers, followed shortly by McAfee, Inc. now owned by Intel, who released its first antivirus scanner dubbed Viruscan after its founding in 1987.

The antivirus industry would quickly mature over the next decade and a half to 2003 when I along with other cybersecurity engineers around the world were working tirelessly to remediate SQL Slammer worm infections. Despite having antivirus software installed on our endpoints, these hosts were still becoming infected, underscoring what I always believed would be the eventual sunsetting of this traditional approach to antivirus. This worm outbreak required me along with several colleagues to stay in a nearby hotel to work throughout the day and night to clean the infections off hosts that despite having Symantec Endpoint Protection installed, were still getting infected. Symantec’s technical support team’s response? Go download their individual cleaner tool, Symantec Eraser. The continuous effort to download updated DAT files was still ineffective at catching every variant so their solution was to direct customers to their Eraser tool to clean infected hosts instead.

This is just one incident response event among many in my history along with penetration tests I performed where I was able to shut down specific antivirus software with a module within Metasploit Framework, upload a backdoor to a compromised host built with veil-framework that went unnoticed by the AV, and so on and so on. But my stories are just a few in the thousands that are out there that exist in the annals of history of antivirus software fails dating back to 1994 when I first started learning how to hack from hackers on IRC channels in EFNET (back when IRC was a “thing”) using dialup accounts to Concentric Internet Services (CRIS) using my Procomm Plus dialer and a 2400 baud modem (end nerd flashback).

Fast forward to 2002 and enter the EDR startup landscape — startups that came in attempting to unseat the old guard. Coincidentally enough, just six years later in 2008 as Endgame was making its debut, a hacking competition at the annual Defcon security conference dubbed “Race to Zero” was to evidence to the world that legacy antivirus was indeed now dead by having participants tweak known viruses in an attempt to foil signature-based blacklists of several major antivirus engines despite the lament of several of the AV vendors for the mere idea of holding a contest like this. The competition’s organizer simply responded to the AV industry, “we’re just pointing out the basic flaw in signature-based antivirus.”

The contenders that would begin putting downward market pressure on the traditional antivirus companies beginning in 2002 would include Carbon Black founded in 2002; Countertack, 2004; Tanium, 2007; Endgame, 2008; Crowdstrike, 2011; Cybereason, 2012; Cylance, 2012; and SentinelOne in 2013 just to name a select few.