In today's threatscape, antivirus software provides little piece of mind. In fact, antimalware scanners on the whole are horrifically inaccurate, especially with exploits less than 24 hours old. After all, malicious hackers and malware can change their tactics at will. Swap a few bytes around, and a previously recognized malware program becomes unrecognizable.
Stories by Roger A. Grimes
I first came across the Mu Security Analyzer when a co-worker on a multi-company government project raved about how the appliance found a zero-day vulnerability in an e-mail inspection device that was protecting a top secret government agency. It was a rather simple script bug in the other vendor's product, but it would have allowed uncontrolled code execution. The implication was that our top secret project could have been compromised by an external hacker running penetration tests against our e-mail services. Initially, the manufacturer of the compromised mail filter refused to believe that a weakness existed in its product. That is, until we sent the exploit, automatically generated by the Mu analyzer, that the vendor's engineers could run to see for themselves.
Server-side polymorphism is a challenging problem for anti-malware software vendors. Much of today's malware, such as the Storm worm, creates tens of thousands of variants each month, a development that has made many anti-virus software programs that use static signatures significantly less accurate.
Companies should have a honeypot, not to learn hacker and malware tricks, but as an early warning system. All computer security defenses will ultimately fail. And if they fail and a bad thing gets by your defenses, what's the next best thing? Early warning.