Few things beat patching, yet on industrial control systems patching is often delayed and delayed and delayed until some event forces the owner’s hand. Antivirus is often used as a stop-gap measure that justifies delaying patching even further. This is often not a very good approach.
Recently we made the news when someone attempted to spearphish us (and no, they did not succeed). What was quite interesting about the malware was that only 7 out of 42 antivirus products used on VirusTotal initially recognized the attachment sent to us as malicious. More antivirus companies have since joined the ranks, but still only 62% detect it. The file that the email attachment downloads is still only recognized by 3 out of 42. Notably, Symantec and McAfee still don’t recognize it as malicious.
Antivirus is incredibly easy to circumvent. Plenty of automated tools exist to change a program’s signature just enough to get around antivirus.
Access to source code shows just how easy it is. I often use the tool netcat in network assessments. Netcat is recognized by most antivirus software as malicious and it is quickly quarantined if I need to use it on a system, for example during a penetration test. I compiled my own copy with nothing more than passing some optimization flags to a compiler. My special netcat binary for Windows is recognized by 0 out of 42 vendors, and lets me maintain access for the pen-test.
So don’t forget to patch. It may just save your control system network.