Tempted to change your antivirus after a ransomware infection? Good or bad idea?
It is common for ransomware victims to want to change their antivirus software when it failed to detect the ransomware. In reality, despite the impressive detection rates (99.99%) found in benchmarks or reviews, antivirus software performs poorly in real life when it comes to detecting unknown malicious tools. In the many incident response cases we've handled, we've seen every type of antivirus get bypassed by ransomware.
For instance, in 2020 we saw some very reputable antivirus products on the market fail to detect old ransomware dating back to 2017.
Based on our experience in the field, we therefore recommend that companies assume that any antivirus will protect them against 50% of malicious tools, but not more than that.
The rest is up to you: educate your users, deploy complementary technologies, monitor your network, etc. Finally, make sure that a password is required to shut down the antivirus software. You will regret it if you realize afterwards that the antivirus would have prevented the infection had the attacker not been able to stop it.