
New controversy on the effectiveness of antivirus software

Patrick Lambert looks at a recent report that tested antivirus and found detection rates "abysmal." But not everyone thinks the tests were fair.

The debate over whether an antivirus product is worth the money is not new; surveys and studies comparing the effectiveness of the various security products have been published for many years. The problem used to be severe because of the very design of antivirus software: it scanned a system for malware it already knew about, and nothing else. In the early years each product kept a database of known threats, and when a new kind of malware appeared nothing detected it, so it infected every system it could reach until the vendors updated their definition databases. That is less true now because of heuristics: the engine looks not only at malware signatures but also at behaviour, and tries to catch new malware by what the binary does to your computer (the files it drops, the persistence it sets up, the processes it spawns) rather than by an exact match against bytes it has seen before. How effective these newer techniques are is still up for debate, and according to a recent study by the firm Imperva, also reported in the New York Times, antivirus products simply do not do a good job at it.
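To make the signature-versus-heuristics distinction concrete, here is an added toy scanner. It is not code from the article, from Imperva, or from any antivirus vendor: the signature database, the weighted list of behavioural indicators and the three PowerShell-like text samples are all constructed for illustration, and none of the samples is real malware. A cosmetic re-spin of a known sample defeats the hash and byte-pattern check but scores exactly the same on behaviour, while a benign script that shares one indicator with the malware stays under the alert threshold, which is where the false-positive trade-off the article discusses further down lives.

```python
"""Signature matching vs. behavioural heuristics, side by side.

Added example for this article: the scanner, the "signature database", the
indicator list and the three samples are all constructed here for
illustration. None of it is code from the article, from Imperva, or from
any antivirus vendor, and none of the samples is real malware.
"""
import hashlib
import re

# --- Constructed samples (PowerShell-like text, not real malware) ----------
# A sample the vendor has already seen and written a signature for.
KNOWN_SAMPLE = b"""
Set-MpPreference -DisableRealtimeMonitoring $true
vssadmin delete shadows /all /quiet
reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\Public\\upd.exe
"""

# The same behaviour, trivially re-spun: casing and spacing changed on one
# line and a comment appended. The file hash and the literal byte pattern no
# longer match; what the script *does* is unchanged.
VARIANT = KNOWN_SAMPLE.replace(
    b"vssadmin delete shadows /all /quiet",
    b"VSSADMIN  Delete  Shadows /all /quiet",
) + b"# build 2\n"

# A benign deployment script that shares one indicator (a Run key) with the
# malware, to show where heuristics start trading detection for false positives.
BENIGN = b"""
# Pin the status helper to the user's startup list and report back
reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v helper /d C:\\Tools\\helper.exe
Write-Output 'installed'
"""


# --- Constructed signature database ---------------------------------------
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


KNOWN_SHA256 = {sha256(KNOWN_SAMPLE)}                  # whole-file hashes
KNOWN_PATTERNS = [b"vssadmin delete shadows /all /quiet"]  # exact byte strings

# --- Constructed behavioural indicators -----------------------------------
# Each entry: (description, case-insensitive regex over the file bytes, weight).
# These describe actions, not identities, so they survive cosmetic changes.
INDICATORS = [
    ("persistence via Run key", rb"CurrentVersion\\Run",                     2),
    ("shadow copy deletion",    rb"vssadmin\s+delete\s+shadows",              3),
    ("download and execute",    rb"DownloadString\(.*\)\s*\|\s*iex",          3),
    ("encoded command line",    rb"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", 2),
    ("defender tampering",      rb"Set-MpPreference\s+-Disable",              3),
]
ALERT_THRESHOLD = 5  # raise to cut false positives, lower to catch more


def signature_scan(data: bytes):
    """Classic engine: flag only what has been seen before (hash or byte pattern)."""
    if sha256(data) in KNOWN_SHA256:
        return True, "hash match"
    for pattern in KNOWN_PATTERNS:
        if pattern in data:
            return True, "pattern match: %r" % pattern
    return False, None


def heuristic_scan(data: bytes, threshold: int = ALERT_THRESHOLD):
    """Score behavioural indicators; alert when the weighted sum crosses threshold.

    Returns (alerted, score, [matched indicator names])."""
    hits = [(name, weight) for name, rx, weight in INDICATORS
            if re.search(rx, data, re.IGNORECASE)]
    score = sum(weight for _, weight in hits)
    return score >= threshold, score, [name for name, _ in hits]


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        sig, why = signature_scan(sample)
        heur, score, hits = heuristic_scan(sample)
        print(f"{label:8s} signature={sig!s:5s} ({why})  "
              f"heuristic={heur!s:5s} score={score} hits={hits}")
```

Real engines do this with emulation, sandboxing and run-time hooks rather than regular expressions over the file bytes, but the shape of the trade-off is the same: the signature check has no false positives and misses anything it has not seen, and the behavioural score catches the re-spun variant at the cost of having to pick a threshold that benign administrative scripts will sometimes brush against.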

In its Hacker Intelligence Initiative Monthly Trend Report, published in late December, the researchers took 82 randomly selected malware files and ran them against some of the most popular antivirus products to measure their detection rates. The samples were newly created, collected from web forums, and the result, according to the report, was abysmal: the initial detection rate for the new samples was under 5%, and for some of them it took weeks before any antivirus began to detect the file. The researchers also found that commercial and free products had similar detection rates, and recommended that people and businesses use the free products instead. One figure they cited is that 4.5 billion dollars is spent on antivirus, an amount they consider out of proportion to the effectiveness of these applications. Finally, they recommended that security teams focus on identifying aberrant behaviour rather than on detecting infections.

There are many ways to compare security products, and reaching a sound conclusion is harder than it looks. In the weeks after the study was released, several independent testing labs and antivirus vendors criticised the way this particular research was done. First, the firm used VirusTotal. The site is very popular in the security community: you upload a file, it is run through a series of popular antivirus engines, and you get a report of which engines detected it, if any. But this automated process uses only the core scanning engine of each product, in its command-line form, so it does not behave like a fully installed product. The perimeter detection layers are not exercised and the run-time heuristics that watch a file as it executes are largely absent, so a file that VirusTotal reports as undetected may still be blocked on a real endpoint. A miss in VirusTotal is evidence about the static engine, not about the whole product.

Another problem the security companies were quick to point out is the small sample size. Around 142,000 new malicious files are submitted to security researchers every single day, so a sample of 82 is far too small, and could easily be biased. That is especially so if all of the files were taken from specific Russian forums, for example, rather than from a sample representative of what everyday Internet users actually encounter. Finally, they note that normal computer users will not face sophisticated threats like Flame or Stuxnet, and that for average malware an antivirus product will stop around 9 infections out of 10.
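The two numbers the report turns on, the initial detection rate and how long engines take to catch up, and the sample-size objection above can all be made concrete. The script below is an added example, not code from the article or from the report: it runs over a handful of constructed scan records (invented day offsets for three hypothetical engines A, B and C) and attaches a Wilson confidence interval to each rate. Applied to the report's own headline of roughly 4 of 82 samples caught on first sight, the interval spans about 2% to 12%, which is why 82 samples cannot tell "abysmal" apart from merely "poor"; 2,000 samples at the same proportion would.

```python
"""Reading an antivirus detection-rate figure with the uncertainty attached.

Added example for this article. The scan records below are constructed for
illustration; they are not VirusTotal data and not the Imperva samples. Day
offsets are counted from the first sample's submission.
"""
from math import sqrt
from statistics import median

# Constructed records: (sample id, day first submitted, {engine: day that
# engine first flagged it, or None if it never did inside the window}).
SCANS = [
    ("s01", 0, {"A": 0,    "B": 14,   "C": None}),
    ("s02", 0, {"A": None, "B": 21,   "C": 30}),
    ("s03", 2, {"A": 2,    "B": None, "C": 35}),
    ("s04", 3, {"A": 10,   "B": 3,    "C": None}),
    ("s05", 5, {"A": None, "B": None, "C": None}),
    ("s06", 5, {"A": 5,    "B": 19,   "C": 40}),
]
ENGINES = ("A", "B", "C")


def initial_detection_rate(scans, engine):
    """(flagged, total): samples the engine caught on the day they first appeared.

    This is the quantity the report calls the initial detection rate."""
    flagged = sum(1 for _, first_seen, det in scans if det.get(engine) == first_seen)
    return flagged, len(scans)


def days_to_detection(scans, engine):
    """Lag in days between first submission and first detection, for samples
    the engine eventually caught. Samples never caught are excluded, so this
    understates the problem; always report the miss count alongside it."""
    return sorted(det[engine] - first_seen
                  for _, first_seen, det in scans if det.get(engine) is not None)


def wilson_interval(k, n, z=1.96):
    """95% Wilson score interval for a proportion k/n.

    Unlike the naive p +/- z*sqrt(p(1-p)/n) it stays sensible when k is
    close to 0 or n is small, which is exactly the regime of '4 out of 82'."""
    if n == 0:
        return 0.0, 0.0
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def summarise(scans, engines):
    """Per engine: initial rate with its interval, median lag, and outright misses."""
    out = {}
    for e in engines:
        k, n = initial_detection_rate(scans, e)
        lags = days_to_detection(scans, e)
        out[e] = {
            "initial_rate": k / n,
            "ci95": wilson_interval(k, n),
            "median_days_to_detect": median(lags) if lags else None,
            "never_detected": n - len(lags),
        }
    return out


if __name__ == "__main__":
    for engine, s in summarise(SCANS, ENGINES).items():
        lo, hi = s["ci95"]
        print(f"engine {engine}: initial {s['initial_rate']:.0%} "
              f"(95% CI {lo:.0%} to {hi:.0%}), median lag {s['median_days_to_detect']} days, "
              f"never detected {s['never_detected']}/{len(SCANS)}")
    # The report's headline figure: roughly 4 of 82 caught on first sight.
    lo, hi = wilson_interval(4, 82)
    print(f"4/82 = {4/82:.1%}, but the 95% interval is {lo:.1%} to {hi:.1%}")
    # The same proportion from a sample of 2,000 pins it down far more tightly.
    lo, hi = wilson_interval(98, 2000)
    print(f"98/2000 = {98/2000:.1%}, 95% interval {lo:.1%} to {hi:.1%}")
```

The same interval logic applies to the vendors' "9 out of 10" counter-claim: a detection rate is only as informative as the size and provenance of the sample behind it, and a table that omits both the sample count and the never-detected count is marketing rather than measurement.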

One interesting point is that few people criticised the study's conclusion that free antivirus products are about as good as paid ones. While the companies differ in the features they bundle around the engine, the engines themselves have fairly similar detection rates, which makes paying for the software a dubious proposition. The study also pointed out that some of the free products have a higher false-positive rate. That can be read as a good sign, in that those engines are more aggressive in their detection, but false positives are not free either: each one costs someone time to investigate, and an engine that keeps quarantining legitimate files trains its users to ignore its alerts.

But at the end of the day, what most of us want to know is whether antivirus is useful at all, and on that point pretty much everyone agrees. Using security software is a good thing, and your antivirus will help detect infections. The detection rate will never be 100%, but modern software with heuristics has a very good rate against normal, average malware, the kind found in abundance on the web. Problems typically arise with new, zero-day malware and with targeted attacks. That is where researchers disagree, but it is safe to assume that if someone is specifically out to get you, there is a good chance your antivirus will not protect you. Flame, for example, infected Windows computers in the Middle East for over four years before antivirus companies finally started detecting it. That was a major failure of the security community, but it was also a new type of highly sophisticated malware.

If you have no reason to think a government or organised crime will spend the resources needed to break into your systems, there is probably no reason to lose sleep over it. But any modern business should be doing more than installing antivirus. It is one layer of a full protection policy, which should also include intrusion detection systems, log auditing and a range of other controls: antivirus catches what it recognises, and the other layers are there to notice and contain what it does not.

What is your take on antivirus? Do you use freeware only, if any? Are there any solutions that you think rise above the crowd?

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

47 comments
anthonyhorwood

I have to use a site that I know is infected with the ukash, PaySafeCard or MoneyPak virus. I have asked the site owners to clean it, but they are pretty inept, so once a week or so I get infected. It's no big deal to disinfect myself, but it takes 10 minutes out of my day, and there's a risk that it may cause some damage.

So what I wonder, given that this virus is really, really widespread to judge from the Google search results, is why won't AVG, McAfee, Avast or Ad-aware detect it? I run all of these on my various PCs and none of them is of the slightest use. They all seem about equivalent in terms of stopping low-risk stuff, and warning me about tracking cookies, but why cannot they detect a genuine threat that's been around for literally years?

I found that Kaspersky can clean it, once you have booted in safe mode, but it's as useless as the rest at actually preventing it. I intend to try Bitdefender free next week, but I bet it's just as impotent against this threat.

So, why would I buy anti-virus for my personal PCs? None of the paid versions is significantly better than the freeware, and none of them will actually stop a vicious ransomware virus, or to put it another way, none of them do what they say they will.



sethqbht

Yeah, that's really true. I like Kaspersky antivirus software (http://www.passcertification.com/). It helps the Windows operating system and keeps your computer safe from outside virus attacks. It protects your computer. It's really amazing.

techie

If everyone used Linux, guess what, the problem would be just as big as it is now with windows users. If you were wanting to target an audience, would you set your goals on New York City, or Belton, Texas? Linux is great I use several different flavors, but as far as software goes, there are limits, so I use windows far more often, most people do and therefore the target audience. And since Linux is basically open source, well some enthusiastic scammer/hacker/script kiddie could develop his own open source vulnerability virus/trojan/malware of some sort, then what do you do? No anti-virus company is going to touch that, no profit in it,...one problem on Linux possibly affecting a handful of PCs. All this highly unlikely, but you catch my drift.

techie

It is definitely all about training and knowledge of malware. I don't have any anti-virus on any of my PCs, but how many users are smart enough to identify and stay clear of the bad stuff? Experience is the best defense. No anti-virus is perfect, some don't even come close, and most cannot clean a PC completely after it is infected. But we all know this already. Knowing this, I would not pay one penny for anti-virus; there are plenty of free ones that work as well as you can expect. The best anti-malware software I have ever used is free...combofix.

zmaxie

If folks would use Ubuntu Linux then this would not be a problem, and viruses, malware and infections are just words and no threat. I do research on this and have been using Ubuntu 4 years; it saves me a ton of money and eliminates stress about viruses. For proof go to: http://micromac.webs.com/

dogknees

How about the AV vendors start living up to their press. They say they have "intelligent heuristics" and various other technology. Where is the "intelligent" stuff? Why haven't they delivered what they describe? Real human intelligence rather than somewhat less than an earthworm.

ibalabine

Think about the absurdity of the "9 out of 10" argument. Would you fly an airline which boasts that 9 out of 10 flights reach the destination?

andrew232006

The 99% detection rates they boast sound great until you consider the countless thousands of old viruses that are catalogued and the sampling bias inherent in only testing viruses they know about. The new and custom viruses may represent a small fraction of that catalogue but that doesn't mean they aren't more widespread. And there really is no good way to measure performance on zero day viruses. If I had reason to suspect my PC was compromised I'd format and reinstall. And don't think these viruses slipping through are super viruses engineered by the CIA or mob. I remember custom virus kits being sold so you could have an undetectable virus for less than $1000 which you can then use to infect hundreds of PCs and maybe thousands before your virus is found and catalogued. Antivirus is a bandaid solution to bad security models.

sarahmsarah

I use my antivirus as a precaution rather than the solution for viruses. I try to use common sense when I surf the net and don't completely rely on my antivirus (Unthreat Antivirus) and so far so good.

BuckG

Avira, avast!, AVG Free, ClamWin AV. Avira was the cleanest and most user-friendly; avast! was the most comprehensive. These days I'm sticking with Windows Defender/MS Security Essentials, mostly to see how I like it and because it seems to be less of a resource hog than 3rd-party solutions - so far it's worked out fine for me, but should it fail me (or if MS screws it up at some point) I'm ready to return to Avira in a heartbeat. BUT, I also use Sandboxie for all my web-browsing and email-erm, -mailing, so even if I get something I just close out all my sessions, wipe the sandbox and begin anew. So far, nothing has gotten out of the sandbox! Anyway, I haven't paid for anti-malware since the '90s, or used a commercial package since my last free trial of Norton AV in '05. Commercial anti-malware is a waste of money. But one must install something; I have a friend who, in the past, always put off installing anti-malware, and I can recall at least 2 occasions when he spent the better part of a day recovering from a virus that pretty much any AV prog would have stopped (ditto one occasion for another friend).

Regulus

I'm using GFI Vipre. I also keep a few 'backups' available, but not running (Malware Bytes & various Spyware things). But, no matter who you are, it's not a question of 'if', but 'when'.

Gisabun

Anti-virus on its own is useless. Viruses aren't coming out as frequently as 10 years ago. Instead those virus writers are switching to malware or ransomware. Making money off someone's misfortunes is the name of the game now. Getting ahold of a victim's computer, searching for passwords, account information etc. Then if not use the information, sell it off. Or maybe hijack someone's computer. Pay $200 or the user never sees the information again. Most AV software out there [well, particularly the free ones] won't even detect malware out there and if they did, they don't know how to clean the computer. Avast Pro [which had malware "protection"] couldn't even pick up that fake Windows XP Antivirus crap. Microsoft Security Essentials wouldn't find a bunch of trojans.... But finally the biggest problem is the end user. Either they'll click on anything that pops up or don't do anything when a legitimate popup comes around.

JCitizen

The attacks I see in my honeypot lab are almost 100% malware. The threatscape is changing, so questioning the system is legitimate, and I commend the author for bringing it up, because things are changing so rapidly that constant day-to-day re-evaluation is a requirement. The Windows x64 NT5 and NT6 kernel have almost achieved the hardness that was once exclusive to Unix based operating systems. However too many users still need Java and Adobe products to do their daily business, so let us get real here. I propose an SOP that goes something like this, but not necessarily in priority order:

1. Run only in restricted user environments, and DON'T disable the UAC.
2. Only select malware solutions that don't conflict with each other and overlap in coverage.
3. Select mitigation tools that work as near the kernel level as possible to avoid malware manipulation; and always password protect the GUI controls (of course).
4. Have a good automatic backup plan, and use more than one HDD drive whenever possible.
5. Keep the free AV - at least it does housecleaning.
6. I used to recommend two of the top software firewalls, but they've become so bloated now that using the Vista/Win7 built-in firewall with a template and/or manager is just about as good.
7. Switch to new generation UTM perimeter appliances with streaming services for SMBs or any larger organization that has something to lose.
8. Keep in mind solutions that can actually run in the infected environment and still foil the malicious mission of any resident malware that may be on board. Encrypted password managers, and things like BitLocker, are on this list.
9. Use Secunia PSI, FileHippo Update Checker, or any tool necessary to keep all applications, plugins/extensions, and drivers up to date. This can go a LONG way toward hardening the operating system environment.
10. A HIPS that correctly identifies the process in question, and relies more on updates to the heuristic engine and less on white lists (and definitely NOT signatures), is the logical direction.

AV might well be on the road to obsolescence, but the blended defense is not.

Steve__Jobs

It would be nice to encrypt and polymorph our OS comparable to genetic evolution/mutation of "receptor sites". ASLR and PIE only went part of the way. Individually "unique" OS's would be like a new Ubuntu/OS6 for each individual. That should reduce root kits, drive-bys and overflows. The devil would be in the details, e.g. MS would need a public key system.

wtburnette67

You also need to harden your desktop, keep the OS and other software up to date and stop using insecure plugins like Java and Adobe products.

Darren B - KC

Instead of creating better anti-virus software... I wish we could have better methods of hunting down the worthless pieces of trash that write malware and viruses and... well, make them "disappear"...

VytautasB

Good article. AV is good for what it is worth as an automatic protection system that runs in the background. User training in safe use of computers, smart phones, and the internet is the next line of defense that should provide good value for the money put into it.

Clendanielc

Sorry if I sound a little like a jerk, but who uses Antivirus to be a proactive measure? If you do, then you are behind the times. I compare antivirus to regular cold medicine. It is always behind the latest strain and you still deal with the effects of the cold. Of course they will not have the latest or greatest defense. There is how many new viruses created daily? The other argument I can't stand is, "Hey switch to this operating system. It has no viruses." My response to that is, "Yeah, for now." If everyone in the world switched OS's like they do with phones, clothes, girlfriends, wives, jobs, etc; every system would have a virus. It doesn't solve the problem. You are just running away from it. The odds are against us. There is probably a 2 to 1 ratio when it comes to hackers and anti-virus companies. If you want a strong true antivirus system, be proactive. There are a lot of steps you can take in order to make sure that your system is virus free. Please do not rely just on antivirus software. If you do, you failed.

tiggsy

The best way to avoid viruses is to lose Windows. I have loads of naive-user friends. They all used to get viruses ALL the time. I swapped them over to Ubuntu. Over several years, I've never had a virus problem to deal with for them. Plus, it's not a full-day job to install either.

occam49

Everyone knows this ...

Tony Hopkinson

You might use linux and open source but you obviously don't get it. Obscurity is NOT security. If the source being open was a real factor then there would be no windows viruses, because it isn't.

Tony Hopkinson

A dubious contention at best. That's not even counting the huge issue of persuading appliance users that they should wipe the OS they have off their machine, source a distribution, and then install and configure it. I know it's as easy as Windows, but they don't install Windows, do they, which is fortunate, because they'd find it just as difficult... Do better; the only people you are convincing are those who already disagree with you and will continue to do so, when you represent yourself with this sort of drivel.

Tony Hopkinson

one that did 4 out of 10. Got to play the hand you are dealt...

CharlieSpencer

I wouldn't fly an airline that gets there only 9 times out of 10, but I'd sure hire a baseball player that gets 'only' 4 hits for every 10 times at bat.

JCitizen

can become a professional "cyber" criminal with the crime kits available at the crack forums now. Your advice is golden.

JCitizen

I just got done working on a client's machine that was using MSE, and it was so hosed that you could not use conventional means to recover the system!! Even the optical drives were being blocked - and I suspect the malware flashed the controller on the DVD drive and ruined it. I had to pull every trick I knew out of the tool box to fix this machine, and I had to learn a few new tricks too!!! :O

Gisabun

I'd ditch MSE. It lost a security certification letting in too much stuff it should be blocking. Another free AV product detected trojans on a system [not mine] that MSE didn't detect in the hidden Recycler folder. Also didn't detect a harmless rootkit. Don't trust Avast. It didn't pick up those fake AV malware a few years back at a place where I worked.

dogknees

I've been running my home pcs for 14 years without a single infection. So, "when" might I expect it to happen?

JCitizen

I hear that Lavasoft is using Viper's engine in their new suite product - which is still free - AdAware 10. However - since they were bought out by some shady concerns last January, I can't trust them on my machine - but I do encourage clients with little to lose, to continue using it. On those that did uninstall it - they quickly decided to return to using it - so that is proof in the pudding - as I see it.

JCitizen

Since we are mentioning brand names, I like the pro version of MBAM, which BTW has recently hardened its code to avoid manipulation by the malware. Avast will report it as a root-kit on the XP platform (false positive). For my rather indigent clients, I like to pile on the anti-malware, and pick them by their various technologies - this way whatever kind of passive or active real time protection does not conflict. With the right tools, a scan of the hard drive will not result in any secure data being detected by the crooks. My honey pot tests confirm this. I got to admit though - even though I dropped Lavasoft's AdAware, I have noticed some malware manipulations on limited rights accounts that can still be vexing and lead to eventual compromise on a novice's machine. My clients who do not bank or shop online still use it; but you have to kowtow to their AV, as it is a suite product now. It is still free; but it must be conflicting with some of my kernel based solutions, and I can't get any stability out of it (as if I trusted them anymore anyway).

JCitizen

out there that lock the drive environment. They have become so effective, they don't even require PCI or other hardware support. Steady State went away, but there are still good paid solutions in this arena. They basically turn the local machine into a dumb terminal, so using a NAS at minimum is probably wise. IT staffs everywhere are already using remote server storage for backup redundancy anyway. It is surprising the industry still buys refresh user equipment with any drive in it at all these days.

Locrian_Lyric

More and more companies and users are having 'clean' computers that they keep offline entirely as backups

Locrian_Lyric

The US made any kind of intrusion a crime, and Germany went so far as to make hacker tools illegal. The result was that law-abiding hackers in those nations watched their skills atrophy while nations like Romania, China and Russia have effectively pwned all the nations that cracked down on their domestic hackers.

daboochmeister

There's a whole lotta gray in that realm, and giving too much power to any enforcement body ... well, think Aaron Swartz.

CharlieSpencer

Do you consider duplicates and long file names as diagnostic? Why?

UbuntuJon

I installed Ubuntu on an old Dell laptop last night in little over an hour. Works perfectly, it's fast, I've no need to worry about viruses, it's free (in all contexts), has a beautiful interface, and it isn't riddled with bloatware.

Gisabun

You have to change friends. I've had *NO* friends with any virus infections for years. Why? Because they are smart enough to know what to do. Most viruses [other than attachments] are from sites you should be going to or pirated software you've downloaded. Ditch the friends and stop with this Linux crap is better.

JCitizen

Since cross platform threats are now becoming more prevalent; how are you to truly know your Ubuntu platform isn't actually pwned? You have no way of really knowing, unless you're a file freak who is constantly looking at your file structure. I agree that viruses are not really the threat here actually; but malware. Today's malware don't need administrative privileges, and can do harm without taking over the operating system. They can pwn the browser though, using java/adobe vulnerabilities and do damage to anyone who uses the machine for financial purposes. Quite frankly for my clients that do not use their PC's for shopping, banking, or E-Trading, I tell them not to worry too much about viruses/malware/etc. Because they have little to lose, and as long as they don't click on fake alerts and run as a limited rights user, they will be fine. Especially if they run CCleaner before every log off and/or shutdown.

dogknees

Perhaps the fundamentals of business are flawed and need to change. False and misleading advertising. Anything a business says about their products should be factually accurate.

JCitizen

Using Avast with other good freeware anti-malware are doing a good job for my clients who are on a budget. Avast and MBAM Pro are a killer team - but then you need to run as a limited user too. I have NEVER considered Avast to truly be an anti-malware despite any claims by ALWIL on their Pro version.

Gisabun

Looks to me like advertising.

UbuntuJon

But do your friends pay for security software they wouldn't need if they used Linux? Come on, Ubuntu is 10 times better than Windows, and it's free.