The Truth About Anti-Virus Products
Eugene Kaspersky, who heads the Russian anti-virus maker Kaspersky Lab, has published an excellent article that offers a refreshingly honest look at the shortcomings inherent in most anti-virus products on the market today.
Briefly, the paper points out that most AV vendors are having trouble keeping pace in the "virus arms race." Virus authors take advantage of the fact that anti-virus software depends on frequent virus-definition updates to spot the latest malware. By the time those products are updated to detect the latest threat, the virus writers have already released several newer versions that evade the latest anti-virus signatures.
All of which necessarily leads to the dirtiest open secret in the anti-virus community today: A lot of the time, anti-virus software simply doesn't work. Kaspersky writes, "malicious programs propagate so quickly that anti-virus companies have to release updates as quickly as possible to minimize the amount of time that users will potentially be at risk. Unfortunately, many anti-virus companies are unable to do this - users often receive updates once they are already infected."
But surely anti-virus software does a good job curing computers once they've been infected with a virus or worm? Not necessarily, Kaspersky says. Much of today's malware shuts down anti-virus and other security software once it gets its hooks into a victim PC. What's more, Kaspersky says, "very often viruses and Trojans are written in a way which enables them to hide their presence in the system and/or to penetrate the system so deeply that deleting them is a complex task. Unfortunately, some anti-virus programs are unable to delete malicious code and restore the data which has been modified by the virus without causing further problems."
Kaspersky laments the fact that while there are several security labs dedicated to detecting various types of malicious programs, there is currently a lack of any trusted source of benchmarking for how well the various anti-virus products do in cleaning computers once they have been infected with malware.
Please bear in mind that this is not to say that anti-virus software is ineffective: For the foreseeable future, it will remain one of several critical lines of defense for most computer users. But Kaspersky does the computer security community -- and users in general -- a service by reminding us that even the most up-to-date anti-virus program isn't a perfect defense.
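To make the arms race the article describes concrete, here is an added example in Python; it is not code from the article, from Kaspersky Lab or from any other vendor. The two byte strings stand in for two builds of one malware family and are constructed for the illustration; the exact signature, the file hash and the wildcard pattern are likewise assumptions, not any product's real signatures. It shows that a byte-string or whole-file-hash signature written from build 1 no longer fires on build 2 after a trivial change, while a wildcard pattern that keys on structure rather than on constants (a generalization the article does not spell out) still does.

```python
# Added illustration of signature lag; not code from the article or from any
# anti-virus vendor. The two "samples" are constructed byte strings standing in
# for two builds of one malware family, not real malware.
import hashlib
import re

# Build 1: a fake header, a PUSH of an immediate, then a hard-coded URL.
SAMPLE_V1 = b"\x4d\x5a" + b"\x90" * 8 + b"\x68\x00\x10\x00\x00" + b"http://c2.example.invalid/one"
# Build 2, shipped hours later: one immediate and the URL path changed.
SAMPLE_V2 = b"\x4d\x5a" + b"\x90" * 8 + b"\x68\x00\x20\x00\x00" + b"http://c2.example.invalid/two"

# Signatures the vendor wrote from build 1 once it reached the lab (assumed).
SIG_EXACT = b"\x68\x00\x10\x00\x00http://c2.example.invalid/one"
SIG_HASH = hashlib.sha256(SAMPLE_V1).hexdigest()
# A looser signature keyed on structure: PUSH imm32 with two wildcard bytes,
# then the fixed prefix "http://c2." (assumed pattern, YARA-style hex).
SIG_WILDCARD = "68 ?? ?? 00 00 68 74 74 70 3a 2f 2f 63 32 2e"


def exact_match(data: bytes, sig: bytes) -> bool:
    """Classic byte-string signature: any change inside the sig breaks it."""
    return sig in data


def hash_match(data: bytes, digest: str) -> bool:
    """Whole-file hash: any change anywhere in the file breaks it."""
    return hashlib.sha256(data).hexdigest() == digest


def wildcard_match(data: bytes, pattern: str) -> bool:
    """Hex pattern where '??' matches any single byte; compiled to a bytes regex."""
    regex = b"".join(b"." if tok == "??" else re.escape(bytes.fromhex(tok))
                     for tok in pattern.split())
    return re.search(regex, data, re.DOTALL) is not None


def coverage(sample: bytes) -> dict:
    """Which of the three signature styles still flag this build."""
    return {
        "exact": exact_match(sample, SIG_EXACT),
        "hash": hash_match(sample, SIG_HASH),
        "wildcard": wildcard_match(sample, SIG_WILDCARD),
    }


if __name__ == "__main__":
    for name, sample in (("build 1", SAMPLE_V1), ("build 2", SAMPLE_V2)):
        print(name, coverage(sample))
```

Build 1 is caught by all three styles; build 2 is caught only by the wildcard pattern, which is why the update cycle the article describes is a losing race when signatures are written as literal byte strings or hashes.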
By Brian Krebs | November 28, 2005; 12:45 PM ET
Categories: From the Bunker
Posted by: gatorron | November 28, 2005 2:26 PM | Report abuse
or Linux
Posted by: David | November 28, 2005 2:31 PM | Report abuse
no, I didn't see these comments coming.
Posted by: Bk | November 28, 2005 2:38 PM | Report abuse
For some years, there has been a program easily available that can filter malware, spyware, viruses, etc. from your email that doesn't require updates. The product is called "Benign", is transparent to the user, takes the email apart, removes the junk, and then reassembles it. It is available from Firetrust.com. It doesn't prevent viruses that might arrive through downloads, etc....just email. Works great! I have used it for years.
Posted by: Ed from Philly | November 28, 2005 2:49 PM | Report abuse
Kaspersky should start with his own server product. The worst set of apps I ever purchased...
Posted by: Anonymous | November 28, 2005 2:49 PM | Report abuse
"..., there is currently a lack of any trusted source of benchmarking for how well the various anti-virus products do in cleaning computers once they have been infected with malware."
Not sure what qualifies as 'trusted', but you may want to check out the following link as it does provide some comparisons relative to various anti-virus products:
http://www.av-comparatives.org/
Hope this helps!
hd
Posted by: helpdesk | November 28, 2005 3:15 PM | Report abuse
Get a Macintosh.
Posted by: Steve from Chattaroy | November 28, 2005 3:20 PM | Report abuse
What Eugene Kaspersky Did Not Tell
Anti-virus expert Eugene Kaspersky has written a very comprehensive and interesting overview (http://www.viruslist.com/en/analysis?pubid=174405517) "The contemporary antivirus industry and its problems". It is advisable reading for everyone taking IT security seriously. Still, it is obvious that Eugene Kaspersky's position in the anti-virus industry has not allowed him to tell everything to the end. So, for instance, the expert confines himself to the phrase: "Unfortunately, there are relatively few products available in shops or on the Internet which offer even close to 100% protection. The majority of products are unable even to guarantee 90% protection. And this is the main problem facing the antivirus industry today." Here I could add some much more precise information to what Eugene says, and every Internet user should know it.
From Eugene's overview we can plainly see that there are three companies dominating the anti-virus market: Symantec, McAfee and Trend Micro. Hence, the majority of the world's computer systems are protected by products of these companies. But now I invite you to take a look at the place of these companies in serious tests. By serious tests I do not mean the ones offered, for example, by (http://www.chip.de/artikel/c1_artikelunterseite_15048316.html?tid1=tid2=) CHIP magazine, where all the anti-virus products identify 100% of the few malicious codes used in the testing and the rating is assigned only by the editor's opinion. By serious tests I also do not mean the likes of (http://www.virusbtn.com/vb100/about/index.xml) Virus Bulletin 100%, where anti-virus scanners have to identify one-month-old malicious codes.
So, today the most important feature expected by the user from an anti-virus solution is that it protects his computer from new threats. The first serious research on how fast anti-virus solutions react, (http://www.av-test.org/down/papers/2004-09_vb_2004.zip) "Anti-Virus Outbreak Response Testing and Impact", was presented at the Virus Bulletin 2004 conference. The average reaction time of Symantec was 14-16 hours (the worst), McAfee 12-14 hours, Trend Micro 8-10 hours. The best result was between 2 and 4 hours. Quite a disappointment! Now a year has passed since the VB 2004 conference. Has anything changed? In August this year, AV-Test.org published (http://www.av-test.org/down/ms05-039.zip) "Reaction Times of the latest MS05-039-based Worm Attacks", where the market leaders, for the most part, performed very poorly again.
And now let us look at the latest of the (http://www.av-comparatives.org/seiten/ergebnisse_2005_05.php) Retrospective/ProActive tests performed by AV-Comparatives, where anti-virus scanners (the programs/updates used are 3 months old) had to identify unknown new malicious codes: Symantec 14%, McAfee 30%, Trend Micro 15%. In this test the best results were between 48% and 70%. Again, market leaders fall heavily behind.
These days, a very popular approach is to pack malicious codes with different packers to create a large number of pseudo-versions. Tests performed by IBM Virus CERT employee Eric Johansen (http://files.malwareblog.com/EJohansen_VB2005.pdf) were presented at the Virus Bulletin 2005 conference. He packed the generally known Nimda.a with different packers and tested what the possibility was of fooling different anti-viruses. Symantec with its on-demand scanner identified only 33%, McAfee 67%, Trend Micro 57%. The best result was 90%. Once more, market leaders are not the test leaders.
But what do we see in real life? In the last year's time, I have analysed detailed reports on more than two hundred infected computers. Next to active malicious programs, quite often I encountered Symantec. Therefore I think I have the right to add to Eugene Kaspersky's report the anti-virus industry's problem Nr. 0: anti-virus market leaders, whose products "protect" most of the computers in the world, do not provide an adequate level of protection against today's threats!
I expect there will be people saying that I am talking about signature scanners, which are dead. To them I shall point out that signature technologies are still the basis of protection in anti-virus products. If somebody says that this basis is dead, I could agree, provided that we talk about signature scanners made by the market leaders.
Posted by: NaBadanga | November 28, 2005 4:15 PM | Report abuse
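The packer result the commenter cites, together with the article's point that each new build evades the signature written for the last one, as one added example in Python. It is not code from the comment, from IBM or from the VB2005 paper. The payload, the stub marker and the XOR-with-rolling-key "packer" are constructed stand-ins for a real packer, and the entropy threshold is an assumption. It shows that every key yields a distinct file in which the signature for the unpacked payload no longer appears, and two ways a scanner can still catch it: recognising the stub and unpacking before rescanning, or treating high entropy as a packed-file heuristic.

```python
# Added example for the packing point above; not code from the comment, from
# IBM or from any AV vendor. Payload, stub and "packer" are constructed.
import math
from collections import Counter

PAYLOAD = b"\x90" * 64 + b"cmd.exe /c net user backdoor P@ss /add" + b"\x00" * 64  # constructed
SIGNATURE = b"net user backdoor"   # byte signature written for the unpacked payload (assumed)
STUB = b"\xeb\x05PACK"             # constructed marker left by this packer's unpacker stub


def _keystream(key: int, n: int) -> bytes:
    # Position-dependent key, so runs of identical plaintext bytes do not
    # collapse to one ciphertext byte (a plain single-byte XOR would leave the
    # byte histogram, and therefore the entropy, unchanged).
    return bytes((key + 7 * i) & 0xFF for i in range(n))


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ k for b, k in zip(data, _keystream(key, len(data))))


def pack(payload: bytes, key: int) -> bytes:
    """One 'pseudo-version' per key: stub, key byte, encoded body."""
    return STUB + bytes([key]) + _xor(payload, key)


def unpack(blob: bytes):
    """Generic unpacker for this stub; None if the stub is not recognised."""
    if not blob.startswith(STUB) or len(blob) <= len(STUB):
        return None
    key = blob[len(STUB)]
    return _xor(blob[len(STUB) + 1:], key)   # XOR is its own inverse


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); encoded or compressed data runs high."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 5.5) -> bool:
    """Heuristic: assumed threshold; plain code and text sit well below it."""
    return entropy(data) > threshold


def scan(blob: bytes) -> str:
    """Static signature first, then unpack-and-rescan, then the entropy heuristic."""
    if SIGNATURE in blob:
        return "detected"
    inner = unpack(blob)
    if inner is not None and SIGNATURE in inner:
        return "detected after unpacking"
    return "suspicious: packed" if looks_packed(blob) else "clean"


def variants(n: int) -> list:
    """n packed copies of the same payload, each a distinct file on a hash list."""
    return [pack(PAYLOAD, key) for key in range(1, n + 1)]


if __name__ == "__main__":
    print("plain payload:", scan(PAYLOAD), f"entropy={entropy(PAYLOAD):.2f}")
    for blob in variants(5):
        print(scan(blob), f"entropy={entropy(blob):.2f}")
```

Each variant is a different file, and a signature scanner that only looks at the bytes on disk sees none of them; the scanner that knows the stub recovers the payload and matches it, and even an unknown stub still stands out on entropy alone.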
OK so that was obviously just an advert for Kaspersky Labs, and you and I were dumb enough to read it; analogous to buying and watching a DVD full of adverts.
Posted by: doe | November 29, 2005 3:40 AM | Report abuse
I think one of the problems is a lot of these new viruses are disabling / killing the scanners. Just look at how they're doing it: Find the running process, and kill it, or, find the installation directory, and corrupt necessary files.
The problem is, virus scanners aren't aggressive enough to ensure their OWN survival until that next critical update like the viruses are. They should take ideas from the viruses to use them against them.
How about "rename the executable files to random names on installation"? or "Copy themselves to alternate areas on the computer in random spots upon installation and 'check up' on the 'working copy' to ensure it's properly intact.
The WORST malware has multiple copies of itself running, and in the millisecond it takes to disable one copy, the other jump-starts it back up. Why don't virus scanners do the same?
And yea, I know I'm talking about "random installation options", but people want to uninstall things right? It HAS to keep a record of all this SOMEWHERE on the system... that the virus can exploit, correct? No... not if the person bought their scanner legally and is registered with the virus scanner company. It can send this info safely off-site and away from being used by virus threats. And if worse comes to worse? A generic uninstall program that knows how to identify and hunt down the virus scanner's own processes, that can only be run from Safe Mode.
Posted by: Frobozz | November 29, 2005 10:09 AM | Report abuse
An Apple a day keeps the doctor away...
Posted by: pvw | November 29, 2005 10:16 AM | Report abuse
I use a Norwegian product, Norman (see www.norman.com), and they have a sandbox system that keeps unknown viruses from entering, even before an update is launched. They even have that sandbox online; you can check it out.
It's the only antivirus program I know that has this system; works great.
So they are pro-active, which, from what I read, is the problem with Kaspersky (and others).
Posted by: John Belvedeer | November 29, 2005 11:12 AM | Report abuse
Sounds like the best is Trend Micro, which incidentally Microsoft has taken on. Please do not quote me. Thanks.
Posted by: howard becker | November 29, 2005 12:42 PM | Report abuse
It's Trend that Sony uses. And, not surprisingly perhaps, Trend were extremely reluctant to flag Sony's XCP malware. They finally did in a very half-hearted and apologetic fashion long after everyone else had.
For that reason alone, I wouldn't touch them.
But their product doesn't look particularly effective anyway. In one of the comparative tests that Eugene Kaspersky linked to Trend only caught 15% of the new viruses in the test.
KAV got 48% which is far more creditable. And NOD32 whacked an impressive 70% of the viruses.
http://www.av-comparatives.org/seiten/ergebnisse_2005_05.php
Posted by: Mike | November 29, 2005 2:01 PM | Report abuse
I think this is a very good article about viruses; some of those things I can only imagine, but they're true, and at the same time it has been an excellent investigation job...
Posted by: julio lara | November 29, 2005 4:01 PM | Report abuse
When are people going to finally learn how to use and take advantage of a secure file system? Nothing can bury itself into your system if the account you are logged in to (whether it be Windows or *nix) for surfing the internet does not have permission to access critical system files. Windows is not solely to blame. The application vendors are to blame as well - particularly the anti-virus makers.
Try logging into a Windows account that has restricted access to system files and see what happens (Norton doesn't work and McAfee can't update its files). There is no excuse for any application to force users to be logged in as admins to allow for the updating of support files that would otherwise be protected.
Posted by: Craig | November 29, 2005 9:21 PM | Report abuse
In reading your comments on the way computer viruses get through the computer's defenses, I am of course reminded of the way viruses mutate and get through body defenses. What we need to do is to find these people who are building virus inroads into our computers and hire them to work on cures for the AIDS virus and also the bird flu virus that could also mutate into a pandemic. They truly are the medical researchers of the future.
Just a thought.
Posted by: Mala | November 30, 2005 12:28 AM | Report abuse
I'm just glad I have a Mac and don't need to worry about any of this.
Posted by: Mateo | December 2, 2005 10:38 AM | Report abuse
How to be secure:
1. We've come to a point where antiviruses are useless. They only slow down your computer. Viruses are always a step ahead of them. So, just ditch them! Use your brain instead, which is the best antivirus. Also, to prevent is better than to cure, but when there's no way to prevent, cure. Use msconfig, Sysinternals' Process Explorer, file system monitors, registry monitors, rootkit detectors, etc. It's actually fun to see how a virus works.
2. Ditch mainstream programs. Ditch Internet Explorer. Ditch Outlook. Use an alternative browser and email application. Use something that nobody (fewbody) uses: you will be perfectly secure (at least for a while).
3. Use a hardware router/firewall. Or just take the old computer in the attic, place two network cards (one for LAN, the other for Internet) in it and install a Linux-based firewall distribution on it (like IPCop or Smoothwall, or, better, something more obscure): that will make it the best router/firewall ever.
Posted by: Johnny Owl | December 4, 2005 1:58 PM | Report abuse
LOL all you "Apple is safe" people. HA HA HA, you don't know there are MORE holes in it than Windows or Linux; just look at the last 2 updates, they were the size of server packs!!!
Posted by: carl | December 5, 2005 9:23 AM | Report abuse
The best proactive av-technology is the Norman Sandbox: http://sandbox.norman.no/
Posted by: Steve | December 14, 2005 9:32 AM | Report abuse
If it all fails you can always depend on IronPort MGA gateways that detect and quarantine any suspected threat volume until a virus update is developed and released. It works magically. Check it out. ironport.com
Posted by: bs | December 20, 2005 3:22 AM | Report abuse
http://www.shonk.org/Virus.html
Here's one for you that I was recently infected with.
I can't believe no one else picks it up as a trojan.
Posted by: Shonk | December 20, 2005 6:35 PM | Report abuse
Engine         Version         Sig date     Result
AntiVir        6.33.0.70       12.20.2005   no virus found
Avast          4.6.695.0       12.20.2005   no virus found
AVG            718             12.20.2005   no virus found
Avira          6.33.0.70       12.20.2005   no virus found
BitDefender    7.2             12.20.2005   no virus found
CAT-QuickHeal  8.00            12.19.2005   no virus found
ClamAV         devel-20051108  12.19.2005   no virus found
DrWeb          4.33            12.20.2005   no virus found
eTrust-Iris    7.1.194.0       12.20.2005   no virus found
eTrust-Vet     12.3.3.0        12.20.2005   no virus found
Fortinet       2.54.0.0        12.20.2005   suspicious
F-Prot         3.16c           12.20.2005   no virus found
Ikarus         0.2.59.0        12.20.2005   no virus found
Kaspersky      4.0.2.24        12.20.2005   Backdoor.Win32.Delf.ahv
McAfee         4654            12.20.2005   no virus found
NOD32v2        1.1331          12.20.2005   no virus found
Norman         5.70.10         12.20.2005   no virus found
Panda          8.02.00         12.20.2005   no virus found
Sophos         4.01.0          12.20.2005   no virus found
Symantec       8.0             12.20.2005   no virus found
TheHacker      5.9.1.059       12.19.2005   no virus found
VBA32          3.10.5          12.20.2005   no virus found
Posted by: Shonk | December 20, 2005 6:36 PM | Report abuse
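The multi-engine report above, parsed and summarised as an added example in Python; this is not the commenter's code nor anything from the scanning service that produced the report. The result lines are copied from the comment as posted. The third column is read as each engine's signature date, and two rules are assumptions of this example rather than anything stated on the page: an engine is "stale" when its signatures are older than the newest date in the report, and a file is quarantined on one named detection or on two heuristic ("suspicious") hits.

```python
# Added example: parse a multi-engine scan report of the kind posted above.
# Not code from the commenter or from the scanning service.
from dataclasses import dataclass
from datetime import datetime

# The 22 result lines exactly as posted in the comment.
REPORT = """\
AntiVir 6.33.0.70 12.20.2005 no virus found
Avast 4.6.695.0 12.20.2005 no virus found
AVG 718 12.20.2005 no virus found
Avira 6.33.0.70 12.20.2005 no virus found
BitDefender 7.2 12.20.2005 no virus found
CAT-QuickHeal 8.00 12.19.2005 no virus found
ClamAV devel-20051108 12.19.2005 no virus found
DrWeb 4.33 12.20.2005 no virus found
eTrust-Iris 7.1.194.0 12.20.2005 no virus found
eTrust-Vet 12.3.3.0 12.20.2005 no virus found
Fortinet 2.54.0.0 12.20.2005 suspicious
F-Prot 3.16c 12.20.2005 no virus found
Ikarus 0.2.59.0 12.20.2005 no virus found
Kaspersky 4.0.2.24 12.20.2005 Backdoor.Win32.Delf.ahv
McAfee 4654 12.20.2005 no virus found
NOD32v2 1.1331 12.20.2005 no virus found
Norman 5.70.10 12.20.2005 no virus found
Panda 8.02.00 12.20.2005 no virus found
Sophos 4.01.0 12.20.2005 no virus found
Symantec 8.0 12.20.2005 no virus found
TheHacker 5.9.1.059 12.19.2005 no virus found
VBA32 3.10.5 12.20.2005 no virus found
"""


@dataclass
class EngineResult:
    engine: str
    version: str
    sig_date: datetime      # third column, read as the engine's signature date (assumed)
    verdict: str            # everything after the date, e.g. "no virus found"

    @property
    def flagged(self) -> bool:
        return self.verdict != "no virus found"

    @property
    def named(self) -> bool:
        """A concrete family name, as opposed to a heuristic 'suspicious'."""
        return self.flagged and self.verdict.lower() != "suspicious"


def parse_report(text: str) -> list:
    """One EngineResult per line; the verdict may contain spaces, so it is the tail."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue    # blank or truncated line
        engine, version, date, *verdict = fields
        results.append(EngineResult(engine, version,
                                    datetime.strptime(date, "%m.%d.%Y"),
                                    " ".join(verdict)))
    return results


def summarize(results: list) -> dict:
    newest = max(r.sig_date for r in results)
    return {
        "engines": len(results),
        "named": sorted(f"{r.engine}: {r.verdict}" for r in results if r.named),
        "suspicious": sorted(r.engine for r in results if r.flagged and not r.named),
        "missed": sum(1 for r in results if not r.flagged),
        # Assumed rule: signatures older than the newest in the report are stale.
        "stale": sorted(r.engine for r in results if r.sig_date < newest),
    }


def triage(summary: dict) -> str:
    """Assumed quorum: one named detection or two heuristic hits means quarantine."""
    if summary["named"] or len(summary["suspicious"]) >= 2:
        return "quarantine"
    if summary["suspicious"]:
        return "review"
    return "no detection"


if __name__ == "__main__":
    s = summarize(parse_report(REPORT))
    print(s)
    print("decision:", triage(s))
```

On this report the summary shows one named detection, one heuristic hit and twenty misses, with three engines running day-old signatures; the quorum rule quarantines the file on Kaspersky's name alone, which is the practical answer to the commenter's complaint that nobody else picked it up.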
I'll agree on the Norman Virus Control "sandbox" for detecting unknown viruses.
Posted by: innothwoods | December 26, 2005 5:14 PM | Report abuse
Or, use the best virus security system out there: OS X.