
The Truth About Anti-Virus Products

Eugene Kaspersky, who heads the Russian anti-virus maker Kaspersky Lab, has published an excellent article that offers a refreshingly honest look at the shortcomings inherent in most anti-virus products on the market today.

Briefly, the paper points out that most AV vendors are having trouble keeping pace in the "virus arms race." Virus authors take advantage of the fact that anti-virus software depends on frequent virus-definition updates to spot the latest malware. By the time those products are updated to detect the latest threat, the virus writers have already released several newer versions that evade the latest anti-virus signatures.

All of which necessarily leads to the dirtiest open secret in the anti-virus community today: A lot of the time, anti-virus software simply doesn't work. Kaspersky writes, "malicious programs propagate so quickly that anti-virus companies have to release updates as quickly as possible to minimize the amount of time that users will potentially be at risk. Unfortunately, many anti-virus companies are unable to do this - users often receive updates once they are already infected."

But surely anti-virus software does a good job curing computers once they've been infected with a virus or worm? Not necessarily, Kaspersky says. Much of today's malware shuts down anti-virus and other security software once it gets its hooks into a victim PC. What's more, Kaspersky says, "very often viruses and Trojans are written in a way which enables them to hide their presence in the system and/or to penetrate the system so deeply that deleting them is a complex task. Unfortunately, some anti-virus programs are unable to delete malicious code and restore the data which has been modified by the virus without causing further problems."

Kaspersky laments the fact that while there are several security labs dedicated to detecting various types of malicious programs, there is currently a lack of any trusted source of benchmarking for how well the various anti-virus products do in cleaning computers once they have been infected with malware.

Please bear in mind that this is not to say that anti-virus software is ineffective: For the foreseeable future, it will remain one of several critical lines of defense for most computer users. But Kaspersky does the computer security community -- and users in general -- a service by reminding us that even the most up-to-date anti-virus program isn't a perfect defense.

By Brian Krebs  |  November 28, 2005; 12:45 PM ET
Categories:  From the Bunker  

Comments

Or, use the best virus security system out there: OS X.

Posted by: gatorron | November 28, 2005 2:26 PM | Report abuse

or Linux

Posted by: David | November 28, 2005 2:31 PM | Report abuse

no, I didn't see these comments coming.

Posted by: Bk | November 28, 2005 2:38 PM | Report abuse

For some years, there has been a program easily available that can filter malware, spyware, viruses, etc. from your email that doesn't require updates. The product is called "Benign", is transparent to the user, takes the email apart, removes the junk, and then reassembles it. It is available from Firetrust.com. It doesn't prevent viruses that might arrive through downloads, etc....just email. Works great! I have used it for years.

Posted by: Ed from Philly | November 28, 2005 2:49 PM | Report abuse

Kaspersky should start with his own server product. The worst set of apps I ever purchased...

Posted by: Anonymous | November 28, 2005 2:49 PM | Report abuse

"..., there is currently a lack of any trusted source of benchmarking for how well the various anti-virus products do in cleaning computers once they have been infected with malware."

Not sure what qualifies as 'trusted', but you may want to check out the following link as it does provide some comparisons relative to various anti-virus products:

http://www.av-comparatives.org/

Hope this helps!

hd

Posted by: helpdesk | November 28, 2005 3:15 PM | Report abuse

Get a Macintosh.

Posted by: Steve from Chattaroy | November 28, 2005 3:20 PM | Report abuse

What Eugene Kaspersky Did Not Tell

Anti-virus expert Eugene Kaspersky has written a very comprehensive and interesting overview (http://www.viruslist.com/en/analysis?pubid=174405517) "The contemporary antivirus industry and its problems". It is advisable reading for everyone taking IT security seriously. Still it is obvious that Eugene Kaspersky's position in the anti-virus industry has not allowed him to tell everything to the end. So, for instance, the expert confines himself to the phrase: "Unfortunately, there are relatively few products available in shops or on the Internet which offer even close to 100% protection. The majority of products are unable even to guarantee 90% protection. And this is the main problem facing the antivirus industry today." Here I could add some much more precise information to what Eugene says, and every Internet user should know it.

From Eugene's overview we can plainly see that there are three companies dominating the anti-virus market: Symantec, McAfee and Trend Micro. Hence, the majority of the world's computer systems are protected by products of these companies. But now I invite you to take a look at the place of these companies in serious tests. By serious tests I do not mean the ones offered for example by the (http://www.chip.de/artikel/c1_artikelunterseite_15048316.html?tid1=tid2=) CHIP magazine, where all the anti-virus products identify 100% of the few malicious codes used in the testing and rating is assigned only by the editor's opinion. By serious tests I also do not mean the likes of (http://www.virusbtn.com/vb100/about/index.xml) Virus Bulletin 100% where anti-virus scanners have to identify one month old malicious codes.

So, today the most important feature expected by the user from an anti-virus solution is that it protects his computer from new threats. First serious research on how fast anti-virus solutions react, (http://www.av-test.org/down/papers/2004-09_vb_2004.zip) "Anti-Virus Outbreak Response Testing and Impact", was presented at the Virus Bulletin 2004 conference. Average reacting time of Symantec was 14-16 hours (the worst), McAfee 12-14 hours, Trend Micro 8-10 h. The best result was between 2 and 4 hours. Quite a disappointment! Now a year has passed since the VB 2004 conference. Has anything changed? In August this year, AV-Test.org published the (http://www.av-test.org/down/ms05-039.zip) "Reaction Times of the latest MS05-039-based Worm Attacks" where the market leaders, for the most part, performed very poorly again.

And now let us look at the latest of the (http://www.av-comparatives.org/seiten/ergebnisse_2005_05.php) Retrospective/ProActive tests performed by AV-Comparatives, where anti-virus scanners (used programs/updates are 3 months old) had to identify unknown new malicious codes: Symantec 14%, McAfee 30%, Trend Micro 15%. In this test best results were between 48%-70%. Again, market leaders fall heavily behind.

These days, a very popular approach is to pack malicious codes by different packagers to create a large number of pseudo versions. Tests performed by an IBM Virus CERT employee Eric Johansen (http://files.malwareblog.com/EJohansen_VB2005.pdf) were presented at the Virus Bulletin 2005 conference. He had packed the generally known Nimda.a by different packagers and tested what was the possibility of fooling different anti-viruses. Symantec with its on-demand scanner identified only 33%, McAfee 67%, Trend Micro 57%. Best result was 90%. Once more market leaders are not the test leaders.

But what do we see in the real life? In the last year's time, I have analysed detailed reports on more than two hundred infected computers. Next to active malicious programs, quite often I encountered Symantec. Therefore I think I have the right to add to Eugene Kaspersky's report the anti-virus industry's problem Nr. 0: anti-virus market leaders, whose products "protect" most of computers in the world, do not provide adequate level of protection against today's threats!

I expect there will be people saying that I am talking about signature scanners, which are dead. To them shall I remind that signature technologies are still the basis of protection in anti-virus products. If somebody says that this basis is dead, I could agree, provided that we talk about signature scanners made by the market leaders.

Posted by: NaBadanga | November 28, 2005 4:15 PM | Report abuse

OK so that was obviously just an advert for Kaspersky labs, and you and I were dumb enough to read it; analogous to buying and watching a DVD full of adverts.

Posted by: doe | November 29, 2005 3:40 AM | Report abuse

I think one of the problems is a lot of these new viruses are disabling / killing the scanners. Just look at how they're doing it: Find the running process, and kill it, or, find the installation directory, and corrupt necessary files.

The problem is, virus scanners aren't aggressive enough to ensure their OWN survival until that next critical update like the viruses are. They should take ideas from the viruses to use them against them.

How about "rename the executable files to random names on installation"? or "Copy themselves to alternate areas on the computer in random spots upon installation and 'check up' on the 'working copy' to ensure it's properly intact."

The WORST malware has multiple copies of itself running, and in the millisecond it takes to disable one copy, the other jump-starts it back up. Why don't virus scanners do the same?

And yea, I know I'm talking about "random installation options", but people want to uninstall things right? It HAS to keep a record of all this SOMEWHERE on the system... that the virus can exploit, correct? No... not if the person bought their scanner legally and is registered with the virus scanner company. It can send this info safely off-site and away from being used by virus threats. And if worse comes to worse? A generic uninstall program that knows how to identify and hunt down the virus scanner's own processes, that can only be run from Safe Mode.

Posted by: Frobozz | November 29, 2005 10:09 AM | Report abuse


An Apple a day keeps the doctor away...

Posted by: pvw | November 29, 2005 10:16 AM | Report abuse

I use a Norwegian product, Norman (see www.norman.com) and they have a sandbox system that keeps unknown viruses from entering, even before an update is launched. They even have that sandbox online, you can check it out.
It's the only antivirus program I know that has this system, works great.
So they are pro-active, what I read that is the problem with Kaspersky (and others).

Posted by: John Belvedeer | November 29, 2005 11:12 AM | Report abuse

sounds like the best is TREND MICRO that incidentally microsoft has taken on. please do not quote me. Thanks.

Posted by: howard becker | November 29, 2005 12:42 PM | Report abuse

It's Trend that Sony uses. And, not surprisingly perhaps, Trend were extremely reluctant to flag Sony's XCP malware. They finally did in a very half-hearted and apologetic fashion long after everyone else had.

For that reason alone, I wouldn't touch them.

But their product doesn't look particularly effective anyway. In one of the comparative tests that Eugene Kaspersky linked to Trend only caught 15% of the new viruses in the test.

KAV got 48% which is far more creditable. And NOD32 whacked an impressive 70% of the viruses.

http://www.av-comparatives.org/seiten/ergebnisse_2005_05.php

Posted by: Mike | November 29, 2005 2:01 PM | Report abuse

I think this is a very good article about the viruses; some of those things I can only imagine, but they're true, and at the same time it has been an excellent investigation job...

Posted by: julio lara | November 29, 2005 4:01 PM | Report abuse

When are people going to finally learn how to use and take advantage of a secure file system. Nothing can bury itself into your system if the account you are logged in to (whether it be Windows or *nix) to surfing the internet with does not have permission to access critical system files. Windows is not solely to blame. The application vendors are to blame as well - particularly the anti-virus makers.

Try logging into a Windows account that has restricted access to system files and see what happens (Norton doesn't work and McAfee can't update its files). There is no excuse for any application to force users to be logged in as admins to allow for the updating of support files that would otherwise be protected.

Posted by: Craig | November 29, 2005 9:21 PM | Report abuse

In reading your comments on the way computer viruses get through the computer's defenses, I am of course reminded of the way viruses mutate and get through body defenses. What we need to do is to find these people who are building virus inroads into our computers and hire them to work on cures for the AIDS virus and also the bird flu virus that could also mutate into a pandemic. They truly are the medical researchers of the future.
Just a thought.

Posted by: Mala | November 30, 2005 12:28 AM | Report abuse

I'm just glad I have a Mac and don't need to worry about any of this.

Posted by: Mateo | December 2, 2005 10:38 AM | Report abuse

How to be secure:

1. We've come to a point where antiviruses are useless. They only slow down your computer. Viruses are always a step ahead of them. So, just ditch them! Use your brain, instead, which is the best antivirus. Also, to prevent is better than to cure, but when there's no way to prevent, cure. Use msconfig, Sysinternals' Process Explorer, file system monitors, registry monitors, rootkit detectors, etc. It's actually fun to see how a virus works.

2. Ditch mainstream programs. Ditch Internet Explorer. Ditch Outlook. Use an alternative browser and email application. Use something that nobody (fewbody) uses: you will be perfectly secure (at least for a while).

3. Use a hardware router/firewall. Or just take the old computer in the attic, place two network cards (one for LAN, other for Internet) in it and install a linux-based firewall distribution in it (like IPCOP or SMOOTHWALL, or, better, something more obscure): that will make it the best router/firewall ever.

Posted by: Johnny Owl | December 4, 2005 1:58 PM | Report abuse

LOL all you "apple is safe" people. HA HA HA you don't know there are MORE holes in it than windows or linux, just look at the last 2 updates, they were the size of server packs!!!

Posted by: carl | December 5, 2005 9:23 AM | Report abuse

The best proactive av-technology is the Norman Sandbox: http://sandbox.norman.no/

Posted by: Steve | December 14, 2005 9:32 AM | Report abuse

If it all fails you can always depend on IRONPORT MGA gateways that detect and quarantine any suspected threat volume until a virus update is developed and released. It works magically. Check it out. ironport.com

Posted by: bs | December 20, 2005 3:22 AM | Report abuse

http://www.shonk.org/Virus.html

here's one for you that I was recently infected with

I can't believe no one else picks it up as a trojan

Posted by: Shonk | December 20, 2005 6:35 PM | Report abuse

AntiVir 6.33.0.70 12.20.2005 no virus found
Avast 4.6.695.0 12.20.2005 no virus found
AVG 718 12.20.2005 no virus found
Avira 6.33.0.70 12.20.2005 no virus found
BitDefender 7.2 12.20.2005 no virus found
CAT-QuickHeal 8.00 12.19.2005 no virus found
ClamAV devel-20051108 12.19.2005 no virus found
DrWeb 4.33 12.20.2005 no virus found
eTrust-Iris 7.1.194.0 12.20.2005 no virus found
eTrust-Vet 12.3.3.0 12.20.2005 no virus found
Fortinet 2.54.0.0 12.20.2005 suspicious
F-Prot 3.16c 12.20.2005 no virus found
Ikarus 0.2.59.0 12.20.2005 no virus found
Kaspersky 4.0.2.24 12.20.2005 Backdoor.Win32.Delf.ahv
McAfee 4654 12.20.2005 no virus found
NOD32v2 1.1331 12.20.2005 no virus found
Norman 5.70.10 12.20.2005 no virus found
Panda 8.02.00 12.20.2005 no virus found
Sophos 4.01.0 12.20.2005 no virus found
Symantec 8.0 12.20.2005 no virus found
TheHacker 5.9.1.059 12.19.2005 no virus found
VBA32 3.10.5 12.20.2005 no virus found

Posted by: Shonk | December 20, 2005 6:36 PM | Report abuse
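The multi-engine scan output quoted in the comment above is a useful illustration of why a single verdict should not be trusted on its own. The following is an added example (not code from the post or from any scanner vendor) that parses lines in that layout and separates a named signature hit from a bare heuristic "suspicious" verdict; the field layout (engine, version, signature date, verdict) is assumed from the quoted lines, and the sample text is a constructed copy of them.

```python
import re
from collections import namedtuple

# Constructed copy of the multi-engine scan lines quoted in the comment above.
# Assumed layout per line: engine, signature version, signature date, verdict.
SCAN_REPORT = """\
AntiVir 6.33.0.70 12.20.2005 no virus found
Avast 4.6.695.0 12.20.2005 no virus found
AVG 718 12.20.2005 no virus found
Avira 6.33.0.70 12.20.2005 no virus found
BitDefender 7.2 12.20.2005 no virus found
CAT-QuickHeal 8.00 12.19.2005 no virus found
ClamAV devel-20051108 12.19.2005 no virus found
DrWeb 4.33 12.20.2005 no virus found
eTrust-Iris 7.1.194.0 12.20.2005 no virus found
eTrust-Vet 12.3.3.0 12.20.2005 no virus found
Fortinet 2.54.0.0 12.20.2005 suspicious
F-Prot 3.16c 12.20.2005 no virus found
Ikarus 0.2.59.0 12.20.2005 no virus found
Kaspersky 4.0.2.24 12.20.2005 Backdoor.Win32.Delf.ahv
McAfee 4654 12.20.2005 no virus found
NOD32v2 1.1331 12.20.2005 no virus found
Norman 5.70.10 12.20.2005 no virus found
Panda 8.02.00 12.20.2005 no virus found
Sophos 4.01.0 12.20.2005 no virus found
Symantec 8.0 12.20.2005 no virus found
TheHacker 5.9.1.059 12.19.2005 no virus found
VBA32 3.10.5 12.20.2005 no virus found
"""

EngineResult = namedtuple("EngineResult", "engine version sig_date verdict")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")
CLEAN_VERDICT = "no virus found"

def parse_report(text):
    """One result per line; a line that does not fit the layout raises ValueError."""
    results = []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable scan line: {line!r}")
        results.append(EngineResult(*m.groups()))
    return results

def summarize(results):
    """Count flagging engines; a named signature hit outweighs a bare 'suspicious' verdict."""
    flagged = {r.engine: r.verdict for r in results if r.verdict.lower() != CLEAN_VERDICT}
    named = {e: v for e, v in flagged.items() if v.lower() != "suspicious"}
    return {
        "total": len(results),
        "flagged": len(flagged),
        "named_detections": named,
        "heuristic_only": sorted(set(flagged) - set(named)),
        "detection_rate": len(flagged) / len(results) if results else 0.0,
    }
```

On the quoted report this yields 2 flagging engines out of 22, only one of them with a named signature, which is exactly the low-coverage situation the post describes for fresh samples.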

I'll agree on the Norman Virus Control "sandbox" for detecting unknown viruses.

Posted by: innothwoods | December 26, 2005 5:14 PM | Report abuse


© 2010 The Washington Post Company